VACLs / VLAN Access Maps
Again, this is another teach-myself-by-teaching-others moment.
So long story short, regular access lists are used to create IP ranges using IP and wildcard masks. ACLs can be a single line, or can be multiple lines. "permit" is used, though the term itself is merely a holdover, it has nothing to actually do with the rules other than telling the access-map what it is permitted to match against.
Access maps are created with sequence numbers, similar to ACLs. They are processed top-down. Sequence 5 is processed before sequence 6. The match command within a sequence number tells the map what to match against, in this example addresses from an IP access list, list number 110 and 120. At the end of the access-map is an implicit-drop, so if we want to forward everything not explicitly matched against we have to include an explicit forward, without requiring an ACL.
Finally, we use vlan filter to apply the access-map to VLANs.