CE-to-CE filtering

cisco_lad2004
Level 5

I am working on securing our current setup, where the management VPN for CPEs is not as restrictive as I would like it to be.

At present any CPE can access any other CPE, as the VRF definition is the same for all CPE management as well as the OSS (hub).

What I want to achieve is to allow CPEs to reach the OSS but never communicate with each other.

I use default route from CPE to PE, if I had BGP I could filter out all CPE ranges.

I looked into playing with import/export route targets. I cannot see how I can isolate 2 CPEs connected to same PE (while keeping same RD and RT imp/exp).

Making the OSS a hub and the CPEs spokes is not a problem.

Any thoughts or suggestions on what is best practice here to isolate CPE-CPE?

As I see it I have the painful option of using BGP on all CPEs already deployed, or simply using ACLs to only allow traffic from CPE to OSS.

TIA

Sam


guruprasadr
Level 7

Hi Sam, [Pls RATE if HELPS]

If your requirement is as below:

HO Side:
=========
ip vrf 1012-XYZ-Hub
 rd xxxx:1012
 route-target export xxxx:101012
 route-target import xxxx:101012
 route-target import xxxx:xxxx
 route-target import xxxx:101014

>> Import only the BO Side RT values
>> Export and import the HO RT values

BO Side:
=========
!
ip vrf 1014-XYZ-Spoke2
 rd xxxx:1014
 route-target export xxxx:101014
 route-target import xxxx:101012
!

>> Import the HO Side RT values
>> Export the BO Side RT values

Note: "xxxx" is the ISP AS number.

This approach will help in avoiding CPE-CPE access for CPEs landing on the same PE; nevertheless, each will access only the HO. Use a unique RD value for each spoke location.

Hope I am Informative

Pls RATE if HELPS

Best Regards,

Guru Prasad R

Hi,

You can also use the import map command.

Regards,

Ashish Gupta

thank you both for replies.

I have actually already played with the above options, including an export map from the OSS or hub mapped to a new extcommunity. However, I was unable to filter things so that one CE could not see another CE (when I tested I used BGP so I could see the effects of my filtering).

I have 50 CEs roughly sharing a /24 and terminated in an SVI which is then placed into a mngt VRF.

I will re-test tomorrow with exactly the same as suggested above and feed back with output results.

Thanks again

Sam

Here is my config, exactly the same as you suggested. The OSS has all routes, which is what I want; however, the CPEs still have each other's prefixes. Both CPEs are on the same PE.

ip vrf mgmt
 rd as:100
 export map OSS
 route-target export as:100
 route-target import as:100
 route-target import as:200
!
ip vrf mgmt_cpe
 rd as:200
 route-target export as:200
 route-target import as:100
!
route-map OSS permit 10
 match ip address prefix-list OSS
 set extcommunity rt as:100

The export map is not strictly needed here, but I am using it to have more control over the OSS prefixes I want to leak to the CPE VRF.

Sam

Hi,

Remove route-target import as:100 from the mgmt VRF.

Regards,

Ashish Gupta

It won't make a difference.

In fact, I have shut down the BGP session to the OSS, so there are only 2 sessions, towards CPE1 and CPE2, under the mgmt VRF. At the same time, I removed both the import and export definitions... the CPEs are still seeing each other's prefixes!

Both CPEs are on the same NPE.

Sam

!
ip vrf mgmt_cpe
 rd as:200
!
address-family ipv4 vrf mgmt_cpe
 redistribute connected
 neighbor 172.16.150.2 remote-as 65001
 neighbor 172.16.150.2 activate
 neighbor 172.16.150.2 send-community both
 neighbor 172.16.160.2 remote-as 65002
 neighbor 172.16.160.2 activate
 neighbor 172.16.160.2 send-community both
 no synchronization
exit-address-family
!

It seems that the only way I can achieve this is to use a different RD for each CPE, and since the CPEs are connected to the same PE, I must use a separate VRF per CPE, which is rather cumbersome.

The only option I have is to use ACLs to restrict CE-CE traffic.

I hope someone has a better idea !

Sam
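Sam's finding above (removing the import/export statements and even the OSS session changes nothing for two CPEs on the same PE) follows from where route-target filtering applies: only to routes imported from other VRFs via VPNv4, never to routes that are already in one VRF's own RIB because both CEs attach to it. The Python model below is an added example, not part of this thread or of any Cisco code, that makes this concrete. It uses constructed prefixes (10.0.0.0/24 for the OSS, 172.16.150.0/24 and 172.16.160.0/24 for CPE1 and CPE2, chosen to match the neighbor addresses in Sam's config) and the same "as:" RT notation; it models RT matching and a shared local RIB only, not the half-duplex VRF feature.

```python
# Added example (not from the thread or from Cisco): a toy model of how routes
# move between VRFs in an MPLS VPN. Two rules are modelled:
#   1. a VRF's RIB contains every route its directly attached CEs advertise;
#   2. a VRF imports a route from another VRF (via VPNv4) only if one of the
#      route's export RTs matches one of its own import RTs.
# Prefixes below are constructed for the example; "as:" stands for the ASN
# exactly as in Sam's posted config.
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    ces: dict = field(default_factory=dict)  # CE name -> prefix it advertises

    def local_routes(self):
        """Everything in this VRF's own RIB: the routes its attached CEs send."""
        return set(self.ces.values())


def vpnv4_table(vrfs):
    """VPNv4 table as (rd, prefix, export RTs) for every route each VRF exports."""
    return [(v.rd, p, v.export_rt) for v in vrfs for p in v.local_routes()]


def routes_seen_by(ce, vrfs):
    """Prefixes a CE learns: its VRF's local RIB plus any VPNv4 route whose RTs
    match the VRF's import RTs. The CE's own prefix is left out for clarity."""
    vrf = next(v for v in vrfs if ce in v.ces)
    seen = vrf.local_routes()
    for rd, prefix, rts in vpnv4_table(vrfs):
        if rd != vrf.rd and rts & vrf.import_rt:  # RT filtering only applies here
            seen.add(prefix)
    seen.discard(vrf.ces[ce])
    return seen


# Constructed prefixes for the example.
OSS_NET, CPE1_NET, CPE2_NET = "10.0.0.0/24", "172.16.150.0/24", "172.16.160.0/24"


def shared_vrf_scenario(cpe_import_rt=frozenset({"as:100"})):
    """Sam's layout: OSS in VRF mgmt, both CPEs in one VRF mgmt_cpe on the same PE.
    cpe_import_rt lets you try tightening or removing mgmt_cpe's imports."""
    mgmt = Vrf("mgmt", "as:100", frozenset({"as:100"}),
               frozenset({"as:100", "as:200"}), {"OSS": OSS_NET})
    mgmt_cpe = Vrf("mgmt_cpe", "as:200", frozenset({"as:200"}), cpe_import_rt,
                   {"CPE1": CPE1_NET, "CPE2": CPE2_NET})
    vrfs = [mgmt, mgmt_cpe]
    return {ce: routes_seen_by(ce, vrfs) for ce in ("OSS", "CPE1", "CPE2")}


def per_spoke_vrf_scenario():
    """Hub-and-spoke RTs with one VRF and a unique RD per CPE: spokes export
    as:200 and import only the hub's as:100, so they never import each other."""
    hub = Vrf("hub", "as:100", frozenset({"as:100"}), frozenset({"as:200"}),
              {"OSS": OSS_NET})
    spoke1 = Vrf("spoke1", "as:201", frozenset({"as:200"}), frozenset({"as:100"}),
                 {"CPE1": CPE1_NET})
    spoke2 = Vrf("spoke2", "as:202", frozenset({"as:200"}), frozenset({"as:100"}),
                 {"CPE2": CPE2_NET})
    vrfs = [hub, spoke1, spoke2]
    return {ce: routes_seen_by(ce, vrfs) for ce in ("OSS", "CPE1", "CPE2")}


if __name__ == "__main__":
    print("shared VRF:", shared_vrf_scenario())
    print("shared VRF, no imports:", shared_vrf_scenario(frozenset()))
    print("per-spoke VRF:", per_spoke_vrf_scenario())
```

Compare CPE1's view in the two scenarios: in the shared VRF it holds CPE2's prefix even when `shared_vrf_scenario(frozenset())` strips every import, which is the behaviour the BGP test in the thread showed, whereas in the per-spoke layout only the OSS prefix remains. Route visibility is only half the story, though: the PE still forwards between two CEs on the same SVI, so an ACL on that interface is what actually enforces the CE-CE restriction.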

Have you looked into what Cisco calls a half-duplex VRF?

It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.

-Greg

Greg,

This is exactly what I am after.

I will put it to the test.

Many thanks

Sam