Showing results for 
Search instead for 
Did you mean: 

LAC/LNS same device


I'm trying to get around an issue with Multi link on an ASR by handing it of to another separate LNS specifically for it.

Is it possible to run an ASR as a LAC and an LNS at the same time? I thought it may have been possible but have had no luck with it.

Thanks in advance for any help.



Manuel Rodriguez
Cisco Employee

Hi Trent,

This should be doable. You can, for example, return attributes in the authorization response for the session you want to forward indicating the session needs to be forwarded. This are normally Tunnel attributes like Tunnel-Type, Tunnel-Server-Endpoint, Tunnel-Client-Endpoint, etc.

I'm not sure if the session you want to forward is connected directly to the ASR1k of it it is already a session which was forwarded from a LAC. If the second, you may need to use multihop VPDN, which can also be done on ASR1k.



Hi Manual,

Thanks for that, i had been looking at that but was unable to get it to work.

Essentially the user hits the first LNS, authenticates to radius and terminates on the existing LNS.

I must have something wrong as it never attempts to even do the vpdn search order via multi hop or domain.

another question i have of this setup, is can you use teh same radius server for both LNS or do you require to run separate ones?

Here is my vpdn configuration for the multi hop on LNS 1, I don't even get any VPDN packets attempt on the second so i haven't included its configuration.

vpdn multihop
vpdn redirect source
vpdn logging
vpdn logging local
vpdn logging tunnel-drop
vpdn search-order multihop-hostname
vpdn-group mlp
protocol l2tp
multihop hostname LSTEST01
initiate-to ip

Any assistance would be greatly appreciated, ill get going at it anyway.



Just an update, i got this working.

Hi Trent,

Appreciate it was a while ago you last posted but out of interest what did you do to get this working?



It was as per the document above supplied by Manual, with the addition i had to authenticate the inbound L2TP session before it would start the outbound LT2P. So for example it was coming from a LAC named of the hostname, i could see it hit my radius and was failing with a default password of cisco. When i added that in radius I could see the inbound authenticate and then it worked straight away. I had to do this for the various LAC's sending thru that i wanted to then create an outbound session from.

Hi Trent,

Thanks for coming back to me. So was the resulting behaviour that all sessions were forwarded from the LAC to a separate LNS or were you using the LAC to terminate some sessions (and act as an LNS) but forward others? Perhaps I have misunderstood the initial query.


No, we terminated the majority of the sessions on the ASR, when we used the realm setup for multilink we forwarded them on to a 7206VXR. So the asr was acting as a LAC/LNS

Content for Community-Ad