jbielot
Restrict Printer Access - HP JetDirect
We have a high-quality color laser printer connected to an HP JetDirect interface on our network. We have been restricting access to the print spool on the server, but some enterprising users have found that they can print directly to the JetDirect, thus bypassing the restrictions. I tried to restrict access to the JetDirect using our Cisco 6509 by putting an ACL in place that only allows traffic to/from the server. However, when I do this, no one can print, even those users that are supposed to be able to. I would have thought that this would work, since the Windows-based PCs are set up to print to the server, which in turn would spool the jobs to the printer, but it doesn't. I had checked with a network packet sniffer first, and the only traffic that I was seeing at the JetDirect was traffic to/from the server.
Next I tried to restrict access to specific ports, with the same result. No one can print.
For reasons that I can't get into, I can't put the printer on a separate VLAN or network.
Does anyone have any other ideas?
Thanks
ASKER
I tried blocking ports, but when I only allow the server access, no one can print to the spool file. I didn't consider creating an ACL allowing specific MACs access. Will try on Monday.
The printer, server & users are all on the same network. I wanted to put the printers on a separate VLAN, but corporate won't let me.
Thanks.
Hmm, not sure what you've managed to do by stopping access to the server if you've configured for the printer.
Anyway, here's the brute force approach. Identify the MAC addresses of systems that you want to allow access to the printer, e.g. server for printing, yourself for management, routers if printing from other networks etc., e.g. 0123456789AB, and give it the label "HPCLJ_allowed".
In configuration mode on the 6509, enter:
mac access-list extended HPCLJ_allowed
permit host 0123.4567.89AB any
permit host <mac address 2> any
permit host <yet another here> any
deny any any
Select the interface the printer is plugged into and enter:
mac access-group HPCLJ_allowed out
Good luck.
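Added example, not part of the original answer: a small Python helper that turns an inventory of allowed hosts into the MAC ACL lines shown above, normalizing the MAC formats that workstations and servers typically report and rejecting malformed or duplicate entries before anything reaches the switch. The function names and all inventory entries other than the answer's own 0123456789AB are assumptions made for illustration.

```python
import re

def to_cisco_mac(raw):
    """Normalize 01-23-45-67-89-ab, 01:23:45:67:89:ab or 0123456789AB
    to the dotted form used in the ACL above (0123.4567.89AB)."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if digits in ("000000000000", "FFFFFFFFFFFF"):
        raise ValueError(f"not a usable host address: {raw!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def build_mac_acl(name, allowed):
    """Build the ACL lines from {label: mac}. Labels are for the
    operator's records only and are not written to the config."""
    if not allowed:
        raise ValueError("empty allow list: the ACL would deny every host")
    seen = {}
    lines = [f"mac access-list extended {name}"]
    for label, raw in allowed.items():
        mac = to_cisco_mac(raw)
        if mac in seen:
            raise ValueError(f"{label!r} repeats the MAC of {seen[mac]!r}")
        seen[mac] = label
        lines.append(f" permit host {mac} any")
    lines.append(" deny any any")  # explicit final deny, as in the answer
    return lines

# Constructed inventory: the first MAC is the answer's own example value,
# the others are made up for illustration.
ALLOWED = {
    "print server": "0123456789AB",
    "admin workstation": "00-1a-2b-3c-4d-5e",
    "default gateway": "00:1A:2B:3C:4D:5F",
}

if __name__ == "__main__":
    print("\n".join(build_mac_acl("HPCLJ_allowed", ALLOWED)))
```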
ASKER
Can't create an ACL on the 6509 to block MAC addresses. Called Cisco. Told I would need an IOS upgrade & memory upgrade. No $$$ in the budget this year.
ASKER
I found a solution on the HP web site. I don't have the exact article number handy. The solution was to add an ACL to the print server box, and that can only be done via Telnet. The web interface doesn't have that functionality.
You haven't made it clear what kind of ACL you tried first. I take it the printer, server and users are on separate networks for you to try and use the 6509 to block ports, or are they all in the same network so that you could block using a MAC access list?