CE-to-CE filtering

Jun 9th, 2008

I am working on securing our current setup, where the management VPN for CPEs is not as restrictive as I would like it to be.


At present any CPE can access any other CPE, as the VRF definition is the same for all CPE management as well as the OSS (hub).


What I want to achieve is to allow CPEs to reach the OSS but never communicate with each other.

I use a default route from CPE to PE; if I had BGP I could filter out all CPE ranges.


I looked into playing with import/export route targets. I cannot see how I can isolate 2 CPEs connected to the same PE (while keeping the same RD and RT import/export).

Making the OSS a hub and the CPEs spokes is not a problem.

Any thoughts or suggestions on what is best practice here to isolate CPE-CPE?


As I see it I have the painful option of using BGP on all CPEs already deployed, or simply using ACLs to only allow traffic from CPE to OSS.


TIA


Sam

guruprasadr Mon, 06/09/2008 - 07:23

Hi Sam,


If your requirement is as below:


HO Side:
=========
ip vrf 1012-XYZ-Hub
 rd xxxx:1012
 route-target export xxxx:101012
 route-target import xxxx:101012
 route-target import xxxx:xxxx
 route-target import xxxx:101014


>> Import only the BO Side RT Values

>> Export & Import the HO RT Values


BO Side:
=========
!
ip vrf 1014-XYZ-Spoke2
 rd xxxx:1014
 route-target export xxxx:101014
 route-target import xxxx:101012
!


>> Import the HO Side RT Values

>> Export the BO Side RT Values


Note: "xxxx" is the ISP AS number.


This approach will help in avoiding CPE-CPE access for CPEs landing on the same PEs; nevertheless each will access only the HO. Use a unique RD value for each spoke location.


Hope I am informative.


Best Regards,


Guru Prasad R

cisco_lad2004 Mon, 06/09/2008 - 09:44

Thank you both for the replies.


I have actually already played with the above options, including an export map from the OSS or hub mapped to a new extcommunity. However, I was unable to filter out a CE seeing another CE (when I tested I used BGP so I could see the effects of my filtering).


I have roughly 50 CEs sharing a /24 and terminated on an SVI, which is then placed into a management VRF.


I will re-test tomorrow with exactly the same as suggested above and feed back the output results.


Thanks again


Sam



cisco_lad2004 Mon, 06/09/2008 - 22:19

Here is my config, exactly the same as you suggested. The OSS has all routes, which is what I want; however the CPEs still have each other's prefixes. Both CPEs are on the same PE.


ip vrf mgmt
 rd as:100
 export map OSS
 route-target export as:100
 route-target import as:100
 route-target import as:200
!
ip vrf mgmt_cpe
 rd as:200
 route-target export as:200
 route-target import as:100
!
route-map OSS permit 10
 match ip address prefix-list OSS
 set extcommunity rt as:100


The export map is not entirely needed here, but I am using it to have more control over the OSS prefixes I want to leak to the CPE VRF.



Sam


ashish_gupta Mon, 06/09/2008 - 23:44

Hi


Remove route-target import as:100 from the mgmt VRF.


regards

Ashish gupta

cisco_lad2004 Tue, 06/10/2008 - 00:06

It won't make a difference.


In fact I have shut down the BGP session to the OSS, so there are only 2 sessions, towards CPE1 and CPE2, under the mgmt VRF. At the same time, I removed both the import and export definitions... the CPEs are still seeing each other's prefixes!


Both CPEs are on the same NPE.


Sam


!
ip vrf mgmt_cpe
 rd as:200
!
address-family ipv4 vrf mgmt_cpe
 redistribute connected
 neighbor 172.16.150.2 remote-as 65001
 neighbor 172.16.150.2 activate
 neighbor 172.16.150.2 send-community both
 neighbor 172.16.160.2 remote-as 65002
 neighbor 172.16.160.2 activate
 neighbor 172.16.160.2 send-community both
 no synchronization
exit-address-family
!



cisco_lad2004 Tue, 06/10/2008 - 01:05

It seems that the only way I can achieve this is to use a different RD for each CPE, and since the CPEs are connected to the same PE, I must use a separate VRF, which is rather cumbersome.


The only option I have is to use ACLs to restrict CE-CE traffic.


I hope someone has a better idea !


Sam

Correct Answer
gjstem Tue, 06/10/2008 - 05:07

Have you looked into what Cisco calls a half-duplex VRF?


It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.


-Greg

cisco_lad2004 Tue, 06/10/2008 - 05:54

Greg,


This is exactly what I am after.

I will put it to the test.


many thanks


Sam
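As an added example (not code from the thread or from Cisco), the following Python model captures the two rules behind Sam's test result and Greg's suggestion: route targets only govern what a VRF imports from MP-BGP, so two CEs that terminate in the same VRF on the same PE see each other's routes no matter how the RTs are set; and a half-duplex VRF split puts the spoke routes in a downstream VRF that only exports, while packets coming from a spoke are looked up in an upstream VRF that only holds the hub routes. The AS number 65000, the OSS prefix and the /30 CE links (chosen to match the 172.16.150.x/160.x neighbours in Sam's config) are constructed; CPE3 on a second PE is an addition to show that the RT design does isolate spokes on different PEs.

```python
"""Toy model of the route-distribution rules behind the thread above.

Two rules are modelled, nothing more:
  * a VRF's local routes (connected networks, routes learned from its own CE
    sessions) go straight into that VRF's table; no route target is consulted;
  * MP-BGP carries every VRF's local routes to every other VRF, tagged with the
    exporting VRF's export RTs, and a VRF installs a carried route only if it
    has one of the route's RTs configured as an import RT.
Longest-prefix matching, labels and RD collisions are left out on purpose.
"""
from dataclasses import dataclass, field

# Assumed ISP AS number and RT values; the thread only shows "as:100" / "as:200".
HUB_RT, SPOKE_RT = "65000:100", "65000:200"

# Constructed prefixes: an OSS subnet and /30 CE links matching the thread's
# neighbour addresses (172.16.150.2, 172.16.160.2). CPE3 is an extra CPE on a
# second PE that the thread does not have.
OSS = "10.0.0.0/24"
CPE1 = "172.16.150.0/30"
CPE2 = "172.16.160.0/30"
CPE3 = "172.16.170.0/30"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset = frozenset()
    import_rts: frozenset = frozenset()
    local: dict = field(default_factory=dict)     # prefix -> origin
    imported: dict = field(default_factory=dict)  # prefix -> origin

    def rib(self):
        """Routing table as the VRF sees it; local routes win over imported."""
        return {**self.imported, **self.local}


def distribute(pes):
    """One round of VPNv4 exchange; pes maps PE name -> list of its VRFs."""
    vpnv4 = [(pe, vrf.name, prefix, vrf.export_rts, origin)
             for pe, vrfs in pes.items()
             for vrf in vrfs
             for prefix, origin in vrf.local.items()]
    for pe, vrfs in pes.items():
        for vrf in vrfs:
            # A VRF never re-imports its own advertisements; everything else
            # is accepted only when an export RT matches an import RT.
            vrf.imported = {prefix: origin
                            for src_pe, src_vrf, prefix, rts, origin in vpnv4
                            if (src_pe, src_vrf) != (pe, vrf.name)
                            and rts & vrf.import_rts}


def shared_vrf_scenario():
    """The thread's design: hub VRF exports HUB_RT / imports SPOKE_RT, spoke
    VRFs the reverse. CPE1 and CPE2 share mgmt_cpe on PE1; CPE3 sits on PE2."""
    hub = Vrf("mgmt", "65000:100", {HUB_RT}, {SPOKE_RT}, local={OSS: "PE-OSS"})
    spoke_pe1 = Vrf("mgmt_cpe", "65000:200", {SPOKE_RT}, {HUB_RT},
                    local={CPE1: "PE1/cpe1", CPE2: "PE1/cpe2"})
    spoke_pe2 = Vrf("mgmt_cpe", "65000:200", {SPOKE_RT}, {HUB_RT},
                    local={CPE3: "PE2/cpe3"})
    distribute({"PE-OSS": [hub], "PE1": [spoke_pe1], "PE2": [spoke_pe2]})
    return {"hub": sorted(hub.rib()),
            "pe1_cpe_vrf": sorted(spoke_pe1.rib()),   # CPE1 and CPE2 see each other
            "pe2_cpe_vrf": sorted(spoke_pe2.rib())}   # CPE3 sees only the OSS


def half_duplex_scenario():
    """Half-duplex VRF split as Cisco documents it (assumed here): spoke routes
    live in a downstream VRF that only exports; lookups for packets coming
    from a spoke use an upstream VRF that only imports the hub routes."""
    hub = Vrf("mgmt", "65000:100", {HUB_RT}, {SPOKE_RT}, local={OSS: "PE-OSS"})
    upstream = Vrf("mgmt_up", "65000:300", frozenset(), {HUB_RT})
    downstream = Vrf("mgmt_down", "65000:200", {SPOKE_RT}, frozenset(),
                     local={CPE1: "PE1/cpe1", CPE2: "PE1/cpe2"})
    distribute({"PE-OSS": [hub], "PE1": [upstream, downstream]})
    return {"hub": sorted(hub.rib()),
            "spoke_lookup_table": sorted(upstream.rib()),
            "cpe1_can_reach_cpe2": CPE2 in upstream.rib(),
            "cpe1_can_reach_oss": OSS in upstream.rib(),
            "oss_can_reach_cpe2": CPE2 in hub.rib()}


if __name__ == "__main__":
    for title, result in (("shared VRF", shared_vrf_scenario()),
                          ("half-duplex VRF", half_duplex_scenario())):
        print(title)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

The first scenario reproduces what Sam saw: the hub learns every CPE prefix, PE2's spoke VRF learns only the OSS, but PE1's spoke VRF still carries both of its own CPE links as local routes, which is why removing every import and export statement changed nothing. The second scenario shows why the upstream/downstream split closes that gap: the table consulted for a packet from CPE1 never contains CPE2. Not modelled is the part that makes Greg cautious, which to my knowledge is that IOS ties the pair to a virtual-template interface (`ip vrf forwarding <upstream> downstream <downstream>`) for PPP-terminated spokes, so whether it fits CEs terminated on an SVI is something to verify before relying on it.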


