Duplicate printer IP address

  • BillyCarpenter
    Field Supervisor

    Site Contributor
    VIP Subscriber
    10,000+ Posts
    • Aug 2020
    • 15519

    #16
    Re: Duplicate printer IP address

    One last thing. We can tell a switch to only learn 1 MAC address for a port or several MACs. If an unauthorized device is plugged in, we can use 3 different violation modes:

    1. Shut down - the port is shut down and an admin must turn it back on.

    2. Protect - This simply means that the switch will not put any more MAC addresses in its CAM table and no packets will be forwarded except on authorized devices. Protect mode doesn't generate an alert message or email.

    3. Restrict - Lets only authorized MAC addresses communicate on the network and generates alert messages and logs. (It keeps a daily log of port activity.)
    Adversity temporarily visits a strong man but stays with the weak for a lifetime.

    Comment
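
The three violation modes from the post above, modelled as an added Python example (it is not from the thread or from any switch vendor). The `SecurePort` class, the `replay` helper and the MAC addresses are constructed for illustration, and the model assumes that shutdown and restrict count and log the violation while protect does not.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one switch port with a limit on learned MAC addresses."""
    mode: str                       # "shutdown", "protect" or "restrict"
    max_macs: int = 1
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving from src_mac."""
        if self.err_disabled:
            return "drop"                   # port stays down until an admin re-enables it
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)   # still room: learn the address
            return "forward"
        # Violation: unknown source MAC and the address limit is reached.
        if self.mode == "protect":
            return "drop"                   # silent: no counter, no log entry
        self.violations += 1
        self.log.append(f"security violation by {src_mac}")
        if self.mode == "shutdown":
            self.err_disabled = True        # the whole port goes down
        return "drop"

def replay(mode, frames):
    """Feed frames to a fresh port; return (verdicts, violations, err_disabled)."""
    port = SecurePort(mode)
    verdicts = [port.receive(mac) for mac in frames]
    return verdicts, port.violations, port.err_disabled

# Constructed addresses from the documentation MAC range.
PRINTER = "00:00:5e:00:53:01"
LAPTOP = "00:00:5e:00:53:99"
FRAMES = [PRINTER, LAPTOP, PRINTER]   # printer talks, laptop is plugged in, printer talks again

if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        print(mode, replay(mode, FRAMES))
```

With the same three frames, shutdown also cuts off the printer until the port is re-enabled, protect keeps the printer working but records nothing, and restrict keeps the printer working and records the attempt.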

    • slimslob
      Retired

      Site Contributor
      25,000+ Posts
      • May 2013
      • 35599

      #17
      Re: Duplicate printer IP address

      Originally posted by BillyCarpenter
      There's another way to do this and it's probably the best method, IMHO. You can bind a mac address, or two, to a specific port on the switch. If someone comes along and plugs in a laptop or other device, the port immediately shuts down and the IT dept is notified via email.

      You can also do some other cool stuff but we'll save that for another day.

      And if the main company network also includes WiFi, you can also block devices by their mac, or to be more precise, you can only allow specific devices, even on home WiFi networks. Of course there are a lot of so-called IT people out there who do not know or do not care. We have all encountered them. Think they are better than a lowly copier man until one of us determines the cause of a network problem in less than 5 minutes that they have been working on for hours.


      • BillyCarpenter

        #18
        Re: Duplicate printer IP address

        Originally posted by slimslob
        And if the main company network also includes WiFi, you can also block devices by their mac, or to be more precise, you can only allow specific devices, even on home WiFi networks. Of course there are a lot of so-called IT people out there who do not know or do not care. We have all encountered them. Think they are better than a lowly copier man until one of us determines the cause of a network problem in less than 5 minutes that they have been working on for hours.

        True. You probably remember me talking about this on the board. I set up several lightweight access points and a WLAN (Wireless LAN Controller) on a Radius Server. It's basically Active Directory for Wireless. You sign in to the wireless network with the same credentials and only have access to the information that was granted to you. The Lightweight Access Points don't do any of the heavy lifting. It's all done on the WLAN controller and you can control everything from there.

        • blackcat4866
          Master Of The Obvious

          Site Contributor
          10,000+ Posts
          • Jul 2007
          • 22783

          #19
          Re: Duplicate printer IP address

          Originally posted by BillyCarpenter
          One last thing. We can tell a switch to only learn 1 MAC address for a port or several MACs. If an unauthorized device is plugged in, we can use 3 different violation modes:

          1. Shut down - the port is shut down and an admin must turn it back on.

          2. Protect - This simply means that the switch will not put any more MAC addresses in its CAM table and no packets will be forwarded except on authorized devices. Protect mode doesn't generate an alert message or email.

          3. Restrict - Lets only authorized MAC addresses communicate on the network and generates alert messages and logs. (It keeps a daily log of port activity.)

          Maybe I don't understand all the variables, but "Restrict" seems like the best option to me. It allows authorized activity, it blocks unauthorized activity, and it records data on a log. I think that covers all the bases. =^..^=
          If you'd like a serious answer to your request:
          1) demonstrate that you've read the manual
          2) demonstrate that you made some attempt to fix it.
          3) if you're going to ask about jams include the jam code.
          4) if you're going to ask about an error code include the error code.
          5) You are the person onsite. Only you can make observations.

          blackcat: Master Of The Obvious =^..^=


          • BillyCarpenter

            #20
            Re: Duplicate printer IP address

            Originally posted by blackcat4866
            Maybe I don't understand all the variables, but "Restrict" seems like the best option to me. It allows authorized activity, it blocks unauthorized activity, and it records data on a log. I think that covers all the bases. =^..^=

            That's the one that I like the best.

            • slimslob

              #21
              Re: Duplicate printer IP address

              Originally posted by BillyCarpenter
              One last thing. We can tell a switch to only learn 1 MAC address for a port or several MACs. If an unauthorized device is plugged in, we can use 3 different violation modes:

              1. Shut down - the port is shut down and an admin must turn it back on.

              2. Protect - This simply means that the switch will not put any more MAC addresses in its CAM table and no packets will be forwarded except on authorized devices. Protect mode doesn't generate an alert message or email.

              3. Restrict - Lets only authorized MAC addresses communicate on the network and generates alert messages and logs. (It keeps a daily log of port activity.)

              One thing I have seen with local offices of large corporations is using managed switches to only allow things like printing only to specific ports.


              • BillyCarpenter

                #22
                Re: Duplicate printer IP address

                Originally posted by slimslob
                One thing I have seen with local offices of large corporations is using managed switches to only allow things like printing only to specific ports.


                You can do so many amazing things with a switch. I fell in love with Cisco switches and routers. However, learning that stuff can be grueling and after some time I realized that I was never gonna use 99% of the stuff that I was learning unless I was planning to go to work for a large corporation one day. That's not in my plans. I'm too old for a career change so I put the CCNA down. I still go back and brush up on it and play around. It's really amazing.

                • blackcat4866

                  #23
                  Re: Duplicate printer IP address

                  Originally posted by slimslob
                  One thing I have seen with local offices of large corporations is using managed switches to only allow things like printing only to specific ports.

                  Only that would solve a lot of issues. Port 9100 open only. Hardly anyone uses port 9101, 9102, 9103, 9104 ... maybe leave the port open for SNMP: 161, 162? Printers wouldn't need anything other than 9100, 161, & 162. =^..^=

                  • BillyCarpenter

                    #24
                    Re: Duplicate printer IP address

                    Originally posted by blackcat4866
                    Only that would solve a lot of issues. Port 9100 open only. Hardly anyone uses port 9101, 9102, 9103, 9104 ... maybe leave the port open for SNMP: 161, 162? Printers wouldn't need anything other than 9100, 161, & 162. =^..^=

                    Switches only deal with MAC addresses. Ports would be done at the router. If you wanted to block/limit printing at the switch level, it would involve creating an ACL (Access Control List) and we're getting in the deep end of the pool so I'll leave it there.

                    • BillyCarpenter

                      #25
                      Re: Duplicate printer IP address

                      My apologies. slim said "managed" switch. That means it does routing.

                      • blackcat4866

                        #26
                        Re: Duplicate printer IP address

                        You know, I've brought this up with IT folks before when they're getting non-print data hitting the printer's IP, and I've always gotten that " ... it could be done ..." response. Maybe it's over the head of your average office IT guy. =^..^=

                        • slimslob

                          #27
                          Re: Duplicate printer IP address

                          Originally posted by blackcat4866
                          Only that would solve a lot of issues. Port 9100 open only. Hardly anyone uses port 9101, 9102, 9103, 9104 ... maybe leave the port open for SNMP: 161, 162? Printers wouldn't need anything other than 9100, 161, & 162. =^..^=

                          What I have encountered has been blocking those ports to locations not designated for printers. Works fine as long as everyone knows about it. Had a local office of a large oil field services company where the corporate IT had set up the switches and administered the network for a number of years until they decided it would be better to have a local IT person but failed to inform her about the designated printer jacks. Got a call one Monday morning that printer in their shop office was not working. Over the weekend they had moved all the furniture including the MFP out of the office so they could paint the office. It had a link light and we could ping it but it still couldn't print. Then I noticed that the network jack it was plugged into was the one I normally used when testing. We pulled the MFP out from the wall and there was another jack next to the power outlet. Moved the connection to it and the MFP immediately started printing everything that had been queued to it.


                          • BillyCarpenter

                            #28
                            Re: Duplicate printer IP address

                            I know this isn't exactly what blackcat was talking about but I'll share anyway.

                            Let's say that we put the printer on a VLAN. That VLAN will be tied to a range of IP addresses on the same subnet. Basic stuff. Now we can configure the switch to allow or deny printing to certain users by blocking an IP address or addresses via ACL.


                            The syntax would look something like this:

                            ! ACL used as the match condition: "permit" lines are matched, the "deny" line is not
                            ip access-list extended Printer_Allow
                             permit ip host 172.16.1.36 host 172.16.1.153
                             permit ip host 172.16.1.115 host 172.16.1.153
                             deny ip 172.16.1.0 0.0.0.255 host 172.16.1.153
                             permit ip any any
                            !
                            ! VLAN map: forward whatever the ACL matches
                            vlan access-map Printer_Allow_VACL 10
                             match ip address Printer_Allow
                             action forward
                            !
                            ! Apply the map to VLAN 1
                            vlan filter Printer_Allow_VACL vlan-list 1

                            I think blackcat was talking about blocking unwanted network traffic at the port level??

                            Comment
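
An added example (not part of the original post): a small Python evaluator for the ACL posted above, run against a few source addresses. It uses first-match ACL semantics and assumes the single-clause VLAN map drops IP packets the ACL does not permit; the function names and the sample sources `172.16.1.50` and `10.0.0.5` are constructed.

```python
import ipaddress

# ACL entries copied from the post; everything else here is constructed.
ACL_TEXT = """\
permit ip host 172.16.1.36 host 172.16.1.153
permit ip host 172.16.1.115 host 172.16.1.153
deny ip 172.16.1.0 0.0.0.255 host 172.16.1.153
permit ip any any
"""
PRINTER = "172.16.1.153"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens:
            action, _proto = tokens.pop(0), tokens.pop(0)
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            entries.append((action, src, dst))
    return entries

def _hit(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)

def vacl_action(entries, src, dst):
    """First matching entry wins: a permit hit matches the 'action forward'
    clause; a deny hit or no hit matches no clause and is dropped (assumed)."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return "forward" if action == "permit" else "drop"
    return "drop"

ACL = parse_acl(ACL_TEXT)
# Constructed sources: an allowed PC, another PC, a host from another subnet.
SAMPLE_SOURCES = ["172.16.1.36", "172.16.1.50", "10.0.0.5"]

def evaluate_samples():
    return {src: vacl_action(ACL, src, PRINTER) for src in SAMPLE_SOURCES}
```

The evaluation also shows what the list leaves open: a source outside 172.16.1.0/24 that is routed into the VLAN falls through to `permit ip any any` and reaches the printer. Every entry matches `ip`, so no entry limits which printer ports the permitted hosts can reach.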

                            • blackcat4866

                              #29
                              Re: Duplicate printer IP address

                              Originally posted by BillyCarpenter
                              ...
                              I think blackcat was talking about blocking unwanted network traffic at the port level??

                              Correct. That was what I had in mind anyway. I keep hearing that it's possible, but nobody does it.
                              =^..^=

                              • slimslob

                                #30
                                Re: Duplicate printer IP address

                                Originally posted by blackcat4866
                                You know, I've brought this up with IT folks before when they're getting non-print data hitting the printer's IP, and I've always gotten that " ... it could be done ..." response. Maybe it's over the head of your average office IT guy. =^..^=

                                I have met a lot of IT people like that. Had one drive over 100 miles from Los Angeles to Taft, CA to install a jack for a printer but didn't even bring half the equipment he needed. Then there was the one who could not figure that when some of the computers could not access anything and some could that it just might have something to do with the computers, like whether or not they were turned off overnight. He spent over 5 hours trying to determine which router wasn't working properly when the problem was the DHCP service on the Domain Controller had stopped. When I asked the receptionist to have him call me so I could tell him what I had found he told her he was too busy so she had the corporate IT supervisor in Spokane call me. He then did a remote connection to the server and restarted the service. He then had the receptionist announce for all those having network access problems to reboot their computers.
