Wait a second, there are serious problems w/ this proposed configuration (or else I’m misunderstanding the proposal).
I'm assuming the Cisco 1841 router is the library's primary router, the switch is patched to the primary router LAN to LAN, and that the proposal is to patch the Cisco WRVS4400N Wireless N VPN Router to the switch in support of the patrons.
[cisco 1841](lan)<-- wire -->(lan)[switch](lan)<-- wire -->(wan)[cisco wrvs4400n]
If not, correct me. If so, then it’s a big mistake.
Simply patching the WAN of the wireless router to the primary router (or switch) does NOTHING to protect the network of the primary router. All clients of the wireless router now have access to the upstream network of the primary router! If anything, the patrons are protected from the library’s network thanks to the wireless router’s firewall.
I suppose if the switch is configured w/ VLANs, it’s possible to prevent this. But it’s still tricky since you’d need to have three VLANs; one for the library, one for the patrons, and a third to route both independently to the Internet. So it can be done, but a bit tricky to implement, esp. if you’re new to VLANs and routing commands.
What would work better (and frankly be easier to implement) is to make the wireless router the primary (public) router, then place the library’s router behind it.
[cisco wrvs4400n](lan)<-- wire -->(wan)[cisco 1841](lan)<-- wire -->(lan)[switch]
Now the *library* is protected from patrons by the WAN’s firewall, yet the library can still see the patrons who are upstream.
And I would also enable AP Isolation on the wireless router to prevent patrons from accessing each other (does nothing to prevent wireless users from seeing/accessing any wired resources on that same router though).
The DMZ of either router is irrelevant since that only allows remote access through the firewall for remote users. And I just don’t see where anything involving remote access comes into play in this scenario. At least not based on the limited information provided so far.
As always when using multiple routers, each needs to use different networks (e.g., 192.168.1.x and 10.0.0.x).
But even using two routers is not without some risk. Because the WAN of the library’s router and patrons share the same network, there remains the possibility (if only remotely) of an ARP poisoning attack. IOW, someone could monitor ARP traffic of the patron network, determine the MAC address of the library router’s WAN, then spoof their own MAC address w/ that of the WAN, and create a MITM (Man In The Middle) attack. So everything that travels to and from the WAN of the library’s router also passes to and from the attacker! The attacker just sits there, monitoring traffic looking for things of interest, with no one the wiser. A very clever and almost impossible attack to detect while it’s happening.
Granted, we’re talking about what’s possible here, not necessarily what’s likely, but it illustrates how easily you can make a mistake and really mess up if you don’t know what to look for!
The best solution (at least if you’re only using hardware, not VLANs) is using three (3) routers in a Y configuration.
[patron router](lan)<-- wire -->(wan)[primary router](wan)<-- wire -->(lan)[library router]
Now ARP poisoning is not possible because the patrons and the library never share the same network, EVER. And now you could use the DMZ of the primary router and direct it to the library router’s WAN IP to permit remote access for library staff. Meanwhile, patrons have no remote access at all (which probably makes sense).
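The three layouts compared in the post above, modelled as an added example that is not part of the original post: it checks who can open connections to whom, whether patrons share a broadcast domain with the library router's WAN port, and whether subnets overlap. It assumes each router behaves as a NAT firewall (LAN to WAN forwarded, unsolicited WAN to LAN dropped) and that in the Y layout both downstream routers' WAN ports sit on the primary router's LAN; the segment names and the 172.16.0.0/24 transit subnet are constructed.

```python
import ipaddress
from collections import deque

# Assumed model (not from the post): a router is (name, lan_segment, wan_segment)
# and behaves like a NAT firewall: LAN -> WAN is forwarded, unsolicited
# WAN -> LAN is dropped. Segment names and the 172.16.0.0/24 subnet are constructed.

def reachable(routers, start):
    """Segments a host on `start` can open connections to."""
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        for _name, lan, wan in routers:
            if lan == seg and wan not in seen:
                seen.add(wan)
                queue.append(wan)
    return seen

def audit(routers, subnets, patron="patron", library="library"):
    """Report the exposure properties the post argues about for one layout."""
    nets = [ipaddress.ip_network(n) for n in subnets.values()]
    library_wans = {wan for _name, lan, wan in routers if lan == library}
    return {
        "patrons_reach_library": library in reachable(routers, patron),
        "library_reaches_patrons": patron in reachable(routers, library),
        # Patrons sit in the broadcast domain of the library router's WAN port,
        # the precondition for the ARP poisoning scenario.
        "patrons_share_l2_with_library_wan": patron in library_wans,
        "subnet_overlap": any(a.overlaps(b) for i, a in enumerate(nets)
                              for b in nets[i + 1:]),
    }

TWO_NETS = {"patron": "192.168.1.0/24", "library": "10.0.0.0/24"}
LAYOUTS = {
    "proposed": ([("cisco 1841", "library", "internet"),
                  ("cisco wrvs4400n", "patron", "library")], TWO_NETS),
    "wireless_first": ([("cisco wrvs4400n", "patron", "internet"),
                        ("cisco 1841", "library", "patron")], TWO_NETS),
    "y_three_routers": ([("primary router", "transit", "internet"),
                         ("patron router", "patron", "transit"),
                         ("library router", "library", "transit")],
                        {**TWO_NETS, "transit": "172.16.0.0/24"}),
}

def audit_all():
    return {name: audit(r, s) for name, (r, s) in LAYOUTS.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```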