I have a wireless network using Aironet 1200 access points with PEAP and a Microsoft Radius server controlling access to the network. Now I have been asked to provide guest access through the network to the internet. I have created a guest ssid and placed it on a separate vlan on one access point nearest where the guests are likely to be. What I need to do is design a solution that will restrict current employees from using the guest ssid. Control the bandwidth being consumed by the guest ssid and protect the internal LAN. These access points are connected to a Catalyst 3560 switch which is connected to the gateway router. Are vlans on the access point the way to go or should they be on the switch? If on the switch, can the port connected to the gateway router belong to two different vlans or will this compromise network security? Any suggestions would be greatly appreciated.