Wanted to verify a design and determine what flaws or inherited risks are associated with it.
We have the APs attached to the inside access-layer switches, using VLAN tags to drop corporate users on their respective VLANs. We also tag guest traffic on a separate VLAN, but this is also on the inside network. I have the Layer 3 SVI for the guest VLAN ACL'd off as a whole, denying traffic from leaking back into the corporate LAN and only permitting internet-bound traffic. Our edge firewall also denies this traffic from leaking back into the corporate LAN. The guest network is just a straight shot out. The APs' airspace-acl sent from ISE changes the local ACL on the endpoint's connection, and the SSID itself also denies traffic to the internal subnets but allows everything else straight out to the internet. Under the following circumstances, is our guest network presumably safe to advertise while still connected to the inside of our network?
• Guest VLAN isolated from corporate internal VLANs
• Guest VLAN is ACL'd from accessing internal subnets
• Guest SSID ACL'd from accessing internal subnets
• Guest subnet ACL'd at edge firewall from u-turning
• Trunking switchports to the AP, and native VLAN is an unused VLAN
• Layer 2 isolation is enabled on the AP
edited for typos
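One way to sanity-check the SVI ACL layer of the design described above is to parse an IOS-style extended ACL and evaluate sample guest flows against it, so that rule order and the implicit deny are exercised rather than assumed. The following is an added example, not the poster's configuration: the ACL text, the corporate range 10.0.0.0/8, the internal DNS server 10.50.0.1, and the guest subnet 192.168.200.0/24 are all constructed assumptions, and the parser handles only the `permit`/`deny`, `any`/`host`/wildcard and `eq <port>` subset shown. Note that guest-to-guest traffic on the same VLAN never reaches the SVI, so this check says nothing about that path; that is what the Layer 2 isolation on the AP covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical inbound ACL for the guest SVI (assumption, not the poster's config).
# The one permit before the RFC1918 denies is the usual caveat: if guests must use an internal
# DNS or DHCP server, that host/port has to be allowed explicitly, and nothing else on it.
GUEST_IN_ACL = """
remark guest SVI inbound: allow internal DNS, block everything else internal, permit internet
permit udp any host 10.50.0.1 eq 53
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""

# Same rules with the catch-all permit placed first: a classic ordering mistake (constructed).
MISORDERED_ACL = """
permit ip any any
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (IOS wildcard mask).
    Returns the network and the number of tokens consumed."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), 2
    wildcard_bits = bin(int(ipaddress.ip_address(tokens[1]))).count("1")
    prefix = 32 - wildcard_bits  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), 2


def parse_acl(text):
    """Parse the supported subset of IOS extended-ACL lines into Rule objects, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, n = _parse_addr(t[2:])
        rest = t[2 + n:]
        dst, n = _parse_addr(rest)
        rest = rest[n:]
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dst_port=None):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"


def check_guest_isolation(acl_text):
    """Evaluate the flows the design claims to allow or block; every value should be True."""
    rules = parse_acl(acl_text)
    guest = "192.168.200.25"  # constructed guest client address
    return {
        "corp_blocked": evaluate(rules, "tcp", guest, "10.20.30.40", 445) == "deny",
        "dns_allowed": evaluate(rules, "udp", guest, "10.50.0.1", 53) == "permit",
        "dns_host_other_ports_blocked": evaluate(rules, "tcp", guest, "10.50.0.1", 22) == "deny",
        "internet_allowed": evaluate(rules, "tcp", guest, "93.184.216.34", 443) == "permit",
    }


if __name__ == "__main__":
    for name, acl in (("GUEST_IN_ACL", GUEST_IN_ACL), ("MISORDERED_ACL", MISORDERED_ACL)):
        print(name, check_guest_isolation(acl))
```

Running the check against both ACLs shows every flow behaving as intended for the first and `corp_blocked` failing for the misordered one, which is the kind of regression worth catching before the edge firewall is relied on as the only remaining layer.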