L2TP traffic will be terminated in your global VRF, which is usually the GRT. After de-encapsulation, your user traffic will be routed using the routing table of the VRF received from RADIUS, so you definitely need an interface on the router belonging to this VRF, on which you will route this traffic.
You need to know where the user traffic, once de-encapsulated, must be routed, as I suppose the final destination is not the router itself, so it can't be a loopback interface. It must be a physical interface or subinterface.
Once you have identified this interface, you need to add it to the VRF associated with your user and configure the routing policy accordingly so the router will have a route to reach the final destination.
You could have a default static route for each VRF pointing to your T1 interface, but as your PPP session is bound to a dynamic virtual-access interface, you can't have a specific route in the GRT for the returning traffic pointing to this virtual-access, as it can change after tunnel re-negotiation.
I see two solutions to meet your requirement:
1- Split your T1 into multiple sub-interfaces: one to terminate L2TP traffic and one for each VRF. It will work if your SP provides L3VPN services.
2- Don't use VRF
2a- Apply an ACL on the virtual-template to block CPE-CPE traffic
2b- Use a proxy for Internet access. The CPE only needs to reach the proxy to reach the Internet, so you could deploy a simple ACL on all the CPEs allowing only traffic to your internal servers, including the proxy.
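
A sketch of option 2a as an IOS configuration fragment, added here as an illustration and not taken from the post. It also applies the 2b allow-list centrally on the LNS rather than on each CPE, which is a variation on what the post describes. The template number, ACL name, addresses and proxy port are all assumptions.

```cisco
! Added example, not from the original post.
! Assumed (constructed) values:
!   CPE address pool handed out over PPP : 10.255.0.0/24
!   internal servers                     : 192.0.2.0/24
!   web proxy                            : 198.51.100.10, TCP 3128
!   virtual-template used by the VPDN group : Virtual-Template1
! Assumes CPE traffic arrives sourced from the pool (e.g. the CPE NATs its LAN).
!
ip access-list extended CPE-ISOLATE
 remark 2a - drop traffic from one CPE session to another
 deny   ip 10.255.0.0 0.0.0.255 10.255.0.0 0.0.0.255
 remark 2b - allow only the proxy and the internal servers
 permit tcp 10.255.0.0 0.0.0.255 host 198.51.100.10 eq 3128
 permit ip 10.255.0.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark everything else is dropped and logged
 deny   ip any any log
!
! Each virtual-access interface is cloned from the template, so the
! filter follows the session even when the virtual-access number
! changes after tunnel re-negotiation.
interface Virtual-Template1
 ip access-group CPE-ISOLATE in
```

Because the ACL is applied inbound on the template, it filters traffic as it leaves the PPP session and before any routing decision, so no per-session route or per-session filter is needed.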