Separating client L2TP Traffic

Unanswered Question
Jan 6th, 2009


Assume the SP L2TP tunnel terminates in an interface which is part of VRF global.

Even if you assign the users different VRFs through an AV-Pair in RADIUS when they log in, since everything comes through VRF global, how would it work? I mean, how would you put them in a separate VRF?

I have no active interface on the router for the VRF which the user belongs to. I have a loopback, but when the user authenticates, although I see the VRF is passed by the AV-Pair, nothing happens.

I wonder if someone can help.


Laurent Aubert Tue, 01/06/2009 - 19:48


L2TP traffic will terminate in your VRF global, which is usually the GRT. After de-encapsulation your user traffic will be routed using the routing table of the VRF received from the RADIUS, so you definitely need on the router an interface belonging to this VRF on which you will route this traffic.

Hope this helps



ssg14 Tue, 01/06/2009 - 22:32

Thx Laurent,

So you mean I create at least a loopback for each VRF I want to have and assign the loopbacks to those VRFs correspondingly?

***Since everything comes through one link, I can't have any other interface while it's got no usage.


Laurent Aubert Wed, 01/07/2009 - 08:51

You need to know where the user traffic, once de-encapsulated, must be routed. As I suppose the final destination is not the router itself, it can't be a loopback interface. It must be a physical interface or sub-interface.

Once you have identified this interface, you need to add it to the VRF associated with your user and configure the routing policy accordingly, so the router will have a route to reach the final destination.

It really depends on your design.

Hope this helps



ssg14 Wed, 01/07/2009 - 22:19

Dear Laurent,

Traffic, once de-encapsulated, goes back to the provider again, as in the sample picture I've attached.

VPN or Internet traffic just terminates on the T1, then everything for any destination except one (internal servers) goes back to the provider; the provider just acts as a transit area.

My main purpose is that when these CPEs authenticate, they are not able to see each other's traffic, by placing them into separate VRFs, so I gain better control over them.


Laurent Aubert Thu, 01/08/2009 - 06:42

OK thanks for the update.

You could have a default static route for each VRF pointing to your T1 interface, but as your PPP session is bound to a dynamic virtual-access interface, you can't have a specific route in the GRT for the returning traffic pointing to this virtual-access, as it can change after tunnel re-negotiation.

I see two solutions to meet your requirement:

1- Split your T1 into multiple sub-interfaces: one to terminate L2TP traffic and one for each VRF. It will work if your SP provides L3VPN services.

2- Don't use VRF

2a- Apply an ACL on the virtual-template to block CPE-to-CPE traffic.

2b- Use a proxy for Internet access. CPEs only need to reach the proxy to get to the Internet, so you could deploy a simple ACL on all the CPEs allowing only traffic to your internal servers, including the proxy.
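The following IOS configuration sketch is an added illustration of Laurent's options 1 and 2a, not a config posted in this thread. Everything in it is assumed: the VRF names CUST-A and CUST-B, a T1 on Serial0/0 presented as Frame Relay with DLCIs 16, 17 and 18, documentation address ranges for the sub-interfaces, a CPE pool of 10.10.0.0/16 and an internal server range of 10.20.0.0/24. The per-session VRF assignment itself still comes from the RADIUS AV-Pair as described in the question and is not repeated here.

```cisco
! Added example (assumed names and addresses), not from the original thread.
! VRFs that RADIUS assigns to the PPP sessions.
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
! Option 1: split the T1 into sub-interfaces. The first stays in the global
! table and terminates the L2TP tunnel; the others carry each VRF's
! de-encapsulated traffic back to the provider, which must carry the VRFs
! separately (L3VPN) so that return traffic lands in the right VRF.
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.16 point-to-point
 description L2TP tunnel endpoint (global routing table)
 ip address 192.0.2.1 255.255.255.252
 frame-relay interface-dlci 16
!
interface Serial0/0.17 point-to-point
 description Return path for VRF CUST-A
 ip vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.252
 frame-relay interface-dlci 17
!
interface Serial0/0.18 point-to-point
 description Return path for VRF CUST-B
 ip vrf forwarding CUST-B
 ip address 198.51.100.5 255.255.255.252
 frame-relay interface-dlci 18
!
! One default route per VRF toward the provider side of each sub-interface.
ip route vrf CUST-A 0.0.0.0 0.0.0.0 198.51.100.2
ip route vrf CUST-B 0.0.0.0 0.0.0.0 198.51.100.6
!
! Option 2a: no VRFs; isolate CPEs from each other with an inbound ACL on the
! virtual-template, so every virtual-access interface cloned from it inherits it.
! Order matters: allow CPE -> internal servers first, then drop CPE -> CPE,
! then let everything else (Internet via the provider) through.
ip access-list extended CPE-ISOLATE
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip any any
!
ip local pool CPE-POOL 10.10.0.1 10.10.255.254
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool CPE-POOL
 ip access-group CPE-ISOLATE in
 ppp authentication chap
```

The two halves are alternatives, as in Laurent's list: with option 1 the isolation comes from the separate routing tables and the ACL is unnecessary; with option 2a the router keeps a single global table and the ACL on the virtual-template is the only thing keeping one CPE from reaching another. Verify either design with `show ip route vrf CUST-A` and `show ip access-lists CPE-ISOLATE` after a test session comes up.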



