Currently we are using a Cisco for our core switch, and we are trying to migrate over to an ICX7750. On the Cisco it allows a VLAN interface to have an ACL and a route-map applied to it, but I am unable to configure the ICX to do the same thing; it tells me they cannot coexist in the interface.

As an example of the infrastructure, a crude map is:

We have 4 sites that are interconnected to 1 shared server farm with our own fiber. Each site has its own internet connection, which we need to keep separate due to static IPs assigned at the WANs.

site 1 ip subnet 10.10.1.0/24
site 2 subnet 10.10.2.0/24
site 3 subnet 10.10.3.0/24
site 4 subnet 10.10.4.0/24
shared server farm subnet 10.10.100.0/24

So the Cisco is configured with the associated VLANs for the subnets, which have ACLs in place to prevent the sites from communicating with each other for security reasons, other than a few exceptions, and they can share server resources. Then any traffic that is not part of our internal network is routed through their designated WANs.

Here is an example of the config:

--------------------------------------
! VLAN interfaces: inbound ACL plus policy route-map on each
interface Vlan1
 ip access-group 101 in
 ip address 10.10.1.1 255.255.255.0
 ip policy route-map Internet-Vlan1
interface Vlan2
 ip access-group 102 in
 ip address 10.10.2.1 255.255.255.0
 ip policy route-map Internet-Vlan2
interface Vlan3
 ip access-group 103 in
 ip address 10.10.3.1 255.255.255.0
 ip policy route-map Internet-Vlan3
interface Vlan4
 ip access-group 104 in
 ip address 10.10.4.1 255.255.255.0
 ip policy route-map Internet-Vlan4
interface Vlan100
 ip access-group 110 in
 ip address 10.10.100.1 255.255.255.0
 ip policy route-map Internet-Vlan100
! Inbound ACLs: site to server farm, plus host exceptions
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip any any
access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 deny ip any any
access-list 103 permit ip 10.10.3.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 103 permit ip host 10.10.3.50 host 10.10.4.50
access-list 103 deny ip any any
access-list 104 permit ip 10.10.4.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 104 permit ip host 10.10.4.50 host 10.10.3.50
access-list 104 deny ip any any
access-list 110 permit ip 10.10.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 110 deny ip any any
! Route-map match ACLs: exclude internal destinations, match everything else
access-list 151 deny ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 151 permit ip any any
access-list 152 deny ip 10.10.2.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 152 permit ip any any
access-list 153 deny ip 10.10.3.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 153 permit ip any any
access-list 154 deny ip 10.10.4.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 154 permit ip any any
access-list 160 deny ip 10.10.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 160 permit ip any any
! Policy route-maps: send matched traffic to each site's WAN router
route-map Internet-Vlan1 permit 10
 match ip address 151
 set ip next-hop 10.10.1.254
route-map Internet-Vlan2 permit 10
 match ip address 152
 set ip next-hop 10.10.2.254
route-map Internet-Vlan3 permit 10
 match ip address 153
 set ip next-hop 10.10.3.254
route-map Internet-Vlan4 permit 10
 match ip address 154
 set ip next-hop 10.10.4.254
route-map Internet-Vlan100 permit 10
 match ip address 160
 set ip next-hop 10.10.100.254
--------------------------------------

So on the Cisco the route map policy takes precedence, then if it is not part of the allowed “set” then it moves on to the ACL assigned to the VLAN interface.

This way we can keep the internal from hitting our WAN routers, and have our ACLs handle the permissions and restrictions for VLAN cross communication.

This is a crude example, but if we can get some guidance on how to do this on the ICX7750 with the L3 firmware, that would be great!
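
A small model of the forwarding policy the post describes, usable as an acceptance matrix to rerun against the ICX7750 once a candidate configuration exists (added example, not part of the original post). It parses the post's ACLs for VLAN 1 and VLAN 3 and applies them in the order the post describes (route-map match first, then the VLAN ACL); the names `decide`, `VLANS`, `ACLS` and the external test address 203.0.113.10 are assumptions of this example.

```python
from ipaddress import IPv4Address

# Constructed from the post's example config (VLAN 1 and VLAN 3 only),
# with the "ip" protocol keyword written out on every entry.
ACL_TEXT = """
access-list 101 permit ip 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip any any
access-list 103 permit ip 10.10.3.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 103 permit ip host 10.10.3.50 host 10.10.4.50
access-list 103 deny ip any any
access-list 151 deny ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 151 permit ip any any
access-list 153 deny ip 10.10.3.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 153 permit ip any any
"""
# vlan -> (inbound ACL, route-map match ACL, route-map next hop)
VLANS = {1: ("101", "151", "10.10.1.254"), 3: ("103", "153", "10.10.3.254")}

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) -> (base, wildcard)."""
    kind = tok.pop(0)
    if kind == "any":
        return 0, 0xFFFFFFFF
    if kind == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(kind)), int(IPv4Address(tok.pop(0)))

def parse_acls(text):
    acls = {}
    for line in text.split("\n"):
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        rest = tok[4:]  # skip number, action and the protocol keyword
        acls.setdefault(tok[1], []).append((tok[2], _addr(rest), _addr(rest)))
    return acls

def acl_result(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for action, (sb, sw), (db, dw) in acl:
        if ((s ^ sb) & ~sw) == 0 and ((d ^ db) & ~dw) == 0:
            return action
    return "deny"

ACLS = parse_acls(ACL_TEXT)

def decide(vlan, src, dst):
    """Order as described in the post: route-map match, then the VLAN ACL."""
    in_acl, pbr_acl, next_hop = VLANS[vlan]
    if acl_result(ACLS[pbr_acl], src, dst) == "permit":
        return "wan via " + next_hop
    return "forward" if acl_result(ACLS[in_acl], src, dst) == "permit" else "drop"
```

Each `decide()` result corresponds to one ping or traceroute check to repeat from a host in that VLAN after the migration.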