The equipment you have is fine. The only issue is that the router will not be that fast routing between LANs, a layer 3 switch would be quicker, but if there is not too much traffic between them the router should be fine. You need to create the vlans on the switches, and then a trunk to the router. The router will have sub-interfaces, each with an IP address for the individual vlan (subnet), which will also be the default gateway for that particular vlan. These can be exactly as you show in your question. If you don't want a particular vlan to be able to access another, create an access list (ACL) and apply it to the subinterface on the router. This should really be applied to both inbound and outbound traffic. For example, to block traffic from vlan 3 to vlan 4 ip access-list extended No-V3-to-V4 deny ip any 10.0.4.0 0.0.0.255 permit ip any any ! ip access-list extended No-V4-to-V3 deny ip any 10.0.3.0 0.0.0.255 permit ip any any ! int fastethernet0/1.3 desc ** VLAN 3 - Client ** encapsulation dot1Q 3 ip access-group No-V3-to-V4 out ! int fastethernet0/1.4 desc ** VLAN 3 - Finance ** encapsulation dot1Q 4 ip access-group No-V4-to-V3 out ! The permit ip any any at the end of the access list allows that VLAN to still connect to any of the other vlans, and to the Internet. The routing and NAT for the Internet is not shown, all you will need is a default route to the Internet router that is in VLAN 7. As the router is the gateway for all the vlans, it will have routes between them, and to the Internet (the 0.0.0.0 0.0.0.0 route) so all VLANs will be able to access the Internet. That is the basic idea, from that you can allow or deny access between the vlans, or to individual hosts on a particular vlan. Hope this helps.

The equipment you have is fine. The only issue is that the router will not be that fast routing between LANs, a layer 3 switch would be quicker, but if there is not too much traffic between them the router should be fine. You need to create the vlans on the switches, and then a trunk to the router. The router will have sub-interfaces, each with an IP address for the individual vlan (subnet), which will also be the default gateway for that particular vlan. These can be exactly as you show in your question. If you don't want a particular vlan to be able to access another, create an access list (ACL) and apply it to the subinterface on the router. This should really be applied to both inbound and outbound traffic. For example, to block traffic from vlan 3 to vlan 4 ip access-list extended No-V3-to-V4 deny ip any 10.0.4.0 0.0.0.255 permit ip any any ! ip access-list extended No-V4-to-V3 deny ip any 10.0.3.0 0.0.0.255 permit ip any any ! int fastethernet0/1.3 desc ** VLAN 3 - Client ** encapsulation dot1Q 3 ip access-group No-V3-to-V4 out ! int fastethernet0/1.4 desc ** VLAN 3 - Finance ** encapsulation dot1Q 4 ip access-group No-V4-to-V3 out ! The permit ip any any at the end of the access list allows that VLAN to still connect to any of the other vlans, and to the Internet. The routing and NAT for the Internet is not shown, all you will need is a default route to the Internet router that is in VLAN 7. As the router is the gateway for all the vlans, it will have routes between them, and to the Internet (the 0.0.0.0 0.0.0.0 route) so all VLANs will be able to access the Internet. That is the basic idea, from that you can allow or deny access between the vlans, or to individual hosts on a particular vlan. Hope this helps.