I am trying to do a very simple setup.

we have one provider connecting to our Carrier Ethernet Metro.

provider is sending me with 3 VLAN which i usually take them inside one vman ( port is configured untag) and take it through our Metro.

now what i am trying to archive is to allow 3 Vlans with specific tag ( like is provider tried to send more vlans or different tags than what was agreed on) these vlans should not enter my VMAN.

I would use CEP rather than using CNP with 'cvid' ACL.

# configure vman vman100 add port 1 cep cvid 50 - 52
Thanks for the replay Kevin,

but will it have the same effect as using CNP. one more thing, the termination of these vlans will be on a L3 router and its configured as double tag on the router
I think packets are doubled tagged as CNP when they are transported in a VMAN.
Yes this is the scenario which we have.

Question is can we do CEP and transport them and do the double tagging ?!
Yes. you can with CEP.