Hub and Spoke VPNs

Dear All,
I need to implement a hub and spoke scenario where the spoke sites must communicate with each other via the hub site. The topology is given below, where CE1 is the Hub and CE2, CE3 and CE4 are Spokes. All sites use BGP as the PE-CE protocol.

To achieve this, I have established two links and two EBGP peerings between Hub CE1 and PE1. On Hub site PE1, I have configured two routing-instances. In one routing-instance, PE1 receives routes from all Spoke CEs and forwards them to CE1 but does not export any routes. In the second routing-instance, CE1 forwards all routes received on the Spoke BGP peering, as well as its own routes, to PE1. PE1 advertises these to remote/Spoke PEs/CEs.
All routes are good on PEs and CEs, and traffic between the Spoke PEs is flowing via the Hub site, except for one problem. The problem is how to stop CE3 from communicating with CE4 directly and ensure that they communicate via the Hub site?

Any help would be highly appreciated.


    Is this site-2-site IPSec VPN or MPLS VPN? It seems to me that this is an MPLS VPN. Are you running JunOS devices? Let's see a sample config.
