Wow, just happen to stumble back on this and I realized that I didn't put the inverse mask. Sorry for the mis-information here is how it should of been stated.
now lets say I want to restrict traffic from users on vlan 11 (10.0.11/0/24) to get to vlan 13 (10.0.13.0/24) and vice versa.
First lets create an advanced acl to deny vlan 11 to vlan 13
acl number 3011
description Inbound vlan 11 traffic
rule deny ip source 10.0.11.0 0.0.0.255 destination 10.0.13.0 0.0.0.255
rule permit ip source any
quit
now go into vlan interface 11 and apply the acl
int vlan 11
packet-filter 3011 inbound
quit
- this will prevent vlan 11 from accesing vlan 13
-this needs to be applied to the inbound interface of vlan 11 since all of vlan 11's traffic is being sent to 10.0.11.1 (which is the vlan's interface) as its gateway.
now to prevent vlan 13 traffic to vlan 11
acl number 3013
description Inbound Vlan 13 traffic
rule deny ip source 10.0.13.0 0.0.0.255 destination 10.0.11.0 0.0.0.255
rule permit ip source any
quit
int vlan 13
packet-filter 3013 inbound
quit
now vlan 11 and 13 can no longer ping or comunicate with each other.
Also advanced ACL's start in the 3000 range so I just add the vlan to the end of it. Ex. vlan 11 - 3011
hope this helps
