Solved

Cisco VLAN ACLs

Posted on 2013-11-15
5
267 Views
Last Modified: 2014-04-17
The goal: Without needing a new VLAN and renumbering devices, only allowing printing via the print server(s) and not directly to the network printers.

The problem: I'm not sure what to put into the access-list. ACLs are not my strength. Of course, I do not have a test network available so I need to be more confident in this before I deploy it and break the production network. So, your help is appreciated.

Clients (Mac, Windows, whatever) need to be able to reach the print servers as well as other devices on the network. The only thing we want to block is printing directly from end-user devices.

Where I am so far: (10.20.30.x will be the print servers)
ip access-list extended restrictPrinting
permit ip 10.20.30.0 0.0.0.255 any
deny ip any any eq 631
deny ip any any eq 9100

vlan access-map VLAN10ACL 10
match ip address restrictPrinting
action drop

vlan filter VLAN10ACL vlan-list 10

Open in new window


Thanks in advance!
0
Comment
Question by:A-p-u
  • 3
  • 2
5 Comments
 
LVL 21

Expert Comment

by:eeRoot
ID: 39652173
There are several ports used by a print server to send print jobs, as well as monitor the printers for status, ink levels, etc.  You can use an app like TCP Eye to see what ports are used by your print server when connecting to printers.  Then create the ACL to allow those ports to connect from your print server's IP.  All ACL's end with an explicit deny-all, so after allowing the traffic from the print server, all other traffic will be dropped.
0
 
LVL 1

Author Comment

by:A-p-u
ID: 39666869
The implicit deny all at the end of the ACL will block all other traffic on the network, correct?  We need an "allow all except" scenario instead of a "allow X, deny everything else" config.
0
 
LVL 21

Expert Comment

by:eeRoot
ID: 39672155
Since ACL's work based on the order of the rules, the statement to allow traffic from the print server needs to listed first, then the explicit deny-all would block everything else.
0
 
LVL 1

Accepted Solution

by:
A-p-u earned 0 total points
ID: 39904948
We ended up renumbering the printers. The deny-all was making the ACL difficult to manage.
0
 
LVL 1

Author Closing Comment

by:A-p-u
ID: 40006108
Changing our plans on how to filter traffic allowed for the least surprise by future network administrators.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now