ACLs to allow only printing between VLANs

Unanswered Question
Feb 18th, 2009

On a 4507 switch, I have several VLANs defined. I'm defining ACLs for these and have run into a problem allowing printing between two VLANs.

VLAN 2 is defined for public devices and VLAN 6 for staff. Public devices have no need to interact with staff devices at all, including printers, so I deny access to VLAN 6 in the ACL. Staff devices only need to interact with printers in VLAN 2 and no other devices. ACLs are applied inbound on the respective VLAN interfaces.

If I include these lines in the respective ACLs, printing from VLAN 6 to a printer in VLAN 2 fails. (Note: to keep it shorter, I only included the pertinent ACL lines.)

access-list 102 permit tcp 10.50.0.0 0.0.255.255 eq 9100 10.40.0.0 0.0.255.255 established
access-list 102 deny ip any 10.40.0.0 0.0.255.255
access-list 102 permit ip any any

access-list 106 permit tcp 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.255 eq 9100
access-list 106 deny ip any 10.50.0.0 0.0.255.255
access-list 106 permit ip any any

In debugging this, I see the PC in VLAN 6 make attempts to connect from any number of various ports (1400, 1500, 1600…) to establish the connection to the printer in VLAN 2 on port 9100. If I change the ACL for VLAN 6 to the following, printing will now work, but this allows access to all devices in VLAN 2 - not just the printers.

access-list 106 deny ip any 10.50.0.1 0.0.255.0
access-list 106 permit ip any any

I've seen various forum discussions concerning this, but haven't found any solutions that work here. Yet, I do see that others are limiting printing only to port 9100. So, I wanted to know how to configure the ACLs to only allow printing between the VLANs.

TIA

Rick

scdladmin Fri, 02/20/2009 - 06:49

We have both, depending on the client the staff member logs in on.

Rick

ohassairi Tue, 02/24/2009 - 22:35

The ACL seems to be good, but you said what you posted is not the whole ACL.

So maybe if you post all the config and the debug, this can help us.

scdladmin Fri, 02/27/2009 - 07:08

Here are the full ACLs that are applied to VLANs 2 and 6. As a band-aid solution, I'm giving static IP addresses to the printers and have included lines in the ACL to allow communication to these IPs.

access-list 102 remark VLAN2 ACL for Domain Public Devices
access-list 102 permit udp any eq bootpc host 10.30.10.55 eq bootps
access-list 102 permit udp any eq bootpc host 10.30.10.56 eq bootps
access-list 102 deny ip any 10.50.0.1 0.0.255.0
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.50.10.2 eq 8080
access-list 102 deny ip any host 10.50.10.2
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.20 eq www
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.20 eq 443
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.29 eq www
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.29 eq 443
access-list 102 permit tcp 10.50.0.0 0.0.255.15 eq 9100 10.40.0.0 0.0.255.255 established
access-list 102 permit tcp 10.50.0.0 0.0.255.15 eq 9100 10.50.0.0 0.0.255.255 established
access-list 102 permit udp 10.50.0.0 0.0.255.255 10.50.0.255 0.0.255.0 range netbios-ns netbios-ss
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq www
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq 443
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq telnet
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq ftp
access-list 102 deny udp any 10.50.0.0 0.0.255.255 eq tftp
access-list 102 permit ip 10.50.0.0 0.0.255.255 10.50.0.0 0.0.255.15
access-list 102 deny ip any 10.30.0.1 0.0.255.0
access-list 102 permit ip 10.50.0.0 0.0.255.255 10.30.10.0 0.0.1.255
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any

access-list 106 remark VLAN6 ACL for Domain Staff Devices
access-list 106 permit udp any eq bootpc host 10.30.10.55 eq bootps
access-list 106 permit udp any eq bootpc host 10.30.10.56 eq bootps
access-list 106 deny ip any 10.30.0.1 0.0.255.0
access-list 106 permit ip 10.40.0.0 0.0.255.255 10.30.10.0 0.0.1.255
access-list 106 deny ip any 10.40.0.1 0.0.255.0
access-list 106 deny ip any host 10.40.10.2
access-list 106 permit ip 10.40.0.0 0.0.255.255 10.40.0.0 0.0.255.255
access-list 106 deny ip any 10.50.0.1 0.0.255.0
access-list 106 permit ip 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.15
access-list 106 deny ip any 10.0.0.0 0.255.255.255
access-list 106 deny ip any 172.16.0.0 0.15.255.255
access-list 106 deny ip any 192.168.0.0 0.0.255.255
access-list 106 permit ip any any

ohassairi Sat, 02/28/2009 - 22:52

Please give the IPs of the printer and the computer you are trying from.

Also, please confirm you are applying these ACLs as in, and you don't have out ACLs.
