VLAN Access-List (VACL)

Hi Jason,

Let’s look at the VACL:

SwitchA(config)#access-list 100 permit ip any host 192.168.1.100

SwitchA(config)#vlan access-map NOT-TO-SERVER 10
SwitchA(config-access-map)#match ip address 100
SwitchA(config-access-map)#action drop
SwitchA(config-access-map)#vlan access-map NOT-TO-SERVER 20
SwitchA(config-access-map)#action forward

Thanks to statement 10, all traffic with destination 192.168.1.100 will be dropped. This includes any device in the 192.168.1.0/24 subnet. So far so good.

If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20.

If you only want to prevent ComputerA + B from reaching the server then you could specify these IP addresses in the access-list. However, since IP addresses are easy to change it would probably be better to create more separation by adding another VLAN. Use one VLAN where hosts are allowed to reach the server, another one where it’s not allowed and use access-lists on the SVI interfaces instead.

Rene
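The evaluation order Rene describes (sequence 10 drops what ACL 100 permits, sequence 20 forwards the rest, and an implicit drop when nothing matches) can be traced with a small simulator. This is an added example, not part of the original post or Cisco IOS; the class and function names are my own, and the ACL/access-map semantics it models are the standard ones: an ACL referenced by "match ip address" triggers the sequence's action only when the ACL permits the packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Addr = ipaddress.IPv4Address


@dataclass
class AclEntry:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class MapSeq:
    seq: int
    action: str                        # "drop" or "forward"
    acl: Optional[List[AclEntry]] = None   # None = no match clause, matches all


def acl_permits(entries: List[AclEntry], src: Addr, dst: Addr) -> bool:
    """First matching ACE wins; the ACL's implicit deny means 'no match'."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return e.permit
    return False


def vacl_decision(access_map: List[MapSeq], src: str, dst: str) -> str:
    """Walk the access-map in sequence order; unmatched traffic is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m in sorted(access_map, key=lambda m: m.seq):
        if m.acl is None or acl_permits(m.acl, s, d):
            return m.action
    return "drop"   # implicit drop at the end of every VACL


net = ipaddress.ip_network
# access-list 100 permit ip any host 192.168.1.100
ACL_100 = [AclEntry(True, net("0.0.0.0/0"), net("192.168.1.100/32"))]
# vlan access-map NOT-TO-SERVER 10 (drop) / 20 (forward), as in the post
NOT_TO_SERVER = [MapSeq(10, "drop", ACL_100), MapSeq(20, "forward")]
# The same map with statement 20 left out
WITHOUT_SEQ_20 = [MapSeq(10, "drop", ACL_100)]

if __name__ == "__main__":
    for amap, name in ((NOT_TO_SERVER, "with seq 20"), (WITHOUT_SEQ_20, "without seq 20")):
        print(name, "1.1->1.100:", vacl_decision(amap, "192.168.1.1", "192.168.1.100"),
              " 1.1->1.2:", vacl_decision(amap, "192.168.1.1", "192.168.1.2"))
```

Running it shows host-to-host traffic inside the VLAN is forwarded only when sequence 20 is present; without it the implicit drop catches everything that sequence 10 did not.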