[c-nsp] VPDN multihop/forwarding not working

CiscoNSP_list CiscoNSP_list cisconsp_list at hotmail.com
Sun Feb 3 18:01:59 EST 2013

Thanks Oli,

> Well, have you defined any of these other realms on the Radius server
> (with the static "cisco" password)? If you don't, and if you don't have a
> vpdn-group with a "request-dialin" matching their realm, nothing will
> break, adding the "vpdn authorization .." on those vtemplates will just
> make sure the LNS no longer sends these Radius requests (with the
> domain).. have you checked the Radius traces since you enabled vpdn
> multihop? If you have users with "@" or "/" on other vpdn-groups, you will
> see those?

Our current setup is - We have multiple realms all
configured on our radius server (no cisco password, just each DSL account i.e.
FNN at realm and a random system generated password), and approx 15 vpdn-groups on
our LNS that connect to the carriers LACs all accept-dialin and all using
virtual-template7 eg:



vpdn-group CARRIERLAC_1



  protocol l2tp

  virtual-template 7

hostname CARRIERLAC_1


 local name LNS01

 lcp renegotiation

 l2tp tunnel password

 ip mtu adjust


interface Virtual-Template7

 description DSL

 ip unnumbered

 ip flow ingress

 qos pre-classify

 ppp authentication
chap callin


 So, we are adding a new dsl realm, connection requests for
the new realm will be coming from the same LAC's, but we want to not auth the
new realm via our existing radius server - We want our LNS to create an L2TP
tunnel to another LNS for this new realm (And then this other LNS will authenticate
the DSL tails via another radius server.

 Hope that makes sense, and that Hotmail hasnt screwed up the
formatting too much!


More information about the cisco-nsp mailing list