Adding public access to wifi LAN without compromising security

benpressman · ‎08-24-2010

My hospital has a LAN with a server running Server 2003, about 40 hardwired

work stations and various network printers. The network receives its internet

access through two T-1 lines, each interfaced through a Cisco router. In

addition, several COWS(computers on wheels) connect to the LAN through a

wireless network consisting of three Cisco Aironet 1130AG WAPs using

WPA encryption. We need to be able to give the public access to the

internet without compromising the security of the LAN. Can I create a second

SSID in the 1130AGs in such a way that the public can have access to the

internet, but not be able to hack into the hospital LAN?

Stephen Rodriguez · ‎08-25-2010

Ben,

This is possible, you would need to create a new VLAN on the LAN to support the guest users. Then trunk to the AP, as we will now have multiple SSID and VLAN that we need to pass traffic for. The way you keep the "guest" from the "internal" is to put ACL's up at L3 that deny traffic between the two subnets.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

benpressman · ‎08-25-2010

Thanks for your response Stephen. Pardon my ignorance, but I would appreciate it if I could ask you some questions in order to understand your answer.

So each of my three AP's is connected to the LAN via an ethernet cable. When you say "trunk to the AP", are you talking about how the two separate SSID channels pass their data through the ethernet cable to the LAN and is that set up in the AP? And I don't know what "put ACL's up at L3" means. Other than those minor details, I think I am starting to get your drift.