vlan and router

ronlqd
Level 1

Hi all,

I have one switch and one router. Can I set it up so that all VLANs can go to the Internet but cannot ping each other?

9 Replies

balaji.bandi
Hall of Fame

Where does your gateway reside? If it is on the switch, please enable IP routing on the switch (ip route command) and make sure you also add an IP route rather than using the default gateway on the switch.

If this is not the case, please post both device configs here, along with the switch model and router model.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I agree with BB that if we knew more about this environment we could give better advice. At this point all we know is a switch and a router and some vlans. The original poster asks if it is possible to provide each vlan with access to the Internet but to prevent one vlan from accessing another vlan. In general the answer is that yes, this is possible. There are two approaches that could be used:

1) As BB suggests one approach would be to enable routing on the switch, configure a default route on the switch with the router as the next hop, and configure the connection from the switch to the router as a routed link. On each switch vlan interface you would need to configure and apply an access list. This access list would deny traffic whose source address was in this vlan and destination of any other vlan subnet and then the access list would permit traffic whose source was in this vlan to any destination. On the router you would need to configure routes to each of the subnets on the switch, configure address translation for each of the subnets on the switch, and configure a default route.

2) The other approach would be to treat the switch as a layer 2 switch, configure the vlans, configure one vlan interface with an IP address for management purposes, and configure the connection from switch to router as a trunk which would carry all of the vlans. On the router you would configure the interface connecting to the switch with a subinterface for each of the vlans. Each subinterface would have an IP address, would do routing for that subnet, and would have an access list similar to what I describe in 1). This is frequently described as router on a stick. The router would need to be configured with address translation for each of the vlan subnets, and would have a default route for the Internet connection.

HTH

Rick
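As an added example (not from the thread or from any of its posters), here is a small Python model of the per-VLAN access list described in both approaches above: it generates the entries for one VLAN (deny this VLAN's subnet to each other VLAN's subnet, then permit this subnet to anything), renders them as IOS extended ACL lines with wildcard masks, and evaluates sample packets with first-match semantics. The VLAN subnet plan and every address below are constructed assumptions; the thread never states them.

```python
"""Per-VLAN access list model for the inter-VLAN separation described above
(added example). VLAN subnets are constructed assumptions."""
import ipaddress

# Constructed VLAN plan; the thread does not give the real subnets
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}


def build_acl(vlan_id, subnets):
    """Entries for the ACL applied inbound on this VLAN's interface, in evaluation order:
    deny this subnet to each other VLAN subnet, then permit this subnet to anything.
    A destination of None means 'any'."""
    mine = subnets[vlan_id]
    entries = [("deny", mine, other) for vid, other in sorted(subnets.items()) if vid != vlan_id]
    entries.append(("permit", mine, None))
    return entries


def render_ios(vlan_id, subnets):
    """Render the entries as IOS extended ACL lines (wildcard mask = inverted subnet mask)."""
    lines = [f"ip access-list extended VLAN{vlan_id}-IN"]
    for action, src, dst in build_acl(vlan_id, subnets):
        dst_text = "any" if dst is None else f"{dst.network_address} {dst.hostmask}"
        lines.append(f" {action} ip {src.network_address} {src.hostmask} {dst_text}")
    return lines


def evaluate(entries, src_ip, dst_ip):
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and (dst_net is None or dst in dst_net):
            return action
    return "deny"   # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    print("\n".join(render_ios(10, VLAN_SUBNETS)))
    acl10 = build_acl(10, VLAN_SUBNETS)
    for dst in ("192.168.20.7", "203.0.113.9"):   # the other VLAN, then an Internet address (TEST-NET-3)
        print(f"192.168.10.5 -> {dst}: {evaluate(acl10, '192.168.10.5', dst)}")
```

Applying the rendered list inbound on the VLAN's switch interface (approach 1) or router subinterface (approach 2) with `ip access-group VLAN10-IN in` is what enforces the separation. Order matters: the deny entries must come before the final permit, and because the entries use the `ip` keyword they cover ICMP too, so pings between VLANs fail while Internet-bound traffic still passes. The final permit only matches sources inside the VLAN's own subnet, so a host sending with a source address from some other subnet falls through to the implicit deny rather than being forwarded.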

Hi Richard,

Thanks for your help. Please help me clarify some points below.

I have set it up as in the attached file. I have two PCs connected to the switch, PC1 in VLAN 10 and PC2 in VLAN 20. The switch has a trunk link to Router0, and sub-interfaces are configured on Router0. I want to know: when a packet goes from Router0 to Router1, does it have a VLAN tag or not?

Does the router modify the layer 2 frame and remove the VLAN tag?

Hello,
The connection between rtr 0 and rtr 1 is a direct layer connection, so no tagging of traffic is performed.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, I want to know what the router does with a VLAN-tagged packet. Does the router always remove the tag?

 

As per the diagram, PC0 should be able to reach PC1, since you have sub-interfaces configured on the router, which can take care of routing here.

How are you testing? Ping? In that case the PC may have a firewall; disable it and test again.

Router 0 to Router 1: we are not sure what is configured there. At a high level, as per your diagram, I do not see any tagging happening, since it is just a point-to-point link, and you confirmed the PC is able to get to the Internet.

 

BB


Hi Paul,

Thanks for your answer. Please help me explain the following. The router has interfaces 0/0 and 0/1.

Interface 0/0 has two sub-interfaces, 0/0.1 and 0/0.2. When a PC sends a packet to the Internet, the router receives the VLAN-tagged packet on interface 0/0. What does the router do? Does it remove the VLAN tag and send the packet with the layer 2 header modified on 0/0.2?

We have been discussing an environment that has a switch with 2 vlans, in each vlan is connected at least one device. The switch connects to router0 on an interface configured as a trunk and carrying the 2 vlans. router0 connects to the switch with physical interface 0/0. The router interface 0/0 is configured with subinterfaces for vlan 10 and vlan 20. router0 connects on interface 0/1 to router1. We are not told any details about the connection of router0 to router1 and assume that it is a regular Ethernet interface. We also assume that the configured gateway for the PCs would be the router subinterface IP address for that vlan.

 

Let me describe what happens as a PC attempts to send a packet to the Internet, focusing on the layer 2 header and vlan tagging. So the PC connected in vlan 10 wants to send a packet to the Internet.

- The PC builds the packet and sends the packet to its gateway. This is a standard Ethernet frame and has no vlan tag or any other information about vlan membership. In the Ethernet frame the source mac address is the PC and the destination mac is the gateway (router subinterface).

- The switch receives the frame on an access port in vlan 10. The switch will be doing layer 2 forwarding, so it looks at the destination mac address, looks in the mac forwarding table, and discovers that it should forward the frame out the trunk interface on vlan 10. As the switch sends the frame out the trunk interface it adds a vlan tag indicating membership in vlan 10. There are no other changes to the layer 2 header.

- router0 receives the frame on its vlan 10 subinterface. The router removes the vlan tag and since it will be doing layer 3 forwarding it looks at the IP destination address. router0 determines that it should forward the packet to router1. router0 removes the existing layer 2 header and builds a new layer 2 header. In this header the source mac address is the router0 interface mac and the destination mac is the router1 interface mac address. There is no vlan tag for this frame. router0 sends the frame out interface 0/1.

- router1 receives the frame on its interface, looks at the destination IP address, makes its forwarding decision, removes the existing Ethernet header and builds a new Ethernet header and sends the packet on to the next hop.

 

In all this processing the only time there is a vlan tag is when an Ethernet frame is being sent or received on a trunk interface. Otherwise it is a standard Ethernet frame with no vlan tag. We can also make the point that when doing layer 2 forwarding the Ethernet header is not changed, other than possibly adding or removing a vlan tag. When doing layer 3 forwarding the existing Ethernet header is always removed and a new Ethernet header is built.

HTH

Rick
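The frame walk laid out above, as an added Python example that is not part of the thread or of any poster's reply: it builds the PC's untagged frame, inserts the 802.1Q tag the switch adds on trunk egress, and then performs router0's layer 3 rewrite (tag stripped, the old header discarded, new source and destination MACs, no tag on the link to router1). The MAC addresses, the VLAN number and the payload are constructed values, not from the thread.

```python
"""Byte-level model of the frame walk described above (added example).
Constructed values only: MAC addresses and payload are made up."""
import struct

ETHERTYPE_IPV4 = 0x0800
TPID_DOT1Q = 0x8100          # EtherType value that announces an 802.1Q tag

# Constructed sample MACs (locally administered, not from the thread)
MAC_PC1 = bytes.fromhex("0200000000a1")       # PC in vlan 10
MAC_R0_GW = bytes.fromhex("0200000000b0")     # router0 0/0 (its subinterfaces share this MAC)
MAC_R0_OUT = bytes.fromhex("0200000000b1")    # router0 0/1 toward router1
MAC_R1_IN = bytes.fromhex("0200000000c1")     # router1 interface facing router0
PAYLOAD = b"\x45\x00" + b"IPv4 packet (constructed placeholder)"  # stands in for the IP packet


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Plain Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload), handling one 802.1Q tag."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_DOT1Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]   # VID is the low 12 bits of the TCI
    return dst, src, None, ethertype, frame[14:]


def switch_trunk_egress(frame, vlan_id):
    """Layer 2 forwarding out a trunk: MACs untouched, a 4-byte tag inserted after the source MAC."""
    tci = vlan_id & 0x0FFF                     # PCP=0, DEI=0, VID=vlan_id
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, tci) + frame[12:]


def router_layer3_forward(frame, egress_mac, next_hop_mac):
    """Layer 3 forwarding: the whole received layer 2 header (tag included) is dropped
    and a fresh untagged header is built for the egress link."""
    _dst, _src, _vid, ethertype, payload = parse_frame(frame)
    return build_frame(next_hop_mac, egress_mac, ethertype, payload)


def walk_pc1_to_router1():
    """Return the parsed frame at each hop: PC->switch, switch->router0 (trunk), router0->router1."""
    f_access = build_frame(MAC_R0_GW, MAC_PC1, ETHERTYPE_IPV4, PAYLOAD)   # PC to its gateway, untagged
    f_trunk = switch_trunk_egress(f_access, 10)                           # tagged vlan 10 on the trunk
    f_r0_r1 = router_layer3_forward(f_trunk, MAC_R0_OUT, MAC_R1_IN)        # new header, no tag
    return [parse_frame(f) for f in (f_access, f_trunk, f_r0_r1)]


if __name__ == "__main__":
    hops = ("PC->switch", "switch->router0", "router0->router1")
    for hop, (dst, src, vid, _et, _pl) in zip(hops, walk_pc1_to_router1()):
        print(f"{hop:18} dst={dst.hex(':')} src={src.hex(':')} vlan_tag={vid}")
```

Running it prints the three hops and shows the two facts the post closes on: the switch leaves both MAC addresses alone and only inserts the tag, while router0 replaces the entire Ethernet header, so the frame on the router0 to router1 link carries router0's and router1's MACs and no tag at all. The payload (the IP packet) is carried through unchanged at every hop.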