I just posted this in the associate group, but I'll cross-post it here. The context was that the chap wanted to block SMTP traffic from a specific external subnet.
Visualize it. Let's assume your connection to the internet looks like this.

    Mailserver --- Ethernet0 (Router) Serial 0 --- ISP --- Badpeople

The "source" of the traffic you want to block is badpeople. Pretend you are the router. You want to block traffic from badpeople (SOURCE) that is going to your mailserver (Destination) and you want to block it as it travels IN (Inbound) from your ISP (Serial 0).

    ! deny SMTP (TCP port 25) from the bad subnet to the mail server, permit the rest
    access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
    access-list 101 permit ip any any
    interface Serial 0
     ip access-group 101 in

Alternately, you could let the traffic cross you (the router) and block it as it travels OUT (outbound) of the Ethernet port (E0) towards the mail server. It would be a waste of router resources to let it cross the router before being dropped, but if this was a very busy router with many ports and a dedicated port to the mail server then it might be an option.

    ! same ACL, applied outbound on the port facing the mail server
    access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
    access-list 101 permit ip any any
    interface Ethernet 0
     ip access-group 101 out

Additionally, traffic travels in both directions. I can't think of a reason why you'd want to, but you could block traffic as it leaves the mail server (source) headed back to badpeople (destination). This traffic would travel In the ethernet port (ethernet 0 access-group xxx in) and Out the serial port (serial 0 access-group xxx out). You don't block traffic this way (if possible) because you don't know what port the outbound TCP connection will be on.

-Ejay

I'm a CCNA and CCNP and I'm looking for full-time or Contract work, please contact me off-list if you have any openings or suggestions.

-----Original Message-----
From: none ya [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]

Would someone please give me a simple explanation/example that will clarify when to use "in" or "out" when you apply an ACL to a router interface? Thanks!
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35737&t=35578
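Added example, not part of the original thread: a small Python model of first-match ACL evaluation with Cisco wildcard masks, showing where the SMTP packet is dropped for each "in"/"out" binding discussed above and why the same ACL never matches the mail server's replies. The subnet 192.0.2.0 is a constructed stand-in for the elided xx.xx.xx.0, and all function and variable names are hypothetical.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")
Rule = namedtuple("Rule", "action src src_wild dst dst_wild dport")

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, pkt):
    """First matching rule wins; every ACL ends with an implicit deny."""
    for r in acl:
        if (wild_match(pkt.src, r.src, r.src_wild)
                and wild_match(pkt.dst, r.dst, r.dst_wild)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
BAD_NET = "192.0.2.0"        # constructed stand-in for xx.xx.xx.0
MAIL = "123.123.123.123"     # mail server address used in the post

# Model of ACL 101 from the post (port None means any protocol/port).
ACL_101 = [
    Rule("deny", BAD_NET, "0.0.0.255", MAIL, "0.0.0.0", 25),
    Rule("permit", *ANY, *ANY, None),
]

# Hops a packet crosses inside the router, as (interface, direction).
TO_MAIL = [("Serial0", "in"), ("Ethernet0", "out")]
FROM_MAIL = [("Ethernet0", "in"), ("Serial0", "out")]

def forward(pkt, path, bindings):
    """Return 'forwarded' or the hop at which the packet was dropped."""
    for hop in path:
        acl = bindings.get(hop)
        if acl is not None and evaluate(acl, pkt) == "deny":
            return "dropped at %s %s" % hop
    return "forwarded"

if __name__ == "__main__":
    smtp = Packet("192.0.2.77", MAIL, 40000, 25)    # constructed packet
    reply = Packet(MAIL, "192.0.2.77", 25, 40000)   # its return traffic
    print(forward(smtp, TO_MAIL, {("Serial0", "in"): ACL_101}))
    print(forward(smtp, TO_MAIL, {("Ethernet0", "out"): ACL_101}))
    print(forward(reply, FROM_MAIL, {("Serial0", "out"): ACL_101}))
```

The reply packet carries port 25 as its source and the client's ephemeral port as its destination, so a rule written on destination port 25 cannot match it.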

