Cisco Support Community

New Member

Basic IOS Filtering Question


I have a fairly basic question. We have a very small network, but have seen spam on the rise recently. It comes from a limited number of domains and I would like to block it at the router level, so my email server does not even need to see it. However, I've added (what I think are) the appropriate access-list lines and email from those subnets still seems to be passing through. Can someone help? An example of the line that I have is:

access-list 101 deny ip any

(I think this blocks IPs in the range -

Also, if there is a better (but free) way of blocking incoming spam traffic at the router level, I would love to hear it. We run MS Exchange and its filtering seems completely inept.

Thanks for any help.

Cisco Employee

Re: Basic IOS Filtering Question

The access-list you show would drop all traffic from, assuming you have it applied INBOUND on your outside interface, for example:

int serial 0

description Interface to Internet

ip access-group 101 in

Keep in mind though that at the end of every access-list, there's an implicit "deny all", so if you just have the above line in your ACL, it will actually block ALL traffic. A better way to do this would be to just filter SMTP traffic with the following:

access-list 101 deny tcp any eq smtp

access-list 101 permit ip any any

Having said that, this is still not a very good way to block spam, since the spam could be coming from any number of different SMTP servers on the Internet. There is really no good way to block it from the router unfortunately, you're better off doing it from your internal mail gateway.

New Member

Re: Basic IOS Filtering Question

Thanks for the reply. Yes - I have this set inbound on my outside interface... Hmm, I wonder if it has anything to do with the other filters I have. To be more complete, here is an extended sample. My email server IP is (not real) in this example.

access-list 101 deny ip

access-list 101 permit tcp any any established

access-list 101 permit udp any host eq smtp

access-list 101 permit ip any host

So - do the last three cancel out the first one - or should this configuration work? I'll look into the firewall product as well.

The reasons I want to block it at the router are (a) it seems to be coming from a reasonably well defined set of spammers and (b) the filtering in MS Exchange (my email server) is just terrible. I started with Exchange filtering and it has just had a 0% success rate. My next step is to purchase a mail spam protection system, but I'm trying to avoid that if I can.

(Plus, it always helps to learn more about the capabilities and configuration of the router.)
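The two questions in this thread (does a lone deny line block everything, and do the later permit lines cancel out the first deny) come down to how IOS evaluates an extended ACL: top to bottom, first match wins, and anything that matches nothing is dropped by the implicit deny. The simulator below is an added example, not code from the thread or from Cisco. It reproduces those semantics in Python, including wildcard masks and the `established` keyword, and runs the three ACL shapes discussed above against constructed packets. The addresses are assumptions (RFC 5737 documentation ranges) standing in for the ones elided from the posts.

```python
"""Simulate Cisco IOS extended-ACL evaluation: first match wins, implicit deny at the end.

Added example; addresses below are made up (RFC 5737 ranges), not the poster's real ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry (ACE) in the shape IOS prints it."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"; "ip" matches any protocol
    src: str                     # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (wildcard mask)
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, e.g. 25 for smtp
    established: bool = False    # tcp "established": packet must carry ACK or RST


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False


def _match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard match: mask bits set to 1 are 'don't care', 0 bits must match."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.IPv4Address(spec[5:]) == ipaddress.IPv4Address(addr)
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
    care = ~w & 0xFFFFFFFF
    return (n & care) == (a & care)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE). Index None means the implicit deny fired."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack_or_rst:
            continue
        return ace.action, i          # first match wins; later lines are never consulted
    return "deny", None               # implicit "deny ip any any" at the end of every ACL


# Assumed addresses: the spammers' /24 and the internal mail server.
SPAMMER = "198.51.100.0 0.0.0.255"
MAIL = "203.0.113.10"

# 1) The poster's single line on its own.
ACL_ONE_LINE = [Ace("deny", "ip", SPAMMER, "any")]

# 2) The first reply's suggestion: drop only SMTP from that range, allow the rest.
ACL_SMTP_ONLY = [Ace("deny", "tcp", SPAMMER, "any", dport=25),
                 Ace("permit", "ip", "any", "any")]

# 3) The poster's fuller ACL from the follow-up, with the elided addresses assumed.
ACL_POSTED = [Ace("deny", "ip", SPAMMER, "any"),
              Ace("permit", "tcp", "any", "any", established=True),
              Ace("permit", "udp", "any", f"host {MAIL}", dport=25),   # SMTP is TCP; never matches mail
              Ace("permit", "ip", "any", f"host {MAIL}")]

# Constructed packets arriving inbound on the outside interface.
SPAM = Packet("tcp", "198.51.100.7", MAIL, 25)                      # spammer's SYN to our MX
SPAM_ACK = Packet("tcp", "198.51.100.7", MAIL, 25, ack_or_rst=True)  # later packet of that session
LEGIT_MAIL = Packet("tcp", "192.0.2.55", MAIL, 25)                   # a real correspondent
RETURN_WEB = Packet("tcp", "192.0.2.55", "203.0.113.20", 443, ack_or_rst=True)  # reply to an inside client


if __name__ == "__main__":
    for name, acl in (("one line", ACL_ONE_LINE), ("smtp only", ACL_SMTP_ONLY), ("posted", ACL_POSTED)):
        for pkt in (SPAM, SPAM_ACK, LEGIT_MAIL, RETURN_WEB):
            print(f"{name:10} {pkt.src:>14} -> {pkt.dst}:{pkt.dport:<4} {evaluate(acl, pkt)}")
```

Running it shows the two points from the thread: with the single deny line, legitimate mail is dropped by the implicit deny (matching index None), and in the posted four-line ACL the spammer range is refused on line 1 even when the packet has ACK set, so the later `established` and `permit` lines do not cancel the earlier deny. One caveat the simulation also makes visible: SMTP runs over TCP, so a `permit udp ... eq smtp` line never matches inbound mail; it is the final `permit ip any host` line that lets legitimate SMTP through.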

Cisco Employee

Re: Basic IOS Filtering Question

Well, on a router there are several ways to do this, but the most elegant would be to use the IOS Firewall IDS feature, which also takes care of spam attacks (but the IOS FW image is not free).

Also, you could look into CAR to limit the bandwidth for SMTP traffic. Below is not exactly a sample config, but just to give you an idea of how to use CAR: