one more question, couldn't I use only 2 permits? because at last there will be an implicit deny for all,

So could I remove deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255?

You ask a couple of interesting questions.

- We have had some discussion about applying acl in or out but it seems you still do not understand the principle that applying the acl is from the perspective of the vlan interface. If the vlan subnet is the source address in the acl then it would apply to traffic from the device into the interface. So apply the acl in. If the vlan subnet were the destination address in the acl then apply outbound.

- If you remove the second statement (which denies traffic from vlan 20 to other internal vlans) then the remaining statement (permit ip 172.16.20.0 0.0.0.255 any) will permit communication from vlan 20 to other vlans. Keep the deny statement in the acl.

@Richard Burts Thankss for giving such valuable information, in my case I have a coreswitch and the vlan interfaces are on it. so it should be IN right? because you said you will apply traffic from the device to the vlan interface, and my hosts are connected to the switches that has uplinks to the coreswitch and then from coreswitch to firewall

@Richard Burts Thankss, I was reading that a named acl is better for later access list sequence, how can I make such a named acl with the same config?

If you will be configuring the acl on the core switch then we are thinking about the vlan interface on the core switch. Is the traffic coming into the interface to be processed? Then apply the acl in. Is the traffic going out of the interface to a device in the vlan? Then apply the acl out.

In your case I am not sure that it makes much difference whether you use a named acl or a numbered acl. But if you would like to try a named acl it is pretty simple. Just configure a named acl that has the same 3 statements and then in the access-group where you apply the acl just change from the number to the name.

so in my case it's out? still a bit confused hahaha, my vlan interfaces are on the coreswitch, and I want to have one way from vlan 20 to a host in vlan 10 and block all other traffic, the hosts are connected to coreswitch directly.

so for named acl I would only use: 

ip access-list extended MYACL and then complete the same commands and then ip access-group MYACL in

right?

@Richard Burts Thankss for helping me in this, I just have one more question, everything is ok, but I want to keep RDP working. I used this first statement before: permit tcp host 172.16.20.2 host 172.16.10.2 eq 443, and then we denied such host to all other vlans and then permit any to access the internet. But I want to be able to have RDP session to 172.16.20.2, is this achieved by the permit any at the end, or should I add permit tcp 172.16.0.0 0.0.255.255 host 172.16.20.2 eq 3389,

Thanks in advance!

You could use that permit statement for RDP but it really is not needed. The permit any will take care of it.

ohh ok, Thanks!!, I was using the commands on the new Cisco CBS350, and the commands were a bit different so I used:

ip access-list extended MYACL

permit tcp host 172.16.20.2 any host 172.16.10.2 443 ace-priority 1
deny ip host 172.16.20.2 172.16.0.0 0.0.255.255 ace-priority 2

permit ip host 172.16.20.2 any ace-priority 3

and then applied this command on Vlan20 Interface:

service-acl input MYACL

by default the service-acl default action is deny any

So far everything is fine, but from your perspective, is there anything missing or wrong?

Thanks!

I am not familiar with the CBS350 and the command syntax is certainly different. If it is working as you expect that is a very good thing. I do not see anything wrong or missing.

Thanks @Richard Burts