
ASR place Subscriber session in a VRF

Hello Everybody,

I realized the following IPoE scenario:



- IP address assignment: DHCP-server-radius-proxy (Circuit-id, remote-id)

- Subscriber sessions authenticated: session initiator source ip-address


Subscribers use 3 channels depending on the VLAN they are connected to,

so I thought of assigning a VRF to each session through the Cisco-AV-Pair attribute:


"Cisco-AVPair", "+=", "ip:vrf-id=beeline"


For the policy to work, it is necessary to configure a multiservice interface for each VRF (it should act as a boundary between the VRF routing table and the default routing table).

So I did (let's take the beeline channel for example):


interface multiservice 1
 ip vrf forwarding beeline
 ip address a.a.a.a
 no keepalive


It all works fine: the IP is assigned, the session is authenticated, the traffic goes out through the right VRF... but it does not go back to the subscriber. The multiservice interface does not forward traffic to the subscriber.


In the routing table of the VRF beeline I see this route: via multiservice1


If I try to ping the subscriber's IP from the VRF:


ping vrf beeline 

It works!! The traffic reaches the subscriber with the source IP of the multiservice interface (and then manages to get out of the VRF)... but the traffic from the internet seems to hang in the VRF.


I tried to use the primary service:


policy-map type service VPN
 ip vrf forwarding beeline
 sg-service-type primary


and to assign the policy via the attribute Cisco-Account-Info:

"Cisco-Account-Info", "+=", "AVPN"


but in this way the session is not even authenticated and nothing works...


I've been searching everywhere but I can't find a solution... (I only find information about VPN services, but that's not my case.)


Maybe I could use PBR to forward traffic based on source IP, but I don't know how to do it in this case.



Thanks for your help.