05-27-2021 01:18 AM - edited 05-27-2021 01:36 AM
Hi Experts,
Currently, we have an Authorization profile configured for the printers (Canon) with the DACL being used as 'permit ip any any'. Now, the client would like to restrict it just to the basic services as given below:
permit udp any eq bootpc any eq bootps
permit tcp any any eq 25
permit udp any any eq 53
permit tcp any eq 9100 any
deny ip any any
1. If any extra port needs to be allowed for a device in a network to discover the printer?
2. The above ACL is applied from the source-port perspective (outbound from device). For the return traffic, should it be allowed explicitly?
3. Also, the client would like to apply an ACL from RFC1918 addresses TO this printer on 'any' services. How can this be done (in addition to the DACL)?
Thanks in advance.
05-27-2021 01:47 AM
Hey!
1) If another port needs to be allowed.. you will find out once something doesn't work and then you need to add it to the dACL. If you don't know what exactly the printer does, you'll need to capture the traffic (SPAN Port on Switch) or ask the vendor.
2) You don't need to allow the return traffic, the dACL is only applied inbound on the switchport.
3) You can't realize that with the dACL, you should do that somewhere else in the network (Firewall?).
Let me know if that helps.
BR
Juls
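To make the two points in this answer concrete (the dACL only sees frames entering the switchport from the printer, and anything the printer sends on a port not in the list is dropped), here is an added example that is not part of the thread: a small parser for the ACE syntax used in the question and an evaluator that models the inbound-only application on the switchport. All IP addresses and packets are constructed sample values; the port-keyword table is a constructed subset of the IOS names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco IOS port keywords used in the dACL (constructed subset, not exhaustive).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "smtp": 25, "www": 80}

# The dACL from the question, verbatim.
PRINTER_DACL = """
permit udp any eq bootpc any eq bootps
permit tcp any any eq 25
permit udp any any eq 53
permit tcp any eq 9100 any
deny ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]  # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], mask), strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier following an address."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i


def parse_acl(text):
    """Turn ACE lines into Ace objects; blank lines and '!' comments are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(aces, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def switchport_decision(aces, pkt, endpoint_ip):
    """Model the dACL as applied inbound on the endpoint's switchport: only
    frames the endpoint sends are evaluated; traffic towards it is not."""
    if pkt.dst == endpoint_ip:
        return "not filtered"
    return evaluate(aces, pkt)


def printer_examples():
    """Evaluate constructed sample flows around a printer at 10.1.1.50."""
    aces = parse_acl(PRINTER_DACL)
    printer, workstation, mailhost, dns = "10.1.1.50", "10.1.3.77", "10.1.2.10", "10.1.2.53"
    samples = {
        "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "scan_to_email": Packet("tcp", printer, 51000, mailhost, 25),
        "dns_lookup": Packet("udp", printer, 40000, dns, 53),
        "print_job_reply": Packet("tcp", printer, 9100, workstation, 50123),
        "web_ui_reply": Packet("tcp", printer, 80, workstation, 50200),  # not in the list
        "print_job_in": Packet("tcp", workstation, 50123, printer, 9100),  # towards printer
    }
    return {name: switchport_decision(aces, pkt, printer) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, decision in printer_examples().items():
        print(f"{name:16s} {decision}")
```

The `web_ui_reply` flow is the kind of thing the answer's point 1 refers to: the printer's embedded web server answers with source port 80, nothing in the list matches, and the explicit `deny ip any any` drops it, so the admin page stops working until an ACE is added. The `print_job_in` flow shows point 2: the workstation's connection into port 9100 is leaving the switchport towards the printer, so the inbound dACL never evaluates it.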
05-27-2021 01:59 AM - edited 05-27-2021 02:02 AM
Hi Julian
Thanks for the reply.
2. Yeah, the DACL is inbound to the switch port. Does the return traffic from the destination need to be explicitly allowed, or is it permitted automatically?
3. The client would like to get this done on the ISE and I'm not sure if using ACL (Filter-ID) would work. What is the purpose of this attribute, which is appended with .in on the AuthZ policy? Any idea?
05-27-2021 02:14 AM
Hey,
2) Yes the return traffic will work, since there is no filter for that direction at all (if you don't add one specifically somewhere else).
3) Unfortunately I don't know. In all setups I work with we solved this on another level (Firewall etc.).
BR
Juls
05-27-2021 02:18 AM
Thanks for the reply and your time. I'll leave it open to other folks to check and assist us with the below:
The client would like to get this done on the ISE and I'm not sure if using ACL (Filter-ID) would work. What is the purpose of this attribute, which is appended with .in on the AuthZ policy? Any idea?
10-29-2022 03:05 AM - edited 10-31-2022 11:34 AM
Thank you for your question. I got my issue solved too; I was having the same issue, which annoyed me the most, as I was getting the issue with my Epson Sublimation Printer here instead of the Canon.
12-11-2023 10:24 AM - edited 12-11-2023 10:27 AM
DACL (Discretionary Access Control List) for printers manages who can access and perform actions (like printing or managing settings) and lists user/group permissions for the printer.