acl for restricting access to outbound port 25

Discussion in 'Cisco' started by Chad Whitten, May 4, 2004.

  1. Chad Whitten


    Switch is a Cisco 3550. All ports are in 1 VLAN, vlan10, with 1 port
    not in switchport mode. All routing is done on the switch, with the
    default route being the device plugged into port 1. The default route for
    all other devices on the switch is the vlan10 address. I want to block
    all outbound access to port 25 on any host except for 1 or 2. I'm
    pretty sure I've got the ACL for this, just not sure where to apply it
    exactly, as this is a switch and not a router.

    Here is a snip of the config:

    int fa0/1
    no switchport
    ip address 192.168.1.2 255.255.255.0
    !
    !
    int vlan10
    ip address xxx.xxx.96.1 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    !
    access-list 130 permit tcp any host yyy.yyy.yyy.15 eq smtp
    access-list 130 deny tcp any any eq smtp
    access-list 130 permit ip any any

    Should I apply the ACL to int fa0/1 or vlan10?

    On my 1700's and 2600's I apply these ACLs to the serial interface, so
    I'm thinking I would apply it here to the fa0/1 interface as it's the
    outward-facing interface, but since the 3550's are remote and I don't
    have a spare to test on, I don't want to make a mistake.
     
    Chad Whitten, May 4, 2004
    #1

  2. In article <>,
    (Chad Whitten) wrote:

    > Switch is a Cisco 3550. All ports are in 1 VLAN, vlan10, with 1 port
    > not in switchport mode. All routing is done on the switch, with the
    > default route being the device plugged into port 1. The default route for
    > all other devices on the switch is the vlan10 address. I want to block
    > all outbound access to port 25 on any host except for 1 or 2. I'm
    > pretty sure I've got the ACL for this, just not sure where to apply it
    > exactly, as this is a switch and not a router.
    >
    > Here is a snip of the config:
    >
    > int fa0/1
    > no switchport
    > ip address 192.168.1.2 255.255.255.0
    > !
    > !
    > int vlan10
    > ip address xxx.xxx.96.1 255.255.255.0
    > !
    > ip route 0.0.0.0 0.0.0.0 192.168.1.1
    > !
    > access-list 130 permit tcp any host yyy.yyy.yyy.15 eq smtp
    > access-list 130 deny tcp any any eq smtp
    > access-list 130 permit ip any any
    >
    > Should I apply the ACL to int fa0/1 or vlan10?
    >
    > On my 1700's and 2600's I apply these ACLs to the serial interface, so
    > I'm thinking I would apply it here to the fa0/1 interface as it's the
    > outward-facing interface, but since the 3550's are remote and I don't
    > have a spare to test on, I don't want to make a mistake.
    You can either apply it with "ip access-group 130 out" to the outward
    facing interface, or "ip access-group 130 in" on the VLAN interface.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
     
    Barry Margolin, May 4, 2004
    #2
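    To make the two placements Barry describes concrete, here is an added example (not from the thread or from Cisco) that simulates first-match evaluation of access-list 130 and the ingress/egress logic of a routed switch. The addresses are constructed placeholders: 203.0.113.0/24 stands in for the masked xxx.xxx.96.0/24 on vlan10, and 198.51.100.15 for the masked yyy.yyy.yyy.15. It only understands the small subset of extended-ACL syntax used in the thread (any/host/wildcard, optional "eq port"). It also makes visible a detail worth checking before deploying: the first line permits SMTP by destination (any internal host may reach yyy.yyy.yyy.15), not by source host, and traffic between two hosts in the same VLAN is bridged, so a router ACL on either interface never sees it.

```python
"""Simulate IOS extended ACL 130 and where a router ACL sees routed traffic.

Constructed example: placeholder networks stand in for the masked addresses
in the thread. Only a subset of ACL syntax is parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"smtp": 25, "www": 80}

# The ACL as posted, with the masked host replaced by a placeholder (constructed).
ACL_130 = [
    "access-list 130 permit tcp any host 198.51.100.15 eq smtp",
    "access-list 130 deny tcp any any eq smtp",
    "access-list 130 permit ip any any",
]

# Routed interfaces on the 3550 (placeholder subnet for vlan10, constructed).
INTERFACES = {
    "vlan10": ipaddress.ip_network("203.0.113.0/24"),
    "fa0/1": ipaddress.ip_network("192.168.1.0/24"),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A', or 'A WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # wildcard is an inverted mask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def interface_for(addr: str) -> str:
    """Pick the interface a host sits behind; anything else follows the default route."""
    a = ipaddress.ip_address(addr)
    for name, net in INTERFACES.items():
        if a in net:
            return name
    return "fa0/1"  # 0.0.0.0/0 via 192.168.1.1, reached through fa0/1


def decide(entries: List[Entry], binding: Tuple[str, str], pkt: Packet) -> str:
    """binding is (interface, direction), e.g. ("vlan10", "in") or ("fa0/1", "out")."""
    ingress, egress = interface_for(pkt.src), interface_for(pkt.dst)
    if ingress == egress:
        return "permit"  # same VLAN: bridged at L2, a router ACL on the SVI never sees it
    iface, direction = binding
    if (direction == "in" and iface == ingress) or (direction == "out" and iface == egress):
        return evaluate(entries, pkt)
    return "permit"  # the packet never crosses the bound interface in that direction


if __name__ == "__main__":
    acl = parse_acl(ACL_130)
    for binding in (("vlan10", "in"), ("fa0/1", "out")):
        for pkt in (Packet("tcp", "203.0.113.50", "198.51.100.15", 25),
                    Packet("tcp", "203.0.113.50", "198.51.100.99", 25),
                    Packet("tcp", "203.0.113.50", "198.51.100.99", 80)):
            print(binding, pkt, "->", decide(acl, binding, pkt))
```

    Both bindings give identical results for traffic leaving vlan10 toward the default route, which is why either answer works here. The simulation also shows what neither placement controls: SMTP arriving from outside toward an internal host (in on fa0/1, out on vlan10) and SMTP between two hosts on vlan10 both pass untouched, so a VLAN map or a source-based permit would be needed if those were in scope.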

  3. Chad Whitten


    Thanks.

    Barry Margolin <> wrote in message news:<>...
    > In article <>,
    > (Chad Whitten) wrote:
    >
    > > Switch is a Cisco 3550. All ports are in 1 VLAN, vlan10, with 1 port
    > > not in switchport mode. All routing is done on the switch, with the
    > > default route being the device plugged into port 1. The default route for
    > > all other devices on the switch is the vlan10 address. I want to block
    > > all outbound access to port 25 on any host except for 1 or 2. I'm
    > > pretty sure I've got the ACL for this, just not sure where to apply it
    > > exactly, as this is a switch and not a router.
    > >
    > > Here is a snip of the config:
    > >
    > > int fa0/1
    > > no switchport
    > > ip address 192.168.1.2 255.255.255.0
    > > !
    > > !
    > > int vlan10
    > > ip address xxx.xxx.96.1 255.255.255.0
    > > !
    > > ip route 0.0.0.0 0.0.0.0 192.168.1.1
    > > !
    > > access-list 130 permit tcp any host yyy.yyy.yyy.15 eq smtp
    > > access-list 130 deny tcp any any eq smtp
    > > access-list 130 permit ip any any
    > >
    > > Should I apply the ACL to int fa0/1 or vlan10?
    > >
    > > On my 1700's and 2600's I apply these ACLs to the serial interface, so
    > > I'm thinking I would apply it here to the fa0/1 interface as it's the
    > > outward-facing interface, but since the 3550's are remote and I don't
    > > have a spare to test on, I don't want to make a mistake.
    >
    > You can either apply it with "ip access-group 130 out" to the outward
    > facing interface, or "ip access-group 130 in" on the VLAN interface.
     
    Chad Whitten, May 4, 2004
    #3