Quick summary:
As has already been stated, communication between devices on the same VLAN (or layer-2 segment) does not cross a router but only the switch(es) in between the devices.
Depending on the switches' capabilities, there are several methods to control traffic within a VLAN.
VLAN-based ACLs: packets are filtered when entering a certain VLAN from a port or by layer-3 switching
port-based ACLs: packets are filtered when they are received on a certain port
port-based filtering: packet flows are limited to certain ingress/egress port combinations
ACLs work by permitting or denying certain source/destination IPs, or TCP or UDP ports. E.g. you can permit all devices within the 10.1.2.0/24 to communicate with a server at 10.1.2.10 while denying all other inter-VLAN traffic:
1000 permit ip 10.1.2.0/24 10.1.2.10/32
1010 permit ip 10.1.2.10/32 10.1.2.0/24
1020 deny ip 10.1.2.0/24 10.1.2.0/24
9999 permit ip any any
Port-based filtering works by limiting the client ports to communication with the server and router ports and filtering all else. This is sometimes also called protected ports or source-port filtering where these ports are not allowed to communicate with each other. Port-based filtering doesn't work well across up and downlinks as they cannot distinguish between wanted server and unwanted peer traffic across multiple switches.