04-08-2009 12:41 PM - edited 03-06-2019 05:04 AM
Our 3750G switch has one VLAN. The switch has workstations and printers attached. We want to only allow communication from a central print server to the printers, so no direct workstation to printer communication. The central print server is on another part of the network. What's the best way to filter/restrict traffic to the printers?
Do I need to create another printer VLAN and apply ACLs between the 2? I'm hoping to keep just one VLAN. Thanks.
04-10-2009 07:57 AM
Any help would be appreciated. Thanks.
04-13-2009 01:48 PM
You need to create an ACL to block all traffic except what you want. Then if you keep one VLAN you would need to assign it to every interface a printer is plugged into.
If you create a 2nd VLAN for the printers, then you only need to assign the ACL at the routed interface for that VLAN.
04-13-2009 11:56 PM
The 3750s have the possibility to do access-lists on both egress and ingress on routed ports. So if you are going with the VLAN option you make 2 access-lists, one for inbound traffic to the printers and one for outbound traffic from the printers.
Add them to the routed interface (two rows):
"ip access-group 101 in"
"ip access-group 102 out"
In switch mode, however, there is only "in".
So then you will have to add a block (access-list) to every interface on the switches or settle for half-open connections, i.e. the connection goes to the printer but is blocked on the way back to the sender.
04-14-2009 06:32 AM
Hello,
As other posters have said, the best design option is to have all your printers on a separate VLAN and filter on the layer 3 interface.
However, it is also possible to use VACLs to filter traffic between hosts on the same VLAN.
http://www.cisco.com/en/US/tech/tk389/tk814/tk838/tsd_technology_support_sub-protocol_home.html#
Regards
04-15-2009 06:30 PM
Thanks for the help everyone. Would this work:
Configure the printers on a private VLAN (set up as isolated)
Workstations and uplink ports are on the primary VLAN (set up as isolated)
Uplink ports are on the primary VLAN but set up as promiscuous ports
04-15-2009 10:00 PM
lockheed,
What you thought of can be done.
- Central print server and printers are in community_A. They need to talk with each other.
- Workstations are in community_B.
- Uplink ports (trunks): nothing to do. Just allow the primary and secondary VLANs.
- Servers are in promiscuous mode, in case all devices have to talk with them.
- In case you want to route workstations to another segment, don't forget to add "private-vlan mapping" at the interface VLAN level, because they are in a secondary VLAN, community_B.
- You need to manually configure VTP transparent mode on all devices involved. It has to be a Cisco 3560 or higher.
HTH,
Toshi
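A worked private VLAN configuration for the design Toshi describes, as an added example that is not from this thread. VLAN numbers (100 primary, 101 community_A, 102 community_B), port numbers and the 10.10.100.0/24 addressing are assumed; adjust to your network.

```cisco
! Private VLANs require VTP transparent mode on every switch involved
vtp mode transparent
!
! Secondary VLANs must exist before they are associated with the primary
vlan 101
 name community_A_print
 private-vlan community
vlan 102
 name community_B_workstations
 private-vlan community
vlan 100
 name primary
 private-vlan primary
 private-vlan association 101,102
!
! Printer port: community_A (printers and the print server talk to each other,
! but workstations in community_B cannot reach them at layer 2)
interface GigabitEthernet1/0/1
 description printer
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Workstation port: community_B
interface GigabitEthernet1/0/10
 description workstation
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port for a device every host must reach (e.g. a shared server);
! trunk uplinks need no private-vlan commands, just carry VLANs 100-102
interface GigabitEthernet1/0/24
 description shared server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! SVI on the primary VLAN so both communities can be routed off-segment;
! the mapping is what lets the secondary VLANs reach the gateway
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 private-vlan mapping 101,102
 ! Optional hardening: stop the SVI relaying traffic within its own subnet,
 ! which would otherwise bypass the layer 2 separation between communities
 ip access-group PVLAN_NO_LOCAL_RELAY in
!
ip access-list extended PVLAN_NO_LOCAL_RELAY
 deny ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255
 permit ip any any
```

Check the result with "show vlan private-vlan" and "show interfaces switchport"; hosts in community_B should be unable to reach printer addresses at all, while both communities still reach the gateway.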