CE-to-CE filtering

Answered Question
Jun 9th, 2008

I am working on securing our current set up where Management VPN for CPE's is not as restrictive as I would like it to be.

At present any CPE can access any other CPE as VRF definition is the same for all CPE MNGT as well OSS (hub).

what I want to acheive is to allow CPEs to reach OSS but never communicate with each other.

I use default route from CPE to PE, if I had BGP I could filter out all CPE ranges.

I looked into playing with import/export route targets. I cannot see how I can isolate 2 CPEs connected to same PE (while keeping same RD and RT imp/exp).

Making OSS as a hub and CPE as spokes is not problem.

Any thoughts or suggestions on what is best practice here to isolate CPE-CPE ?

As I see it I have the painful option of using BGP on all CPEs already deployed. or simply use ACLs to only allow traffic from CPE to OSS.



Correct Answer by gjstem about 8 years 8 months ago

Have looked into what Cisco calls a half-duplex VRF?

It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
guruprasadr Mon, 06/09/2008 - 07:23

HI Sam, [Pls RATE if HELPS]

If your requirement is as below:

HO Side:


ip vrf 1012-XYZ-Hub

rd xxxx:1012

route-target export xxxx:101012

route-target import xxxx:101012

route-target import xxxx:xxxx

route-target import xxxx:101014

>> Import only the BO Side RT Values

>> Export & Import the HO RT Values

BO Side:



ip vrf 1014-XYZ-Spoke2

rd xxxx:1014

route-target export xxxx:101014

route-target import xxxx:101012


>> Import the HO Side RT Values

>> Export the BO Side RT Values

Note:"xxxx" is the ISP AS No#

This Approach, will help in avoiding the CPE-CPE access landing on same PE's nevertheless it will access only the HO. Use Unique RD value for each SPOKE Location.

Hope I am Informative


Best Regards,

Guru Prasad R

cisco_lad2004 Mon, 06/09/2008 - 09:44

thank you both for replies.

I have actually already played with above options, including export map from OSS or Hub mapped to a new extcommunity. However, I was unable to filter out CE to see another CE (when I tested I used BGP so I can see the effects of my filtering).

I have 50 CEs roughly sharing a /24 and terminated in an SVI which is then placed into a mngt VRF.

I will re test tomorrow with exactely the same as suggested above and feed back with output results.

Thanks again


cisco_lad2004 Mon, 06/09/2008 - 22:19

here is my config, excately same as u suggested. OSS has all routes which is what I want, howver CPEs have eachother prefixes still. both CPE are on same PE.

ip vrf mgmt

rd as:100

export map OSS

route-target export as:100

route-target import as:100

route-target import as:200


ip vrf mgmt_cpe

rd as:200

route-target export as:200

route-target import as:100


route-map OSS permit 10

match ip address prefix-list OSS

set extcommunity rt as:100

export map is not entirely needed here, but I am using it to have more control on OSS prefixes I want to leak to CPE vrf.


ashish_gupta Mon, 06/09/2008 - 23:44


remove route-target import as:100 . from the mgmt.


Ashish gupta

cisco_lad2004 Tue, 06/10/2008 - 00:06

it wont make a difference.

in fact I have shit down BGP session to OSS , so only 2 sessions towards CPE1 , and CPE2 under mgmt vrf. at same time, I removed both import and export definition....CPEs are still seeing eachother prefixes !

both CPEs are on same NPE.



ip vrf mgmt_cpe

rd as:200


address-family ipv4 vrf mgmt_cpe

redistribute connected

neighbor remote-as 65001

neighbor activate

neighbor send-community both

neighbor remote-as 65002

neighbor activate

neighbor send-community both

no synchronization



cisco_lad2004 Tue, 06/10/2008 - 01:05

It seems that the only way I can achieve this is to use a different RD for each CPE. and since CPE are conncted to same PE, I must use a separate VRF which is rather cumbersome.

the only option I have is to use ACLs to restric t CE-CE traffic.

I hope someone has a better idea !


Correct Answer
gjstem Tue, 06/10/2008 - 05:07

Have looked into what Cisco calls a half-duplex VRF?

It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.


cisco_lad2004 Tue, 06/10/2008 - 05:54


This is excately what I am after.

I will put it to teh test.

many thanks



This Discussion