Cisco MX64W
We are needing to restrict printing down to a select few hosts within our network to a specific printer on the same network. When going into the Firewall portion of our Cisco MX64W, in the Layer 7 section, I've noticed it only allows us to create a Deny rule with no Allow being selectable.
In short, can anyone tell me if creating such a rule on an MX64W is possible?
Thanks for any direction and advice.
Why don't you create a rule of 3 blocking the source IPs to the printer's destination IP?
Please, if this post was useful, leave your kudos and mark it as solved.
Thank you, Alemabrahao
I've noticed in the Layer 3 there's only an Inbound and Outbound option, nothing to restrict inside traffic talking to each other. Is this typical of the MX64W not allowing rules for inside traffic?
Hi @BrianVanoy, as previously mentioned, you can restrict inter-VLAN but not intra. You would need to move the printers into a new IP subnet and restrict that way.
https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Is the printer on the same VLAN or a different VLAN? If a different VLAN, you can create a group policy with the relevant Layer 3 rules and attach it to that VLAN. If it's the same VLAN, the MX is not involved in that Layer 2 communication and I would recommend moving to separate VLANs to facilitate with a group policy.
You can do intra-VLAN blocking with more advanced switching options, if you wanted to investigate that, but if the site is small enough for an MX64W then it's likely not worth it, in most cases.
Thanks Mloraditch,
Unfortunately, they are on the same VLAN which I always encourage that printers be placed on their own within the network for security reasons/purposes. It doesn't appear the Layer 3 rules allow for any restriction of inside traffic at this time. If I specify the printer's address it wants me to restrict the entire VLAN rather than a specific IP address on both the Source and Destination.
You will either need a Meraki switch and apply the ACL there:
https://documentation.meraki.com/MS/Other_Topics/Switch_ACL_Operation
Or, as others have mentioned, move the printer into its own subnet/VLAN.
The easier option might be to enable IP filtering on the printer itself. Just make sure you include your IP so that the device can be managed and you don't lock yourself out.
