User's Manual
Configure VRF-lite | Page 51
Configuring a complex inter-VRF solution
The third access group allow100_deny_private permits VRF red to access shared VRF
network 192.168.100.0/24. Subsequently traffic to all networks within the 192.168.0.0/16
address ranges is denied.
The order of filtering is:
1. Allow access to the subnet in which the port resides.
2. Allow access to specific remote networks via shared.
3. Allow access to the 192.168.100.0/24 address range, then deny access to all other
networks within the 192.168.0.0/16 address ranges.
4. And implicitly, all other traffic not matching the ACLs is allowed to access the Internet.
CONFIGURE VLAN DATABASE
awplus(config)#vlan database
awplus(config-vlan)#vlan 2-7 state enable
awplus(config-vlan)#exit
awplus(config)#interface port1.0.1
awplus(config-if)#access-group allow_to_self_10
awplus(config-if)#access-group access43
awplus(config-if)#access-group allow100_deny_private
awplus(config)#interface port1.0.2
awplus(config-if)#switchport access vlan 2
awplus(config-if)#access-group allow_to_self_20
awplus(config-if)#access-group access44
awplus(config-if)#access-group allow100_deny_private
awplus(config-if)#exit
awplus(config)#interface port1.0.3
awplus(config-if)#switchport access vlan 3
awplus(config-if)#access-group allow_to_self_30
awplus(config-if)#access-group access45
awplus(config-if)#access-group allow100_deny_private
awplus(config-if)#exit
awplus(config)#interface port1.0.4-1.0.5
awplus(config-if)#switchport access vlan 4
awplus(config-if)#access-group allow_to_self_40
awplus(config-if)#access-group access43
awplus(config-if)#access-group access44
awplus(config-if)#access-group access45
awplus(config-if)#access-group allow100_deny_private
awplus(config-if)#exit
awplus(config)#interface port1.0.6-1.0.7
awplus(config-if)#switchport access vlan 5
awplus(config-if)#exit
[cont...]