I am trying to stop users within a certain VLAN (VLAN20) from "chatting" with other users within the same VLAN. The users are in the 10.x.24.x range. This VACL will be applied to a 3750 and a 4500. Is the below all I'll need to accomplish this?
! One ACL used as the match list of a single VLAN map clause
ip access-list extended secure-workstation-traffic
 ! gateway-sourced traffic (10.x.24.1) is matched, so it is forwarded
 permit ip 10.0.24.1 0.255.0.0 any
 ! host-to-host traffic inside 10.x.24.0-10.x.31.255 is not matched by this clause
 deny ip 10.0.24.0 0.255.7.255 10.0.24.0 0.255.7.255
 ! everything else is matched, so it is forwarded
 permit ip any any
!
! No action given, so the clause uses the default action (forward);
! packets that match no clause hit the VLAN map's implicit deny
vlan access-map secure-workstation-traffic 10
 match ip address secure-workstation-traffic
!
vlan filter secure-workstation-traffic vlan-list 20
I usually like to place explicit drop and forward statements in there just for readability. But yes, that should work, just so long as you don't have any port ACLs applied.
Be careful when mixing port-based ACLs and VACLs. The behavior is platform-specific. What works on, say, a 3550 will probably not work on a 3750 or 6500.
Also, on some platforms you really have to hunt through the CLI to find stats on dropped packets, and often it won't tell you rule by rule or even which access map is dropping packets.
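The same policy written with the explicit drop and forward clauses the reply prefers, as an added example that is not from either poster. It keeps the asker's addresses and wildcard masks; the ACL names vlan20-gateway and vlan20-intra are made up here, and treating 10.x.24.1 as the VLAN's default gateway is an assumption about what the first permit line is for. The point to keep straight when splitting the map up: inside a VLAN access map an ACL deny entry drops nothing, it only means "this clause does not match", so the traffic you want blocked has to be permitted by an ACL that is paired with action drop, and a final clause with no match statement is what keeps the map's implicit deny from eating everything else.

```cisco
! Added example, not the original poster's config.
! Assumption: 10.x.24.1 is the default gateway for VLAN 20.
ip access-list extended vlan20-gateway
 ! traffic from the gateway to the hosts
 permit ip 10.0.24.1 0.255.0.0 any
 ! traffic from the hosts to the gateway address itself (ping, DHCP relay);
 ! added here so the intra-VLAN drop below does not also block the gateway
 permit ip any 10.0.24.1 0.255.0.0
!
ip access-list extended vlan20-intra
 ! host-to-host traffic within the VLAN; this is a PERMIT because the
 ! clause that uses it carries the drop action
 permit ip 10.0.24.0 0.255.7.255 10.0.24.0 0.255.7.255
!
vlan access-map secure-workstation-traffic 10
 match ip address vlan20-gateway
 action forward
vlan access-map secure-workstation-traffic 20
 match ip address vlan20-intra
 action drop
! catch-all: no match statement means every remaining packet matches
vlan access-map secure-workstation-traffic 30
 action forward
!
vlan filter secure-workstation-traffic vlan-list 20
```

Two checks before applying it. First, the wildcard 0.255.7.255 spans third octets 24 through 31 (10.x.24.0 to 10.x.31.255); if the workstations really sit only in 10.x.24.0/24, use 0.255.0.255 instead so the drop clause does not reach neighbouring subnets. Second, verify the map and its binding with `show vlan access-map` and `show vlan filter`; as the reply notes, per-clause drop counters are not something to count on, so test with a ping between two hosts in the VLAN and a ping from a host to the gateway rather than trusting hit counts.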