One of the hot topics for network managers today is guest access. Of course, this has been around at the leading edge for years - 3Com's UK head office had a separate wireless LAN for visitors to use several years ago, for example - but mainstream companies have been understandably nervous about allowing untrusted PCs onto their networks.

That's changing now, though: wireless has become the connection of choice for laptop users, and those users, including your office visitors, expect to be able to connect to the Web and their email everywhere. The question is no longer whether to allow it, but how best to allow it.

The thorough way to do it is a single wireless network with VLANs and multiple SSIDs for different user communities, says Dave Cook, technical manager for European networking manufacturer Funkwerk Enterprise Comms (FEC).

"Multiple SSID support is a feature of professional WLAN kit," he says. "Our AP then ties an 802.11Q VLAN tag to the SSID. It does need VLAN-capable kit in the network, such as switches able to understand 802.11Q tags from other hardware, but you can also hide SSIDs, and WEP can be SSID-specific.

"I'd use access control lists (ACLs) and routing to run three VLANs - Internet, internal and guest, with the latter two able to see the Internet but not each other.

"I'd also recommend a firewall on the guest VLAN, limiting it to ports 80 (HTTP), 25 (POP3) and 110 (SMTP) for all users, then you have to take a view on whether to allow HTTPS and VPNs as well."
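
The three-VLAN policy Cook describes could be expressed as a forwarding ruleset on a Linux router that sits between the VLANs. This is an added example, not configuration from the article or from FEC. The interface names, VLAN IDs and the DNS rule are assumptions; the guest port list is the one given in the quote.

```nftables
#!/usr/sbin/nft -f
# Added illustration. Interface names and VLAN IDs below are assumptions.
define INET_IF  = "eth0.10"   # VLAN carrying the Internet uplink
define INT_IF   = "eth0.20"   # internal (staff) VLAN
define GUEST_IF = "eth0.30"   # guest VLAN bound to the guest SSID

table inet guest_wlan {
    chain forward {
        # Default deny: anything not explicitly allowed between VLANs is dropped
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed out
        ct state established,related accept
        ct state invalid drop

        # Internal and guest must not see each other, in either direction
        iifname $INT_IF   oifname $GUEST_IF counter drop
        iifname $GUEST_IF oifname $INT_IF   counter drop

        # Internal VLAN may reach the Internet
        iifname $INT_IF oifname $INET_IF accept

        # Guest VLAN: only the three TCP ports named in the quote
        # (IANA assignments: 80 HTTP, 25 SMTP, 110 POP3)
        iifname $GUEST_IF oifname $INET_IF tcp dport { 80, 25, 110 } accept

        # Assumption, not in the article: guests need DNS to resolve names
        iifname $GUEST_IF oifname $INET_IF udp dport 53 accept
        iifname $GUEST_IF oifname $INET_IF tcp dport 53 accept

        # The open question from the quote: enable only if policy allows HTTPS
        # iifname $GUEST_IF oifname $INET_IF tcp dport 443 accept

        # Log and count everything else a guest attempts, for later review
        iifname $GUEST_IF counter log prefix "guest-drop " drop
    }
}
```

The counters on the drop rules show whether guest devices are probing the internal VLAN, which is the traffic this design exists to stop.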

That method will not suit everyone though, says Cyril Voidies, director of French network developer Wireless Consulting. He argues that smaller offices in particular will not have the resources to manage the more complex infrastructure needed to support VLANs, and says that in response to this his company has developed MeetingSpot, a £275 stand-alone AP designed to be secure, yet make it easy to add and remove users.

"Some people are paranoid about VLANs, plus it can be more expensive than a separate network, for example a separate VLAN might need a separate RADIUS server," he says. "So you want a simple solution with a direct connection to the Internet - we suggest people put in a separate ADSL line."

That's not as cheap in the UK as it is in France, where Voidies reckons that in some areas you can get more than a Megabit for 15 Euro (£10) a month, but it certainly has elements of simplicity on its side - plus it does ensure complete separation from your corporate WLAN.

"If you just put an ordinary AP on, you don't know how clean the visitor PCs are," he says. "We use a Linksys box, the low-level firmware is the same but we add a lot of features on top. It's all managed from a PC, so when you sign-in as a visitor, the receptionist also gives you a password for the system."

He adds that MeetingSpot lets the administrator set time-outs on accounts, or limit their connection hours. Its reports could also be used to charge for connection, he says, allowing it to be used for venue hotspots too.

However, FEC's Dave Cook says you would do better - for larger sites, anyhow - to have everyone on a single wireless network, whether staff or visitors. Apart from anything else, it means fewer transmitters to interfere with each other.

"You don't want additional infrastructure as long as the bandwidth is sufficient," he adds. "It shouldn't be extra admin workload, just the time to configure it. It's one infrastructure to administer, and when there's new firmware for the APs, it's just one lot to upgrade as well.

"What you don't want to do is grab too many channels - this is a more sensible approach to bandwidth. What's nice about guest SSIDs is they all travel across one channel."