Interface Direction

hs08

Hello,

Can anyone help me better understand traffic direction on a physical interface and on a VLAN interface?

Scenario 1:
Router interface g0/1 is connected to the LAN, and interface g0/2 is connected to the INTERNET. When I assign an output QoS policy on interface g0/2, which one will be the source?

Scenario 2:
I have VLAN 100 with subnet 10.7.100.0/24, and I want to apply an access-group IN on this VLAN. When creating the extended access list, should I enter permit ip 10.7.100.0 0.0.0.255 any, or permit ip any 10.7.100.0 0.0.0.255, for example?

Accepted Solution

Joseph W. Doherty

Hmm, so far none of the replies appear to answer your specific questions.

For scenario 1, source would be LAN IPs.

For scenario 2,

permit ip 10.7.100.0 0.0.0.255 any


balaji.bandi

Check from my notes:

IN: any packet coming to the router is considered inbound.

OUT: any packet going out of the router is considered outbound.

In an ACL, we usually use it at the interface:

any packet entering the interface is considered inbound by the ACL.

any packet leaving the interface is considered outbound by the ACL.

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#sourcedefine

BB


Joseph W. Doherty

@balaji.bandi is correct.

For SVIs, think of OUT as toward VLAN's subnet IPs and IN as from VLAN's subnet IPs.

Or, think of a L2 switch connected to a router.  IN and OUT would be the same as for router's physical interface.

BTW, what @MHM Cisco World is showing is correct.

Thanks

MHM


@MHM Cisco World wrote:

It is for an SVI ACL, not for a physical interface.
Please be sure again before answering.

MHM


Yup, it's I who had it backwards!

Corrected my other replies.

Thank you.

PS:

BTW, do try to be sure of my replies, but I do get it wrong, occasionally. One nice thing about these forums, with an implicit "peer review", incorrect information usually gets called out.

In this picture, when I want to deny some hosts in VLAN 10 from reaching VLAN 20 by configuring access-group IN on VLAN 20, should the ACL be deny ip host 10.10.10.10 any or deny ip any host 10.10.10.10?

deny ip any host 10.10.10.10 <<- if it is configured under VLAN 20, direction IN

MHM


@MHM Cisco World wrote:

deny ip host 10.10.10.10 any

Because inbound for an SVI is from hosts in the same subnet as the SVI, not from a different subnet.

MHM


After my last flub, it's with trepidation I ask, wouldn't the answer be deny ip any host 10.10.10.10?

OP asked for an in ACL on VLAN 20 SVI. So, such an ACL would need to block return traffic from VLAN 20 (src) to VLAN 10 (dst), yes?

Get it

Thanks 

MHM

@hs08 just some other options for using those two ACEs. . .

deny ip host 10.10.10.10 any

Could be used as an in for SVI 10, where it blocks the host from sending any traffic out of VLAN 10

Could also be used as an out for SVI 20 where it blocks VLAN 20 from receiving any traffic from that one host.

deny ip any host 10.10.10.10

Could be used as an in for SVI 20, where it blocks all of VLAN 20 from sending any traffic to that host.

Could also be used as an out for SVI 10 where it blocks that host from receiving any traffic external to VLAN 10.

Remember a single ACL applies to one direction of traffic but traffic can be bidirectional (although bidirectional conversations are broken even if just one direction is blocked). So, to guarantee no traffic, you would need two ACLs.

Next, keep in mind the scope of any. As above, its implied scope changes when applied on SVI 10 vs. 20. This issue can be negated by using a specific network.

For example, rather than

deny ip host 10.10.10.10 any

perhaps

deny ip host 10.10.10.10 10.10.20.0 0.0.0.255

Lastly, an old recommendation for ACL application is to drop traffic ASAP. This would suggest using an in ACL, but if blocking bidirectional traffic, the relationships between the related in-ACL ACEs on different interfaces (possibly on different devices) can easily be overlooked. So, for maintainability, an in and an out on the same interface can be better. (For the case of a specific host, its gateway interface is often the better choice, as the ACL is, logically, near the targeted host.)
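As an added illustration of the in/out logic described in this thread (this is example code written for this page, not code from the thread or from Cisco), here is a small Python model: an SVI's "in" ACL examines packets whose source is in the VLAN's subnet, its "out" ACL examines packets whose destination is, and an unmatched packet falls to the implicit deny. The VLAN 10 and VLAN 20 subnets (10.10.10.0/24 and 10.10.20.0/24) and the external addresses are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: host 10.10.10.10 is in VLAN 10, VLAN 20 is assumed
# to be 10.10.20.0/24, and VLAN 100 is 10.7.100.0/24 as in the question.
VLANS = {10: ip_network("10.10.10.0/24"),
         20: ip_network("10.10.20.0/24"),
         100: ip_network("10.7.100.0/24")}

def _take(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress understands a Cisco wildcard as a hostmask after the slash
    return ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]

def parse_ace(ace):
    """'deny ip <src> <dst>' -> (action, src_net, dst_net); plain 'ip' ACEs only."""
    action, _proto, *rest = ace.split()
    src, rest = _take(rest)
    dst, _ = _take(rest)
    return action, src, dst

def crosses_svi(svi, direction, src, dst):
    """True if a routed packet src->dst passes SVI `svi` in `direction`.
    'in'  = leaving the VLAN's hosts, so the SOURCE is in the VLAN subnet;
    'out' = heading to the VLAN's hosts, so the DESTINATION is in it."""
    net = VLANS[svi]
    s, d = ip_address(src), ip_address(dst)
    if s in net and d in net:
        return False          # same-subnet traffic is switched, never routed
    return (s in net) if direction == "in" else (d in net)

def evaluate_acl(aces, svi, direction, src, dst):
    """Return 'permit' or 'deny' for a packet the ACL examines, or None when
    the packet never crosses that SVI in that direction. Like a real Cisco
    ACL, an unmatched packet hits the implicit 'deny ip any any' at the end."""
    if not crosses_svi(svi, direction, src, dst):
        return None
    s, d = ip_address(src), ip_address(dst)
    for ace in aces:
        action, src_net, dst_net = parse_ace(ace)
        if s in src_net and d in dst_net:
            return action
    return "deny"
```

Running the two scenario 2 candidates through it shows why the accepted answer is the subnet-as-source form: applied IN on SVI 100, permit ip any 10.7.100.0 0.0.0.255 never matches the VLAN's outbound traffic, so everything hits the implicit deny.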
