Cisco Blogs

3 ways to secure guest access to your small business network

December 21, 2010 - 1 Comment

You can provide guests with Internet access while ensuring the safety of your company data

I do a fair bit of traveling in my job. When selecting hotels, secure Internet access is one of my top criteria. It’s right up there with a comfy bed and fluffy pillows. I want to know that when I’m using the hotel network, I can access my corporate email or do online banking without having to worry about whether an intruder is prying on my Internet connection. It’s the same when I visit a client site. Clients very kindly let me use their Internet connection, but they want to ensure that I can’t snoop on their corporate network.

When the tables are turned and you’re the host who’s extending your network to your guests, how do you ensure the safety of your company information as well as the safety of your guests’ data?

Here are three methods to consider:

1. Create a “second network”

Blogger Leo Notenboom recommends creating a “second network” to protect your internal network. You could create a dedicated secure network for guests and ensure that they cannot access your internal network and data.

Notenboom provides a clear diagram of this setup, and the following example walks through it. In this scenario, you’d have a main router that’s connected to the Internet. That router, let’s call it Jim, has two other routers connected to him: one called Jane and the other called Mike. Your computer is connected to Mike, while your guest’s computer is connected to Jane. Although Jane and Mike are connected to Jim, you can’t see what’s happening inside Jane’s network, and your guest can’t see what’s happening inside Mike’s network.

Notenboom explains that if your Internet service provider (ISP) gives you more than one IP address, you may not need the Internet-sharing router (Jim). You could instead use a simple hub or switch.

2. Create a virtual local area network (VLAN)

VLANs allow you to partition your network, grouping together clients and servers. This can be done without running new cables or making major changes to your network setup. The broadcast traffic (the messages that network devices continuously send to the LAN to announce their presence) is sent only to devices within each VLAN.

Each VLAN is connected to a single switch that supports VLANs. You select the ports on the switch that you want to be set up as a VLAN.

SearchNetworking explains it this way: “These ports are then grouped to become one VLAN, and any broadcasts or information passed among these ports will not be seen by the remaining ports on the switch.” In other words, your guests wouldn’t be able to see the information you’re generating in your particular VLAN, and vice versa.
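To make the SearchNetworking description concrete, here is an added example (not from the original post or from Cisco) that models how a port-based VLAN switch decides where a frame goes. The port numbers, VLAN IDs 10 and 20, and MAC addresses are constructed sample values.

```python
# Added illustration: a minimal model of a port-based VLAN switch.
# Port numbers, VLAN IDs and MAC addresses are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # access port -> VLAN ID
        self.mac_table = {}                # (VLAN ID, MAC) -> port

    def receive(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        # Learn the sender's location, scoped to the VLAN of the ingress port.
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac != BROADCAST:
            out_port = self.mac_table.get((vlan, dst_mac))
            if out_port is not None:
                # Known unicast: one port, never back out the ingress port.
                return [] if out_port == in_port else [out_port]
        # Broadcast or unknown unicast: flood, but only inside the same VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def demo():
    # Ports 1-4 are the office VLAN (10); ports 5-6 are the guest VLAN (20).
    sw = VlanSwitch({1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20})
    office_pc, office_srv = "02:00:00:00:00:01", "02:00:00:00:00:02"
    guest = "02:00:00:00:00:99"
    return {
        # A guest broadcast (e.g. an ARP request) reaches only the other guest port.
        "guest_broadcast": sw.receive(5, guest, BROADCAST),
        # An office broadcast reaches only office ports.
        "office_broadcast": sw.receive(1, office_pc, BROADCAST),
        # The server announces itself; the switch learns it on port 2 in VLAN 10.
        "server_broadcast": sw.receive(2, office_srv, BROADCAST),
        # Office PC to server: known unicast inside VLAN 10.
        "office_unicast": sw.receive(1, office_pc, office_srv),
        # Guest to the server's MAC: VLAN 20 has no entry for it, so the frame
        # is flooded to guest ports only and never reaches port 2.
        "guest_to_server": sw.receive(5, guest, office_srv),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:17} -> ports {ports}")
```

The model covers switching (layer 2) only. If a router or layer 3 switch routes between the two VLANs, guest-to-office traffic still has to be blocked there.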

3. Install a wireless network just for your guests

With wireless access points becoming ever more affordable, you could consider creating a dedicated wireless network for your guests. You can set this up just like your existing wireless network, except this new wireless network would require a different password. You’d connect this new access point to your existing cable modem, if it can support multiple access points. If not, you could get a wireless LAN controller, such as the Cisco 2100 Series Wireless LAN Controller, to manage the whole shebang. The Cisco 2100 supports up to six access points.

For the ultimate in guest access, read how Geek Terminal, a business lounge for mobile professionals, provides network security for its customers. Another company I worked with, Mullaloo Beach Resorts, is a beach hotel in Perth, Australia. Watch the video below to see how they deployed secure wireless to improve guest satisfaction and staff productivity!

Does your company provide secure access for guests? If so, how?



  1. I truly appreciate this blog. Much thanks again. Cool.