New Member

Allowing public Internet on private network

We have a few sales vendors that need to get access to the Internet when they come on-site. What is the best way to protect our network while allowing different vendors to use their laptops? My biggest fear is they bring in an infected laptop and it spreads to our network. Put them on a separate VLAN?

New Member

Re: Allowing public Internet on private network

You'll need to go beyond simply establishing another "untrusted" VLAN, since it's only protecting you until you get to that first router hop. Knowing nothing about your network, I'll assume that you want to enable "guest" access at every LAN port and over wireless. Enable dot1x port security on your switch ports. Establish an "untrusted" VLAN that becomes the "home of the homeless" for unauthenticated laptops (those without a cert from your certificate server). Firewall that VLAN off on your switches, routers and ASA/PIX appliances so that the ONLY path that they have is outbound to the Internet. That will save you from layer 3 (IP) threats.
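The setup described in the reply above, sketched as a Catalyst IOS configuration fragment. This is an added example, not part of the original post. It assumes a RADIUS server is already defined, and the VLAN numbers, interface names, and the 192.168.99.0/24 guest subnet are placeholders chosen for illustration; it also assumes the internal network uses RFC 1918 address space and that guests use a public DNS resolver.

```cisco
! Added example: placeholder VLAN IDs, interfaces and addresses.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
vlan 10
 name CORP-DATA
vlan 999
 name GUEST-UNTRUSTED
!
! Access port: authenticated machines stay in VLAN 10.
! Laptops with no 802.1X supplicant, or that fail authentication,
! are placed in the untrusted VLAN 999.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 authentication event no-response action authorize vlan 999
 authentication event fail action authorize vlan 999
 spanning-tree portfast
!
! Guests may request DHCP, are denied every internal (RFC 1918)
! destination, and are permitted everything else (the Internet).
ip access-list extended GUEST-INTERNET-ONLY
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any
!
! Apply the ACL inbound on the guest VLAN's routed interface, the
! first router hop, so guest traffic is filtered before it is routed.
interface Vlan999
 description Guest gateway (placeholder addressing)
 ip address 192.168.99.1 255.255.255.0
 ip access-group GUEST-INTERNET-ONLY in
```

The ACL only filters traffic that is routed through the VLAN 999 interface; traffic between two guest laptops in the same VLAN never reaches it. The same deny rules should be repeated on the routers and ASA/PIX appliances along the path, as the reply says.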


Re: Allowing public Internet on private network

The best approach is to implement Cisco NAC.

Basically, a laptop will not get any connectivity before verifying the OS patch level as well as the anti-virus updates.

Have a look at the Cisco page:

New Member

Re: Allowing public Internet on private network

Thanks Jackko, I was also thinking of NAC. The only thing is I have a dept head that wants this by next week, imagine that, LOL. I may set up another DMZ and VLAN that port off; I think that should protect us.