
Access List deny and permit users to access network printer

I need some help with an access list!

I have a subnet 172.16.1.0 255.255.250.0 (VLAN 1)

In the same subnet, I have a Network Printer 172.16.1.153

I need to deny all users to connect to network printer except for 2 users 172.16.1.36 and 172.16.1.115

Please see below picture for your reference.

[Attached image: Printer.PNG]

Thanks!


Deepak Kumar
VIP Alumni

Hi,

Is it possible to keep the printer in another VLAN?

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

@Deepak Kumar If that's the only option then please help me. 

 

Thanks

Hi,

Please share the Printer IP address, switch port where printer is connected, Client's mac address which you want to allow and VLAN number. 

 

I will make acl for you.

 

Edit: MAC was a typo

 

Regards,

Deepak Kumar


@Deepak Kumar 

Printer MAC: 1860.2468.718c

Printer switchport on layer2 switch: f0/5

Client1 Mac address: 8C-16-45-89-52-x1

Client1 Mac address: 8C-16-45-89-52-x2

 

Hi,
Sorry, MAC was a typo. I was supposed to ask for the IP address.

Regards,
Deepak Kumar

Hello,

 

if all your clients are in VLAN 1, you could also use a VLAN ACL. This would look as below:

 

ip access-list extended PRINTER_ACL
 permit ip host 172.16.1.36 host 172.16.1.153
 permit ip host 172.16.1.115 host 172.16.1.153
!
vlan access-map PRINTER_VACL 10
 match ip address PRINTER_ACL
 action forward
!
vlan filter PRINTER_VACL vlan-list 1

@Georg Pauwen Thanks!

Where should I configure the VLAN ACL? layer2 switch or layer 3 switch?

Hi,

My concern with the solution is: do you have fixed IPs on the client machines?

 

 
ip access-list extended Printer_Allow
 permit ip host 172.16.1.36 host 172.16.1.153
 permit ip host 172.16.1.115 host 172.16.1.153
 deny ip 172.16.1.0 0.0.0.255 host 172.16.1.153
 permit ip any any
!
vlan access-map Printer_Allow_VACL 10
 match ip address Printer_Allow
 action forward
!
vlan filter Printer_Allow_VACL vlan-list 1

You have to configure this where the printer is connected.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
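
Added example, not part of either reply above and not Cisco code: a small first-match evaluator that runs the two ACLs from this thread through a VLAN map and compares the verdicts for a few flows. It assumes a map with a single sequence using `action forward`, in which an IP packet that matches no permit entry is dropped; every address other than .36, .115 and .153 is constructed for the test.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is any / host A / A wildcard."""
    tok = line.split()
    action, i, sides = tok[0], 2, []      # tok[1] is the protocol keyword 'ip'
    for _ in range(2):
        if tok[i] == "any":
            sides.append((0, 0xFFFFFFFF)); i += 1
        elif tok[i] == "host":
            sides.append((_ip(tok[i + 1]), 0)); i += 2
        else:
            sides.append((_ip(tok[i]), _ip(tok[i + 1]))); i += 2
    return action, sides[0], sides[1]

def _hit(side, addr):
    base, wildcard = side
    care = ~wildcard & 0xFFFFFFFF         # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)

def vacl_verdict(acl, src, dst):
    """Assumed model: one map sequence, 'match ip address <acl>', 'action forward'."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _hit(s, src) and _hit(d, dst):
            return "forward" if action == "permit" else "drop"
    return "drop"                         # IP packet matched no clause of the map

PRINTER_ACL = ["permit ip host 172.16.1.36 host 172.16.1.153",
               "permit ip host 172.16.1.115 host 172.16.1.153"]
PRINTER_ALLOW = PRINTER_ACL + ["deny ip 172.16.1.0 0.0.0.255 host 172.16.1.153",
                               "permit ip any any"]

FLOWS = {  # constructed (src, dst) pairs
    "allowed client":  ("172.16.1.36", "172.16.1.153"),
    "other client":    ("172.16.1.50", "172.16.1.153"),
    "printer reply":   ("172.16.1.153", "172.16.1.36"),
    "client to client": ("172.16.1.50", "172.16.1.60"),
    "outside wildcard": ("172.16.2.10", "172.16.1.153"),
}

def compare():
    """Return {flow: (verdict under PRINTER_ACL, verdict under Printer_Allow)}."""
    return {n: (vacl_verdict(PRINTER_ACL, *f), vacl_verdict(PRINTER_ALLOW, *f))
            for n, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:18} PRINTER_ACL={a:8} Printer_Allow={b}")
```

Under this model the two-line ACL also drops the printer's replies and unrelated VLAN 1 traffic, while the longer ACL forwards them; its deny entry only covers sources inside the 0.0.0.255 wildcard, so that wildcard has to match the VLAN's real subnet.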

Thanks @Deepak Kumar  and @Georg Pauwen  VACL resolved the issue! Many thanks to both of you. :)

Hi,

We are happy that the solution has worked for you. 

 

Regards,

Deepak Kumar


Hello,

 

Apply the VACL on the layer 2 switch...

AhalaY
Level 1

Hi!

 

On layer 3, if your switch has a LANBASE license, try applying an extended access list to interface Fa0/5:

(config)# access-list 101 permit ip any host 172.16.1.115
(config)# access-list 101 permit ip any host 172.16.1.36
(config)# interface FastEthernet0/5
(config-if)# ip access-group 101 in

The printer will receive all traffic, but will only be able to send to two hosts.

It's a workaround, no more.

 

Hello


alvin.baro@gmail.com wrote:

I need some help with access-list !

i have a subnet 172.16.1.0 255.255.250.0 (VLAN 1)

In the same subnet, I have a Network Printer 172.16.1.153

I need to deny all users to connect to network printer except for 2 users 172.16.1.36 and 172.16.1.115

 


Now, does this also mean any users in any other VLANs? If so, VACLs won't perform that action; you will need to apply a RACL.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

As per her message, there is only one VLAN (1).

 

Regards,

Deepak Kumar
