Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco VLAN ACLs

Posted on 2013-11-15
5
Medium Priority
?
293 Views
Last Modified: 2014-04-17
The goal: Without needing a new VLAN and renumbering devices, only allowing printing via the print server(s) and not directly to the network printers.

The problem: I'm not sure what to put into the access-list. ACLs are not my strength. Of course, I do not have a test network available so I need to be more confident in this before I deploy it and break the production network. So, your help is appreciated.

Clients (Mac, Windows, whatever) need to be able to reach the print servers as well as other devices on the network. The only thing we want to block is printing directly from end-user devices.

Where I am so far: (10.20.30.x will be the print servers)
ip access-list extended restrictPrinting
permit ip 10.20.30.0 0.0.0.255 any
deny ip any any eq 631
deny ip any any eq 9100

vlan access-map VLAN10ACL 10
match ip address restrictPrinting
action drop

vlan filter VLAN10ACL vlan-list 10

Open in new window


Thanks in advance!
0
Comment
Question by:A-p-u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39652173
There are several ports used by a print server to send print jobs, as well as monitor the printers for status, ink levels, etc.  You can use an app like TCP Eye to see what ports are used by your print server when connecting to printers.  Then create the ACL to allow those ports to connect from your print server's IP.  All ACL's end with an explicit deny-all, so after allowing the traffic from the print server, all other traffic will be dropped.
0
 
LVL 1

Author Comment

by:A-p-u
ID: 39666869
The implicit deny all at the end of the ACL will block all other traffic on the network, correct?  We need an "allow all except" scenario instead of a "allow X, deny everything else" config.
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 39672155
Since ACL's work based on the order of the rules, the statement to allow traffic from the print server needs to listed first, then the explicit deny-all would block everything else.
0
 
LVL 1

Accepted Solution

by:
A-p-u earned 0 total points
ID: 39904948
We ended up renumbering the printers. The deny-all was making the ACL difficult to manage.
0
 
LVL 1

Author Closing Comment

by:A-p-u
ID: 40006108
Changing our plans on how to filter traffic allowed for the least surprise by future network administrators.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question