I have a current requirement to configure a second VLAN on our WLAN to create wireless "Hot Spots" for our patients and guest. I have to put it into place to where they have access to the internet but not our corporate network. I am some ideas on how to do this, but was wondering 1. has anyone does this and if so how or 2. how would you suggest doing it?

Our topology is as follows:

Two PIX firewalls that work redundantly to provide our internet access for the inside network.

We have two 6609 with RSMs (completely redundant core)that provide access to the wiring closets.

At the wiring closets we have Cisco 2950s, 5000s and 2980Gs. This is where we provide access to the Aironet 1200 Access Points. Each wiring closet is it's own VLAN with the interVLAN routing at the Core (RSMs are using HSRP for redundancy).

We currently have one VLAN that spreads the entire campus network for our staff that gives them wireless access to our private network.

My thoughts on implementation where to create another network (Class B) and another VLAN on the 1200s to provide the internet access Hot Spots. In the RSMs create access-list that deny all private IP address groups (10.0.0.1-10.255.255.254; 172.16.0.1-172.31.255.254; 192.168.0.1-192.168.255.254) except for the one they are on, and the inside address of the PIX.

Any thoughts? Will this work?

Thanks in advance