Secure Printing Across VLAN's Question?

CudaPrime
Conversationalist

Hi all, I have a configuration question concerning printing across VLANs.

I have two VLANs. One has my printers on it (VLAN 7), using static IP addresses (e.g. 192.168.7.10),

and the other (VLAN 3) is what my users connect to via Ethernet or Wi-Fi; it issues IP addresses via DHCP (e.g. 192.168.3.x).

All inter-VLAN traffic is blocked, e.g. with the rule: 192.168.0.0/16 - Any / 192.168.0.0/16 - Any

I want the users to be able to print but I want the communication to be as secure as possible.

I currently have a layer 3 firewall rule in place before my block rule that is set to allow all traffic from any device on VLAN 3 to the printer's IP on VLAN 7, for example: 192.168.7.10/32 - Any / 192.168.3.0/24 - Any

I believe limiting the communication ports would secure this even more, for example with a layer 3 rule like this:

192.168.7.10/32 - 631 / 192.168.3.0/24 - 631

I have not tested this single-port assignment yet, so I am not sure if other ports will be needed; one of the printers is a Fiery, and I've heard they may have other port requirements. The syntax for rules that include multiple ports is something I'll have to research.

That aside for now, can I get some insight into how others have configured their environments to make printing communication across their networks reasonably secure?

Thanks in advance!

5 Replies
BlakeRichardson
Kind of a big deal

I would create a firewall rule that only allows the clients to access the printer(s) that are needed, and I would lock the rule down to whichever protocol you use for printing.

If you want to ensure things are secure make sure you enable IP filtering on the printers themselves. 

CudaPrime
Conversationalist

Thanks for the ideas! As I have multiple satellite offices, I would need to manage this configuration by setting up addressing for the computers on the networks and then IP filtering on the printers, which would be a logistical pain considering the employee turnover some of our offices experience.

Am I correct in saying that using the current rules I have in place, with the new addition of the specific ports, is as good as I can do given the dynamic nature of some of my offices?

Brash
Kind of a big deal

It depends on the environment.

I have one where there is a common print server, which is actually very helpful for both usability and security given that printers are typically poorly secured devices.

So the rules are set up so that printers can only talk to the print server. The clients cannot communicate directly with the printers.

In another environment, some clients must connect directly to the printers, so there are rules ensuring they can only connect to the printers on the ports specified by the vendor (for the features that are used).

CudaPrime
Conversationalist

Thanks for the reply!

I thought about a print server, but don't the clients have to communicate with the print server, which then has to communicate with the printer, so I still have to somehow secure all of that communication?

It is starting to look like using the current rules I have in place, with the new addition of the specific ports, is as good as I can do given the dynamic nature of my environment.

With that in mind, how do I determine the ports I should allow between client and printer?

Thanks again!

BlakeRichardson
Kind of a big deal

If you use a print server your clients communicate with the print server and not the printers directly.

The print server passes any jobs on to the appropriate printer. This is a much more secure option, and like @Brash, this is what I use.

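To compare the two designs discussed in this thread (the original poster's direct client-to-printer rule ahead of a deny-all, and the print-server layout from the replies), here is an added first-match rule evaluator written for this page; it is a constructed example, not a Meraki export or vendor code. It assumes an invented print-server address of 192.168.5.20 and matches only destination ports, since clients use ephemeral source ports and a rule pinned to source port 631 would not match real print traffic.

```python
"""Ordered, first-match evaluation of inter-VLAN print rules (constructed example).

Rule fields: action, protocol, source network, destination network, destination port.
Source ports are deliberately not matched: clients pick ephemeral source ports.
"""
from ipaddress import ip_address, ip_network

ANY = "any"


def rule(action, proto, src, dst, dport=ANY):
    """Build one rule tuple; networks are parsed so membership tests work."""
    return (action, proto, ip_network(src), ip_network(dst), dport)


# Thread's direct design: allow VLAN 3 -> printer on 631 (IPP), then block all inter-VLAN.
DIRECT = [
    rule("allow", "tcp", "192.168.3.0/24", "192.168.7.10/32", 631),
    rule("deny", ANY, "192.168.0.0/16", "192.168.0.0/16"),
]

# Print-server design from the replies: clients reach only the server, and only
# the server reaches the printer VLAN. 192.168.5.20 is an assumed server address.
SERVER = "192.168.5.20/32"
VIA_SERVER = [
    rule("allow", "tcp", "192.168.3.0/24", SERVER, 631),
    rule("allow", "tcp", SERVER, "192.168.7.0/24", 631),
    rule("deny", ANY, "192.168.0.0/16", "192.168.0.0/16"),
]


def evaluate(rules, proto, src, dst, dport, default="allow"):
    """Return the action of the first rule matching the flow.

    `default` models the implicit end-of-list behaviour: without the explicit
    deny-all rule the policy falls open, which is why that rule must stay.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_dport in rules:
        if r_proto not in (ANY, proto):
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_dport not in (ANY, dport):
            continue
        return action
    return default


if __name__ == "__main__":
    print(evaluate(DIRECT, "tcp", "192.168.3.25", "192.168.7.10", 631))   # allow
    print(evaluate(DIRECT, "tcp", "192.168.3.25", "192.168.7.10", 9100))  # deny
    print(evaluate(list(reversed(DIRECT)), "tcp", "192.168.3.25", "192.168.7.10", 631))  # deny
```

Reversing the list shows why the allow rule has to sit above the deny-all, and the `default` parameter shows what happens if the deny-all is dropped.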