Community Member

Filtering ports within a 3750 switch

Our 3750G switch has one VLAN. The switch has workstations and printers attached. We want to only allow communication from a central print server to the printers, so no direct workstation to printer communication. The central print server is on another part of the network. What's the best way to filter or restrict traffic to the printers?

Do I need to create another printer VLAN and apply ACLs between the 2? I'm hoping to keep just one VLAN. Thanks.

6 REPLIES
Community Member

Re: Filtering ports within a 3750 switch

Any help would be appreciated. Thanks.

Community Member

Re: Filtering ports within a 3750 switch

You need to create an ACL to block all traffic except what you want. Then if you keep one VLAN you would need to assign it to every interface a printer is plugged into.

If you create a 2nd VLAN for the printers, then you only need to assign the ACL at the routed interface for that VLAN.

Gold

Re: Filtering ports within a 3750 switch

The 3750s have the possibility to do access-lists on both egress and ingress on routed ports. So if you are going with the VLAN option you make 2 access-lists, one for inbound traffic to the printers and one for outbound traffic from the printers.

Add them to the routed interface (two rows):

"ip access-group 101 in"

"ip access-group 102 out"

In switch mode, however, there is only in.

So then you will have to add a block (access-list) to every interface on the switches or settle for half-open connections, i.e. the connection goes to the printer but is blocked on the way back to the sender.
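A worked configuration for the two-VLAN design described in the two replies above, added here as an example. It is not any poster's configuration; the VLAN numbers, port numbers and addresses are constructed (workstations in VLAN 10, printers in VLAN 20 at 10.1.20.0/24, the remote print server at 10.1.5.10). Both directions are filtered on the printer SVI so there are no half-open connections: the "out" ACL drops workstation requests before they reach a printer, and the "in" ACL stops a printer from initiating anything except toward the print server.

```cisco
! Constructed example (not from the thread): printer VLAN with a
! routed SVI on the 3750 and an ACL in each direction.
vlan 20
 name PRINTERS
!
! Every printer port is moved from the single VLAN into VLAN 20.
interface GigabitEthernet1/0/5
 description printer
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! 101 = traffic entering the SVI FROM the printers (printer -> rest of network).
access-list 101 remark printers may only reach the central print server
access-list 101 permit ip 10.1.20.0 0.0.0.255 host 10.1.5.10
access-list 101 deny   ip any any
!
! 102 = traffic leaving the SVI INTO the printer VLAN (rest of network -> printer).
access-list 102 remark only the central print server may reach the printers
access-list 102 permit ip host 10.1.5.10 10.1.20.0 0.0.0.255
access-list 102 deny   ip any any
!
! Anything else the printers legitimately need from off-subnet (DNS, NTP,
! an SNMP manager) must be added as explicit permits above the deny lines.
interface Vlan20
 description printer gateway
 ip address 10.1.20.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out
```

Because the workstations now sit in a different subnet, every workstation-to-printer packet has to be routed through Vlan20 and is evaluated by ACL 102; nothing on the workstation ports needs an ACL. Check the result with `show ip interface vlan 20`, which lists the inbound and outbound access lists bound to the SVI.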

Bronze

Re: Filtering ports within a 3750 switch

Hello,

As other posters have said, the best design option is to have all your printers on a separate VLAN and filter on the layer 3 interface.

However, it is also possible to use VACLs to filter traffic between hosts on the same VLAN.

http://www.cisco.com/en/US/tech/tk389/tk814/tk838/tsd_technology_support_sub-protocol_home.html#

Regards
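A worked VLAN access map for the single-VLAN option mentioned in the reply above, added here as an example and not taken from the thread or the linked page. The addressing is constructed: the one existing VLAN is VLAN 10 on 10.1.10.0/24, the printers occupy the block 10.1.10.200/29 (wildcard 0.0.0.7), and the central print server is 10.1.5.10 on another subnet. Unlike a router ACL, a VLAN map is applied to every packet bridged or routed within the VLAN, so it can separate workstations and printers that share a subnet.

```cisco
! Constructed example (not from the thread): VACL that lets only the
! central print server talk to the printers inside one VLAN.
!
! Hosts that must be allowed to exchange traffic with the printers.
ip access-list extended PRINTSERVER-PRINTERS
 permit ip host 10.1.5.10 10.1.10.200 0.0.0.7
 permit ip 10.1.10.200 0.0.0.7 host 10.1.5.10
!
! Every other packet to or from a printer address.
ip access-list extended ANY-PRINTERS
 permit ip any 10.1.10.200 0.0.0.7
 permit ip 10.1.10.200 0.0.0.7 any
!
! Sequence numbers are evaluated in order; the first match wins.
vlan access-map PRINTER-FILTER 10
 match ip address PRINTSERVER-PRINTERS
 action forward
vlan access-map PRINTER-FILTER 20
 match ip address ANY-PRINTERS
 action drop
! A VLAN map ends with an implicit drop, so a final entry with no
! match clause is required to forward the workstation-to-server traffic.
vlan access-map PRINTER-FILTER 30
 action forward
!
vlan filter PRINTER-FILTER vlan-list 10
```

Two caveats a practitioner should keep in mind: the map only matches IP, so ARP between a workstation and a printer still completes (the printer simply never receives IP traffic from it), and anything else the printers need on this VLAN, such as a DHCP or DNS server living in 10.1.10.0/24, has to be permitted in PRINTSERVER-PRINTERS ahead of the drop entry. `show vlan access-map` and `show vlan filter` confirm the map and the VLAN it is bound to.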

Community Member

Re: Filtering ports within a 3750 switch

Thanks for the help everyone. Would this work:

Configure the printers on a private VLAN (set up as isolated)

Workstations and uplink ports are on the primary VLAN (set up as isolated)

Uplink ports are on the primary VLAN but set up as a promiscuous port

Re: Filtering ports within a 3750 switch

lockheed,

What you thought can be done.

- Central Print Server and printers are in community_A. They need to talk with each other.

- Workstations are in community_B.

- Uplink ports (trunks): nothing to do. Just allow primary and secondary VLANs.

- Servers are in promiscuous mode, in case all devices have to talk with them.

- In case you want to route workstations to another segment, don't forget to add "private-vlan mapping" at the interface vlan level, because they are a secondary VLAN, Community_B.

- Need to manually configure VTP transparent mode on all devices involved. It has to be Cisco 3560 or higher.

HTH,

Toshi
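The private VLAN layout from the reply above, written out as a configuration. This is an added example rather than Toshi's own config; VLAN and port numbers and the 10.1.1.0/24 addressing are constructed, and it assumes, as the reply does, that the print server has a local port in community_A (a print server reached only through the uplink would enter the primary VLAN via the routed SVI instead). Printers and the print server share community VLAN 201, workstations share community VLAN 202, so a workstation frame can never be bridged to a printer even though all of them keep one IP subnet.

```cisco
! Constructed example (not from the thread): private VLANs on a 3560/3750.
! PVLANs require VTP transparent mode on every switch carrying them.
vtp mode transparent
!
vlan 201
 name PRINTERS-COMMUNITY_A
 private-vlan community
vlan 202
 name WORKSTATIONS-COMMUNITY_B
 private-vlan community
vlan 200
 name PRIMARY
 private-vlan primary
 private-vlan association 201,202
!
! Community_A: the central print server and each printer.
interface GigabitEthernet1/0/1
 description central print server
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
interface GigabitEthernet1/0/2
 description printer
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community_B: workstations; they talk to each other but not to community_A.
interface GigabitEthernet1/0/10
 description workstation
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! A server that everything must reach goes on a promiscuous port.
interface GigabitEthernet1/0/24
 description shared server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Uplink: an ordinary 802.1Q trunk carrying the primary and both secondaries.
interface GigabitEthernet1/0/48
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200-202
!
! Gateway for the whole primary VLAN; the mapping lets the secondary
! VLANs use this SVI to be routed to other segments.
interface Vlan200
 ip address 10.1.1.1 255.255.255.0
 private-vlan mapping 201,202
```

`show vlan private-vlan` lists the primary/secondary associations and the ports assigned to each, and `show interfaces GigabitEthernet1/0/2 switchport` shows the host association on an individual printer port. Note that this design isolates the printers at layer 2 only; a host that can reach the Vlan200 gateway from another segment still needs a layer 3 ACL if it, too, must be kept away from the printers.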
