Meraki

Community

Printing across VLANs on an MX75

Solved
Scottyboy
Here to help
‎Aug 26 2023 7:59 AM
‎Aug 26 2023 7:59 AM

Printing across VLANs on an MX75

Hi,

 

I have set up separate vlans with 3 requiring access to a Xerox Versalink printer on its own vlan.

 

I have followed all the port rules and added them into the portal but my print jobs don't arrive.

I can add the printer, ping the printer, ping the hostname of the printer but the jobs never arrive and puts up an error with no detail.

Ran wireshark and the packet capture on the MX but shows the ports i've already opened

 

Allowed ports 443, 8800, 8801, 8802, 9100, 515, 25 and 631 TCP

9807, 53 and 161 UDP

 

Can anyone advise please?

 

Labels:
0 Kudos
1 Accepted Solution
In response to alemabrahao
Scottyboy
Here to help
‎Aug 27 2023 5:02 AM
‎Aug 27 2023 5:02 AM

Hi,

 

Looks like the issue is all down to DNS of the printer. We can ping it but can't ping the hostname. If you edit the host file on a laptop you can see the jobs appear on the printer but not if no host added. I would be great if this could be put into the meraki so that when users connect they get this info but it doesn't look like this is possible unless we put in a DNS server or manually add this to any clients that join the network however thats not possible for casual site visitors. The meraki cant ping the hostname either so now need to find a work around without manually adding the host file or a DNS server, any ideas?

We've streamlined the rules, whitelisting was added but didn't make a difference so now removed.  

 

Cheers for advice everyone 

View solution in original post

0 Kudos
14 Replies 14
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 26 2023 9:08 AM
‎Aug 26 2023 9:08 AM

Have you tried putting the print on allowed list?

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Scottyboy
Here to help
‎Aug 26 2023 10:19 AM
‎Aug 26 2023 10:19 AM

Hi Alemabrahao,

 

Just added it to the whitelist and still the same. I'll upload the rules i've added later today to show whats been setup.

 

Thanks for the advise.

 

0 Kudos
In response to alemabrahao
Scottyboy
Here to help
‎Aug 27 2023 5:02 AM
‎Aug 27 2023 5:02 AM

Hi,

 

Looks like the issue is all down to DNS of the printer. We can ping it but can't ping the hostname. If you edit the host file on a laptop you can see the jobs appear on the printer but not if no host added. I would be great if this could be put into the meraki so that when users connect they get this info but it doesn't look like this is possible unless we put in a DNS server or manually add this to any clients that join the network however thats not possible for casual site visitors. The meraki cant ping the hostname either so now need to find a work around without manually adding the host file or a DNS server, any ideas?

We've streamlined the rules, whitelisting was added but didn't make a difference so now removed.  

 

Cheers for advice everyone 

0 Kudos
In response to Scottyboy
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 27 2023 5:54 AM
‎Aug 27 2023 5:54 AM

Why don't add printers by IP?

 

Or if don't want to create a DNS server just configure host file as you commented.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Scottyboy
Here to help
‎Aug 27 2023 6:51 AM
‎Aug 27 2023 6:51 AM

I do add the printer as an IP it just won’t send a job to the printer without knowing its hostname, rather a strange one. The only reason I didn’t want to add a host file is it’s a mixture of visitor and permanent staff across the 3 vlans and maintaining that would be tough.

All the rules are nice and secure and we didn’t need to whitelist any device. Just need to find an easy solution to the hostname scenario but thanks for everyone’s input so far 

0 Kudos
In response to Scottyboy
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 27 2023 7:09 AM
‎Aug 27 2023 7:09 AM

The best solution is using a DNS server, the "easy" solution is adding the information on host file.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎Aug 26 2023 2:09 PM
‎Aug 26 2023 2:09 PM

Check the event log for L7 rule matches.

Temporarily change the printer L3 rule to any to verify whether additional ports are required to be open

0 Kudos
In response to Brash
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 26 2023 2:31 PM
‎Aug 26 2023 2:31 PM

If he tested with a allow list, it doesn't make sense.

 

Allow List

Applies the following settings to a client:

 

Is exempt from all firewall rules, both Layer 3 and Layer 7 (Applies to both the MX Security Appliance and the MR Access Points)

Bypasses AMP

Bypasses a Click-through Splash page 

Bypasses a Billing (paid access) Splash page and access the network on an SSID without paying or authenticating

Bypasses a Sign-on Splash page without authenticating (Applies to both the MX Security Appliance and the MR Access Points)

Is exempt from Per-client bandwidth limit (Applies to both the MX Security Appliance and the MR Access Points)

Is exempt from Traffic shaping rules (Applies to both the MX Security Appliance and the MR Access Points)

Bypasses Content filtering on MX Security Appliance

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
ww
Kind of a big deal
Kind of a big deal
‎Aug 26 2023 3:08 PM
‎Aug 26 2023 3:08 PM

It still depends which device is whitelisted. If the printer is whitelisted but the client sending the print job is not, it could still not work. 

0 Kudos
In response to ww
alemabrahao
Kind of a big deal
Kind of a big deal
‎Aug 26 2023 3:10 PM
‎Aug 26 2023 3:10 PM

So, it's very simple to test, just put the client in an allow list to. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Aug 27 2023 3:06 PM
‎Aug 27 2023 3:06 PM

What OS are you using that won't allow you to print via IP and only FQDN?

 

Both windows and MacOS will allow either unless your Windows devices have some GPO thats forbidding it. 

 

I see you have opened the ports for IPP, LPD/LPR and HTTP printing, which protocol are you actually using? 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Scottyboy
Here to help
‎Aug 27 2023 4:34 PM
‎Aug 27 2023 4:34 PM

Windows 10 pro and it looks like 515 and 9100 tcp seem to be the main ones. I've narrowed down the ports to the ones below just to cover myself in case that was an issue. Even did an ip any any and still had the same problem.

 

Just to recap

From the three VLANS, 80,443,515, 9100 and 631 TCP, 161, 53 and 5353 udp

from the printer 9807 udp and 8800 plus 25 tcp

 

I add the printer either via the Xerox smart tool or add printer,(add using tcp/ip etc) and all looks good. just no host file on the laptop then not a single job will appear in the printer queue.

 

The printer is a Xerox Versalink 7030

 

Cheers

0 Kudos
In response to Scottyboy
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Aug 27 2023 4:55 PM
‎Aug 27 2023 4:55 PM

Is IP filtering enabled on the printer?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to BlakeRichardson
Scottyboy
Here to help
‎Aug 27 2023 5:25 PM
‎Aug 27 2023 5:25 PM

Can't access the printer at the moment as someone on site has switched it off but from what i recall the following ports were enabled.

 

Ftp, http, ipp ,lpd, 9100, sftp, smb, smtp, snmp, soap, and wsd

switched off were ipsec, ldap, s/mime and sntp

 

Bonjour, AirPrint, Google Print and Mopria are off but plan to put the first two on 

Managed to get someone to put the printer on and its not enabled and nor is domain filtering

 

Cheers

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.