Enterprise Guest Access

Enterprises generally have guests with high needs to remain productive and in touch, and they have the benefit of an existing network infrastructure that can be leveraged to support their guests. With the growing number of built-in radios in laptops, guests are requesting this type of guest access to utilitize WLANs while working remotely with their company.

Enterprise Guest Access Requirements

Providing access to enterprise guests poses several unique network requirements. Unlike traditional enterprise network users, the IT/networking staff does not control the end-to-end user connection. Instead, enterprise guest networks must support many users with an unknown variety of devices, configuration, and security. To enable diverse users to easily get connected without IT support, the guest access network must have a full range of public-access features that are described in the following sections.

Open Authentication Guest VLAN

For guests to become connected, there must be a way to authenticate with "open authentication." Using their security scheme of choice, network designers can utilize full security for all their internal users and applications while maintaining a single VLAN with open authentication. This VLAN becomes the guest network.

Traffic Separation of the Guest VLAN to the Edge of the Enterprise

Enterprises require that the guest WLAN traffic not interact with the normal enterprise traffic for security and business-continuity reasons. With this in mind, the network designer must select the proper technology to provide traffic separation for the WLAN as it crosses his enterprise.

Plug-and-Play Connectivity

The network designer must provide a simple connectivity process in which guests can self-activate access. As many as 15 percent of end-user devices are configured with static proxies or DNS configurations. These users must be able to get connected without having to reconfigure their laptops or PDAs.

Cost-Effective and Secure Access Codes

To limit access on the guest network, a network designer might choose to implement an access gateway that can challenge users for valid credentials. The network designer can choose to do this for a variety of reasons, but in many cases the network designer might be required to provide access codes to track and audit who used the guest access for liability reasons. These credentials must be easy to administer and distribute because there is a large volume of guests, many of whom will only need access for a day or even a few hours.

Enterprise Guest Access Design

To provide a technical solution to the preceding requirements, the network designer must utilize several technologies simultaneously. The open authentication for the guest WLAN is easily accommodated using the open authentication in the 802.11 specifications. To provide traffic separation, network designers must combine several technologies to logically separate the guest WLAN from the enterprise network.

One method is to utilize the WLAN VLAN with open authentication to a wired VLAN. In small to medium-size enterprises, the wired guest VLAN can connect directly to the enterprise edge, where a gateway is installed to deal with the last two requirements. However, in large enterprises, it might be impossible to connect the guest VLAN to the enterprise edge if the enterprise does not utilize a Layer 2 core because Layer 2 cores are not as prevalent as Layer 3 cores in many large enterprises. If there is not a Layer 2 core, the network designer must utilize some tunneling protocol either to extend the VLAN across the Layer 3 core or to create an IP-addressable tunnel to encapsulate the guest VLAN traffic and transmit it across the enterprise Layer 3 core. Many technologies exist to perform this function, the most notable being MPLS for extending the guest and GRE for creating an IP-addressable tunnel across the Layer 3 core. Either type of solution should, if possible, leverage a Layer 3 platform that utilizes Virtual Routing Forwardings (VRFs) such as the Supervisor720 for the Catalyst 6500 platform. The use of VRFs creates an independent routing domain for the guest VLAN. This isolation minimizes the risk that a network connectivity issue on the guest VLAN will affect the rest of the enterprise network.


The concept of using VRFs and tunneling traffic across the core of a large network is a complex issue. Because this is a WLAN book, it will not delve into this subject in depth. It is suggested that you continue reading up on this subject by visiting the Cisco website and reviewing documentation and design guides relating to this subject.

Another method is to leverage the Wireless LAN Services Module (WLSM) and the central switching design to tunnel the guest traffic to the edge of the corporate network.

Finally, the network designer must address the last two requirements of the guest access: cost effectiveness and secure access codes. These requirements are addressed via the use of a gateway device such as the Cisco Building Broadband Building Manager (BBSM) or the Service Selection Gateway in IOS. It should be noted that gateway devices can be bottlenecks to network throughput, so the network designer must be careful that the guest WLAN traffic doesn't overwelm the gateway device. Figure 11-8 depicts a design that accommodates the requirements for enterprise guest access and that utilizes the technology as previously described.

Figure 11-8. Enterprise Guest Access Design

Figure 11-9 depicts guest access that leverages the WLSM and the central switch design. The inherent tunneling in the solution allows the network administrator to deliver the guest WLAN traffic directly to the corporate edge, where a gateway device can provide the authentication for the guests.

Figure 11-9. Enterprise Guest Access with the Central Switch Design

Using the designs in Figures 11-8 and 11-9 as templates, the network designer should be able to refine the design for his environment to provide secure guest WLAN access.