You can use a Standard Access Control List to allow or deny traffic to a host, network, or any host.
In our example below we will deny traffic from the 20.20.20.0/24 to the 10.10.10.0/24 network
Topology used: Router-on-a-stick
Configuration
Router(config)#
access-list Add an access list entry
!
Router(config)#access-list ?
<1-99> IP standard access list
!
Router(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
!
Router(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
!
Router(config)#access-list 10 deny 10.10.10.0 /24
!
Router(config)#interface gigabitEthernet 0/0.20
!
Router(config-subif)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
!
Router(config-subif)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
Router(config-subif)#ip access-group 10 ?
in inbound packets
out outbound packets
Router(config-subif)#ip access-group 10 out Verification
Our pings begin to drop from PC-2 to PC-1 after applying the ACL to interface Gi0/0.20
PC-2> ping 10.10.10.10 -t
84 bytes from 10.10.10.10 icmp_seq=1 ttl=63 time=7.283 ms
84 bytes from 10.10.10.10 icmp_seq=2 ttl=63 time=20.782 ms
10.10.10.10 icmp_seq=18 timeout
10.10.10.10 icmp_seq=19 timeout
10.10.10.10 icmp_seq=20 timeout
!
Router#show access-lists
Standard IP access list 10
10 deny 10.10.10.0, wildcard bits 0.0.0.255 (56 matches)
Topic discussion at CLI Warriors - Forum