According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)
ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.
ip access-list extended "SecureContent"
10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.
If traffic back is not allowed then you need to add the way back in your ACL.
ip access-list extended "SecureContent"
10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255
EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).
This is often a confusing topic for users new to SVIs as it does seem to work a bit counter intuitively. Most people have a tendency to look at the SVI as some sort of "gateway" and that traffic leaving the VLAN should be outbound and vice versa.
However, it actually works in the opposite way because the SVI is a virtual router interface. It can help to think of the SVI as a physical interface on a physical router connected to the VLAN. From the perspective of this router, traffic arriving on the interface (the SVI) from the VLAN is inbound. Traffic from the rest of the network to the VLAN would be going out (or outbound) from the perspective of this interface.
As an example, take for instance the following SVI:
interface Vlan10
ip address 10.1.1.1 255.255.255.0
ip access-group VLAN10_IN in
ip access-group VLAN10_OUT out
Now, let's say I want to prevent any traffic with spoofed IP addresses from leaving this VLAN. My access list may look like the below. Notice that while this traffic is outbound from the VLAN, it is inbound to the interface and as such is an inbound ACL.
Sw6500#sh ip access-lists VLAN10_IN
Extended IP access list VLAN10_IN
10 permit ip 10.1.1.0 0.0.0.255 any
20 deny ip any any
If I want to limit access to this VLAN so that devices with 192.168.1.0/24 addresses are blocked but all other 192.168.0.0/16 addresses are allowed, the ACL would look something like this:
Sw6500#sh ip access-lists VLAN10_OUT
Extended IP access list VLAN10_OUT
10 deny ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.0.0 0.0.255.255 any
30 deny ip any any
Please Note: These are not a complete working access lists; they are meant only as examples. While they may work in certain environments, it may create problems if you try to use it. For instance, it will not allow traffic such as DHCP if the DHCP server is on a different VLAN.
One parting note, that may seem obvious but I have seen trip people up before. If the SVI has multiple subnets associated with it, you need to make sure your ACLs take this into account as traffic that passes between these subnets will be processed by the ACL even though it stays within the VLAN.
As long as you keep the concept that the SVI is an interface, this should be easy to accomplish.
Best Answer
If you want to restrict management access to the switch, you need to apply the ACL to the VTY interfaces: