Hello,

in addition to Ankur's post, a simple way to restrict access between VLAN's would be configuring access lists as in the sample configuration below:

interface FastEthernet0/0.1

encapsulation dot1q 1 native

ip address 192.168.1.1 255.255.255.0

ip access-group 100 out

!

interface FastEthernet0/0.2

encapsulation dot1q 2

ip address 192.168.2.1 255.255.255.0

ip access-group 101 out

!

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip any any

!

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

For SVI's (VLAN interfaces) the configuration would look like this:

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip access-group 100 out

!

interface Vlan2

ip address 192.168.2.1 255.255.255.0

ip access-group 101 out

!

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip any any

!

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip any any

Regards,

Nethelper