I have 4 VLANs:
10 - Wired Clients
11 - Wired Infrastructure
20 - Wireless Clients
21 - Wireless Guests
I need 21 to be isolated, and 10, 11, and 20 need to be able to speak with one another. All other traffic must exit the system on G0/48 which is VLAN 10. I think I will convert this however to VLAN 1 and make VLAN 1 be the full uplink.
I am sharing an example where communication is not allowed between VLAN 2 and VLAN 3.
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
!
vlan access-map test 10
 match ip address 101
 action drop
vlan access-map test 20
 match ip address 102
 action forward
!
vlan filter test vlan-list 2
! (ACL applied on VLAN 2)
No. In the above example, ACL 101 is dropped in the VLAN access map test (sequence 10). This means any traffic between VLAN 2 and VLAN 3 is blocked by the access map.
Final result: VLAN 2 and VLAN 3 will not communicate with each other. All other traffic will flow without any restriction.
There are different solutions.
What @Deepak Kumar said is one of them.
There is also a R-ACL that will look like:
Let's assume your vlan 21 is 192.168.21.0/24 and your gateway to reach internet is 192.168.10.1.
ip access-list extended GUEST
 permit ip 192.168.21.0 0.0.0.255 host 192.168.10.1
 deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.21.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.21.0 0.0.0.255 any
!
interface Vlan21
 ip access-group GUEST in
This will deny guests from reaching any RFC 1918 subnets and allow access to anything else (the internet).
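As an added illustration (not part of either answer above), here is a small Python model of how IOS evaluates the GUEST ACL: wildcard-mask matching, first match wins, and an implicit deny at the end. It uses the addresses the answer assumes (guests on 192.168.21.0/24, gateway 192.168.10.1) and writes the 192.168.0.0 wildcard out as 0.0.255.255.

```python
import ipaddress

# Constructed copy of the GUEST ACL from the answer above.
GUEST_ACL = """
permit ip 192.168.21.0 0.0.0.255 host 192.168.10.1
deny ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.21.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.21.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src, src_wc, dst, dst_wc)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, src_wc, rest = _parse_addr(rest)
        dst, dst_wc, rest = _parse_addr(rest)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries

def _matches(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "don't care"; only the 0 bits are compared.
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def evaluate(entries, src_ip, dst_ip):
    """First matching ACE decides; an IOS ACL ends with an implicit 'deny ip any any'."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for action, base_s, wc_s, base_d, wc_d in entries:
        if _matches(src, base_s, wc_s) and _matches(dst, base_d, wc_d):
            return action
    return "deny"
```

Note that a source outside 192.168.21.0/24 matches no ACE at all and falls through to the implicit deny, which is the expected result for an ACL applied inbound on VLAN 21.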