Solved

Cisco VLAN ACLs

Posted on 2013-11-15
5
283 Views
Last Modified: 2014-04-17
The goal: Without needing a new VLAN and renumbering devices, only allowing printing via the print server(s) and not directly to the network printers.

The problem: I'm not sure what to put into the access-list. ACLs are not my strength. Of course, I do not have a test network available so I need to be more confident in this before I deploy it and break the production network. So, your help is appreciated.

Clients (Mac, Windows, whatever) need to be able to reach the print servers as well as other devices on the network. The only thing we want to block is printing directly from end-user devices.

Where I am so far: (10.20.30.x will be the print servers)
ip access-list extended restrictPrinting
permit ip 10.20.30.0 0.0.0.255 any
deny ip any any eq 631
deny ip any any eq 9100

vlan access-map VLAN10ACL 10
match ip address restrictPrinting
action drop

vlan filter VLAN10ACL vlan-list 10

Open in new window


Thanks in advance!
0
Comment
Question by:A-p-u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39652173
There are several ports used by a print server to send print jobs, as well as monitor the printers for status, ink levels, etc.  You can use an app like TCP Eye to see what ports are used by your print server when connecting to printers.  Then create the ACL to allow those ports to connect from your print server's IP.  All ACL's end with an explicit deny-all, so after allowing the traffic from the print server, all other traffic will be dropped.
0
 
LVL 1

Author Comment

by:A-p-u
ID: 39666869
The implicit deny all at the end of the ACL will block all other traffic on the network, correct?  We need an "allow all except" scenario instead of a "allow X, deny everything else" config.
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 39672155
Since ACL's work based on the order of the rules, the statement to allow traffic from the print server needs to listed first, then the explicit deny-all would block everything else.
0
 
LVL 1

Accepted Solution

by:
A-p-u earned 0 total points
ID: 39904948
We ended up renumbering the printers. The deny-all was making the ACL difficult to manage.
0
 
LVL 1

Author Closing Comment

by:A-p-u
ID: 40006108
Changing our plans on how to filter traffic allowed for the least surprise by future network administrators.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question