Cisco Support Community
New Member

Wireless guest access and layer 2 vlans

I've been having some in-depth conversations with my colleagues at work and would like to turn to this forum for advice.

Here is the setup/scenario: an AP with open auth. The AP is bridged to a layer 2 VLAN on our core production switches. In this VLAN, we have a dedicated DSL router. No firewall is involved; possibly the FW feature set on the router will be enabled. This is simply for hot spot access for guest users. Non-company asset machines only.

The point of concern is the fact that these insecure devices utilize a VLAN on our internal production switches. Given that this is a layer 2 VLAN with no switch interfaces, does this pose a risk?

Is there any way it can be compromised, or can it be "hacked" to gain access to the production network? Can someone wirelessly spoof Ethernet tags?

What if the AP were an LWAPP AP? The controller will have an interface in that layer 2 VLAN, but the option to administer the controller via wireless will be disabled. Are there any security concerns here as well?

Thank you,


Hall of Fame Super Silver

Re: Wireless guest access and layer 2 vlans

You can always set up the layer 2 VLAN as a private VLAN. There was a thing called VLAN hopping in which a hacker would double-tag a frame, but that is all I know about that. If you have a WLC, it would be the same: the traffic would have to come out one of the ports to your core to the DSL. It's like if you have a guest user that plugs into your LAN: is it a guest LAN or your corporate LAN? Look at your security policies for your organization. I do have many clients that do what you are trying to do.

What some are doing, if you have a FW with a DMZ, is to put a WLC 4402-12 in the DMZ and create a tunnel back to your foreign (inside) WLC. This way guests will associate to an AP and get tunneled all the way to the DMZ.

See this link:

*** Please rate helpful posts ***
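The double-tagging attack mentioned in the reply above is easy to reason about once you see the frame bytes and the two places a switch strips or adds an 802.1Q tag. The following is an added example, not code from either poster: it builds untagged, single-tagged and double-tagged Ethernet frames with the Python standard library and runs them through a simplified model of two switches joined by a trunk. The VLAN numbers (guest VLAN 100, production VLAN 10, unused VLAN 999), the MAC addresses and the payload are all constructed for the example, and the switch behaviour (an access port consumes a tag equal to its own VLAN and drops other tags; the native VLAN of a trunk travels untagged) is a deliberate simplification, not a reimplementation of any vendor's forwarding plane.

```python
"""
Model of an 802.1Q double-tagging (VLAN hopping) attempt against a guest VLAN
that shares the core switches with production VLANs. Pure standard library;
frames are built and parsed as bytes. The switch model is an assumption made
for this example, not a vendor's actual forwarding behaviour.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IPV4 = 0x0800

GUEST_VID = 100        # assumption: the guest hot-spot VLAN on the core switches
PROD_VID = 10          # assumption: a production VLAN the attacker wants to reach
UNUSED_VID = 999       # assumption: an unused VLAN chosen as the trunk native VLAN


def build_frame(dst, src, vids, ethertype, payload):
    """Build an Ethernet frame with zero or more 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def ingress_access_port(frame, access_vid):
    """Switch 1, port in access VLAN access_vid (where the guest AP bridges in).
    Model: untagged frames join access_vid; a frame whose outer tag equals
    access_vid is accepted and that tag is consumed; any other outer tag drops."""
    dst, src, vids, ethertype, payload = parse_frame(frame)
    if not vids:
        return access_vid, frame
    if vids[0] != access_vid:
        return None
    return access_vid, build_frame(dst, src, vids[1:], ethertype, payload)


def egress_trunk(vlan, frame, native_vid):
    """Switch 1 sends towards switch 2 on an 802.1Q trunk. Native-VLAN frames go
    untagged, so any tag still embedded in the frame becomes the outer tag."""
    if vlan == native_vid:
        return frame
    dst, src, vids, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, [vlan] + vids, ethertype, payload)


def ingress_trunk(frame, native_vid):
    """Switch 2 receives on the trunk: untagged -> native VLAN, else the outer tag."""
    vids = parse_frame(frame)[2]
    return native_vid if not vids else vids[0]


def delivered_vlan(client_frame, access_vid, native_vid):
    """VLAN in which switch 2 forwards the client's frame, or None if dropped."""
    hop = ingress_access_port(client_frame, access_vid)
    if hop is None:
        return None
    vlan, frame = hop
    return ingress_trunk(egress_trunk(vlan, frame, native_vid), native_vid)


def run_scenarios():
    """Compare the same frames under a careless and a hardened trunk configuration."""
    dst, src = b"\xff" * 6, bytes.fromhex("02deadbeef01")   # constructed addresses
    payload = b"guest traffic"                                # constructed payload
    untagged = build_frame(dst, src, [], ETH_P_IPV4, payload)
    double = build_frame(dst, src, [GUEST_VID, PROD_VID], ETH_P_IPV4, payload)
    direct = build_frame(dst, src, [PROD_VID], ETH_P_IPV4, payload)
    return {
        # trunk native VLAN == guest VLAN: the outer tag is consumed at the access
        # port, the frame crosses the trunk untagged, and switch 2 honours the
        # inner tag, so the guest's frame lands in the production VLAN
        "double_tag_native_is_guest": delivered_vlan(double, GUEST_VID, GUEST_VID),
        # trunk native VLAN moved to an unused VLAN: the frame stays in the guest VLAN
        "double_tag_native_unused": delivered_vlan(double, GUEST_VID, UNUSED_VID),
        # a frame tagged directly for the production VLAN is dropped at the access port
        "single_tag_prod": delivered_vlan(direct, GUEST_VID, UNUSED_VID),
        "untagged": delivered_vlan(untagged, GUEST_VID, UNUSED_VID),
    }


if __name__ == "__main__":
    for name, vlan in run_scenarios().items():
        label = "dropped" if vlan is None else "VLAN %d" % vlan
        print("%-28s -> %s" % (name, label))
```

The practical check this suggests for the setup in the question: the attack only works when the guest VLAN is also the native VLAN of a trunk between the core switches, so on Cisco IOS set the native VLAN of every trunk to an unused VLAN (`switchport trunk native vlan 999`), optionally tag the native VLAN as well (`vlan dot1q tag native`), and keep the AP's port as a fixed access port (`switchport mode access` and `switchport nonegotiate`) so it cannot negotiate itself into a trunk. Whether a particular platform accepts a tagged frame on an access port at all varies, which is why the model above treats that as an assumption.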