I'm developing an ACL to allow guest use of certain resources on my network.  In the end, the guest network will be its own subnet.  So, I want to apply this ACL at the VLAN level.  I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...
Where might I be messing this up?
# Permit every packet sourced from 10.0.99.200 or 10.0.99.254, with no
# protocol, port or destination condition.
# NOTE(review): presumably these are the switch / gateway addresses - confirm.
# Both entries trust the source address alone. Unless the guest ports also
# enforce source-address validation, a guest host that configures one of
# these addresses matches here before any deny below is considered.
entry allowswitchcom {
    if {
        source-address 10.0.99.200/32;
    } then {
        permit;
    }
}
entry allowswitchcom2 {
    if {
        source-address 10.0.99.254/32;
    } then {
        permit;
    }
}
# Deny all traffic from the guest subnet (10.0.99.0/24) addressed to
# 10.0.99.200 or 10.0.99.254, on any protocol and port.
# NOTE(review): these sit above allowdhcp, allowdns and allowntp. If either
# address is also the guests' DHCP server, resolver or time source, unicast
# requests to it are dropped here (assuming first match wins) - confirm.
entry denyswitch {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.200/32;
    } then {
        deny;
    }
}
entry denyswitch2 {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.254/32;
    } then {
        deny;
    }
}
# Deny TCP/22 from the guest subnet to ANY destination.
# NOTE(review): the name says "local", but there is no destination-address
# condition, so outbound SSH to the Internet is blocked as well. Add a
# destination-address if only internal SSH is meant to be denied.
entry denylocalssh {
    if {
        protocol tcp;
        source-address 10.0.99.0/24;
        destination-port 22;
    } then {
        deny;
    }
}
# Deny TCP/22 addressed to any host in 10.0.99.0/24, from any source.
# NOTE(review): the name suggests a management allowance but the action is
# deny. Guest-sourced SSH is already dropped by denylocalssh above, so this
# entry only adds coverage for sources outside 10.0.99.0/24.
entry sshmgmt {
    if {
        protocol tcp;
        destination-address 10.0.99.0/24;
        destination-port 22;
    } then {
        deny;
    }
}
# Permit any protocol between hosts inside 10.0.99.0/24.
# Traffic to .200/.254 and TCP/22 has already been denied by the entries
# above. Everything else guest-to-guest is allowed, so this ACL provides no
# isolation between guest clients.
entry allowmakerlab {
    if {
        destination-address 10.0.99.0/24;
        source-address 10.0.99.0/24;
    } then {
        permit;
    }
}
# Permit UDP to destination ports 67-68 (DHCP) from any source to any
# destination. The any-source match covers clients that have no address yet.
# NOTE(review): destination port 68 is the server-to-client direction.
# Permitting it from every source lets any host on a guest port send
# DHCP replies. Consider limiting 68 to the real DHCP server / uplink, or
# enabling DHCP snooping on the guest ports.
entry allowdhcp {
    if {
        protocol udp;
        source-address 0.0.0.0/0;
        destination-port 67-68;
    } then {
        permit;
    }
}
# Permit UDP/53 from any source to any destination.
# NOTE(review): there is no destination-address, so guests can send UDP/53
# to every host, internal ones included. Pin this to the intended resolver(s)
# with destination-address <resolver-ip>/32 (placeholder).
# NOTE(review): TCP/53 is not permitted anywhere in this policy, so lookups
# that fall back to TCP (truncated / large answers) will hit denyall.
entry allowdns {
    if {
        protocol udp;
        source-address 0.0.0.0/0;
        destination-port 53;
    } then {
        permit;
    }
}
# Permit UDP/123 (NTP) from any source to any destination.
# NOTE(review): as with allowdns, the destination is unrestricted. If guests
# should only reach a specific time source, add a destination-address for
# it.
entry allowntp {
    if {
        protocol udp;
        source-address 0.0.0.0/0;
        destination-port 123;
    } then {
        permit;
    }
}
# Permit any TCP packet whose SOURCE port is 5900-5910, from any source
# address to any destination address and any destination port.
# NOTE(review): this is the widest entry in the policy. The source port is
# chosen by the sender, and this entry sits above the internal HTTP/HTTPS
# denies and denyall, so it does not bound what a guest can reach over TCP
# (only the SSH and .200/.254 denies above still apply, assuming first
# match wins).
# NOTE(review): presumably the intent is to pass replies from VNC servers.
# If so, add source-address for the server(s) and destination-address for
# the management station. For the client-to-server direction, match
# destination-port 5900-5910 instead.
entry allowvncmgmt {
    if {
        protocol tcp;
        source-address 0.0.0.0/0;
        source-port 5900-5910;
    } then {
        permit;
    }
}
# Permit TCP from the guest subnet to 10.0.66.220 on destination ports
# above 1024.
# NOTE(review): presumably 10.0.66.220 is a Windows logon server and the
# range is meant for dynamic RPC ports - confirm. As written, every TCP
# service on that host above 1024 is reachable from guests. Narrow the
# range to the ports the server is actually configured to use.
# NOTE(review): ports at or below 1024 on this host (e.g. 88, 135, 389, 445)
# are not matched here and fall through to denyall.
entry allowwinlogon {
    if {
        protocol tcp;
        source-address 10.0.99.0/24;
        destination-address 10.0.66.220/32;
        destination-port > 1024;
    } then {
        permit;
    }
}
#entry allowprint515  {
#    if  {
#     destination-address *printerIP/32;
#  protocol tcp;
#  destination-port 515;
#  }  then {
#      permit;}
#}
#entry allowprint631  {
#    if  {
#     destination-address *printerIP/32;
#  protocol tcp;
#  destination-port 631;
#  }  then {
#      permit;}
#}
#entry allowprint9100  {
#    if  {
#     destination-address *printerIP/32;
#  protocol tcp;
#  destination-port 9100;
#  }  then {
#      permit;}
#}
# Deny TCP/80 and TCP/443 to the three RFC 1918 private ranges
# (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12), from any source.
# These six entries must stay above allowhttpinternet / allowhttpsinternet.
# Those two permits have no destination-address, so they would otherwise
# match internal web servers too (assuming first match wins).
# NOTE(review): internal hosts on non-RFC 1918 addresses, if any exist, are
# not covered by these denies and would be reachable on 80/443.
entry denyHTTPinternal10 {
    if {
        protocol tcp;
        destination-port 80;
        destination-address 10.0.0.0/8;
    } then {
        deny;
    }
}
entry denyHTTPinternal192 {
    if {
        protocol tcp;
        destination-port 80;
        destination-address 192.168.0.0/16;
    } then {
        deny;
    }
}
entry denyHTTPinternal172 {
    if {
        protocol tcp;
        destination-port 80;
        destination-address 172.16.0.0/12;
    } then {
        deny;
    }
}
entry denyHTTPsinternal10 {
    if {
        protocol tcp;
        destination-port 443;
        destination-address 10.0.0.0/8;
    } then {
        deny;
    }
}
entry denyHTTPsinternal192 {
    if {
        protocol tcp;
        destination-port 443;
        destination-address 192.168.0.0/16;
    } then {
        deny;
    }
}
entry denyHTTPsinternal172 {
    if {
        protocol tcp;
        destination-port 443;
        destination-address 172.16.0.0/12;
    } then {
        deny;
    }
}
# Permit TCP/80 and TCP/443 to any destination not already denied above.
# There is no source-address or destination-address condition, so what these
# entries allow is defined entirely by the deny entries that precede them.
# Keep that ordering intact when editing the file.
entry allowhttpinternet {
    if {
        destination-port 80;
        protocol tcp;
    } then {
        permit;
    }
}
entry allowhttpsinternet {
    if {
        destination-port 443;
        protocol tcp;
    } then {
        permit;
    }
}
# Final catch-all: deny every IPv4 packet that matched nothing above.
# NOTE(review): the match is on an IPv4 source address. IPv6 and non-IP
# frames do not match it, and what happens to them depends on the
# platform's behaviour for unmatched traffic - verify.
# NOTE(review): every permit above is written for the client-to-server
# direction (destination-port ...). If the ACL is bound where return traffic
# also ingresses, e.g. a VLAN whose members include the uplink port,
# replies (source-port 53/80/443, destination 10.0.99.0/24) match no permit
# and are dropped here. This may explain why the policy works on a port
# but not on the VLAN - confirm against the VLAN's port membership.
entry denyall {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}