Need help, cisco 3550 and blocking outgoing connections
15 years 9 months ago #28903
by vegeetz
Need help, cisco 3550 and blocking outgoing connections was created by vegeetz
Hi,
I have a couple of VLANs on a 3550; I would like to block traffic going out to certain hosts. Basically I don't want a particular VLAN to visit or send mail to a /24 network address.
Can anyone show me how this can be done?
Thanks,
15 years 9 months ago #28906
by RA1313IT
Replied by RA1313IT on topic Re: Need help, cisco 3550 and blocking outgoing connections
vegeetz,
This can be done with a simple ACL. I'm a little confused if you just want to block email or all traffic to this particular network. I'll explain both.
First create your ACL:
3550switch(config)#ip access-list extended BlockMail
3550switch(config-ext-nacl)#deny tcp any 192.168.1.0 0.0.0.255 eq smtp
3550switch(config-ext-nacl)#permit ip any any
Next apply your ACL to an interface. Select the direction you want to apply the ACL with either "in" or "out". Normally, you want to apply extended access-lists closest to the source.
3550switch(config)#interface fastEthernet0/1
3550switch(config-if)#ip access-group BlockMail in
This should drop incoming traffic on port fa0/1 destined for the 192.168.1.0/24 subnet on tcp port 25 (email). You must use the 'permit ip any any' statement because there is an implicit deny at the end of every ACL. This means that if traffic does not match any of the ACL statements, it will automatically be dropped. The permit ip any any statement allows all other IP traffic.
If you wish to block all traffic, simply change the ACL:
3550switch(config-ext-nacl)#deny ip any 192.168.1.0 0.0.0.255
3550switch(config-ext-nacl)#permit ip any any
Hope this helps
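Added example (not from the thread above, and not Cisco code): a small Python model of how the 3550 evaluates the two ACL variants in the reply, with Cisco wildcard-mask matching, first-match semantics and the implicit deny at the end. The packet dictionaries are constructed sample traffic.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: dict, pkt: dict) -> bool:
    """One access-control entry against one packet; 'ip' matches every protocol."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if ace[side] != "any" and not wildcard_match(pkt[side], *ace[side]):
            return False
    # 'eq smtp' style port match; absent means any port
    if ace.get("dport") is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# 'deny tcp any 192.168.1.0 0.0.0.255 eq smtp' followed by 'permit ip any any'
BLOCK_MAIL = [
    {"action": "deny", "proto": "tcp", "src": "any",
     "dst": ("192.168.1.0", "0.0.0.255"), "dport": 25},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]

# 'deny ip any 192.168.1.0 0.0.0.255' followed by 'permit ip any any'
BLOCK_ALL = [
    {"action": "deny", "proto": "ip", "src": "any",
     "dst": ("192.168.1.0", "0.0.0.255")},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]
```

On the 3550 the same ACL applied with `ip access-group ... in` on the source VLAN's SVI (interface VlanN) filters the routed traffic leaving that VLAN, which is closer to what the question asks than a single physical port.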