Solved

Cisco VLAN ACLs

Posted on 2013-11-15
Last Modified: 2014-04-17
The goal: Without needing a new VLAN and renumbering devices, only allowing printing via the print server(s) and not directly to the network printers.

The problem: I'm not sure what to put into the access-list. ACLs are not my strength. Of course, I do not have a test network available so I need to be more confident in this before I deploy it and break the production network. So, your help is appreciated.

Clients (Mac, Windows, whatever) need to be able to reach the print servers as well as other devices on the network. The only thing we want to block is printing directly from end-user devices.

Where I am so far: (10.20.30.x will be the print servers)
ip access-list extended restrictPrinting
remark print servers (10.20.30.x) may reach anything
permit ip 10.20.30.0 0.0.0.255 any
remark port matches need a transport protocol (tcp), not ip
deny tcp any any eq 631
deny tcp any any eq 9100

! sequence 10: drop whatever the ACL above matches
vlan access-map VLAN10ACL 10
match ip address restrictPrinting
action drop

! apply the access-map to VLAN 10
vlan filter VLAN10ACL vlan-list 10

Thanks in advance!
Question by:A-p-u
5 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39652173
There are several ports used by a print server to send print jobs, as well as monitor the printers for status, ink levels, etc. You can use an app like TCP Eye to see what ports are used by your print server when connecting to printers. Then create the ACL to allow those ports to connect from your print server's IP. All ACLs end with an explicit deny-all, so after allowing the traffic from the print server, all other traffic will be dropped.
 
LVL 1

Author Comment

by:A-p-u
ID: 39666869
The implicit deny all at the end of the ACL will block all other traffic on the network, correct? We need an "allow all except" scenario instead of an "allow X, deny everything else" config.
 
LVL 22

Expert Comment

by:eeRoot
ID: 39672155
Since ACLs work based on the order of the rules, the statement to allow traffic from the print server needs to be listed first, then the explicit deny-all would block everything else.
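The ordering and deny-all behaviour discussed in the comments above is the crux of this thread, and it works differently in a VACL than in an interface ACL: inside a `vlan access-map`, a packet that hits a permit entry of the matched ACL receives that sequence's action, a packet that hits a deny entry (or no entry at all) falls through to the next sequence, and a packet that no sequence claims is dropped. The Python model below is an added example, not code from the question or from either commenter. It encodes those rules and runs two access-maps over a handful of constructed flows: the configuration as posted in the question (with `ip ... eq` corrected to `tcp ... eq`, since port matching needs a transport protocol) and an "allow everything except direct printing" rewrite. The client and printer addresses (10.20.10.x), the print-server host 10.20.30.5 and the external address 198.51.100.10 are assumptions; only the 10.20.30.0/24 range and ports 631/9100 come from the question.

```python
"""Model of Cisco VACL (vlan access-map) evaluation applied to the
restrictPrinting design from the question.  Added example; addresses other
than the page's 10.20.30.0/24 print-server range are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; ignored for icmp


@dataclass(frozen=True)
class Ace:
    """One access-control entry.  proto 'ip' matches any protocol; src/dst are
    CIDR strings or 'any' (the Cisco wildcard 0.0.0.255 is /24 here)."""
    permit: bool
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_lookup(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


@dataclass
class MapSeq:
    """One 'vlan access-map NAME SEQ' clause.  acl=None models a sequence with
    no match statement, which matches every packet."""
    acl: Optional[List[Ace]]
    action: str         # "forward" or "drop"


def vacl_action(access_map: List[MapSeq], pkt: Packet) -> str:
    """A sequence claims a packet only when the packet hits a PERMIT entry of
    its ACL; deny entries and non-matches fall through to the next sequence.
    A packet no sequence claims is dropped (implicit deny ending the map)."""
    for seq in access_map:
        if seq.acl is None or acl_lookup(seq.acl, pkt):
            return seq.action
    return "drop"


PRINT_SERVERS = "10.20.30.0/24"      # from the question
PRINT_PORTS = (9100, 631)            # raw/JetDirect and IPP, as in the question

# The question's ACL as posted (protocol keyword corrected), one drop sequence,
# no forward sequence after it.
AS_POSTED = [
    MapSeq(acl=[Ace(True, "ip", PRINT_SERVERS, "any"),
                Ace(False, "tcp", "any", "any", 631),
                Ace(False, "tcp", "any", "any", 9100)],
           action="drop"),
]

# Allow-all-except rewrite: the ACL PERMITS the traffic that should be dropped,
# exempts the print servers with deny entries listed first, and a final
# sequence without a match statement forwards everything else.
ALLOW_ALL_EXCEPT = [
    MapSeq(acl=[Ace(False, "tcp", PRINT_SERVERS, "any", p) for p in PRINT_PORTS]
               + [Ace(True, "tcp", "any", "any", p) for p in PRINT_PORTS],
           action="drop"),
    MapSeq(acl=None, action="forward"),
]

# Constructed flows: client and printer share VLAN 10, as the question requires.
FLOWS = {
    "server->printer raw9100": Packet("10.20.30.5", "10.20.10.200", "tcp", 9100),
    "client->printer raw9100": Packet("10.20.10.50", "10.20.10.200", "tcp", 9100),
    "client->printer ipp631":  Packet("10.20.10.50", "10.20.10.200", "tcp", 631),
    "client->printer web80":   Packet("10.20.10.50", "10.20.10.200", "tcp", 80),
    "client->server smb445":   Packet("10.20.10.50", "10.20.30.5", "tcp", 445),
    "client->internet https":  Packet("10.20.10.50", "198.51.100.10", "tcp", 443),
}


def simulate(access_map: List[MapSeq]) -> Dict[str, str]:
    """Map each sample flow name to the action the access-map gives it."""
    return {name: vacl_action(access_map, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    posted, fixed = simulate(AS_POSTED), simulate(ALLOW_ALL_EXCEPT)
    for name in FLOWS:
        print(f"{name:26} as posted: {posted[name]:8} allow-all-except: {fixed[name]}")
```

Running it shows why the draft in the question would have taken the production VLAN down: the only permit entry is the print-server line, so print-server traffic is the one thing sequence 10 matches and drops, while every other packet falls off the end of the map and hits the implicit drop. In IOS terms the rewrite is an ACL whose `deny tcp 10.20.30.0 0.0.0.255 any eq 9100` and `eq 631` entries come before `permit tcp any any eq 9100` and `eq 631`, referenced by sequence 10 with `action drop`, followed by `vlan access-map VLAN10ACL 20` with `action forward` and no match statement. eeRoot's caveat still applies: the map only covers the ports listed in it, so any other protocol the printers accept jobs on (LPD on TCP 515, for instance) needs its own permit entry in the drop sequence, and status polling from the print server is unaffected because only the two printing ports are matched.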
 
LVL 1

Accepted Solution

by:A-p-u (earned 0 total points)
ID: 39904948
We ended up renumbering the printers. The deny-all was making the ACL difficult to manage.
 
LVL 1

Author Closing Comment

by:A-p-u
ID: 40006108
Changing our plans on how to filter traffic allowed for the least surprise by future network administrators.