Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Manage Prefixes on a CE in MPLS VPN

Hi everyone,

In a MPLS VPN with a PE and a CE in a site A,

How can I allow the access of only certain PCs in the site, which can access at the CE,to send traffic to the PE ?

 

Example, Here we have the prefixes p2 p4  and p5 at site2. p2 is both in VPN v1 and v2. p4 is only in VPN v1. p5 is not part of anything.

How can I configure a cisco CE (in this case the CE2) to discipline the access to the PE ? How can I say "p2 can talk with p1 and p3" and " p4 can talk only with p1 at site 1" and " p5 cannot communicate with anyone ?" How can CE2 discriminate the access at PE just looking at the prefix who made the request ? I need the esact Cisco configuration for This Network !!! thank you !! 

Everyone's tags (1)
7 REPLIES

Hello, Okey not sure I

Hello,

 

Okey not sure I totally understand the question but from what I read you could be asking 2 things regarding Filtering prefixes reaching the CE:

 

1)Filtering prefixes at the PE:

This can easily be done with Import-Maps

 

2) Filtering at the CE:

Does not have knowledge about the MPLS network so nothing related with MPLS will be done here, instead you will rely on the Routing-Protocol used in order to filter prefixes.

 

Makes sense?

 

Regards,

 

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Dear Julio,so at the CE

Dear Julio,

so at the CE nothing can be done to deny the access from prefix p5 to talk in any vpns, and from p4 to say that it should only talk in the VPN v1 and NOT in the vpn v2 ?

Could you write me the esact configuration of CE( which should run OSPF only ? or BGP?) and of the PE looking at this picture ?? how can I Write this configuration esactly step by step in Cisco language??

 

Thank you very much,

Sincerely

lele

Hello,Well I mean if you are

Hello,

Well I mean if you are talking about Prefix Filtering then the way to go would be that one at the IGP or BGP level.

 

So let's say for OSPF

You want only to install and advertise to your internal routers the prefix 10.0.0.0/24

Config should be something like

access-list 10 permit 10.0.0.0 0.0.0.255

route-map BGP_To_OSPF

match ip address 10

 

router ospf # (Process-ID)

redistribute bgp # (Process-ID) subnets route-map BGP_To_OSPF

 

That's it, Whatever does not is included in the route-map will not be send to the OSPF database.

 

Regards,

 

Jcarvaja

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

dear julio,thank you for your

dear julio,

thank you for your answer.

But I need :

the ESACT  configuration  on that Lab shown, on both CE and PE to say:

1)p5(site s2) cannot talk in any VPNs

2)p4(site s2) can talk ONLY inin VPN v1

3) p2(site s2) can talk both in VPN v1 and v2.

thank you very much,

Sincerely

Hello,

Hello, I think I have helped you so far in order for you to be able to do it by yourself. Sorry man but we are a community that supports clients and people trying to learn. We or at least I do not provide configuration from scratch or like that, I do that for my customers hehe You already have the tools and information to make it happen, Now is your turn to work on this, By the way, remember to rate the helpful posts . For us that's a thanks as we do this for free. Regards, Jcarvaja
Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Hello Jcarvaja,No, you said

Hello Jcarvaja,
No, you said how to not annouce the prefix in BGP annouce(using route-map) that is different from what I asked...

I mean, I need to say :

HOW to AVOID that p5(site s2) could talk in any VPNs. and to say that p4(site s2) can talk ONLY inin VPN v1.

This is what I asked!

Route maps are used only to filter some prefixes in the BGP advertisment which is completly different, can you see ?

Hello, Where did I talk about

Hello,

 

Where did I talk about touching the BGP configuration??

 

access-list 10 permit 10.0.0.0 0.0.0.255

route-map BGP_To_OSPF

match ip address 10

 

router ospf # (Process-ID)

redistribute bgp # (Process-ID) subnets route-map BGP_To_OSPF

 

All the configuration is done on the IGP, no need to play with BGP.

 

The whole point is to filter what the IGP routers will learn.

And of course if you want it to do it at the PE level you can use the VRF Import-Map Feature.

 

Makes sense?

 

Regards,

 

 

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
195
Views
16
Helpful
7
Replies
CreatePlease to create content