Per User Packet Filtering
This chapter discusses Per-User Packet Filtering and its implementation in Cisco IOS Mobile Wireless Home Agent software.
This chapter includes the following sections:
•Mobile-User ACLs in Packet Filtering
•Configuring ACLs on the Tunnel Interface
•Verifying ACLs are Applied to a Tunnel
Mobile-User ACLs in Packet Filtering
The Home Agent supports per user packet filtering. This feature provides that for a successfully authenticated registration request, the RADIUS server will return "inACL" and "outACL" attributes in an access response to the HA. "inACL" and "outACL" attributes identify the pre-configured ACLs on the HA that are applied to mobility bindings. An input ACL will apply to traffic from the user leaving the tunnel. An output ACL will apply to traffic sent to the user using the tunnel. The attributes will be synched to the standby HA during normal sync and bulksync operation.
ACLs applied to a mobility binding can be displayed by show ip mobile binding command. Only the ACLs downloaded at the time of initial authentication will be applied. An ACL downloaded at the time of mobile re-authentication, for lifetime renewal, will not be applied.
The HA will accept one input ACL name and one output ACL name for each user.
Only named extended access-lists are supported for this feature
Note There is significant performance degradation when mobile user ACLs are applied to a large number of mobility bindings.
The Home Agent can filter both egress packets from an external data network and ingress data packets based on the Foreign Agent IP address or the Mobile Node IP address.
Configuring ACLs on the Tunnel Interface
To configure ACLs to block certain traffic using the template tunnel feature, perform the following task:
Router(config)# interface tunnel 10
ip access-group 150 in -------> apply access-list 150
access-list 150 deny any 10.10.0.0 0.255.255.255
access-list permit any any
------> permit all but traffic to 10.10.0.0 network
ip mobile home-agent template tunnel 10 address 10.0.0.1
Configures a tunnel template.
Configures the ACL.
Configures a Home Agent to use the template tunnel.
Verifying ACLs are Applied to a Tunnel
Here is example output of the show ip mobile binding command:
ACLs Applied to a Mobility Binding and Accounting Session ID and Accounting Counters
router# show ip mobile binding
email@example.com (Bindings 1):
Care-of Addr 18.104.22.168, Src Addr 22.214.171.124
Lifetime granted 00:03:20 (200), remaining 00:03:03
Flags sBdmg-T-, Identification CB32792C.A7E22A29
Tunnel0 src 126.96.36.199 dest 188.8.131.52 reverse-allowed
Routing Options - (B)Broadcast (T)Reverse-tunnel
Sent on tunnel to MN: 0 packets, 0 bytes
Received on reverse tunnel from MN: 0 packets, 0 bytes
Radius Disconnect Enabled
router# show ip mobile tunnel
Total mobile ip tunnels 1
src 184.108.40.206, dest 220.127.116.11
encap IP/IP, mode reverse-allowed, tunnel-users 1
Input ACL users 1, Output ACL users 1
Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
outbound interface Ethernet1/0
HA created, fast switching enabled, ICMP unreachable enabled
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
0 packets output, 0 bytes
In/Out Access List Per NAI/Realm
HA R5.0 supports upstream/downstream (in/out) ACLs for a mobile user if the HA receives the ACL names in the access-response message from AAA. But, if AAA does not send ACL names in the access-response, it is not possible to have in/out ACL applied for a mobile user. HA R5.1 supports in/out ACLs per tunnel using tunnel template, but this is applied on all users on the tunnel. It is not possible to apply ACLs only to specific users or to a set of users.
•This feature supports configuration of in/out ACL names per realm/NAI. The ACLs corresponding to the ACL names are configured by using the ip access-list extended acl-name command.
•If the ACL is modified/updated/created/deleted after associating the ACL name to realm/NAI, the modifications are applied immediately to the mobile users that are using this particular ACL.
•If the in/out ACL name associated with a realm/NAI is modified/added, then the new ACL will be applied to all the current bindings that belong to the realm/NAI.
•If the in/out ACL name associated with a realm/NAI is deleted, then the deleted ACL will not be applied to the current bindings that belong to the realm/NAI.
•Irrespective of whether in/out ACL name is configured for a realm/NAI, if the HA receives in/out ACL names in an access-response message, then the ACL names received from AAA are applied to the mobile user.
Configuring the In/Out Access List Per NAI/Realm Feature
To enable the In/Out Access List per NAI/Realm feature in Cisco HA Release 5.1, perfrom the following task:
Router(config)# ip mobile realm nai | realm in-acl in-acl-name
Router(config)# [no] ip mobile realm nai | realm out-acl out-acl-name
Limitations and Restrictions
•Only named extended ACLs are supported for configuring the in/out ACLs per realm/NAI.
•Only ACL names received in the first successful access-response for the session are applied. ACL names from the subsequent access-responses are not considered.