question about accesslist

zelda1031

n00b
Joined
Jun 21, 2014
Messages
3
Hi guys

I am a beginner in networking; I apologize if my question looks confusing.

I have set up 3 VLANs:
vlan 200 (for staff) 192.168.10.0/24
vlan 300 (for servers) 192.168.11.0/24
vlan 400 (for guests) 192.168.20.0/24

I used an access list to stop VLAN 400 guest users from accessing the internal network.

ip routing
ip dhcp pool guestwireless
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1

ip access-list extended guestwireless
permit udp any eq bootpc any eq bootps
deny ip any any

I have a printer in VLAN 200 with IP address 192.168.10.120/32.
I would like guests in VLAN 400 to access the printer, so I added another line to my access list:

ip access-list extended guestwireless
permit udp any eq bootpc any eq bootps
permit ip 192.168.20.0 0.0.0.255 host 192.168.10.120
deny ip any any

My question is: is it a security flaw to allow guests to access a printer in the internal network?
What's with the 0.0.0.31 mask on the ACL rule? Should be 0.0.0.255 for a /24. That rule is saying the netmask is /27.

They'd need to know the IP to print to it. What model of printer is it? It may support IPP. Then you can at least have a password on it.
I am sorry, it is 0.0.0.255.

Yes, they will need to know the IP of the printer to print. I was wondering if it is a security risk to the internal network if I allow 192.168.20.0/24 to access the printer at 192.168.10.120.
 
Security risk? Possibly. I'd definitely lock down only the necessary ports, not just by IP address. Be careful while making config changes. But with regular TCP/IP printing anyone can connect and waste printer resources.

Use IPP if possible.
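The two points raised in the replies above (the wildcard mask actually selecting a /27 rather than the whole /24, and locking the printer rule down to the ports that are needed instead of all of IP) can be checked without a switch. The following is an added example, not part of the original thread: a small first-match evaluator for the subset of Cisco extended ACL syntax used in this thread. The ACL text, the "hardened" variant that permits only TCP/631 (the IANA port for IPP, the protocol the reply recommends), and the test packets are constructed here for illustration; on a real switch the ACL also has to be applied to the right interface and direction, which this model does not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords Cisco IOS accepts in place of numbers (only the ones used here).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "www": 80, "domain": 53}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", ...
    src: Tuple[str, str]             # (base address, wildcard mask)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    0.0.0.255 therefore covers a /24; 0.0.0.31 covers only 32 addresses (a /27).
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = 0xFFFFFFFF ^ w
    return ((a ^ b) & care_bits) == 0


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny lines; the 'ip access-list extended ...' header is skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def _matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    if not wildcard_match(p.src, *ace.src) or not wildcard_match(p.dst, *ace.dst):
        return False
    if ace.sport is not None and ace.sport != p.sport:
        return False
    if ace.dport is not None and ace.dport != p.dport:
        return False
    return True


def evaluate(aces: List[Ace], p: Packet) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace, p):
            return ace.action
    return "deny"


# The ACL from the question (constructed copy for this example).
ORIGINAL_ACL = """
ip access-list extended guestwireless
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.20.0 0.0.0.255 host 192.168.10.120
 deny ip any any
"""

# Constructed hardened variant: guests may reach the printer only on TCP/631 (IPP).
HARDENED_ACL = """
ip access-list extended guestwireless
 permit udp any eq bootpc any eq bootps
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.120 eq 631
 deny ip any any
"""

# Constructed test traffic: a DHCP discover, an IPP print job, and a
# management-port connection to the printer from a guest address.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
GUEST_IPP = Packet("tcp", "192.168.20.50", "192.168.10.120", 40000, 631)
GUEST_TELNET = Packet("tcp", "192.168.20.50", "192.168.10.120", 40001, 23)
GUEST_TO_SERVER = Packet("tcp", "192.168.20.50", "192.168.11.10", 40002, 445)
```

With the original ACL the guest address can reach every port on the printer, which is the "not just by IP address" concern in the reply; the hardened ACL permits only the IPP port and still lets DHCP through. The wildcard helper also shows why 0.0.0.31 would have left most of the guest /24 unable to match the printer rule.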
Your printer absolutely can be an attack surface (even just printing to it - many accept new firmware via a print job!). Make sure its firmware is up-to-date.
 
> Your printer absolutely can be an attack surface (even just printing to it - many accept new firmware via a print job!). Make sure its firmware is up-to-date.

Which is why most places put them on their own network/vlan along with any other common peripherals that can be accessed via networked communication.
 