 Feedback
|
Table Of Contents
Cisco Mobile Wireless Home Agent
User Authentication and Authorization
Supported Standards, MIBs, and RFCs
Basic IOS Configuration on MWAM and Catalyst 6500
Configuring AAA in the Home Agent Environment
Configuring RADIUS in the Home Agent Environment
Configuring Mobile IP Security Associations
Configuring HSRP Group Attributes
Enabling HA Redundancy for a Physical Network
Enabling HA Redundancy for a Virtual Network Using One Physical Network
Configuring Network Management
Configuring the Cisco Home Agent
Monitoring and Maintaining the HA
Cisco Home Agent Configuration
Home Agent Redundancy Configuration
Home Agent IPSec Configuration
ip mobile home-agent reject-static-addr
ip mobile home-agent redundancy
ip mobile home-agent resync-sa
snmp-server enable traps ipmobile
Cisco Mobile Wireless Home Agent
Feature History
12.2(8)BY
This feature was introduced on the Cisco 7200 Series Router.
12.2(8)ZB
This feature was introduced on the Cisco Catalyst 6500 Switch.
This feature module describes the Cisco Mobile Wireless Home Agent. It includes information on the features and functions of the product, supported platforms, related documents, and configuration tasks.
This document includes the following sections:
•
Supported Standards, MIBs, and RFCs
•
Feature Overview
Cisco's Mobile Wireless Packet Data Solution includes the Packet Data Serving Node (PDSN) with foreign agent functionality (FA), the Cisco Mobile Wireless Home Agent (HA), AAA servers, and several other security products and features. The solution is standards compliant, and is designed to meet the needs of mobile wireless industry as it transitions towards third-generation cellular data services.
The Home Agent is the anchor point for mobile terminals for which MobileIP or Proxy MobileIP services are provided. Traffic sent to the terminal is routed via the Home Agent. With reverse tunneling, traffic from the terminal is also routed via the Home Agent.
A PDSN provides access to the Internet, intranets, and Wireless Application Protocol (WAP) servers for mobile stations using a Code Division Multiple Access 2000 (CDMA2000) Radio Access Network (RAN). The Cisco PDSN is a Cisco IOS software feature that runs on Cisco 7200 routers and Catalyst 6500 switches, and acts as an access gateway for Simple IP and Mobile IP stations. It provides foreign agent (FA) support and packet transport for virtual private networking (VPN). It also acts as an Authentication, Authorization, and Accounting (AAA) client.
The Cisco PDSN, and the Cisco Home Agent support all relevant 3GPP2 standards, including those that define the overall structure of a CDMA2000 network, and the interfaces between radio components, the Home Agent, and the PDSN.
System Overview
CDMA is one of the standards for mobile communication. A typical CDMA2000 network includes terminal equipment, mobile termination, base transceiver stations (BTSs), base station controllers (BSCs), PDSNs, and other CDMA network and data network entities. The PDSN is the interface between a BSC and a network router.
Figure 1 illustrates the relationship of the components of a typical CDMA2000 network, including a PDSN and a Home Agent. In this illustration, a roaming mobile station user is receiving data services from a visited access provider network, rather than from the mobile station user's subscribed access provider network.
Figure 1 The CDMA Network
As the illustration shows, the mobile station, which must support either Simple IP or Mobile IP, connects to a radio tower and BTS. The BTS connects to a BSC, which contains a component called the Packet Control Function (PCF). The PCF communicates with the Cisco PDSN through an A10/A11 interface. The A10 interface is for user data and the A11 interface is for control messages. This interface is also known as the RAN-to-PDSN (R-P) interface. For the Cisco Home Agent Release 1.2, you must use a Fast Ethernet (FE) interface as the R-P interface on the 7200 platform, and a Giga Ethernet (GE) interface on the MWAM platform.
The IP networking between the PDSN and external data networks is through the PDSN-to-intranet/Internet (Pi) interface. For the Cisco Home Agent Release 1.2, you can use either an FE or GE interface as the Pi interface.
For "back office" connectivity, such as connections to a AAA server, the interface is media independent. Any of the interfaces supported on the Cisco 7206 can be used to connect to these types of services, but Cisco recommends that you use either an FE or GE interface as the Pi interface.
Cisco Home Agent Network
Figure 2 illustrates the functional elements in a typical CDMA2000 packet data system, and Cisco products that are currently available to support this solution. The Home Agent, in conjunction with the PDSN/Foreign Agent, allows a mobile station with Mobile IP client function, to access the internet or corporate intranet using Mobile IP-based service access. Mobile IP extends user mobility beyond the coverage area of the current, serving PDSN/Foreign Agent. If another PDSN is allocated to the call(following a handoff), the target PDSN performs a Mobile IP registration with the Home Agent; this ensures that the same home address is allocated to the mobile. Additionally, clients without a Mobile IP client can also make use of these services by using the Proxy Mobile IP capability provided by the PDSN
The Home Agent, then, is the anchor point for mobile terminals for which MobileIP or Proxy MobileIP services are provided. Traffic is routed via the home agent, and the home agent also provides Proxy ARP services. In the case of reverse tunneling, traffic from the terminal is also routed via the Home Agent.
Figure 2 Cisco Products for CDMA2000 Packet Data Services Solution
For Mobile IP services, the Home Agent would typically be located within an ISP network, or within a corporate domain. However, many ISPs and/or corporate entities may not be ready to provision Home Agents by the time service providers begin rollout of third-generation packet data services. As a remedy, Access service providers could provision Home Agents within their own domains, and then forward packets to ISPs or corporate domains via VPDN services. Figure 3 illustrates the functional elements that are necessary to support Mobile IP-based service access when the Home Agent is located in the service provider domain.
Figure 3
Cisco Mobile IP Based Service Access With Home Agent in Service Provider Network
For Mobile IP and Proxy-Mobile IP types of access, these solutions allow a mobile user to roam within and beyond it's service provider boundaries, while always being reachable and addressable via the IP address assigned on initial session establishment. Details of Mobile IP and Proxy Mobile IP Services can be found in Packet Data Services.
Packet Data Services
In the context of a CDMA2000 network, the Cisco Home Agent supports two types of packet data services: Mobile-IP and Proxy Mobile-IP services. From the perspective of the Cisco Home Agent, these services are identical.
Cisco Mobile IP Service
With Mobile IP, the mobile station can roam beyond the coverage area of a given PDSN and still maintain the same IP address and application-level connections.
Figure 4 shows the placement of the Cisco Home Agent in a Mobile IP scenario.
Figure 4
CDMA Network —Mobile IP Scenario
The communication process occurs in the following order:
1.
2.
As part of the registration process, the Cisco HA creates a binding table entry to associate the mobile station's home address with its care of address.
Note
3.
4.
5.
6.
7.
Note
Cisco Proxy Mobile IP Service
Currently, there is a lack of commercially-available Mobile IP client software. Conversely, PPP, which is widely used to connect to an Internet Service Provider (ISP), is ubiquitous in IP devices. As an alternative to Mobile IP, you can use Cisco's proxy Mobile IP feature. This capability of the Cisco PDSN, which is integrated with PPP, enables the PDSN, functioning as a Foreign Agent, and a Mobile IP client, to provide mobility to authenticated PPP users.
The communication process occurs in the following order:
1.
2.
3.
4.
5.
6.
Note
Features
This section describes the following key features of the Cisco PDSN/HA:
•
•
Feature Support
In addition to supporting Cisco IOS networking features, a Cisco 7200 router, or 6500 switch configured as a Home Agent, supports the following Home Agent-specific features:
•
–
–
•
–
–
•
•
•
–
–
–
•
–
–
•
•
•
–
–
•
•
•
–
•
–
–
•
•
Benefits
The following list identifies some of the key benefits that the Cisco Home Agent provides:
•
•
•
Note
•
•
•
•
•
•
•
•
The Home Agent
The Home Agent (HA) maintains mobile user registrations and tunnels packets destined for the mobile to the PDSN/FA. It supports reverse tunneling, and can securely tunnel packets to the PDSN using IPSec. Broadcast packets are not tunneled. Additionally, the HA performs dynamic home address assignment for the mobile. Home address assignment can be from address pools configured locally, through either DHCP server access, or from the AAA server.
The Cisco HA supports proxy Mobile IP functionality, and is available on the 7200 and 6500 series platforms. A 7200-based Cisco HA supports up to 262,000 mobile bindings, can process 100 bindings per second, and is RFC 2002, 2003, 2005 and 2006 compliant.
A 6500-based Cisco HA with 2 MWAM cards housing 5 active HA images and 5 standby images, would support the above figures multiplied by 5.
For more information on Mobile IP as it relates to Home Agent configuration tasks, please refer to the following url:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/mobileip.htm.
Dynamic Home Agent Assignment
The Home Agent can be dynamically assigned in a CDMA2000 network when the following qualifications exist.
The first qualification is that the Home Agent receives a mobile IP Registration Request with a value of 0.0.0.0 in the "Home Agent" field. Upon authentication/authorization, the PDSN retrieves the HA's IP address. The PDSN then uses this address to forward the Registration Request to the HA, but does not update the actual HA address field in the Registration Request.
The Home Agent sends a Registration Reply, and places it's own IP address in the "Home Agent" field. At this point, any re-registration request that are received would contain the Home Agent's IP address in the "Home Agent" field.
The second qualification is a function of the PDSN/Foreign Agent, and is included here for completeness. In this case, a AAA server is used to perform the dynamic Home Agent assignment function. Depending on network topology, either the local-AAA, or the home-AAA server would perform this function. When an access service provider is also serving as an ISP, Home Agents would be located in the access provider network. In this service scenario, a local-AAA server would perform Home Agent assignment function. Based on the user NAI received in the access request message, the AAA server would return a elected Home Agent's address in an access reply message to the PDSN.
A pool of Home Agent addresses is typically configured at the AAA server. For the access provider serving as an ISP, multiple pools of Home Agents could be configured at the local AAA server; however, this depends on SLAs with the domains for which Mobile IP, or proxy-Mobile IP services are supported. You can configure the Home Agent selection procedure at the AAA server, using either a round-robin or a hashing algorithm over user NAI selection criteria.
The PDSN/Foreign Agent sends the Registration Request to the Home Agent; however, there is no IP address in the HA field of the MIP RRQ (it is 0.0.0.0). When the PDSN retrieves the IP address from AAA, it does not update the MIP RRQ; instead, it forwards the RRQ to the HA address retrieved. The PDSN cannot alter the MIP RRQ because it does not know the MN-HA SPI, and key value (which contains the IP address of the Home Agent in the "Home Agent" field). Depending on network topology, either the local-AAA, or the home-AAA server would perform this function. In situations where the Home Agents are located in the access provider network, the local-AAA server would perform Home Agent assignment function. Additionally, multiple pools of Home Agents could be configured at the local-AAA server, depending on SLAs with the domains for which Mobile IP or proxy-Mobile IP services are supported.
Home Agent Redundancy
Cisco Home Agents can be configured to provide 1:1 redundancy. Two Home Agents are configured in hot-standby mode, based on Cisco Hot Standby Routing Protocol (HSRP in RFC 2281).1 This enables the active Home Agent to continually copy mobile session-related information to the standby Home Agent, and maintains synchronized state information at both Home Agents. In case an active Home Agent fails, the standby home agent takes over without service disruption.
During the Mobile IP registration process, an HA creates a mobility binding table that maps the home IP address of an MN to the current care-of address of the MN. If the HA fails, the mobility binding table will be lost and all MNs registered with the HA will lose their connectivity. To reduce the impact of an HA failure, Cisco IOS software supports the HA redundancy feature.
Note
The functionality of HA redundancy runs on top of the Hot Standby Router Protocol (HSRP). HSRP is a protocol developed by Cisco that provides network redundancy in a way that ensures that user traffic will immediately and transparently recover from failures.
HSRP Groups
Before configuring HA redundancy, you must understand the concept of HSRP groups.
An HSRP group is composed of two or more routers that share an IP address and a MAC (Layer 2) address and act as a single virtual router. For example, your Mobile IP topology can include one active HA and one or more standby HAs that the rest of the topology view as a single virtual HA.
You must define certain HSRP group attributes on the interfaces of the HAs so that Mobile IP can implement the redundancy. You can use the groups to provide redundancy for MNs with a home link on either the interface of the group (a physical network) or on virtual networks. Virtual networks are logical circuits that are programmed and share a common physical infrastructure.
How HA Redundancy Works
The HA redundancy feature enables you to configure an active HA and one or more standby HAs. The HAs in a redundancy group may be configured in an Active HA-Standby HA role if the HAs are supporting physical networks, or in a Peer HA-Peer HA role if they are supporting virtual networks.
In the first case, the Active HA assumes the lead HA role, and synchronizes the Standby HA. In the case of virtual network support, Peer HAs share the lead HA role and "update" each other. The Peer HA configuration allows for load balancing of the incoming RRQs, as either HA may receive RRQs. In either scenario, the HAs participating in the redundancy group should be configured similarly. The current support structure is 1 to1 to provide the maximum robustness and transparency in failover.
HA functionality is a service provided by the router and is not interface specific. Therefore, the HA and the MN must agree on which HA interface the MN should send its registration requests, and conversely, on which HA interface the HA should receive the registration requests. This agreement must factor in the following two scenarios:
•
•
For MNs on physical networks, an active HA accepts registration requests from the MN and sends binding updates to the standby HA. This process keeps the mobility binding table on the active and standby HAs synchronized.
For MNs on virtual networks, the active and standby HAs are peers—either HA can handle registration requests from the MN and update the mobility binding table on the peer HA.
When a standby HA comes up, it must request all mobility binding information from the active HA. The active HA responds by downloading the mobility binding table to the standby HA. The standby HA acknowledges that it has received the requested binding information. Figure 5 illustrates an active HA downloading the mobility bindings to a standby HA. A main concern in this stage of the process is which HA IP interface the standby HA should use to retrieve the appropriate mobility binding table, and on which interface of the standby HA the binding request should be sent.
Figure 5
Overview of HA Redundancy and Mobility Binding Process
Note
Physical Network Support
For MNs on physical networks, the HAs are configured in the Active HA-Standby HA configurations as shown in Figure 6 and Figure 7. The MNs that are supported on this physical network are configured with the HSRP virtual group address as the HA address. Hence, only the Active HA can accept RRQs from the MN since it is the 'owner' of the HSRP virtual group address. Upon receipt of an authenticated RRQ, the Active HA sends a Binding Update to the Standby HA.
HA Redundancy for physical networks can support multiple HAs in the redundancy group, although only one HA can be in Active state and only one HA can be in Standby state. For example, consider the scenario where there are 4 HAs in the redundancy group, i.e., one Active HA, one Standby HA, and two HAs in Listen state. If the Active HA fails, the Standby HA becomes the Active HA, and the HA in Listen state with higher priority becomes the Standby HA.
Figure 6
Virtual Network Support Using One Physical Network (Peer HA-Peer HA)
Figure 7
Virtual Network Support Using Multiple Physical Networks (Peer HA-Peer HA)
Home Address Assignment
The Home Agent assigns a home address to the mobile based on user NAI received during Mobile IP registration. The IP addresses assigned to a mobile station may be statically or dynamically assigned. The Home Agent will not permit simultaneous registrations for different NAIs with the same IP address, whether it is statically or dynamically assigned.
Static IP Address
A static IP address is an address that is pre-assigned to the mobile station, and possibly pre-configured at the mobile device. The Home Agent supports static addresses that might be public IP addresses, or addresses in private domain.
Note
The mobile user proposes the configured/available address as a non-zero home address in the Registration Request message. The Home Agent may accept this address or return another address in the Registration Reply message. The Home Agent may obtain the IP address by accessing the home-AAA server or DHCP server. The home-AAA server may return the name of a local pool, or a single IP address. On successful Mobile IP registration, Mobile IP based services are made available to the user.
Dynamic IP Address
It is not necessary for a home IP address to be configured in the mobile station in order to access packet data services. A mobile user may request a dynamically assigned address by proposing an all-zero home address in the Registration Request message. The Home Agent assigns a home address and returns it to the mobile in the Registration Reply message. The Home Agent obtains the IP address by accessing the home AAA-server. The AAA server returns the name of a local pool or a single IP address. On successful registration, Mobile IP based services are made available to the user.
Address Assignment for Same NAI - Multiple Static Addresses
The Cisco Home Agent supports multiple Mobile IP registrations for the same NAI with different static addresses. This is accomplished by configuring static-ip-address pool(s) at the home-AAA or DHCP server. When the HA receives a Registration Request message from the mobile user, the HA accesses the home-AAA for authentication, and possibly for assignment of an IP address. The NAI provided by the mobile user is sent to the home-AAA. The home-AAA server returns a list of static-IP-addresses or the static-ip-pool name corresponding to this NAI.
Address Assignment For Same NAI - Different Mobile Terminal
When the same NAI is used for registration from two different mobiles, the behavior is as follows:
•
•
•
•
3 DES Encryption
The Cisco Home Agent 1.2 release include 3DES encryption, which supports IPSec on the HA. To accomplish this on the 7200 router platform, Cisco supplies an SA-ISA card for hardware provided IPsec. On the 6500 platform, the MWAM utilizes the Cisco IPSec Acceleration Card.
In this release the HA requires you to configure the parameters for each PDSN before a mobile ip data traffic tunnel is established between the PDSN and the HA.
Note
Mobile IP IPSec
The Internet Engineering Task Force (IETF) has developed a framework of open standards called IP Security (IPSec) that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IS835-B specifies three mechanisms for providing IPSec security:
•
•
•
Note
Note
IPSec-based security may be applied on tunnels between the PDSN and the HA depending on parameters received from Home AAA server. A single tunnel may be established between each PDSN-HA pair. It is possible for a single tunnel between the PDSN-HA pair to have three types of traffic streams: Control Messages, Data with IP-in-IP encapsulation, and Data with GRE-in-IP encapsulation. All traffic carried in the tunnel will have same level of protection provided by IPSec.
IS835 defines MobileIP service as described in RFC 2002; the Cisco HA provides Mobile IP service and Proxy Mobile IP service.
In Proxy Mobile service, the Mobile-Node is connected to the PDSN/FA through Simple IP, and the PDSN/FA acts as Mobile IP Proxy for the MN to the HA.
Once Security Associations (SAs or tunnels) are established, they remain active until there is traffic on the tunnel, or the lifetime of the SAs expire.
Figure 8 illustrates the IS835 IPSec network topology.
Figure 8 IS835 IPSec Network
User Profiles
The Home Agent maintains a per NAI profile that contains the following parameters:
•
•
•
•
•
•
Additionally, the Home Agent supports an intelligent security association caching mechanism that optimizes the session establishment rate and mimimizes the time for session establishment.
The Home Agent supports the local configuration of a maximum of 200000 user profiles; on the MWAM, the HA supports 5 x 200000 user profiles. The User profile, identified by the NAI, can be configured locally, or retrieved from a AAA server.
Mobility Binding Association
The mobility binding is identified in the home agent in the following ways:
•
•
The binding association contains the following information:
•
•
•
•
User Authentication and Authorization
The Home Agent can be configured to authenticate a user using either PAP or CHAP. The Foreign Agent Challenge procedures are supported (RFC 3012) and includes the following extensions:
•
•
•
Note
When configured to authenticate a user with the Home AAA-server, if the Home Agent receives the MN-AAA Authentication Extension in the Registration Request, the contents are used. If the extension is absent, a default configurable password is used.
The Home Agent accepts and maintains the MN-FA challenge extension, and MN-AAA authentication extension (if present), from the original registration for use in later registration updates.
If the Home Agent does not receive a response from the AAA server within a configurable timeout, the message can be retransmitted a configurable number of times. The Home Agent can be configured to communicate with a group of AAA servers, the server being chosen in round-robin fashion from the available configured servers.
Note
HA Binding Update
When a mobile first registers for packet data services, a PPP session and associated Mobile IP flow(s) are established at the PDSN. In the event of an inter-PDSN handoff, another PPP session is established at the target PDSN, and the mobile registers with the Home Agent via the new PDSN/FA. If PPP idle-timeout is configured on the PDSN virtual-template, the maximum mobile IP lifetime advertised to the mobile will be 1 second less than the idle-timeout.
Idle, or unused PPP sessions at a PDSN/Foreign Agent consume valuable resources. The Cisco PDSN/Foreign Agent and Home Agent support Binding Update and Binding Acknowledge messages to release such idle PPP sessions as soon as possible. In the event of an inter-PDSN handoff and Mobile IP registration, the Home Agent updates mobility binding information for the mobile with the Care-of-Address (CoA) of the new PDSN/FA.
If simultaneous bindings are not enabled, the Home Agent sends a notification in the form of a Binding Update message to the previous PDSN/FA. The previous PDSN/FA acknowledges with a Binding Acknowledge, if required, and deletes the visitor list entry for the Mobile IP session. The previous PDSN/FA initiates the release of the PPP session when there are no active flows for that mobile station.
Note
Packet Filtering
The Home Agent can filter both egress packets from an external data network and ingress data packets based on the Foreign Agent IP address or the Mobile Node IP address.
Security
The HA uses any present statically configured shared secret(s) when processing authentication extension(s) present in mobile IP registration messages.
Restrictions
Simultaneous Bindings
The Cisco Home Agent does not support simultaneous bindings. When multiple flows are established for the same NAI, a different IP address is assigned to each flow. This means that simultaneous binding is not required, because it is used to maintain more than one flow to the same IP address.
IP Reachability
The Home Agent does not support dynamic DNS updates. Hence the CDMA2000 feature, IP Reachability, is not supported.
Security
The HA supports IPSec, IKE, IPSec Authentication Header (AH) and IP Encapsulating Security Payload (ESP) as required in IS-835-B. The Home Agent does not support security for control or user traffic independently. Either both are secured, or neither.
The Home Agent does not support dynamically assigned keys or shared secrets as defined in IS-835-B.
Related Documents
For additional information about the Cisco PDSN Release 1.2 software, refer to the following documents:
•
•
•
For more information about:
•
•
•
•
Supported Platforms
Cisco 7200 Router Platform
The Cisco Home Agent is supported on Cisco's 7206VXR routing platform. The Home Agent supports all physical interfaces currently supported on the 7206VXR platform. These interfaces include Fast Ethernet.
For a complete list of interfaces supported on 7206VXR platform, please refer to the on-line product information at Cisco CCO home page. For hardware details on 7206VXR platform, please refer to C7200 product specifications at http://www.cisco.com/warp/public/cc/pd/rt/7200/index.shtml).
The recommended hardware configuration for PDSN Release 1.2 is based on C7206VXR chassis with an NPE-400 processor, 512 MB DRAM, and two FE port adaptors. The I/O controller on the NPE-400 processor supports two more 10/100 based Ethernet ports. A service adaptor, SA_ISA, is required for hardware support of IPSec.
Cisco MWAM on the Catalyst 6500 Switch Support
The Cisco Home Agent is also supported on Cisco's Multi-processor WAN Application Module (MWAM) on the 6500 Catalyst Switch. Each Catalyst 6500 can support up to 6 MWAM modules. Each MWAM has 3 gigabit ethernet interfaces internally connected to the Cat6500 backplane with 802.1q trunking. There are no external visible ports on an MWAM.
The recommended hardware configuration for Home Agent Release 1.2 is based on a Catalyst 6500 chassis with a SUP2, and 512 MB of DRAM.
The recommended MWAM configuration calls for 512 Meg RAM per processor, totalling 1Gigabyte per processor complex.
An IPSec Services Module (VPNSM) is required for hardware support of IPSec.
Each MWAM supports up to 5 IOS images, and each of them can function the same as a Home Agent running on 7200VXR platform. There are no significant feature differences between a Home Agent on an MWAM and a Home Agent on the 7200VXR platform. However, configuring IP sec on the Cisco IPSec Services Module (VPNSM) is completely different than from the 7200. All configuration is done on the Supervisor card and not on the MWAM.
48 port FE or 16 port GE
Note
For a complete list of interfaces supported on 6500 platform, please refer to the on-line product information at Cisco.com home page. For hardware details on 6500 platform, please refer to the Catalyst 6500 product specifications at http://www.cisco.com/en/US/products/hw/switches/ps708/index.html).
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
The Cisco PDSN Home Agent is compliant with the following standards:
Standards
•
•
MIBs
The Home Agent supports the following MIBs:
•
•
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
•
•
•
•
•
•
•
•
•
•
•
•
•
Configuration Tasks
The Cisco Home Agent software includes two images, one for the Cisco 7200 and one for the Catalyst 6500. This section describes the steps for configuring the Cisco Home Agent. Each image is described by platform number.
•
•
Upgrading a Home Agent Image
To upgrade an image, you will need a compact flash card that has the MP partition from the current image or later, and a recent supervisor image. To locate the images, please go to the Software Center at Cisco.com (http://www.cisco.com/public/sw-center/).
To perform the upgrade perform the following procedure:
Step 1
router #hw-module module 3 reset cf:1Device BOOT variable for reset = > <cf:1> Warning: Device list is not verified.>> Proceed with reload of module? [confirm] % reset issued for module 3>router#Step 2
copy tftp: tftp file location pclc# linecard #-fs:
The upgrade file uses a special format that makes this process slow. The following example illustrates the upgrade process output:
router #copy tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:> Destination filename [c6svcmwam-c6is-mz.bin]?> Accessing tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin...> Loading images/c6svcmwam-c6is-mz.bin from 64.102.16.25 (via Vlan1):> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!> [OK - 29048727/58096640 bytes]> 29048727 bytes copied in 1230.204 secs (23616 bytes/sec)router #> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>> router #> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeded>> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the moduleStep 3
router#hw-module module 3 reset
Loading the IOS Image to MWAM
The image download process automatically loads an IOS image onto the three Processor complexes on the MWAM. All three complexes on the card run the same version of IOS, so they share the same image source. The software for MWAM bundles the images it needs in flash memory on the PC complex. For more information, refer to the Cisco Multi-processor WAN Application Module Installation and Configuration Note.
Configuring the Home Agent
A typical HA configuration requires that you define interfaces in three directions: PDSN/FA, home network, and AAA server. If HA redundancy is required, then you must configure another interface for HSRP binding updates between HAs. If you are running the HA on the MWAM, the HA will see the access to one GE port that will connect to Catalyst 6500 backplane. That port can be configured as a trunk port with subinterfaces provided for each necessary network access.
VLANs can be defined corresponding to each interface: PDSN/FA, home network, AAA. In the case of multiple HA instances in the same Catalyst 6500 chassis, the same VLAN can be used for all of them.
The Cisco Home Agent can provide two classes of user services: Mobile IP, and proxy Mobile IP. The following sections describe the configuration tasks for implementing the Cisco Home Agent.
MWAM Configuration Tasks (Required for All Scenarios)
•
AAA and RADIUS Configuration Tasks (Required for All Scenarios)
To configure the AAA and RADIUS in the Home Agent environment, complete the following tasks.
•
•
Mobile IP Configuration Tasks (Required for Mobile IP)
To configure Mobile IP on the Home Agent, complete the following task:
•
Home Agent Redundancy Tasks (Required for Mobile IP)
Network Management Configuration Tasks
•
Cisco Home Agent Configuration Tasks
•
IP Sec Configuration Tasks
Maintaining the HA
•
Basic IOS Configuration on MWAM and Catalyst 6500
To configure the Supervisor engine recognize the MWAM modules, and to establish physical connections to the backplane, use the following commands:
Note
Configuring AAA in the Home Agent Environment
Access control is the way you manage who is allowed access to the network server and what services they are allowed to use. AAA network security services provide the primary framework through which you set up access control on your router or access server. For detailed information about AAA configuration options, refer to the "Configuring Authentication," and "Configuring Accounting" chapters in the Cisco IOS Security Configuration Guide.
To configure AAA in the HA environment, use the following commands in global configuration mode:
Configuring RADIUS in the Home Agent Environment
RADIUS is a method for defining the exchange of AAA information in the network. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a RADIUS server that contains all user authentication and network server access information. For detailed information about RADIUS configuration options, refer to the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide.
To configure RADIUS in the HA environment, use the following commands in global configuration mode:
Configuring Mobile IP Security Associations
To configure security associations for mobile hosts, FAs, and HAs, use one of the following commands in global configuration mode:
Configuring HA Redundancy
To configure your routers for Mobile IP HA redundancy, perform the required tasks described in the following sections:
•
•
•
•
Enabling Mobile IP
To enable Mobile IP on the router, use the following command in global configuration mode:
Enabling HSRP
To enable HSRP on an interface, use the following command in interface configuration mode:
Configuring HSRP Group Attributes
To configure HSRP group attributes that affect how the local router participates in HSRP, use either of the following commands in interface configuration mode:
Enabling HA Redundancy for a Physical Network
To enable HA redundancy for a physical network, use following commands beginning in interface configuration mode:
Enabling HA Redundancy for a Virtual Network Using One Physical Network
To enable HA redundancy for a virtual network and a physical network, use the following commands beginning in interface configuration mode:
Configuring Network Management
To enable SNMP network management for the HA, use the following commands in global configuration mode:
Configuring the Cisco Home Agent
To configure the Cisco HA, use the following commands in global configuration mode:
Configuring IPSec for the HA
To configure IPSec for the HA, use the following commands in global configuration mode:
Monitoring and Maintaining the HA
To monitor and maintain the HA, use the following commands in privileged EXEC mode:
Configuration Examples
This section provides the following configuration examples:
•
•
•
Cisco Home Agent Configuration
Figure 9 and the information that follows is an example of the placement of a Cisco HA and it's configuration.
Figure 9 Home Agent —A Network Map
Example 1
hostname ha1-7206!aaa new-model!aaa authentication login default group radiusaaa authentication login CONSOLE noneaaa authorization config-commandsaaa authorization ipmobile default group radiusaaa authorization network default group radiusaaa session-id common!interface FastEthernet0/1description To FA/PDSNip address 3.3.3.1 255.255.255.0!interface FastEthernet0/2description To AAAip address 30.30.30.1 255.0.0.0!router mobile!ip local pool ha-pool1 35.35.35.1 35.35.35.254ip mobile home-agent broadcastip mobile virtual-network 35.35.35.0 255.255.255.0ip mobile host nai @xyz.com address pool local ha-pool1 virtual-network 35.35.35.0 255.255.255.0 aaa load-sa lifetime 65535!radius-server host 30.0.0.10 auth-port 1645 acct-port 1646 key cisco!line con 0exec-timeout 0 0login authentication CONSOLE________________________________________________________Example 2 Home Agent Configuration
Cisco_HA#sh runBuilding configuration...Current configuration : 4532 bytes!version 12.2no parser cacheservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internalservice udp-small-serversservice tcp-small-servers!hostname USER_HA!aaa new-model!!aaa authentication ppp default group radiusaaa authorization config-commandsaaa authorization ipmobile default group radiusaaa authorization network default group radiusaaa authorization configuration default group radiusaaa session-id common!username simulator password 0 ciscousername userc-moip password 0 ciscousername pdsn password 0 ciscousername userc password 0 ciscousername USER_PDSNip subnet-zeroip cef!!no ip domain-lookup!! !!interface Loopback0ip address 2.2.2.2 255.255.255.0!interface Tunnel1no ip address!interface FastEthernet0/0ip address 9.15.68.14 255.255.0.0duplex halfspeed 100no cdp enable!interface FastEthernet0/1no ip addressshutdownduplex halfspeed 10no cdp enable!interface FastEthernet1/0ip address 92.92.92.2 255.255.0.0duplex autospeed autono cdp enable!interface FastEthernet1/1ip address 5.5.5.3 255.255.255.0 secondaryip address 5.5.5.1 255.255.255.0shutdownduplex autospeed autono cdp enable!!router mobile!ip local pool ha-pool 6.0.0.1 6.0.15.254ip local pool ha-pool1 4.4.4.100 4.4.4.255ip default-gateway 9.15.0.1ip classlessip route 3.3.3.1 255.255.255.255 FastEthernet1/1ip route 9.100.0.1 255.255.255.255 9.15.0.1ip route 17.17.17.17 255.255.255.255 FastEthernet1/0no ip http serverip pim bidir-enableip mobile home-agentip mobile host nai userc-moip address pool local ha-pool interface FastEthernet1/0ip mobile host nai userc address pool local pdsn-pool interface Loopback0 aaaip mobile secure host nai userc-moip spi 100 key hex ffffffffffffffffffffffffffffffff replay timestamp within 150!!radius-server host 9.15.200.1 auth-port 1645 acct-port 1646 key ciscoradius-server retransmit 3call rsvp-sync!!mgcp profile default!dial-peer cor custom!!gatekeepershutdown!!line con 0exec-timeout 0 0line aux 0line vty 5 15!!endHome Agent Redundancy Configuration
PDSN Configuration
~~~~~~~~~~~~~~version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internalservice cdma pdsn!hostname mwt10-7206a!aaa new-model!aaa authentication ppp default local group radiusaaa authorization config-commandsaaa authorization network default group radiusaaa session-id common!ip subnet-zeroip cef!virtual-profile aaa!interface Loopback0ip address 6.0.0.1 255.0.0.0no ip route-cacheno ip mroute-cache!interface CDMA-Ix1ip address 5.0.0.1 255.0.0.0tunnel source 5.0.0.1!interface FastEthernet1/0description to PCFip address 4.0.0.101 255.0.0.0no ip route-cache cefduplex half!interface Ethernet2/0description to HAip address 7.0.0.1 255.0.0.0no ip route-cache cefduplex half!interface Ethernet2/1description to AAAip address 150.1.1.9 255.255.0.0no ip route-cache cefduplex half!interface Virtual-Template1ip unnumbered Loopback0ip mobile foreign-service challengeip mobile foreign-service reverse-tunnelip mobile registration-lifetime 60000no keepaliveno peer default ip addressppp authentication chap pap optionalppp accounting none!router mobile!ip local pool pdsn-pool 11.0.0.1 11.0.0.255ip classlessip route 9.0.0.0 255.0.0.0 7.0.0.2ip route 10.0.0.0 255.0.0.0 7.0.0.2no ip http serverip pim bidir-enableip mobile foreign-agent care-of Ethernet2/0!dialer-list 1 protocol ip permitdialer-list 1 protocol ipx permit!radius-server host 150.1.0.2 auth-port 1645 acct-port 1646 key ciscoradius-server retransmit 3cdma pdsn virtual-template 1cdma pdsn a10 max-lifetime 65535cdma pdsn timeout mobile-ip-registration 300cdma pdsn mip-reg-fail-no-closesessioncdma pdsn secure pcf 4.0.0.1 spi 100 key ascii ciscocdma pdsn secure pcf 4.0.0.2 spi 100 key ascii ciscocall rsvp-sync!mgcp profile default!dial-peer cor custom!gatekeepershutdown!line con 0exec-timeout 0 0line aux 0line vty 0 4!endActive-HA configuration
~~~~~~~~~~~~~~~~~~~version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname mwt10-7206b!aaa new-model!aaa authentication ppp default local group radiusaaa authorization config-commandsaaa authorization ipmobile default group radiusaaa authorization network default group radiusaaa session-id common!ip subnet-zeroip cef!interface Ethernet2/0description to PDSN/FAip address 7.0.0.2 255.0.0.0no ip route-cacheno ip mroute-cacheduplex halfstandby ip 7.0.0.4standby priority 110standby preempt delay sync 100standby name cisco!interface Ethernet2/2description to AAAip address 150.2.1.8 255.255.0.0no ip route-cacheno ip mroute-cacheduplex half!router mobile!ip local pool ha-pool 10.0.0.1 10.0.0.255ip classlessno ip http serverip pim bidir-enableip mobile home-agentip mobile home-agent redundancy ciscoip mobile host nai mwts-mip-np-user1@ispxyz.com static-address 40.0.0.1 interface Ethernet2/0 aaaip mobile secure home-agent 7.0.0.3 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix!radius-server host 150.2.0.2 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server key ciscocall rsvp-sync!mgcp profile default!dial-peer cor custom!gatekeepershutdown!line con 0line aux 0line vty 0 4!endStandby-HA configuration
~~~~~~~~~~~~~~~~~~~~version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname mwt10-7206b!aaa new-model!aaa authentication ppp default local group radiusaaa authorization config-commandsaaa authorization ipmobile default group radiusaaa authorization network default group radiusaaa session-id common!ip subnet-zeroip cef!interface Ethernet2/0description to PDSN/FAip address 7.0.0.3 255.0.0.0no ip route-cacheno ip mroute-cacheduplex halfstandby ip 7.0.0.4standby name cisco!interface Ethernet2/2description to AAAip address 150.2.1.7 255.255.0.0no ip route-cacheno ip mroute-cacheduplex half!router mobile!ip local pool ha-pool 10.0.0.1 10.0.0.255ip classlessno ip http serverip pim bidir-enableip mobile home-agentip mobile home-agent redundancy ciscoip mobile host nai mwts-mip-np-user1@ispxyz.com static-address 40.0.0.1 interface Ethernet2/0 aaaip mobile secure home-agent 7.0.0.2 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix!radius-server host 150.2.0.2 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server key ciscocall rsvp-sync!mgcp profile default!dial-peer cor custom!gatekeepershutdown!line con 0line aux 0line vty 0 4!endHome Agent IPSec Configuration
Note
Note
access-list 101 deny ip any anyaccess-list 103 deny ip any any-------------------------------------------------------!! No configuration change since last restart!version 12.2service timestamps debug datetimeservice timestamps log datetimeservice password-encryption!hostname 7206f1!aaa new-model!!aaa authentication login CONSOLE noneaaa authentication login NO_AUTHENT noneaaa authentication ppp default group radiusaaa authorization config-commandsaaa authorization ipmobile default group radiusaaa authorization network default group radiusaaa session-id commonenable password 7 151E0A0E!username xxx privilege 15 nopasswordip subnet-zeroip cef!!no ip domain-lookup!!crypto isakmp policy 1authentication pre-sharecrypto isakmp key cisco address 1.1.1.4crypto isakmp key cisco address 172.18.60.30!!crypto ipsec transform-set esp-des-sha-transport esp-des esp-sha-hmacmode transport!crypto map tosim 10 ipsec-isakmpset peer 1.1.1.4set transform-set esp-des-sha-transportmatch address 101!crypto map tosim3 10 ipsec-isakmpset peer 172.18.60.30set transform-set esp-des-sha-transportmatch address 103!!interface Loopback0ip address 9.0.0.1 255.0.0.0!interface Loopback1ip address 12.0.0.1 255.0.0.0!interface Loopback10ip address 10.1.1.1 255.255.255.0!interface FastEthernet0/0ip address 1.1.1.1 255.255.255.0load-interval 30duplex fullspeed 100crypto map tosim!interface FastEthernet0/1ip address 2.1.1.1 255.0.0.0load-interval 30duplex fullspeed 100!interface FastEthernet1/0ip address 3.1.1.1 255.255.255.0load-interval 30duplex full!interface FastEthernet2/0ip address 172.18.60.10 255.255.255.0load-interval 30duplex fullcrypto map tosim3!router mobile!ip local pool ispabc-pool1 12.0.0.2 12.1.0.1ip local pool ispabc-pool1 12.1.0.2 12.2.0.1ip local pool ispxyz-pool1 9.0.0.2 9.1.0.1ip local pool ispxyz-pool1 9.1.0.2 9.2.0.1ip classlessip route 172.18.49.48 255.255.255.255 172.18.60.1no ip http serverip pim bidir-enableip mobile home-agent address 10.1.1.1ip mobile host nai @ispabc.com address pool local ispabc-pool1 virtual-network 12.0.0.0 255.0.0.0 aaa load-sa lifetime 65535ip mobile host nai @ispxyz.com address pool local ispxyz-pool1 virtual-network 9.0.0.0 255.0.0.0 aaa load-sa lifetime 65535!!access-list 101 permit ip host 10.1.1.1 host 1.1.1.4access-list 101 deny ip any anyaccess-list 103 permit ip host 10.1.1.1 host 172.18.60.30access-list 103 deny ip any any!!radius-server host 172.18.49.48 auth-port 1645 acct-port 1646 key 7 094F471A1A0Aradius-server retransmit 3radius-server key 7 02050D480809call rsvp-sync!!mgcp profile default!dial-peer cor custom!!gatekeepershutdown!!line con 0exec-timeout 0 0line aux 0line vty 0 4exec-timeout 0 0!exception protocol ftpexception dump 64.102.16.25exception memory minimum 1000000ntp clock-period 17179878ntp server 172.18.60.1!endCommand Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•
•
•
•
•
access list
To configure the access list mechanism for filtering frames by protocol type or vendor code, use the access-list global configuration command. Use the no form of this command to remove the single specified entry from the access list.
access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
no access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
Syntax Description
Defaults
No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list..
Command Modes
Global configuration
Command History
Usage Guidelines
Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).
When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.
To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (CET global configuration) and crypto map (CET interface configuration) commands.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.
Note
Caution
Note
Examples
The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.
access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile global configuration command. Use the no form of this command to remove authorization.
aaa authorization ipmobile {tacacs+ | radius}
no aaa authorization ipmobile {tacacs+ | radius}
Syntax Description
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on an AAA server. This command is not need for the former; but in the latter case, this command authorizes Mobile IP to retrieve the security associations from the AAA server.
Note
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-modelaaa authorization ipmobile tacacs+tacacs-server host 1.2.3.4tacacs-server key mykeyip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaRelated Commands
clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding EXEC command.
clear ip mobile binding {all [load standby-group-name] | ip-address | nai string ip_address}
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The home agent creates a mobility binding for each roaming mobile node. The mobility binding allows the mobile node to exchange packets with the correspondent node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. There should be no need to clear the binding because it expires after lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
Use this command with care, because it may terminate any sessions used by the mobile node. After using this command, the visitor will need to reregister to continue roaming.
Examples
The following example administratively stops mobile node 10.0.0.1 from roaming:
Router# clear ip mobile binding 10.0.0.1Router# show ip mobile bindingMobility Binding List:Total 110.0.0.1:Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowedRouting Options - (G)GRERelated Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile station, use the clear ip mobile host-counters EXEC command.
clear ip mobile host-counters [[ip-address | nai string ip_address] undo]]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this is useful for debugging).
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile host20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Router# clear ip mobile host-countersRouter# show ip mobile host-counters20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Related Commands
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure EXEC command.
clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
Examples
In the following example, the AAA server has the security association for user 10.0.0.1 after registration:
Router# show ip mobile secure host 10.0.0.1Security Associations (algorithm,mode,replay protection,key):10.0.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8The security association of the AAA server changes as follows:
Router# clear ip mobile secure host 10.0.0.1 loadRouter# show ip mobile secure host 10.0.0.110.0.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `newkey' 1230552d39b7c1751f86bae5205ec0c8Related Commands
ip mobile secure
Specifies the mobility security associations for mobile host, visitor, home agent, and foreign agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic EXEC command.
clear ip mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (this is useful for debugging.) See the show ip mobile traffic command for a list and description of all counters.
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 8, Deregister 0 requestsRegister 7, Deregister 0 repliedAccepted 6, No simultaneous bindings 0Denied 1, Ignored 1Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 1, Bad request form 0..Router# clear ip mobile trafficRouter# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Related Commands
crypto map (global IPSec)
To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command.
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]
no crypto map map-name [seq-num]
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.
Examples
The following example creates a crypto map entry and indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic:
Router# crypto map map-name seq-num ipsec-manualip mobile home-agent
To enable and control home agent services on the router, use the ip mobile home-agent global configuration command. To disable these services, use the no form of this command.
ip mobile home-agent [home-agent address] [broadcast] [care-of-access acl] [lifetime number] [replay seconds] [reverse-tunnel off] [roam-access acl] [strip-nai-realm] [suppress-unreachable] [local-timezone]
no ip mobile home-agent [broadcast] [care-of-access acl] [lifetime number] [replay seconds] [reverse-tunnel private address] [roam-access acl] [strip-nai-realm] [suppress-unreachable] [local-timezone]
Syntax Description
Defaults
Disabled. Broadcasting is disabled by default. Reverse tunnel support is enabled by default. ICMP Unreachable messages are sent by default.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The strip-nai-realm and local-timezone keywords were added.
Usage Guidelines
This command enables and controls home agent services on the router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered mobile nodes are unaffected. Tunnels are shared by mobile nodes registered with the same endpoints, so the reverse-tunnel-off keyword also affects registered mobile nodes.
The home agent is responsible for processing registration requests from the mobile node and setting up tunnels and routes to the care-of address. Packets to the mobile node are forwarded to the visited network.
The home agent will forward broadcast packets to mobile nodes if they registered with the service. However, heavy broadcast traffic utilizes the CPU of the router. The home agent can control where the mobile nodes roam by the care-of-access parameter, and which mobile node is allowed to roam by the roam-access parameter.
When a registration request comes in, the home agent will ignore requests when home agent service is not enabled or the security association of the mobile node is not configured. The latter condition occurs because the security association must be available for the MH authentication extension in the reply. If a security association exists for the foreign agent (IP source address or care-of address in request), the foreign agent is authenticated, and then the mobile node is authenticated. The Identification field is verified to protect against replay attack. The home agent checks the validity of the request (see Table 1) and sends a reply. (Replay codes are listed in Table 2.) A security violation is logged when foreign agent authentication, MH authentication, or Identification verification fails. (The violation reasons are listed in Table 3.)
After registration is accepted, the home agent creates or updates the mobility binding of the mobile node, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no mobile nodes are using it), and gratuitous ARPs are sent out if the mobile node is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the HA uses the entire NAI string as username for authentication (which may be with local security association or retrieved from the AAA server). The strip-nai-realm parameter instructs the HA to strip off the realm part of NAI (if it exists) before performing authentication. Basically, the mobile station is identified by only the username part of NAI.
When the packet destined for the mobile node arrives on the home agent, the home agent encapsulates the packet and tunnels it to the care-of address. If the Don't fragment bit is set in the packet, the outer bit of the IP header is also set. This allows the Path MTU Discovery to set the MTU of the tunnel. Subsequent packets greater than the MTU of the tunnel will be dropped and an ICMP datagram too big message sent to the source. If the home agent loses the route to the tunnel endpoint, the host route to the mobile node will be removed from the routing table until tunnel route is available. Packets destined for the mobile node without a host route will be sent out the interface (home link) or to the virtual network (see the description of suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the home agent will send a copy to all mobile nodes registered with the broadcast routing option.
Table 1 describes how the home agent treats registrations with various bits set when authentication and identification are passed.
Table 2 lists the home agent registration reply codes.
Table 3 lists security violation codes.
Table 3 Security Violation Codes
1
No mobility security association.
2
Bad authenticator.
3
Bad identifier.
4
Bad SPI.
5
Missing security extension.
6
Other.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent broadcast lifetime 7200Router (config)#ip mobile home-agent reverse-tunnel ?off Disable reverse tunnel modeprivate-address Reverse Tunneling Mandatory for Private Mobile IP addressesRelated Commands
ip mobile home-agent reject-static-addr
To configure the HA to reject RRQs from MNs under certain conditions, use the ip mobile home-agent reject-static-addr sub-command under the ip mobile home-agent global configuration command.
ip mobile home-agent reject-static-addr
Syntax Description
This command has not arguments or keywords
Command Modes
Sub-command of the ip mobile home-agent global configuration command.
Command History
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
If an MN which has binding to the HA with a static address, and tries to register with the same static address again, then the HA rejects the second RRQ from MN.
Examples
The following example illustrates the ip mobile home-agent reject-static-addr command:
Router# ip mobile home-agent reject-static-addr
ip mobile home-agent redundancy
To configure the home agent for redundancy by using the Hot Standby Router Protocol (HSRP) group name, use the ip mobile home-agent redundancy subcommand under the ip mobile home-agent global configuration command. To remove the address, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address addr]
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address addr]
Syntax Description
hsrp-group-name
Specifies HSRP group name.
virtual-network
(Optional) Specifies that the HSRP group is used to support virtual networks.
address addr
(Optional) Home agent address.
Defaults
No global home agent addresses are specified.
Command Modes
Subcommand of the ip mobile home-agent global configuration command.
Command History
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
The virtual-network keyword specifies that the HSRP group supports virtual networks.
Note
When Mobile IP standby is configured, the home agent can request mobility bindings from the peer home agent. When the command is deconfigured, the home agent can remove mobility bindings. The following describes how home agent redundancy operates on physical and virtual networks.
Physical network:
Only the active home agent will receive registrations. It updates the standby home agent. The standby home agent requests the mobility binding table from the active home agent. When Mobile IP standby is deconfigured, the standby home agent removes all bindings, but the active home agent keeps all bindings.
Virtual network:
Both active and standby home agents receive registrations if the loopback interface is used; each will update the peer after accepting a registration. Otherwise, the active home agent receives registrations. Both active and standby home agents request mobility binding tables from each other. When Mobile IP standby is deconfigured, the standby or active home agent removes all bindings.
Examples
The following is sample output from the ip mobile home-agent redundancy command that specifies an HSRP group name of SanJoseHA:
Router# ip mobile home-agent redundancy SanJoseHA
ip mobile home-agent resync-sa
To configure the HA to clear out the old cached security associations and requery the AAA server, use the ip mobile home-agent resync-sa command global configuration command.
ip mobile home-agent resync-sa x
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
When a MN tries to reregister with the HA, the time change from the original timestamp is checked. If that time period is less than x, and the MN fails authentication, then the HA will not requery the AAA server for another SA.
If the MN reregisters with the HA, and the time between registrations is greater than x, and the MN fails registrations, then the HA will clear out the old SA and requery the AAA server.
Examples
The following example illustrates the ip mobile home-agent resync-sa command:
Router# ip mobile home-agent resync-sa 10
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host global configuration command. For PDSN, use this command to configure the static IP address or address pool for multiple flows with the same NAI.
ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [aaa [load-sa]] [care-of-access acl] [lifetime number]
no ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [aaa [load-sa]] [care-of-access acl] [lifetime number]
Syntax Description
Defaults
No host is configured.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated parameters were added.
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the home agent. These mobile nodes belong to the network on an interface or a virtual network (via the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from an AAA server. When using an AAA server, the router will attempt to download all security associations when the command is entered. If no security associations are retrieved, retrieval will be attempted when a registration request arrives or the clear ip mobile secure command is entered.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 4 are based on the assumption of one security association per mobile node.
The nai keyword allows you to specify a particular mobile station or range of mobile stations. The mobile station can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool). Or, the mobile station can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the PDSN proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The address pool can be defined by a local pool or using a DHCP proxy client. For DHCP, the interface name specifies the address pool from which the DHCP server selects and dhcp-server specifies DHCP server address.
Security associations can be stored using one of three methods:
•
•
•
Each method has advantages and disadvantages, which are described in Table 4.
Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and store its security associations on the AAA server:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain.
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 65535The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain.
ip mobile host nai @cisco.com static-address local-pool mobilenodesRelated Commands
ip mobile secure
To specify the mobility security associations for the mobile host, visitor, home agent, foreign agent, and proxy host, use the ip mobile secure global configuration command. To remove the mobility security associations, use the no form of this command.
ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
no ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
Syntax Description
Defaults
No security association is specified.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
Usage Guidelines
The security association consists of the entity address, SPI, key, replay protection method, authentication algorithm, and mode.
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.
On a home agent, the security association of the mobile host is mandatory for mobile host authentication. If desired, configure a foreign agent security association on your home agent. On a foreign agent, the security association of the visiting mobile host and security association of the home agent are optional. Multiple security associations for each entity can be configured.
If registration fails because the timestamp value is out of bounds, the time stamp of the home agent is returned so the mobile node can reregister with the time-stamp value closer to that of the home agent, if desired.
Note
Examples
The following example shows mobile node 20.0.0.1, which has a key that is generated by the MD5 hash of the string:
Router# ip mobile secure host 20.0.0.1 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel interface configuration command.
ip mobile tunnel {crypto map map-name | route-cache | path-mtu-discovery | nat {inside | outside}}
Syntax Description
Defaults
Disabled.
Command Modes
Global configuration.
Command History
Usage Guidelines
Path MTU discovery is used by end stations to find a packet size that does not need fragmentation between them. Tunnels have to adjust their MTU to the smallest MTU interior to achieve this. This is described in RFC 2003.
The discovered tunnel MTU should be aged out periodically to possibly recover from case where sub-optimum MTU existed at time of discovery. It is reset to the outgoing interface's MTU.
Examples
The following example sets the discovered tunnel MTU to expire in ten minutes:
Router# ip mobile tunnel reset-mtu-time 600
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network global configuration command. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address addr]
no ip mobile virtual-network net mask [address addr]
Syntax Description
Defaults
No home agent addresses are specified.
Command Modes
Global configuration.
Command History
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the HA IP address is configured on the loopback interface for that virtual network:
Router# ip mobile virtual-network
int e0ip addr 1.0.0.1 255.0.0.0standby ip 1.0.0.10standby name SanJoseHAint lo0ip addr 20.0.0.1 255.255.255.255ip mobile home-agentip mobile virtual-network 20.0.0.0 255.255.0.0 20.0.0.1ip mobile home-agent standby SanJoseHA virtual-networkip mobile secure home-agent 1.0.0.2 spi 100 hex 00112233445566778899001122334455radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
no radius-server host {hostname | ip-address}
Defaults
The auth-port port number defaults to 1645; the acct-port port number defaults to 1646.
Command Modes
Global configuration
Command History
Examples
The following example shows the radius-server host command:
Router# radius server host 20.1.1.1router mobile
To enable Mobile IP on the router, use the router mobile global configuration command. To disable Mobile IP, use the no form of this command.
router mobile
no router mobile
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
Global configuration.
Command History
Usage Guidelines
This command must be used in order to run Mobile IP on the router, as either a home agent or a foreign agent. The process is started and counters begin. Disabling
Mobile IP will remove all related configuration commands, both global and interface.
Examples
The following example enables Mobile IP:
Router# router mobile
show ip mobile binding
To display the mobility binding table, use the show ip mobile binding EXEC command.
show ip mobile binding [ip address | home-agent address | nai string | summary]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The home agent updates the mobility binding table in response to registration events from mobile nodes. If the address argument is specified, bindings are shown for only that mobile node.
Examples
The following is sample output from the show ip mobile binding command:
Router# show ip mobile bindingMobility Binding List:Total 120.0.0.1:Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowedRouting Options - (G)GRETable 5 describes the significant fields shown in the display.
show ip mobile globals
To display global information for Mobile Agents, use the show ip mobile globals EXEC command.
show ip mobile globals
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
This command shows which services are provided by the home agent and/or foreign agent. Note the deviation from RFC 2006; the foreign agent will not display busy or registration required information. Both are handled on a per interface basis (see the show ip mobile interface command), not at the global foreign agent level.
Examples
The following is sample output from the show ip mobile globals command:
Router# show ip mobile globalsIP Mobility global information:Home AgentRegistration lifetime: 10:00:00 (36000 secs)Broadcast enabledReplay protection time: 7 secsReverse tunnel enabledICMP Unreachable enabledVirtual networks20.0.0.0/8Foreign Agent is not enabled, no care-of address0 interfaces providing serviceEncapsulations supported: IPIP and GRETunnel fast switching enabledDiscovered tunnel MTU aged out after 1:00:00Table 6 describes the significant fields shown in the display.
show ip mobile host
To display mobile station counters and information, use the show ip mobile host EXEC command.
show ip mobile host [address | interface interface | network address | nai string | group [nai string] | summary]
Syntax Description
Command Modes
EXEC
Command History
Examples
The following is sample output from the show ip mobile host command:
Router# show ip mobile host20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Table 7 describes the significant fields shown in the display.
The following is sample output from the show ip mobile host group command for groups configured with the ip mobile host command:
Router# show ip mobile host group20.0.0.1 - 20.0.0.20:Home link on virtual network 20.0.0.0 /8, Care-of ACL -none-Security associations on router, Allowed lifetime 10:00:00 (36000/default)Table 8 describes the significant fields shown in the display.
Related Commands
show ip mobile binding
Displays the mobility binding table.
clear ip mobile host-counters
Clears the mobile station-specific counters.
show ip mobile secure
To display the mobility security associations for the mobile host, mobile visitor, foreign agent, home agent, or proxy Mobile IP host use the show ip mobile secure EXEC command.
show ip mobile secure {host | home-agent | summary} {address}
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai and proxy-host keywords were added.
Usage Guidelines
Multiple security associations can exist for each entity.
Examples
The following is sample output from the show ip mobile secure command:
Router# show ip mobile secureSecurity Associations (algorithm,mode,replay protection,key):20.0.0.6SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key 00112233445566778899001122334455Table 9 describes the significant fields shown in the display.
show ip mobile traffic
To display Home Agent protocol counters, use the show ip mobile traffic EXEC command.
show ip mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
Counters can be reset to zero (0) using the clear ip mobile traffic command, which also allows you to undo the reset.
Examples
The following is sample output from the show ip mobile traffic command:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register requests rcvd 7242, denied 2, ignored 0, dropped 0, replied 7242Register requests accepted 7240, No simultaneous bindings 0Register requests rcvd initial 7241, re-register 0, de-register 1Register requests accepted initial 7239, re-register 0, de-register 1Register requests replied 7241, de-register 1Register requests denied initial 2, re-register 0, de-register 0Register requests ignored initial 0, re-register 0, de-register 0Registration Request Errors:Unspecified 0, Unknown HA 0, NAI check failures 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0, active HA 0Bad identification 2, Bad request form 0Unavailable encap 0, reverse tunnel 0Reverse tunnel mandatory 0Unrecognized VendorID or CVSE-Type in CVSE sent by MN to HA 0Unrecognized VendorID or CVSE-Type in CVSE sent by FA to HA 0Binding Updates received 0, sent 0 total 0 fail 0Binding Update acks received 0 sent 0Binding info requests received 0, sent 0 total 0 fail 0Binding info reply received 0 drop 0, sent 0 total 0 fail 0Binding info reply acks received 0 drop 0, sent 0Gratuitous 0, Proxy 0 ARPs sentRoute Optimization Binding Updates sent 0, acks received 0 neg acks received 0Table 10 describes the significant fields shown in the display.
show ip mobile violation
To display information about security violations, use the show ip mobile violation EXEC command.
show ip mobile violation [address | nai string]
Syntax Description
address
(Optional) Displays violations from a specific IP address.
nai string
(Optional) Network access identifier.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated parameters were added.
Usage Guidelines
The most recent violation is saved for all the mobile nodes. A circular log holds up to 50 unknown requesters, violators without security association. The oldest violations will be purged to make room for new unknown requesters when the log limit is reached.
Security violation messages are logged at the informational level (see the logging global configuration command). When logging is enabled to include this severity level, violation history can be displayed using the show logging command.
Examples
The following is sample output from the show ip mobile violation command:
Router# show ip mobile violationSecurity Violation Log:Mobile Hosts:20.0.0.1:Violations: 1, Last time: 06/18/97 01:16:47SPI: 300, Identification: B751B581.77FD0E40Error Code: MN failed authentication (131), Reason: Bad authenticator (2)Table 11 describes significant fields shown in the display.
snmp-server enable traps ipmobile
To configure Simple Network Management Protocol (SNMP) security notifications for Mobile IP, use the snmp-server enable traps ipmobile command in global configuration mode. To disable SNMP notifications for Mobile IP, use the no form of this command.
snmp-server enable traps ipmobile
no snmp-server enable traps ipmobile
Syntax Description
This command has no arguments or keywords.
Defaults
SNMP notifications are disabled by default.
Command Modes
Global Configuration
Command History
Usage Guidelines
SNMP Mobile IP notifications can be sent as traps or inform requests. This command enables both traps and inform requests.
For a complete description of this notification and additional MIB functions, see the RFC2006-MIB.my file, available on Cisco.com at
http://www.cisco.com/public/mibs/v2/.
The snmp-server enable traps ipmobile command is used in conjunction with the snmp-server host command. Use the snmp-server host global configuration command to specify which host or hosts receive SNMP notifications. To send SNMP notifications, you must configure at least one snmp-server host command.
Examples
The following example enables the router to send Mobile IP informs to the host at the address myhost.cisco.com using the community string defined as public:
snmp-server enable traps ipmobilesnmp-server host myhost.cisco.com informs version 2c publicDebug Commands
This section identifies the debug commands for the Cisco Mobile Wireless Home Agent. For more information, refer to the Cisco IOS Debug Command Reference.
debug ip mobile advertise
Use the debug ip mobile advertise EXEC command to display advertisement information.
debug ip mobile advertise
no debug ip mobile advertise
Syntax Description
This command has no arguments or keywords.
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile advertise command. Table 12 describes significant fields shown in the display.
Router# debug ip mobile advertiseMobileIP: Agent advertisement sent out Ethernet1/2: type=16, len=10, seq=1,lifetime=36000,flags=0x1400(rbhFmGv-rsv-),Care-of address: 68.0.0.31Prefix Length ext: len=1 (8 )Table 12 Debug IP Mobile Advertise Field Descriptions
debug ip mobile host
Use the debug ip mobile host EXEC command to display IP mobility events.
debug ip mobile host acl
no debug ip mobile host
Syntax Description
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile host command:
Router# debug ip mobile hostMobileIP: HA received registration for MN 20.0.0.6 on interface Ethernet1 using COA68.0.0.31 HA 66.0.0.5 lifetime 30000 options sbdmgvTMobileIP: Authenticated FA 68.0.0.31 using SPI 110 (MN 20.0.0.6)MobileIP: Authenticated MN 20.0.0.6 using SPI 300MobileIP: HA accepts registration from MN 20.0.0.6MobileIP: Mobility binding for MN 20.0.0.6 updatedMobileIP: Roam timer started for MN 20.0.0.6, lifetime 30000MobileIP: MH auth ext added (SPI 300) in reply to MN 20.0.0.6MobileIP: HF auth ext added (SPI 220) in reply to MN 20.0.0.6MobileIP: HA sent reply to MN 20.0.0.6debug ip mobile redundancy
Use the debug ip mobile host EXEC command to display IP mobility events.
debug ip mobile redundancy
no debug ip mobile redundancy
Syntax Description
This command has no keywords or arguments.
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile redundancy command:
Router# debug ip mobile redundancy00:19:21: MobileIP: Adding MN service flags to bindupdate00:19:21: MobileIP: Adding MN service flags 0 init registration flags 100:19:21: MobileIP: Adding a hared version cvse - bindupdate00:19:21: MobileIP: HARelayBindUpdate version number 2MobileIP: MN 40.0.0.20 - sent BindUpd to HA 7.0.0.3 HAA 7.0.0.400:19:21: MobileIP: HA standby maint started - cnt 100:19:21: MobileIP: MN 40.0.0.20 - HA rcv BindUpdAck accept from 7.0.0.3 HAA 7.0.0.400:19:22: MobileIP: HA standby maint started - cnt 1Glossary
3GPP2—3rd Generation Partnership Project 2
AAA —Authentication, Authorization and Accounting
AH— Authentication Header
APN— Access Point Name
BG —Border Gateway
BSC —Base Station Controller
BSS— Base Station Subsystem
BTS —Base Transceiver Station
CHAP— Challenge Handshake Authentication Protocol
CoA— Care-Of Address
DSCP—Differentiated Services Code Point
DNS —Domain Name Server
ESN— Electronic Serial Number
FA— Foreign Agent
FAC —Foreign Agent Challenge (also FA-CHAP)
HA —Home Agent
HDLC— High-Level Data Link Control
HLR— Home Location Register
HSRP —Hot Standby Router Protocol
IP —Internet Protocol
IPCP— IP Control Protocol
IS835—
ISP —Internet Service Provider
ITU —International Telecommunications Union
L2_Relay— Layer Two Relay protocol (Cisco proprietary)
L2TP— Layer 2 Tunneling Protocol
LCP— Link Control Protocol
LNS —L2TP Network Server
MAC —Medium Access Control
MIP— Mobile IP
MS— Mobile Station (= TE + MT)
MT —Mobile Termination
NAI —Network Access Identifier
NAS —Network Access Server
P-MIP— Proxy-Mobile IP
PAP— Password Authentication Protocol
PCF— Packet Control Function
PDN— Packet Data Network
PDSN —Packet Data Serving Node
PPP— Point-to-Point Protocol
PPTP— Point-to-Point Tunneling Protocol
SLA—Service Level Agreement
TE —Terminal Equipment
TID —Tunnel Identifier
VPDN —Virtual Packet Data Network
1 NAI support in Mobile IP HA Redundancy feature provides CDMA2000 specific capabilities for Home Agent redundancy. The CDMA2000 framework requires address assignment based on NAI, and support of multiple static IP addresses per user NAI.
