Hi to all!
I'm building a FlexVPN concentrator for multi-tenant operation, using an ASR 1000-X with a RADIUS server.
I push route prefixes to the client using the ipsec:route-set=prefix RADIUS attribute. It works. But the client can still gain access to other subnets behind the concentrator just by locally adding a static route for any other subnet pointing at this tunnel.
So, here's an example:
/etc/freeradius/users
# user entry (check item only, no reply items)
anton@domain Cleartext-Password := "password"

# policy entry; the reply items below belong to it
# (tab-indented, comma-separated, last item without a trailing comma)
flexvpn-policy Cleartext-Password := "cisco"
	Framed-IP-Netmask = 255.255.255.255,
	Service-Type = Framed-User,
	Cisco-AVPair += "ipsec:addr-pool=flexvpn-devil-pool",
	Cisco-AVPair += "ipsec:route-set=prefix 10.5.16.0/24",
	Cisco-AVPair += "ip:interface-config=vrf forwarding altn-mgmt",
	Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback0"
So, the question is: how can I filter traffic coming from the user side, allowing just the particular subnets that were "pushed" to the client?
Thank you in advance,
Anton
P.S. I know that there is a possibility to add an access-group to the Virtual-Template interface and filter the traffic, but these ACLs must be predefined on the router. This is not suitable for me, because I would like to have a "dynamic" configuration, where prefixes are defined in a database and transmitted to the VPN concentrator via RADIUS...
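Added example (not from the post above): a small generator that derives both the ipsec:route-set push and a per-user inbound ACL from the same tenant prefix list, so the ACL is whatever the database says and not a predefined access-group on the Virtual-Template. It assumes (not confirmed by the post) that the concentrator applies the per-user ACL AVPair ip:inacl#<n>=<ace> to the Virtual-Access interface cloned from the Virtual-Template, and it handles IPv4 prefixes only. The prefix list, policy name, pool and VRF names are constructed sample data; the acl_permits() function only models the ACL decision for checking the output, it is not something the router runs.

```python
"""Generate a FreeRADIUS 'users' entry for a FlexVPN tenant policy.

Added example, not from the original post.  Assumptions (not confirmed by
the post): the concentrator honours the per-user ACL AVPair
'ip:inacl#<n>=<ace>' on the Virtual-Access interface it clones from the
Virtual-Template, and the prefix list comes from the tenant database.
Both the route-set push and the inbound ACL are derived from ONE prefix
list, and the ACL ends with 'deny ip any any', so a client that adds its
own static route into the tunnel still cannot reach other subnets.
"""
import ipaddress


def parse_prefixes(prefixes):
    """Validate tenant prefixes; strict=True rejects host bits (10.5.16.5/24).

    IPv4 only: ipsec:route-set=prefix and the wildcard-mask ACE syntax used
    below are IPv4 forms.
    """
    nets = []
    for p in prefixes:
        n = ipaddress.ip_network(p, strict=True)
        if n.version != 4:
            raise ValueError(f"IPv4 prefix expected, got {p}")
        nets.append(n)
    return nets


def build_users_entry(policy, password, pool, vrf, unnumbered_if, prefixes):
    """Return the text of one 'users' entry (check item + reply items)."""
    nets = parse_prefixes(prefixes)
    reply = [
        "Framed-IP-Netmask = 255.255.255.255",
        "Service-Type = Framed-User",
        f'Cisco-AVPair += "ipsec:addr-pool={pool}"',
    ]
    # Routes pushed to the client, one AVPair per prefix.
    reply += [f'Cisco-AVPair += "ipsec:route-set=prefix {n}"' for n in nets]
    reply += [
        f'Cisco-AVPair += "ip:interface-config=vrf forwarding {vrf}"',
        f'Cisco-AVPair += "ip:interface-config=ip unnumbered {unnumbered_if}"',
    ]
    # Inbound per-user ACL from the SAME list: permit only the pushed
    # destinations (Cisco wildcard mask == hostmask), then deny everything.
    # Source is 'any' because the client's pool address is unknown when the
    # entry is generated.
    for i, n in enumerate(nets, start=1):
        reply.append(
            f'Cisco-AVPair += "ip:inacl#{i}=permit ip any '
            f'{n.network_address} {n.hostmask}"'
        )
    reply.append(f'Cisco-AVPair += "ip:inacl#{len(nets) + 1}=deny ip any any"')
    # FreeRADIUS users format: reply items are tab-indented and
    # comma-separated, the last one without a trailing comma.
    body = ",\n\t".join(reply)
    return f'{policy} Cleartext-Password := "{password}"\n\t{body}\n'


def acl_permits(prefixes, dst):
    """Model the generated ACL: a destination passes only if it falls inside
    one of the pushed prefixes; everything else hits the final deny."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in parse_prefixes(prefixes))


if __name__ == "__main__":
    tenant = ["10.5.16.0/24", "10.5.32.0/24"]  # constructed sample data
    print(build_users_entry("flexvpn-policy", "cisco", "flexvpn-devil-pool",
                            "altn-mgmt", "Loopback0", tenant))
    # The post's scenario: client adds its own static route for 10.5.17.0/24.
    print("10.5.16.7 ->", acl_permits(tenant, "10.5.16.7"))  # True
    print("10.5.17.7 ->", acl_permits(tenant, "10.5.17.7"))  # False
```

The generated entry can be dropped into the users file and checked with radiusd -X and radtest before pointing the concentrator at it. If the pool ranges are in the database as well, the "any" source in each ACE can be tightened to the tenant's pool subnet.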