Block Access To Internet But Allow Internal Access
14 years 6 months ago #34410
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Block Access To Internet But Allow Internal Access
Now the topology is clearer.
The 2900 switch series supports access lists on a per-VLAN-interface basis, so you could apply the access list on the lab's VLAN on that switch. This way you stop internet-destined traffic before it begins and release the other switches/ASA from the overhead of processing this traffic.
The ACL should prevent any traffic going to a network address that is not in your campus (i.e. the internet). Say that all your networks (including all VLANs) are in the range 172.16.x.x /16. It would be something like this:
[code:1]
access-list 100 permit ip any 172.16.0.0 0.0.255.255
interface Vlan1
 ip access-group 100 in
[/code:1]
The implicit deny will prevent the internet traffic.
If for any reason this is not possible on your 2900 switch (which I doubt), then I would apply the ACL on the 3500 switch.
14 years 6 months ago #34424
by apit
Replied by apit on topic Re: Block Access To Internet But Allow Internal Access
This is what my VLAN configuration looks like. Apply it at the access switch (2900).
!
ip access-list extended Deny_Internet
permit tcp 172.16.11.0 0.0.0.255 any log
deny ip any any
!
Is it possible?
14 years 6 months ago #34433
by S0lo
Replied by S0lo on topic Re: Block Access To Internet But Allow Internal Access
!
ip access-list extended Deny_Internet
permit tcp 172.16.11.0 0.0.0.255 any log
deny ip any any
!
Is it possible?
This permit will allow only TCP traffic, so it will prevent any other IP traffic like ping (ICMP) or TFTP (UDP). Are you sure you want to do that? And you really don't need the deny ip any any command; it's done automatically by the implicit deny.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
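To make the two points in this thread concrete (the first reply's ACL 100, which permits only campus destinations and relies on the implicit deny, and the objection that apit's TCP-only permit drops ICMP and UDP), here is an added Python example that is not part of the thread and not a Cisco tool: a small simulator of IOS extended-ACL evaluation run over constructed sample packets. The lab VLAN 172.16.11.0/24 is taken from apit's entry; the campus range 172.16.0.0/16, the sample destination addresses, and the wildcard-matching and parsing helpers are assumptions made for the demonstration.

```python
import ipaddress

# Added example (not from the thread): a small simulator of Cisco IOS extended
# ACL evaluation, used to compare the two ACLs posted above against constructed
# sample packets from the lab VLAN. It models only the subset of syntax the
# thread uses: {permit|deny} {ip|tcp|udp|icmp} SRC DST [log], where SRC/DST are
# 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Port matching, 'established' and
# other keywords are out of scope.


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _matches(addr, spec):
    """Match one address against an ACE address spec.
    spec is 'any' or (network, wildcard). In a wildcard mask a 1 bit means
    'do not care', so only the bits where the wildcard is 0 are compared."""
    if spec == "any":
        return True
    net, wild = spec
    care = ~_ip_int(wild) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(net) & care)


def _take_addr(tokens):
    """Consume one address spec from the front of a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return the ACEs as (action, protocol, src_spec, dst_spec) in order.
    Non-ACE lines ('!', 'ip access-list ...', 'interface ...',
    'ip access-group ...') are skipped, and a leading 'access-list <number>'
    is stripped so numbered and named ACL syntax parse the same way."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, _rest = _take_addr(rest)  # a trailing 'log' keyword is ignored
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, proto, src, dst):
    """First matching ACE wins; an 'ip' ACE matches every protocol.
    A packet that matches no ACE hits the implicit 'deny ip any any'."""
    for action, ace_proto, ace_src, ace_dst in entries:
        if ace_proto not in ("ip", proto):
            continue
        if _matches(src, ace_src) and _matches(dst, ace_dst):
            return action
    return "deny"


# The two ACLs exactly as posted in the thread.
S0LO_ACL = """
access-list 100 permit ip any 172.16.0.0 0.0.255.255
interface Vlan1
 ip access-group 100 in
"""

APIT_ACL = """
ip access-list extended Deny_Internet
 permit tcp 172.16.11.0 0.0.0.255 any log
 deny ip any any
"""

# Constructed sample packets: a host in the lab VLAN (172.16.11.0/24, from
# apit's entry) talking to assumed campus addresses inside 172.16.0.0/16 and
# to documentation-range addresses standing in for the internet.
PACKETS = [
    ("internal HTTP", "tcp", "172.16.11.10", "172.16.20.5"),
    ("internal ping", "icmp", "172.16.11.10", "172.16.1.1"),
    ("internal TFTP", "udp", "172.16.11.10", "172.16.1.2"),
    ("internet HTTP", "tcp", "172.16.11.10", "203.0.113.80"),
    ("internet DNS", "udp", "172.16.11.10", "198.51.100.53"),
]


def decisions(acl_text):
    """Map each sample packet label to the ACL's permit/deny decision."""
    entries = parse_acl(acl_text)
    return {label: evaluate(entries, proto, src, dst)
            for label, proto, src, dst in PACKETS}


if __name__ == "__main__":
    for name, acl in (("S0lo's ACL 100", S0LO_ACL),
                      ("apit's Deny_Internet", APIT_ACL)):
        print(name)
        for label, verdict in decisions(acl).items():
            print(f"  {label:14s} {verdict}")
```

Running it shows ACL 100 permitting all three internal packets and denying both internet packets, while Deny_Internet denies the internal ping and TFTP packets and yet still permits the TCP packet to the internet address, because its permit entry matches on the source subnet only and uses `any` as the destination. The simulator models first-match evaluation and the implicit deny but ignores ports and other ACE keywords, so it is a teaching model rather than a substitute for testing on the switch.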