
Need help, cisco 3550 and blocking outgoing connections

15 years 3 months ago #28903 by vegeetz
Hi,

I have a couple of VLANs on a 3550, and I would like to block traffic going out to certain hosts. Basically I don't want a particular VLAN to visit or send mail to a /24 network address.

Can anyone show me how this can be done?

Thanks,
15 years 3 months ago #28906 by RA1313IT
vegeetz,

This can be done with a simple ACL. I'm a little confused as to whether you just want to block email or all traffic to this particular network. I'll explain both.

First create your ACL:

3550switch(config)#ip access-list extended BlockMail
3550switch(config-ext-nacl)#remark drop SMTP (tcp/25) to 192.168.1.0/24
3550switch(config-ext-nacl)#deny tcp any 192.168.1.0 0.0.0.255 eq smtp
3550switch(config-ext-nacl)#remark allow everything else past the implicit deny
3550switch(config-ext-nacl)#permit ip any any

Next apply your ACL to an interface. Select the direction you want to apply the ACL with either "in" or "out". Normally, you want to apply extended access-lists closest to the source.

3550switch(config)#interface fastEthernet0/1
3550switch(config-if)#ip access-group BlockMail in

This should drop incoming traffic on port fa0/1 destined for the 192.168.1.0/24 subnet on tcp port 25 (email). You must use the 'permit ip any any' statement because there is an implicit deny at the end of every ACL. This means that if traffic does not match any of the ACL statements, it will automatically be dropped. The permit ip any any statement allows all other IP traffic.

If you wish to block all traffic, simply change the ACL:

3550switch(config-ext-nacl)#remark drop all IP traffic to 192.168.1.0/24 (an extended ACE needs a protocol keyword, so "ip", not a bare "deny any")
3550switch(config-ext-nacl)#deny ip any 192.168.1.0 0.0.0.255
3550switch(config-ext-nacl)#permit ip any any

Hope this helps
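An added example, not part of the thread and not RA1313IT's or vegeetz's configuration, showing the same ACL approach applied the way the original question frames it: per VLAN rather than on a single access port. The ACL goes inbound on the SVI of the VLAN that must not reach the /24, so it catches every host in that VLAN regardless of which physical port it is plugged into. VLAN 10 as the restricted VLAN, its 10.10.10.0/24 addressing, the ACL names and the assumption that the switch is already routing between VLANs (ip routing plus an SVI per VLAN) are all assumptions; 192.168.1.0/24 is the destination used in the reply above.

```cisco
! Added example, not from the thread. Assumptions: VLAN 10 is the VLAN to restrict,
! 10.10.10.0/24 is its subnet, 192.168.1.0/24 is the network it must not reach,
! and the 3550 already does inter-VLAN routing (ip routing + an SVI per VLAN).
!
! Variant 1: block only mail (SMTP, tcp/25) from VLAN 10 to 192.168.1.0/24.
! The source is the VLAN's own subnet rather than "any", so packets that enter
! the SVI with a spoofed source address fall through to the permit and are not
! silently treated as VLAN 10 traffic; change it to "any" if you prefer the
! looser form used in the reply above.
ip access-list extended VLAN10-BLOCK-MAIL
 remark deny SMTP from VLAN 10 to the protected /24 and log the hits
 deny   tcp 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 eq smtp log
 remark everything else is allowed; without this line the implicit deny drops all
 permit ip any any
!
! Variant 2: block all IP traffic from VLAN 10 to 192.168.1.0/24.
ip access-list extended VLAN10-BLOCK-ALL
 remark deny every IP protocol to the protected /24 and log the hits
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
! Apply ONE of the two inbound on the SVI of the restricted VLAN. "in" on the
! SVI means packets arriving from hosts in VLAN 10, i.e. closest to the source.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-BLOCK-MAIL in
!
! Verification, from exec mode:
!   show ip access-lists VLAN10-BLOCK-MAIL
!       per-ACE match counters; the deny line should count up while a VLAN 10
!       host tries to open tcp/25 to anything in 192.168.1.0/24
!   show ip interface vlan 10
!       must report "Inbound  access list is VLAN10-BLOCK-MAIL"
!   show logging
!       the "log" keyword produces lines of the form
!       %SEC-6-IPACCESSLOGP: list VLAN10-BLOCK-MAIL denied tcp 10.10.10.5(1234) -> 192.168.1.10(25), 1 packet
```

Two caveats a practitioner will want. First, a routed ACL on the SVI only sees traffic that is routed off VLAN 10; hosts inside VLAN 10 talking to each other are untouched, and if 192.168.1.0/24 is reachable through some other path (another router, a second uplink) that path needs its own filter. Second, on the 3550 an ACE carrying the log keyword is handled by the CPU rather than in hardware, so keep log on while you confirm the counters and the syslog lines, then remove it for the production ACL.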