IP Mobility: Mobile IP Configuration Guide, Cisco IOS Release 15S
IPv6 ACL Extensions for Mobile IPv6

Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a host device to be identified by a single IP address even though the device may move its physical point of attachment from one network to another. Regardless of movement between different networks, connectivity at the different points is achieved seamlessly without user intervention. Roaming from a wired network to a wireless or wide-area network is also done with ease. Mobile IP provides ubiquitous connectivity for users, whether they are within their enterprise networks or away from home.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IPv6 ACL Extensions for Mobile IPv6

Mobile IPv6 Overview

Mobile IPv4 provides an IPv4 node with the ability to retain the same IPv4 address and maintain uninterrupted network and application connectivity while traveling across networks. In Mobile IPv6, the IPv6 address space enables Mobile IP deployment in any kind of large environment. No foreign agent is needed to use Mobile IPv6.

System infrastructures do not need an upgrade to accept Mobile IPv6 nodes. IPv6 autoconfiguration simplifies mobile node (MN) Care of Address (CoA) assignment.

Mobile IPv6 benefits from the IPv6 protocol itself; for example, Mobile IPv6 uses IPv6 option headers (routing, destination, and mobility) and benefits from the use of neighbor discovery.

Mobile IPv6 provides optimized routing, which helps avoid triangular routing. Mobile IPv6 nodes work transparently even with nodes that do not support mobility (although these nodes do not have route optimization).

Mobile IPv6 is fully backward-compatible with existing IPv6 specifications. Therefore, any existing host that does not understand the new mobile messages will send an error message, and communications with the mobile node will be able to continue, albeit without the direct routing optimization.

How Mobile IPv6 Works

To implement Mobile IPv6, you need a home agent on the home subnet on which the mobile node’s home address resides. The IPv6 home address (HA) is assigned to the mobile node. The mobile node obtains a new IPv6 address (the CoA) on networks to which it connects. The home agent accepts binding updates (BUs) from the mobile node informing the agent of the mobile node’s location. The home agent then acts as proxy for the mobile node, intercepting traffic to the mobile node’s home address and tunneling it to the mobile node.

The mobile node informs a home agent on its original home network about its new address, and the correspondent node communicates with the mobile node about the CoA. Because of the use of ingress filtering, the mobile node reverse-tunnels return traffic to the home agent, so that the mobile node source address (that is, its home address) will always be topologically correct.

Direct routing in Mobile IPv6 is the ability of a mobile node to bypass the home agent when sending IP packets to a correspondent node. Optional extensions make direct routing possible in Mobile IPv6, though the extensions might not be implemented in all deployments of Mobile IPv6.

Direct routing is built into Mobile IPv6, and the direct routing function uses the IPv6 routing header and the IPv6 destination options header. The routing header is used for sending packets to the mobile node using its current CoA, and the new home address destination option is used to include the mobile node’s home address, because the current CoA is the source address of the packet.

Packet Headers in Mobile IPv6

The basic IPv6 packet header has 8 fields with a total size of 40 octets (320 bits). Fields were removed from the IPv6 header compared with the IPv4 header because, in IPv6, fragmentation is not handled by routers and checksums at the network layer are not used. Instead, fragmentation in IPv6 is handled by the source of a packet and checksums at the data link layer and transport layer are used. Additionally, the basic IPv6 packet header and options field are aligned to 64 bits, which can facilitate the processing of IPv6 packets.

Mobile IPv6 uses the routing and destination option headers for communications between the mobile node and the correspondent node. The new mobility option header is used only for the binding update (BU) process.

Several ICMP message types have been defined to support Mobile IPv6. IPv6 access lists can include entries that match Mobile-IPv6-specific ICMP messages and entries that match packets containing Mobile IPv6 extension headers.

For further information on IPv6 packet headers, refer to the "Implementing IPv6 Addressing and Basic Connectivity" module.

How to Configure IPv6 ACL Extensions for Mobile IPv6

Enabling Mobile IPv6 on the Router

You can customize interface configuration parameters before you start Mobile IPv6 (see "Customizing Mobile IPv6 on the Interface") or while Mobile IPv6 is in operation.

SUMMARY STEPS

    1.    enable
    2.    configure terminal
    3.    interface type number
    4.    ipv6 mobile home-agent [preference preference-value]
    5.    exit
    6.    exit
    7.    show ipv6 mobile globals
    8.    show ipv6 mobile home-agent [interface-type interface-number [prefix]]


DETAILED STEPS

Step 1  enable
    Example:
    Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2  configure terminal
    Example:
    Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3  interface type number
    Example:
    Router(config)# interface Ethernet 2
    Purpose: Specifies an interface type and number, and places the router in interface configuration mode.

Step 4  ipv6 mobile home-agent [preference preference-value]
    Example:
    Router(config-if)# ipv6 mobile home-agent
    Purpose: Initializes and starts the Mobile IPv6 home agent on a specific interface.

Step 5  exit
    Example:
    Router(config-if)# exit
    Purpose: Exits interface configuration mode, and returns the router to global configuration mode.

Step 6  exit
    Example:
    Router(config)# exit
    Purpose: Exits global configuration mode, and returns the router to privileged EXEC mode.

Step 7  show ipv6 mobile globals
    Example:
    Router# show ipv6 mobile globals
    Purpose: Displays global Mobile IPv6 parameters.

Step 8  show ipv6 mobile home-agent [interface-type interface-number [prefix]]
    Example:
    Router# show ipv6 mobile home-agent
    Purpose: Displays local and discovered neighboring home agents.

Filtering Mobile IPv6 Protocol Headers and Options

IPv6 extension headers have been developed to support the use of option headers specific to Mobile IPv6. IPv6 access list entries can match Mobile-IPv6-specific ICMPv6 messages and packets that contain the new and modified IPv6 extension headers: the IPv6 mobility header, the type 2 routing header, and the destination option header. For more information on how to create, configure, and apply IPv6 access lists, refer to the "Implementing Traffic Filters and Firewalls for IPv6 Security" module.

SUMMARY STEPS

    1.    enable
    2.    configure terminal
    3.    ipv6 access-list access-list-name
    4.    permit icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]


DETAILED STEPS

Step 1  enable
    Example:
    Device> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2  configure terminal
    Example:
    Device# configure terminal
    Purpose: Enters global configuration mode.

Step 3  ipv6 access-list access-list-name
    Example:
    Device(config)# ipv6 access-list list1
    Purpose: Defines an IPv6 access list and places the router in IPv6 access list configuration mode.

Step 4  permit icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]
    Example:
    Router(config-ipv6-acl)# permit icmp host 2001:DB8:0:4::32 any routing-type 2
    Example:
    Router(config-ipv6-acl)# deny icmp host 2001:DB8:0:4::32 any routing-type 2
    Purpose: Specifies permit or deny conditions for Mobile-IPv6-specific option headers in an IPv6 access list.
    • The icmp-type argument can be (but is not limited to) one of the following Mobile-IPv6-specific options:
      • dhaad-request: numeric value is 144
      • dhaad-reply: numeric value is 145
      • mpd-solicitation: numeric value is 146
      • mpd-advertisement: numeric value is 147
    • When the dest-option-type keyword with the doh-number or doh-type argument is used, IPv6 packets are matched against the destination option extension header within each IPv6 packet header.
    • When the mobility keyword is used, IPv6 packets are matched against the mobility extension header within each IPv6 packet header.
    • When the mobility-type keyword with the mh-number or mh-type argument is used, IPv6 packets are matched against the mobility-type option extension header within each IPv6 packet header.
    • When the routing-type keyword and routing-number argument are used, IPv6 packets are matched against the routing-type option extension header within each IPv6 packet header.
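
Added example (not Cisco code, and not how IOS implements matching): a Python sketch of the extension-header walk that the routing-type, dest-option-type, mobility-type and icmp-type keywords depend on, run over constructed packets. The function names, the sample packets and the destination address are assumptions; the protocol numbers are the IANA and RFC 6275 values (option type 201 is the Home Address option, MH type 5 is a Binding Update).

```python
import struct
# IANA Next Header numbers for the headers the ACL keywords inspect.
HOPOPT, ROUTING, ICMPV6, DSTOPT, MOBILITY = 0, 43, 58, 60, 135

def option_types(opts):
    """Return the type of each non-padding TLV in a Destination Options body."""
    types, i = [], 0
    while i < len(opts):
        if opts[i] == 0:                 # Pad1 is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        if opts[i] != 1:                 # 1 is PadN
            types.append(opts[i])
        i += 2 + opts[i + 1]
    return types

def classify(pkt):
    """Walk the extension-header chain and return the fields an entry matches on."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    f = {"routing_type": None, "dest_options": [], "mh_type": None, "icmp_type": None}
    nh, off = pkt[6], 40
    while nh in (HOPOPT, ROUTING, DSTOPT):
        size = (pkt[off + 1] + 1) * 8 if off + 2 <= len(pkt) else 0
        if size == 0 or off + size > len(pkt):
            raise ValueError("truncated extension header")
        if nh == ROUTING:
            f["routing_type"] = pkt[off + 2]
        elif nh == DSTOPT:
            f["dest_options"] += option_types(pkt[off + 2:off + size])
        nh, off = pkt[off], off + size
    if nh == MOBILITY and off + 3 <= len(pkt):
        f["mh_type"] = pkt[off + 2]      # layout: payload proto, header len, MH type
    elif nh == ICMPV6 and off < len(pkt):
        f["icmp_type"] = pkt[off]
    return f

def sample(next_header, payload):
    """Constructed packet from 2001:DB8:0:4::32 (the host in the page's example)."""
    src = bytes.fromhex("20010db8000000040000000000000032")
    dst = bytes.fromhex("20010db8000000010000000000000001")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: type 2 routing header + echo request; Home Address option + Binding Update.
RH2 = sample(ROUTING, bytes([ICMPV6, 2, 2, 1]) + bytes(20) + bytes([128, 0, 0, 0, 0, 0, 0, 0]))
BU = sample(DSTOPT, bytes([MOBILITY, 2, 1, 2, 0, 0, 201, 16]) + bytes(16)
            + bytes([59, 1, 5, 0]) + bytes(8) + bytes([1, 2, 0, 0]))
```

The RH2 sample is the kind of packet the routing-type 2 entries in Step 4 act on. A header that claims more octets than the packet carries raises an error instead of being read past the end.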
       

Controlling ICMP Unreachable Messages

When IPv6 is unable to route a packet, it generates an appropriate ICMP unreachable message directed toward the source of the packet. Perform this task to control ICMP unreachable messages for any packets arriving on a specified interface.

SUMMARY STEPS

    1.    enable
    2.    configure terminal
    3.    interface type number
    4.    ipv6 unreachables


DETAILED STEPS

Step 1  enable
    Example:
    Router> enable
    Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2  configure terminal
    Example:
    Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3  interface type number
    Example:
    Router(config)# interface ethernet 0/0
    Purpose: Specifies the interface type and number, and enters interface configuration mode.

Step 4  ipv6 unreachables
    Example:
    Router(config-if)# ipv6 unreachables
    Purpose: Enables the generation of ICMPv6 unreachable messages for any packets arriving on the specified interface.

Configuration Examples for IPv6 ACL Extensions for Mobile IPv6

Example: Viewing IPv6 Mobile Information on an Interface

Device(config-if)# ipv6 nd ra-interval 100 60

Subsequent use of the show ipv6 interface command then displays the interval as follows:

Router# show ipv6 interface ethernet 1/0
Ethernet1/0 is administratively down, line protocol is down
  IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:5A01 [TEN]
  No Virtual link-local address(es):
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 60 to 100 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.

Feature Information for IPv6 ACL Extensions for Mobile IPv6

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for IPv6 ACL Extensions for Mobile IPv6

Feature Name: IPv6 ACL Extensions for Mobile IPv6
Releases: 12.4(2)T, 12.2(33)SRB, 12.2(33)SXI, 15.0(1)S, 15.0(1)SY
Feature Information: IPv6 access lists can include entries that match Mobile-IPv6-specific ICMP messages and entries that match packets containing Mobile IPv6 extension headers. The following commands were introduced or modified: deny, ipv6 access-list, ipv6 unreachables, permit.