I have two VLANs, 1 (native) and 2 (iSCSI), and I want to put inbound ACLs on VLAN 2 to restrict the traffic that gets into it. From the perspective of VLAN 2, does my inbound ACL get evaluated both for traffic originating in VLAN 1 and going into VLAN 2, AND for traffic originating in VLAN 2 going back to VLAN 1 (as that traffic would be going 'in' the virtual interface for VLAN 2 to be routed back to VLAN 1)?
So if my iSCSI subnet was 10.0.0.0/24 and I wanted to allow www, https, and smtp (192.168.1.1):
ip access-list extended iSCSI_NetIn
 remark IOS extended ACLs take wildcard masks (0.0.0.255), not subnet masks
 permit ip 10.0.0.0 0.0.0.255 any
 permit icmp any any echo
 permit tcp any 10.0.0.0 0.0.0.255 eq 80
 permit tcp any 10.0.0.0 0.0.0.255 eq 443
 remark SMTP replies from the mail server
 permit tcp host 192.168.1.1 eq 25 10.0.0.0 0.0.0.255 established
 deny ip any any log
interface vlan 2
 ip access-group iSCSI_NetIn in
In reality I am going to have ACLs on both VLAN 1 and the other VLANs on this switch, which is dedicated-purpose. I have not found a definitive answer on whether, if incoming traffic is destined for VLAN 2 and I have incoming ACLs on both VLAN 1 and VLAN 2, it is matched against both ACLs, and whether the returning traffic will also be matched on the inbound VLAN 2 ACL.
An inbound access-list on a vlan interface filters traffic coming FROM devices on that vlan.
An outbound access-list on a vlan interface filters traffic going TO devices on that vlan.
So if traffic comes from vlan 1 to vlan 2 and both vlans have an inbound access-list, the traffic is first evaluated by the vlan 1 access-list. It then gets sent to the device on vlan 2. When the device responds and sends the packet back, it is then filtered by the access-list on the vlan 2 interface before being sent to vlan 1.
Note that if the packet is not allowed, obviously it won't be sent; it will be dropped.
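As an added illustration of the answer above (example code written for this page, not part of the original thread): a small Python model of which SVI access-list a routed packet is checked against. It uses the question's iSCSI_NetIn list (ICMP and established entries omitted) and an assumed iSCSI host 10.0.0.5; it shows that applied "in" on vlan 2 the list only ever sees traffic sourced from 10.0.0.0/24, where its first entry permits everything, while the same list applied "out" is what filters traffic going to the iSCSI hosts.

```python
import ipaddress
from collections import namedtuple

# An ACE: action "permit"/"deny", proto "ip" (any) or "tcp", src/dst as CIDR
# ("any" allowed, a host is a /32), dport = destination port or None for any.
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))
# An SVI: acl_in filters traffic FROM this VLAN, acl_out traffic TO this VLAN.
Svi = namedtuple("Svi", "vlan subnet acl_in acl_out", defaults=((), ()))

def _in_net(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_permits(acl, proto, src, dst, dport=None):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_in_net(src, ace.src) and _in_net(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False

def route(svis, proto, src, dst, dport=None):
    """One routed packet: the source VLAN's inbound ACL is consulted first,
    then the destination VLAN's outbound ACL. Returns (permitted, checks)."""
    ingress = next(s for s in svis if _in_net(src, s.subnet))
    egress = next(s for s in svis if _in_net(dst, s.subnet))
    checks = []
    for name, acl in ((f"vlan{ingress.vlan} in", ingress.acl_in),
                      (f"vlan{egress.vlan} out", egress.acl_out)):
        if acl:
            ok = acl_permits(acl, proto, src, dst, dport)
            checks.append((name, ok))
            if not ok:
                return False, checks
    return True, checks

# The question's iSCSI_NetIn list (ICMP and "established" entries left out).
ISCSI_NETIN = (Ace("permit", "ip", "10.0.0.0/24", "any"),
               Ace("permit", "tcp", "any", "10.0.0.0/24", 80),
               Ace("permit", "tcp", "any", "10.0.0.0/24", 443),
               Ace("deny", "ip", "any", "any"))
VLAN1 = Svi(1, "192.168.1.0/24")
AS_ASKED = (VLAN1, Svi(2, "10.0.0.0/24", acl_in=ISCSI_NETIN))   # applied "in"
AS_OUT = (VLAN1, Svi(2, "10.0.0.0/24", acl_out=ISCSI_NETIN))    # applied "out"
```

With the list applied "in" on vlan 2, route(AS_ASKED, "tcp", "192.168.1.1", "10.0.0.5", 3389) is permitted without any ACL being consulted; with it applied "out", the same packet is denied by the vlan 2 list.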