05-10-2022 07:30 AM
I'm looking to gain some insight on how to resolve a problem I have. Summed up, my network looks like this:
We have two sides to the company, one side we will call office, and the other operations. On the Office side we use Vlan 10. We connect the office side to a router, and on the other side is the operations using vlan 1. Currently anything on vlan 10 can reach vlan 1 and vice versa.
I have a device, we'll call it Node, that is currently on Vlan 10, that needs to communicate to some devices on Vlan 10 and also some on Vlan 1. However, given the current setup it can access everything on vlan 10 and vlan 1. I would like to restrict this Node to only the IPs that it needs access to.
I can move this Node to another Vlan, if that makes it easier. I just don't know where to begin with restricting its access.
Thank you so much for your time.
05-10-2022 07:42 AM - edited 05-10-2022 07:47 AM
It would probably be easier if you moved it to its own vlan, then on the L3 interface for that vlan you could apply an acl inbound on the interface with the logic -
allow node to specific IPs (in vlan 1 and vlan 10)
deny node to vlan 1 subnet
deny node to vlan 10 subnet
permit ip node to any (if node needs internet - you may or may not need this last line)
alternatively you could use a vlan acl (vacl) to restrict traffic within vlan 10 and an acl applied to the vlan 10 interface to restrict traffic between the node and vlan 1, but then you would need a "permit ip any any" at the end of the acl for the non node traffic.
Jon
05-10-2022 01:00 PM - edited 05-10-2022 01:00 PM
Your acl should look like -
access-list 100 permit ip host 192.168.16.5 host 192.168.209.24
access-list 100 permit ip host 192.168.16.5 host 192.168.210.1
access-list 100 permit ip host 192.168.16.5 host 10.10.1.12
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3
access-list 100 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip host 192.168.16.5 any
and then you need to apply it inbound to the vlan interface -
interface Vlan16
description Restrict Access
ip address 192.168.16.1 255.255.255.0
ip access-group 100 in
Jon
05-10-2022 09:13 AM - edited 05-10-2022 09:22 AM
So I've created vlan 16 as my new vlan for this single node. I gave the vlan interface an ip address of 192.168.16.1, set the Node, my test machine in this case, to 192.168.16.5 and configured its interface to switchport access vlan 16.
I'll need my node to have internet access, and it'll need to reach 192.168.209.24 and 192.168.210.1 on VLAN 10 and 10.10.1.12 on Vlan 1.
I'm looking at creating extended access list as such:
access-list 100 permit ip host 192.168.16.5 0.0.0.0 192.168.209.24
access-list 100 permit ip host 192.168.16.5 0.0.0.0 192.168.210.1
access-list 100 permit ip host 192.168.16.5 0.0.0.0 10.10.1.12
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3 (192.168.208.0-192.168.211.255)
access-list 100 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255 (10.0.0.0-10.255.255.255)
access-list 100 permit ip 192.168.16.5 0.0.0.0 any
Then I need to configure the interface vlan 16
interface Vlan16
description Restrict Access
ip address 192.168.16.1 255.255.255.0
ip access-group 100 out
Does that look right? Do I need an interface IP on the vlan 16?
Thank you!
Edit: tested, I can ping the 192.168.16.1 (cisco switch) and 192.168.210.1 (cisco switch) but nothing else.
05-10-2022 01:34 PM - edited 05-10-2022 01:38 PM
That's very close to what I was doing. I was able to get the access to my specified IPs 192.168.209.24, 210.1, and 10.10.1.12 to work. I had the access-group 100 set to out at first, after I changed it, that took care of the deny.
The issue I am having is reaching the internet.
I've removed the deny statements, and tried permit ip any any at the end just to see if I could ping 8.8.8.8 and it fails. I tried to also add permit ip host 192.168.16.5 any, and it also fails to ping 8.8.8.8.
Here is my current configuration:
interface Vlan16
description OSPI Restrict Access
ip address 192.168.16.1 255.255.255.0
ip access-group 100 in
Extended IP access list 100
20 permit ip host 192.168.16.5 0.0.0.0 192.168.209.24
30 permit ip host 192.168.16.5 0.0.0.0 192.168.210.1 (13 matches)
40 permit ip host 192.168.16.5 0.0.0.0 10.10.1.12
80 permit ip host 192.168.16.5 0.0.0.0 192.168.208.5 (2 matches) (this is just another server I needed access to.)
90 permit ip any any (43 matches)
interface GigabitEthernet7/0/15 (this is where my test system is sitting.)
switchport access vlan 16
switchport mode access
I removed the Deny statements just for testing. When they are added, I'm having success with all of my rules except the internet. I'll also note that if I remove the access-group from the vlan16 interface, internet works just fine as well.
Edit: or at least it was before I started messing with these access lists. I noticed now that the network adapter on the test computer is showing a gateway of 0.0.0.0 and 192.168.16.1. I'm thinking this is a problem. I'll try to resolve.
05-10-2022 01:43 PM
I was going to suggest it might be a NAT issue as you are using a new subnet but you say internet works fine without the acl.
The acl looks good to me, let me know how you get on once you have sorted out the adapter.
Jon
05-10-2022 02:03 PM - edited 05-10-2022 02:05 PM
I could have sworn the internet worked before I did any of the ACL stuff, but I must be mistaken. I had to set up the route on my sonicwall for the vlan 16 to hit my core switch. I got that working.
So internet is working, and all of my permits are working, but it appears I hit a new snag!
After adding the permit ip host 192.168.16.5 any, it looks like I'm not able to ping anything on my deny spaces as well. I cleaned up my access a little, and this is what it is now.
Extended IP access list 100
10 permit ip host 192.168.16.5 0.0.0.0 192.168.209.24
20 permit ip host 192.168.16.5 0.0.0.0 192.168.210.1 (1 match)
30 permit ip host 192.168.16.5 0.0.0.0 10.10.1.12
40 permit ip host 192.168.16.5 0.0.0.0 192.168.208.5
50 deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.0.3
60 deny ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255
70 permit ip host 192.168.16.5 any (5 matches)
I'm able to ping other devices on the 192.168.208.0 network now. Does entry 70 supersede entries 50 and 60?
edit: I dropped the permit any, and that fixed it. So that tells me either the deny entries are incorrect, or the permit any supersedes? Or something else altogether.. AWW ha
05-10-2022 02:08 PM
I think the wildcard mask is wrong in line 50, i.e. it should be 0.0.3.255 not 0.0.0.3.
Jon
05-10-2022 02:16 PM
Doh, I didn't see this message.
I noticed my vlan 1 was working correctly just the vlan 10 wasn't. I've never worked with ACLs or these wildcards before.
05-10-2022 02:10 PM
I got it!! I had the wrong inverse subnet for my 192.168.208.0 network.
Should have been
deny ip 192.168.16.0 0.0.0.255 192.168.208.0 0.0.3.255 instead of 0.0.0.3.
Thanks SOO much Jon, couldn't have even begun this without you!
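As an added example (not from the thread and not Cisco code), here is a small Python first-match simulator of the ACL Jon posted, with the VLAN 10 deny wildcard parameterised so the 0.0.0.3 versus 0.0.3.255 mistake from the last few posts can be compared side by side. Wildcard matching and first-match evaluation with the implicit deny are modelled after IOS behaviour; the test addresses are constructed.

```python
"""Constructed first-match simulator for the thread's extended ACL 100.

Added example, not from the original thread or from Cisco IOS. It models
IOS wildcard-mask matching (a wildcard bit of 1 means "don't care") and
first-match ACE evaluation with the implicit "deny ip any any" at the end.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base/wildcard the way an IOS ACE evaluates it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Bits set in the wildcard are ignored; all other bits must equal base.
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def evaluate(acl, src: str, dst: str):
    """Return (action, sequence) of the first matching ACE.

    ('deny', None) means no ACE matched and the implicit deny applied.
    """
    for seq, action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action, seq
    return "deny", None


def acl_for_node(vlan10_wildcard: str):
    """ACL 100 from the thread; 'host X' is X 0.0.0.0, 'any' is 0.0.0.0 255.255.255.255."""
    return [
        (10, "permit", "192.168.16.5", "0.0.0.0", "192.168.209.24", "0.0.0.0"),
        (20, "permit", "192.168.16.5", "0.0.0.0", "192.168.210.1", "0.0.0.0"),
        (30, "permit", "192.168.16.5", "0.0.0.0", "10.10.1.12", "0.0.0.0"),
        (40, "permit", "192.168.16.5", "0.0.0.0", "192.168.208.5", "0.0.0.0"),
        (50, "deny", "192.168.16.0", "0.0.0.255", "192.168.208.0", vlan10_wildcard),
        (60, "deny", "192.168.16.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
        (70, "permit", "192.168.16.5", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
    ]


WRONG = acl_for_node("0.0.0.3")    # as first typed: only 192.168.208.0-192.168.208.3
RIGHT = acl_for_node("0.0.3.255")  # the fix: 192.168.208.0-192.168.211.255

if __name__ == "__main__":
    for name, acl in (("0.0.0.3", WRONG), ("0.0.3.255", RIGHT)):
        for dst in ("192.168.209.24", "192.168.208.77", "10.20.0.9", "8.8.8.8"):
            print(name, dst, evaluate(acl, "192.168.16.5", dst))
```

With the 0.0.0.3 wildcard, 192.168.208.77 falls through entry 50 and is permitted by entry 70, which is exactly the "does 70 supersede 50" symptom; with 0.0.3.255 it is denied at 50, while the specific permits, the internet permit and the implicit deny for other VLAN 16 hosts all behave as the thread intended.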
05-10-2022 02:11 PM
No problem, glad you got it working.
Jon