A common printer to 2 vlans which must remain isolated

I have two VLANs with IPs belonging to a Cisco Catalyst 3550, one of them is an office and the other leaves the office to connect to a larger network. This larger network must remain isolated from the office network. In the office we have a printer, and we have stations in the office for both the office network and for the larger network. Is it possible that both VLANs of the switch can use the same printer without compromising both networks? How is this configured? The VLAN that goes to the larger network doesn't pass through a trunk, it is simply given an IP which is publicised with EIGRP in the switch.

Thanks a lot for any help, security is an important factor and yet if it's possible to print in the office from both networks without opening Pandora's box it would be a great relief :)

Perdition

No.

If the two networks must remain isolated, then either the printer must be connected separately to each network (with different NICs), or else you must have a firewall between the two networks that cleans the outside printer connections thoroughly enough to satisfy your security policy.

If the printer is connected via two NICs then you just push the problem one step further over: you are counting on the firmware of the printer to be secure enough that it is not possible to connect to it through the less-secure VLAN and convince it to talk to the more-secure VLAN. Printers are seldom designed with security as a primary goal, so it is best to assume that there is -some- facility on the printer that would allow contamination into the other NIC (e.g., you could probably provoke it to send an SNMP Trap, or start a tftp session, and possibly you could corrupt the printer firmware enough to watch ARP packets and other broadcasts.)

If you have a firewall able to scrub the transactions well enough to be trusted against attacks such as are suggested above, then you would still probably want to set up the printer on a DMZ reachable from both networks. Even then, you have to ask yourself, "suppose someone in the larger network were able to corrupt the printer enough to be able to pull off copies of what was being printed by the internal users: would taking those copies be a significant security problem?".

Typically, this kind of issue is most easily resolved by adding a second printer -- it usually isn't worth the time and effort that would be required to create a secure setup when "security is an important factor".

Walter Roberson
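To make the "printer on a DMZ reachable from both networks" layout from the answer above concrete, here is an added example (not code from the thread or from Cisco): a small Python model of the router ACLs one would apply to the three SVIs on the 3550, with a checker that evaluates the flows the thread worries about. The subnets, the printer address (10.30.0.10), the ACL contents and the flow list are all constructed for the example; the evaluator implements only first-match semantics with the implicit deny, `host`/`any`/wildcard addresses, `eq` ports and the TCP `established` keyword. It deliberately shows the limit Walter points at: a switch ACL is stateless, so `established` only checks TCP flags and does nothing about what the printer might be induced to send over other protocols except drop it outright.

```python
"""Toy evaluator for a subset of Cisco IOS extended-ACL syntax (added example).

Models a printer DMZ VLAN sitting between an office VLAN and a larger-network
VLAN. Each VLAN interface gets an inbound ACL; the printer VLAN's ACL allows
only reply traffic on existing print sessions, so SNMP traps, tftp or any
other printer-originated session is dropped at the switch. Addresses and
ACL text are constructed for the example; the 3550 itself (TCAM limits,
logging, actual CLI) is not modelled.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (hypothetical): office VLAN, larger-network VLAN,
# printer DMZ VLAN. Wildcard masks are written the way IOS expects them.
OFFICE = "10.10.0.0 0.0.0.255"
LARGER = "10.20.0.0 0.0.0.255"
PRINTER = "10.30.0.10"

# ACEs as typed under "ip access-list extended <name>" and applied with
# "ip access-group <name> in" on the respective "interface Vlan<n>".
# Printer VLAN inbound: the printer may only answer on existing 9100 sessions.
PRINTER_VLAN_IN = f"""
permit tcp host {PRINTER} eq 9100 {OFFICE} established
permit tcp host {PRINTER} eq 9100 {LARGER} established
deny ip any any
"""
# Client VLANs inbound: open print sessions to the printer, nothing else
# crosses the switch (anything else a VLAN legitimately reaches via the
# switch would need its own permit entry above the final deny).
OFFICE_VLAN_IN = f"""
permit tcp {OFFICE} host {PRINTER} eq 9100
deny ip any any
"""
LARGER_VLAN_IN = f"""
permit tcp {LARGER} host {PRINTER} eq 9100
deny ip any any
"""


@dataclass
class Flow:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment carrying ACK or RST (reply traffic)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_ace(line):
    """Parse one ACE: <permit|deny> <proto> <src> [eq P] <dst> [eq P] [established]."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport = None
    if i < len(t) and t[i] == "eq":
        sport, i = int(t[i + 1]), i + 2
    dst, i = _parse_addr(t, i)
    dport, established = None, False
    while i < len(t):
        if t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported ACE token: {t[i]}")
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established=established)


def ace_matches(ace, flow):
    """True if the ACE covers the flow ('ip' matches every protocol)."""
    if ace["proto"] not in ("ip", flow.proto):
        return False
    if ipaddress.ip_address(flow.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != flow.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != flow.dport:
        return False
    if ace["established"] and not flow.established:
        return False
    return True


def evaluate(acl_text, flow):
    """First matching ACE decides; an unmatched flow hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"] == "permit"
    return False


def isolation_report():
    """Map each flow of interest to whether the ACL on its ingress VLAN permits it."""
    office_host, larger_host = "10.10.0.5", "10.20.0.7"   # constructed stations
    return {
        "office prints": evaluate(OFFICE_VLAN_IN, Flow("tcp", office_host, PRINTER, 51000, 9100)),
        "larger prints": evaluate(LARGER_VLAN_IN, Flow("tcp", larger_host, PRINTER, 51001, 9100)),
        "printer replies to office": evaluate(PRINTER_VLAN_IN, Flow("tcp", PRINTER, office_host, 9100, 51000, True)),
        "printer opens TCP to office": evaluate(PRINTER_VLAN_IN, Flow("tcp", PRINTER, office_host, 9100, 51000, False)),
        "printer SNMP trap to office": evaluate(PRINTER_VLAN_IN, Flow("udp", PRINTER, office_host, 0, 162)),
        "printer tftp to larger": evaluate(PRINTER_VLAN_IN, Flow("udp", PRINTER, larger_host, 0, 69)),
        "larger host to office": evaluate(LARGER_VLAN_IN, Flow("tcp", larger_host, office_host, 40000, 445)),
        "office host to larger": evaluate(OFFICE_VLAN_IN, Flow("tcp", office_host, larger_host, 40000, 22)),
    }


if __name__ == "__main__":
    for label, allowed in isolation_report().items():
        print(f"{'PERMIT' if allowed else 'DENY  '}  {label}")
```

The report shows the two things the thread cares about: both client VLANs can reach port 9100 and get replies, while every printer-originated session and every direct office/larger flow is dropped. What this does not cover is exactly Walter's residual risk: a printer compromised from one side still sees everything the other side prints, and a stateless ACL cannot inspect the content of the permitted 9100 sessions; that is the job of the "firewall that cleans the connections" he describes, or of the second printer.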
