Filtering ports within a 3750 switch

jschweng
Level 1

Our 3750G switch has one VLAN. The switch has workstations and printers attached. We want to only allow communication from a central print server to the printers, so no direct workstation to printer communication. The central print server is on another part of the network. What's the best way to filter or restrict traffic to the printers?

Do I need to create another printer VLAN and apply ACLs between the 2? I'm hoping to keep just one VLAN. Thanks.

6 Replies

jschweng
Level 1

Any help would be appreciated. Thanks.

jeff.cook
Level 1

You need to create an ACL to block all traffic except what you want. Then if you keep one VLAN you would need to assign it to every interface a printer is plugged into.

If you create a 2nd VLAN for the printers, then you only need to assign the ACL at the routed interface for that VLAN.

hobbe
Level 7

The 3750s can apply access lists on both egress and ingress on routed ports. So if you are going with the VLAN option, you make two access lists, one for inbound traffic to the printers and one for outbound traffic from the printers.

Add them to the routed interface (two rows):

"ip access-group 101 in"

"ip access-group 102 out"

In switch mode, however, there is only in.

So then you will have to add a block (access list) to every interface on the switches, or settle for half-open connections, i.e. the connection goes to the printer but is blocked on the way back to the sender.
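As an added example (not from the thread), here is how the two-VLAN design hobbe describes looks on a 3750 with named extended ACLs applied in both directions on the printer VLAN's SVI. Everything specific is assumed for the example: printers in VLAN 20 (10.20.0.0/24, gateway 10.20.0.1 on the switch), workstations in some other VLAN, and the print server at 10.1.1.10 on another subnet. The ACL names are constructed as well.

```cisco
! Added example, not from the thread. Assumed addressing: printer VLAN 20 =
! 10.20.0.0/24 with SVI 10.20.0.1; print server 10.1.1.10 on another subnet.
!
! Direction is relative to the SVI: "in" is traffic arriving from the VLAN
! (sent by the printers), "out" is traffic the switch routes into the VLAN
! (toward the printers).
!
ip access-list extended PRINTERS-FROM
 remark packets sourced by printers: only the print server may be reached
 permit ip 10.20.0.0 0.0.0.255 host 10.1.1.10
 deny   ip 10.20.0.0 0.0.0.255 any
!
ip access-list extended PRINTERS-TO
 remark packets routed toward printers: only the print server may send
 permit ip host 10.1.1.10 10.20.0.0 0.0.0.255
 deny   ip any 10.20.0.0 0.0.0.255
!
interface Vlan20
 description Printer VLAN
 ip address 10.20.0.1 255.255.255.0
 ip access-group PRINTERS-FROM in
 ip access-group PRINTERS-TO out
!
! Both lists are needed. With only PRINTERS-FROM, a workstation's SYN is still
! routed to the printer and only the SYN-ACK is dropped (the half-open case
! described above). With only PRINTERS-TO, a printer could still open
! connections toward workstations.
```

In practice printers need a few more things than the print server (DNS, NTP, SNMP polling from a monitoring host, ICMP from the helpdesk); add those as explicit permit lines above the deny rather than loosening the deny. Keep the `log` keyword off these entries unless you are troubleshooting, since on this platform logged matches are handled by the CPU rather than in hardware.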

Hello,

As other posters have said, the best design option is to have all your printers on a separate VLAN and filter on the layer 3 interface.

However, it is also possible to use VACLs to filter traffic between hosts on the same VLAN.

http://www.cisco.com/en/US/tech/tk389/tk814/tk838/tsd_technology_support_sub-protocol_home.html#

Regards
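As an added example, not from the thread or the linked page, this is what the single-VLAN VACL approach looks like on a 3750: a VLAN access map that forwards print-server/printer traffic, drops any other IP traffic to or from the printers, and forwards everything else unchanged. It assumes the printers hold reserved addresses in 10.1.1.200/29 inside the one VLAN (VLAN 1, 10.1.1.0/24) and that the print server is 10.1.2.10 on another subnet; those values and the ACL/map names are constructed for the example.

```cisco
! Added example, not from the thread. Assumptions: single VLAN 1 = 10.1.1.0/24,
! printers reserved at 10.1.1.200-207 (10.1.1.200/29), print server 10.1.2.10
! on another subnet, reached through the VLAN's default gateway.
!
! In a VLAN map, an ACL "permit" means "this entry matches"; the entry's
! action decides forward or drop. Entries are evaluated in sequence order and
! the first match wins.
!
ip access-list extended PRINTSERVER-PRINTERS
 permit ip host 10.1.2.10 10.1.1.200 0.0.0.7
 permit ip 10.1.1.200 0.0.0.7 host 10.1.2.10
!
ip access-list extended ANY-PRINTERS
 permit ip any 10.1.1.200 0.0.0.7
 permit ip 10.1.1.200 0.0.0.7 any
!
vlan access-map PRINTER-FILTER 10
 match ip address PRINTSERVER-PRINTERS
 action forward
vlan access-map PRINTER-FILTER 20
 match ip address ANY-PRINTERS
 action drop
vlan access-map PRINTER-FILTER 30
 action forward
!
vlan filter PRINTER-FILTER vlan-list 1
```

The map is applied to the VLAN, not to ports, so every frame bridged within VLAN 1 or routed into or out of it is checked, whichever port it arrived on. Entry 30 has no match clause and is the catch-all; leave it out and the map's implicit drop cuts off all other workstation traffic. Two caveats a practitioner should keep in mind: the map above matches IP only, so ARP and other non-IP frames between workstations and printers still pass (a `mac access-list` entry is needed if that matters), and the whole scheme is only as strong as address control, since a workstation that takes over a printer address, or spoofs the print server's, is not distinguishable at layer 3.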

Thanks for the help everyone. Would this work:

Configure the printers on a private VLAN (set up as isolated)

Workstations and uplink ports are on the primary VLAN (set up as isolated)

Uplink ports are on the primary VLAN but set up as promiscuous ports

lockheed,

What you thought can be done.

- Central print server and printers are in community_A. They need to talk with each other.

- Workstations are in community_B.

- Uplink ports (trunks): nothing to do. Just allow the primary and secondary VLANs.

- Servers are in promiscuous mode, in case all devices have to talk with them.

- In case you want to route workstations to another segment, don't forget to add "private-vlan mapping" at the interface VLAN level, because they are a secondary VLAN, community_B.

- You need to manually configure VTP transparent mode on all devices involved. It has to be a Cisco 3560 or higher.

HTH,

Toshi
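As an added example, not posted by anyone in the thread, here is a private VLAN configuration for the layout the original question describes (print server remote, printers and workstations local), rather than Toshi's local-print-server variant: printers on isolated ports, workstations in a community VLAN, the 3750's own SVI acting as the gateway with the private-vlan mapping Toshi mentions, and VTP transparent. The port numbers, VLAN numbers, addresses and ACL name are assumptions made for the example.

```cisco
! Added example, not from the thread. Assumptions: the 3750 routes for
! 10.1.1.0/24 (SVI 10.1.1.1), the print server sits on another subnet behind
! a routed uplink on Gi1/0/28, printer ports are Gi1/0/1-8, workstation ports
! Gi1/0/9-24. VLAN numbers are arbitrary.
!
vtp mode transparent
ip routing
!
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
interface range GigabitEthernet1/0/1 - 8
 description printers (isolated: reach only promiscuous ports at layer 2)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface range GigabitEthernet1/0/9 - 24
 description workstations (community: reach each other, not the printers)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet1/0/28
 description routed uplink toward the rest of the network
 no switchport
 ip address 10.255.0.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! The SVI is the promiscuous side at layer 3: map both secondaries to it so
! the remote print server (and anything else routed in) can reach the printers.
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group NO-HAIRPIN in
!
! Without this ACL a workstation can still reach a printer by addressing the
! frame to the gateway MAC with the printer's IP: the switch routes it back
! into the same subnet and the promiscuous SVI delivers it.
ip access-list extended NO-HAIRPIN
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
```

Check the result with `show vlan private-vlan` and `show interfaces switchport` before trusting it, and confirm the IOS image on the switch supports private VLANs at all. Compared with the ACL and VACL options, the isolation here is enforced at layer 2, so a workstation gains nothing by spoofing the print server's address; the NO-HAIRPIN list closes the one remaining path, which runs through the gateway. If the uplink is an 802.1Q trunk to another switch instead of a routed port, as the earlier replies assume, the private VLANs must be configured identically on that switch and the hairpin ACL belongs on whichever device owns the gateway address.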
