- Yes, it should be applied inbound on the VLAN interface where that VLAN is located.
- It should be applied as access-group and not as access-class.
- If it is on the interface where that subnet is located, I would suggest changing the source specification of "any" to the subnet of that VLAN.
- You are permitting TCP access for SMTP, web, and SSH, but you are not permitting any DNS traffic. So users will have to specify everything by address and not browse by name. I doubt that is what you had in mind.
The access list is applied in or out from the perspective of the router/switch interface. Traffic from VLAN 172 into the switch interface is applied in. Traffic from the switch interface out to VLAN 172 is applied out.
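The points in the answer above as a configuration sketch. This is an added example, not the original poster's configuration: the subnet 172.16.172.0/24 for VLAN 172, the ACL name VLAN172-IN, and the inclusion of port 443 under "web" are assumptions.

```cisco
! Constructed example. Assumed: VLAN 172 uses 172.16.172.0/24,
! and the ACL name VLAN172-IN is hypothetical.
ip access-list extended VLAN172-IN
 remark Source is the VLAN subnet rather than "any"
 remark DNS, so that hosts can resolve names
 permit udp 172.16.172.0 0.0.0.255 any eq domain
 permit tcp 172.16.172.0 0.0.0.255 any eq domain
 remark SMTP, web and SSH
 permit tcp 172.16.172.0 0.0.0.255 any eq smtp
 permit tcp 172.16.172.0 0.0.0.255 any eq www
 permit tcp 172.16.172.0 0.0.0.255 any eq 443
 permit tcp 172.16.172.0 0.0.0.255 any eq 22
 remark The implicit deny already drops the rest; this line only adds logging
 deny ip any any log
!
! Traffic from VLAN 172 into the switch interface is "in",
! so the ACL is bound inbound on the SVI with access-group.
interface Vlan172
 ip access-group VLAN172-IN in
!
! access-class is the vty line command and filters management sessions
! to the device itself, not traffic routed through the VLAN interface.
```

`show ip access-lists VLAN172-IN` shows per-entry match counters, which confirm whether the DNS entries are being hit.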