I have a 5550 with 10 sub-interfaces (VLANs) configured on five physical interfaces. Each sub-interface has a different security level based on function. I've noticed that I only have to write an egress rule for traffic to pass from a lower security level interface to a higher security level interface. I would have thought I would need to write rules to allow the traffic in both the out and in directions. We are not using NAT; all public IP addresses. Any thoughts on this?

Example: if I allow TCP port 3389 out of our production data VLAN to our admin VLAN, I only have to write an ACL that says allow tcp/3389 out of production data. I do not need to write an ACL that allows tcp/3389 into the admin VLAN. Is this normal behavior?