Cisco :: WLC 5508 LAP1262 Security Features Design
Dec 2, 2011
I am planning to get the following Hardware;AIR-CT5508-50-K9 5508 Series Controller for up to 50 APs AIR-LAP1262N-E-K9 802.11a/g/n Ctrlr-based AP; Ext Ant; E Reg Domain..During my design, i am considering to get the following security features.I don't have WCS and Mobility Services Engine (MSE). Managing Access Points at remote/WAN office.wIPS configuration (without WCS and MSE)How Rouge APs will be detected and Prevented. Can Automated prevention be implemented.Is wIPS (with WLC 5508) support to detect and prevent Rouge AP.Is Proxy Redirection supported on WLC so that the traffic from Wireless clients will automatically be redirected to Proxy (without adding the proxy in explorers of Wireless Clients).
Any chance the filtering features on the 5508 controller code will make it into WCS at some poiint? Being able to sort these lists would be invaluable.
just have few questions about designing WLC 5508. The scenario is that currently one of the client has a firewall Tie ring T1 internet facing and T2 internal which has multiple DMZ connected. T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing. Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as i was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and on in DMZ). Now my question is as follow.
1- Keeping in mind that there is only one WLC where should i physically put it? 2- How guest users will work ? How the authentication will be done? 3-There are 8 SFP ports in WLC how physical topology will look like? 4-How many V LANs i have to make for wireless users will that be 10? (1 at each site) ?
My last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different v lan....just confuse about interfaces and vlans on WLC (interfaces concept).
We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches
My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.
I have some doubts about the best solution for the design of a mini data center.In the data center there is a 6500 with FWSM module installed, there are some vlans created, all of them in the fwsm module. For example, a back end server to communicate with a server in the front end must always pass through the firewall. My question is, all these flows passing in the firewall does not degrade the speed of communication?What is the best practice, just pass the communications with the WAN in the firewall, and the vlan communication between front end and back end is only set up in 6500?
My company has chosen to allow our employees to bring in and use their own personal electronic devices such as i Pads, i Phones, tablet PC's, etc... We intend to allow them to access our network with these devices. My question is if an employee decides to enable a WiFi hotspot on an iPhone, i Pad or other device and then share out that network connection we have provided to them to allow other devices to tether to it, how do we prevent or mitigate this issue with our W LAN environment?
Our current environment consists of 4400 series WLC's and 1131, 1231 and 1242 series AP's using version 7.098.218 code. We plan on migrating to 5500 series WLC's and 3500 series AP's but this will not happen overnight.
I have some doubts about the best solution for the design of a mini data center.In the data center there is a 6500 with FWSM module installed, there are some vlans created, all of them in the fwsm module. For example, a back end server to communicate with a server in the front end must always pass through the firewall. My question is, all these flows passing in the firewall does not degrade the speed of communication?What is the best practice, just pass the communications with the WAN in the firewall, and the vlan communication between front end and back end is only set up in 6500?
This is one of our first site where we are implementing Cisco wireless, and we bought some external Autonomous AP1262, when we should have bought Lightweight LAP1262 . We can get those replaced, but I am looking into migrating them in order to get them to register with our 5508 controllers.
There do not seem to be a migration tool to download for 1262. Must it be done via the WCS ?So far I have not managed to add these autonomous AP to the controllers. How to know if a migration toll exists for those !
I have a 5508 wlc trunked to a 6500 switch. Also trunked to the switch on both eth0 and eth1 is the CAS. The CAM is connected with an access port.
The CAS and CAM are on seperate VLANs and the CAS was added to the CAM without issue. I followed the example document for OOB WLAN (VLANs and mapping etc) but I don't get any authentication going on. The client associates and the WLAN interface is the quarantine VLAN However it seems the client can connect to the network without issue (can web browse to a server internaly to the campus)
The client is shown in the wireless clients on the device page of the CAM, If i close down either of the CAS interfaces the client connectivity is broken.
Just once, randomly the Clean Access Login Page appeared on the client (battery had died and waited about an hour) but when I rebooted the CAS to check it was consistent it never came back.
The connection can reach up to 144Mbps when using WPA2 with AES (Layer 2 security), WMM allowed (QOS). But when I use 802.1X (Layer 2 security), can only reach up to 54Mbps. Any special setting when using 802.1X to reach 144Mbps? Or do I need to upgrade?
web authenticate users within a specific Active Directory Security Group. I tried to authenticate over Radius with Cisco Secure ACS and Network Access Restrictions. But NAR only works with Layer 2 authentication. And Web Authentication over LDAP can only be used with User Objects.
I have been monitoring the alarm summary but have been off couple days and i see one of my controllers is down. Getting critical level security and message is port is down on the controller, condition link down. The other issue is config difference found between NCS and Contoller, I tried getting them to sync together but still getting the same message.
NCM is going away. It is recommend to move to LMS. We already have a LMS deployment. Currently just used for Monitoring/Performance.Trying to figure out how to get the Configuration change piece that we used NCM for into LMS. Not really having any luck.What I am really wanting to do is configuration archive, device config change notices (when a device config changes I can run report to see who and what was changed), and configuration comparisions (between old and new configs)
Need to understand some features of Cisco Small Business 300 Series Managed Switches. one of this is "Static routing/Layer 3 IP routing between V LAN's allows for communicating across V LAN's without degrading application performance" what is this means can i create V LAN or just V LAN can pass through this kind of switch? how about this features from Cisco Catalyst 2960 Series Switches " The ability to set up virtual LAN's so employees are connected by organizational functions, project teams, or applications rather than on a physical or geographical basis" what is the difference of this features of this different model of switches?
I just purchased a SA 520 and I am trying out the IPS feature before I buy. During my tests I get around 85 Mbps off a 100 Mbps connection (which is relatively normal), however as soon as I enable IPS with very few options (Trojan/virus, HTTP, etc), it drops down to 18 or so. Anyway to improve this?
I wish to use a 1921/k9 as a router on a stick. Inside interface interconnects up to 9 VLAN, and performs the routing. Does the 1921/k9 supports trunking and VLANs (I think it should support 16 VLAN, but I am not shure) or I should choose 1921-SEC-k9? Routing performance is the same both on 1921/k9 and 1921-SEC-k9? (I think I'll use static routes or RIP, it is not a large network)
I'm trying to secure my dir-615 and I can get in to the web site but the connection wizard is greyed out and the manual set-up is alos greyed out even though I can select manual set up?
I am doing a security assessment of an organization that uses 871/881 routers with the firewall features enabled. I see the following commands defining packet inspection done by the firewall software.
-ip inspect name inet-users tcp -ip inspect name inet-users udp -ip inspect name inet-users icmp
What I am trying to define is the inspect name "inet-users". It is obviously a constant defined by IOS as it is not defined anywhere in the configuration file like any other "variable" and does not generate an error.What does "inet-users" define? I'm assuming it is all users using the interface(s) where the inspect commands are used, but is that correct? The Cisco IOS manuals do not contain a reference to "inet-users" hence why I'm here asking.
We just replaced a floor swithc, and ended up going with an IOS-XE software, LMS does not seem to like this software, the device is not available in my Identity dashboard, it's abviously running dot1x.
LMS shows it as software version 03.02.01.SG, same as you get when you do a show version, license level is enterprise services.
Actual Image name: cat4500e-universalk9.SPA.03.02.01.SG.150-2.SG1.bin
Also, the IOS upgrade option does not work for this device, it give an error saying to perform an inventory collection, which I have manually performed, the device is reachable and manageable by LMS, and it does not show up in any of the IOS version reports.
My current network setup has pix 525 firewall and for IDS i have 4215 box.As the utilization is high i am buying new ASA5520 firewall.
My query is 1 My IDS is end of support should i buy an IPS moudle with the asa 5520.is it recommended? 2 Other than firewalling what are the default features supported in asa 5520 like vpn,content filtering etc.
Device: Cisco ISR 1811 IOS: 15.1(4)M5 Advanced IP Services
I seem to be unable to access any IKEv2 features. The command crypto ikev2 is not available. Everything I've read suggests IKEv2 is available in this IOS version.Is there something I'm missing?
After configuring the router and enabling a load of functions to secure our LAN, the download speed halved! Even disabling AcitveX "eats" 10Mbs! I understand that enabling IPsec will drag the speed down to 25Mbps, but I have disabled this.
Even setting the QoS to speeds equal or higher then the ISP's promissises drags the speed down!
I would like to configure the policy base routing (PBR) on router (3900) base on the "specific tcp port" (TCP port 16255) to re-direct the traffic to another FE port.
From cisco web portal, CAT 4500 should support PBR as below:"Policies can be based on IP address, port numbers, or protocols. For a simple policy, use any one of these descriptors; for a complicated policy, use all of them." url...
Does 3900 router has the same features on the PBR? if yes, can it support "source tcp port" and/or "destination TCP port"?
using the 55xx as a L3 Distribution switch or even as a Core. By enabling the L3 features does it allow you enabled L3 SVI's for VLAN interfaces or are there interfaces on the daughter card that are used for routing instead?
give me the run down on the features removed from the 4400 series in the 2500 series? Obviously 4400 is now EOL, and so i cannot purchase new. Therefore I was looking at the 2500 for my implementation to save costs also.I would like to have two SSID's, running seperate VLAN's, one voice, one guest, trunk the link to the AP's, which will be 1131AG or newer, N possibly. Voice needs to be encrypted with WPA or WPA2, guest needs to be open using the guest access feature. Here's a sample but with EAP:
[URL]
Is this supported to have WPA on one SSID and Guest access on the other? i did spot a paragraph in the 4400 manual stating that certain restrictions apply regarding one SSID having encryption and the other being guest mode?I notice also in the WCS documentation, it doesn't explicitly state it supports the 2500 series under the managed devices section?
The products from SRP 540 series line (541w etc) will ever support IPv6 features or remote VPN (eg SSL VPN or Cisco QuickVPN)? If yes, is there a time horizon?
