Cisco Aironet 1240 AG Access Point White Paper
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
The Cisco Unified Wireless Network supports up to 16 independent wireless LANs and allows
multiple user groups to use the same infrastructure. In this context, a wireless LAN is defined
by a unique network name (Service Set Identifier, or SSID) and its security and quality of service
(QoS) settings. This allows the administrator to define separate SSIDs for different user groups. As an
example, the SSID “guest” might be created for visitors who wish to have wireless Internet access.
Another SSID “office” could be set up for employees, while a third named “shipping” might be
established for business-specific devices such as bar code scanners.
Furthermore, each wireless LAN can be directed to a specific VLAN, ensuring that only the
necessary resources are available to the users of that wireless LAN. Administrators can set
the SSIDs to broadcast or not broadcast, at their discretion. This provides an additional level
of security. When only the guest network SSID is broadcast, unauthorized users make fewer
attempts to access the internal, private wireless LANs.
For some retail enterprises, guest traffic isolation through a VLAN does not provide a sufficient
level of security. In this case, the Cisco Unified Wireless Network can create a Layer 2 tunnel to
direct all guest traffic outside the unsecured network area to a controller dedicated to guest
services. Figure 1 shows an example of such a topology. Even remote and branch office guest
users can be tunneled to a wireless LAN controller for guests, which then applies the appropriate
policies before Internet access is granted. Employee wireless usage policies are managed by the
wireless LAN controller(s) internal to the enterprise.
Figure 1. Directing Guest Traffic Outside the Unsecured Network Area Through a Layer 2 Tunnel
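The segmentation rules described above (at most 16 wireless LANs, a unique SSID per wireless LAN, each one directed to a VLAN, only the guest SSID broadcast, guest traffic tunneled to a dedicated controller) can be checked mechanically against a WLAN plan. The following is an added example, not Cisco code; the `Wlan` fields, the controller name `guest-wlc` and both sample plans are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MAX_WLANS = 16  # limit stated in the white paper

@dataclass(frozen=True)
class Wlan:
    ssid: str
    vlan: Optional[int]            # VLAN the wireless LAN is directed to
    broadcast: bool                # is the SSID advertised?
    guest: bool = False
    anchor: Optional[str] = None   # guest controller reached through the Layer 2 tunnel

def audit(wlans, require_guest_tunnel=True):
    """Return sorted (ssid, finding) tuples; an empty list means the plan complies."""
    findings = []
    if len(wlans) > MAX_WLANS:
        findings.append(("*", f"{len(wlans)} WLANs exceed the limit of {MAX_WLANS}"))
    for ssid, n in Counter(w.ssid for w in wlans).items():
        if n > 1:
            findings.append((ssid, "SSID is not unique"))
    guest_vlans = {w.vlan for w in wlans if w.guest and w.vlan is not None}
    for w in wlans:
        if w.vlan is None:
            findings.append((w.ssid, "not directed to a VLAN"))
        if not w.guest and w.broadcast:
            findings.append((w.ssid, "internal SSID is broadcast"))
        if not w.guest and w.vlan in guest_vlans:
            findings.append((w.ssid, "shares a VLAN with guest traffic"))
        if w.guest and require_guest_tunnel and not w.anchor:
            findings.append((w.ssid, "guest traffic is not tunneled to a guest controller"))
    return sorted(findings)

# Constructed sample plans using the SSID names from the text.
PLAN = [
    Wlan("guest", 30, broadcast=True, guest=True, anchor="guest-wlc"),
    Wlan("office", 10, broadcast=False),
    Wlan("shipping", 20, broadcast=False),
]
WEAK_PLAN = [
    Wlan("guest", 30, broadcast=True, guest=True),   # no tunnel to a guest controller
    Wlan("office", 30, broadcast=True),              # broadcast, and on the guest VLAN
    Wlan("shipping", None, broadcast=False),         # never mapped to a VLAN
]

if __name__ == "__main__":
    for ssid, finding in audit(WEAK_PLAN):
        print(f"{ssid}: {finding}")
```

Pass `require_guest_tunnel=False` for sites where VLAN isolation of guest traffic is considered sufficient.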
Users enter the guest network by opening their browser. A captive portal redirects the browser to a
specific address where a customized login page can be presented. For tracking purposes, unique
user names and passwords can be required. Administration is greatly simplified through the Cisco
Guest Access Lobby Ambassador. Endpoint control, for both employees and guest users, to
ensure that viruses, spyware, and worms are not introduced can be managed through Network