This answer focuses on the following part:
or is there a better way to segregate traffic as I require?
Overall, it might turn out to be easier to run two internal VLANs, each with its own SVI (interface vlan XXX) and its own subnet, and to accept the (possibly still small) disadvantage of having to renumber some hosts.
If you do, instead of trying to use the feature-restricted functionality of the built-in switch, you can resort to the "classic" and more flexible features the router has to offer: interface access lists, the CBAC firewall, the Zone-Based Firewall (ZBFW), etc.
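As an added illustration of that approach (this is example configuration written for this page, not part of the answer above), the following IOS fragment creates the two SVIs with one subnet each and uses a plain interface access list to restrict what one VLAN may reach in the other. VLAN IDs 10 and 20, the 10.0.10.0/24 and 10.0.20.0/24 addressing, the ACL name `VLAN10-IN` and the choice of TCP/443 as the only permitted inter-VLAN service are all assumptions chosen for the example.

```cisco
! Added example, not from the original answer. VLAN IDs, addresses,
! ACL name and permitted port are assumed values.
vlan 10
 name clients
vlan 20
 name servers
!
! One SVI per VLAN, each with its own subnet (routed on the SVI, not
! in the built-in switch).
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
! Extended ACL evaluated inbound on the VLAN 10 SVI:
!  - hosts in VLAN 10 may reach VLAN 20 only on TCP/443,
!  - any other traffic from VLAN 10 towards VLAN 20 is dropped and logged
!    (the "log" keyword gives a syslog record for detection),
!  - traffic from VLAN 10 to any other destination (e.g. the uplink) passes.
ip access-list extended VLAN10-IN
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 permit ip  10.0.10.0 0.0.0.255 any
```

Because the ACL is applied inbound on the VLAN 10 SVI, it only filters what VLAN 10 initiates; return traffic for the permitted 443 sessions is not matched there, and the reverse direction (VLAN 20 towards VLAN 10) would need its own ACL on `interface Vlan20`, or the stateful CBAC/ZBFW mentioned in the answer if you want replies allowed automatically. `show ip access-lists VLAN10-IN` shows per-entry hit counters, and `show ip interface Vlan10` confirms the ACL is actually bound to the SVI.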