?
Solved

Restrict Printer Access - HP JetDirect

Posted on 2004-10-06
7
Medium Priority
?
877 Views
Last Modified: 2010-05-18
We have a high-quality color laser printer connected to a HP JetDirect interface on our network. We have been restricting access to the print spool on the server, but some enterprising users have found that they can print directly to the JetDirect, thus bypassing the restrictions. I tried to restrict access to the JetDirect using our Cisco 6509 by putting an ACL in place that only allows traffic to/from the server. However, when I do this, no one can print, even those users that are supposed to be able to. I would have thought that this would work, since the windows based pc's are setup to print to the server, which it turn would spool the jobs to the printer, but it doesn't. I had check with a network packet sniffer first, and the only traffic that I was seeing at the jetdirect was traffic to/from the server.

Next I tried to restrict access to specific ports, with the same result. No one can print.

For reasons that I can't get into, I can't put the printer on a seperate VLAN or network.

Does anyone have any other ideas?

Thanks
0
Comment
Question by:jbielot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 15

Expert Comment

by:Frabble
ID: 12268293
Hi
  You haven't made it clear what kind of ACL you tried first. I take it the printer, server and users are on separate networks for you to try and use the 6509 to block ports, or are they all in the same network so that you could block using a MAC access list?
0
 
LVL 1

Author Comment

by:jbielot
ID: 12268495
I tried blocking ports, but when I only allow the server access, no one can print to the spool file. I didn't consider creating an ACL allowing specific MAC's access. Will try on Monday.

The printer, server & users are all on the same network. I wanted to put the printers on a seperate vlan, but corporate won't let me.

Thanks.
0
 
LVL 15

Expert Comment

by:Frabble
ID: 12268935
Hmm, not sure what you've managed to do by stopping access to the server if you've configured for the printer.
Anyway, here's the brute force approach. Identify the MAC addresses of systems that you want to allow access to the printer e.g server for printing, yourself for management, routers if printing from other networks etc., eg 0123456789AB, and give it the label "HPCLJ_allowed"

In configuration mode on the 6509, enter:

mac  access-list  extended  HPCLJ_allowed
  permit  host  0123.4567.89AB any
  permit  host  <mac addresss 2> any
  permit  host  <yet another here> any
  deny  any  any

Select the interface the printer is plugged into and enter:

mac  access-group  HPCLJ_allowed  out

Good luck.
0
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

 
LVL 1

Author Comment

by:jbielot
ID: 12386388
Can't create an ACL on the 6509 to block MAC addresses. Called Cisco. Told I would need a IOS upgrade & memory upgrade. No $$$ in the budget this year.
0
 
LVL 1

Author Comment

by:jbielot
ID: 12618498
I found a solution on the HP web site. I don't have the exact article number handy. The solution was to add an ACL to the print server box, and that can only be done via Telnet. The web interface doesn't have that functionality.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 13458036
PAQed with points refunded (250)

modulo
Community Support Moderator
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question