ACL implementation

Posted on 2014-08-05
Last Modified: 2014-08-18
I have 2 subnets: one is for PCs, the other is for printers. I have an ACL that allows traffic to go from the PC VLAN/subnet to the printer VLAN/subnet. Do I need another ACL to allow traffic back from the printers to the printers? I believe one ACL should suffice.
Question by:SydNal2009
    LVL 41

    Assisted Solution

    It completely depends on why you are using ACLs. If you are doing this for security, I would only allow the appropriate traffic from your print servers to the printers, as well as any management/configuration traffic you want to allow. I would block traffic from the printer VLAN except for whatever is required to print or for management. The software in printers isn't known to be very secure and it rarely gets updated, so it would be best if a hacked printer can't hack the rest of your network and get back out to the Internet.

    Author Comment

    Thanks, for the response.
    Also, what is an ingress ACL and egress ACL?
    LVL 39

    Assisted Solution

    Ingress is for incoming traffic; egress is for outgoing traffic.
    LVL 41

    Accepted Solution

    Ingress traffic is traffic entering an interface, and egress traffic is traffic that leaves the interface. Let me try to give you a more specific example. If you want to control the traffic that can leave your printers' VLAN, the easiest way to do that is to control the traffic that ENTERS the router from the printer VLAN, that is, you would use an ingress filter on the printers' VLAN. If you had many VLANs and you wanted to limit which ones can communicate with your printers, you may want to put an egress ACL on the printers' VLAN to allow traffic from just specific hosts/networks and block everything else. It is easier to put an egress ACL on the printers' VLAN than an ingress ACL on every other VLAN interface from which you want to block traffic. When talking about ingress and egress, it is from the standpoint of the router, not the network segment.
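    To make the accepted answer's two options concrete, here is an added example (not part of the thread, and not any vendor's code) that models a router with per-interface ingress and egress ACLs and evaluates sample packets against them. The subnets, host addresses and interface names (10.1.10.0/24 for PCs, 10.1.20.0/24 for printers, a third 10.1.30.0/24 guest VLAN, a print server at 10.1.10.5, a management host at 10.1.10.10, Vlan10/20/30) are all constructed assumptions; the question gives none. The ACLs are stateless and first-match with an implicit deny, so the model also shows why replies from printers back to PCs must match an explicit permit in the printer VLAN's ingress ACL.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network, ip_address
from typing import Optional, Sequence

# Constructed sample addressing (assumption; the question names no subnets).
PC_NET = ip_network("10.1.10.0/24")        # PC VLAN
PRINTER_NET = ip_network("10.1.20.0/24")   # printer VLAN
GUEST_NET = ip_network("10.1.30.0/24")     # a third VLAN that must not reach printers
ANY = ip_network("0.0.0.0/0")
PRINT_SERVER = ip_network("10.1.10.5/32")  # the only host allowed to print directly
MGMT_HOST = ip_network("10.1.10.10/32")    # the only host allowed to manage printers


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def evaluate(acl: Sequence[Rule], pkt: Packet) -> str:
    """Stateless, first-match evaluation with an implicit deny at the end,
    the way a router ACL behaves."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for r in acl:
        if (s in r.src and d in r.dst
                and (r.proto is None or r.proto == pkt.proto)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"


class Router:
    """Interfaces keyed by name. Each carries its subnet plus an optional
    ingress ACL (packets entering the router FROM that VLAN) and egress ACL
    (packets leaving the router TOWARD that VLAN). Direction is from the
    router's point of view, as the accepted answer stresses."""

    def __init__(self) -> None:
        self.ifaces = {}

    def add_interface(self, name, net, ingress=None, egress=None):
        self.ifaces[name] = (net, ingress, egress)

    def _iface_for(self, addr: str) -> Optional[str]:
        for name, (net, _, _) in self.ifaces.items():
            if ip_address(addr) in net:
                return name
        return None  # e.g. an Internet address, reached via some uplink

    def forward(self, pkt: Packet) -> str:
        in_if, out_if = self._iface_for(pkt.src), self._iface_for(pkt.dst)
        in_acl = self.ifaces[in_if][1] if in_if else None
        out_acl = self.ifaces[out_if][2] if out_if else None
        if in_acl is not None and evaluate(in_acl, pkt) == "deny":
            return f"dropped by ingress ACL on {in_if}"
        if out_acl is not None and evaluate(out_acl, pkt) == "deny":
            return f"dropped by egress ACL on {out_if}"
        return "forwarded"


def build_router(allow_replies: bool = True) -> Router:
    # Option 1: an ingress ACL on the printer VLAN controls what may LEAVE
    # the printers. Replies to the PC VLAN are permitted (if requested);
    # everything else, such as Internet-bound traffic, is dropped.
    printer_ingress = []
    if allow_replies:
        printer_ingress.append(Rule("permit", PRINTER_NET, PC_NET))
    printer_ingress.append(Rule("deny", PRINTER_NET, ANY))
    # Option 2: an egress ACL on the printer VLAN limits which hosts may
    # REACH the printers, no matter how many other VLANs exist.
    printer_egress = [
        Rule("permit", PRINT_SERVER, PRINTER_NET, "tcp", 9100),  # raw print
        Rule("permit", MGMT_HOST, PRINTER_NET, "tcp", 443),      # web admin
        Rule("deny", ANY, PRINTER_NET),
    ]
    r = Router()
    r.add_interface("Vlan10", PC_NET)
    r.add_interface("Vlan20", PRINTER_NET, ingress=printer_ingress, egress=printer_egress)
    r.add_interface("Vlan30", GUEST_NET)
    return r


if __name__ == "__main__":
    r = build_router()
    for pkt in (Packet("10.1.10.5", "10.1.20.7", "tcp", 9100),    # print server -> printer
                Packet("10.1.20.7", "10.1.10.5", "tcp", 51000),   # printer reply
                Packet("10.1.20.7", "203.0.113.9", "tcp", 443),   # printer -> Internet
                Packet("10.1.30.4", "10.1.20.7", "tcp", 9100)):   # guest -> printer
        print(pkt, "->", r.forward(pkt))
```

    Running the block shows the print server reaching the printer, the printer's reply to the print server being forwarded, the printer's Internet-bound connection being dropped by the ingress ACL on Vlan20, and the guest VLAN being stopped by the egress ACL on Vlan20 without any ACL on Vlan30. Building the router with `allow_replies=False` drops the reply packet, which is the stateless-ACL answer to the original question: return traffic from the printers needs its own permit entry on the interface where it enters the router.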
