"Normal" ACLs are applied either inbound or outbound on an interface. However, I've come across a Cisco 6500 series layer 3 switch that uses VLAN access maps to filter traffic within its VLANs. It has two access maps configured, one for forwarding traffic, and one for dropping traffic.
What I would like to know is when during routing/switching are these access maps applied? Are they inbound on any affected VLAN port, outbound, or some other time entirely?
EDIT: Perhaps I was unclear. I understand how to apply the access-map and the commands required; I am asking about when, within the switching logic of the device, are these decisions applied to packets (or perhaps frames is a better term). From one answer below, it seems that the drop/forward decision is taken inbound on any port assigned to the VLAN in question. Is this correct?
If you use a vlan filter command to apply an access-map to a vlan N, all Layer 2 and Layer 3 traffic will be filtered by the access-map when entering the vlan N. I recommend you read http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html#wp1037197 for very complete information on how VLAN ACLs work.
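For reference, a VACL with one drop sequence and one forward sequence applied through vlan filter looks like this. This is an added example, not configuration from the original posts; the ACL names, map name and Telnet match are constructed, and VLAN 111 is borrowed from the other answer on this page.

```cisco
! Constructed example: ACL names, map name and matched traffic are illustrative.
ip access-list extended VACL-DROP-TELNET
 permit tcp any any eq 23
!
ip access-list extended VACL-FORWARD-IP
 permit ip any any
!
! "permit" in these ACLs only selects traffic for a map sequence;
! the action line decides what happens to the selected traffic.
vlan access-map VLAN111-FILTER 10
 match ip address VACL-DROP-TELNET
 action drop
vlan access-map VLAN111-FILTER 20
 match ip address VACL-FORWARD-IP
 action forward
!
! Applied in global configuration, not under "interface vlan 111",
! and without an in/out keyword: the map covers packets bridged
! within VLAN 111 as well as packets routed into or out of it.
vlan filter VLAN111-FILTER vlan-list 111
!
! Verification from exec mode:
!   show vlan access-map VLAN111-FILTER
!   show vlan filter
```

Sequences are evaluated in ascending order, so the drop entry at 10 is checked before the catch-all forward at 20.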
Usually you need to bind maps/ACLs to an interface. In your case (L3-Switch), this interface should be a VLAN-pseudo-interface (conf t -> int vlan 111) rather than an actual ethernet port.
Could you paste the relevant part of the config?