question about accesslist

zelda1031

n00b
Hi guys

I am a beginner in networking, so I apologize if my question looks confusing.

I have set up 3 VLANs:
vlan 200 (for staff) 192.168.10.0/24
vlan 300 (for servers) 192.168.11.0/24
vlan 400 (for guests) 192.168.20.0/24

I used an access list to stop VLAN 400 guest users from accessing the internal network.

ip routing
ip dhcp pool guestwireless
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1

ip access-list extended guestwireless
permit udp any eq bootpc any eq bootps
deny ip any any

I have a printer in VLAN 200 with IP address 192.168.10.120/32.
I would like guests in VLAN 400 to be able to access the printer, so I added another line to my access list:

ip access-list extended guestwireless
permit udp any eq bootpc any eq bootps
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.120
deny ip any any

My question is: is it a security flaw to allow guests to access a printer in the internal network?

/usr/home

Supreme [H]ardness
What's with the 0.0.0.31 mask on the ACL rule? Should be 0.0.0.255 for a /24. That rule is saying the netmask is /27.

They'd need to know the IP to print to it. What model of printer is it? It may support IPP. Then you can at least have a password on it.

zelda1031

n00b
I am sorry, it is 0.0.0.255.

Yes, they will need to know the IP of the printer to print. I was wondering if it is a security risk to the internal network if I allow 192.168.20.0/24 to access the printer at 192.168.10.120...
 

/usr/home

Supreme [H]ardness
Security risk? Possibly. I'd definitely lock down only the necessary ports, not just by IP address. Be careful while making config changes. But with regular TCP/IP printing anyone can connect and waste printer resources.

Use IPP if possible.
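The two ACLs in the question and the advice above to open only the necessary ports, as an added example that is not from the thread: a small Python model of IOS extended-ACL matching (first match wins, implicit deny at the end) run over constructed guest-VLAN traffic, with the port-restricted rule beside the thread's permit-ip rule. It assumes printing is done over IPP (tcp/631); the sample hosts and ports are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def evaluate(acl, pkt):
    """First-match evaluation with the implicit 'deny ip any any' at the end, as on IOS.
    An entry is (action, proto, (src, src_wc), sport, (dst, dst_wc), dport);
    proto 'ip' matches every protocol, a port of None means 'any port'."""
    for action, proto, (src, swc), sport, (dst, dwc), dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue
        if sport is not None and sport != pkt["sport"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
GUESTS = ("192.168.20.0", "0.0.0.255")      # the guest /24 from the thread
PRINTER = ("192.168.10.120", "0.0.0.0")     # 'host 192.168.10.120'
DHCP = ("permit", "udp", ANY, 68, ANY, 67)  # bootpc -> bootps
DENY_ALL = ("deny", "ip", ANY, None, ANY, None)

# The thread's second ACL: guests reach the printer on every protocol and port.
ACL_WIDE = [DHCP, ("permit", "ip", GUESTS, None, PRINTER, None), DENY_ALL]
# Port-restricted variant of the same rule. Assumed: printing is done over IPP
# (tcp/631), so only that port is opened; the printer's other services stay blocked.
ACL_PORTS = [DHCP, ("permit", "tcp", GUESTS, None, PRINTER, 631), DENY_ALL]

def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample traffic from a guest client.
IPP_JOB = packet("tcp", "192.168.20.100", 50000, "192.168.10.120", 631)
ADMIN_UI = packet("tcp", "192.168.20.100", 50001, "192.168.10.120", 80)
SERVER = packet("tcp", "192.168.20.100", 50002, "192.168.11.5", 445)
DHCP_DISCOVER = packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)

if __name__ == "__main__":
    for name, acl in (("wide", ACL_WIDE), ("ports", ACL_PORTS)):
        for label, pkt in (("ipp", IPP_JOB), ("admin", ADMIN_UI), ("server", SERVER), ("dhcp", DHCP_DISCOVER)):
            print(name, label, evaluate(acl, pkt))
    # The mask typo from the first reply: 0.0.0.31 only covers 192.168.20.0-31.
    print(wildcard_match("192.168.20.100", "192.168.20.0", "0.0.0.31"))  # False
```

The port-restricted list still permits the print job but denies the guest's connection to the printer's web admin interface on port 80, which the permit-ip rule lets through.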

obrith

Limp Gawd
Your printer absolutely can be an attack surface (even just printing to it - many accept new firmware via a print job!). Make sure its firmware is up-to-date.
 

Liger88

2[H]4U
> obrith said:
> Your printer absolutely can be an attack surface (even just printing to it - many accept new firmware via a print job!). Make sure its firmware is up-to-date.

Which is why most places put them on their own network/VLAN along with any other common peripherals that can be accessed via networked communication.