
When do ACLs on SVIs get applied on Cisco Catalyst devices?

I don't understand exactly when an ACL will get applied when on an SVI. Given the following (pseudo) configuration:

    int vlan 100
     ip address 10.0.0.1 255.255.255.0
     ip access-list in in
     ip access-list out out
    int gig 1/2
     switchport access vlan 100
    int gig 1/3
     switchport access vlan 100
    ip access-list extended in
     deny ip any any
    ip access-list extended out
     deny ip any any

Could a device on port 1/2 with IP 10.0.0.2 and a device on port 1/3 with 10.0.0.3 talk to each other? Could the devices on 1/2 and 1/3 talk to the SVI at 10.0.0.1? Where specifically is the "in/out" demarcation of the SVI?

If the SVI routes a packet, the TTL of that packet will be decreased as it's forwarded. In other words, you can see the SVI as a hop in traceroute.

As Ron Maupin explains, this is not the case for layer-2 switched traffic between hosts on the same VLAN.

If you want the ACL in your example to process traffic between hosts on Giga1/2 and Giga1/3 you may consider using a layer-2 ACL (available on some devices; not all) or configuring a Private VLAN which allows more complex isolation of devices sharing a layer-2 domain.
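The forwarding logic described in this answer, as an added Python model that is not part of the question or of any answer on the page: same-subnet traffic between two access ports is switched at layer 2 and never touches the SVI (no ACL, no TTL change), while traffic that enters the SVI is checked against the inbound ACL, and traffic that is routed out through another SVI is additionally checked against that SVI's outbound ACL after the TTL is decremented. The question's VLAN 100 configuration is reproduced; a second VLAN 200 with SVI 10.0.1.1/24 and no ACLs is an assumption added here so the routed case can be shown. "in" and "out" in the model refer to ACL direction, not to the ACL names used in the question.

```python
# Added illustration, not code from the original question or answers.
# Assumption: VLAN 200 / 10.0.1.1/24 is invented here to show the routed path.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


class Svi:
    """A VLAN interface: its subnet, its own address and the ACLs applied to it."""

    def __init__(self, vlan, address, acl_in=None, acl_out=None):
        iface = ipaddress.ip_interface(address)
        self.vlan = vlan
        self.ip = iface.ip
        self.network = iface.network
        self.acl_in = acl_in      # list of (action, src_net, dst_net), or None
        self.acl_out = acl_out


def acl_permits(acl, src, dst):
    """Evaluate an ACL top-down; no ACL applied means nothing is filtered."""
    if acl is None:
        return True
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def forward(svis, src_vlan, src_ip, dst_ip, ttl=64):
    """Return where a packet from src_ip (on src_vlan) to dst_ip is handled."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = svis[src_vlan]
    result = {"acl_checked": [], "ttl": ttl}

    # Same subnet and not addressed to the SVI: forwarded at layer 2.
    # The SVI is never consulted, so neither ACL runs and the TTL is untouched.
    if dst in ingress.network and dst != ingress.ip:
        result.update(path="l2-switched", delivered=True)
        return result

    # Everything else enters the SVI, so the inbound ACL is evaluated first.
    result["acl_checked"].append("in")
    if not acl_permits(ingress.acl_in, src, dst):
        result.update(path="dropped-by-in-acl", delivered=False)
        return result

    if dst == ingress.ip:
        # Traffic to the SVI address itself: inbound ACL applies, nothing routed.
        result.update(path="to-svi", delivered=True)
        return result

    # Routed: pick the egress SVI, decrement TTL, then evaluate its outbound ACL.
    egress = next((s for s in svis.values() if dst in s.network), None)
    if egress is None:
        result.update(path="no-route", delivered=False)
        return result
    result["ttl"] = ttl - 1
    result["acl_checked"].append("out")
    if not acl_permits(egress.acl_out, src, dst):
        result.update(path="dropped-by-out-acl", delivered=False)
        return result
    result.update(path="routed", delivered=True)
    return result


DENY_ANY = [("deny", ANY, ANY)]

# The question's VLAN 100, plus the assumed VLAN 200 with no ACLs.
SVIS = {
    100: Svi(100, "10.0.0.1/24", acl_in=DENY_ANY, acl_out=DENY_ANY),
    200: Svi(200, "10.0.1.1/24"),
}

if __name__ == "__main__":
    flows = [(100, "10.0.0.2", "10.0.0.3"),   # host to host, same VLAN
             (100, "10.0.0.2", "10.0.0.1"),   # host to the SVI itself
             (200, "10.0.1.2", "10.0.0.2"),   # routed into VLAN 100
             (100, "10.0.0.2", "10.0.1.2")]   # routed out of VLAN 100
    for vlan, s, d in flows:
        print(f"{s} -> {d}: {forward(SVIS, vlan, s, d)}")
```

Running the four flows shows the answer's point directly: 10.0.0.2 and 10.0.0.3 reach each other with the TTL unchanged despite both deny-any ACLs, whereas any packet that has to enter the SVI (to 10.0.0.1 itself, or across VLANs) is stopped by the inbound or outbound ACL.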
