Thanks Flavio, this is the config. What I have been given here by a cisco VIP is the deny. If i apply to an interface , which inteface and what is general rule about in/out? 

Do you mind to share the PacketTrace file so that will be much easier to help?

You need to zip it before attach.

It is easier for you but it removes a lot of other people who do not use PT and in addition the posted solution is useless to anyone without PT. 

Better for the community if configurations and diagrams are posted. 

Jon

https://www.youtube.com/watch?v=NqibHK5f930

take look on this video.
you need to refresh some info.

You say put some effort in, I have been at this for two years. CISCO literature may as well be written in a foreign language and the training material is dire.   the community is there to help that's why I ask the community, usually the community is helpful and polite. Maybe you should put some effort on manners

you have misunderstood what i mean. anyway, 

check below link

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-create-ip-apply.html.xml

it clearly guides what is ACL and how it uses. good luck

if you need more help let me know i will share some clear guides

Hi Paul, thanks for the question. I was told by the CISCO VIP doing our training to apply it only on the central router.  I am, reading a tonne of collateral but nothing is really simple here.  I get the concept of the ACL.  I understand it needs to be applied in the route but is it applied on outgoing or incoming interface from device or router? 

Which int am I applying this to and I am applying in or out?

Thanks

1. 1st thing is we need to know which traffic we are going to block or allow. 

then crate a access list as below. this will block telnet traffic  from 192.168.1.1  to any  address from first line. then allows all other traffic from second line.

ip access-list extended blocktelnet
 deny tcp host 192.168.1.1 any eq telnet
 permit any any

 2. then we need to map access list to some router interface in correct direction.

this code allied to interface gig 0/1 and it is applied to inbound traffic. that means any traffic coming into  the router fill filter according to access list named blocktelnet as per this example. if you want to filter traffic from router to outside of interface, you can use out command upon in  keyword. 

interface gigabitethernet 0/1
 ip access-group blocktelnet in

3. when selecting which interface to apply access list is bit tricky. 

extended ACLs (which can select more parameters and be more specific) need to apply more closer to source. more general selection ACLs are can apply more closer to destination. also we can apply for the place we want as per requirement. 

if you are planning to block icmp traffic between two hosts, you can apply blocking ACL closer to source or destination router. if you are applying that to closest router to source PC, better apply it to interface which connected to PC/switch of source network and select inbound. 

if you are applying ACL closer to destination PC, generally you can apply that to interface of router which connected to destination network. when select interface to apply ACL, we can apply it to the interface connected directly in to destination network as outbound direction. also we can apply ACL to inbound of other interfaces in same router. 

hope you understood the basic traffic pattern filtering way. 

Thanks Jon