Information About VLAN Access Control Lists
VLAN access control lists (VACLs), or VLAN maps, are used to control network traffic within a VLAN. VACLs are configured globally, and the rules are applied to VLANs. VACLs are supported in both the ingress and egress directions. In the ingress direction, VACLs are applied after the port ACL and before the routed ACL. In the egress direction, VACLs are applied after the routed ACL and before the port ACL. A VLAN map is applied to both routed and switched traffic. A VLAN map can contain both IP and MAC ACLs, which are applied to IP and non-IP traffic respectively.
VLAN Maps
VLAN ACLs or VLAN maps are used to control network traffic within a VLAN. You can apply VLAN maps to all packets that are bridged within a VLAN in the switch or switch stack. VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction (ingress or egress).
All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps. (IP traffic is not access-controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch.
With VLAN maps, forwarding of packets is permitted or denied based on the action specified in the map.
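
The following configuration is an added example, not part of the original documentation. It shows one VLAN map that carries both an IP ACL and a MAC ACL and is then applied to a VLAN. The ACL names, map name, VLAN ID, subnet and the filtered protocols are constructed for illustration.

```cisco
! Constructed example: all names, the VLAN ID and the subnet are illustrative.
!
! IP ACL: "permit" here only selects the traffic. The forward/drop decision
! is made by the action in the VLAN map entry that references this ACL.
ip access-list extended VACL-IP-TELNET
 permit tcp 10.10.10.0 0.0.0.255 any eq telnet
!
! MAC ACL: selects non-IP frames by Ethertype. IP packets are never
! evaluated against a MAC ACL in a VLAN map.
mac access-list extended VACL-MAC-DECNET
 permit any any decnet-iv
!
! Entry 10: drop Telnet sourced from the 10.10.10.0/24 hosts in the VLAN.
vlan access-map VLAN10-FILTER 10
 match ip address VACL-IP-TELNET
 action drop
!
! Entry 20: drop DECnet Phase IV frames (non-IP traffic).
vlan access-map VLAN10-FILTER 20
 match mac address VACL-MAC-DECNET
 action drop
!
! Entry 30: no match clause, so it applies to every remaining packet.
! Keeping an explicit final forward entry avoids unintentionally dropping
! the IP and non-IP traffic that entries 10 and 20 did not select.
vlan access-map VLAN10-FILTER 30
 action forward
!
! VACLs are defined globally and then bound to VLANs. No direction keyword
! is given: the map is evaluated for bridged and routed packets alike.
vlan filter VLAN10-FILTER vlan-list 10
```

After applying the map, `show vlan access-map` and `show vlan filter` display the configured entries and the VLANs they are bound to.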