VLAN Access-List (VACL)

Hello David

Ideally, in a properly designed network, you would typically use separate subnets and VLANs to control the communication between hosts. That is indeed best practice. However, VACLs add a layer of flexibility for situations where you may not have the luxury of creating separate VLANs/subnets, either due to a lack of budget for the appropriate equipment and infrastructure to create those subnets, or because you need a quick and dirty security solution (even if it is temporary).

Since VACLs are used to filter traffic within the same VLAN, they can work as an additional layer of flexibility. This is especially useful when you have servers or devices within the same VLAN that should not interact with each other using particular protocols.

Another scenario could be in a shared hosting environment, where multiple clients are on the same VLAN but shouldn’t be able to communicate with each other’s servers for privacy and security reasons.

VACLs can also be used for traffic control, allowing you to manage the flow of traffic within a VLAN to prevent network congestion or to prioritize certain types of traffic.

So while it’s true that creating separate subnets is a common method for controlling traffic, VACLs provide an additional layer of control within a VLAN, giving you more flexibility to manage your network.

Another alternative to VACLs is the use of private VLANs. As you can see, there are several features that can be used to deliver similar results. Which one you will end up using depends on cost, time, permanence of solution, and convenience.

VACLs filter traffic at both Layers 2 and 3. Also, any traffic that does not match any of the permit or redirect statements in the VACL access map is implicitly dropped. This means that the VACL you created will implicitly drop ARP messages. The communication will continue to operate until either the ARP cache expires, or until you clear the ARP cache. Because the ARP cache has a timeout of several hours, you wouldn’t see the impact of this during the timeframe of creating a lab, so it is not an issue… unless you clear the ARP cache as you did.

So the solution is what you suggested: add a match statement in the VACL and forward the ARP messages.

I hope this has been helpful!

Laz
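As an added example (not part of Laz's reply), here is what such a VACL could look like on a Catalyst IOS switch: two hosts in the same VLAN are kept from talking to each other, all other IP traffic is forwarded, and a third clause forwards ARP so the implicit drop at the end of the map does not break address resolution. The VLAN number (10), host addresses and object names are assumptions.

```cisco
! Constructed example: IP traffic that must be blocked between the two hosts.
! In a VACL, "permit" in the ACL means "this traffic matches the clause",
! so the action applied to it is the one set in the access-map sequence.
ip access-list extended BLOCK-A-TO-B
 permit ip host 10.1.1.10 host 10.1.1.20
 permit ip host 10.1.1.20 host 10.1.1.10
!
! Everything else that is IP.
ip access-list extended ANY-IP
 permit ip any any
!
! ARP is not IP (EtherType 0x0806), so it needs a MAC ACL of its own.
! Without this clause the implicit drop at the end of the map would
! silently discard ARP, and hosts would lose connectivity as soon as
! their ARP cache entries expire or are cleared.
mac access-list extended ARP-ONLY
 permit any any 0x806 0x0
!
vlan access-map VLAN10-MAP 10
 match ip address BLOCK-A-TO-B
 action drop
vlan access-map VLAN10-MAP 20
 match ip address ANY-IP
 action forward
vlan access-map VLAN10-MAP 30
 match mac address ARP-ONLY
 action forward
!
! Apply the map to the VLAN (assumed VLAN 10).
vlan filter VLAN10-MAP vlan-list 10
```

After applying the map, `clear arp-cache` followed by a ping between two unaffected hosts in the VLAN is a quick check that ARP is really being forwarded (the ping from 10.1.1.10 to 10.1.1.20 should fail while all others succeed).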