You can use a Standard Access Control List to allow or deny traffic to a host, network, or any host.
In our example below we will deny traffic from the 20.20.20.0/24 to the 10.10.10.0/24 network
Topology used: Router-on-a-stick
Configuration
Router(config)# access-list Add an access list entry ! Router(config)#access-list ? <1-99> IP standard access list ! Router(config)#access-list 10 ? deny Specify packets to reject permit Specify packets to forward remark Access list entry comment ! Router(config)#access-list 10 deny ? Hostname or A.B.C.D Address to match any Any source host host A single host address ! Router(config)#access-list 10 deny 10.10.10.0 /24 ! Router(config)#interface gigabitEthernet 0/0.20 ! Router(config-subif)#ip ? Interface IP configuration subcommands: access-group Specify access control for packets ! Router(config-subif)#ip access-group ? <1-199> IP access list (standard or extended) <1300-2699> IP expanded access list (standard or extended) WORD Access-list name Router(config-subif)#ip access-group 10 ? in inbound packets out outbound packets Router(config-subif)#ip access-group 10 out
Verification
Our pings begin to drop from PC-2 to PC-1 after applying the ACL to interface Gi0/0.20
PC-2> ping 10.10.10.10 -t
84 bytes from 10.10.10.10 icmp_seq=1 ttl=63 time=7.283 ms
84 bytes from 10.10.10.10 icmp_seq=2 ttl=63 time=20.782 ms
10.10.10.10 icmp_seq=18 timeout
10.10.10.10 icmp_seq=19 timeout
10.10.10.10 icmp_seq=20 timeout
!
Router#show access-lists
Standard IP access list 10
10 deny 10.10.10.0, wildcard bits 0.0.0.255 (56 matches)
