Thursday, July 2, 2015

guest VLAN with VRF-lite

My task: an isolated guest VLAN for security devices that need to reach only a few hosts on the Internet to send telemetry data. VRF-lite keeps that VLAN in its own routing table, and static route leaking plus NAT give it exactly the Internet access it needs and nothing else.

Add the VLAN on the switches and allow it on the trunk toward the router:

vlan 171
name security

int g0/0
switchport trunk allowed vlan add 171

Create the VRF (it must exist before any interface can be placed into it):

ip vrf security

Create a subinterface on the router for that VLAN and put it into the VRF. Note the order: `ip vrf forwarding` removes any address already on the interface, so it has to come before `ip address`:

interface FastEthernet0/0.171
 encapsulation dot1Q 171
 ip vrf forwarding security
 ip address 10.16.171.254 255.255.255.0

Add a static route in the GLOBAL routing table so it knows the VRF subnet (route leaking). This is what lets translated return traffic from the Internet be delivered into the VRF interface:

ip route 10.16.171.0 255.255.255.0 FastEthernet0/0.171

Add a default route in the VRF routing table that points at the default next hop of the global routing table; the `global` keyword tells the router to resolve that next hop in the global table, not in the VRF:

ip route vrf security 0.0.0.0 0.0.0.0 Vlan500 178.173.24.* global

Create an extended access list matching only the traffic to the telemetry hosts on the Internet. Only flows matching this list will be translated:

access-list 101 permit tcp 10.16.171.0 0.0.0.255 host 62.117.84.* eq 24333
access-list 101 permit tcp 10.16.171.0 0.0.0.255 host 79.98.138.* eq 24333


Use that list as the source of a NAT overload (PAT) rule for the VRF, translating to the address of Vlan500. The `vrf security` keyword ties the translation to the VRF so replies are routed back into it:

ip nat inside source list 101 interface Vlan500 vrf security overload

All done! Two things to check before calling it finished: FastEthernet0/0.171 must be marked `ip nat inside` and Vlan500 `ip nat outside`, or nothing is translated; and traffic from the guest VLAN that does not match list 101 is not dropped by NAT, it is simply routed out untranslated with its private source address, so if strict isolation is required add an inbound access list on the subinterface that permits only the telemetry flows.
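The whole procedure collected into one configuration, as an added example rather than the config from the original post: it adds the NAT inside/outside interface markings, an inbound filter on the guest subinterface, and the show/ping commands used to verify the result. Interface names, the VRF name, the VLAN and the telemetry port follow the post; the public addresses are RFC 5737 documentation placeholders (203.0.113.1 for the ISP next hop, 198.51.100.10 and 198.51.100.20 for the telemetry hosts) standing in for the ones the post elides, and the filter name GUEST-IN is assumed.

```cisco
! --- Access switch: create the VLAN and carry it on the trunk to the router
vlan 171
 name security
!
interface GigabitEthernet0/0
 switchport trunk allowed vlan add 171
!
! --- Router: the VRF must exist before an interface can join it
ip vrf security
!
! Guest subinterface. 'ip vrf forwarding' wipes any configured address,
! so it is issued before 'ip address'. Inbound filter and NAT inside marking
! are additions not shown in the post.
interface FastEthernet0/0.171
 encapsulation dot1Q 171
 ip vrf forwarding security
 ip address 10.16.171.254 255.255.255.0
 ip access-group GUEST-IN in
 ip nat inside
!
! Internet-facing SVI in the global table (assumed already addressed);
! NAT translates to this interface's address, so it is the NAT outside side.
interface Vlan500
 ip nat outside
!
! Route leaking: the global table reaches the guest subnet through its
! interface; the VRF default route's next hop is resolved in the global table.
ip route 10.16.171.0 255.255.255.0 FastEthernet0/0.171
ip route vrf security 0.0.0.0 0.0.0.0 Vlan500 203.0.113.1 global
!
! Only these two flows are translated (placeholder telemetry hosts)
access-list 101 permit tcp 10.16.171.0 0.0.0.255 host 198.51.100.10 eq 24333
access-list 101 permit tcp 10.16.171.0 0.0.0.255 host 198.51.100.20 eq 24333
!
! Inbound filter on the guest VLAN: anything that would not be translated
! is dropped on the router instead of leaving with a private source address.
! (Assumes the guest devices are statically addressed; permit DHCP/DNS here
! if they are not.)
ip access-list extended GUEST-IN
 permit tcp 10.16.171.0 0.0.0.255 host 198.51.100.10 eq 24333
 permit tcp 10.16.171.0 0.0.0.255 host 198.51.100.20 eq 24333
 deny   ip any any log
!
! PAT to the Vlan500 address, bound to the VRF so replies are routed back into it
ip nat inside source list 101 interface Vlan500 vrf security overload
!
! --- Verification (exec mode)
! VRF table should show only the connected /24 and the default via 203.0.113.1
show ip route vrf security
! Global table should show the leaked /24 via FastEthernet0/0.171
show ip route 10.16.171.0
! Sourced from inside the VRF; succeeds only if the default route and NAT work
ping vrf security 198.51.100.10
! Translations created for the VRF after the guest devices start sending
show ip nat translations vrf security
! Hit counters confirm the telemetry flows match the intended entries
show access-lists 101
show access-lists GUEST-IN
```

One consequence of the leaked global route is worth keeping in mind: any host in the global table can send packets to 10.16.171.0/24, but the guest devices' replies follow the VRF default route toward the ISP next hop, so the path is one-way and no internal session can be completed through it; the inbound filter above closes the guest side regardless.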
