Printing across VLANs on an MX75

Solved
Scottyboy

Hi,

I have set up separate VLANs, with 3 requiring access to a Xerox Versalink printer on its own VLAN.

I have followed all the port rules and added them into the portal but my print jobs don't arrive.

I can add the printer, ping the printer, ping the hostname of the printer but the jobs never arrive and it puts up an error with no detail.

Ran Wireshark and the packet capture on the MX but it shows the ports I've already opened.

Allowed ports 443, 8800, 8801, 8802, 9100, 515, 25 and 631 TCP

9807, 53 and 161 UDP

Can anyone advise please?

1 Accepted Solution
Scottyboy

Hi,

Looks like the issue is all down to DNS of the printer. We can ping it but can't ping the hostname. If you edit the host file on a laptop you can see the jobs appear on the printer, but not if no host is added. It would be great if this could be put into the Meraki so that when users connect they get this info, but it doesn't look like this is possible unless we put in a DNS server or manually add this to any clients that join the network; however, that's not possible for casual site visitors. The Meraki can't ping the hostname either, so we now need to find a workaround without manually adding the host file or a DNS server. Any ideas?

We've streamlined the rules; whitelisting was added but didn't make a difference, so it's now removed.

Cheers for the advice everyone
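
A check that separates the two failure modes discussed in this thread, name resolution versus blocked ports, so firewall rules are not widened for what is really a DNS problem. This is an added example, not code from the original posts; the hostname and IP in the usage line are constructed placeholders, and the injectable `resolver`/`connector` parameters are assumptions added so the logic can be exercised offline.

```python
import socket
import sys

# TCP print ports the thread opens from the client VLANs to the printer.
PRINT_TCP_PORTS = {9100: "raw (port 9100)", 515: "LPD", 631: "IPP"}


def resolve(hostname, resolver=socket.gethostbyname):
    """Return the IPv4 address the client resolves for hostname, or None."""
    try:
        return resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def port_open(ip, port, timeout=2.0, connector=socket.create_connection):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with connector((ip, port), timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def diagnose(hostname, ip, resolver=socket.gethostbyname,
             connector=socket.create_connection):
    """Classify the failure as 'firewall', 'dns', 'dns-mismatch' or 'ok'."""
    resolved = resolve(hostname, resolver)
    open_ports = [p for p in PRINT_TCP_PORTS
                  if port_open(ip, p, connector=connector)]
    if not open_ports:
        verdict = "firewall"      # nothing reachable by IP: check L3 rules
    elif resolved is None:
        verdict = "dns"           # ports fine, the name does not resolve
    elif resolved != ip:
        verdict = "dns-mismatch"  # name resolves to a different address
    else:
        verdict = "ok"
    return {"resolved": resolved, "open_ports": open_ports, "verdict": verdict}


if __name__ == "__main__":
    # Usage (constructed values): python check.py printer.example.internal 192.0.2.50
    result = diagnose(sys.argv[1], sys.argv[2])
    for port in result["open_ports"]:
        print(f"open: {port}/tcp {PRINT_TCP_PORTS[port]}")
    print(f"resolved: {result['resolved']}  verdict: {result['verdict']}")
```

A `dns` verdict from a client on each VLAN matches the situation described in the post above: the rules already pass the print ports, so the fix belongs in name resolution rather than in looser firewall rules.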

14 Replies
alemabrahao

Have you tried putting the printer on the allowed list?

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Scottyboy

Hi Alemabrahao,

Just added it to the whitelist and still the same. I'll upload the rules I've added later today to show what's been set up.

Thanks for the advice.

alemabrahao

Why don't you add printers by IP?

Or if you don't want to create a DNS server, just configure the host file as you commented.

Scottyboy

I do add the printer as an IP; it just won’t send a job to the printer without knowing its hostname, rather a strange one. The only reason I didn’t want to add a host file is it’s a mixture of visitor and permanent staff across the 3 VLANs and maintaining that would be tough.

All the rules are nice and secure and we didn’t need to whitelist any device. Just need to find an easy solution to the hostname scenario but thanks for everyone’s input so far 

alemabrahao

The best solution is using a DNS server; the "easy" solution is adding the information to the host file.

Brash

Check the event log for L7 rule matches.

Temporarily change the printer L3 rule to any to verify whether additional ports are required to be open.

alemabrahao

If he tested with an allow list, it doesn't make sense.

Allow List

Applies the following settings to a client:

Is exempt from all firewall rules, both Layer 3 and Layer 7 (Applies to both the MX Security Appliance and the MR Access Points)

Bypasses AMP

Bypasses a Click-through Splash page

Bypasses a Billing (paid access) Splash page and accesses the network on an SSID without paying or authenticating

Bypasses a Sign-on Splash page without authenticating (Applies to both the MX Security Appliance and the MR Access Points)

Is exempt from Per-client bandwidth limit (Applies to both the MX Security Appliance and the MR Access Points)

Is exempt from Traffic shaping rules (Applies to both the MX Security Appliance and the MR Access Points)

Bypasses Content filtering on MX Security Appliance

ww

It still depends which device is whitelisted. If the printer is whitelisted but the client sending the print job is not, it could still not work. 

alemabrahao

So, it's very simple to test, just put the client in an allow list too. 😉

BlakeRichardson

What OS are you using that won't allow you to print via IP and only FQDN?

Both Windows and macOS will allow either unless your Windows devices have some GPO that's forbidding it.

I see you have opened the ports for IPP, LPD/LPR and HTTP printing; which protocol are you actually using?

Scottyboy

Windows 10 Pro and it looks like 515 and 9100 TCP seem to be the main ones. I've narrowed down the ports to the ones below just to cover myself in case that was an issue. Even did an ip any any and still had the same problem.

Just to recap

From the three VLANs: 80, 443, 515, 9100 and 631 TCP; 161, 53 and 5353 UDP

From the printer: 9807 UDP and 8800 plus 25 TCP

I add the printer either via the Xerox smart tool or add printer (add using TCP/IP etc.) and all looks good. Just no host file on the laptop, then not a single job will appear in the printer queue.

The printer is a Xerox Versalink 7030

Cheers

BlakeRichardson

Is IP filtering enabled on the printer?

Scottyboy

Can't access the printer at the moment as someone on site has switched it off, but from what I recall the following ports were enabled.

FTP, HTTP, IPP, LPD, 9100, SFTP, SMB, SMTP, SNMP, SOAP and WSD

Switched off were IPsec, LDAP, S/MIME and SNTP

Bonjour, AirPrint, Google Print and Mopria are off but plan to put the first two on

Managed to get someone to put the printer on and it's not enabled and nor is domain filtering

Cheers
