Hi,
I have 2 VLANs defined on my C3750: VLAN 1 for my local LAN (myLAN) and VLAN 2 (192.168.12.0) for special use (Internet access for patients; I work in a hospital). For access to the Internet from VLAN 2 I must use a gateway (my firewall) on VLAN 1. The patients must use DHCP, which is defined on the C3750. All other traffic must be denied except Internet traffic, so I use an ACL to deny traffic to my LAN and to the RFC1918 (private) networks.
The problems (see config):
1 - When I put access-list 100 on interface Vlan2 there is no longer DHCP access from the patients' PCs (and no other access!); when I remove access-list 100, DHCP works fine, but all access is permitted! What do I need to do for the ACL to work?
2 - The logging of accesses can't be seen in a show log, though the log keyword (or log-input) is used on the ACEs. Why?
3 - Can I define a DHCP lease of less than one day on the C3750 DHCP server?
Here's part of the config:
ip routing
ip dhcp excluded-address 192.168.12.1 192.168.12.10
ip dhcp excluded-address 192.168.12.31 192.168.12.255
!
ip dhcp pool pool1
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
 dns-server 225.95.78.1 225.95.78.2
!
interface Vlan2
 ip address 192.168.12.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 remark permit DHCP
access-list 100 permit udp any host 192.168.12.1 eq bootps log-input
access-list 100 remark deny <myLAN> access
access-list 100 deny ip 192.168.12.0 0.0.0.255 <myLAN> 0.0.255.255 log-input
access-list 100 remark deny RFC1918 networks access
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 100 deny ip 192.168.12.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 100 deny ip 192.168.12.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 100 remark permit Internet access
access-list 100 permit ip 192.168.12.0 0.0.0.255 any log-input
Thanks
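An added illustration (not from the post above, and not Cisco code): a small Python evaluator that walks the poster's access-list 100 the way IOS applies an inbound ACL on Vlan2, fed with constructed sample packets. It shows that a client's initial DHCP DISCOVER travels from 0.0.0.0 to the broadcast 255.255.255.255, so the `permit udp any host 192.168.12.1 eq bootps` entry never matches it and the implicit deny drops it; the <myLAN> entry is omitted because its address is not on the page, and the broadcast-permit ACE in ACL_100_FIXED is my assumption of a remedy, not something the post states.

```python
# Added example, not from the original post: simulate first-match evaluation of
# an inbound IOS ACL, using the poster's access-list 100 and constructed packets.
from ipaddress import IPv4Address, IPv4Network

# ACEs as (action, protocol, source, destination, dst_port); wildcard masks are
# written as CIDR, "0.0.0.0/0" stands for "any", None means "no port check".
# The <myLAN> deny is omitted because its address range is not on the page.
ACL_100 = [
    ("permit", "udp", "0.0.0.0/0", "192.168.12.1/32", 67),        # eq bootps
    ("deny",   "ip",  "192.168.12.0/24", "192.168.0.0/16", None),
    ("deny",   "ip",  "192.168.12.0/24", "10.0.0.0/8",     None),
    ("deny",   "ip",  "192.168.12.0/24", "172.16.0.0/12",  None),
    ("permit", "ip",  "192.168.12.0/24", "0.0.0.0/0",      None),
]

# Assumed remedy: also permit the broadcast DHCP request before the rest.
ACL_100_FIXED = [("permit", "udp", "0.0.0.0/0", "255.255.255.255/32", 67)] + ACL_100


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, ace_index) of the first matching ACE, or ("deny", None)
    for the implicit deny that ends every IOS ACL."""
    for i, (action, p, src_net, dst_net, port) in enumerate(acl):
        if p != "ip" and p != proto:          # "ip" matches any protocol
            continue
        if IPv4Address(src) not in IPv4Network(src_net):
            continue
        if IPv4Address(dst) not in IPv4Network(dst_net):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None


# Constructed sample flows from a patient PC on Vlan2 (not captured traffic).
DHCP_DISCOVER = ("udp", "0.0.0.0", "255.255.255.255", 67)    # initial lease
DHCP_RENEW = ("udp", "192.168.12.20", "192.168.12.1", 67)    # unicast renew
WEB = ("tcp", "192.168.12.20", "203.0.113.10", 443)          # Internet
LAN_SMB = ("tcp", "192.168.12.20", "10.1.2.3", 445)          # internal host

if __name__ == "__main__":
    flows = [("DISCOVER", DHCP_DISCOVER), ("RENEW", DHCP_RENEW),
             ("WEB", WEB), ("LAN", LAN_SMB)]
    for name, pkt in flows:
        print(f"{name:9s} original: {evaluate(ACL_100, *pkt)}"
              f"  fixed: {evaluate(ACL_100_FIXED, *pkt)}")
```

The DISCOVER line is the one that reports the implicit deny under the original ACL, which matches the symptom of losing DHCP as soon as the ACL is applied; a later unicast renew to 192.168.12.1 would be permitted.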