Propagation of ACLs among 3750 switches

BelnickCisco
Level 1

I want to apply an ACL to a couple of VLANs in my network of Catalyst 3750 switches (operating in layer 3 / IP routing mode).  One point on which I am not clear is whether I need to create and apply the ACL on each switch, or whether I can create it on the VLAN server switch and expect it to propagate across the switch network.

8 Replies

Reza Sharifi
Hall of Fame

ACLs do not propagate. ACLs are local to that switch/vlan. When you apply an ACL to a vlan, it basically blocks or allows communication to and from that vlan.

HTH

Thanks!  I'll break out the cut-and-paste.

Depending on what your ACLs do, generally you only need to ensure traffic is subjected to them just once.

The VLANs in question are for restricted Wi-Fi connections.  The intent is to block traffic from IPs on those VLANs going to any internal (or VPN connected) resources other than the DHCP server and our edge ASA for egress. 

My intent is to put a couple of IP "permits" to  the intended DHCP and ASA IPs, a "deny" to the rest of the internal and VPN IPs, and then a permit all.  ACL to be applied to the "out" path from the VLAN I want to isolate.

Because the wireless APs involved may be connected to any switch in the network, I'm assuming that I would need the same logic on all the switches.  I'm looking at whether the Wi-Fi infrastructure can handle this natively, but want to make sure I have a fallback.

Does that sound as if I'm off track?

"off track", maybe not, but you can sometimes make trade-offs in where ACLs are installed for "network" efficiency vs. "management" efficiency.

I.e. you can sometimes trade off where you place an ACL to minimize the number of places you need to use it vs. having it placed to drop packets ASAP.

For example, say you have multiple VLANs that can source a particular class of traffic you wish to block, but all that VLAN traffic will egress on one interface.  You could have an ingress ACL on each VLAN or you could have an egress ACL on the egress interface.  The former is more "network" efficient in that it blocks the traffic ASAP but the latter means you only need to maintain one interface ACL application.

I think I grasp what you are saying.  Let me run out a slightly detailed "what if" and see if I'm getting it right...

Say I have VLAN 1, 10 and 20, with IP ranges of 10.0.1.x, 10.4.1.x and 10.4.7.x respectively.  These are configured on two switches, A & B.

Hosts in any of the 3 VLANs may be attached to EITHER switch.  I want VLAN 20 to talk to an ASA and a DHCP server that happen to be on Switch A, but no other hosts on my network.

In that case, I would need the block from 10.4.7.x to 10.x.x.x on both switches, would I not?  Otherwise, if the ACL were only on switch A, a host on VLAN 20 on switch B would be able to talk to a host on VLAN 10 on that same switch.

Ok, you could have an ACL on VLAN 20 gateway(s) controlling ingress and/or egress, conversely you might have an ACL on other VLANs controlling VLAN 20 for ingress and/or egress, or you might have an ACL on all VLANs controlling VLAN 20 for ingress and/or egress.  Or, you might have VLAN 20 set up as a private VLAN allowing access to the ports for the ASA and DHCP server.

In that case, I would need the block from 10.4.7.x to 10.x.x.x on both switches, would I not?  

No, when a host in vlan 20 needs to communicate with a host in vlan 10, the traffic will need to go from that host to its default gateway (vlan 20 SVI) and then to vlan 10 SVI and host in vlan 10. So, you only need to apply the ACL say to vlan 20 interface (SVI) to allow or block traffic from or to it.

HTH 
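As an added example (not posted by anyone in this thread), here is what the ACL described earlier (permit the DHCP server and the edge ASA, deny the rest of the internal and VPN address space, then permit everything else) looks like in IOS syntax on the switch that hosts the VLAN 20 SVI. The DHCP server address, the ASA inside address, the VLAN 20 gateway address and the VPN pool are assumed placeholders; the VLAN 20 subnet 10.4.7.x and the internal range 10.x.x.x come from the thread. Note that traffic leaving the VLAN toward the rest of the network enters the switch on the SVI, so the "out path from the VLAN" is the `in` direction of `ip access-group` on `interface Vlan20`. If more than one switch carries a VLAN 20 gateway, each of those gateways needs the same ACL.

```cisco
! Added example, not from the thread. 10.0.1.10 (DHCP server), 10.0.1.1 (ASA inside),
! 10.4.7.1 (VLAN 20 gateway) and 172.16.0.0/12 (VPN pool) are placeholders.
ip access-list extended WIFI-RESTRICTED-OUT
 remark Inbound SVI ACLs also filter packets addressed to the switch itself,
 remark so the DHCP relay (ip helper-address) must be allowed explicitly.
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 remark Internal destinations VLAN 20 may reach: DHCP server and edge ASA
 permit ip 10.4.7.0 0.0.0.255 host 10.0.1.10
 permit ip 10.4.7.0 0.0.0.255 host 10.0.1.1
 remark Block the rest of the internal (10.x.x.x) and VPN-connected ranges
 deny   ip 10.4.7.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.4.7.0 0.0.0.255 172.16.0.0 0.15.255.255
 remark Everything else (egress via the ASA) is allowed
 permit ip any any
!
interface Vlan20
 description Restricted Wi-Fi
 ip address 10.4.7.1 255.255.255.0
 ip helper-address 10.0.1.10
 ip access-group WIFI-RESTRICTED-OUT in
```

Order matters: the two host permits must sit above the `deny ... 10.0.0.0 0.255.255.255` line, otherwise the ASA and DHCP server (which are themselves inside 10.x.x.x) would be blocked. After applying it, `show ip access-lists WIFI-RESTRICTED-OUT` shows per-line hit counters, which is a quick way to confirm the deny lines are matching when a host on VLAN 20 attempts to reach VLAN 10.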
