I'd recommend the 3750 Switch Software Configuration Guide's chapter
on Network Security with ACLs:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008081de82.html
VACLs are usually used to control traffic within a VLAN (Host A in
VLAN 10 to Host B in VLAN 10), but can be used to filter on layer 2 or
layer 3. A VACL is applied to all traffic in both directions so
creating access-list logic can be more challenging but VACL's can
povide a high level of security.
Router ACL's are easier to manage for filtering traffic between VLANs
(Host A on VLAN 10 to Host B on VLAN 20). Router ACL's can be applied
in inbound and outbound directions and are very similar to ACL's
applied to interfaces on any Cisco router. In a VLAN environment, you
apply the ACL to switch virtual interfaces (SVIs) or routed interfaces
(no switchport).
Here's an example:
Switch(config)# access-list 110 permit tcp any 128.88.0.0 0.0.255.255
gt 1023
Switch(config)# access-list 110 permit tcp any host 128.88.1.2 eq 25
Switch(config)# access-list 110 permit icmp any any
Switch(config)# interface VLAN 10
Switch(config-if)# ip access-group 110 in
3750 switches handle most ACL filtering in hardware so these switches
can handle a fairly large number of access-list statements with little
impact on performance.
