Configure VLAN for test network

Where does the 10.0.0.0 router interface reside? On the 3560 or on the 2621?

See the graphic for the current config
Drawing1.gif

If you want physical VLAN separation, you can create a second VLAN on the 3560 and enable routing on the 3560.  The 10.10.10.0/24 hosts would have the 3560 as their default gateway and same with the 192.168.0.0/24 subnet.  You can then use access-lists on the 3560 VLAN interfaces to restrict traffic between subnets.  The inside IP of the 2621 would need to be re-addressed and put in a separate VLAN on the 3560.  In fact, if the 2621 isn't taking in any T1's or non-ethernet connections, you could take it completely out of the picture and just use the 3560 and PIX.   The alternative is, trunking between the 3560 and 2621 and having the 2621 route between subnets using subinterfaces.  Which direction do you want to go?

I have to keep the 2621 for netflow on the 10.10.10.0/24 LAN. I could however take a port from the 3560 and plug it directly into the pix bypassing the 2621 for the test vlan only. I definitely want to keep complete seperation. BTW the test VLAN machines wil be coming from a VMWARE esx server if that matters at all in this equation. I have another thread connected to this project on the VMWARE side as well.
https://www.experts-exchange.com/questions/23895911/Setup-Test-VMWARE-Network-for-with-internet-access.html

Typo in the access-list (permit):

Should be:

ip access-list extended test-access
deny ip any 10.10.10.0 0.0.0.255      <--denies traffic from the Test hosts to the Prod hosts
permit ip any any                               <--allows traffic to the Internet

You Rule man!

Can I start a new question and have you help.... it is related to this one?

Sure thing.

Here is the new question
https://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q-23903141-Setup-test-domain-on-test-network.html