It's a little bit late in my country (almost midnight) but I will try to answer your post (maybe not a very good idea); it seems to me that you are applying the ACL just to control NAT, not to permit/deny IP traffic. This way, when a host in the 192.168.0.x network tries to connect to another host in the 10.10.10.0 network, it just sends the IP packet to its default gateway (I suppose your router) and it will deliver the packet to the destination network, un-NATted, but it will. Isn't it?
I am not clear about the original poster statement that some devices were not vlan aware and that is why everything is in the same vlan. Having these 4 networks/subnets all in the same vlan is a very unusual design and I believe that it is causing (or will cause) problems, starting with this need to restrict traffic.
To the extent that hosts in the network need to send their traffic through the router to get to destinations then the router is able to control access. To the extent that hosts in the network can communicate directly with other hosts then the router is not able to control that traffic. So the question becomes do these hosts need to send their traffic through the router to reach hosts in the other network?
To the extent that a host would send its traffic to its default gateway for destinations that it believes are remote, then yes, the traffic would go through the router. But considering that all of these hosts are in the same vlan and therefore in the same broadcast domain, then if a host in 10.10.10.0 wants to communicate with a host in 192.168.0.0 and if the host sends an ARP request for the destination address, then the other host would receive the ARP, would reply, and the hosts would communicate without needing the router. And in that case the router cannot control the traffic.
So the real answer to the question of the original poster is that it depends on the behavior of the hosts in the network. The best that he can do is to configure an access list to control the traffic and to apply it inbound on the vlan 10 interface.
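The forwarding decision the answer above describes can be checked with a small model. This is an added example, not code from anyone in the thread: it uses constructed hosts in the two subnets from the thread (10.10.10.0/24 and 192.168.0.0/24, both on vlan 10) and a constructed extended ACL applied inbound on the vlan 10 interface, and reports, per flow, whether the packet ever reaches the router (and so the ACL) or whether the host ARPs for the destination directly and bypasses it. The gateway addresses and ACL contents are assumptions for illustration.

```python
"""
Added example (not from the original thread): model hosts that share one
VLAN/broadcast domain but sit in different IP subnets, and check which
flows an inbound ACL on the vlan 10 interface can actually control.
"""
import ipaddress

# Assumption: the router holds the gateway address of each subnet on vlan 10.
GATEWAYS = {"10.10.10.1", "192.168.0.1"}


class Host:
    def __init__(self, name, ip, gateway, on_link=()):
        self.name = name
        self.iface = ipaddress.ip_interface(ip)   # e.g. "192.168.0.10/24"
        self.gateway = gateway
        # Extra prefixes the host treats as directly reachable (it ARPs for
        # the destination itself), e.g. an added on-link route. Constructed
        # to show the "host replies to ARP, router never sees it" case.
        self.on_link = [ipaddress.ip_network(p) for p in on_link]

    def next_hop(self, dst):
        """'direct' when the host ARPs for dst itself, else the gateway IP."""
        d = ipaddress.ip_address(dst)
        if d in self.iface.network or any(d in n for n in self.on_link):
            return "direct"
        return self.gateway


# Constructed ACL: (action, source prefix, destination prefix), first match
# wins, implicit deny at the end, as on IOS. The IOS equivalent would be:
#   ip access-list extended VLAN10-IN
#    deny   ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
#    permit ip 192.168.0.0 0.0.0.255 any
#    permit ip 10.10.10.0 0.0.0.255 any
#   interface Vlan10
#    ip access-group VLAN10-IN in
# Further deny lines for the VPN prefixes (not given in the thread) would go
# before the first permit.
ACL_VLAN10_IN = [
    ("deny",   "192.168.0.0/24", "10.10.10.0/24"),
    ("permit", "192.168.0.0/24", "0.0.0.0/0"),
    ("permit", "10.10.10.0/24",  "0.0.0.0/0"),
]


def acl_verdict(acl, src, dst):
    """First-match evaluation of an extended ACL with implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sp, dp in acl:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return action
    return "deny"


def flow_outcome(host, dst, acl=ACL_VLAN10_IN):
    """Outcome of host -> dst in the flat-VLAN design.

    'bypasses-router': the host ARPs for dst directly, so an inbound ACL on
    the SVI never sees the packet and cannot block it.
    'permit' / 'deny': the packet goes to the gateway and the ACL decides.
    """
    if host.next_hop(dst) == "direct":
        return "bypasses-router"
    return acl_verdict(acl, str(host.iface.ip), dst)


if __name__ == "__main__":
    # Constructed hosts: an iPad in 192.168.0.0/24, a PC in 10.10.10.0/24,
    # and a second PC with an on-link route towards the iPad subnet.
    ipad = Host("ipad", "192.168.0.10/24", "192.168.0.1")
    pc = Host("pc", "10.10.10.50/24", "10.10.10.1")
    pc2 = Host("pc-onlink", "10.10.10.51/24", "10.10.10.1",
               on_link=["192.168.0.0/24"])
    for h, dst in [(ipad, "10.10.10.50"), (ipad, "203.0.113.9"),
                   (ipad, "192.168.0.20"), (pc, "192.168.0.10"),
                   (pc2, "192.168.0.10")]:
        print(f"{h.name:10} -> {dst:15} next-hop={h.next_hop(dst):12} "
              f"{flow_outcome(h, dst)}")
```

The model is deliberately stateless, like a plain IOS ACL: it only shows which direction of a conversation the router sees. The interesting row is the host with the on-link route, which reaches the other subnet without the gateway and so without the ACL, which is the case the answer above warns about.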
Ok, I didn't explain things very well. This is a router that I have as my NAT firewall/DMVPN to the office at my house. What I am doing, if you see the static DHCP assignments for the 192.168 net, those are my daughters' iPads. I want to prevent those devices from being able to see anything but the internet, not the normal network (10.10) or any of the VPN networks (which, if I am remembering my networking correctly, they can't anyway, since their subnet is not being advertised by the OSPF policy). My WiFi access point is the device that is not VLAN compatible (hence my comment about not being able to do separate VLANs and then restricting VLAN-to-VLAN access).
This is not a "security" issue, beyond wanting to keep my kids from deciding to access either my network share, or our network printer.