I have created two access lists, one extended and one standard. The first is an extended access to stop PC1 (10.0.0.2) from FTPing to the FTP server 10.0.0.35.
On Router1 – the access-list has been placed on Fa0/0 as its the closest to the source.
configure terminal access-list 101 deny tcp any eq ftp host 10.0.0.35 access-list 101 permit ip any any interface fa0/0 ip access-group 101 in
When creating an access-list, if a match isn’t found then there is an explicit deny. As can see from above I have created a permit for any IP traffic Without these lines, OSPF wasn’t being advertised and I had no way of testing PC1 could ping the FTP server to verify connectivity and to ensure that FTP was indeed being blocked and not all traffic.
The next access list is an standard access list, the point of this one is to deny host 10.0.0.2 from communicating with the 10.0.0.33 network. However, host 10.0.0.3 can ping the 10.0.0.33 network.
On Router0 I have placed the access list on the Fa0/0 as this is the closest to the destination.
configure terminal access-list 1 deny host 10.0.0.2 access-list 1 permit any interface fa0/0 ip access-group 1 out