06-09-2008 05:46 AM
I am working on securing our current set up where Management VPN for CPE's is not as restrictive as I would like it to be.
At present any CPE can access any other CPE as VRF definition is the same for all CPE MNGT as well OSS (hub).
What I want to achieve is to allow CPEs to reach OSS but never communicate with each other.
I use default route from CPE to PE, if I had BGP I could filter out all CPE ranges.
I looked into playing with import/export route targets. I cannot see how I can isolate 2 CPEs connected to same PE (while keeping same RD and RT imp/exp).
Making OSS as a hub and CPE as spokes is not problem.
Any thoughts or suggestions on what is best practice here to isolate CPE-CPE ?
As I see it I have the painful option of using BGP on all CPEs already deployed, or simply using ACLs to only allow traffic from CPE to OSS.
TIA
Sam
06-09-2008 07:23 AM
Hi Sam, [Pls RATE if HELPS]
If your requirement is as below:
HO Side:
=========
ip vrf 1012-XYZ-Hub
 rd xxxx:1012
 route-target export xxxx:101012
 route-target import xxxx:101012
 route-target import xxxx:xxxx
 route-target import xxxx:101014
>> Import only the BO Side RT Values
>> Export & Import the HO RT Values
BO Side:
=========
!
ip vrf 1014-XYZ-Spoke2
 rd xxxx:1014
 route-target export xxxx:101014
 route-target import xxxx:101012
!
>> Import the HO Side RT Values
>> Export the BO Side RT Values
Note:"xxxx" is the ISP AS No#
This approach will help in avoiding CPE-CPE access when they land on the same PEs; nevertheless, each CPE will access only the HO. Use a unique RD value for each spoke location.
Hope I am Informative
Pls RATE if HELPS
Best Regards,
Guru Prasad R
06-09-2008 09:31 AM
Hi
You can also use the import map command.
Regards
Ashish Gupta
06-09-2008 09:44 AM
Thank you both for the replies.
I have actually already played with the above options, including an export map from OSS or Hub mapped to a new extcommunity. However, I was unable to filter out one CE seeing another CE (when I tested I used BGP so I can see the effects of my filtering).
I have 50 CEs roughly sharing a /24 and terminated in an SVI which is then placed into a mngt VRF.
I will re-test tomorrow with exactly the same as suggested above and feed back with output results.
Thanks again
Sam
06-09-2008 10:19 PM
Here is my config, exactly the same as you suggested. OSS has all routes, which is what I want; however, the CPEs still have each other's prefixes. Both CPEs are on the same PE.
ip vrf mgmt
 rd as:100
 export map OSS
 route-target export as:100
 route-target import as:100
 route-target import as:200
!
ip vrf mgmt_cpe
 rd as:200
 route-target export as:200
 route-target import as:100
!
route-map OSS permit 10
 match ip address prefix-list OSS
 set extcommunity rt as:100
The export map is not entirely needed here, but I am using it to have more control over the OSS prefixes I want to leak to the CPE VRF.
Sam
06-09-2008 11:44 PM
Hi
Remove route-target import as:100 from the mgmt VRF.
Regards
Ashish Gupta
06-10-2008 12:06 AM
It won't make a difference.
In fact I have shut down the BGP session to OSS, so there are only 2 sessions, towards CPE1 and CPE2, under the mgmt VRF. At the same time, I removed both the import and export definitions... the CPEs are still seeing each other's prefixes!
Both CPEs are on the same NPE.
Sam
!
ip vrf mgmt_cpe
 rd as:200
!
address-family ipv4 vrf mgmt_cpe
 redistribute connected
 neighbor 172.16.150.2 remote-as 65001
 neighbor 172.16.150.2 activate
 neighbor 172.16.150.2 send-community both
 neighbor 172.16.160.2 remote-as 65002
 neighbor 172.16.160.2 activate
 neighbor 172.16.160.2 send-community both
 no synchronization
exit-address-family
!
06-10-2008 01:05 AM
It seems that the only way I can achieve this is to use a different RD for each CPE. And since the CPEs are connected to the same PE, I must use a separate VRF, which is rather cumbersome.
The only option I have is to use ACLs to restrict CE-CE traffic.
I hope someone has a better idea !
Sam
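To make the behaviour seen in the two configs above concrete, here is a small model of the route-target selection rule on a single PE. This is an added illustration written for this thread, not Cisco code and not anything posted by the participants: a VRF takes in a VPNv4 route only if the route's export RTs intersect the VRF's import RTs, while prefixes that are local to a VRF (connected or learned from a CE in that VRF) are present regardless of any RT. The VRF names, RDs, RTs and prefixes are constructed sample values that follow the thread's as:100 / as:200 layout; the 172.16.150.0/30 and 172.16.160.0/30 CPE links and the 10.0.0.0/24 OSS prefix are assumptions.

```python
"""Toy model of VRF route-target (RT) import/export on one PE.

Added illustration only, not Cisco code. It reproduces two rules:
  1. a VRF imports a VPNv4 route when the route's export RTs intersect
     the VRF's import RTs;
  2. prefixes local to a VRF are in its table with no RT check at all.
All VRF names, RDs, RTs and prefixes are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    rd: str                 # RD of the originating VRF, keeps the VPNv4 NLRI distinct
    prefix: str
    origin_vrf: str         # VRF on this PE that originated the route
    export_rts: frozenset   # extended communities attached on export


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: tuple   # connected / CE-learned prefixes inside this VRF


def advertise(vrfs):
    """Every VRF turns its local prefixes into VPNv4 routes tagged with its export RTs."""
    return [Route(v.rd, p, v.name, v.export_rts) for v in vrfs for p in v.local_prefixes]


def routing_table(vrf, vpnv4_routes):
    """Prefixes a VRF ends up with.

    Local prefixes are always present: RT filtering only decides what is pulled in
    from the VPNv4 table, never what is already inside the VRF. That is why two CEs
    terminated in one VRF see each other whatever the import/export RTs are.
    """
    table = set(vrf.local_prefixes)
    for r in vpnv4_routes:
        if r.origin_vrf != vrf.name and r.export_rts & vrf.import_rts:
            table.add(r.prefix)
    return table


def tables_for(vrfs):
    """Return {vrf name: set of prefixes} for the VRFs on one PE."""
    routes = advertise(vrfs)
    return {v.name: routing_table(v, routes) for v in vrfs}


OSS_PREFIX = "10.0.0.0/24"          # constructed OSS / hub prefix
CPE1_PREFIX = "172.16.150.0/30"     # constructed CPE1 link
CPE2_PREFIX = "172.16.160.0/30"     # constructed CPE2 link

HUB = Vrf("mgmt", "as:100", frozenset({"as:100"}), frozenset({"as:100", "as:200"}), (OSS_PREFIX,))


def shared_cpe_vrf():
    """Both CPEs terminate in one mgmt_cpe VRF with hub-and-spoke RTs, as in the thread."""
    spokes = Vrf("mgmt_cpe", "as:200", frozenset({"as:200"}), frozenset({"as:100"}),
                 (CPE1_PREFIX, CPE2_PREFIX))
    return tables_for([HUB, spokes])


def per_cpe_vrf():
    """Each CPE in its own VRF with a unique RD; the RTs are unchanged."""
    spoke1 = Vrf("cpe1", "as:201", frozenset({"as:200"}), frozenset({"as:100"}), (CPE1_PREFIX,))
    spoke2 = Vrf("cpe2", "as:202", frozenset({"as:200"}), frozenset({"as:100"}), (CPE2_PREFIX,))
    return tables_for([HUB, spoke1, spoke2])


if __name__ == "__main__":
    for label, design in (("shared CPE VRF", shared_cpe_vrf), ("per-CPE VRF", per_cpe_vrf)):
        print(label)
        for name, prefixes in design().items():
            print(f"  {name:9s} {sorted(prefixes)}")
```

Running it shows that in the shared design mgmt_cpe holds both CPE links (they are local, so the RTs never get a say), while in the per-CPE design each spoke VRF holds only its own link plus the OSS prefix and the hub holds everything. The model ignores the RD when deciding imports, which matches the thread's observation that changing RTs alone cannot separate two CEs in the same VRF; the unique RD per spoke matters for keeping the VPNv4 NLRI distinct once the spokes are in separate VRFs.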
06-10-2008 05:07 AM
Have you looked into what Cisco calls a half-duplex VRF?
It removes the critical requirement for a separate VRF per customer but I'm not sure the solution meets all of your needs.
-Greg
06-10-2008 05:54 AM
Greg,
This is exactly what I am after.
I will put it to the test.
Many thanks
Sam