Why should I use a VACL here? I don't see the point

jon.baxter1
Level 1

In my example here, what I have in my extended access list is what I want, so there is no need for the VACL. What am I missing? I feel like if I proceed with this and have the explicit deny at the end, then I need to create a long extended list to accommodate all of my IP ranges and VLANs. I apologize if this is a rookie question; I just cannot find the clarification I need in any forums anywhere.

 

ip access-list extended CONTROLSACL
 ! single one-way entry: 192.168.17.0/24 -> 172.18.24.0/24 (implicit deny follows)
 permit ip 192.168.17.0 0.0.0.255 172.18.24.0 0.0.0.255
!
vlan access-map Mapping 10
 ! sequence 10: packets permitted by CONTROLSACL are forwarded
 match ip address CONTROLSACL
 action forward
vlan access-map Mapping 20
 ! sequence 20: no match clause, so everything else is dropped
 action drop
!
! apply the access-map to VLAN 1
vlan filter Mapping vlan-list 1

4 Replies

balaji.bandi
Hall of Fame

If there is no other IP range and you want both to communicate with each other, then you do not require a VACL.

 

Look at your VACL: you have one way only - permit ip 192.168.17.0 0.0.0.255 172.18.24.0 0.0.0.255

 

172.18 cannot initiate traffic back to 192.x. Whether this is the requirement, we are not sure.

 

BB


Hey @jon.baxter1 

 

I feel like if I proceed with this and have the explicit deny at the end, then I need to create a long extended list to accommodate all of my IP ranges and VLANs.

- Here, in an extended list, you are matching the desired traffic that you want to allow. So yes, only traffic you are permitting in the extended list will be allowed.

- Yes, you need to create a long extended list to accommodate all of your IP ranges and VLANs.

 

Note: As I said, this extended list is used to match the traffic; you need to allow traffic in both directions for each IP range and VLAN. For example, the list you mentioned above should look like this:

 

ip access-list extended CONTROLSACL
 ! 192.168.17.0/24 -> 172.18.24.0/24
 permit ip 192.168.17.0 0.0.0.255 172.18.24.0 0.0.0.255
 ! return direction, 172.18.24.0/24 -> 192.168.17.0/24
 permit ip 172.18.24.0 0.0.0.255 192.168.17.0 0.0.0.255

 

 


Spooster IT Services Team

Cristian Matei
VIP Alumni

Hi,

 

In order to filter IP traffic via IP ACLs, the point of attachment is what gives the ACL its name, PACL, VACL or RACL:

- PACL means Port ACL: an ACL applied on a layer 2 port (access or trunk), which affects ingress traffic only (the direction cannot be modified)

- VACL means VLAN ACL: an ACL applied at the VLAN level, which affects intra-VLAN traffic and also inter-VLAN traffic

- RACL means Router ACL: an ACL applied on a layer 3 port (IP address configured), which affects traffic as per the configuration, ingress or egress

 

Technically speaking, you could use any of these to restrict traffic, however:

- intra-VLAN traffic can only be restricted via PACL and VACL, as that traffic never reaches a default gateway where a RACL could be enforced

- inter-VLAN traffic can be restricted by any of those three methods

 

Thus, VACL is preferred over PACL when you need to control intra-VLAN traffic in a scalable manner, by applying the ACL in a single place, at the VLAN level, as opposed to at each port via PACL.

In your case, as you want to restrict inter-VLAN traffic, any of the above methods will work, and yes, there is no need to configure explicit deny entries in the ACL, as long as your configured statements meet your intended policy requirements.

 

Regards,

Cristian Matei.

Hello

What you seem to be doing here is allowing access only between two routed subnets, so a routed access-list would be applicable. VACLs, on the other hand, are used to prohibit intra-VLAN communication, which isn't what you want to do.

 

Note: the ACL logic for an SVI routed ACL:
IN = originating within the VLAN
OUT = originating from outside the VLAN

example:
ip access-list extended Vlan172
 ! matches traffic sourced from the 172.18.24.0/24 subnet
 permit ip 172.18.24.0 0.0.0.255 any
!
ip access-list extended Vlan192
 ! matches traffic sourced from the 192.168.17.0/24 subnet
 permit ip 192.168.17.0 0.0.0.255 any
!
interface Vlan192
 ! "out" = leaving the SVI into VLAN 192, so only 172.18.24.0/24 sources get in
 ip access-group Vlan172 out
!
interface Vlan172
 ! "out" = leaving the SVI into VLAN 172, so only 192.168.17.0/24 sources get in
 ip access-group Vlan192 out



Kind Regards
Paul
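
The two points made in the replies above, that a VACL needs ACEs in both directions and that a routed ACL on an SVI is evaluated per direction, can be checked with a small model of IOS extended-ACL matching. The Python below is an added example for this thread, not code from any of the posts. It assumes only "permit|deny ip SRC DST" entries with contiguous wildcard masks, reuses the OP's subnets and Paul's VLAN IDs 192 and 172, and the host addresses and the 10.0.0.5 outsider are constructed for the demonstration.

```python
"""Model of Cisco IOS extended-ACL matching: first match wins, implicit deny.

Added example for the thread (not code from any post). Shows why a VACL built
from one one-way ACE drops the return traffic, and how RACLs applied 'out' on
each SVI (Paul's layout) check routed traffic. Assumptions: only
'permit|deny ip SRC DST' ACEs, contiguous wildcards; hosts and the 10.0.0.5
outsider are constructed, VLAN IDs 192/172 are taken from Paul's example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # An IOS wildcard is the inverted subnet mask: 0.0.0.255 -> 255.255.255.0.
    # ipaddress raises ValueError for a non-contiguous mask, which we accept.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))
    return ipaddress.IPv4Network((first, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(lines):
    """Parse the ACE lines of an 'ip access-list extended'; other lines are skipped."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError("only 'ip' ACEs are modelled: " + line)
        rest = tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def acl_permits(aces, src_ip, dst_ip):
    """IOS semantics: the first matching ACE decides; no match is an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def vacl_action(access_map, src_ip, dst_ip):
    """Evaluate a 'vlan access-map' given as ordered (aces_or_None, action) sequences.

    A VACL has no direction: every packet in the VLAN is checked whichever way
    it flows. A sequence with a 'match ip address' clause fires when its ACL
    permits the packet; a sequence with no match clause fires for everything.
    Falling off the end of the map drops the packet.
    """
    for aces, action in access_map:
        if aces is None or acl_permits(aces, src_ip, dst_ip):
            return action
    return "drop"


def _vlan_of(subnet_to_vlan, ip):
    addr = ipaddress.IPv4Address(ip)
    return next((vlan for net, vlan in subnet_to_vlan.items() if addr in net), None)


def routed_path_permitted(svi_acls, subnet_to_vlan, src_ip, dst_ip):
    """RACL check for a packet routed between VLANs.

    svi_acls maps (vlan, 'in'|'out') -> aces. The packet enters through the
    source VLAN's SVI ('in') and leaves through the destination VLAN's SVI
    ('out'); a direction with no ACL is not filtered, and a source on no local
    VLAN (arriving via some other routed interface) skips the 'in' check.
    """
    def check(vlan, direction):
        aces = svi_acls.get((vlan, direction))
        return True if aces is None else acl_permits(aces, src_ip, dst_ip)
    return (check(_vlan_of(subnet_to_vlan, src_ip), "in")
            and check(_vlan_of(subnet_to_vlan, dst_ip), "out"))


# --- constructed scenario: the OP's subnets, Paul's VLAN IDs, made-up hosts ---
ONE_WAY = parse_acl(["ip access-list extended CONTROLSACL",
                     "permit ip 192.168.17.0 0.0.0.255 172.18.24.0 0.0.0.255"])
BOTH_WAYS = ONE_WAY + parse_acl(["permit ip 172.18.24.0 0.0.0.255 192.168.17.0 0.0.0.255"])
MAP_ONE_WAY = [(ONE_WAY, "forward"), (None, "drop")]      # the OP's access-map
MAP_BOTH_WAYS = [(BOTH_WAYS, "forward"), (None, "drop")]  # Spooster's correction
SVI_ACLS = {(192, "out"): parse_acl(["permit ip 172.18.24.0 0.0.0.255 any"]),
            (172, "out"): parse_acl(["permit ip 192.168.17.0 0.0.0.255 any"])}
SUBNET_TO_VLAN = {ipaddress.IPv4Network("192.168.17.0/24"): 192,
                  ipaddress.IPv4Network("172.18.24.0/24"): 172}

if __name__ == "__main__":
    print("VACL one-way, 192->172:", vacl_action(MAP_ONE_WAY, "192.168.17.10", "172.18.24.20"))
    print("VACL one-way, 172->192 reply:", vacl_action(MAP_ONE_WAY, "172.18.24.20", "192.168.17.10"))
    print("VACL both-ways, 172->192 reply:", vacl_action(MAP_BOTH_WAYS, "172.18.24.20", "192.168.17.10"))
    print("RACL 192->172:", routed_path_permitted(SVI_ACLS, SUBNET_TO_VLAN, "192.168.17.10", "172.18.24.20"))
    print("RACL 10.0.0.5->172:", routed_path_permitted(SVI_ACLS, SUBNET_TO_VLAN, "10.0.0.5", "172.18.24.20"))
```

Running it shows the OP's one-entry map forwarding 192.168.17.x to 172.18.24.x but dropping the reply, because the VACL is checked against every packet in the VLAN and nothing matches the reverse pair before the catch-all drop. With the second ACE the reply is forwarded. The RACL model passes both directions between the two subnets and refuses a third-party source, without any explicit deny, because an extended ACL ends in an implicit deny.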
