Design Guide for the Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-35
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Architecture Integration
Cisco provides a wide variety of security services that are either integrated into Cisco IOS, integrated into service/network modules, offered as standalone appliances, or offered as software.
The Cisco Unified Wireless Network architecture eases the integration of these security services into the solution because it provides a Layer 2 connection between the WLAN clients and the upstream wired network. This means that appliances or modules that operate by being "inline" with client traffic can be easily inserted between WLAN clients and the wired network. For example, an older WLSM-based deployment requires the implementation of VRF-Lite on the Cisco 6500 to enable WLAN client traffic to flow through a Cisco Firewall Service Module (FWSM); whereas in a Cisco Unified WLAN deployment, a WiSM can simply map the (WLAN) client VLAN directly to the FWSM. The only WLAN controllers in the Cisco Unified Wireless portfolio that cannot directly map WLAN traffic to a physical/logical interface at Layer 2 are ISR-based WLC modules. An ISR WLAN module does have access to all the IOS and IPS features available on the ISR, but IP traffic from the WLAN clients must be directed in and out of specific ISR service module interfaces using IOS VRF features on the router.
Figure 4-30 shows an example of architectural integration between a WiSM and the FWSM module. In this example, the WLAN client is on the same subnet as the outside firewall interface. No routing policy or VRF configuration is required to ensure that WLAN client traffic in both directions goes through the firewall.
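A minimal configuration for the Figure 4-30 layout, added here as an illustration and not taken from the design guide: VLAN 30 carries the WLAN clients to the FWSM outside interface (10.1.30.1) and VLAN 40 carries the FWSM inside interface (172.28.1.2), so every client packet crosses the firewall without any VRF or policy routing. The VLAN and slot numbers, the MSFC inside address, the WLC interface name and address, and the single permitted service are assumptions.

```cisco
! --- Catalyst 6500 supervisor (MSFC) ---
! Hand VLAN 30 (WLAN clients / FWSM outside) and VLAN 40 (FWSM inside) to the
! FWSM in slot 5, and allow only VLAN 30 toward the WiSM controller in slot 3.
! Slot and VLAN numbers are assumed.
firewall vlan-group 1 30,40
firewall module 5 vlan-group 1
wism module 3 controller 1 allowed-vlan 30
!
! Deliberately no "interface Vlan30" on the MSFC: the FWSM outside address
! must be the clients' only Layer 3 next hop, otherwise client traffic could
! be routed around the firewall.
interface Vlan40
 description FWSM inside / enterprise network
 ip address 172.28.1.1 255.255.255.0
!
! --- FWSM (routed mode) ---
interface Vlan30
 nameif outside
 security-level 0
 ip address 10.1.30.1 255.255.255.0
!
interface Vlan40
 nameif inside
 security-level 100
 ip address 172.28.1.2 255.255.255.0
!
! Clients sit on the lower-security side, so nothing reaches the inside
! network unless an ACL on "outside" permits it; here only HTTPS to the
! assumed 172.28.1.0/24 server network is allowed (least privilege).
access-list outside_in extended permit tcp 10.1.30.0 255.255.255.0 172.28.1.0 255.255.255.0 eq 443
access-group outside_in in interface outside
!
! --- WLC (WiSM controller) CLI ---
! Dynamic interface "wlan-clients" (name and 10.1.30.10 address assumed) on
! VLAN 30; clients use the FWSM outside address as their default gateway.
config interface create wlan-clients 30
config interface address wlan-clients 10.1.30.10 255.255.255.0 10.1.30.1
```

Confirm the intended path from the client side: a traceroute from a WLAN client (such as 10.1.30.22 in the figure) to an inside host should show 10.1.30.1 as the first hop and no MSFC address on VLAN 30.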
A Cisco Network Admission Control (NAC) Appliance (formerly Cisco Clean Access) can be implemented in combination with a WLAN deployment to ensure that end devices connecting to the network meet enterprise policies for compliance with the latest security software requirements and operating system patches. Like the FWSM module discussed above, the Cisco NAC Appliance can also be integrated into a Cisco Unified Wireless Network architecture at Layer 2, thereby permitting strict control over which wireless user VLANs are subject to NAC policy enforcement.
Figure 4-30 Firewall Module Integration Example
In addition to ease of integration at the network layer, the Cisco Unified Wireless Network solution provides integration with Cisco IDS deployments, allowing clients blocked by the Cisco IDS to be excluded from the Cisco Unified Wireless Network.
For more information on the design and configuration of these solutions, as well as Cisco Security Agent (CSA) WLAN features, see the Secure Wireless Design Guide 1.0 at the following URL:
.
[Figure 4-30 diagram labels: Catalyst 6500 with Forwarding Engine and FWSM (Outside interface 10.1.30.1, Inside interface 172.28.1.2); selected VLAN(s) carried over dot1Q trunks; LWAPP access points; WLAN client IP 10.1.30.22]