Comments on: allow external visitor to get to Internet http://itknowledgeexchange.techtarget.com/itanswers/allow-external-visitor-to-get-to-internet/ Fri, 24 May 2013 07:13:09 +0000 hourly 1 By: koohiisan http://itknowledgeexchange.techtarget.com/itanswers/allow-external-visitor-to-get-to-internet/#comment-94281 koohiisan Mon, 18 Jul 2011 10:12:46 +0000 #comment-94281 Thanks everyone for all the great suggestions! After all of this stress, this particular vendor decided to allow us to go DHCP. I’ll save these for the future in case we decide to allow more vendors in who *won’t* let us go the easy route. :)

Thanks!!

]]> By: tweeks http://itknowledgeexchange.techtarget.com/itanswers/allow-external-visitor-to-get-to-internet/#comment-93978 tweeks Thu, 07 Jul 2011 03:30:07 +0000 #comment-93978 yes.. either a hardwired link on a special outgoing only VLAN (behind a stateful NAT)… OR if you have a full blown firewall router, set up a dedicated “vendor DMZ” that allows them to get out but not touch any inbound traffic or systems.

You should also throttle such traffic so that his actions cannot have adverse affects on your provider bandwidth/connectivity, otherwise he could DoS your location my sucking down content.. or worse.. doing something stupid that is perceived as an attack by others.

While you’re at it.. you might want to just route any such traffic on a non-backbone connection (with separate IP and provider bandwidth). That’s what we did for our guest VLANs. That way if they send spam of soemthing, your main DC IPs don’t get blocked and tained by spam RBLs.

Good luck!

Tweeks

]]> By: anchors http://itknowledgeexchange.techtarget.com/itanswers/allow-external-visitor-to-get-to-internet/#comment-93941 anchors Tue, 05 Jul 2011 15:45:20 +0000 #comment-93941 I agree wtih CiscoOne. Why bother with the trouble of not having him get a address via DHCP? Being in a secure environment though, we want to assign those vendors to a vlan to segregate the traffic. So….we get a wired/wireless router set up assigning dhcp addresses, dns, etc….and have it attached to our main switch on a port with the proper vlan restriictions.

]]> By: ciscoone http://itknowledgeexchange.techtarget.com/itanswers/allow-external-visitor-to-get-to-internet/#comment-93850 ciscoone Sat, 02 Jul 2011 01:16:17 +0000 #comment-93850 Are you using DHCP in your network if so if so he can just set his connection to obtain Ip address automaticlly.

]]> By: hairstraightback http://itknowledgeexchange.techtarget.com/itanswers/allow-external-visitor-to-get-to-internet/#comment-93816 hairstraightback Fri, 01 Jul 2011 18:52:05 +0000 #comment-93816 route ADD xxx.xxx.xxx.xxx MASK xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

Means:

route ADD “network” MASK “subnet mask” “gateway ip”

For example, if you were on the 192.168.1.0 network, and you had a gateway on 192.168.1.12 configured to access the 10.10.10.0/24 network, you would use a route add statement like this:

route ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12

Your routing table should now reflect that change, and all traffic to the 10.10.10.x range will now be sent over to the gateway machine.

The route add change will only stick across reboots if you add it with the -p flag, as in the following:

route -p ADD 10.10.10.0 MASK 255.255.255.0 192.168.1.12

]]>