Applying L3 ACLs to a VRF
Within VRF access configuration mode you can apply access lists to VRF access groups for the restriction of traffic to and from other VRFs. For standard and extended ACLs, One ingress and one egress IPv4 and one ingress and one egress IPv6 access group may be applied to a VRF. The same access group may be applied to multiple VRFs. For policy ACLs, a single policy ACL may be configured per VRF.
Use the vrf-access command in VRF configuration mode to enter to enter VRF access configuration mode.
Once in VRF access configuration mode, you can apply:
- One ingress IPv4 access list from the specified VRF using the ip access-group from-vrf command or from any VRF using the ip access-group from-any-vrf command
- One ingress IPv6 access list from the specified VRF using the ipv6 access-group from-vrf command or from any VRF using the ipv6 access-group from-any-vrf command
- One egress IPv4 access list to the specified VRF using the ip access-group to-vrf command or to any VRF using the ip access-group to-any-vrf command
- One egress IPv6 access list to the specified VRF using the ipv6 access-group to-vrf command or to any VRF using the ipv6 access-group to-any-vrf command
- One policy ACL to the specified VRF using the ip policy-access-list command in the VRF configuration mode