I believe you can just deny by default and allow traffic from the registered address blocks under each interface, on incoming interfaces at your central router (and sub-routers). Nice short list.

-george william herbert gherbert at crl.com
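
An added example, not part of the original post: a small Python model of the rule described above (default deny, permit a packet only when its source lies inside a block registered on the interface it arrived on). The interface names and the documentation prefixes are constructed assumptions.

```python
import ipaddress

# Constructed sample: ingress interface -> address blocks registered behind it.
# Interface names and prefixes (documentation ranges) are assumptions.
REGISTERED = {
    "eth1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/26"],
}


def build_filters(registered):
    """Parse each interface's prefix list once; a malformed prefix raises ValueError."""
    return {
        ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for ifname, prefixes in registered.items()
    }


def permit(filters, ifname, src):
    """Return True only if src is inside a block registered on ifname.

    Unknown interface, unparsable source, or a source that belongs to
    another interface's block all fall through to the default deny.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    for net in filters.get(ifname, ()):
        if addr.version == net.version and addr in net:
            return True
    return False  # default deny


FILTERS = build_filters(REGISTERED)

if __name__ == "__main__":
    # Constructed packets: (ingress interface, claimed source address).
    sample = [
        ("eth1", "192.0.2.10"),      # registered on eth1
        ("eth2", "192.0.2.10"),      # eth1's block arriving on eth2: spoofed
        ("eth2", "198.51.100.200"),  # outside both eth2 blocks
        ("eth0", "192.0.2.10"),      # interface with no registered blocks
    ]
    for ifname, src in sample:
        print(ifname, src, "permit" if permit(FILTERS, ifname, src) else "deny")
```
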