Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco VLAN ACLs

Posted on 2013-11-15
5
Medium Priority
?
297 Views
Last Modified: 2014-04-17
The goal: Without needing a new VLAN and renumbering devices, only allowing printing via the print server(s) and not directly to the network printers.

The problem: I'm not sure what to put into the access-list. ACLs are not my strength. Of course, I do not have a test network available so I need to be more confident in this before I deploy it and break the production network. So, your help is appreciated.

Clients (Mac, Windows, whatever) need to be able to reach the print servers as well as other devices on the network. The only thing we want to block is printing directly from end-user devices.

Where I am so far: (10.20.30.x will be the print servers)
ip access-list extended restrictPrinting
permit ip 10.20.30.0 0.0.0.255 any
deny ip any any eq 631
deny ip any any eq 9100

vlan access-map VLAN10ACL 10
match ip address restrictPrinting
action drop

vlan filter VLAN10ACL vlan-list 10

Open in new window


Thanks in advance!
0
Comment
Question by:A-p-u
  • 3
  • 2
5 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39652173
There are several ports used by a print server to send print jobs, as well as monitor the printers for status, ink levels, etc.  You can use an app like TCP Eye to see what ports are used by your print server when connecting to printers.  Then create the ACL to allow those ports to connect from your print server's IP.  All ACL's end with an explicit deny-all, so after allowing the traffic from the print server, all other traffic will be dropped.
0
 
LVL 1

Author Comment

by:A-p-u
ID: 39666869
The implicit deny all at the end of the ACL will block all other traffic on the network, correct?  We need an "allow all except" scenario instead of a "allow X, deny everything else" config.
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 39672155
Since ACL's work based on the order of the rules, the statement to allow traffic from the print server needs to listed first, then the explicit deny-all would block everything else.
0
 
LVL 1

Accepted Solution

by:
A-p-u earned 0 total points
ID: 39904948
We ended up renumbering the printers. The deny-all was making the ACL difficult to manage.
0
 
LVL 1

Author Closing Comment

by:A-p-u
ID: 40006108
Changing our plans on how to filter traffic allowed for the least surprise by future network administrators.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question