Velocity Reviews > Newsgroups > Computing > Cisco > acl for restricting access to outbound port 25

Reply
Thread Tools

acl for restricting access to outbound port 25

 
 
Chad Whitten
Guest
Posts: n/a
 
      05-04-2004
The switch is a Cisco 3550. All ports are in one VLAN, VLAN 10, with one port
not in switchport mode. All routing is done on the switch, with the
default route being the device plugged into port 1. The default route for
all other devices on the switch is the VLAN 10 address. I want to block
all outbound access to port 25 on any host except for one or two. I'm
pretty sure I've got the ACL for this, just not sure where to apply it
exactly, as this is a switch and not a router.

Here is a snip of the config:

int fa0/1
no switchport
ip address 192.168.1.2 255.255.255.0
!
!
int vlan10
ip address xxx.xxx.96.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 130 permit tcp any host yyy.yyy.yyy.15 eq smtp
access-list 130 deny tcp any any eq smtp
access-list 130 permit ip any any

Should I apply the ACL to int fa0/1 or vlan10?

On my 1700s and 2600s I apply these ACLs to the serial interface, so
I'm thinking I would apply it here to the fa0/1 interface as it's the
outward-facing interface, but since the 3550s are remote and I don't
have a spare to test on, I don't want to make a mistake.
 
Reply With Quote
 
 
 
 
Barry Margolin
Guest
Posts: n/a
 
      05-04-2004
You can either apply it with "ip access-group 130 out" to the outward-facing
interface, or "ip access-group 130 in" on the VLAN interface.

--
Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
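The following is an added example, not something posted in the thread. It is a small Python model of how IOS evaluates the posted ACL 130 (first matching entry wins, unmatched traffic hits the implicit deny) and of which flows each of the two suggested placements on the 3550 actually gets to see. The addresses are constructed RFC 5737 stand-ins for the masked ones in the post: 198.51.100.0/24 for the xxx.xxx.96.0/24 VLAN 10 subnet, 198.51.100.1 for the SVI, and 203.0.113.15 for the yyy.yyy.yyy.15 mail host. Two things the model makes visible that the config alone does not: a router ACL applied "in" on vlan10 or "out" on fa0/1 only sees routed traffic, so host-to-host SMTP inside VLAN 10 and SMTP arriving from outside are untouched by either placement; and the posted list exempts one destination (the mail host), not one or two sending hosts, so if the intent is to let specific senders relay anywhere the permit line would need to be written as `permit tcp host <sender> any eq smtp` instead.

```python
"""Added example (not from the thread): first-match evaluation of ACL 130 as posted,
and a model of which flows the two suggested placements on the 3550 are evaluated for.
Addresses are constructed RFC 5737 stand-ins for the masked ones in the post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("198.51.100.0/24")   # stand-in for VLAN 10, xxx.xxx.96.0/24
MAIL_RELAY = "203.0.113.15"                      # stand-in for yyy.yyy.yyy.15
SWITCH_ADDRS = {"198.51.100.1", "192.168.1.2"}   # SVI (stand-in) and fa0/1 addresses

# ACL 130 exactly as posted, with the masked mail host substituted.
ACL_130 = f"""
access-list 130 permit tcp any host {MAIL_RELAY} eq smtp
access-list 130 deny tcp any any eq smtp
access-list 130 permit ip any any
"""

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume one address spec; only 'any' and 'host A.B.C.D' occur on the page."""
    t = tokens.pop(0)
    if t == "any":
        return None
    if t == "host":
        return ipaddress.ip_address(tokens.pop(0))
    raise ValueError(f"unsupported address spec {t!r}")


def parse_acl(text):
    """'access-list N action proto src dst [eq port]' lines -> ordered rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _num, action, proto, *rest = tokens
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, dport))
    return rules


def evaluate(rules, flow):
    """IOS semantics: first matching entry wins; anything unmatched hits the implicit deny.
    Returns (action, index of matching rule), index None for the implicit deny."""
    for i, (action, proto, src, dst, dport) in enumerate(rules):
        if proto != "ip" and proto != flow.proto:
            continue
        if src is not None and ipaddress.ip_address(flow.src) != src:
            continue
        if dst is not None and ipaddress.ip_address(flow.dst) != dst:
            continue
        if dport is not None and flow.dport != dport:
            continue
        return action, i
    return "deny", None


def acl_applies(placement, flow):
    """Is a router ACL at placement ("vlan10","in") or ("fa0/1","out") evaluated for flow?
    Router ACLs see routed traffic only: traffic between two VLAN 10 hosts is bridged at
    layer 2, and an outbound ACL does not filter packets the switch itself originates."""
    src_in_lan = ipaddress.ip_address(flow.src) in LAN
    dst_in_lan = ipaddress.ip_address(flow.dst) in LAN
    if src_in_lan and dst_in_lan:          # bridged within the VLAN, never routed
        return False
    if flow.src in SWITCH_ADDRS:           # switch-originated traffic
        return False
    if placement == ("vlan10", "in"):
        return src_in_lan                  # packets arriving from LAN hosts onto the SVI
    if placement == ("fa0/1", "out"):
        return not dst_in_lan              # packets forwarded toward 192.168.1.1
    raise ValueError(f"unsupported placement {placement!r}")


def decision(rules, placement, flow):
    """'permit', 'deny', or 'not evaluated' when the ACL never sees the flow."""
    if not acl_applies(placement, flow):
        return "not evaluated"
    return evaluate(rules, flow)[0]


if __name__ == "__main__":
    rules = parse_acl(ACL_130)
    samples = (Flow("198.51.100.20", MAIL_RELAY, "tcp", 25),      # LAN host -> mail relay
               Flow("198.51.100.20", "192.0.2.99", "tcp", 25),    # LAN host -> random SMTP
               Flow("198.51.100.20", "198.51.100.30", "tcp", 25), # LAN host -> LAN host
               Flow("192.0.2.99", "198.51.100.20", "tcp", 25))    # outside -> LAN host
    for placement in (("vlan10", "in"), ("fa0/1", "out")):
        for f in samples:
            print(placement, f.src, "->", f.dst, f.dport, ":", decision(rules, placement, f))
```

On the real switch, `show access-lists 130` shows the entries (and per-entry match counters) and `show ip interface vlan 10` or `show ip interface fa0/1` confirms which access group is applied in which direction, so the placement can be verified after the change without a spare 3550 to test on.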
 
Reply With Quote
 
 
 
 
Chad Whitten
Guest
Posts: n/a
 
      05-04-2004
Thanks.