SWAN Central Switch Design Considerations

The SWAN central switch deployment mode, discussed in Chapter 9, can have a number of implications for how the network designer layers security in the WLAN deployment. The exact implications depend on which security framework (802.1X/EAP or VPN) the network designer has selected for the WLAN deployment.

In embedded security design environments, the central switch deployment primarily affects how you integrate additional security technology, such as firewalls and network intrusion detection, after the end user has been admitted to the WLAN. Figure 10-5 depicts how multiple WLAN VLANs are tunneled via multipoint Generic Routing Encapsulation (mGRE) across access layer or distribution layer Ethernet switches to the 6500 with the Wireless LAN Services Module (WLSM).

Figure 10-5. Central Switch Design Considerations with Embedded Security


After the mGRE tunnels are terminated on the 6500, the WLAN traffic is routed to the additional network security devices (firewall and network intrusion detection) for inspection. In VPN overlay design environments, the centralized switching mode impacts how and where you position the VPN gateway device and additional security technology. Figure 10-6 depicts how IPSec VPNs from multiple clients on differing WLAN VLANs are tunneled via mGRE across access layer or distribution layer Ethernet switches to the 6500 with the WLSM.

Figure 10-6. Central Switch Design Considerations with VPN Overlays


After the mGRE tunnels are terminated on the 6500, the WLAN IPSec VPN traffic is routed to the VPN gateway device that sits between the WLAN and the corporation's core network. Any additional security devices, such as network intrusion detection, are placed after the VPN gateway. This design has two main benefits. First, it offers an easy way to centralize the VPN gateways within a large campus environment. Second, it enables Layer 3 mobility for VPN users across a large campus.
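As an added illustration (not taken from the book or from Cisco's own documentation), the following Cisco IOS fragment shows how the flow in Figures 10-5 and 10-6 is enforced on the 6500: one WLAN VLAN terminates on an mGRE tunnel interface, and policy routing forces its de-tunneled traffic through the inspection device (firewall and IDS, or the VPN gateway in the overlay design) in both directions before it can reach the core. All addresses, interface numbers and names are assumptions, and the `mobility network-id` line is the WLSM linkage command whose value is assumed to match the WLAN network defined on the module.

```cisco
! Added example; addresses and names are assumed. 192.0.2.0/24 and
! 203.0.113.0/24 are documentation ranges, not real deployment values.
!
! Source address shared by all mGRE tunnels from the access points
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Tunnel terminating WLAN VLAN 172. Traffic arriving here has already
! been de-tunneled; the policy route-map sends it to inspection.
interface Tunnel172
 description WLAN VLAN 172 (assumed employee SSID)
 ip address 172.16.172.1 255.255.255.0
 tunnel source Loopback0
 tunnel mode gre multipoint
 mobility network-id 172
 ip policy route-map WLAN-TO-INSPECT
!
! Link toward the inside of the firewall / IDS (Figure 10-5). In the
! VPN overlay design (Figure 10-6) this would be the VPN gateway.
interface Vlan900
 description Inspection device inside interface
 ip address 203.0.113.1 255.255.255.0
!
! Uplink to the campus core; return traffic for the WLAN subnet is
! also policy-routed so the inspection device is not bypassed.
interface GigabitEthernet1/1
 description Core uplink (assumed)
 ip address 198.51.100.1 255.255.255.252
 ip policy route-map CORE-TO-INSPECT
!
ip access-list extended FROM-WLAN-172
 permit ip 172.16.172.0 0.0.0.255 any
ip access-list extended TO-WLAN-172
 permit ip any 172.16.172.0 0.0.0.255
!
! Outbound: WLAN -> inspection device -> core
route-map WLAN-TO-INSPECT permit 10
 match ip address FROM-WLAN-172
 set ip next-hop 203.0.113.2
!
! Inbound: core -> inspection device -> WLAN tunnel
route-map CORE-TO-INSPECT permit 10
 match ip address TO-WLAN-172
 set ip next-hop 203.0.113.2
```

Traffic the inspection device hands back on Vlan900 is routed normally, so the Tunnel172 subnet and the core are reachable from each other only through the device, which is the property the design depends on.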