ITS

Information Technology Services

Option 2: Setting up an Access Control List (ACL) or IP filtering on the printer

Note:  Option 1: Moving the Printer to Campus Private Network is the preferred option.

Notes:  

  • If you are using Xerox eSMart eSolutions or the printer is not connected directly to a wall jack (i.e. you are using a switch), you will need to use this method.
  • Not all printers support an Access Control List (ACL) or IP filtering. If the printer does not, you will need to use Option 1.

Setting up an Access Control List (ACL) is an alternative way of securing your printer and may be required if your building does not have access to the Campus Private Network. The ACL limits network access to the printer to only the IP addresses or subnets that you specify. This includes printing and all other access. ITS strongly recommends that you test your filtering by attempting to access the printer from off-campus after it is configured.

If your device is leased, your vendor can assist in configuring filters or ACLs on your device.

To administer the device after being configured for ACL, the administrator (owner of printer)  must:

  • Use a computer that is on the list
  • Have the correct Web admin password  (note:  if you are still using the default Admin password you should change it)

Note:  The ACL is not configured until at least one computer is in the list.  Once configured, no computer outside the list will have access to the device.

To restrict access to Queen's network you would need to limit access to:

  • 130.15.0.0/16 - Queen's public IP range, and
  • 10.0.0.0/8 - Wireless / Queen's campus VPN
  • 13.0.0.0/8 - Allow Xerox eSMart eSolutions to work.
  • Depending on the printer model, you may need to add the DROP rule for all traffic by setting an IP of 0.0.0.0 mask 0 (all traffic from everywhere).
    Note: Xerox WorkCentre 7855 requires firmware V073.040.075.34540 or later for the Drop rule to work. Please contact Xerox to arrange for a firmware update if needed.

There are two ways to configure your printer's Access Control List:

  1. via Web Interface (HP, Canon, Xerox and others)
  2. via Telnet (HP only).

Note: You only need to use one or the other. Telnet may be needed for old HP printers.

Configure the ACL Using the Web Interface:

Log into the printer via the printer's Web interface  (IP address of Printer) and access the configuration options. 

The following is an example for the Admin Interface on some HP printers. This varies by model and vendor:

  • Go to Networking => Authorization => Access Control  (This may vary by model).
  • Enter the following IP Addresses and Mask for Queen's campus, Queen's Wireless and VPN connections
    • IP Address for campus is 130.15.0.0, Mask 255.255.0.0
    • IP address range for wireless and VPN is 10.0.0.0, Mask 255.0.0.0
    • IP address range for Xerox Printers is 13.0.0.0, Mask 255.0.0.0
  • PLEASE DOUBLE check IP address and mask before saving.

Configure the ACL Using Telnet (required for some HP printers)

  • Telnet to the printer
    • Enter the command telnet <IP address of printer>
  • Check your current configuration and bios version.  This is necessary to ensure your printer is able to accept an ACL
    • At the prompt enter the command (it will look like this: >/ )
  • Show the current Access Control List
    • At the prompt enter the command allow: list
    • If you receive the following response, it indicates that there currently is no ACL:
      Access Control List:
      Not in use
  • If there is a current ACL you can choose to remove it
    • enter the command allow: 0
  • To restrict access to the printer to Queen's Public IP Address range enter the command:
    • allow:  130.15.0.0 255.255.0.0  (this allows access to all computers on campus)
    • allow:  10.0.0.0 255.0.0.0   (this allows computers off campus access if they are using a Virtual Private Network or on campus if they are using a  Wireless connection)
  • PLEASE DOUBLE check ip and mask before saving
    • enter the command allow:list
    • The following will be displayed
      Access Control List:
      IP: 130.15.0.0 Mask: 255.255.0.0
      IP: 10.0.0.0 Mask: 255.0.0.0
  • Save your ACL and quit your telnet session
    • quit

Command reference (command, what it does, sample of output):

  • telnet <ip of printer>
    Connects you to the printer so you can enter commands.
  • >
    Show current configuration and bios version. Sample of output:
      ===JetDirect Telnet Configuration===
      Firmware Rev. : G.08.32
      MAC Address : 00:30:c1:03:59:cc
      Config By : USER SPECIFIED

      IP Address : 130.15.75.17
      Subnet Mask : 255.255.255.0
      Default Gateway : 130.15.75.1
  • > allow: 0
    Clear current Access Control List.
  • > allow: list
    Show current Access Control List. Sample of output:
      Access Control List:
      Not in use
  • > allow: 130.15.0.0 255.255.0.0
    Adds the IP address and Mask to the ACL. These numbers restrict access to Queen's Public IP Address range.
  • > allow: 10.0.0.0 255.0.0.0
    Adds the IP address and Mask to the ACL. These numbers restrict access to Queen's Private IP Address Ranges (VPN, Wireless etc).
  • > allow: list
    PLEASE DOUBLE check ip and mask before saving. Note that both the Public and Private IP Address ranges have been added to the ACL. Sample of output:
      Access Control List:
      IP: 130.15.0.0 Mask: 255.255.0.0
      IP: 10.0.0.0 Mask: 255.0.0.0
  • > quit
    Save and quit.
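
One way to do the "double check" step before saving, as an added example that is not part of the original ITS page: paste the `allow: list` output into a small Python script that compares it with the ranges listed above and reports what a mistyped mask would actually admit. The function names and sample outputs are constructed for illustration, and the script assumes the printer applies each mask in the usual way (address AND mask).

```python
import ipaddress
import re

# Ranges the page lists for the HP telnet ACL (add 13.0.0.0/8 for the Xerox service).
EXPECTED = [ipaddress.ip_network(n) for n in ("130.15.0.0/16", "10.0.0.0/8")]
ENTRY = re.compile(r"IP:\s*(\S+)\s+Mask:\s*(\S+)")

def parse_acl(text):
    """Parse `allow: list` output into (networks, problems)."""
    nets, problems = [], []
    for ip, mask in ENTRY.findall(text):
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"{ip} {mask}: unparsable entry ({exc})")
            continue
        if str(net.network_address) != ip:
            problems.append(f"{ip} {mask}: address has bits outside the mask, "
                            f"effective range is {net}")
        nets.append(net)
    return nets, problems

def audit(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the ACL matches."""
    nets, problems = parse_acl(text)
    if not nets and not problems:
        return ["ACL not in use: any address can reach the printer"]
    for net in nets:
        if net in expected:
            continue
        narrower = [e for e in expected if e != net and e.subnet_of(net)]
        if narrower:
            problems.append(f"{net} is wider than the intended {narrower[0]}")
        elif not any(net.subnet_of(e) for e in expected):
            problems.append(f"{net} is not one of the expected ranges")
    for e in expected:
        if not any(e.subnet_of(n) for n in nets):
            problems.append(f"{e} is missing or only partly covered")
    return problems

def admits(text, client):
    """True if `client` would be allowed (an empty ACL allows everyone)."""
    nets, _ = parse_acl(text)
    addr = ipaddress.ip_address(client)
    return not nets or any(addr in n for n in nets)

# Constructed sample outputs in the format shown on the page.
GOOD = "Access Control List:\nIP: 130.15.0.0 Mask: 255.255.0.0\nIP: 10.0.0.0 Mask: 255.0.0.0\n"
TYPO = "Access Control List:\nIP: 130.15.0.0 Mask: 255.0.0.0\nIP: 10.0.0.0 Mask: 255.0.0.0\n"
EMPTY = "Access Control List:\nNot in use\n"
```

Here `audit(TYPO)` reports that the campus entry with mask 255.0.0.0 covers all of 130.0.0.0/8, which is the kind of slip the off-campus access test recommended above would otherwise have to catch.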

 

 

Last Updated: February 2017