Cisco IOS: Segregating VLANS

I am trying to segregate the traffic on the VLANs, as one is our visitor VLAN (VLAN 3 is the guest lan). It is a Cisco 881W router.

Here is my VLAN configuration:

interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan3
 ip address 10.100.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!

Here are my ACLs

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.100.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.100.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 70.22.148.0 0.0.0.255 any
access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny   icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny   ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 permit ip host 255.255.255.255 any

As soon as I add ip access-group 101 in to VLAN 3, VLAN 3 can no longer get out of the router. VLAN 3 can ping the router via 10.100.10.1, and 10.10.100.* is no longer pingable from VLAN 3 (Desired).

Update: I also had to add

access-list 10 permit udp any any eq bootpc
access-list 10 permit udp any any eq bootps

To make DHCP work


To address your issue of not being able to get out to the Internet, you do not have an allow rule allowing 10.100.10.0/24 to 0.0.0.0/0. If you simply want to deny access to the 10.10.100.0/24 network from the 10.100.10.0/24 network, you want your access list to work like this (in this order):

1) Deny 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255 2) Permit 10.100.10.0 0.0.0.255 any


As a disclaimer I am not familiar with zone security. However it does look like at a glance you are permiting ICMP (pings) with that.

If you intent is to block the pings with your ACLs you will have to actually apply those ACLs to an interface with a command like: ip access-group 101 in while in the configuration area of a particular vlan.