(config-ext-nacl)#permit ip host 192.168.1.X 192.168.2.XXX 0.0.0.255 (this is to permit the guy to access the other vlan, you can add many permit lines)
(config-ext-nacl)#deny ip any 192.168.2.XXX 0.0.0.255 (this is to deny all other guys to get to the other vlan).
(config)#int vlan 1
(config-if)#ip access-group NAME in (apply the access-list to the traffic coming into the vlan 1 from the vlan 1 users; alternatively, this can be applied in the outbound direction on the vlan 2 interface. Remember that only 1 access-list can be applied to an interface in one particular direction.)
The suggestion by Victor would allow certain traffic between VLAN 100 and 110 and would allow traffic from the local VLAN to outside resources but not to the other VLAN. My understanding of your post is that you do not want anyone in VLAN 100 to communicate with anyone in VLAN 110. If that is correct then you do not need the command:
permit ip host 192.168.1.X 192.168.2.XXX 0.0.0.255
I am not clear from your post whether you want devices in the VLANs to communicate with outside resources or whether you want them to only communicate locally. Perhaps you can clarify this?
Yes, if you have deny icmp any any and deny ip any any as an inbound access list, then you will break DHCP. You would need to permit the UDP ports for DHCP (you could permit any any or you could limit it to permit any host 255.255.255.255 since the DHCP request is a broadcast packet).
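As an added illustration of the reply above (not code from any poster in this thread), the following Python model applies first-match evaluation of an extended ACL to a DHCP Discover, once against the deny-only inbound list and once against the same list with the limited broadcast permit placed on top. The sample addresses, the `eq 67` port match and all function names are assumptions made for the example.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def addr_match(spec, addr):
    """spec is 'any' or (address, wildcard), as in an IOS extended ACL entry."""
    if spec == "any":
        return True
    base, wildcard = spec
    care = ~ip(wildcard) & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return ip(base) & care == ip(addr) & care

def evaluate(acl, pkt):
    """First matching entry wins; a packet that matches nothing is implicitly denied."""
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action
    return "deny"

BCAST = ("255.255.255.255", "0.0.0.0")  # same as 'host 255.255.255.255'

# Constructed sample packets (all addresses are illustrative).
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
DHCP_RENEW = {"proto": "udp", "src": "192.168.1.10", "dst": "192.168.1.1", "dport": 67}
INTER_VLAN = {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.20", "dport": 445}

# The inbound list described in the thread: deny icmp any any, deny ip any any.
LOCKED_DOWN = [
    ("deny", "icmp", "any", "any", None),
    ("deny", "ip", "any", "any", None),
]
# Assumption: the limited DHCP permit is written as
# 'permit udp any host 255.255.255.255 eq 67' and placed above the denies.
WITH_DHCP = [("permit", "udp", "any", BCAST, 67)] + LOCKED_DOWN

def report():
    packets = {"discover": DHCP_DISCOVER, "renew": DHCP_RENEW, "inter_vlan": INTER_VLAN}
    return {name: (evaluate(LOCKED_DOWN, p), evaluate(WITH_DHCP, p)) for name, p in packets.items()}

if __name__ == "__main__":
    for name, (before, after) in report().items():
        print(f"{name:10s} locked_down={before:6s} with_dhcp={after}")
```

The `renew` row stays denied under both lists: a renewal sent by unicast to a server address (192.168.1.1 here, a constructed value) does not match the broadcast-only permit, so the lease is refreshed only when the client falls back to broadcasting.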