02-18-2009 04:28 PM - edited 03-06-2019 04:06 AM
On a 4507 switch, I have several VLANs defined. I'm defining ACLs for these and have run into a problem allowing printing between two VLANs.
VLAN 2 is defined for public devices and VLAN 6 for staff. Public devices have no need to interact with staff devices at all, including printers, so I deny access to VLAN 6 in the ACL. Staff devices only need to interact with printers in VLAN 2 and no other devices. ACLs are applied inbound on the respective VLAN interfaces.
If I include these lines in the respective ACLs, printing from VLAN 6 to a printer in VLAN 2 fails. (note: to keep it shorter, I only included the pertinent ACL lines.)
access-list 102 permit tcp 10.50.0.0 0.0.255.255 eq 9100 10.40.0.0 0.0.255.255 established
access-list 102 deny ip any 10.40.0.0 0.0.255.255
access-list 102 permit ip any any
access-list 106 permit tcp 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.255 eq 9100
access-list 106 deny ip any 10.50.0.0 0.0.255.255
access-list 106 permit ip any any
In debugging this, I see the PC in VLAN 6 make attempts to connect from any number of various ports (1400, 1500, 1600, ...) to establish the connection to the printer in VLAN 2 on port 9100. If I change the ACL for VLAN 6 to the following, printing will now work, but this allows access to all devices in VLAN 2 - not just the printers.
access-list 106 deny ip any 10.50.0.1 0.0.255.0
access-list 106 permit ip any any
I've seen various forum discussions concerning this, but haven't found any solutions that work here. Yet, I do see that others are limiting printing only to port 9100. So, I wanted to know how to configure the ACLs to only allow printing between the VLANs.
TIA
Rick
02-19-2009 01:47 AM
Rick,
Your situation is a classic for Private VLANS:-
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml#vlan_access
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml
HTH
02-19-2009 06:17 AM
Are you using a printer server or direct to IP printing?
02-20-2009 06:49 AM
We have both, depending on the client the staff member logs in on.
Rick
02-24-2009 10:35 PM
The ACL seems to be good, but you said what you posted is not the whole ACL.
So maybe if you post all the config and the debug, this can help us.
02-27-2009 07:08 AM
Here's the full ACLs that are applied to VLANs 2 and 6. As a bandaid solution, I'm giving static IP addresses to the printers and have included lines in the ACL to allow communication to these IPs.
access-list 102 remark VLAN2 ACL for Domain Public Devices
access-list 102 permit udp any eq bootpc host 10.30.10.55 eq bootps
access-list 102 permit udp any eq bootpc host 10.30.10.56 eq bootps
access-list 102 deny ip any 10.50.0.1 0.0.255.0
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.50.10.2 eq 8080
access-list 102 deny ip any host 10.50.10.2
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.20 eq www
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.20 eq 443
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.29 eq www
access-list 102 permit tcp 10.50.0.0 0.0.255.255 host 10.30.10.29 eq 443
access-list 102 permit tcp 10.50.0.0 0.0.255.15 eq 9100 10.40.0.0 0.0.255.255 established
access-list 102 permit tcp 10.50.0.0 0.0.255.15 eq 9100 10.50.0.0 0.0.255.255 established
access-list 102 permit udp 10.50.0.0 0.0.255.255 10.50.0.255 0.0.255.0 range netbios-ns netbios-ss
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq www
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq 443
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq telnet
access-list 102 deny tcp any 10.50.0.0 0.0.255.255 eq ftp
access-list 102 deny udp any 10.50.0.0 0.0.255.255 eq tftp
access-list 102 permit ip 10.50.0.0 0.0.255.255 10.50.0.0 0.0.255.15
access-list 102 deny ip any 10.30.0.1 0.0.255.0
access-list 102 permit ip 10.50.0.0 0.0.255.255 10.30.10.0 0.0.1.255
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
access-list 106 remark VLAN6 ACL for Domain Staff Devices
access-list 106 permit udp any eq bootpc host 10.30.10.55 eq bootps
access-list 106 permit udp any eq bootpc host 10.30.10.56 eq bootps
access-list 106 deny ip any 10.30.0.1 0.0.255.0
access-list 106 permit ip 10.40.0.0 0.0.255.255 10.30.10.0 0.0.1.255
access-list 106 deny ip any 10.40.0.1 0.0.255.0
access-list 106 deny ip any host 10.40.10.2
access-list 106 permit ip 10.40.0.0 0.0.255.255 10.40.0.0 0.0.255.255
access-list 106 deny ip any 10.50.0.1 0.0.255.0
access-list 106 permit ip 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.15
access-list 106 deny ip any 10.0.0.0 0.255.255.255
access-list 106 deny ip any 172.16.0.0 0.15.255.255
access-list 106 deny ip any 192.168.0.0 0.0.255.255
access-list 106 permit ip any any
02-28-2009 10:52 PM
please give the IPs of the printer and the computer you are trying from.
also please confirm you are applying these ACLs as in, and you don't have out ACLs
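As an added check (not from the thread), the following evaluates the port 9100 ACL lines from the first post with Cisco semantics (first match wins, implicit deny, wildcard bits) so both directions of a print job, and the side traffic a print path may need, can be tested before the ACLs are applied. The staff PC, printer addresses and source port are constructed, and the SNMP query reflects how the Windows standard TCP/IP port monitor can poll a printer's status before sending the job; the last function tests the 0.0.255.15 wildcard from the later full ACL.

```python
import ipaddress
ip = lambda a: int(ipaddress.IPv4Address(a))  # dotted quad -> 32-bit integer
# Port-9100 lines from the first post. Cisco semantics: first match wins, implicit deny at the end.
ACL_106 = """permit tcp 10.40.0.0 0.0.255.255 10.50.0.0 0.0.255.255 eq 9100
deny ip any 10.50.0.0 0.0.255.255
permit ip any any"""
ACL_102 = """permit tcp 10.50.0.0 0.0.255.255 eq 9100 10.40.0.0 0.0.255.255 established
deny ip any 10.40.0.0 0.0.255.255
permit ip any any"""
def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, care_mask, rest)."""
    if t[0] == "any":
        return 0, 0, t[1:]
    a, w = (t[1], "0.0.0.0") if t[0] == "host" else (t[0], t[1])
    return ip(a), 0xFFFFFFFF ^ ip(w), t[2:]  # wildcard bit 1 = "don't care"
def _port(t):  # optional 'eq PORT' (numeric ports only); returns (port or None, rest)
    return (int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)
def parse_acl(text):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [established]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, smask, t = _addr(t[2:])
        sport, t = _port(t)
        dst, dmask, t = _addr(t)
        dport, t = _port(t)
        entries.append((action, proto, src, smask, sport, dst, dmask, dport, "established" in t))
    return entries
def evaluate(acl, proto, src, dst, sport=None, dport=None, ack=False):
    """Return 'permit' or 'deny'; an 'established' entry matches only when ACK/RST is set."""
    s, d = ip(src), ip(dst)
    for action, p, ns, ms, ps, nd, md, pd, est in acl:
        if p in ("ip", proto) and (s & ms) == (ns & ms) and (d & md) == (nd & md) \
                and ps in (None, sport) and pd in (None, dport) and (ack or not est):
            return action
    return "deny"  # implicit deny at the end of every ACL
def raw_9100_print_job(staff="10.40.20.7", printer="10.50.30.9", sport=1500):
    """Both directions of a port-9100 job plus a UDP 161 SNMP status poll; addresses constructed."""
    acl106, acl102 = parse_acl(ACL_106), parse_acl(ACL_102)
    syn = evaluate(acl106, "tcp", staff, printer, sport, 9100)              # inbound on VLAN 6
    reply = evaluate(acl102, "tcp", printer, staff, 9100, sport, ack=True)  # inbound on VLAN 2
    snmp = evaluate(acl106, "udp", staff, printer, 1600, 161)               # inbound on VLAN 6
    return syn, reply, snmp
def full_acl_reply_line(printer, staff="10.40.20.7"):
    """The later full ACL's 0.0.255.15 wildcard matches only printers whose last octet is 0-15."""
    acl = parse_acl("permit tcp 10.50.0.0 0.0.255.15 eq 9100 10.40.0.0 0.0.255.255 established")
    return evaluate(acl, "tcp", printer, staff, 9100, 1500, ack=True)
```

With the posted lines the TCP 9100 SYN and its established reply are both permitted while the SNMP poll is dropped by the deny, which is the kind of side traffic worth looking for in the debug output before widening the ACL.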