Cisco Support Community
Community Member

Designing Secure vs. Non-Secure WLANs

I manage a large health care network with very strict security guidelines. We have dedicated FW's at all our exposure points to the Internet and Extranets. This provides an assurance that allows us not to filter any traffic inside our FW borders. We even have a dedicated DMZ switch that only connects devices exposed outside of our FW's. We have approx 100 WLAN AP's installed supporting the secure clinical network. As a policy we use 128-bit encryption and require Radius authentication of all WLAN remotes. We have 6 major sites (hospitals) with core 65xx architecture.


Mgmt wants to install AP's in select hospitals for vendors/customers use... these WLANs will have access to the Internet only and will not compromise the secure network. My question is regarding design... should I (a) build an entirely separate physical LAN to support this new unsecure WLAN or do I (b) simply put this traffic on a separate VLAN and use ACLs to keep the private networks safe? I hesitate to give in to option (b), the cheap one, because I have heard a little bit about Layer 2 attacks and that seems it might apply here. (And I really don't want to start managing ACL's on all our core 65xx routers.)


Is my concern about Layer 2 attacks valid? Are there any other considerations?
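The question above asks whether option (b), a guest VLAN plus ACLs, can be made safe against Layer 2 tricks. The configuration below is an added example for this thread, not something posted by the original author or taken from any vendor document. It shows the two pieces that make the VLAN option defensible on a Catalyst 65xx: a per-VLAN ACL that allows the guest subnet to reach only the Internet, and access-port hardening so the AP port can never become a trunk. VLAN 900, VLAN 999, the 10.200.0.0/24 guest subnet, and the interface names are assumed placeholder values; adjust them to the real topology.

```cisco
! Added example (not from the thread). Assumed placeholders: guest VLAN 900,
! guest subnet 10.200.0.0/24 with gateway 10.200.0.1, native VLAN 999,
! Gi3/1 = guest AP port, Gi3/48 = uplink trunk, clinical VLANs 100-110.
!
! 1. Guest VLAN with an inbound ACL on its SVI. Private (RFC 1918) space is
!    denied explicitly before the final permit, so the guest network cannot
!    reach the clinical network even though the 65xx routes between VLANs.
!    The ACL lives only on the switch that hosts the guest SVI, not on every
!    core router. DNS for guests is assumed to come from a public resolver;
!    an internal resolver would need its own permit line above the denies.
vlan 900
 name GUEST-WLAN
!
ip access-list extended GUEST-IN
 remark DHCP from unconfigured clients (source 0.0.0.0) to the relay/server
 permit udp any eq bootpc any eq bootps
 remark block everything addressed to private address space
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark whatever remains is Internet-bound traffic from the guest subnet
 permit ip 10.200.0.0 0.0.0.255 any
!
interface Vlan900
 description Guest WLAN (Internet only)
 ip address 10.200.0.1 255.255.255.0
 ip access-group GUEST-IN in
 no ip redirects
 no ip proxy-arp
!
! 2. Layer 2 hardening on the guest AP port. Disabling DTP (nonegotiate) and
!    forcing access mode means a device behind the AP cannot negotiate a
!    trunk and see other VLANs; BPDU guard shuts the port if a switch shows up.
interface GigabitEthernet3/1
 description Guest AP
 switchport
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3. Real trunks carry an explicit VLAN list, use an unused native VLAN, and
!    tag the native VLAN so untagged frames are never mapped into a VLAN
!    that also carries user traffic.
interface GigabitEthernet3/48
 description Uplink trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-110,900
 switchport mode trunk
 switchport nonegotiate
!
vlan dot1q tag native
```

Two checks worth doing after applying something like this: `show interfaces GigabitEthernet3/1 switchport` should report the port as static access with negotiation off, and `show ip access-lists GUEST-IN` should show hit counts climbing on the deny lines when a guest client tries to reach a clinical address. The ACL keeps guests away from the private ranges but is still a router-level control; if policy requires the Internet-facing border firewall to see guest traffic, route the guest SVI toward that firewall rather than straight out.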


Hall of Fame Super Silver

Re: Designing Secure vs. Non-Secure WLANs

Well, if you completely build a separate WLAN, how and what services do they need? Will that WLAN have to be tied into your current network? Planning to have a separate internet connection? Look at We have worked with their product for a while now. What I can say about this.... I'm not a salesman, but it does CoS. You can specify how much bandwidth a user or group can have, it terminates VPN connections, you can specify what protocols or ports they are allowed to use. It works with Novell, Windows domain, and RADIUS.

*** Please rate helpful posts ***
Community Member

Re: Designing Secure vs. Non-Secure WLANs


Vernier has similar functions, plus some other bells and whistles, but I would be interested in more details on your experience with Bluesocket.

Have you been able to successfully segment out users by group, client type, os, ap accessed, etc.?

Matthew Wheeler

Chief Wireless Architect

Blue Modal
