it sounds like they're asking for access control lists that would block specific ports, 23 for telnet, 21 for ftp. or one that would only allow port 80 for http. You could demonstrate this by enabling logging on the access control list and it would show hits each time a device attempted to access a block service if you wanted.

OK you have 3 VLANs and each should have its own IP subnet assigned. I am also assuming that you have a router to enable communications between the subnets. If no router and they can't talk between VLANs. First thing you should do is see if you can ping host to host between subnets. If you can then you know that the host have their gateways set and the router knows the route to the destination of the incoming packets. Next you will need to learn about access-list that can be applied to the interfaces of the Cisco router. This access-list will enable you to allow or disallow traffic through that interface by source, destination, port number (HTTP 80, FTP 21, Telnet 23) ect,,,,, That is a huge subject and I can't cover it adequately here in this forum. Do a Google search and you will find lots of information on the subject. Even without an access-list a router will not allow a broadcast through to another network (VLAN) segment which is why they are sometimes referred to as a broadcast domains. Their are ways to allow a broadcast to pass by turning it into a unicast but that is another question. Hope this helps and at least gives you a direction to look.

I think i had to do a similar thing to that for my CCNA, I know i had to use 3 switches and a router but can't for the life of me remember how to demo it. Other than showing them the ACL's and plugging hosts into each VLAN, and try to access the HTTP page of the router (demonstrating the access of port 80), maybe putting in some loopback addresses could prove that it is successful or fails when trying to access the page or pinging a specific IP