Tuesday, August 5, 2008
Saturday, August 2, 2008
The Website is Down
I know that no one reads my blog, and those that might stumble upon this site probably already know what I'm talking about, but I just learned about a great video called The Website is Down.
I give it 5 stars for making me, and my co-workers, laugh every time we watch it.
Basically, the movie is IT helpdesk related. Just watch and enjoy...
Cisco Wireless Guest Access
It has come to my attention that with my previous post about wired guest access, I might as well clarify a little about Cisco's wireless guest access.
Cisco's wireless controllers have the ability to "anchor" WLANs to a specific controller. I think from a Route/Switch perspective there is some benefit to this when it comes to roaming users.
Anyhow, I personally think that by complete accident, Cisco discovered this anchoring feature could be used to provide guest access. After all, it is rather ingenious. If you already have the ability to anchor a client to a specific controller, what happens when you anchor a client to a controller that is out in a DMZ? Secured guest access, that's what.
Basically, by anchoring a specific WLAN to the DMZ controller, you've effectively locked your "guest" users out of your network while still using the trusted infrastructure.
The next step now is with wired guest access. As I mentioned in the previous post, you can create a "guest LAN" and anchor it to the DMZ controller as well. It is the exact same concept, except the guest LAN picks up traffic on a specific VLAN whereas wireless guest access picks up traffic from a specific WLAN.
Cisco Wireless - Guest Access from different controller versions
Below you will find a proposed design on how to use Guest Access on Cisco Wireless Controllers with different software revisions.
Why might you have different controllers on different software? The answer is quite simple: Cisco doesn't support the 1000 series access points in 5.x, and the mesh features have their own code, right now only in 4.1.
When using wireless guest access based on anchoring to a DMZ controller, all controllers need to be in the same software version and revision (4.1, 4.2, etc.).
So, if you wanted to take advantage of different features in 5.x, you would either need a different DMZ controller for anchoring or you would have to come up with some other method to anchor your old controller software to the new one.
Version 5.x has this fantastic feature where you can do the Guest Access over a wired connection. Check out this document from Cisco about sample configuration if interested. Anyhow, this feature basically allows you to configure a controller in 5.x code to take traffic on a Layer 2 VLAN and anchor it to a controller. This is basically just how wireless guest access works.
So here is what I think would work great:
All of the 1000 series access points and mesh access points can be on a controller with the mesh code (4.1.XXX). The other internal controller and the DMZ controller can be upgraded to 5.X.
With this done, you should be able to simply break the anchor to the DMZ from the mesh controller and dump the traffic out onto a specified VLAN.
In theory, the 5.X controller would be anchoring that VLAN to the DMZ and there you have it.
Now you've got wireless access as usual from all controllers, but your guest access on the mesh controller anchors to the internal controller (as a wired connection) and is then picked up and sent to the DMZ.
This all sounds good to me. Any thoughts?
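The design above can be checked mechanically before touching any controller. This added example (not part of the original post and not Cisco tooling) encodes the two rules the post states, that anchored controllers run the same version and that wired guest LANs need 5.x, and walks a guest path hop by hop; the controller names, the hop labels and the exact 5.0 release are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Controller:
    name: str
    version: tuple  # (major, minor) software release
    zone: str       # "internal" or "dmz"

ANCHORS = ("wlan-anchor", "guestlan-anchor")

def check_guest_path(controllers, hops):
    """Check one guest traffic path; return a list of problems (empty = OK).

    hops is an ordered list of (source, destination, kind), where kind is
    "wlan-anchor", "guestlan-anchor" or "vlan-handoff" (hypothetical labels).
    """
    problems = []
    for i, (src, dst, kind) in enumerate(hops):
        a, b = controllers[src], controllers[dst]
        if i and hops[i - 1][1] != src:
            problems.append(f"path breaks before {src}")
        # Rule from the post: anchored controllers run the same version.
        if kind in ANCHORS and a.version != b.version:
            problems.append(f"{src}->{dst}: {kind} across versions "
                            f"{a.version} and {b.version}")
        # Rule from the post: wired guest LANs are a 5.x feature.
        if kind == "guestlan-anchor" and a.version[0] < 5:
            problems.append(f"{src}: guest LAN anchor needs 5.x")
        if kind == "vlan-handoff" and b.version[0] < 5:
            problems.append(f"{dst}: cannot pick up a guest VLAN before 5.x")
    # Guest traffic must leave the trusted side through an anchor into the DMZ.
    if hops[-1][2] not in ANCHORS or controllers[hops[-1][1]].zone != "dmz":
        problems.append("guest traffic does not end on an anchor in the DMZ")
    return problems

# Constructed sample topology; names and the exact 5.0 release are assumptions.
WLCS = {c.name: c for c in (
    Controller("wlc-mesh", (4, 1), "internal"),
    Controller("wlc-int", (5, 0), "internal"),
    Controller("wlc-dmz", (5, 0), "dmz"),
)}
DIRECT = [("wlc-mesh", "wlc-dmz", "wlan-anchor")]
PROPOSED = [("wlc-mesh", "wlc-int", "vlan-handoff"),
            ("wlc-int", "wlc-dmz", "guestlan-anchor")]

if __name__ == "__main__":
    for label, path in (("direct", DIRECT), ("proposed", PROPOSED)):
        print(label, check_guest_path(WLCS, path) or "OK")
```

The check covers versions and where the path ends, not the handoff VLAN itself, which still has to stay Layer 2 only between the two controllers so guests cannot reach internal hosts from it.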
