
Isolating printers from computers on the same VLAN?

clybumat1
Level 1

I have been tasked with isolating printers from computers.  The printers will still talk to the print servers, but users on the PCs should not be able to access them via browser etc. 

This would be easy if they were on separate VLANs.  But printers/computers/APs, etc. are all on the same VLANs.  Our topology is an L3, routed network design, where each department has its own routed link on a 3750 user network switch that runs to a core 6500 router. 

We first looked into creating access lists, but there are over 300 printers, all on different VLANs and IP ranges, so the access lists would be way too long.

We then looked into private VLANs, but these only work on a trunked environment. 

Is there any other solution here? 

8 Replies

acampbell
VIP Alumni

Hi,

You could try creating a VLAN & subnet purely for the printers.
Then create an access list that only allows your print servers and any other management address
to the printers.

Let's say VLAN 111 & subnet 10.100.111.0/24 is defined for the printers.
Let's say VLAN 10 & subnet 10.100.10.0/24 is all other devices.
Let's say the Print Servers and your NET MAN Station are

10.100.10.101, 102 & 103

!
vlan 10
 name THE-BIG-VLAN
!
vlan 111
 name THE-PRINTER-VLAN
!
interface Vlan10
 description *** THE-BIG-VLAN ***
 ip address 10.100.10.1 255.255.255.0
!
interface Vlan111
 description *** THE-PRINTER-VLAN ***
 ! SVI address comes from the printer subnet 10.100.111.0/24
 ip address 10.100.111.1 255.255.255.0
 ! Applied "out": filters packets leaving the switch towards the printers,
 ! so only the print servers and the management station get through and
 ! everything else hits the implicit deny. Printer replies are not filtered.
 ip access-group 111 out
!
! Numbered extended ACL (100-199): permitted source hosts to any printer
access-list 111 permit ip host 10.100.10.101 any
access-list 111 permit ip host 10.100.10.102 any
access-list 111 permit ip host 10.100.10.103 any
!

Hope this gives you some pointers

Regards
Alex

Regards, Alex. Please rate useful posts.

Hi acampbell.  Thanks for the response.  This was our original idea, but the issue is, there are literally hundreds of printers, and all are set up in DNS.  So we'd have to put in a request for each printer to update its DNS to the new IP, not to mention the task of going to every single printer and changing its static IP. 

Hi,

NO PAIN - NO GAIN.

Rome was not built in ONE day.

You could use DHCP for your printers with a long lease time.

That would buy you some time to reset printer to DHCP
Change access vlan
Build DNS
Build Print Q
Re-static IP printer

Regards
Alex

Regards, Alex. Please rate useful posts.

Ha, believe me, I'm with you acampbell.  If it were up to me, I'd put all printers on one or two VLANs.  But the business wants a quick solution here, and it's looking more and more like that is not possible.

This issue is a result of the original design of the network.  And unless there's some other solution we're not thinking of here, we may have to rebuild Rome, if security is that important to the business. 

Sort of sounds like what PVLANs are used for, but I can't say I have ever configured them or used them.  Just something to investigate.

Update: sorry, didn't see you had looked at that.

Ok, so the business still wants us to do this by any means possible.

We have decided to apply a VLAN access map.  Yes it's going to be long, especially for the switch stacks that have 100 printers, but they insist we do it.

The printers need to be isolated from everything but the print servers.  Our first attempt at the list has failed: it is dropping traffic from PCs, and also from the print servers. 

So in other words, we need to permit printer IP x.x.x.x to server IP x.x.x.x.

But deny the printer from everything else.

Can someone post an example config for this?

Bump. Any thoughts on this?

By the way, we were able to get the VACLs working if we applied them to the interface of the printer(s).  But if we apply them to the VLAN, it will block all traffic to/from the printers, even to the print servers that are being allowed in the extended access list.
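An added example of the VLAN access map asked for above (not from any poster in this thread). It assumes Catalyst 3750 VLAN map syntax and constructed addresses: VLAN 10 carries PCs and printers together, printers 10.100.10.201 and .202, print servers 10.100.10.101 and .102; the real printer and server lists, plus any management station, are added as further host lines.

```cisco
! Added example with constructed addresses; extend the host lines for the
! real printers, print servers and management stations.
!
! ACL 1: every printer<->print-server pair, listed in BOTH directions.
! VLAN maps are stateless, so a map that lists only printer->server
! also drops the server->printer replies.
ip access-list extended PRINTER-SERVER-PAIRS
 permit ip host 10.100.10.201 host 10.100.10.101
 permit ip host 10.100.10.101 host 10.100.10.201
 permit ip host 10.100.10.201 host 10.100.10.102
 permit ip host 10.100.10.102 host 10.100.10.201
 permit ip host 10.100.10.202 host 10.100.10.101
 permit ip host 10.100.10.101 host 10.100.10.202
 permit ip host 10.100.10.202 host 10.100.10.102
 permit ip host 10.100.10.102 host 10.100.10.202
!
! ACL 2: anything else to or from a printer ("permit" here means "match").
ip access-list extended PRINTER-ANY
 permit ip host 10.100.10.201 any
 permit ip any host 10.100.10.201
 permit ip host 10.100.10.202 any
 permit ip any host 10.100.10.202
!
! VLAN map: the first matching sequence wins, so allowed pairs go first.
vlan access-map PRINTER-ISO 10
 match ip address PRINTER-SERVER-PAIRS
 action forward
vlan access-map PRINTER-ISO 20
 match ip address PRINTER-ANY
 action drop
! Sequence 30 has no match clause, so it catches everything left over:
! PC-to-PC, PC-to-gateway, PC-to-server. Without it, every IP packet in
! the VLAN that misses the match clauses above is dropped by default,
! which looks like "the map blocks all traffic".
vlan access-map PRINTER-ISO 30
 action forward
!
! Apply to the shared VLAN; repeat on each switch stack that holds
! printers in that VLAN, since VLAN maps are local to the switch.
vlan filter PRINTER-ISO vlan-list 10
```

ARP is not an IP packet, so it is untouched by these IP match clauses and the printers keep resolving their gateway; `show vlan access-map` and `show vlan filter` confirm the map contents and where it is applied.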

Hello

The most simplistic way I can think of at present refers not to networking (Cisco) but to my days as a Wintel server admin: tying printer browsing down via Active Directory Group Policy (GPO).

I am assuming your printers are authorised in AD.  If so, you can create GPO security templates defined for certain organisational units (OUs) to enable/disable the printer browsing capability, and then push this policy out into your relevant AD domain.

I have not worked with AD for some time now, but I am sure you could search for the exact procedure. 

res

paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul