ACL implementation

I have 2 subnets: one is for PCs, the other is for printers. I have an ACL that allows traffic to go from the PC VLAN/subnet to the printer VLAN/subnet. Do I need another ACL to allow traffic back from the printers to the printers? I believe one ACL should suffice.
SydNal2009Asked:
kevinhsiehCommented:
It completely depends on why you are using ACLs. If you are doing things for security, I would only allow the appropriate traffic from your print servers to the printers, as well as any management/configuration traffic you want to allow. I would block traffic from the printer VLAN except for whatever is required to print or for management. The software in printers isn't known to be very secure and it rarely gets updated, so it would be best if a hacked printer can't hack the rest of your network and get back out to the Internet.
0
SydNal2009Author Commented:
Thanks for the response.
Also, what is an ingress ACL and egress ACL?
0
nociSoftware EngineerCommented:
Ingress is for incoming traffic, egress is for outgoing traffic.
0
kevinhsiehCommented:
Ingress traffic is traffic entering an interface, and egress traffic is traffic that leaves the interface. Let me try to give you a more specific example. If you want to control the traffic that can leave your printers' VLAN, the easiest way to do that is to control the traffic that ENTERS the router from the printer VLAN, that is, you would use an ingress filter on the printers' VLAN. If you had many VLANs and you want to limit which ones can communicate with your printers, you may want to put an egress ACL on the printers' VLAN to allow traffic from just specific hosts/networks and block everything else. It is easier to put an egress ACL on the printers' VLAN than an ingress ACL on every other VLAN interface that you want to block traffic. When talking about ingress and egress, it is from the standpoint of the router, not the network segment.
0
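Added example, not part of the thread: a small Python model of the ingress and egress ACLs described above, evaluated from the router's standpoint on the printer VLAN interface. It assumes stateless, first-match ACLs with an implicit deny; the subnets, the print server address and raw-print port 9100 are constructed for illustration, and management traffic is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not taken from the thread).
PRINT_SERVER = ip_network("10.0.10.5/32")   # lives in the PC subnet 10.0.10.0/24
PRINTER_NET = ip_network("10.0.20.0/24")

# Rule = (action, src_net, src_port, dst_net, dst_port); a port of None means "any".
# Ingress ACL: packets ENTERING the router from the printer VLAN.
PRINTER_VLAN_IN = [
    ("permit", PRINTER_NET, 9100, PRINT_SERVER, None),   # replies to print jobs
]
# Egress ACL: packets LEAVING the router onto the printer VLAN.
PRINTER_VLAN_OUT = [
    ("permit", PRINT_SERVER, None, PRINTER_NET, 9100),   # print jobs
]

def acl_permits(acl, src, sport, dst, dport):
    """First matching rule wins; no match means implicit deny."""
    for action, snet, sp, dnet, dp in acl:
        if (ip_address(src) in snet and ip_address(dst) in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action == "permit"
    return False

def router_forwards(src, sport, dst, dport):
    """Apply the printer VLAN interface ACLs in the direction the packet travels."""
    if ip_address(src) in PRINTER_NET:      # arrives on the printer VLAN interface
        if not acl_permits(PRINTER_VLAN_IN, src, sport, dst, dport):
            return False
    if ip_address(dst) in PRINTER_NET:      # sent out of the printer VLAN interface
        if not acl_permits(PRINTER_VLAN_OUT, src, sport, dst, dport):
            return False
    return True

if __name__ == "__main__":
    flows = [
        ("print job",             "10.0.10.5", 50000, "10.0.20.15", 9100),
        ("printer reply",         "10.0.20.15", 9100, "10.0.10.5", 50000),
        ("printer -> PC (SMB)",   "10.0.20.15", 40000, "10.0.10.77", 445),
        ("printer -> Internet",   "10.0.20.15", 40000, "203.0.113.9", 443),
        ("other PC -> printer",   "10.0.10.77", 50000, "10.0.20.15", 9100),
    ]
    for name, *flow in flows:
        print(f"{name:22} {'forwarded' if router_forwards(*flow) else 'dropped'}")
```

Because the model is stateless, the printer's replies need their own permit line in the ingress ACL; a stateful firewall or reflexive ACL would track the session instead of matching on source port.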