Feedback
Table Of Contents
radius-server attribute 32 include-in-access-req
snmp-server enable traps ipmobile
standby track decrement priority
track id application home-agent
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host command in global configuration mode. To disable these services, use the no form of this command.
ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [authorized-pool name] [skip-aaa-reauthentication][care-of-access access-list] [lifetime seconds]
no ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [authorized-pool name] [skip-aaa-reauthentication] [care-of-access access-list] [lifetime seconds]
Syntax Description
lower [upper]
One or a range of mobile host or mobile node group IP addresses. The upper end of the range is optional.
nai string
Network access identifier. The NAI can be a unique identifier (username@realm) or a group identifier (@realm).
static-address
(Optional) Indicates that a static IP address is to be assigned to the flows on this NAI. This parameter is not valid if the NAI is a realm.
addr1, addr2, ...
(Optional) One to a maximum of five IP addresses to be assigned using the static-address keyword.
local-pool name
(Optional) Name of the local pool of addresses to use for assigning a static IP address to this NAI.
address
(Optional) Indicates that a dynamic IP address is to be assigned to the flows on this NAI.
addr
(Optional) IP address to be assigned using the address keyword.
pool
(Optional) Indicates that a pool of addresses is to be used in assigning a dynamic IP address.
local name
(Optional) The name of the local pool to use in assigning addresses.
dhcp-proxy-client
(Optional) Indicates that the DHCP request should be sent to a DHCP server on behalf of the mobile node.
dhcp-server addr
(Optional) IP address of the DHCP server.
interface name
When used with DHCP, specifies the gateway address from which the DHCP server should select the address.
virtual-network network-address mask
Indicates that the mobile station resides in the specified virtual network, which was created using the ip mobile virtual-network command.
aaa
(Optional) Retrieves security associations from a AAA (TACACS+ or RADIUS) server. Allows the home agent to download address configuration details from the AAA server.
load-sa
(Optional) Caches security associations after retrieval by loading the security association into RAM. See Table 8 for details on how security associations are cached for NAI hosts and non-NAI hosts.
permanent
(Optional) Caches security associations in memory after retrieval permanently. Use this optional keyword only for NAI hosts.
authorized-pool name
(Optional) Verifies the IP address assigned to the mobile node if it is within the pool specified by the name argument.
skip-aaa-reauthentication
(Optional) When configured, the home agent does not send an access request for authentication for mobile IP re-registration requests. When disabled, the home agent sends an access request for all Mobile IP registration requests.
care-of-access access-list
(Optional) Access list. This can be a named access list or standard access list. The range is from 1 to 99. Controls where mobile nodes roam—the acceptable care-of addresses.
lifetime seconds
(Optional) Lifetime (in seconds). The lifetime for each mobile node (group) can be set to override the global value. The range is from 3 to 65535 (infinite).
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the home agent. These mobile nodes belong to the network on an interface or a virtual network (via the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from a AAA server.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 7 are based on the assumption of one security association per mobile node. Caching behavior of security associations differs between NAI and non-NAI hosts as described in Table 8.
The nai keyword allows you to specify a particular mobile node or range of mobile nodes. The mobile node can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool; the requested address must be in the pool). Or, the mobile node can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the Packet Data Serving Node (PDSN) proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The address pool can be defined by a local pool or by use of a DHCP proxy client. For DHCP, the interface name keyword and argument combination specifies the gateway address from which the DHCP server should select the address and the dhcp-server keyword specifies the DHCP server address. The NAI is sent in the client-id option of the DHCP packet and can be used to provide dynamic DNS services.
You can also use this command to configure the static IP address or address pool for multiple flows with the same NAI. A flow is a set of {NAI, IP address}.
Security associations can be stored by using one of three methods:
•
On the router
•
•
Each method has advantages and disadvantages, which are described in Table 7.
The caching behavior of security associations for NAI hosts and non-NAI hosts is described in Table 8.
Note
If the aaa load-sa option is configured, the Home Agent caches the SA locally on first registration. In this case the Home Agent will not invoke the RADIUS authorization procedure for re-registration.
If aaa load-sa skip-aaa-reauthentication is configured, the Home Agent caches the SA locally on first registration; however, the Home Agent will not invoke HA-CHAP procedure for re-registration.
The aaa load-sa permanent option is not supported on the Mobile Wireless Home Agent, and should not be configured.Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and retrieve mobile node security associations from a AAA server every time the mobile node registers:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a mobile node group to reside on virtual network 10.99.1.0 and retrieve and cache mobile node security associations from a AAA server. The cached security association is then used for subsequent registrations.
ip mobile host 10.99.1.1 10.99.1.100 virtual-network 10.99.1.0 aaa load-saThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 180The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached as long as the binding is present and are deleted on the home agent when the binding is removed (due to manual clearing of the binding or lifetime expiration).
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 10.2.0.0 255.255.0.0 aaa load-sa lifetime 180The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com static-address local-pool mobilenodesThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached permanently until cleared manually.
ip mobile host nai @cisco.com address pool local mobilenodes virtual network 10.2.0.0 255.255.0.0 aaa load-sa permanent lifetime 180The following example configures the DHCP proxy client to use a DHCP server located at 10.1.2.3 to allocate a dynamic home address:
ip mobile host nai @dhcppool.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0Related Commands
ip mobile radius disconnect
To enable the home agent to process Radius Disconnect messages, use the ip mobile radius disconnect command in global configuration mode. To disable the processing of Radius Disconnect messages on the home agent, use the no form of this command.
ip mobile radius disconnect
no ip mobile radius disconnect
Syntax Description
This command has no arguments or keywords.
Command Default
Radius Disconnect messages are not processed by the home agent.
Command Modes
Global configuration
Command History
12.3(7)XJ
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Usage Guidelines
In order for packet of disconnect (POD) requests to be processed by AAA, you need to configure the aaa server radius dynamic-author global configuration command.
You must configure radius-server attribute 32 include-in-access-req for the home agent to send the fully qualified domain name (FQDN) in the access request.
Examples
The following example enables the home agent to process Radius Disconnect messages:
Router(config)# ip mobile radius disconnectip mobile realm
To enable inbound user sessions to be disconnected when specific session attributes are presented, use the ip mobile realm command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile realm @xyz.com vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]] [dns dynamic-update method word] [dns server primary dns server address secondary dns server address [assign]] [hotline]
no ip mobile realm ip mobile realm @xyz.com vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group] [dns dynamic-update method word] [dns server primary dns server address secondary dns server address [assign]] [hotline]
Syntax Description
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
This CLI defines the VRF for the domain "@xyz.com". The IP address of the Home Agent corresponding to the VRF is also defined, at which the MOIP tunnel will terminate. The IP address of the Home Agent should be a routable IP address on the box. Optionally, the AAA accounting and/or authentication server groups can be defined per VRF. If a AAA accounting server group is defined, all accounting records for the users of the realm will be sent to the specified group. If a AAA authentication server group is defined, HA-CHAP is sent to the server(s) defined in the group.
Examples
The following example identifies the DNS dynamic update keyword:
router(config)#ip mobile realm @ispxyz1.com dns ?dynamic-update Enable 3GPP2 IP reachabilityserver DNS server configurationThe following example identifies the hotlining and vrf keywords:
router(config)# ip mobile realm @ispxyz1.com ?dns Configure DNS detailshotline Hotlining of the mobile hostsvrf VRF for the realm
ip mobile secure
To specify the mobility security associations for the mobile host, visitor, home agent, foreign agent, and proxy-host, use the ip mobile secure command in global configuration mode. To remove the mobility security associations, use the no form of this command.
ip mobile secure {aaa-download | host | visitor | home-agent | foreign-agent | proxy-host} {lower-address [upper-address] | nai string} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm {md5 | hmac-md5} mode prefix-suffix]
no ip mobile secure {aaa-download | host | visitor | home-agent | foreign-agent | proxy-host} {lower-address [upper-address] | nai string} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm {md5 | hmac-md5} mode prefix-suffix]
Syntax Description
Defaults
No security association is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
The security association consists of the entity address, SPI, key, replay protection method, authentication algorithm, and mode.
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.
The HMAC-MD5 authentication algorithm is mandatory for mobile-home authentication (MHAE), mobile-foreign authentication (MFAE), and foreign-home authentication (FHAE)
On a home agent, the security association of the mobile host is mandatory for mobile host authentication. If desired, configure a foreign agent security association on your home agent. On a foreign agent, the security association of the visiting mobile host and security association of the home agent are optional. Multiple security associations for each entity can be configured.
If registration fails because the timestamp value is out of bounds, the time stamp of the home agent is returned so that the mobile node can reregister with the time-stamp value closer to that of the home agent, if desired.
The nai keyword is valid only for a host, visitor, and proxy host.
The proxy-host keyword is available only on PDSN platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
Note
Examples
The following example shows mobile node 10.0.0.4, which has a key that is generated by the MD5 hash of the string:
ip mobile secure host 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel command in global configuration mode. To disable the setting of tunnels created by Mobile IP, use the no form of this command.
ip mobile tunnel {crypto map map-name | route-cache [cef] | path-mtu-discovery [age-timer {minutes | infinite}] | nat {inside | outside} | route-map map-tag}
no ip mobile tunnel {crypto map map-name | route-cache [cef] | path-mtu-discovery [age-timer {minutes | infinite}] | nat {inside | outside} | route-map map-tag}
Syntax DescriptionI
Defaults
Disabled.
If enabled, default value for the minutes argument is 10 minutes.
Command Modes
Global configuration
Command History
Usage Guidelines
Path MTU Discovery is used by end stations to find a packet size that does not need to be fragmented when being sent between the end stations. Tunnels must adjust their MTU to the smallest MTU interior to achieve this condition, as described in RFC 2003.
The discovered tunnel MTU should be aged out periodically to possibly recover from a case where suboptimum MTU existed at time of discovery. It is reset to the outgoing MTU of the interface.
The no ip mobile tunnel route-cache command disables fast switching and CEF switching (if CEF is enabled) on Mobile IP tunnels. The no ip mobile tunnel route-cache cef command disables CEF switching only.
CEF switching is currently not supported on a foreign agent when reverse tunneling is enabled. If reverse tunneling is enabled at the foreign agent, disable CEF on the foreign agent using the no ip cef global configuration command. If the foreign agent does not support reverse tunneling, there is no need to disable CEF at the global configuration level.
The crypto map map-name keyword and argument combination are available only on platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
Examples
The following example sets the discovered tunnel MTU to expire in 10 minutes (600 seconds):
ip mobile tunnel path-mtu-discovery age-timer 600Related Commands
ip cef
Enables CEF on the RP card.
show ip mobile tunnel
Displays active tunnels.
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network command in global configuration mode. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address address]
no ip mobile virtual-network net mask
Syntax Description
Defaults
No home agent addresses are specified.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.0(2)T
The address keyword and address argument were added.
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the home agent IP address is configured on the loopback interface for that virtual network:
interface ethernet 0ip address 1.0.0.1 255.0.0.0standby ip 1.0.0.10standby name SanJoseHAinterface loopback 0ip address 20.0.0.1 255.255.255.255ip mobile home-agentip mobile virtual-network 20.0.0.0 255.255.0.0 address 20.0.0.1ip mobile home-agent standby SanJoseHA virtual-networkip mobile secure home-agent 1.0.0.2 spi 100 hex 00112233445566778899001122334455Related Commands
ip mobile host
Configures the mobile host or mobile node group.
redistribute mobile
Redistributes routes from one routing domain into another routing domain.
radius-server attribute 32 include-in-access-req
To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req command in global configuration mode. To disable sending RADIUS attribute 32, use the no form of this command.
radius-server attribute 32 include-in-access-req [format]
no radius-server attribute 32 include-in-access-req
Syntax Description
format
(Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).
Defaults
RADIUS attribute 32 is not sent in access-request or accounting-request packets.
Command Modes
Global configuration
Command History
Usage Guidelines
Using the radius-server attribute 32 include-in-access-req command makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default.
Examples
The following example shows a configuration that sends RADIUS attribute 32 in the access-request with the format configured to identify a Cisco NAS:
radius-server attribute 32 include-in-access-req format cisco %h.%d %i! The following string will be sent in attribute 32 (NAS-Identifier)."cisco router.nlab.cisco.com 10.0.1.67"radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds]
no radius-server host {hostname | ip-address}
Syntax Description
Defaults
No RADIUS host is specified; use global radius-server command values.
RADIUS server load balancing automated testing is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
RADIUS Server Automated Testing
When using the radius-server host command to enable automated testing for RADIUS server load balancing:
The authentication port is checked by default. If not specified, the default port of 1645 is used. If you wish to not check the authentication port, the ignore-auth-port keyword must be specified.
The accounting port is checked by default. If not specified, the default port of 1645 is used. If you wish to not check the accounting port, the ignore-acct-port keyword must be specified.
Examples
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 192.0.2.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 192.0.2.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.example.com auth-port 0radius-server host host2.example.com acct-port 0The following example specifies four aliases on the RADIUS server with IP address 192.0.2.1:
radius-server host 192.0.2.1 acct-port 1645 auth-port 1646radius-server host 192.0.2.1 alias 192.0.2.2 192.0.2.3 192.0.2.4The following example shows how to enable RADIUS server automated testing for load balancing with the authorization and accounting ports specified:
radius-server host 192.0.2.176 test username test1 auth-port 1645 acct-port 1646Related Commands
router mobile
To enable Mobile IP on the router, use the router mobile command in global configuration mode. To disable Mobile IP, use the no form of this command.
router mobile
no router mobile
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
This command must be used in order to run Mobile IP on the router, as either a home agent or a foreign agent. The process is started, and counters begin. Disabling Mobile IP removes all related configuration commands, both global and interface.
Examples
The following example enables Mobile IP:
router mobileRelated Commands
show ip mobile binding
To display the mobility binding table on the home agent (HA), use the show ip mobile binding command in privileged EXEC mode.
show ip mobile binding [home-agent ip-address | nai string [session-id string] | summary]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can display a list of all bindings if you press enter. You can also specify an IP address for a specific home agent using the show ip mobile binding home-agent ip-address command.
If the session-id string combination is specified, only the binding entry for that session identifier is displayed. A session identifier is used to uniquely identify a Mobile IP flow. A Mobile IP flow is the set of {NAI, IP address}. The flow allows a single NAI to be associated with one or multiple IP addresses, for example, {NAI, ipaddr1}, {NAI, ipaddr2}, and so on. A single user can have multiple sessions for example, when logging through different devices such as a PDA, cellular phone, or laptop. If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from that MN.
Examples
The following is sample output from the show ip mobile binding command:
Router# show ip mobile bindingMobility Binding List:Total 110.0.0.1:Care-of Addr 10.0.0.31, Src Addr 10.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 10.0.0.5 dest 10.0.0.31 reverse-allowedRouting Options - (G)GREService Options:NAT detectThe following is sample output from the show ip mobile binding command when mobile networks are configured or registered on the home agent:
Router# show ip mobile bindingMobility Binding List:Total 110.0.4.1:Care-of Addr 10.0.0.5, Src Addr 10.0.0.5Lifetime granted 00:02:00 (120), remaining 00:01:56Flags sbDmgvT, Identification B7A262C5.DE43E6F4Tunnel0 src 10.0.0.3 dest 10.0.0.5 reverse-allowedMR Tunnel1 src 10.0.0.3 dest 10.0.4.1 reverse-allowedRouting Options - (D)Direct-to-MN (T)Reverse-tunnelMobile Networks: 10.0.0.0/255.255.255.0(S)10.0.0.0/255.255.255.0 (D)10.0.0.0/255.0.0.0(D)The following is sample output from the show ip mobile binding command with session identifier information:
Router# show ip mobile bindingMobility Binding List:Total 110.100.100.19:Care-of Addr 10.70.70.2, Src Addr 10.100.100.1,Lifetime granted 00:33:20 (20000), remaining 00:30:56Flags SbdmGvt, Identification BC1C2A04.EA42659C,Tunnel0 src 10.100.100.100 dest 10.70.70.2 reverse-allowedRouting OptionsSession identifier 998811234SPI 333 (decimal 819) MD5, Prefix-suffix, Timestamp +/-255, root keyKey 38a38987ad0a399cb80940835689da66SPI 334 (decimal 820) MD5, Prefix-suffix, Timestamp +/-255, session keyKey 34c7635a313038611dec8c16681b55e0The following sample output shows that the home agent is configured to detect network address translation (NAT):
Router# show ip mobile binding nai mn@cisco.comMobility Binding List:mn@cisco.com (Bindings 1):Home Addr 10.99.101.1Care-of Addr 192.168.1.202, Src Addr 192.168.157.1Lifetime granted 00:03:00 (180), remaining 00:02:20Flags sbDmg-T-, Identification BCF5F7FF.92C1006FTunnel0 src 192.168.202.1 dest 192.168.157.1 reverse-allowedRouting Options - (D)Direct-to-MN (T)Reverse-tunnelService Options:NAT detectThe following sample output shows that multipath support is enabled:
Router# show ip mobile bindingMobility Binding List:Total 110.1.1.1:Care-of Addr 10.1.1.11, Src Addr 10.1.1.11Lifetime granted 10:00:00 (36000), remaining 09:52:40Flags sbDmg-T-, Identification C5441314.61D36B14Tunnel1 src 12.1.1.10 dest 10.1.1.11 reverse-allowedMR Tunnel1 src 12.1.1.10 dest 10.1.1.11 reverse-allowedRouting Options - (D)Direct-to-MN (T)Reverse-tunnelMobile Networks: 10.38.0.0/255.255.0.0 (D)Roaming IF Attributes: BW 10000 Kbit, ID 3247Description First Lan InterfaceMulti-path Metric bandwidthTable 9 describes the significant fields shown in the display.
Related Commands
show ip mobile binding
To display the mobility binding table, use the show ip mobile binding EXEC command.
show ip mobile binding [ip address | home-agent address | nai string | summary | vrf [realm vrf-realm] [summary]]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The Home Agent updates the mobility binding table in response to registration events from mobile nodes. If the address argument is specified, bindings are shown for only that mobile node.
Examples
The following is sample output from the show ip mobile binding command:
Router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz.com (Bindings 1):Home Addr 40.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:05:00 (300), remaining 00:04:11Flags sBdmg-T-, Identification C70D0890.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedTunnel0 Input ACL: mipinaclTunnel0 Output ACL: mipoutaclRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 43Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesRadius Disconnect EnabledDNS Address primary 10.77.155.10 secondary 6.6.6.6DNS Address Assignment enabled with entity Configured at Homeagent(3)Dynamic DNS update to server enabledha2#If the DNS server configs configured locally are used then the show output will include the following:
router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz20.com (Bindings 1):Home Addr 40.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:03:00 (180), remaining 00:02:32Flags sBdmg-T-, Identification C6ACD1D7.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 23Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesDNS Address primary 10.77.155.10 secondary 5.5.5.5DNS Address Assignment enabled with entity Configured at Homeagent(3)If the DNS server addresses downloaded using a DNS server VSA from HAAA, then the show output will include the following:
router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz30.com (Bindings 1):Home Addr 40.0.0.3Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:03:00 (180), remaining 00:02:05Flags sBdmg-T-, Identification C6ACD910.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 31Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesDNS Address primary 10.77.155.10 secondary 10.77.155.9DNS Address Assignment enabled with entity From Home AAA(1)
Note
ACLs Applied to a Mobility Binding and Accounting Session ID and Accounting Counters
router# show ip mobile binding 44.0.0.1Mobility Binding List:44.0.0.1:Care-of Addr 55.0.0.11, Src Addr 55.0.0.11Lifetime granted 00:01:30 (90), remaining 00:00:51Flags sbDmg-T-, Identification C661D5A0.4188908Tunnel1 src 46.0.0.3 dest 55.0.0.11 reverse-allowedTunnel1 Input ACL: inaclnameTunnel1 Output ACL: outaclname - Empty list or not configured.MR Tunnel1 src 46.0.0.3 dest 55.0.0.11 reverse-allowedRouting Options - (D)Direct-to-MN (T)Reverse-tunnelMobile Networks: 111.0.0.0/255.0.0.0 (S)Acct-Session-Id: 0Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesrouter# show ip mobile tunnelMobile Tunnels:Total mobile ip tunnels 1Tunnel0:src 46.0.0.3, dest 55.0.0.11encap IP/IP, mode reverse-allowed, tunnel-users 1Input ACL users 1, Output ACL users 1IP MTU 1480 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface Ethernet1/0HA created, fast switching enabled, ICMP unreachable enabled5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec0 packets input, 0 bytes, 0 drops0 packets output, 0 bytesThe following is sample output from the show ip mobile binding vrf summary command:
router# show ip mobile binding vrf summaryMobility Binding List:Total number of VRF bindings is 1If the VRF name downloaded from the HAAA and what is configured locally matches , then the show ip mobile binding vrf realm command will display the ouput below:
router# show ip mobile binding vrf realm @ispxyz1.comMobility Binding List:Total bindings for realm @ispxyz1.com under VRF ispxyz-vrf1 is 1mwts-mip-r20sit-haslb1@ispxyz1.com (Bindings 1):Home Addr 50.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:05:00 (300), remaining 00:03:59Flags sBdmg-T-, Identification C6DF047C.10000Tunnel0 src 20.20.204.2 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setVRF ispxyz-vrf1Acct-Session-Id: 17Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesRadius Disconnect EnabledDNS Address primary 10.77.155.10 secondary 1.1.1.1DNS Address Assignment enabled with entity Configured at Homeagent(3)Dynamic DNS update to server enabledIf VRF is not configured locally, then the show output will be as below:
router# show ip mobile binding vrf realm @ispxyz1.com summaryMobility Binding List:%VRF is not enabled locally for realm @ispxyz1.com
Table 10 describes the significant fields shown in the display.
show ip mobile binding
To display the mobility binding table, use the show ip mobile binding EXEC command.
show ip mobile binding [ip address | home-agent address | nai string | summary | vrf [realm vrf-realm] [summary]]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The Home Agent updates the mobility binding table in response to registration events from mobile nodes. If the address argument is specified, bindings are shown for only that mobile node.
Examples
The following is sample output from the show ip mobile binding command:
Router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz.com (Bindings 1):Home Addr 40.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:05:00 (300), remaining 00:04:11Flags sBdmg-T-, Identification C70D0890.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedTunnel0 Input ACL: mipinaclTunnel0 Output ACL: mipoutaclRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 43Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesRadius Disconnect EnabledDNS Address primary 10.77.155.10 secondary 6.6.6.6DNS Address Assignment enabled with entity Configured at Homeagent(3)Dynamic DNS update to server enabledha2#If the DNS server configs configured locally are used then the show output will include the following:
router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz20.com (Bindings 1):Home Addr 40.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:03:00 (180), remaining 00:02:32Flags sBdmg-T-, Identification C6ACD1D7.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 23Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesDNS Address primary 10.77.155.10 secondary 5.5.5.5DNS Address Assignment enabled with entity Configured at Homeagent(3)If the DNS server addresses downloaded using a DNS server VSA from HAAA, then the show output will include the following:
router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz30.com (Bindings 1):Home Addr 40.0.0.3Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:03:00 (180), remaining 00:02:05Flags sBdmg-T-, Identification C6ACD910.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 31Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesDNS Address primary 10.77.155.10 secondary 10.77.155.9DNS Address Assignment enabled with entity From Home AAA(1)
Note
ACLs Applied to a Mobility Binding and Accounting Session ID and Accounting Counters
router# show ip mobile binding 44.0.0.1Mobility Binding List:44.0.0.1:Care-of Addr 55.0.0.11, Src Addr 55.0.0.11Lifetime granted 00:01:30 (90), remaining 00:00:51Flags sbDmg-T-, Identification C661D5A0.4188908Tunnel1 src 46.0.0.3 dest 55.0.0.11 reverse-allowedTunnel1 Input ACL: inaclnameTunnel1 Output ACL: outaclname - Empty list or not configured.MR Tunnel1 src 46.0.0.3 dest 55.0.0.11 reverse-allowedRouting Options - (D)Direct-to-MN (T)Reverse-tunnelMobile Networks: 111.0.0.0/255.0.0.0 (S)Acct-Session-Id: 0Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesrouter# show ip mobile tunnelMobile Tunnels:Total mobile ip tunnels 1Tunnel0:src 46.0.0.3, dest 55.0.0.11encap IP/IP, mode reverse-allowed, tunnel-users 1Input ACL users 1, Output ACL users 1IP MTU 1480 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface Ethernet1/0HA created, fast switching enabled, ICMP unreachable enabled5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec0 packets input, 0 bytes, 0 drops0 packets output, 0 bytesThe following is sample output from the show ip mobile binding vrf summary command:
router# show ip mobile binding vrf summaryMobility Binding List:Total number of VRF bindings is 1If the VRF name downloaded from the HAAA and what is configured locally matches , then the show ip mobile binding vrf realm command will display the ouput below:
router# show ip mobile binding vrf realm @ispxyz1.comMobility Binding List:Total bindings for realm @ispxyz1.com under VRF ispxyz-vrf1 is 1mwts-mip-r20sit-haslb1@ispxyz1.com (Bindings 1):Home Addr 50.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:05:00 (300), remaining 00:03:59Flags sBdmg-T-, Identification C6DF047C.10000Tunnel0 src 20.20.204.2 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setVRF ispxyz-vrf1Acct-Session-Id: 17Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesRadius Disconnect EnabledDNS Address primary 10.77.155.10 secondary 1.1.1.1DNS Address Assignment enabled with entity Configured at Homeagent(3)Dynamic DNS update to server enabledIf VRF is not configured locally, then the show output will be as below:
router# show ip mobile binding vrf realm @ispxyz1.com summaryMobility Binding List:%VRF is not enabled locally for realm @ispxyz1.com
Table 11 describes the significant fields shown in the display.
show ip mobile globals
To display global information for mobile agents, use the show ip mobile globals command in privileged EXEC mode.
show ip mobile globals
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command shows the services provided by the home agent or foreign agent. Note the deviation from RFC 3344: the foreign agent will not display busy or registration required information. Both are handled on a per-interface basis (see the show ip mobile interface command), not at the global foreign agent level.
Examples
The following is sample output from the show ip mobile globals command:
Router# show ip mobile globalsIP Mobility global information:Home AgentRegistration lifetime: 10:00:00 (36000 secs)Broadcast enabledReplay protection time: 7 secsReverse tunnel enabledICMP Unreachable enabledStrip realm enabledNAT detect disabledHA Accounting enabled using method list: mylistAddress 1.1.1.1Virtual networks10.0.0.0/8Foreign AgentPending registrations expire after 120 secondsCare-of address advertisedMobile network route injection enabledMobile network route redistribution disabledMobile network route injection access list mobile-net-listEthernet2/2 (10.10.10.1) - upMobility Agent1 interfaces providing serviceEncapsulations supported: IPIP and GRETunnel fast switching enabled, cef switching enabledDiscovered tunnel MTU aged out after 1:00:00The following example shows that home agent UDP tunneling is enabled with a keepalive timer set at 60 seconds and forced UDP tunneling enabled.
Router# show ip mobile globalsIP Mobility global information:Home agentRegistration lifetime: 10:00:00 (36000 secs)Broadcast disabledReplay protection time: 7 secsReverse tunnel enabledICMP Unreachable enabledStrip realm disabledNAT Traversal disabledHA Accounting disabledNAT UDP Tunneling support enabledUDP Tunnel Keepalive 60Forced UDP Tunneling enabledVirtual networks10.99.101.0/24Foreign agent is not enabled, no care-of address0 interfaces providing serviceEncapsulations supported: IPIP and GRETunnel fast switching enabled, cef switching enabledTunnel path MTU discovery aged out after 10 minThe following example shows that NAT UDP tunneling support is enabled on the foreign agent with a keepalive timer set at 110 seconds and forced UDP tunneling disabled.
Router# show ip mobile globalsIP Mobility global information:Foreign AgentPending registrations expire after 120 secsCare-of addresses advertisedMobile network route injection disabledEthernet2/2 (10.30.30.1) - up1 interface providing serviceEncapsulations supported: IPIP and GRETunnel fast switching enabled, cef switching enabledTunnel path MTU discovery aged out after 10 minNAT UDP Tunneling support enabledUDP Tunnel Keepalive 110Forced UDP Tunneling disabledThe following example output shows that multipath support is enabled:
Router# show ip mobile globalsIP Mobility global information:Home AgentRegistration lifetime: 10:00:00 (36000 secs)Broadcast disabledReplay protection time: 7 secs....UDP Tunnel Keepalive 110Forced UDP Tunneling disabledMultiple Path Support enabledTable 12 describes the significant fields shown in the sample output.
Related Commands
show ip mobile interface
Displays advertisement information for interfaces that are providing foreign agent service or that are home links for mobile nodes.
show ip mobile host
To display mobile node information, use the show ip mobile host command in privileged EXEC mode.
show ip mobile host [address | interface interface | network address | nai string | group | summary]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Examples
The following is sample output from the show ip mobile host command:
Router# show ip mobile host10.34.253.147:Allowed lifetime 10:00:00 (36000/default)Roam status -Registered-, Home link on virtual network 10.34.253.128 /26Accepted 2082, Last time 02/13/03 01:03:24Overall service time 1w0dDenied 32, Last time 01/03/03 21:13:43Last code 'registration id mismatch (133)'Total violations 32Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0The following is sample output from the show ip mobile host nai string command:
Router# show ip mobile host nai jane@cisco.comjane@cisco.comAllowed lifetime 10:00:00 (36000/default)Roam status -Registered-, Home link on interface Loopback0Bindings 10.34.253.205Accepted 3705, Last time 02/13/03 01:02:37Overall service time 6d05hDenied 4918, Last time 01/30/03 20:59:14Last code 'administratively prohibited (129)'Total violations 262Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Table 13 describes the significant fields shown in the display.
The following is sample output from the show ip mobile host group command for groups configured with the ip mobile host command:
Router# show ip mobile host group20.0.0.1 - 20.0.0.20:Home link on virtual network 20.0.0.0 /8, Care-of ACL -none-Security associations on router, Allowed lifetime 10:00:00 (36000/default)Table 14 describes the significant fields shown in the display.
Related Commands
clear ip mobile host-counters
Clears the mobile node counters.
show ip mobile binding
Displays the mobility binding table.
show ip mobile secure
To display the mobility security associations for the mobile host, mobile visitor, foreign agent, home agent, or proxy Mobile IP host, use the show ip mobile secure command in privileged EXEC mode.
show ip mobile secure {host | visitor | foreign-agent | home-agent | proxy-host | summary} {ip-address | nai string}
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Multiple security associations can exist for each entity.
The proxy-host keyword is only available on PDSN platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
Examples
The following is sample output from the show ip mobile secure command:
Router# show ip mobile secureSecurity Associations (algorithm,mode,replay protection,key):10.0.0.6SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key 00112233445566778899001122334455Table 15 describes the significant fields shown in the display.
show ip mobile traffic
To display protocol counters, use the show ip mobile traffic command in privileged EXEC mode.
show ip mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Counters can be reset to zero using the clear ip mobile traffic command, which also allows you to undo the reset.
Examples
The following is sample output from the show ip mobile traffic command:
Router# show ip mobile trafficIP Mobility traffic:UDP:Port: 434 (Mobile IP) input drops: 0Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Unavailable encap 0, reverse tunnel 0Reverse tunnel mandatory 0Binding updates received 0, sent 0 total 0 fail 0Binding update acks received 0, sent 0Binding info request received 0, sent 0 total 0 fail 0Binding info reply received 0 drop 0, sent 0 total 0 fail 0Binding info reply acks received 0 drop 0, sent 0Gratuitous 0, Proxy 0 ARPs sentTotal incoming requests using NAT detect 1Foreign Agent Registrations:Request in 0,Forwarded 0, Denied 0, Ignored 0Unspecified 0, HA unreachable 0Administrative prohibited 0, No resource 0Bad lifetime 0, Bad request form 0Unavailable encapsulation 0, Compression 0Unavailable reverse tunnel 0Reverse tunnel mandatoryReplies in 0Forwarded 0, Bad 0, Ignored 0Authentication failed MN 0, HA 0Received challenge/gen. authentication extension, feature not enabled 0Route Optimization Binding Updates received 0, acks sent 0 neg acks sent 0Unknown challenge 1, Missing challenge 0, Stale challenge 0Table 16 describes the significant fields shown in the display.
show ip mobile tunnel
To display active tunnels, use the show ip mobile tunnel command in EXEC mode.
show ip mobile tunnel [interface]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
This command displays active tunnels created by Mobile IP. When no more users are on the tunnel, the tunnel is released.
Examples
The following is sample output from the show ip mobile tunnel command:
Router# show ip mobile tunnelMobile Tunnels:Tunnel0:src 10.0.0.32, dest 10.0.0.48encap IP/IP, mode reverse-allowed, tunnel-users 1IP MTU 1480 bytesHA created, fast switching enabled, ICMP unreachable enabled0 packets input, 0 bytes, 0 drops1591241 packets output, 1209738478 bytesRoute Map is: MoIPMapRunning template configuration for this tunnel:ip pim sparse-dense-modeThe following is sample output from the show ip mobile tunnel command that verifies that UDP tunneling is established:
Router# show ip mobile tunnelMobile Tunnels:Total mobile ip tunnels 1Tunnel0:src 10.30.30.1, dest 10.10.10.100src port 434, dest port 434encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1IP MTU 1480 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface Ethernet2/3FA created, fast switching disabled, ICMP unreachable enabled5 packets input, 600 bytes, 0 drops7 packets output, 780 bytesThe following is sample output from the show ip mobile tunnel command that shows that the mobile node-home agent tunnel is still IP-in-IP, but that the foreign agent-home agent tunnel is UDP:
Router# show ip mobile tunnelMobile Tunnels:Total mobile ip tunnels 2Tunnel0:src 10.2.1.1, dest 10.99.100.2encap IP/IP, mode reverse-allowed, tunnel-users 1IP MTU 1460 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface Tunnel1HA created, fast switching enabled, ICMP unreachable enabled11 packets input, 1002 bytes, 0 drops5 packets output, 600 bytesTunnel1:src 10.2.1.1, dest 100.3.1.5src port 434, dest port 434encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1IP MTU 1480 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface GigabitEthernet0/2HA created, fast switching disabled, ICMP unreachable enabled11 packets input, 1222 bytes, 0 drops7 packets output, 916 bytesThe following is sample output from the show ip mobile tunnel command that shows that the mobile node has UDP tunneling established with the home agent:
Router# show ip mobile tunnelTotal mobile ip tunnels 1Tunnel0:src 10.10.10.100, dest 10.10.10.50src port 434, dest port 434encap MIPUDP/IP, mode reverse-allowed, tunnel-users 1IP MTU 1480 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface Ethernet2/1HA created, fast switching disabled, ICMP unreachable enabled5 packets input, 600 bytes, 0 drops5 packets output, 600 bytesThe following is sample output when the mobile router is configured for multipath support:
Router# show ip mobile tunnelMobile Tunnels:Total mobile ip tunnels 1Tunnel0:src 10.1.1.11, dest 10.1.1.10 Key 6encap IP/IP, mode reverse-allowed, tunnel-users 1IP MTU 1480 bytesPath MTU Discovery, mtu: 0, ager: 10 mins, expires: neveroutbound interface Ethernet1/0MR created, fast switching enabled, ICMP unreachable enabled4 packets input, 306 bytes, 0 drops6 packets output, 436 bytesTemplate configuration:ip pim sparse-dense-modeTable 17 describes the significant fields shown in the display.
Related Commands
show ip mobile violation
To display information about security violations, use the show ip mobile violation command in privileged EXEC mode.
show ip mobile violation [address | nai string]
Syntax Description
address
(Optional) Displays violations from a specific IP address.
nai string
(Optional) Network access identifier.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated parameters were added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
The most recent violation is saved for all the mobile nodes. A circular log holds up to 50 unknown requesters, which are the violators without security associations. The oldest violations will be purged to make room for new unknown requesters when the log limit is reached.
Security violation messages are logged at the informational level (see the logging global configuration command). When logging is enabled to include this severity level, violation history can be displayed using the show logging command.
Examples
The following is sample output from the show ip mobile violation command:
Router# show ip mobile violationSecurity Violation Log:Mobile Hosts:20.0.0.1:Violations: 1, Last time: 06/18/97 01:16:47SPI: 300, Identification: B751B581.77FD0E40Error Code: MN failed authentication (131), Reason: Bad authenticator (2)Table 18 describes significant fields shown in the display.
show ip route vrf
To display the IP routing table associated with a Virtual Private Network (VPN) routing and forwarding (VRF) instance, use the show ip route vrf command in user EXEC or privileged EXEC mode.
show ip route vrf vrf-name [connected] [protocol [as-number] [tag] [output-modifiers]] [ip-prefix] [list number [output-modifiers]] [profile] [static [output-modifiers]] [summary [output-modifiers]] [supernets-only [output-modifiers]]
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
This command displays specified information from the IP routing table of a VRF.
Examples
This example shows the IP routing table associated with the VRF named vrf1:
Router# show ip route vrf vrf1Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate defaultU - per-user static route, o - ODRT - traffic engineered routeGateway of last resort is not setB 10.0.0.0/8 [200/0] via 10.13.13.13, 00:24:19C 10.0.0.0/8 is directly connected, Ethernet1/3B 10.0.0.0/8 [20/0] via 10.0.0.1, 02:10:22B 10.0.0.0/8 [200/0] via 10.13.13.13, 00:24:20This example shows BGP entries in the IP routing table associated with the VRF named vrf1:
Router# show ip route vrf vrf1 bgpB 10.0.0.0/8 [200/0] via 10.13.13.13, 03:44:14B 10.0.0.0/8 [20/0] via 10.0.0.1, 03:44:12B 10.0.0.0/8 [200/0] via 10.13.13.13, 03:43:14This example shows the IP routing table associated with a VRF named PATH and network 10.22.22.0:
Router# show ip route vrf PATH 10.22.22.0Routing entry for 10.22.22.0/24Known via "bgp 1", distance 200, metric 0Tag 22, type internalLast update from 10.22.5.10 00:01:07 agoRouting Descriptor Blocks:* 10.22.7.8 (Default-IP-Routing-Table), from 10.11.3.4, 00:01:07 agoRoute metric is 0, traffic share count is 1AS Hops 110.22.1.9 (Default-IP-Routing-Table), from 10.11.1.2, 00:01:07 agoRoute metric is 0, traffic share count is 1AS Hops 110.22.6.10 (Default-IP-Routing-Table), from 10.11.6.7, 00:01:07 agoRoute metric is 0, traffic share count is 1AS Hops 110.22.4.10 (Default-IP-Routing-Table), from 10.11.4.5, 00:01:07 agoRoute metric is 0, traffic share count is 1AS Hops 110.22.5.10 (Default-IP-Routing-Table), from 10.11.5.6, 00:01:07 agoRoute metric is 0, traffic share count is 1AS Hops 1Table 19 describes the significant fields shown when the show ip route vrf vrf-name ip-prefix command is used.
Example of Output Using the Cisco IOS Software Modularity for Layer 3 VPNs Feature
The following is sample output from the show ip route vrf command on routers using the Cisco IOS Software Modularity for Layer 3 VPNs feature. The output includes remote label information and corresponding MPLS flags for prefixes that have remote labels stored in the RIB, if BGP is the label distribution protocol:
Router# show ip route vrf v2 10.2.2.2Routing entry for 10.2.2.2/32Known via "bgp 1", distance 200, metric 0, type internalRedistributing via ospf 2Advertised by ospf 2 subnetsLast update from 10.0.0.4 00:22:59 agoRouting Descriptor Blocks:* 10.0.0.4 (Default-IP-Routing-Table), from 10.0.0.31, 00:22:59 agoRoute metric is 0, traffic share count is 1AS Hops 0MPLS label: 1300MPLS Flags: MPLS RequiredTable 20 describes the significant fields shown in the display.
Related Commands
show ip cache
Displays the Cisco Express Forwarding table associated with a VRF.
show ip vrf
Displays the set of defined VRFs and associated interfaces.
snmp-server enable traps ipmobile
To enable Simple Network Management Protocol (SNMP) security notifications for Mobile IP, use the snmp-server enable traps ipmobile command in global configuration mode. To disable SNMP notifications for Mobile IP, use the no form of this command.
snmp-server enable traps ipmobile
no snmp-server enable traps ipmobile
Syntax Description
This command has no arguments or keywords.
Defaults
SNMP notifications are disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
SNMP Mobile IP notifications can be sent as traps or inform requests. This command enables both traps and inform requests. This command enables Mobile IP Authentication Failure notifications. This notification is defined in RFC2006-MIB.my as the mipAuthFailure notification type {mipMIBNotifications 1}. This notification, when enabled, is triggered when there is an authentication failure for the Mobile IP entity during validation of the mobile registration request or reply.
For a complete description of this notification and additional MIB functions, see the RFC2006-MIB.my file, available on Cisco.com at http://www.cisco.com/public/mibs/v2/.
The snmp-server enable traps ipmobile command is used in conjunction with the snmp-server host command. Use the snmp-server host global configuration command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.
Examples
The following example enables the router to send Mobile IP informs to the host at the address myhost.cisco.com using the community string defined as public:
snmp-server enable traps ipmobilesnmp-server host myhost.cisco.com informs version 2c publicRelated Commands
snmp-server host
Specifies the recipient of an SNMP notification operation.
snmp-server trap-source
Specifies the interface from which an SNMP trap should originate.
standby track decrement priority
To lower the priority of an particular HA in a redundancy scenario, use the standby track tracking object id decrement priority command in global configuration mode. To disable this function, use the no form of the command.
standby track tracking object id decrement priority
no standby track tracking object id decrement priority
Syntax Description
Defaults
There are no default values.
Command Modes
Global Configuration
Command History
12.3(14)YX
This command was introduced.
12.4(15)T
This command was integrated into Cisco IOS Release 12.4(15)T.
track id application home-agent
To create a tracking object to track the home-agent state, use the track tracking object id application home-agent command in global configuration. To disable this feature, use the no form of the command.
track tracking object id application home-agent
no track tracking object id application home-agent
Syntax Description
Defaults
There are no default values.
Command Modes
Global Configuration
Command History
12.3(14)YX
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Examples
The following example illustrates the track application home-agent command:
router# track tracking object id application home-agentvirtual
To configure virtual server attributes, use the virtual command in SLB virtual server configuration mode. To remove the attributes, use the no form of this command.
Encapsulation Security Payload (ESP) and Generic Routing Encapsulation (GRE) Protocols
virtual ip-address [netmask [group]] {esp | gre | protocol}
no virtual ip-address [netmask [group]] {esp | gre | protocol}
TCP and User Datagram Protocol (UDP)
virtual ip-address [netmask [group]] {tcp | udp} [port | any] [service service]
no virtual ip-address [netmask [group]] {tcp | udp} [port | any] [service service]
Syntax Description
Defaults
No default behavior or values.
Command Modes
SLB virtual server configuration (config-slb-vserver)
Command History
Usage Guidelines
The no virtual command is allowed only if the virtual server was removed from service by the no inservice command.
For some applications, it is not feasible to configure all the virtual server TCP or UDP port numbers for IOS SLB. To support such applications, you can configure IOS SLB virtual servers to accept flows destined for all ports. To configure an all-port virtual server, specify a port number of 0 or any.
Note
Specifying port 9201 for connection-oriented WSP mode also activates the Wireless Application Protocol (WAP) finite state machine (FSM), which monitors WSP and drives the session FSM accordingly.
In RADIUS load balancing, IOS SLB maintains session objects in a database to ensure that re-sent RADIUS requests are load-balanced to the same real server.
Examples
The following example specifies that the virtual server with the IP address 10.0.0.1 performs load balancing for TCP connections for the port named www. The virtual server processes HTTP requests.
Router(config)# ip slb vserver PUBLIC_HTTPRouter(config-slb-vserver)# virtual 10.0.0.1 tcp wwwThe following example specifies that the virtual server with the IP address 10.0.0.13 performs load balancing for UDP connections for all ports. The virtual server processes HTTP requests.
Router(config)# ip slb vserver PUBLIC_HTTPRouter(config-slb-vserver)# virtual 10.0.0.13 udp 0Related Commands
ip slb vserver
Identifies a virtual server.
show ip slb vservers
Displays information about the virtual servers defined to IOS Server Load Balancing (IOS SLB).
