Filtering ports within a 3750 switch

Unanswered Question
Apr 8th, 2009

Our 3750G switch has one VLAN. The switch has workstations and printers attached. We want to only allow communication from a central print server to the printers, so no direct workstation-to-printer communication. The central print server is on another part of the network. What's the best way to filter or restrict traffic to the printers?

Do I need to create another printer VLAN and apply ACLs between the 2? I'm hoping to keep just one VLAN. Thanks.

hobbe Mon, 04/13/2009 - 23:56

The 3750s can apply access-lists on both egress and ingress on routed ports. So if you go with the VLAN option, you make two access-lists, one for inbound traffic to the printers and one for outbound traffic from the printers.

Add them to the routed interface (two lines):

"ip access-group 101 in"

"ip access-group 102 out"

In switch mode, however, there is only "in".

So then you will have to add a block (access-list) to every interface on the switches, or settle for half-open connections, i.e. the connection goes to the printer but is blocked on the way back to the sender.
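The two-VLAN-plus-router-ACL layout described above, written out as an added example (it is not configuration from the thread or from any of the posters). Router ACLs on an SVI only see traffic that is routed, so the printers first have to leave the workstation VLAN; the example assumes printers are moved to a new VLAN 20 (10.0.20.0/24), workstations stay in VLAN 10 (10.0.10.0/24), the 3750 routes between them, and the central print server is 10.0.50.5 on another segment reached over the uplink. All addresses, VLAN numbers and port names are placeholders. Note the direction semantics on an SVI: "out" is traffic leaving the switch toward the printers, "in" is traffic the printers send.

```cisco
! Added example, not from the thread. Assumed addressing:
!   VLAN 10  workstations  10.0.10.0/24
!   VLAN 20  printers      10.0.20.0/24
!   10.0.50.5 central print server on another segment (via the uplink)
!   10.0.50.10 assumed DHCP server, only needed if printers use DHCP
ip routing
!
vlan 20
 name PRINTERS
!
! "out" on the printer SVI: packets routed toward the printers.
! Only the print server may reach them; workstations and anything
! else hit the explicit deny (same result as the implicit deny, but
! it gives a hit counter to look at).
ip access-list extended TO-PRINTERS
 remark print server -> printers (narrow to tcp 515/631/9100 if the server only prints)
 permit ip host 10.0.50.5 10.0.20.0 0.0.0.255
 remark everything else toward the printer subnet, including workstations
 deny   ip any any
!
! "in" on the printer SVI: packets the printers send.
! Replies back to the print server only, plus DHCP to the relay
! (inbound ACLs also filter traffic addressed to the switch itself).
ip access-list extended FROM-PRINTERS
 permit ip 10.0.20.0 0.0.0.255 host 10.0.50.5
 permit udp any eq bootpc any eq bootps
 deny   ip any any
!
interface Vlan10
 description WORKSTATIONS
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description PRINTERS
 ip address 10.0.20.1 255.255.255.0
 ! drop the helper-address and the bootpc/bootps line if printers are static
 ip helper-address 10.0.50.10
 ip access-group TO-PRINTERS out
 ip access-group FROM-PRINTERS in
!
! One printer port moved out of the workstation VLAN
interface GigabitEthernet1/0/24
 description printer
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

After applying it, `show ip interface Vlan20` should list both access lists, and `show ip access-lists` shows the hit counts on the deny lines when a workstation tries to reach a printer. Anything else the printers need (a management host for SNMP/web, NTP, syslog) has to be added to both lists explicitly, since both end in a deny. Avoid the `log` keyword on these entries on a 3750: logged entries are punted to the CPU instead of being handled in hardware.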

jschweng Wed, 04/15/2009 - 18:30

Thanks for the help everyone. Would this work:

Configure the printers on a private VLAN (set up as isolated).

Workstations and uplink ports are on the primary VLAN (set up as isolated).

Uplink ports are on the primary VLAN but set up as a promiscuous port.

thotsaphon Wed, 04/15/2009 - 22:00

What you have in mind can be done.

- The central print server and printers are in community_A. They need to talk to each other.

- Workstations are in community_B.

- Uplink ports (trunks): nothing to do, just allow the primary and secondary VLANs.

- Servers are in promiscuous mode, in case all devices have to talk to them.

- In case you want to route workstations to another segment, don't forget to add "private-vlan mapping" at the interface VLAN level, because they are in a secondary VLAN, community_B.

- You need to manually configure VTP transparent mode on all devices involved. It has to be a Cisco 3560 or higher.
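The private-VLAN layout from the reply above, written out as an added example (not configuration from the thread or from any of the posters). It assumes primary VLAN 100 (10.0.100.0/24), community VLAN 101 for the printers and the print server, community VLAN 102 for the workstations, a promiscuous port toward the router or servers everyone must reach, and a trunk to a second 3750 that carries all three VLANs; all VLAN numbers, addresses and port ranges are placeholders. The last block is only needed if this switch is itself the gateway for the primary VLAN.

```cisco
! Added example, not from the thread. Assumed layout:
!   VLAN 100  primary        10.0.100.0/24
!   VLAN 101  community_A    print server + printers
!   VLAN 102  community_B    workstations
! Private VLANs need VTP transparent mode on every switch involved.
vtp mode transparent
!
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! community_A: printers (and a locally attached print server) can talk
! to each other and to promiscuous ports, but not to community_B
interface range GigabitEthernet1/0/1 - 4
 description printers / print server
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! community_B: workstations see each other and promiscuous ports only
interface range GigabitEthernet1/0/5 - 20
 description workstations
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
!
! Promiscuous port: router or shared servers that both communities reach
interface GigabitEthernet1/0/24
 description uplink to router / shared servers
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Trunk to another 3750: a plain 802.1Q trunk carrying primary and secondaries
interface GigabitEthernet1/0/23
 description trunk to second 3750
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101,102
!
! Only if this switch routes for the segment: the SVI sits on the
! primary VLAN and must be mapped to the secondaries, otherwise
! community_B cannot reach its default gateway
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 private-vlan mapping 101,102
```

Check the result with `show vlan private-vlan` (primary/secondary type and member ports) and `show interfaces GigabitEthernet1/0/24 switchport`. One thing to watch when the SVI is added: all secondary VLANs share the primary's subnet, so isolation rests on the fact that a workstation's ARP for a printer address never reaches community_A and gets no answer. Do not enable `ip local-proxy-arp` on the SVI; it makes the switch answer those ARPs and route the traffic between the communities, which silently undoes the separation.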