The goal: Without needing a new VLAN and renumbering devices, only allow printing via the print server(s) and not directly to the network printers.
The problem: I'm not sure what to put into the access-list. ACLs are not my strength. Of course, I do not have a test network available so I need to be more confident in this before I deploy it and break the production network. So, your help is appreciated.
Clients (Mac, Windows, whatever) need to be able to reach the print servers as well as other devices on the network. The only thing we want to block is printing directly from end-user devices.
Where I am so far: (10.20.30.x will be the print servers)
ip access-list extended restrictPrinting
 permit ip 10.20.30.0 0.0.0.255 any
 deny ip any any eq 631
 deny ip any any eq 9100
vlan access-map VLAN10ACL 10
 match ip address restrictPrinting
vlan filter VLAN10ACL vlan-list 10
Thanks in advance!
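
Added example, not part of the original post and not Cisco's matching engine: a small Python model of an ordered, first-match rule list, for checking a candidate list against the flows that must and must not work when no test network is available. Assumptions: all host addresses are constructed, ports 631 and 9100 are treated as TCP, the trailing permit rule is added, and clients are assumed to submit jobs to the print servers over IPP on 631.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, net, wildcard):
    """Cisco-style wildcard mask: 1 bits are 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(addr) ^ ip_int(net)) & care) == 0

ANY = ("0.0.0.0", "255.255.255.255")
# (action, (source net, wildcard), destination TCP port or None for any port).
# Destination address is always "any", as in the post's draft.
RULES = [
    ("permit", ("10.20.30.0", "0.0.0.255"), None),  # print servers
    ("deny", ANY, 631),                             # IPP
    ("deny", ANY, 9100),                            # raw printing
    ("permit", ANY, None),                          # assumption: allow the rest
]

def decide(src, dport, rules=RULES):
    """Return the action of the first rule that matches the flow."""
    for action, (net, wc), port in rules:
        if wildcard_match(src, net, wc) and port in (None, dport):
            return action
    return "deny"  # assumption: unmatched traffic is dropped

# Constructed flows: (source, destination, TCP port, intended outcome).
FLOWS = [
    ("10.20.30.5", "10.20.50.21", 9100, "permit"),  # print server -> printer
    ("10.20.40.15", "10.20.50.21", 9100, "deny"),   # client -> printer, raw
    ("10.20.40.15", "10.20.50.21", 631, "deny"),    # client -> printer, IPP
    ("10.20.40.15", "10.20.60.8", 445, "permit"),   # client -> other device
    ("10.20.40.15", "10.20.30.5", 631, "permit"),   # client -> print server
]

def mismatches(flows=FLOWS, rules=RULES):
    """Flows whose modelled decision differs from the intended outcome."""
    return [f for f in flows if decide(f[0], f[2], rules) != f[3]]

if __name__ == "__main__":
    for flow in mismatches():
        print("policy gap:", flow)
```

Because the deny rules match any destination, the model flags the client-to-print-server flow on 631 as a gap; it only applies if the print servers accept jobs on that port.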