CE-to-CE filtering

cisco_lad2004 (Level 5)

I am working on securing our current set-up, where the management VPN for CPEs is not as restrictive as I would like it to be.

At present any CPE can access any other CPE, as the VRF definition is the same for all CPE management as well as the OSS (hub).

What I want to achieve is to allow CPEs to reach the OSS but never communicate with each other.

I use a default route from CPE to PE; if I had BGP I could filter out all CPE ranges.

I looked into playing with import/export route targets. I cannot see how I can isolate two CPEs connected to the same PE (while keeping the same RD and RT import/export).

Making the OSS a hub and the CPEs spokes is not a problem.

Any thoughts or suggestions on what is best practice here to isolate CPE-CPE?

As I see it I have the painful option of using BGP on all CPEs already deployed, or simply using ACLs to only allow traffic from CPE to OSS.

TIA

Sam

1 Accepted Solution: Greg's half-duplex VRF reply, below.

9 Replies

guruprasadr (Level 7)

Hi Sam, [Pls RATE if HELPS]

If your requirement is as below:

HO Side:
=========
ip vrf 1012-XYZ-Hub
 rd xxxx:1012
 route-target export xxxx:101012
 route-target import xxxx:101012
 route-target import xxxx:xxxx
 route-target import xxxx:101014
!
>> Import only the BO Side RT values
>> Export & Import the HO RT values

BO Side:
=========
!
ip vrf 1014-XYZ-Spoke2
 rd xxxx:1014
 route-target export xxxx:101014
 route-target import xxxx:101012
!
>> Import the HO Side RT values
>> Export the BO Side RT values

Note: "xxxx" is the ISP AS number.

This approach will help in avoiding CPE-CPE access for CPEs landing on the same PEs; nevertheless each will access only the HO. Use a unique RD value for each spoke location.

Hope I am informative.

Pls RATE if HELPS

Best Regards,

Guru Prasad R

Hi,

You can also use the import map command.

Regards,

Ashish Gupta

Thank you both for the replies.

I have actually already played with the above options, including an export map from the OSS or hub mapped to a new extcommunity. However, I was unable to filter a CE out from seeing another CE (when I tested I used BGP so I could see the effects of my filtering).

I have roughly 50 CEs sharing a /24 and terminated in an SVI, which is then placed into a management VRF.

I will retest tomorrow with exactly the same as suggested above and feed back the output results.

Thanks again

Sam

Here is my config, exactly the same as you suggested. The OSS has all routes, which is what I want; however the CPEs still have each other's prefixes. Both CPEs are on the same PE.

ip vrf mgmt
 rd as:100
 export map OSS
 route-target export as:100
 route-target import as:100
 route-target import as:200
!
ip vrf mgmt_cpe
 rd as:200
 route-target export as:200
 route-target import as:100
!
! prefix-list OSS (not shown in the post) matches the OSS prefixes to be leaked
route-map OSS permit 10
 match ip address prefix-list OSS
 set extcommunity rt as:100

The export map is not strictly needed here, but I am using it to have more control over which OSS prefixes I leak to the CPE VRF.

Sam

Hi,

Remove "route-target import as:100" from the mgmt VRF.

Regards,

Ashish Gupta

It won't make a difference.

In fact I have shut down the BGP session to the OSS, so there are only two sessions, towards CPE1 and CPE2, under the mgmt VRF. At the same time I removed both the import and export definitions... the CPEs are still seeing each other's prefixes!

Both CPEs are on the same NPE.

Sam

!
ip vrf mgmt_cpe
 rd as:200
!
! (the address-family below sits under "router bgp <ISP AS>"; the AS number is not shown in the post)
 address-family ipv4 vrf mgmt_cpe
  redistribute connected
  neighbor 172.16.150.2 remote-as 65001
  neighbor 172.16.150.2 activate
  neighbor 172.16.150.2 send-community both
  neighbor 172.16.160.2 remote-as 65002
  neighbor 172.16.160.2 activate
  neighbor 172.16.160.2 send-community both
  no synchronization
 exit-address-family
!

It seems that the only way I can achieve this is to use a different RD for each CPE, and since the CPEs are connected to the same PE, I must use a separate VRF, which is rather cumbersome.

The only option I have is to use ACLs to restrict CE-CE traffic.

I hope someone has a better idea!

Sam
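The ACL approach Sam settles on in the post above is the direct fix for CEs that share one VRF on one PE. Route-target import and export only act on routes that cross between VRFs over MP-BGP; two CEs whose prefixes sit directly in the same VRF table on the same PE reach each other through that table, which is why removing the route targets changed nothing in the test. The configuration below is an added example, not configuration from the thread: the addressing (CPE management subnet 172.16.150.0/24 on Vlan150 with the PE at 172.16.150.1, OSS hub subnet 10.10.0.0/24) and the access-port range Gi1/0/1-48 are assumptions.

```cisco
! Added example; addressing and port range are assumptions, not values from the thread.
! Inbound on the CPE-facing SVI: a CPE may talk to its PE and to the OSS hub, nothing else.
ip access-list extended CPE-TO-OSS-ONLY
 remark keep the PE itself reachable (default gateway; BGP and ping if the CPE peers with it)
 permit tcp 172.16.150.0 0.0.0.255 host 172.16.150.1 eq bgp
 permit icmp 172.16.150.0 0.0.0.255 host 172.16.150.1
 remark management traffic from any CPE to the OSS hub
 permit ip 172.16.150.0 0.0.0.255 10.10.0.0 0.0.0.255
 remark everything else a CPE sources, including traffic to another CPE, is dropped and logged
 deny ip any any log
!
interface Vlan150
 description CPE management SVI, vrf mgmt
 ip vrf forwarding mgmt
 ip address 172.16.150.1 255.255.255.0
 ip access-group CPE-TO-OSS-ONLY in
!
! The ACL only sees routed packets. CPEs in the same VLAN and subnet reach each other
! at layer 2 without touching the SVI, so the access ports have to be isolated as well
! (assumes the CPEs hang off ports of the same Catalyst switch).
interface range GigabitEthernet1/0/1 - 48
 switchport access vlan 150
 switchport protected
```

The ACL is applied inbound on the SVI, so only CPE-sourced packets are evaluated; return traffic from the OSS arrives over the MPLS core and is unaffected. If the CPEs source management sessions from loopbacks or a LAN prefix behind them, add those ranges to the permit lines, otherwise the final deny will drop them. `switchport protected` isolates ports on one switch only; across switches the same effect needs a private VLAN.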

Have you looked into what Cisco calls a half-duplex VRF?

It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.

-Greg
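Greg's suggestion, as an added example rather than configuration from the thread or from Cisco's documentation: a half-duplex VRF binds two VRFs to the CPE-facing interface, an upstream VRF used to look up packets received from a CPE and a downstream VRF used to look up packets sent towards a CPE. The upstream VRF imports only what the hub exports, so a CPE never has a route to another CPE, even one on the same PE, while the downstream VRF still exports the CPE routes so the OSS can reach them. The hub VRF keeps Sam's "mgmt" name; AS 65000, the VRF names mgmt_up and mgmt_down, Loopback2, the address pool and the RT values are assumptions.

```cisco
! Added example; AS number, VRF names, RTs, Loopback2 and the pool are assumptions.
!
! Hub PE: exports the OSS prefixes (RT 65000:100), imports the CPE prefixes (RT 65000:200).
! Export only the OSS prefixes here (Sam's export map does this); a default route exported
! from the hub would let CPE-to-CPE traffic hairpin through the hub instead of being dropped.
ip vrf mgmt
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:200
!
! Spoke PE, upstream VRF: lookup table for packets ARRIVING from a CPE.
! It imports only the hub RT, so it holds the OSS routes and nothing about other CPEs.
ip vrf mgmt_up
 rd 65000:201
 route-target import 65000:100
!
! Spoke PE, downstream VRF: lookup table for packets going TOWARDS a CPE.
! It holds the CPE routes and exports them so the hub can reach the CPEs.
ip vrf mgmt_down
 rd 65000:200
 route-target export 65000:200
!
! Unnumbered source address for the CPE sessions; placed in the downstream VRF.
interface Loopback2
 ip vrf forwarding mgmt_down
 ip address 172.16.150.1 255.255.255.255
!
! The half-duplex binding: ip vrf forwarding <upstream> downstream <downstream>
interface Virtual-Template1
 ip vrf forwarding mgmt_up downstream mgmt_down
 ip unnumbered Loopback2
 peer default ip address pool CPE-POOL
 ppp authentication chap
!
ip local pool CPE-POOL 172.16.150.2 172.16.150.254
!
router bgp 65000
 ! CPE host routes land in the downstream VRF and are advertised to the hub from there
 address-family ipv4 vrf mgmt_down
  redistribute connected
 exit-address-family
 ! nothing to originate from the upstream VRF; it only receives the hub's routes
 address-family ipv4 vrf mgmt_up
 exit-address-family
```

One caveat matches Greg's hedge: Cisco configures this feature on a Virtual-Template, that is on PPP virtual-access sessions, whereas Sam's CPEs terminate on an SVI. Check the platform's feature support for half-duplex VRF on the interface type actually in use before building the design around it.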

Greg,

This is exactly what I am after.

I will put it to the test.

Many thanks

Sam
