Hi Julian,
All scenarios you describe are possible. Of course, some are not the optimum solution.
Just adding ACLs to the controller and leaving them on the core switches will be secure, but WiFi traffic will be filtered twice.
Adding ACLs to the controller and dropping them from the core without changing anything else will reduce security for wired clients.
----------------------------
I prefer to have separate VLANs for wired and wireless. That way you can filter wired at the core and wireless at the controller. But I try to omit filtering at the core (see below...)
For me, the rest depends on how you like to operate this.
DUR for the controller on CPPM will save operational burden.
Not sure, since I have no experience with CPPM and Cisco switches. But I guess DACLs for Cisco would work with CPPM too. You could move wired ACLs to the access switches and save operational burden like with DUR and wireless...
So I would try this route:
- separate wifi to a different VLAN
- use DUR for wireless
- filter wireless only at controller, not at core.
If the customer is willing to do this:
- authenticate users/devices at access switches
- assign ACLs to sessions at access layer, if possible use DACLs
If the above is done:
- drop filters from core switches
A lot of this is just my opinion. Others might decide differently...
Regards, Jö