If I need to allow only certain nodes to access VLANs behind a VE iface, do I do it with ACLs?
I think of that VE on VlanZ as a gateway to those nodes, through which the nodes would get to other Vlans.
Would I need to construct ACLs with all the subnets & hosts, or is there another, simpler way?
And if yes, then I'm trying but... I fail. What would such a rule look like?
I'm trying something obvious:
deny ip any 10.5.8.0 255.255.255.0
then apply it to the VE iface as ingress, but... nodes which have VE's IP as the gateway to 10.5.8.0/24 still get there.