Now I will do a small lab:
In this lab I have 6 hosts connected to a switch, with IP addresses
as follows: 200.1.1.x, where x = router number.
I will go to my multi-layer switch and configure a VACL (VLAN access-list).
My hosts here act as routers:
R1=200.1.1.1
R2=200.1.1.2
R3=200.1.1.3
R4=200.1.1.4
R5=200.1.1.5
R6=200.1.1.6
At the beginning, since all routers are in the same subnet, they can ping each other.
But the goal is that R1, R2 and R3 will not be able to ping R4,
while staying in the same VLAN.
This concept is the same as a route-map, which will be covered later on.
Here is what it will look like when I finish. The switch reads it from top to bottom; as we see, I can have a VLAN access-map entry with no match clause (it means all other traffic).
Here is the final result on the switch (that I will configure):
vlan access-map DROP_1234 10        (10 = sequence number)
 action drop
 match ip address BLOCK_FIRST_THREE
vlan access-map DROP_1234 20        (20 = sequence number)
 action forward
!
vlan filter DROP_1234 vlan-list 1   (here we apply it to the VLAN)
ip access-list extended BLOCK_FIRST_THREE   (here is my goal: the interesting traffic)
 permit ip 200.1.1.0 0.0.0.3 host 200.1.1.4
           (source = 200.1.1.0 0.0.0.3, destination = host 200.1.1.4)
Step 1) Define your interesting traffic
Sw1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Sw1(config)#ip acc
Sw1(config)#ip acce
Sw1(config)#ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
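Before applying the VACL I like to check the logic on paper. Here is an added Python model of how the switch walks the access map above (example code written for this post, not Cisco's implementation; the `ACLS` and `ACCESS_MAP` structures are my own shorthand). It also shows why the ping from R1, R2 and R3 fails even though only the request direction is matched.

```python
import ipaddress

# Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match.
# 200.1.1.0 0.0.0.3 therefore covers 200.1.1.0 through 200.1.1.3 (R1, R2, R3).
def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# ip access-list extended BLOCK_FIRST_THREE
#   permit ip 200.1.1.0 0.0.0.3 host 200.1.1.4
# Each entry: (action, src, src_wildcard, dst, dst_wildcard); "host" == 0.0.0.0
ACLS = {
    "BLOCK_FIRST_THREE": [
        ("permit", "200.1.1.0", "0.0.0.3", "200.1.1.4", "0.0.0.0"),
    ],
}

# vlan access-map DROP_1234: (sequence, ACL to match or None, action)
ACCESS_MAP = [
    (10, "BLOCK_FIRST_THREE", "drop"),
    (20, None, "forward"),   # no match clause = every remaining packet
]

def acl_permits(acl_name, src, dst):
    """Inside a VACL an ACL 'permit' means 'this sequence matches';
    a 'deny' entry (or the implicit deny at the end) means 'no match'."""
    for action, sb, sw, db, dw in ACLS[acl_name]:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def vacl_action(src, dst):
    """Walk the access map top to bottom; the first matching sequence wins.
    If no sequence matches, the switch drops the packet (implicit deny)."""
    for _seq, acl_name, action in ACCESS_MAP:
        if acl_name is None or acl_permits(acl_name, src, dst):
            return action
    return "drop"

def ping_works(a, b):
    """A ping needs the echo request (a->b) and the echo reply (b->a) to both
    be forwarded; the VACL is stateless and checks each direction on its own."""
    return vacl_action(a, b) == "forward" and vacl_action(b, a) == "forward"

if __name__ == "__main__":
    for r in (1, 2, 3, 5, 6):
        ok = ping_works(f"200.1.1.{r}", "200.1.1.4")
        print(f"R{r} -> R4 ping:", "ok" if ok else "fails")
```

Note that R4's replies toward R1 are still forwarded by sequence 20; the ping fails only because the echo request from R1 is dropped by sequence 10.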
Also published on Medium.