Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Secure vs. Non-Secure Design

Large health care network with strict security guidelines. The network consists of 6 major sites (hospitals) and a Data Center using Cat 65xx in all cores. We have implmented the following security design standards:

- dedicated FW devices at all exposure points to Internet/Extranets

- no filtering of traffic inside our FW borders

- dedicated DMZ switches for devices outside FW borders

- 128-bit encryption and Radius authentication of all clinical WLAN remotes


Mgmt wants to install AP's in select hospitals for vendors/customers use... these WLANs will have access to the Intenet only. One idea is to provide Internet access to patients and patients' families. My question is regarding design... should I (a) build an entirely separate physical LAN to support this new unsecure WLAN or do I (b) simply put this traffic on a seperate VLAN and use ACLs to keep the private networks safe? I hesitate to give in to option (b), the cheap one, because I have heard a little bit about Layer 2 attacks and it seems to apply here. (And I really don't want to start managing ACL's on all our core 65xx routers.)


Is my concern about Layer 2 attacks valid? Should we continue to maintain integrity at Layers 1/2 or is it considered "safe practice" to rely on Layer 3/4 filtering and VLANs to protect the network?


Re: Secure vs. Non-Secure Design

A quick note: Yes Layer 2 attacks are a valid concern (see link: and view the ppt presentation) but for the most part can be dealt with. If possible, build them off of an existing firewall (eg a PIX) so they are on a DMZ. That way you can limit access to your internal LAN and still provide a high level of security (acls, NAT, layer 2 security etc) and access.

Hope it helps.


CreatePlease login to create content