Mobile IP Configuration Examples


 
This chapter provides information for several configuration examples that can be implemented on the system to support Mobile IP (MIP) data services.
 
Important: This chapter does not discuss the configuration of the local context. Information about the local context can be found in Command Line Reference.
Important: When configuring Mobile IP, take into account the MIP timing considerations discussed in the Mobile-IP and Proxy-MIP Timer Considerations appendix.
Example 1: Mobile IP Support Using the System as a GGSN/FA
For Mobile IP applications, the system can be configured to perform the function of a Gateway GPRS Support Node/Foreign Agent (GGSN/FA) and/or a Home Agent (HA). This example describes what is needed for and how the system performs the role of the GGSN/FA. Examples 2 and 3 provide information on using the system to provide HA functionality.
 
The system’s GGSN/FA configuration for Mobile IP applications is best addressed with three contexts (one source, one AAA, and one Mobile IP destination) configured as shown in the figure that follows.
Important: A fourth context that serves as a destination context must also be configured if Reverse Tunneling is disabled in the FA service configuration. Reverse Tunneling is enabled by default.
The source context will facilitate the GGSN service(s), and the Ga and Gn interfaces. The AAA context will be configured to provide foreign AAA functionality for subscriber PDP contexts and facilitate the AAA interfaces. The MIP destination context will facilitate the FA service(s) and the Gi interface(s) from the GGSN/FA to the HA.
The optional destination context will allow the routing of data from the mobile node to the packet data network by facilitating a packet data network (PDN) interface. This context will be used only if reverse tunneling is disabled.
Mobile IP Support using the system as a GGSN/FA
Information Required
Prior to configuring the system as shown in this example, there is a minimum amount of information required. The following sections describe the information required to configure the source and destination contexts.
Source Context Configuration
The following table lists the information that is required to configure the source context.
Required Information for Source Context Configuration
NOTE: The name of the source context should be the same as the name of the context in which the FA-context is configured if a separate system is being used to provide GGSN/FA functionality.
Mobile Country Code (MCC): The MCC can be configured to any integer value from 0 to 999.
Mobile Network Code (MNC): The MNC can be configured to any integer value from 0 to 999.
Behavior Bits: If charging characteristics will be configured on the GGSN, behavior bits for the following conditions can be configured:
Profile Index: If the GGSN’s charging characteristics will be used for subscriber PDP contexts, profile indexes can be modified/configured for one or more of the following conditions:
IP address: The IP address of the CGF server to which the GGSN will send accounting information.
Priority: If more than one CGF is configured, this is the server’s priority. It is used to determine the rotation order of the CGFs when sending accounting information.
Maximum number of messages: The maximum number of outstanding or unacknowledged GTPP messages allowed for the CGF.
AAA Context Configuration
The following table lists the information that is required to configure the AAA context.
Required Information for AAA Context Configuration
NOTE: If a separate system is used to provide HA functionality, the AAA context name should match the name of the context in which the AAA functionality is configured on the HA machine.
NOTE: The examples discussed in this chapter assume GTPP is used.
NOTE: The profile index parameters are configured as part of the GGSN service.
Home Agent IP Address: The IP address of an HA with which the system will tunnel subscriber Mobile IP sessions.
Mobile IP Requirement: The APN can be configured to require Mobile IP for all sessions it facilitates. Incoming PDP contexts that do/can not use Mobile IP are dropped.
IP Address: Specifies the IP address of the Foreign RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
IP Address: Specifies the IP address of the foreign RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the foreign RADIUS accounting server and the source context.
UDP Port Number: Specifies the port used by the source context and the foreign RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
Mobile IP Destination Context Configuration
The following table lists the information that is required to configure the Mobile IP destination context.
Required Information for Mobile IP Destination Context Configuration
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain. It should, however, match the name of the context in which the HA service is configured if a separate system is used to provide HA functionality.
HA IP address: Specifies the IP address of the HAs with which the FA service communicates. The FA service allows the creation of a security profile that can be associated with a particular HA.
Index: Specifies the shared SPI between the FA service and a particular HA. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the FA service is to communicate with multiple HAs.
Secrets: Specifies the shared SPI secret between the FA service and the HA. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured.
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is hmac-md5. A hash-algorithm is required for each SPI configured.
NOTE: The system will only support multiple Mobile IP sessions per subscriber if the subscriber’s mobile node has a static IP address.
Optional Destination Context Configuration
The following table lists the information required to configure the optional destination context. As discussed previously, this context is required if: 1) reverse tunneling is disabled in the FA service, or 2) access control lists (ACLs) are used.
Important: If ACLs are used, the destination context would only consist of the ACL configuration. Interface configuration would not be required.
Required Information for Destination Context Configuration
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
How This Configuration Works
The following figure and the text that follows describe how this configuration with a single source and destination context would be used by the system to process a Mobile IP data call.
 
Call Processing When Using the system as a GGSN/FA
 
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Example 2: Mobile IP Support Using the System as an HA
The system supports both Simple and Mobile IP. For Mobile IP applications, the system can be configured to perform the function of a GGSN/FA and/or a HA. This example describes what is needed for and how the system performs the role of the HA. Example number 1 provides information on using the system to provide GGSN/FA functionality.
 
The system’s HA configuration for Mobile IP applications requires that at least two contexts (one source and one destination) be configured as shown in the following figure.
Mobile IP Support Using the system as an HA
The source context will facilitate the HA service(s), the Gi interfaces from the FA, and the AAA interfaces. The source context will also be configured to provide Home AAA functionality for subscriber sessions. The destination context will facilitate the PDN interface(s).
Information Required
Prior to configuring the system as shown in this example, there is a minimum amount of information required. The following sections describe the information required to configure the source and destination contexts.
Source Context Configuration
The following table lists the information that is required to configure the source context.
Required Information for Source Context Configuration
NOTE: The initial registration and de-registration will still be handled normally.
FA IP address: The HA service allows the creation of a security profile that can be associated with a particular FA.
Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295.
Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric).
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5.
Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295.
Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric).
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5.
Replay-protection process: Specifies how protection against replay-attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.
IP Address: Specifies the IP address of the home RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
IP Address: Specifies the IP address of the home RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the home RADIUS accounting server and the source context.
UDP Port Number: Specifies the port used by the source context and the home RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
NOTE: For this configuration, the IP context name should be identical to the name of the destination context.
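The SPI, shared secret, hash-algorithm and replay-protection rows in the table above (and the matching FA-side rows in Example 1) describe the Mobile IP authentication extension that the FA and HA services use to authenticate registration messages. The following Python example is added here as an illustration and is not StarOS code or part of the Cisco document. It builds a minimal Registration Request, appends an hmac-md5 authentication extension under a given SPI, and shows the agent-side check: look up the SPI in the security profile table, verify the authenticator in constant time, then apply timestamp replay protection with the page's default tolerance of 60 seconds. The message layout and extension types follow RFC 3344; the SPI value, addresses and secret are constructed, and Unix seconds stand in for the NTP-format identification field.

```python
import hmac
import hashlib
import socket
import struct

# RFC 3344 authentication extension types (assumed layout; the page names only
# the SPI, secret and hash-algorithm parameters)
MN_HA_AUTH_EXT = 32
FA_HA_AUTH_EXT = 34
AUTH_EXT_LEN = 2 + 4 + 16          # type, length, SPI, 16-byte MD5 authenticator
TIMESTAMP_TOLERANCE_SEC = 60       # page: default timestamp tolerance of 60 seconds


def build_registration_request(home_addr, home_agent, care_of_addr, sent_secs, lifetime=1800):
    """Minimal Registration Request header (RFC 3344 type 1), 24 bytes.
    The 64-bit identification carries the sender's clock in its high 32 bits;
    Unix seconds are used here instead of NTP format (simplification)."""
    identification = (sent_secs & 0xFFFFFFFF) << 32
    return struct.pack("!BBH4s4s4sQ", 1, 0, lifetime,
                       socket.inet_aton(home_addr), socket.inet_aton(home_agent),
                       socket.inet_aton(care_of_addr), identification)


def append_auth_extension(message, ext_type, spi, secret):
    """Append an authentication extension. hmac-md5 (the page's default algorithm)
    is computed over the message through the SPI field (RFC 3344 section 3.5.1)."""
    header = struct.pack("!BBI", ext_type, AUTH_EXT_LEN - 2, spi)
    authenticator = hmac.new(secret, message + header, hashlib.md5).digest()
    return message + header + authenticator


def verify_auth_extension(packet, ext_type, security_profiles):
    """Agent-side check. security_profiles maps SPI -> shared secret, i.e. the
    FA/HA security profile rows from the configuration tables.
    Returns (accepted, reason)."""
    if len(packet) < 24 + AUTH_EXT_LEN:
        return False, "packet too short"
    body, ext = packet[:-AUTH_EXT_LEN], packet[-AUTH_EXT_LEN:]
    etype, length, spi = struct.unpack("!BBI", ext[:6])
    if etype != ext_type or length != AUTH_EXT_LEN - 2:
        return False, "unexpected extension header"
    secret = security_profiles.get(spi)
    if secret is None:
        return False, "unknown SPI %d" % spi
    expected = hmac.new(secret, body + ext[:6], hashlib.md5).digest()
    # constant-time comparison so a mismatch does not leak how many bytes matched
    if not hmac.compare_digest(expected, ext[6:]):
        return False, "authenticator mismatch"
    return True, "ok"


def timestamp_is_fresh(packet, now_secs, tolerance=TIMESTAMP_TOLERANCE_SEC):
    """Timestamp replay protection: the identification value must lie within
    `tolerance` seconds of the receiver's clock."""
    (identification,) = struct.unpack("!Q", packet[16:24])
    sent_secs = identification >> 32
    return abs(now_secs - sent_secs) <= tolerance


def process_registration(packet, ext_type, security_profiles, now_secs):
    """Authenticate first, then apply replay protection, so the timestamp window
    is only ever evaluated for messages that carry a valid authenticator."""
    ok, reason = verify_auth_extension(packet, ext_type, security_profiles)
    if not ok:
        return False, reason
    if not timestamp_is_fresh(packet, now_secs):
        return False, "identification outside timestamp tolerance (possible replay)"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample values: SPI 1000 (within the page's 256..4294967295 range),
    # a made-up secret, documentation-range addresses and a fixed clock.
    profiles = {1000: b"constructed-mn-ha-secret"}
    now = 1700000000
    req = build_registration_request("10.1.1.5", "192.0.2.10", "198.51.100.7", now)
    pkt = append_auth_extension(req, MN_HA_AUTH_EXT, 1000, profiles[1000])
    print(process_registration(pkt, MN_HA_AUTH_EXT, profiles, now))
    print(process_registration(pkt, MN_HA_AUTH_EXT, profiles, now + 120))  # same packet seen 2 minutes later
```

The second call in the usage block shows why the timestamp tolerance matters: the packet is still correctly authenticated, but because its identification is more than 60 seconds from the receiver's clock it is refused as a replay rather than accepted on the strength of the shared secret alone.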
Destination Context Configuration
The following table lists the information required to configure the destination context.
Required Information for Destination Context Configuration
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
How This Configuration Works
The following figure and the text that follows describe how this configuration with a single source and destination context would be used by the system to process a Mobile IP data call.
 
Call Processing When Using the system as an HA
 
1.
2.
For this example, the result of this process is that the HA service determined that AAA functionality should be provided by the Source context.
3.
4.
Upon successful authentication, the Source context determines which egress context to use for the subscriber session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
For this example, the system determines that the egress context is the Destination context based on the configuration of the Default subscriber.
5.
6.
7.
Example 3: HA Using a Single Source Context and Multiple Outsourced Destination Contexts
The system allows the wireless carrier to easily generate additional revenue by providing the ability to configure separate contexts that can then be leased or outsourced to various enterprises or ISPs, each having a specific domain.
 
In order to perform the role of an HA and support multiple outsourced domains, the system must be configured with at least one source context and multiple destination contexts as shown in the following figure. The AAA servers could be owned/maintained by either the carrier or the domain. If they are owned by the domain, the carrier will have to receive the AAA information via proxy.
The system as an HA Using a Single Source Context and Multiple Outsourced Destination Contexts
The source context will facilitate the HA service(s), and the Gi interface(s) to the FA(s). The source context will also be configured with AAA interface(s) and to provide Home AAA functionality for subscriber sessions. The destination contexts will each be configured to facilitate PDN interfaces. In addition, because each of the destination contexts can be outsourced to different domains, they will also be configured with AAA interface(s) and to provide AAA functionality for that domain.
In addition to the source and destination contexts, there are additional system-level AAA parameters that must be configured.
Information Required
Prior to configuring the system as shown in this example, there is a minimum amount of information required. The following sections describe the information required to configure the source and destination contexts.
Source Context Configuration
The following table lists the information that is required to configure the source context.
Required Information for Source Context Configuration
NOTE: The initial registration and de-registration will still be handled normally.
FA IP address: The HA service allows the creation of a security profile that can be associated with a particular FA.
Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295.
Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric).
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5.
Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295.
Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric).
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5.
Replay-protection process: Specifies how protection against replay-attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.
IP Address: Specifies the IP address of the home RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
IP Address: Specifies the IP address of the home RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the home RADIUS accounting server and the source context.
UDP Port Number: Specifies the port used by the source context and the home RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
NOTE: For this configuration, the IP context name should be identical to the name of the destination context.
Destination Context Configuration
The following table lists the information required to configure the destination context. This information will be required for each domain.
Required Information for Destination Context Configuration
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system.
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
IP Address: Specifies the IP address of the RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
IP Address: Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context.
UDP Port Number: Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
System-Level AAA Configuration
The following table lists the information that is required to configure the system-level AAA parameters.
Required Information for System-Level AAA Configuration
NOTE: The default domain name can be the same as the source context.
NOTE: The last-resort context name can be the same as the source context.
NOTE: The username string is searched from right to left for the separator character. Therefore, if there are one or more separator characters in the string, only the first one that is recognized is considered the actual separator. For example, if the default username format was used, then for the username string user1@enterprise@isp1, the system resolves to the username user1@enterprise with domain isp1.
How This Configuration Works
The following figure and the text that follows describe how this configuration with a single source and destination context would be used by the system to process a Mobile IP data call.
 
Call Processing When Using the system as an HA with a Single Source Context and Multiple Outsourced Destination Contexts
 
1.
2.
Within the Source context, the IP context name was configured as Domainx.
Within the Domainx context, the IP context name was configured as Domainx.
3.
Sessions are received by the HA service from the FA over the Gi interface for subscriber1@Domain1, subscriber2, and subscriber3@Domain37.
4.
For subscriber1, the HA service determines that a domain name is present and is Domain1.
For subscriber2, the HA service determines that no domain name is present.
For subscriber3, the HA service determines that a domain name is present and is Domain37.
5.
The HA service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
For subscriber1, the HA service determines that a context was configured with a name (Domain1) that matches the domain name specified in the username string. Therefore, Domain1 is used.
For subscriber2, the HA service determines that Domainx is configured as the default domain name. Therefore, Domainx is used.
For subscriber3, the HA service determines that no context is configured that matches the domain name (Domain37) specified in the username string. Because no last-resort context name was configured, the Source context is used.
6.
7.
Upon successful authentication of all three subscribers, the HA service determines which destination context to use for each of the subscriber sessions. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
For subscriber1, the HA service receives the SN-VPN-NAME or SN1-VPN-NAME attribute equal to Domain1 as part of the Authentication Accept message from the AAA server on Domain1’s network. Therefore, Domain1 is used as the destination context.
For subscriber2, the HA service determines that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determines the subscriber IP context name configured within the Domainx context. Therefore, the Domainx context is used as the destination context.
For subscriber3, the HA service determines that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determines the subscriber IP context name configured within the Source context. Therefore, the Source context is used as the destination context.
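The domain-separator rule in the System-Level AAA table and steps 5 and 7 of this walkthrough together describe a small decision procedure. The following Python example is added here and is not part of the Cisco document or StarOS; it implements that procedure: right-to-left separator search, AAA-context selection with default-domain and last-resort fallbacks, and destination-context selection from the SN-VPN-NAME/SN1-VPN-NAME attribute or the configured IP context name. The context names, default domain and IP-context table are constructed from the walkthrough. Two cases the page does not state are assumptions: a domain-less username with no default domain configured falls back to the source context, and a context with no IP context name configured resolves to itself.

```python
SEPARATOR = "@"   # the page's default username format uses '@' as the domain separator


def split_username(username, separator=SEPARATOR):
    """Search right to left for the separator, as the page describes:
    'user1@enterprise@isp1' -> ('user1@enterprise', 'isp1').
    A string without the separator has no domain: ('subscriber2', None)."""
    head, sep, domain = username.rpartition(separator)
    if not sep:
        return username, None
    return head, domain


def select_aaa_context(username, contexts, source_context, default_domain=None, last_resort=None):
    """Step 5: pick the context that provides AAA for the session.
    - domain present and a context of that name exists -> that context
    - no domain -> the configured default domain
    - domain present but no matching context -> the last-resort context, or the
      source context when no last-resort context is configured
    Assumption (not on the page): with no default domain configured, a
    domain-less username also falls back to the source context."""
    _, domain = split_username(username)
    if domain is None:
        return default_domain if default_domain is not None else source_context
    if domain in contexts:
        return domain
    return last_resort if last_resort is not None else source_context


def select_destination_context(aaa_context, access_accept_attrs, ip_context_names):
    """Step 7: an SN-VPN-NAME or SN1-VPN-NAME attribute in the Access-Accept
    names the destination context; otherwise use the subscriber IP context name
    configured in the context that handled AAA.
    Assumption (not on the page): a context with no IP context name configured
    resolves to itself."""
    for attr in ("SN-VPN-NAME", "SN1-VPN-NAME"):
        value = access_accept_attrs.get(attr)
        if value:
            return value
    return ip_context_names.get(aaa_context, aaa_context)


# Constructed configuration reflecting the Example 3 walkthrough.
CONTEXTS = {"Source", "Domain1", "Domainx"}
SOURCE_CONTEXT = "Source"
DEFAULT_DOMAIN = "Domainx"
LAST_RESORT = None                        # no last-resort context configured
IP_CONTEXT_NAMES = {"Domainx": "Domainx"}  # subscriber IP context name per context


def resolve_session(username, access_accept_attrs):
    """Run steps 5 and 7 for one session: (AAA context, destination context)."""
    aaa_ctx = select_aaa_context(username, CONTEXTS, SOURCE_CONTEXT, DEFAULT_DOMAIN, LAST_RESORT)
    dest_ctx = select_destination_context(aaa_ctx, access_accept_attrs, IP_CONTEXT_NAMES)
    return aaa_ctx, dest_ctx


if __name__ == "__main__":
    # The three sessions from step 3; the Access-Accept contents are constructed
    # to match what steps 7 describe for each subscriber.
    sessions = [
        ("subscriber1@Domain1", {"SN-VPN-NAME": "Domain1"}),
        ("subscriber2", {}),
        ("subscriber3@Domain37", {}),
    ]
    for username, attrs in sessions:
        print(username, "->", resolve_session(username, attrs))
```

Note that the right-to-left search means a username such as user1@enterprise@isp1 is never split at the first separator; if the intent is for enterprise to be the domain, the username format must be changed rather than relying on the default.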
8.
9.
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883