Configuring a complex
Configure the hardware ACLs
The command
Each individual filter in the example below match on IP traffic destined to a specific network from any source IP.
Any IP traffic not matching an ACL is implicitly permitted. This allows traffic not filtered to be able to access the Internet.
Note - these traffic filters are being used for quite a different purpose than the ACLs that are used in the
Instead, these filters are checking individual packets that are coming into the switch, and blocking those packets that are trying to reach IP addresses that should not be reachable from their VRF domain.
Via the filters, the switch knows which IP subnets should not be reachable from a given domain, and so can drop any packets that are trying to reach IP addresses in those subnets.
The dropping (filtering) of those ingress packets is important in the case where a VRF has a default route to a shared VRF and there is an external router that exists in the shared VRF. If there is no external router in the shared VRF or VRF has no default route via the shared VRF, then these IP hardware filters are not required.
Without these filters, traffic which has source IP within one VRF to destination IP within another VRF will be routed via the shared VRF to the external router (the external Internet BGP router in this example). The external router will route the traffic back to the shared VRF, which will in turn route the traffic to the destination IP within the destination VRF. And the packet will be replied to. In effect, the external router inadvertently breaks the
Without the external router, although the shared VRF has routes to the other VRF domains, the VRF device will maintain the
