in my LAN i have two 4503(distribution) and 10 switch (access).I applied this VACL on two 4500.This was worked well.
vlan access-map Guest-wifi 10
match ip address deny-guest-wifi
vlan access-map Guest-wifi 20
vlan filter Guest-wifi vlan-list 22
ip access-list extended deny-guest-wifi
permit ip 172.24.22.0 0.0.0.255 172.24.0.0 0.0.255.255
But what I want to know how this VACL is going to deny the data of both users who have same subnet and vlan and they are located on the same access switch.