I am working on securing our current setup where the Management VPN for CPEs is not as restrictive as I would like it to be.
At present any CPE can access any other CPE as the VRF definition is the same for all CPE MNGT as well as OSS (hub).
What I want to achieve is to allow CPEs to reach OSS but never communicate with each other.
I use default route from CPE to PE, if I had BGP I could filter out all CPE ranges.
I looked into playing with import/export route targets. I cannot see how I can isolate 2 CPEs connected to same PE (while keeping same RD and RT imp/exp).
Making OSS a hub and CPEs spokes is not a problem.
Any thoughts or suggestions on what is best practice here to isolate CPE-CPE?
As I see it I have the painful option of using BGP on all CPEs already deployed, or simply using ACLs to only allow traffic from CPE to OSS.
Have you looked into what Cisco calls a half-duplex VRF?
It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.
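As an added illustration of the half-duplex VRF idea raised above (not the poster's or Cisco's own configuration), here is an IOS sketch assuming CPEs terminate as PPP sessions on a virtual template, AS 65000, and constructed RD/RT values and addresses. Ingress traffic from a CPE is looked up only in the upstream VRF, which holds nothing but the default route to OSS, so two CPEs on the same PE cannot reach each other even though their routes sit in the same downstream VRF.

```cisco
! ---- Spoke PE (constructed example) ----
! Upstream VRF "U": only imports the default route exported by the OSS hub.
ip vrf U
 rd 65000:1
 route-target import 65000:100
!
! Downstream VRF "D": receives the per-CPE PPP peer routes and exports
! them to the hub only (no import, so no CPE-to-CPE reachability).
ip vrf D
 rd 65000:2
 route-target export 65000:200
!
ip local pool CPE_POOL 10.10.0.2 10.10.0.254
!
interface Loopback0
 ip vrf forwarding U
 ip address 10.10.0.1 255.255.255.255
!
! "downstream D" makes CPE-originated packets use VRF U for forwarding,
! while the CPE /32 peer route is installed into VRF D.
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback0
 peer default ip address pool CPE_POOL
 ppp authentication chap
!
router bgp 65000
 address-family ipv4 vrf D
  redistribute connected
 exit-address-family
!
! ---- Hub PE (constructed example) ----
! OSS VRF imports all CPE routes and exports only a default route.
ip vrf OSS
 rd 65000:100
 route-target import 65000:200
 route-target export 65000:100
!
! 192.0.2.1 is a constructed placeholder for the OSS-side next hop.
ip route vrf OSS 0.0.0.0 0.0.0.0 192.0.2.1
!
router bgp 65000
 address-family ipv4 vrf OSS
  redistribute static
 exit-address-family
```

Because the half-duplex VRF feature is tied to PPP virtual-access sessions, it only fits if the CPEs already attach over PPPoX or L2TP; for other access types the ACL approach mentioned in the question remains the fallback.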