Appropriate addressing (subnet separation) for Unified Wireless Infrastructure components.

Good day all,
I am looking for some advice on appropriate IP subnet separation of the various Cisco Unified Wireless Infrastructure components. For example, would all components go on their own firewall-secured IP subnets? Can some of the components be grouped together, and would there be a performance advantage to that vs. a security risk? Just so I am clear, the components I am referring to are WLC, ISE, MSE, and Prime Infrastructure.
The environment, for context, is a Unified environment; all components are centralized in a single DC (datacenter), soon to be two DCs: 5508 controllers, 2504 controllers, 3495 security appliances, and 3300 series MSEs. The deployment model for now is (from the BYOD CVD) Basic Guest with two SSIDs (corporate and guest) and using a guest anchor in an internet DMZ.

It really varies, but it comes down to the basics: the security policy for the devices. I usually keep the APs in their own subnet, the WLC in the same subnet as the switches, and the MSE and PI in the server subnet. Wireless will always be on its own subnet, and guest, like you have, will be tunneled into its own subnet in the DMZ. Internal wireless should be a separate subnet from your wired side.
Scott
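To turn the separation Scott describes into something you can check before the firewall change window, here is an added example (not from the original thread, not Cisco code). It models the zones as prefixes, lists the flows the components need between those zones, and reports three things a reviewer would ask about: overlapping prefixes, required flows the policy forgot, and rules that open a path from client or DMZ zones toward the controller management plane. The prefixes, the zone names and the POLICY set are constructed assumptions; the port numbers are the ones Cisco documents for CAPWAP, RADIUS, NMSP, SNMP and mobility.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed addressing plan; every prefix here is an assumption for the example.
PLAN = {
    "ap_mgmt":    "10.10.10.0/24",     # lightweight APs
    "wlc_mgmt":   "10.10.20.0/24",     # WLC management / AP-manager interfaces
    "servers":    "10.10.30.0/24",     # ISE, MSE, Prime Infrastructure
    "wired":      "10.10.50.0/24",     # wired users
    "corp_wifi":  "10.10.100.0/22",    # corporate SSID clients
    "anchor_dmz": "192.168.200.0/24",  # guest anchor WLC in the Internet DMZ
}

# Flows the infrastructure needs: (src_zone, dst_zone, proto, port, purpose).
# Port numbers follow Cisco's published port lists for WLC, ISE, MSE and Prime.
REQUIRED = [
    ("ap_mgmt",  "wlc_mgmt",   "udp", 5246,  "CAPWAP control"),
    ("ap_mgmt",  "wlc_mgmt",   "udp", 5247,  "CAPWAP data"),
    ("wlc_mgmt", "servers",    "udp", 1812,  "RADIUS authentication to ISE"),
    ("wlc_mgmt", "servers",    "udp", 1813,  "RADIUS accounting to ISE"),
    ("wlc_mgmt", "servers",    "tcp", 16113, "NMSP to MSE"),
    ("servers",  "wlc_mgmt",   "udp", 161,   "SNMP polling from Prime"),
    ("wlc_mgmt", "servers",    "udp", 162,   "SNMP traps to Prime"),
    ("wlc_mgmt", "anchor_dmz", "udp", 16666, "mobility control to guest anchor"),
    ("wlc_mgmt", "anchor_dmz", "ip",  97,    "EoIP mobility data tunnel"),
]

# Zone pairs that must have no rule at all: clients and the DMZ never get a
# path toward the controller/AP management plane or the internal server zone.
FORBIDDEN = [
    ("corp_wifi",  "wlc_mgmt", "any", 0, "clients to controller management"),
    ("corp_wifi",  "ap_mgmt",  "any", 0, "clients to AP management"),
    ("anchor_dmz", "servers",  "any", 0, "DMZ anchor to internal servers"),
    ("anchor_dmz", "wired",    "any", 0, "DMZ anchor to wired users"),
]

# Firewall rules as "currently configured" (constructed, with deliberate gaps).
POLICY = {
    ("ap_mgmt",   "wlc_mgmt",   "udp", 5246),
    ("ap_mgmt",   "wlc_mgmt",   "udp", 5247),
    ("wlc_mgmt",  "servers",    "udp", 1812),
    ("wlc_mgmt",  "servers",    "udp", 1813),
    ("servers",   "wlc_mgmt",   "udp", 161),
    ("wlc_mgmt",  "anchor_dmz", "udp", 16666),
    ("corp_wifi", "wlc_mgmt",   "tcp", 443),   # mistake: clients reach the WLC GUI
}


def find_overlaps(plan):
    """Pairs of zones whose prefixes overlap; you cannot firewall a zone
    from one it shares address space with."""
    nets = {name: ip_network(prefix) for name, prefix in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def permitted(policy, src, dst, proto, port):
    """A flow is allowed by an exact rule or by a zone-wide 'any' rule."""
    return (src, dst, proto, port) in policy or (src, dst, "any", 0) in policy


def missing_flows(policy, required=REQUIRED):
    """Required flows the policy does not allow: APs that never join,
    ISE unreachable, the anchor tunnel that never comes up."""
    return [flow for flow in required if not permitted(policy, *flow[:4])]


def forbidden_hits(policy, forbidden=FORBIDDEN):
    """Rules that open any path across a zone pair that should stay closed."""
    return sorted((rule, why) for src, dst, _, _, why in forbidden
                  for rule in policy if rule[0] == src and rule[1] == dst)


def needs_l3_discovery(plan):
    """APs only find a controller by subnet broadcast when they share its
    subnet. Putting them in their own subnet means DHCP option 43 or the
    CISCO-CAPWAP-CONTROLLER DNS record must carry the controller address."""
    return ip_network(plan["ap_mgmt"]) != ip_network(plan["wlc_mgmt"])


def audit(plan=PLAN, policy=POLICY):
    return {
        "overlaps": find_overlaps(plan),
        "missing": missing_flows(policy),
        "forbidden": forbidden_hits(policy),
        "l3_discovery_required": needs_l3_discovery(plan),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run against the constructed POLICY it reports three missing flows (NMSP to the MSE, SNMP traps to Prime, and the EoIP data side of the mobility tunnel, a common one to forget because the control side on UDP 16666 comes up fine without it) and one forbidden rule (clients reaching the WLC on 443). Swap in your own prefixes and rule export; the REQUIRED list is the part worth keeping under version control next to the firewall policy.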

Similar Messages

  • Urgent Help Required for Unified wireless network help

    Dear Community
I need urgent help for a wireless unified network setup to deploy in a college.
The scenario for this network is that I have a WLC 5500 and 12 LWAPP 1252 series APs for this deployment, and there is already an existing LAN
network to connect the new wireless unified setup to.
Here is the above proposed topology.
I need help for this setup, like:
I know the basic configuration on the controller, but I really do not know what steps I need to configure on the controller from the GUI for each access point. As you can see above, I have three floors in the building and I want to configure three SSIDs, like Employee, Contractors and Guest, for each floor, and how to configure the encryption type and shared key for each SSID,
and what I have to configure on the APs to join them to the controller,
and how to configure RF grouping for each floor.
Please, I need an urgent reply because I have to finish this whole setup in one week only.
Thanks in advance.

    Hi,
Whatever you want, the link below has everything. Just click on the item you need from the menu and it will walk you through it.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70.html
    1>> Configure WLANs.
    2>> Configure AP Grouping.
    Regards
    Surendra

  • IP Addressing / Subnetting for AP's connected to 4404 controllers?

    Is there a pro/con, or best practice regarding the ip addressing for your AP's when having them connected to wireless controllers?
    Basically I am trying to decide if the AP's should just use the same VLAN and subnet as what the wireless clients will use, or something different?
I know that part of the LWAPP process for finding controllers depends on it grabbing a DHCP address, which, if you configure the switch port for the AP according to the deployment guide, means you are setting the access VLAN to the one your wireless clients will use. So the AP will grab DHCP from the client scope, then broadcast out on that subnet looking for a controller.
    So far all seems fine and good, and I know you can change the IP address of the AP if you want once it is homed into the controller. But I simply don't know if there is a best practice regarding this.
    Leave the APs IP on same subnet/vlan as the wireless clients or move the AP's to a new one.
    Maybe I am over thinking this, and it really doesn't matter?
    I have two controllers at two main locations, each going to support about 15 AP's. Same SSID at each location and using PEAP.
Thinking about basically allocating two Class Cs, one for each location, for the wireless clients and just doing some reservations from each Class C scope for the APs.
    What would be the negatives of doing things this way? Any suggestions or pros/cons would be appreciated.

OK, so it seems from replies here and in other forums that the wireless clients should be on their own VLAN, separate from the APs and controllers.
Which leads me to another question: should the APs and controllers be on the same VLAN, not be on the same, or doesn't it matter?
    One pro of being on the same vlan and subnet is the AP's can easily home in to the controller since it will broadcast out to its subnet looking for a controller.
    Any con to this?

  • HT1218 I'm trying to set up a new iPad..it asks for my WiFi network.. I find the network..then it asks for information that I have no idea about: IP address, Subnet Mask, Routet, DNS, Search Domains, Client ID..also the headings are: DHCP,BootP, Static..c

I am trying to set up my new iPad. It asks for a WiFi connection, which I have, then the next page asks for these things: DHCP, BootP, Static, then IP address, Subnet Mask, Router, DNS, Search Domain, Client ID, then HTTP Proxy. I have no idea what any of this means. Can someone please help me?

    Thank you sooo much. I was so disappointed...I couldn't wait to get started with the new iPad..then ran into the problem. So simple. You made my day. Thank you for your expertise!!

  • When selecting a network, it is asking for IP address, Subnet, etc.

    I am having trouble signing in to a wifi account. It's asking for IP address, subnet, etc

    That information screen appears when you press the little blue arrow to the right of the name of the network. Try clicking on the name itself. If you see there is already a check mark and the name is blue congratulations you're connected.

  • On my home wireless network, the iphone 5 won't let me enter the IP address, subnet mask and router info. I was able to enter the DNS and Search Domains. How do I open up those fields?

    On my home wireless network, the iphone 5 won't let me enter the IP address, subnet mask and router info. I was able to enter the DNS and Search Domains. How do I open up those fields?

    Apparently the router is not sending the info to the iphone. How can I make that happen?

  • I have a WiFi home connection. It works on my laptop but has stopped working on my iPad, which I tried resetting but it didn't help. It recognises the SSID but then asks for IP Address, Subnet Mask, Router etc. Any ideas on what to do?.

    I have a WiFi home connection. It works on my laptop but has stopped working on my iPad, which I tried resetting but it didn't help. It recognises the SSID but then asks for IP Address, Subnet Mask, Router etc. Any ideas on what to do?.

    1. Turn router off for 30 seconds and on again
    2. Settings>General>Reset>Reset Network Settings

  • Best Practice for FlexConnect Wireless roaming in MediaNet environment?

    Hello!
    Current Cisco best practice recommendations for enterprise MediaNet design, specify that VLANs be local to a switch / switch stack (i.e., to limit the scope of spanning-tree). 
    In the wireless world, this causes problems if you want users while roaming to keep real-time applications up and running.  Every time they connect to a new AP on a different VLAN, then they will need to get a new IP address, which interrupts real-time apps. 
    So...best practice for LAN users causes real problems for wireless users.
    I thought I'd post here in case there's a best practice for implementing wireless roaming in a routed environment that we might have missed so far!
    We have a failover pair of FlexConnect 7510s, btw, configured for local switching for Internal users, and central switching with an anchor controller on the DMZ for Guest users.
    Thanks,
    Deb

    Thanks for your replies, Stephen and JSnyder.
The situation here is that the original design engineer is no longer here, and the original design was not MediaNet-friendly, in that it had very few /20 subnets bridged over entire large sites.
These several large sites (with a few hundred wireless users per site) are connected to an HQ location (where the 7510s in failover mode are installed) via 1G Ethernet hand-offs (MPLS at the WAN provider). The 7510s are new, and are replacing older controllers at the HQ location.
    The internal employee wireless users use resources both local to their site, as well as centralized resources.  There are at least as many Guest wireless users per site as there are internal employee users, and the service to them consists of Internet traffic only.  (When moved to the 7510s, their traffic will continue to be centrally switched and carried to an anchor controller in the DMZ.) 
    (1) So, going local mode seems impractical due to the sheer number of users whose traffic bound for their local site would be traversing the WAN twice.  Too much bandwidth would be used.  So, that implies the need to use Flex / HREAP mode instead.
    (2) However, re-designing each site's IP environment for MediaNet would suggest to go routed to the closet.  However, this breaks seamless roaming for users....
    So, this conundrum is why I thought I'd post here, and see if there was some other cool / nifty solution I wasn't yet aware of. 
    The only other (possibly friendly to both needs) solution I'd thought of was to GRE tunnel a subnet from each closet to the collapsed Core / Disti switch at each site.  Unfortunately, GRE tunnels are not supported in the rev of IOS on the present equipment, and so it isn't possible to try this idea.
    Another "blue sky" idea I had (not for this customer, but possibly elsewhere in the future), is to use LAN switches such as 3850s that have WLC functionality built-in.  I haven't yet worked with the WLC s/w available on those, but I was thinking it looks like they could be put into a mobility group, and L3 user roaming between them might then work.  Do you happen to know if this might be a workable solution to the overall big-picture problem? 
    Thanks again for taking the time and trouble to reply!
    Deb

  • Unified wireless guest access

Hi, I need help in configuring unified wireless guest access. I have followed the guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.
But the problem is it still does not work. What I don't get is that the interface for the Guest SSID on the foreign controller is management. Does this mean that I have to get an IP address first from the management segment before I can get an IP from the anchor WLC?
My setup is that I have an anchor controller which is on a different LAN from where my foreign WLC is. The anchor WLC has the DHCP scope and the local net user database. I have already joined the two WLCs to each other's mobility group. Also, I have configured the mobility anchor on the WLAN (SSID) of the foreign controller.
Another thing is that the AP I'm trying to use is on a different site from where my controller is. I'm not sure if this is the one causing the problem.
Can someone help point out my mistake?

It's rare that I have a difference in opinion from both of you guys, but let me share with you an issue I had.
If you map the foreign controller's WLAN to the management interface and the tunnel breaks for whatever reason, the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.
I know this because I saw it for myself when I had anchor issues.
I opened a TAC case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to; this is over a year ago now. But I then followed up with a Cisco SE on the Advanced Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Texas Medical Center had the Cisco advanced team install their controllers, and they too had dummy interfaces on the foreign controllers for guest.
Just my 2 cents... Add a dummy interface called dummy_guest_interface and tie it to 222.222.222.222 or something like that; no need to add anything on the wired side.
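The failure mode in that reply (anchored guest WLAN falls back onto whatever interface it is mapped to on the foreign controller) is easy to audit from a controller inventory, so here is an added example that does it. It is not code from the thread or from Cisco, and the interface names, addresses, anchor IP and routed-prefix list are constructed assumptions. It flags any remotely anchored WLAN whose local interface is management, or whose local interface sits inside a prefix the core actually routes, since a "dummy" that is reachable is not a dummy.

```python
from ipaddress import ip_interface, ip_network

# Constructed snapshot of a foreign controller's interfaces and WLAN mappings.
# Names, addresses and the anchor IP are assumptions, not from any real WLC.
INTERFACES = {
    "management":            "10.10.20.5/24",
    "corp-data":             "10.10.100.5/22",
    "dummy_guest_interface": "192.0.2.1/24",   # RFC 5737 space, routed nowhere
}
WLANS = [
    {"ssid": "corp",      "interface": "corp-data",             "anchor": None},
    {"ssid": "guest",     "interface": "management",            "anchor": "192.168.200.10"},
    {"ssid": "guest-new", "interface": "dummy_guest_interface", "anchor": "192.168.200.10"},
]
# Prefixes the internal core routes; an interface inside them is reachable.
ROUTED_INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def leaks_on_tunnel_failure(wlan, interfaces=INTERFACES, routed=ROUTED_INTERNAL):
    """True if losing the mobility tunnel would leave this WLAN's clients on a
    segment that has a path into the internal network."""
    if wlan["anchor"] is None:
        return False  # locally switched WLAN; no anchor tunnel to lose
    if wlan["interface"] == "management":
        return True   # the case described in the reply above
    local = ip_interface(interfaces[wlan["interface"]]).network
    return any(local.overlaps(ip_network(prefix)) for prefix in routed)


def audit(wlans=WLANS, interfaces=INTERFACES, routed=ROUTED_INTERNAL):
    """SSIDs whose anchor mapping fails open on the foreign controller."""
    return [w["ssid"] for w in wlans
            if leaks_on_tunnel_failure(w, interfaces, routed)]


if __name__ == "__main__":
    print("fail-open guest WLANs:", audit())
```

On the constructed data only "guest" is reported; "guest-new" is anchored the same way but mapped to a dummy whose prefix is outside everything the core routes, so a tunnel outage strands its clients instead of landing them on the management VLAN. The routed-prefix list is the part to get right: pull it from the core's routing table rather than guessing, otherwise a dummy address that happens to be routed passes the check.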

  • Best Network Settings for mostly wireless, sometimes wired?

    Folks:
    My household --4 desktops Macs, 2 MacBooks, all running 10.4.x or 10.5.x-- lives by using DSL via a Netopia router controlling a LAN, with Cat 5 strung to six desks. No problem there, everything works. Note: for historical reasons --because, mostly, I forget what they were-- all desktops have static IP addresses.
    But sometimes one of us wants to work in the house on a MacBook where there is no Cat 5 strung, that is, wirelessly. It's simple enough to set up a wireless server on one of the Airport-equipped desktops and make certain it stays awake.
    That works, too, as long as each MacBook is configured with separate Network Preference "Locations" -- one for "Wired" and one for "Wireless", and the wireless configuration is IPv4 using DHCP with IPv6 disabled. Specifically, this requires the user to switch the Location when he/she connects or disconnects a Cat 5 cable.
    My questions:
    1. Is there a way of configuring the MacBooks so they will work without the requirement switching the Location when removing or connecting a LAN cable?
    2. Can this configuration also accommodate what is needed for typical hotspots out there in "the outside world", as in coffee-shops, etc, again without switching the Network Preference Location?
    3. Bonus Questions: Would this problem be easier if I modified the wired system configuration to use DHCP instead of fixed IPs? By the way, the Netopia Router will assign addresses in the 192.168.0 to 192.168.15 range, no others.
    4. Double Bonus Questions: What are the responses to the above questions, if instead of serving the wireless from one of the desktops, we added a wired/wireless router, say, a D-LINK WBR1310B1 to the LAN? Yes, it's true, we have already tried that. (Our teenager bought and installed it without my...help.) It worked for a while, something unknown changed, and now wiring up the D-LINK brings down the entire LAN. In other words, what are the "issues" of running wired AND wirelessly, and using Airport remotes with a foreign (non-Apple) wireless router?
    TIA,
    Henry

    1. Is there a way of configuring the MacBooks so they will work without the requirement switching the Location when removing or connecting a LAN cable?
    Yes, but it's a little freaky (in other words, using the Location menu is the better solution).
    To do what you want you need to setup the wireless network on the desktop using a different subnet (e.g. 10.1.x.x) and enable internet sharing (System Preferences -> Sharing).
    Then connect the MacBook to the wireless network and make sure it's set for DHCP (the desktop Mac will act as a DHCP server for the wireless network).
    Now the kicker is to use MacBook's System Preferences -> Network -> Set Service Order to make sure the ethernet interface is above the AirPort interface. Now the MacBook will use the ethernet interface if it's there and fall back to the AirPort if the ethernet is down.
    2. Can this configuration also accommodate what is needed for typical hotspots out there in "the outside world", as in coffee-shops, etc, again without switching the Network Preference Location?
    Yes. Most hot-spots will require the use of DHCP on the client, which is the same as how it's set above.
    3. Bonus Questions: Would this problem be easier if I modified the wired system configuration to use DHCP instead of fixed IPs?
    Yes, but not significantly enough to worry about.
    What are the responses to the above questions, if instead of serving the wireless from one of the desktops, we added a wired/wireless router, say, a D-LINK WBR1310B1 to the LAN?
    The setup on the client would be the same - the main point is in setting the interface preferences so that the wired ethernet has precedence.
    However, a dedicated base station will offer other advantages such as WPA encryption (the Mac-based base station only offers the weaker WEP), and no requirement to leave the desktop Mac running.
    From a 'which base station' standpoint, the Apple base stations would be easier to run in an all-Mac environment, but most of the major brands now use web-based interfaces which make them reasonably easy to manage from a Mac. The issue with your D-Link is almost certainly one of misconfiguration rather than incompatibility, but without knowing how it was setup it's hard to advise further.

  • Setting up Snow Leopard Server with Address Book, iCal for Small Business

    Hello Folks,
    I have a small business with 2-3 people and I want to setup Snow Leopard Server on a Mac Mini. I have everything in place, RAID, Backup drive etc.
    What I need is a guide on how to setup the server correctly and how to setup Address Book Server, iCal Server, DNS, etc. I was in IT a long while back but have gone back to my creative roots and sworn off IT but I am in a situation where my IT guy's wife is pregnant so he is busy painting the baby's room, etc.
    I was looking at Snow Leopard Server for Dummies and a few other books. Do you guys have any suggestions on resources for me to read or research that would give me very straightforward steps in getting this setup. I am at a point where I can re-install from scratch if needed.
    For the ease of those that might respond let's assume I know my way around Mac and general networking as a whole.
    Thanks in advance for any advice.
    Cheers,
    Jason

    Hi Guys,
    First of, I will give you a brief background on me regarding networking as a mac user since 1994. I can setup and network multiple macs without a server in our home and small office. Turning file, print and internet sharing with a regular Mac OS X client version at no problem at all. This would be my first time setting up a Mac OS X Snow Leopard Server.
I'm in the same boat as Jakekub, but we do not have a static IP from our DSL provider. We just bought a Mac Mini Server for our small office with 3 iMacs and 1 MacBook. We will just use the server for internal usage, to centralize things and use some of the server's features like Address Book, Mail, iCal, etc. I've searched the forums and found Orhidy's post here:
http://discussions.apple.com/thread.jspa?threadID=2148553
I even followed the sample IP Address, Subnet Mask, Router, DNS Server, and I think I had it correctly set up initially. And I think I got it all running on the basic setup based on his instructions. So I tried to test my DNS settings via Terminal > hostname and got the answer
servername.companyname.private
And double-checking DNS again with the command sudo changeip -checkhostname, I was given the answer:
    Primary address = 192.168.1.192
    Current Hostname = servername.companyname.private
    DNS Hostname = servername.companyname.private
    The names match. There is nothing to change
    dirserv:success = "success"
But here's another one that bugs me. I tried to follow the command line from "Mac OS X Snow Leopard for Dummies":
nslookup hostname
    and got an answer of:
    ;; Got SERVFAIL reply from 192.168.1.192, trying next server
    Server: 192.168.1.1
    Address: 192.168.1.1#53
    ** server can't find hostname: NXDOMAIN
    So does it mean that I still haven't configured my server properly?
    Thank you all for the help in advance!
    dive

  • Generate Prime Interface Availability and Utilization Report for unified APs

    Hi,
I'm trying to generate interface availability and interface utilization reports for unified APs on Prime Infrastructure 2.0, but it doesn't display any information. I have created device health and interface health templates under Design/Monitor configuration/My templates and deployed them under Deploy/Monitoring deployment, but it still doesn't show any information.
Thanks for your help.

    Hi Alejandro,
    Did you solve this problem? Or is it a bug?
I face the same issue as you. I just run "Report/Report Launch Pad/Device/Interface Utilization"
and then I create a report for interface utilization.
But it displays nothing when the report run is finished.
I asked some guys in this forum, and they said maybe it's a PI 2.1 bug.
    BR
    Frank

  • How to setup a static IP for a wireless printer

This problem has been ongoing for several versions of OS X and the last five printers I've had, and I'm finally over messing with it. For some reason, when using a wireless printer with OS X this is a repetitive problem, and I think if I configured the printer to a static IP address instead of using DHCP, it might work better. At least once a week, if not more often, I'll print something and get the ubiquitous Dock error of "Printer is not connected". The printer is still in Preferences, but if I delete it, then it doesn't show up as it should for selection.
    The only way to fix this is reboot, and then the printer shows up again in Preferences.  I select it and all is well again...until a few days pass and the same thing happens again.  Using an HP LaserJet P1102w, still a current model, but it doesn't matter which printer I use.  I also have an Epson Artisan 725 and the same thing happens with it about once a week.  Also, this happens from both my Mac and my wife's Mac, so it's not an issue with just my machine.
    I've searched for documentation on how to setup a static IP address for a wireless printer with the Airport Extreme, but all I find are tutorials on how to do it with an ethernet hard-wired printer.  Any help would be greatly appreciated.

    You could set up your router to do manual assignment of IP address instead of using DHCP, but that is a PITA, because then you'd have to manually set up IP for all your devices.
If you have an AirPort Extreme, you could do this:
In your Apple TV, go to Settings >> About and write down the MAC address of your ATV
Start up the AirPort Admin Utility
    Go to Network tab
    click + in the DHCP reservations
    Choose an IP you want for your ATV & Enter the MAC address
    From now on, this IP address will be reserved to the MAC address and only your ATV will be able to get it, no other device will.
    It is not a static IP in a true sense, but behaves just like one.
    Works great for me...
If you don't have an AirPort Extreme, I'm sure other routers will allow you to do reservations too.

  • My wifi network connection is not working, will read "unable to join". Am able to access as a guest.  When I hit the blue arrow on the right hand side of my network there is no information e.g ip address, subnet mask, etc.  This info is in my guest area.

My network has not been working today. When I click on it, it says "unable to access the network". My guest network will work. When I hit the blue arrow on the right-hand side of my network, there is no information in the IP address, subnet mask, router, etc. There is information in my guest section when I checked. I have unplugged and replugged my router and turned my WiFi button off and on, and started and restarted my iPod as per internet suggestions. Would anyone know how to get my network reactivated? I am nervous to hit reset network settings in case I lose all my music and icons, etc. added since I got my iPod. Thank you for any assistance.

    Do other devices now connect?
    Did the iPod connect before?
    What encryption/security is the router using?
    Try:
    - Reset the iOS device. Nothing will be lost
    Reset iOS device: Hold down the On/Off button and the Home button at the same time for at
    least ten seconds, until the Apple logo appears.
    - Power off and then back on the router
    - Reset network settings: Settings>General>Reset>Reset Network Settings
    - iOS: Troubleshooting Wi-Fi networks and connections
    - iOS: Recommended settings for Wi-Fi routers and access points
    - Restore from backup. See:
    iOS: How to back up
    - Restore to factory settings/new iOS device.
    - Make an appointment at the Genius Bar of an Apple store.
    Apple Retail Store - Genius Bar

  • Fix for Airport Wireless Connection Problem stating Self-Assigned IP and not wanting to connect in Lion OSX.

    Fix for Airport Wireless Connection Problem stating Self-Assigned IP and not wanting to connect in Lion OSX.
Bought my girlfriend the newest MacBook Pro 13" and began experiencing problems with my WiFi the moment we got home. Her MacBook would not connect to our home Wi-Fi, while my old MacBook Late 2008 running Snow Leopard connected without a problem. AirPort would say that it had a Self-Assigned IP address (169.x.x.x). I did not realize it was a Lion problem until, after using her MacBook Pro and becoming jealous of the new OS X, I upgraded. Soon after, I was unable to go online. Luckily I had my iPad 2 and I began to scour the net for help. I ran into a lot of suggestions, but it was not until I tried the following all together that I was able to share the good news, from my MacBook. Hope this works:
    First go to Preferences > Network and click on the cog next to the + and - on the sidebar and click Set Service Order
         - Move Wi-Fi to the top and click ok.
         - Set location to Automatic
         - Click Apply
         - Click Advanced
         - Click the "-" on the selected Wi-Fi router you wish to connect to
         - Click Apply
         - Click Lock to Prevent Further Changes
    Go to your Mac's harddrive, (Macintosh)
         - Go to Library > Preferences > SystemConfiguration >
         - Delete "com.apple.airport.preferences.plist" file
    Turn off your computer
         - push and hold Option+Command+R+P
         - turn on computer
         - when the grey screen turns on you will hear the OS X "ON" sound (for lack of a proper term) and it will momentarily restart.
         - you will once again hear the "ON" sound, let go of all keys.
         - this resets your PRAM
    Go to Preferences > Network > Advanced > + sign
         - click Choose a Network
         - Select your network and enter password
Voilà! I tried this on my MacBook Late 2008 and my girlfriend's new MacBook Pro 2010.

     No, you are clearly mistaken. The Self-Assigned IP address problem exists on many MacBook Pro models, including the current model, which I mentioned as being the original computer with the problem. While my 2008 MacBook is older, it was working perfectly on Snow Leopard and didn't suffer issues until switching to Lion. So clearly the problem exists in the operating system and not so much the hardware.
     I called Apple Support and they had no fix for the problem, and told me that this would hopefully be addressed in a subsequent update. It wasn't until I came across the answer, after trying many different methods, that I got both of the MacBooks to connect to my router. Otherwise I wouldn't or couldn't have been surfing the internet for the last 4 months.
    Cheers.
