Hello Cyril,

this can be done: the gateway provides inter-vlan routing.

To introduce connectivity limitations you need to deploy the appropriate ACLs.

vlan 1         -----> 10.10.10.0/24

vlan 2        ------> 10.10.20.0/24

vlan 3       ------> 10.10.30.0/24

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255

access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255

int vlan 1

ip access-group 101 in

int vlan 2

ip access-group 102 in

note:

if you want to provide internet access you need modified ACLs like

access-list 111 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list 111 permit ip 10.10.10.0 0.0.0.255 any

access-list 112 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 112 permit ip 10.10.20.0 0.0.0.255 any

to be applied in place of the previuos ones

Hope to help

Giuseppe