Cisco 3845, how do I prevent subnets from routing between each other?

I have a setup with a Cisco 3845 ISR + two Dell PowerConnect 6224 L3 Switches + 4 Cisco 1145 WAPs.

My goal is to create two VLANs for wireless access points.  The first VLAN will authenticate against RADIUS/PEAP for our domain computers and route between VLANs for various resources.  The second VLAN will be for guest use only and route directly to the internet and not communicate between VLANs.

I've worked out the part on creating the VLAN for internal use and it works great.  But I don't really know how to make best use of the equipment to isolate the VLAN and route it straight to the internet.

It seems the PowerConnect 6224 doesn't support PVLANs, so I'm trying to figure out how to do what I need with our Cisco 3845 router.  Honestly I don't know where to start.  I'm guessing I want it to do something like the following:

192.168.4.x -> VLAN Gateway -> Cisco 3845 -> Internet (Serial 1/0)

Since I won't know the MAC addresses connecting to the WAPs, I know I can't use filtering.  We also only have 1 HWIC in use and I do have a spare one I can install.  Could I set up an interface on that and some kind of ACL that only permits access between 192.168.4.x and Serial 1/0 (with NAT)?

A routed interface is a controlled interface which allows for a security/traffic policy to be implemented.
You can deploy ACLs, you can use policy based routing, and you can use CBAC (ios firewall).

ACLs: craft an ACL that categorizes your traffic via source, destination, protocol and port. You could do the following:

vlan A = , vlan B =

Apply this to the 2.2.2.x interface (vice versa for 1.1.10 interface)
access-list 100 deny ip
access-list 100 permit ip any any

harbor235 ;}

ITSupportZagat (Author) Commented:
So, on the ACL, can I also specify a (pardon me if I use the term wrong) superscoped IP address to deny, since we have several different VLANs in the 192.168.x.x range?

access-list 105 deny ip
access-list 105 permit ip any eq 80
access-list 105 permit ip any eq 443

Sure, once crafted you apply it to the interface; I recommend inbound in this situation.

config t
interface X
ip access-group 105 in
wr mem

harbor235 ;}
ITSupportZagat (Author) Commented:
Great.  I want to clear up one last thing that's been a point of contention.  I understand that on an ACL, if the network isn't allowed access, a deny is implied. So, if, as above, I wanted to permit a specific network and block others (and all of our internal networks share interface ge0/0), can I do the following, or is there a better best practice:

access-list 105 permit ip any
access-list 105 deny ip
access-list 105 deny ip
access-list 105 permit ip any
access-list 105 permit ip any
access-list 105 permit ip any
access-list 105  deny ip any any

With the goal, same as before, since all networks in our company share ge0/0: I want to allow the network to the internet, but deny local subnets.
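The inbound ACL harbor235 describes, and the ordering and "superscope" questions in the comment above, worked through as an added example that is not from any poster in this thread. It assumes the guest VLAN is 802.1Q VLAN 40 trunked to the 3845 as subinterface GigabitEthernet0/0.40 with the router as gateway 192.168.4.1/24, that every internal subnet falls inside 192.168.0.0/16, and that Serial1/0 is the Internet link.

```cisco
! Added example, not from the thread. Assumptions: guest VLAN 40 arrives on
! GigabitEthernet0/0.40, guest subnet 192.168.4.0/24 with the 3845 as gateway,
! every internal subnet sits inside 192.168.0.0/16, Serial1/0 is the WAN link.
!
! 1. The guest ACL. IOS tests entries top-down and stops at the first match, so
!    the denies for the internal ranges must come before the "permit ... any".
ip access-list extended GUEST-IN
 remark DHCP only, and only if the 3845 hands out the guest leases
 permit udp any eq bootpc any eq bootps
 remark one wildcard-mask entry covers every 192.168.x.x subnet at once
 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark the other RFC 1918 ranges, in case they are used internally
 deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.4.0 0.0.0.255 172.16.0.0 0.15.255.255
 remark whatever is left is the Internet
 permit ip 192.168.4.0 0.0.0.255 any
 remark same effect as the implicit deny, but logs packets with a spoofed source
 deny   ip any any log
!
! 2. Apply it inbound on the guest subinterface: the drop happens before the
!    router consults its routing table, so nothing can be forwarded to the LAN.
interface GigabitEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
!
interface Serial1/0
 ip nat outside
!
! 3. PAT the guest subnet behind the serial address. Skip this if the existing
!    NAT rule already covers 192.168.0.0/16.
ip access-list standard GUEST-NAT
 permit 192.168.4.0 0.0.0.255
ip nat inside source list GUEST-NAT interface Serial1/0 overload
```

This only filters traffic that actually crosses the 3845: if the PowerConnect holds an IP interface in the guest VLAN and routes between VLANs itself, guest traffic to the internal subnets never reaches this ACL, so either remove the switch's guest VLAN interface or place an equivalent ACL on it.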
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.