I'm getting puzzled about ACLs on inter-VLAN routing... well, I actually have 3 VLANs:
1 - LAN (192.168.0.0/16)
666 - CC Security Camera (172.16.1.0/24)
100 - Wireless LAN (172.16.2.0/24)
I've enabled IP routing and assigned a VLAN interface IP address only to VLAN 1 and VLAN 100 (the camera system should be completely isolated on its own), setting 192.168.0.30 as the IP for VLAN 1 and 172.16.1.1 for VLAN 100. Everything works as expected (ping, etc.). The default global router is the company router with IP 192.168.0.1; I have configured it in the switch.
Now I have to set an ACL to allow this specific traffic scenario:
1. Deny access to the switch terminal (www, telnet and ssh) from any IP in VLAN 100 (that is, wireless clients MUST NOT be able to access the switch configuration in any way)
2. Allow wireless clients to only PING and access a specific server on VLAN 1 (192.168.2.13) on a set of determined ports (80, 443, 8080 and the DNS ports)
3. Any other traffic must be denied from VLAN 100 to VLAN 1
In a few words, wireless clients should be able to access the intranet web server (which also acts as a simple DNS server for them) and nothing else, something like a guest network.
I've managed to do some of these ACLs (and they sort of worked), but I started to mess up, so I deleted everything and now I want to do a clean and working configuration.
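As an added example (not part of the original post and not tied to any particular switch vendor), the requested policy expressed as an ordered, first-match rule list with the addresses from the post, so the rule order and the implicit deny at the end can be checked before typing the ACL into the switch. The sample client address 172.16.2.50 and the second LAN host 192.168.0.50 are constructed for the checks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the post: wireless VLAN 100, LAN VLAN 1, the intranet
# server, and the switch's own VLAN interface addresses.
WIFI_NET = ipaddress.ip_network("172.16.2.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/16")
SERVER = ipaddress.ip_network("192.168.2.13/32")
SWITCH_IPS = [ipaddress.ip_network("192.168.0.30/32"),
              ipaddress.ip_network("172.16.1.1/32")]
MGMT_PORTS = {22, 23, 80, 443}   # ssh, telnet, www (http/https)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[set] = None     # None = any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dports is None or dport in self.dports))


# Ordered list, meant to be applied inbound on the VLAN 100 interface.
# Requirement 1 is kept as an explicit deny ahead of every permit so it
# still holds if a broader permit is ever added later.
ACL = [Rule("deny", "tcp", WIFI_NET, ip, MGMT_PORTS) for ip in SWITCH_IPS]
ACL += [
    Rule("permit", "icmp", WIFI_NET, SERVER),                    # ping
    Rule("permit", "tcp", WIFI_NET, SERVER, {80, 443, 8080, 53}),  # web + DNS/tcp
    Rule("permit", "udp", WIFI_NET, SERVER, {53}),               # DNS/udp
    Rule("deny", "ip", WIFI_NET, LAN_NET),                       # requirement 3
]


def evaluate(proto, src, dst, dport=None):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in ACL:
        if rule.matches(proto, s, d, dport):
            return rule.action
    return "deny"
```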