The biggest fallacy is that VLANS provide security like hitting a brick wall; they don't.
Using a separate VLAN for each room really doesn't add any security anyway in and of itself because a multi-layer switch will simply take the IP address and Mask assigned to each SVI and drop all of those respective subnets into the default routing process/VRF.
Regardless, if you do this you need 12 subnets (one for each VLAN), and you need to put your DHCP server helper IPs onto the SVIs, too.
Then to break connectivity between the rooms most folks would use ACLs, which would probably work but for meaningful security you also need to isolate the routing processes!
Realistically though, you would probably want to create 12 VRF tables such that each SVI is on its own virtual router instance vs being all routed together between the rooms. From there, you would need the Internet connection in its own VRF as well. Okay, so that is very easy... but now you need them to all talk to the Internet which is NOT in any of those routing processes and if you do IP VRF Forwarding dropping it into one, only that room has Internet...
To remedy this, you now need to do PBR (Policy Based Routing) and drop a route-map onto each SVI whereby you match the destination based on what would otherwise be a default route and set the destination VRF to the Internet VRF.
Bet you don't want to do the VLAN Idea anymore.
******************
I would do protected switchports:
Switch# conf t
Switch(config)# interface range GigabitEthernet0/1 -48
Switch(config-if)# switchport protected
Switch(config-if)# end
Protected ports cannot transmit/receive traffic between other protected ports. Hence, you would connect the Internet off a non-protected port and be done with it!
********************
My choice:
Only about $1000!
For the best security buy an Application-Layer firewall like a Palo Alto and configure it. Create a separate zone for every room and drop a sub-interface for each room into a different zone. This uses 802.1q and trunks it into a switch. From there you deliver an access port to the room within that VLAN, but it is critical you use only layer-2 functionality on the switch leaving the routing process on the Palo Alto! Make all zones layer-3 zones and put some subnet information on them (basically the default gateway). Setup DHCP on there, too. Make a NAT rule to NAT them all to a shared external IP for all those zones. NAT your staff to another IP from the pool though by using a different source zone.
Create a policy for each room to the outside to allow that traffic, and specify it by type using the same address object for each rule.
Next setup QoS on the Palo Alto guaranteeing the staff have more bandwidth and that the rooms are divided up evenly
Honestly, it would take only about an hour to configure it this way. I would put the majority of applications in the address-group to allow them, but if abuse happens, you could pull them out of the address group and it would impact all rooms. Each room would be firewalled from one another, but the settings would be uniform. If needed you could add a rule to just allow the Staff zone to any zone, and the staff could then print to a printer, scan the networks, etc.
