Filtering traffic to hosts in one vlan from other hosts in other vlans?

ShaunR
Level 1

Pretty straightforward network design. One "core" 3750 switch with multiple vlans trunked to many other 2960G switches with their ports assigned to the vlans they need to be in.

* vlan99 has a private range of 10.0.0.1/24 assigned to it.

* All other vlans have private or public ranges assigned to them.

* Only allow traffic from 200.0.0.72/29 to access the devices in vlan99.

I need to deny all traffic destined to hosts within vlan99 unless I permit access. This includes blocking traffic from other hosts in different vlans. In this case I'm trying to allow traffic from 200.0.0.72/29.

It seems like a VACL is the solution to my problem but I've been unable to make them work as I would expect. Here's what I have...

# Core Switch

vlan access-map vlan99 10
  action forward
  match ip address 99
vlan access-map vlan99 20
  action drop
!
vlan filter vlan99 vlan-list 99
!
access-list 99 permit 200.0.0.72 0.0.0.7

So far this seems to block all traffic, even from the range I think I allowed.

7 Replies

Richard Burts
Hall of Fame

Is there a reason why you are using a VACL rather than a regular extended access list applied with access-group? That seems to me to be more straightforward and would accomplish the filtering that you describe.

HTH

Rick

Hi Richard,

Are you meaning to assign an ACL to vlan99, like 'ip access-group 101 in'?

I did do that, and although it did seem to filter traffic, what I noticed was that when doing a simple ping to one of the devices the response I received was "filtered". I'd prefer the response to be the same as if the device was not connected.

Yes, I am suggesting an extended access list applied with access-group. Whether it is applied in or out depends on how you configure the access list. Given the little that we know about your environment, and given this statement of requirements, "Only allow traffic from 200.0.0.72/29 to access the devices in vlan99.", it seems to me to be preferable to assign it as out, but it could certainly work assigned as in. It might look something like this:

access-list 101 permit ip 200.0.0.72 0.0.0.7 10.0.0.0 0.0.0.255
interface vlan 99
 ip access-group 101 out

I am not clear what you are saying about ping and about filtering. Was the ping sourced from the 200.0.0.72 subnet or sourced from somewhere else? Can you help me understand this better?

This also makes me think about another aspect of this discussion. Your requirement was a restriction on what addresses could access 10.0.0.0/24. Do you want 10.0.0.0/24 to be able to access other subnets? What I have suggested would not do that.

HTH

Rick
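To make the two approaches in this thread concrete, here is an added Python model (not from the thread, and not Cisco's code) of how the original post's VACL and the extended ACL applied `out` on the SVI treat the same packets. It assumes standard IOS ACL wildcard semantics and the documented property that a VLAN map has no direction (it is applied to packets bridged within the VLAN and to packets routed into or out of it), and it uses constructed sample addresses: 200.0.0.75 for a host in the permitted /29, 10.0.0.120 for the pinged vlan99 host from the thread, and 192.168.5.5 for a host in some other VLAN.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_for_prefix(prefix: str) -> str:
    """Wildcard that matches exactly the hosts of a CIDR prefix (/29 -> 0.0.0.7)."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


# ACL entries: (action, src_base, src_wildcard, dst_base, dst_wildcard).
# First match wins; an unmatched packet hits the implicit deny, as in IOS.
ANY = ("0.0.0.0", "255.255.255.255")

# access-list 99 permit 200.0.0.72 0.0.0.7   (standard ACL: tests the source only)
ACL_99 = [("permit", "200.0.0.72", "0.0.0.7", *ANY)]

# access-list 101 permit ip 200.0.0.72 0.0.0.7 10.0.0.0 0.0.0.255
ACL_101 = [("permit", "200.0.0.72", "0.0.0.7", "10.0.0.0", "0.0.0.255")]


def acl_lookup(acl, pkt: Packet) -> str:
    for action, sb, sw, db, dw in acl:
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw):
            return action
    return "deny"


def vacl_vlan99(pkt: Packet) -> str:
    """vlan access-map vlan99: seq 10 forwards if ACL 99 permits, seq 20 drops.

    A VLAN map has no direction: every IP packet bridged within VLAN 99 or
    routed into or out of it is tested, so replies sourced from 10.0.0.0/24
    are checked against ACL 99 too (and ACL 99 only permits 200.0.0.72/29).
    """
    return "forward" if acl_lookup(ACL_99, pkt) == "permit" else "drop"


VLAN99 = ipaddress.ip_network("10.0.0.0/24")


def svi_acl_out(pkt: Packet) -> str:
    """interface Vlan99 / ip access-group 101 out.

    An outbound interface ACL only sees packets the switch routes out through
    that SVI, i.e. toward 10.0.0.0/24. Replies from vlan99 hosts leave via
    another interface and are never evaluated here.
    """
    if ipaddress.ip_address(pkt.dst) not in VLAN99:
        return "not evaluated"
    return "forward" if acl_lookup(ACL_101, pkt) == "permit" else "drop"


def compare(pkt: Packet) -> dict:
    return {"vacl": vacl_vlan99(pkt), "svi_out": svi_acl_out(pkt)}


if __name__ == "__main__":
    # Constructed sample flows (hypothetical hosts, see lead-in).
    flows = [
        ("request from the permitted /29", Packet("200.0.0.75", "10.0.0.120")),
        ("reply to that request", Packet("10.0.0.120", "200.0.0.75")),
        ("request from another VLAN", Packet("192.168.5.5", "10.0.0.120")),
    ]
    for label, pkt in flows:
        print(f"{label:32} {pkt.src:>12} -> {pkt.dst:<12} {compare(pkt)}")
    # The wildcard is the inverted subnet mask: /29 is mask 255.255.255.248,
    # wildcard 0.0.0.7. Typing 248 in the wildcard instead matches every
    # address whose low three bits are 000, which is a different set entirely.
    print("wildcard for 200.0.0.72/29:", wildcard_for_prefix("200.0.0.72/29"))
    print("200.0.0.75 vs wildcard 0.0.0.248:", wildcard_match("200.0.0.75", "200.0.0.72", "0.0.0.248"))
    print("200.0.0.80 vs wildcard 0.0.0.248:", wildcard_match("200.0.0.80", "200.0.0.72", "0.0.0.248"))
```

Run as a script it prints one line per flow: the VACL forwards the request but drops the reply, which is the "blocks all traffic, even from the range I allowed" symptom, while the outbound SVI ACL forwards the request and never touches the reply. The wildcard check at the end shows why the inverse-mask form matters: with 0.0.0.248 the intended host 200.0.0.75 is not matched and an unrelated 200.0.0.80 is. Separately, the "Packet filtered" line in the Linux ping output is how iputils reports an ICMP destination unreachable with code 13 (communication administratively prohibited), which the router generates when an interface ACL denies a packet; `no ip unreachables` on the interface that generates it stops the router from sending that message.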

This is what I'm talking about when doing that. Maybe it's not that big of a deal, but to me that response shows that a host does live there, and I don't like that.

# Config

interface Vlan99
  ip address 10.0.0.1 255.255.255.0
  ip access-group vlan99-out out
!
ip access-list extended vlan99-out
 permit ip 200.0.0.72 0.0.0.7 any
 deny ip any any log
!

# ping output using ping on a Linux machine; the first reply is without the ACL, the second is the response after it's been applied.

64 bytes from 10.0.0.120: icmp_seq=1440 ttl=254 time=0.897 ms
From 200.0.0.171 icmp_seq=1441 Packet filtered
From 200.0.0.171 icmp_seq=1442 Packet filtered

Thanks for the additional information. What IP address is the source of this ping? What is 200.0.0.171? To deal with the notifications, try this:

interface vlan 99
 no ip unreachable

HTH

Rick

200.0.0.171 is the primary IP assigned to the vlan that the Linux machine is pinging from.

The source of the ping is a secondary IP range assigned to the same vlan that the Linux machine is pinging from. The Linux machine is getting its IP from that secondary range.

no ip unreachable on vlan99 doesn't change anything.

Without more context the IP information is not as helpful as I had thought it might be. Surprised that no ip unreachable did not change anything. Perhaps needs to be applied on the interface which is used to reach 200.0.0.171 rather than on the vlan 99 interface.

HTH

Rick