In one embodiment, a network device includes an interface to receive packets from sources in a network for forwarding to destinations in the network, the sources and destinations being assigned to groups, each packet including a source and destination identifier, a memory configured to store a source-group mapping table that maps source identifiers to source-groups, a destination-group mapping table that maps destination identifiers to destination-groups, and an intergroup access-control list that maps source-destination-group pairs to forwarding rules, and a single IC chip configured, for each packet, to find a source-group for the source identifier in the source-group mapping table, find a destination-group for the destination identifier in the destination-group mapping table, find a forwarding rule for a source-destination pair including the found source and destination-group in the intergroup access-control list, and forward or drop the packet according to the found forwarding rule.