Please enlighten me as to why I need a guest anchor controller? I keep asking myself, what's the point? If I configure a VLAN interface with an ACL that allows outbound traffic only, let the controller handle DHCP and use Google's public DNS, it is much simpler for me. I already get the content filtering on my network from Websense, the guests are given firewall protection, all while being restricted from accessing internal network resources. Is there something here that I am missing?

Thanks,
Phill
Hi,

Most of the time this is for security. The anchor will be placed in the DMZ and there won't be any APs registered to it. The guest users' access will go directly to the internet, whereas the internal users will be secured, so the guests cannot come to know about the internal info at all. This is one of the advantages. Lemme know if this was helpful.

Regards,
Surendra

==== Please don't forget to rate the posts which answered your question and mark it as answered or was helpful
You are not missing too much. You could configure the guest VLAN with ACLs to only have access to the internet through the firewall and restrict access to your internal network like this. However, in big topologies this might not always be that easy, so people may prefer to have one guest controller in the DMZ and all the other controllers using it to tunnel traffic.

Nicolas
Thanks for the responses. I do not manage the largest wireless network... I only expect it to grow to about 200 APs. I have a great demand for guest wireless access, but I expect it to be limited to less than, say, 20 users at any single time organization-wide. I do take advantage of the anchoring feature... I use it to tunnel the wireless networks of other agencies through the wireless network that I manage. For the most part, it works great. However, for my organization, one centrally switched guest WLAN would work just fine.

Another approach to guest access that I can think of (without using an internal VLAN with an ACL or an anchor controller) would be to create another DMZ interface on the firewall and cable it over to either a separate interface on the wireless controller or cable it directly to an unrouted VLAN allowed to reach my controllers. I am running dual 5508 controllers in a failover configuration. I use only two ports on each controller in LAG mode. If I recall, since I have chosen to use LAG, I can use the other ports separately? Am I correct?

I am beginning to believe that a DMZ approach may not be the most beneficial for my organization, as getting the content filtering mechanism to work may be a challenge... however, it would bring the guest traffic outside the interior network. At this point, I am leaning towards an internal VLAN with a properly configured ACL and the use of an outside public DNS server. Would this be a sound approach to what I am trying to accomplish?

Thanks,
Phill
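The "internal VLAN with an outbound-only ACL" design that the thread discusses, written out as a Cisco IOS configuration. This is an added example, not configuration from any poster: the guest subnet 192.0.2.0/24, VLAN 200, the ACL name GUEST-IN and the assumption that internal resources live in the RFC 1918 ranges are all constructed for illustration; 8.8.8.8 and 8.8.4.4 are Google's public resolvers.

```cisco
! Constructed example: guest SVI on the L3 switch behind the firewall.
! The ACL is applied inbound on the SVI, i.e. to traffic *from* guests,
! so it enforces "outbound to the internet only". Return traffic is the
! firewall's job (stateful inspection), not this ACL's.
ip access-list extended GUEST-IN
 remark -- DNS: only the chosen public resolvers, nothing else --
 permit udp 192.0.2.0 0.0.0.255 host 8.8.8.8 eq domain
 permit udp 192.0.2.0 0.0.0.255 host 8.8.4.4 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 8.8.8.8 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 8.8.4.4 eq domain
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark -- Block everything internal (assumes RFC 1918 addressing inside) --
 remark    This also covers the WLC management/AP-manager addresses, so
 remark    guests cannot reach the controller or the APs from the guest VLAN.
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark -- Block the guest network's own L3 hops (no scanning the SVI) --
 deny   ip any host 192.0.2.1 log
 remark -- Everything else (internet via the firewall / Websense) is allowed --
 permit ip 192.0.2.0 0.0.0.255 any
 remark -- Explicit catch-all so spoofed sources show up in the log --
 deny   ip any any log
!
interface Vlan200
 description GUEST-WLAN (centrally switched from the 5508s)
 ip address 192.0.2.1 255.255.255.0
 ip access-group GUEST-IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
! Note: with the WLC acting as DHCP server for the guest WLAN, DHCP is
! answered on the controller side of the CAPWAP tunnel and never crosses
! this SVI, so no DHCP permits are needed here. If you instead relay DHCP
! to an internal server, add a specific "permit udp ... eq bootps" line
! *above* the RFC 1918 denies.
!
! Verification: hit counters per line, to confirm the denies are doing work.
! show ip access-lists GUEST-IN
```

Once in place, watch the `log` lines for a while: a steady stream of hits on the RFC 1918 denies is expected client noise (printer discovery, chatty apps), but hits on the DNS deny or the catch-all are worth a second look.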