Table Of Contents
clear ip mobile router registration
clear ip mobile router traffic
ip mobile home-agent aaa user-password
ip mobile home-agent accounting
ip mobile home-agent redundancy
ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
ip mobile registration-lifetime
ip mobile router-service collocated
ip mobile router-service collocated registration retry
ip mobile secure foreign-agent
Mobile IP Commands
aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile command in global configuration mode. To remove authorization, use the no form of this command.
aaa authorization ipmobile {[radius | tacacs+] | default} [group server-groupname]
no aaa authorization ipmobile {[radius | tacacs+] | default} [group server-groupname]
Syntax Description
radius
Authorization list named radius.
tacacs+
Authorization list named tacacs+.
default
Default authorization list.
group server-groupname
(Optional) Name of the server group to use.
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on a AAA server. This command is not needed for the former; but in the latter case, this command authorizes Mobile IP to retrieve the security associations from the AAA server.
Once the authorization list is named, it can be used in other areas such as login. You can only use one named authorization list; multiple named authorization lists are not supported.
The aaa authorization ipmobile default group server-groupname command is the most commonly used method to retrieve security associations from the AAA server.
Note
The AAA server does not authenticate the user. It stores the security association that is retrieved by the router to authenticate registration.
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-modelaaa authorization ipmobile tacacs+tacacs-server host 1.2.3.4tacacs-server key mykeyip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaThe following example uses RADIUS as the default group to retrieve security associations from the AAA server:
aaa new-modelaaa authentication login default enableaaa authorization ipmobile default group radiusaaa session-id commonradius-server host 128.107.162.173 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server key ciscoip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaRelated Commands
address (mobile router)
To set the home IP address of the mobile router, use the address command in mobile router configuration mode. To remove the address, use the no form of this command.
address address mask
no address address mask
Syntax Description
Defaults
No default behavior or values.
Command Modes
Mobile router configuration
Command History
Usage Guidelines
The address command configures the home IP address and subnet mask of the mobile router. The address and subnet mask identify the home network of the mobile router and are used to discover when the mobile router is at home.
Examples
The following example sets the home IP address and subnet mask of the mobile router:
ip mobile routeraddress 10.1.0.1 255.255.0.0Related Commands
show ip mobile router
Displays configuration information and monitoring information about the mobile router.
clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding command in EXEC mode.
clear ip mobile binding {all [load standby-group-name] | ip-address | nai string}
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The home agent creates a mobility binding for each roaming mobile node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. Typically, there should be no need to clear the binding because it expires after the lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed through this command, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
Use this command with care, because it will disrupt any sessions used by the mobile node. After using this command, the mobile node will need to reregister to continue roaming.
Examples
The following example administratively stops mobile node 10.0.0.1 from roaming:
Router# show ip mobile bindingMobility Binding List:Total 110.2.0.1:Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowedRouting Options - (G)GRERouter# clear ip mobile binding 10.2.0.1Router# show ip mobile bindingRelated Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile node, use the clear ip mobile host-counters command in EXEC mode.
clear ip mobile host-counters [[ip-address | nai string] undo]]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this option is useful for debugging).
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile host20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -registered-, Home link on virtual network 20.0.0.0/8Accepted 2, Last time 04/13/02 19:04:28Overall service time 00:04:42Denied 0, Last time -never-Last code `-never- (0)'Total violations 1Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0.Router# clear ip mobile host-countersRouter# show ip mobile host-counters20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Related Commands
clear ip mobile router agent
To delete learned agents and the corresponding care-of address of the foreign agent from the mobile router agent table, use the clear ip mobile router agent command in privileged EXEC mode.
clear ip mobile router agent [ip-address]
Syntax Description
ip-address
(Optional) IP address of an agent. If not specified, all agents are deleted from the agent table.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The mobile router maintains an agent table listing active agents and the corresponding care-of address of the foreign agent. The mobile router uses this agent table to decide which foreign agent to register with. The mobile router updates the table when it receives advertisements. If an advertisement expires, its entry is automatically deleted from the table.
The clear ip mobile router agent ip-address option allows you to remove a specific agent.
Examples
The following example removes all agents from the mobile router agent table:
Router# clear ip mobile router agentRelated Commands
show ip mobile router interface
Displays information about the agents for the mobile router.
clear ip mobile router registration
To delete registration entries from the mobile router registration table, use the clear ip mobile router registration command in privileged EXEC mode.
clear ip mobile router registration [ip-address]
Syntax Description
ip-address
(Optional) IP address of a specific agent. If not specified, all registration entries are deleted.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The mobile router maintains a registration table listing registration entries that are used for retransmissions. For example, a registration request is sent when no reply is received or the lifetime is about to expire.
A registration request can be removed from the table to prevent further registration requests from being sent to the agent. The clear ip mobile router registration ip-address option allows you to remove a registration to a specific agent.
Clearing an active registration will cause the mobile router to attempt to deregister.
Examples
The following example removes all registration entries from the mobile router registration table:
Router# clear ip mobile router registrationRelated Commands
show ip mobile router registration
Displays the pending and accepted registrations of the mobile router.
clear ip mobile router traffic
To clear the counters that the mobile router maintains, use the clear ip mobile router traffic command in privileged EXEC mode.
clear ip mobile router traffic
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Mobile router counters are accumulated during operation. They are useful for debugging and monitoring.
Examples
The following example shows how the mobile router counters can be used for debugging:
Router# show ip mobile router trafficMobile Router Counters:Agent Discovery:Solicitations sent 90, advertisements received 17Agent reboots detected 0Registrations:Register 70, Deregister 0 requests sentRegister 70, Deregister 0 replies receivedRequests accepted 68, denied 1 by HA 1 /FA 0Denied due to mismatched ID 1...Router# clear ip mobile router trafficRouter# show ip mobile router trafficMobile Router Counters:Agent Discovery:Solicitations sent 0, advertisements received 0Agent reboots detected 0Registrations:Register 0, Deregister 0 requests sentRegister 0, Deregister 0 replies receivedRequests accepted 0, denied 0 by HA 0 /FA 0Denied due to mismatched ID 0...Related Commands
show ip mobile router traffic
Displays the counters that the mobile router maintains.
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure command in EXEC mode.
clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
Examples
In the following example, the AAA server has the security association for user 10.2.0.1 after registration:
Router# show ip mobile secure host 10.2.0.1Security Associations (algorithm,mode,replay protection,key):10.2.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8If you change the security association stored on the AAA server for this mobile node, the router clears the security association and reloads it from the AAA server:
Router# clear ip mobile secure host 10.2.0.1 loadRouter# show ip mobile secure host 10.2.0.110.2.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `newkey' 1230552d39b7c1751f86bae5205ec0c8Related Commands
ip mobile secure
Specifies the mobility security associations for mobile host, visitor, home agent, and foreign agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic command in EXEC mode.
clear ip mobile traffic [undo]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (which is useful for debugging). See the show ip mobile traffic command for a description of all counters.
Examples
The following example shows how counters can be used for debugging:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 8, Deregister 0 requestsRegister 7, Deregister 0 repliedAccepted 6, No simultaneous bindings 0Denied 1, Ignored 1Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 1, Bad request form 0..Router# clear ip mobile trafficRouter# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Related Commands
clear ip mobile visitor
To remove visitor information, use the clear ip mobile visitor command in EXEC mode.
clear ip mobile visitor [ip-address | nai string [ip-address]]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
The foreign agent creates a visitor entry for each accepted visitor. The visitor entry allows the mobile node to receive packets while in a visited network. Associated with the visitor entry is the ARP entry for the visitor. There should be no need to clear the entry because it expires after lifetime is reached or when the mobile node deregisters.
When a visitor entry is removed, the number of users on the tunnel is decremented and the ARP entry is removed from the ARP cache. The visitor is not notified.
Use this command with care because it may terminate any sessions used by the mobile node. After using this command, the visitor will need to reregister to continue roaming.
Examples
The following example administratively stops visitor 172.21.58.16 from visiting:
Router# clear ip mobile visitor 172.21.58.16Related Commands
show ip mobile visitor
Displays the table containing the visitor list of the foreign agent.
collocated single-tunnel
To configure the number of tunnels between the mobile router and home agent when registering with a collocated care-of address (CCoA), use the collocated single-tunnel command in mobile router configuration mode.
collocated single-tunnel
Syntax Description
This command has no arguments or keywords.
Defaults
Defaults to single-tunnel enabled.
Command Modes
Mobile router
Command History
Usage Guidelines
This command is used as a "placeholder" only and defaults to single-tunnel enabled. This command can not be unconfigured. In future Cisco IOS releases, a dual-tunnel capability will be needed for IPSec between the mobile router and the home agent. At that time, this command will be optional with dual tunnels (no collocated single-tunnel) being the default. This command is provided now for backward compatibility when the dual-tunnel capablity is implemented.
description (mobile networks)
To add a description to a mobile router configuration, use the description command in mobile networks configuration mode. To remove the description, use the no form of this command.
description string
no description
Syntax Description
Defaults
No default behavior or values.
Command Modes
Mobile networks configuration
Command History
Usage Guidelines
The description command is meant solely as a comment to be put in the configuration to help you remember information about the configured mobile router or its mobile networks.
Examples
The following example shows how to add a description for the mobile router:
ip mobile mobile-networks 10.2.0.1description mobileunitnetwork 172.6.1.0 255.255.255.0network 172.6.2.0 255.255.255.0Related Commands
show ip mobile mobile-networks
Displays a list of mobile networks associated with the mobile router.
home-agent
To specify the home agent that the mobile router uses during registration, use the home-agent command in mobile router configuration mode. To disable the home agent, use the no form of this command.
home-agent ip-address [priority level]
no home-agent ip-address [priority level]
Syntax Description
Defaults
The default priority level is 100.
Command Modes
Mobile router configuration
Command History
Usage Guidelines
The home-agent command specifies which home agent the mobile router uses for registration and to detect when it is home. The priority level determines which home agent address to register with, although all addresses are on the same home agent. The mobile router registers with the home agent with the highest priority level.
The home agent address list is used to detect when the mobile router is home. The mobile router knows that it is at home when the source of the agent advertisements is an IP source address that exists on the home agent address list.
Examples
The following example shows that the mobile router will use the home agent address 1.1.1.1 during registration and will detect when it is at home after receiving agent advertisements from either address 1.1.1.1 or 2.2.2.2:
router mobileip mobile routeraddress 10.1.0.1 255.255.0.0home-agent 1.1.1.1 priority 101home-agent 2.2.2.2 priority 100Related Commands
show ip mobile router
Displays configuration information and monitoring statistics about the mobile router.
ip mobile foreign-agent
To enable foreign agent service, use the ip mobile foreign-agent command in global configuration mode. To disable this service, use the no form of this command.
ip mobile foreign-agent {care-of interface [interface-only] [transmit-only]] | reg-wait seconds | reverse-tunnel private-address}
no ip mobile foreign-agent {care-of interface [interface-only] [transmit-only]] | reg-wait | reverse-tunnel private-address}
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2(13)T
The interface-only, transmit-only, and reverse-tunnel private-address keywords were added.
Usage Guidelines
This command enables foreign agent service when at least one care-of address is configured. When no care-of address exists, foreign agent service is disabled.
The foreign agent is responsible for relaying the registration request to the home agent, setting up a tunnel to the home agent, and forwarding packets to the mobile node. The show commands used to display relevant information are shown in parentheses in the following paragraph.
When a registration request comes in, the foreign agent will ignore requests when foreign agent service is not enabled on an interface or when no care-of address is advertised. If a security association exists for a visiting mobile node, the visitor is authenticated. The registration bitflag is handled as described in Table 1 . The foreign agent checks the validity of the request. If successful, the foreign agent relays the request to the home agent, appending an FH authentication extension if a security association for the home agent exists. The pending registration timer of 15 seconds is started (show ip mobile visitor pending command). At most, five outstanding pending requests per mobile node are allowed. If a validity check fails, the foreign agent sends a reply with error code to the mobile node (reply codes are listed in Table 2). A security violation is logged when visiting mobile node authentication fails (show ip mobile violation command).
When a registration reply comes in, the home agent is authenticated (show ip mobile secure home-agent command) if a security association exists for the home agent (IP source address or home agent address in reply). The reply is relayed to the mobile node.
When registration is accepted, the foreign agent creates or updates the visitor table, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the interface (of the incoming request) is added to the routing table (show ip route mobile command), and an ARP entry is added to avoid the sendingof ARP requests for the visiting mobile node. Visitor binding is removed (along with its associated host route, tunnel, and ARP entry) when the registration lifetime expires or deregistration is accepted.
When registration is denied, the foreign agent will remove the request from the pending registration table. The table and timers of the visitor will be unaffected.
When a packet destined for the mobile node arrives on the foreign agent, the foreign agent will deencapsulates the packet and forwards it out its interface to the visiting mobile node, without sending ARP requests.
The care-of address must be advertised by the foreign agent. This adddress is used by the mobile node to register with the home agent. The foreign agent and home agent use this address as the source and destination point of tunnel, respectively. The foreign agent is not enabled until at least one care-of address is available. The foreign agent will advertise on interfaces configured with the ip mobile foreign-service command.
Only care-of addresses with interfaces that are up are considered available.
The interface-only and transmit-only keywords are used in an aysmmetric link environment, such as satellite communications, where separate uplinks and downlinks exist. The ip mobile foreign-agent care-of interface interface-only command enables the interface to advertise only its own address as the care-of address. All other care-of addresses are not advertised. Other foreign agent interfaces configured for foreign-service will not advertise interface-only care-of addresses. The ip mobile foreign-agent care-of interface transmit-only command informs Mobile IP that the interface acts as an uplink. Registration requests and replies received for this care-of address are treated as transmit-only. This interface will not hear any solicitations. Any care-of address can be configured with the interface-only keyword, but only serial interfaces can be configured with the transmit-only keyword.
Use the reverse-tunnel private-address keywords to force a mobile node with a private address to register with reverse tunnel. Private addresses are IP addresses in the following ranges:
•
•
•
Table 1 lists mobile node registration request service bitflags.
Table 2 lists foreign agent reply codes.
Examples
The following example enables foreign agent service on Ethernet interface 1, advertising 10.0.0.1 as the care-of address:
ip mobile foreign-agent care-of Ethernet0interface Ethernet0ip address 10.0.0.1 255.0.0.0interface Ethernet1ip mobile foreign-serviceThe following example enables foreign agent service on serial interface 4, advertising 10.0.0.2 as the only care-of address. The uplink interface is configured as a transmit-only interface.
ip mobile foreign-agent care-of Serial4 interface-only transmit-onlyinterface Serial4! Uplink interfaceip address 10.0.0.2 255.255.255.0ip irdp!ip mobile foreign-service!Related Commands
ip mobile foreign-service
To enable foreign agent service on if care-of addresses are configured, use the ip mobile foreign-service command in interface or global configuration mode. To disable this service, use the no form of this command.
ip mobile foreign-service [challenge [forward-mfce] [timeout value] [window number] | [home-access access-list] [limit number] [registration-required] [reverse-tunnel [mandatory]]
no ip mobile foreign-service [challenge [forward-mfce] [timeout value] [window number] | [home-access access-list | limit number | registration-required | reverse-tunnel]
Syntax Description
Defaults
Foreign agent service is not enabled.
There is no limit to the number of visitors allowed on an interface.
window number: 2
Foreign agent reverse tunneling is not enabled. When foreign agent reverse tunneling is enabled, it is not mandatory by default.Command Modes
Interface configuration
Command History
Usage Guidelines
This command enables foreign agent service on the interface. The foreign agent (F) bit will be set in the agent advertisement, which is appended to the IRDP router advertisement whenever the foreign agent or home agent service is enabled on the interface.
Note
When you use the reverse-tunnel keyword to enable foreign agent reverse tunneling on an interface, the reverse tunneling support (T) bit is set in the agent advertisement.
Cisco Express Forwarding (CEF) switching is currently not supported on a foreign agent when reverse tunneling is enabled. If reverse tunneling is enabled at the foreign agent, disable CEF on the foreign agent, using the no ip cef global configuration command. If the foreign agent does not support reverse tunneling, then there is no need to disable CEF at the global configuration level.
Table 3 lists the advertised bitflags.
Examples
The following example shows how to enable foreign agent service for up to 100 visitors:
interface Ethernet 0ip mobile foreign-service limit 100 registration-requiredThe following example shows how to enable foreign agent reverse tunneling:
interface ethernet 0ip mobile foreign-service reverse-tunnelThe following example shows how to configure foreign agent challenge parameters:
interface ethernet 0ip mobile foreign-service challenge window 2Related Commands
ip mobile home-agent
To enable and control home agent services on the router, use the ip mobile home-agent command in global configuration mode. To disable these services, use the no form of this command.
ip mobile home-agent [address ip-address] [broadcast] [care-of-access access-list] [lifetime number] [nat-detect] [replay seconds] [reverse-tunnel {off | private-address}] [roam-access access-list] [strip-realm] [suppress-unreachable]
no ip mobile home-agent [address ip-address] [broadcast] [care-of-access access-list] [lifetime number] [nat-detect] [replay seconds] [reverse-tunnel {off | private-address}] [roam-access access-list] [strip-realm] [suppress-unreachable]
Syntax Description
Defaults
Command is disabled. Broadcasting is disabled by default. Reverse tunnel support is enabled by default. ICMP Unreachable messages are sent by default. NAT detection is disabled by default.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The strip-realm keyword was added.
12.2(13)T
The nat-detect keyword was added.
Usage Guidelines
This command enables and controls home agent services on the router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered mobile nodes are unaffected. Tunnels are shared by mobile nodes registered with the same endpoints, so the reverse-tunnel off keywords also affect registered mobile nodes.
The home agent is responsible for processing registration requests from the mobile node and setting up tunnels and routes to the care-of address. Packets to the mobile node are forwarded to the visited network.
The home agent will forward broadcast packets to mobile nodes if they registered with the service. However, heavy broadcast traffic utilizes the CPU of the router. The home agent can control where the mobile nodes roam by the care-of-access parameter, and which mobile node is allowed to roam by the roam-access parameter.
When a registration request comes in, the home agent will ignore requests when home agent service is not enabled or the security association of the mobile node is not configured. The latter condition occurs because the security association must be available for the MH authentication extension in the reply. If a security association exists for the foreign agent (IP source address or care-of address in the request), the foreign agent is authenticated, and then the mobile node is authenticated. The Identification field is verified to protect against replay attack. The home agent checks the validity of the request (see Table 4) and sends a reply. (Reply codes are listed in Table 5.) A security violation is logged when foreign agent authentication, MH authentication, or Identification verification fails. (The violation reasons are listed in Table 6.)
After registration is accepted, the home agent creates or updates the mobility binding of the mobile node, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no mobile nodes are using it), and gratuitous ARPs are sent out if the mobile node is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the home agent uses the entire NAI string as username for authentication (which may be with local security association or retrieved from the AAA server). The strip-nai-realm parameter instructs the home agent to strip off the realm part of NAI (if it exists) before performing authentication. Basically, the mobile node is identified by only the user name part of the NAI. This option is useful if the majority of mobile nodes belong to the same realm, for example, in the case of enterprise networks.
When the packet destined for the mobile node arrives on the home agent, the home agent encapsulates the packet and tunnels it to the care-of address. If the don't Fragment (DF) bit is set in the packet via the ip mobile tunnel path-mtu-discovery global configuration command, the home agent will copy the DF bit from the original packet to th e new tunnel IP header. This allows the Path MTU Discovery to set the MTU of the tunnel. Subsequent packets greater than the MTU of the tunnel will be dropped and an ICMP datagram too big message sent to the source (correspondent node). If the home agent loses the route to the tunnel endpoint, the host route to the mobile node will be removed from the routing table until the tunnel route is available. Packets destined for the mobile node without a host route will be sent out the interface (home network) or to the virtual network (see the description of the suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the home agent will send a copy to all mobile nodes registered with the broadcast routing option.
Some companies block ICMP datagram too big messages. If the message does not reach the original correspondent node sending the packet, the correspondent node will simply resend the same size packet. To work around this problem, turn off Path MTU Discovery with the no ip mobile tunnel path-mtu-discovery command. Now the DF bit is not copied from the original packet and the tunnel packet can be fragmented.
The ip mobile home-agent nat-detect option is supported for mobile nodes using a colocated care-of address only. Mobile nodes using a foreign agent care-of address behind a NAT gateway cannot be detected by the home agent. The mobile node will use the NAT inside address as the colocated care-of address used in its registration requests.
The mobile node requests services from the home agent by setting bits in the registration request. Table 4 shows the services the mobile node can request.
Table 5 lists the home agent registration reply codes. The codes tell the mobile node whether the registration was accepted or denied. If registration is denied, the reply code gives the reason.
Table 6 lists security violation codes.
Table 6 Security Violation Codes
1
No mobility security association.
2
Bad authenticator.
3
Bad identifier.
4
Bad SPI.
5
Missing security extension.
6
Other.
7
Stale request.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent broadcast lifetime 7200Related Commands
ip mobile home-agent aaa user-password
To configure an authentication password for the downloading of security associations from a AAA server, use the ip mobile home-agent aaa user-password command in global configuration mode. To remove the password requirement, use the no form of this command.
ip mobile home-agent aaa user-password {0 password | 7 encrypted-password | password}
no ip mobile home-agent aaa user-password
Syntax Description
Defaults
The default password is cisco.
Command Modes
Global configuration
Command History
Usage Guidelines
When a mobile node sends a registration request packet to the home agent, Mobile IP requires a security association for registration authentication. Security associations for a mobile node can be configured on the home agent or retrieved by the home agent from a AAA server.
If security associations are retrieved from a AAA server, the AAA access-request packets used to retrieve the security associations require a challenge and response. If the registration request of the mobile node does not contain a challenge and response, the home agent auto-generates a challenge and creates a response using the default password "cisco" unless you specify a different password using the ip mobile home-agent aaa user-password command. In either case, a single password is used for all mobile nodes.
The AAA server will read the challenge in the access-request packet of the mobile node, and using the password of the mobile node that is stored on the AAA server, create the response to the challenge. It then authenticates the mobile node, identified by its IP address (or network access identifier), by comparing the two responses to ensure they are identical. For this reason, the password configured by the ip mobile home-agent aaa user-password command must match the user password in the user profile on the AAA server.
Mobile nodes that include a challenge and response in their registration request, such as in the case of dynamic security association and key distribution, do not use the defined password. Instead, the home agent copies the challenge/response from the registration request into the AAA access-request packet. Thus, a mobile node in this scenario can have a "unique" password.
You can enable or disable password encryption with the service password-encryption command. If this command is enabled, even if the ip mobile home-agent aaa user-password 0 password is used, the password will be encrypted.
Examples
The following example enables the encrypted password "$1$i5Rkls3L0yxzS8t9" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password 7 $1$i5Rkls3L0yxzS8t9The following example enables the unencrypted password "pswd2" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password 0 pwsd2The following example enables the unencrypted password "pswdmobile" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password pswdmobileRelated Commands
ip mobile home-agent accounting
To enable home agent accounting services on the router, use the ip mobile home-agent accounting command in global configuration mode. To disable these services, use the no form of this command.
ip mobile home-agent accounting {default | list-name}
no ip mobile home-agent accounting {default | list-name}
Syntax Description
Defaults
The command is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls home agent accounting services on the router. First, use the aaa accounting global configuration command to define the accounting method list. Next, apply the same accounting method list on the home agent using the ip mobile home-agent accounting global configuration command.
Examples
The following example enables home agent accounting for the list named mobile-list:
ip mobile home-agent accounting mobile-listRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
ip mobile home-agent redundancy
To configure the home agent for redundancy by using the Hot Standby Router Protocol (HSRP) group name, use the ip mobile home-agent redundancy command in global configuration mode. To remove the address, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address]
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address]
Syntax Description
hsrp-group-name
Specifies the HSRP group name.
virtual-network
(Optional) Specifies that the HSRP group is used to support virtual networks.
address address
(Optional) Home agent address.
Defaults
No global home agent addresses are specified.
Command Modes
Global configuration
Command History
12.0(2)T
This command was introduced.
12.2(8)T
The command changed from ip mobile home-agent standby to ip mobile home-agent redundancy.
Usage Guidelines
The virtual-network keyword specifies that the HSRP group supports virtual networks.
Note
When Mobile IP standby is configured, the home agent can request mobility bindings from the peer home agent. When Mobile IP standby is deconfigured, the home agent can remove mobility bindings. Operation of home agent redundancy on physical and virtual networks is described as follows:
•
•
Examples
The following example specifies an HSRP group named SanJoseHA:
ip mobile home-agent redundancy SanJoseHARelated Commands
ip mobile home-agent reject-static-addr
To configure the home agent to reject registration requests from mobile nodes under certain conditions, use the ip mobile home-agent reject-static-addr command in global configuration mode. To disable this service, use the no form of this command.
ip mobile home-agent reject-static-addr
no ip mobile home-agent reject-static-addr
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
12.2(8)BY
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
By default, the home agent gives an alternative authorized address for a mobile node if the home address in the registration request is already in use. If the ip mobile home-agent reject-static-addr command is configured, the home agent rejects the registration request with error code 130 (insufficient resources).
Examples
In the following example, the home agent will reject the registration request if the home address proposed in the registration request is in use:
ip mobile home-agent reject-static-addrip mobile home-agent resync-sa
To configure the home agent to clear out the old cached security associations and requery the AAA server for a new security association when the mobile node fails authentication, use the ip mobile home-agent resync-sa command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile home-agent resync-sa seconds
no ip mobile home-agent resync-sa seconds
Syntax Description
Defaults
This command is off by default. The normal behavior of the home agent is to never requery the AAA server for a new security association.
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable security association caching for the ip mobile home-agent resync-sa command to work. Use the ip mobile host aaa load-sa global configuration command to enable caching of security associations retrieved from a AAA server.
When a security association is downloaded for a mobile node from a AAA server, the security association is time stamped. If the mobile node fails reregistration and the time interval since the security association was cached is greater than sec seconds, the home agent will clear out the old security association and requery the AAA server. If the time period is less than the sec value, the home agent will not requery the AAA server for the security association of the mobile node.
The sec value represents the number of seconds the home agent will consider the downloaded security association synchronized with the AAA server. After that time period, it is considered old and can be replaced by a new security association from the AAA server.
This time-based resynchronization process helps prevent denial-of-service attacks on the AAA server and provides a way to synchronize the home agent's cached security association entry when a change to the security association for the mobile node is made at the AAA server and on the mobile node. By using this process, once the mobile node fails reregistration with the old cached security association, the home agent will clear the cache for that mobile node, and resynchronize with the AAA server.
Examples
In the following example, if a registration fails authentication, the home agent retrieves a new security association from the AAA server if the existing security association was downloaded more than 10 seconds ago:
ip mobile home-agent resync-sa 10Related Commands
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host command in global configuration mode. To disable these services, use the no form of this command.
ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [care-of-access access-list] [lifetime number]
no ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [care-of-access access-list] [lifetime number]
Syntax Description
lower [upper]
One or a range of mobile host or mobile node group IP addresses. The upper end of the range is optional.
nai string
Network access identifier. The NAI can be a unique identifier (username@realm) or a group identifier (@realm).
static-address
(Optional) Indicates that a static IP address is to be assigned to the flows on this NAI. This parameter is not valid if the NAI is a realm.
addr1, addr2, ...
(Optional) One to a maximum of five IP addresses to be assigned using the static-address keyword.
local-pool name
(Optional) Name of the local pool of addresses to use for assigning a static IP address to this NAI.
address
(Optional) Indicates that a dynamic IP address is to be assigned to the flows on this NAI.
addr
(Optional) IP address to be assigned using the address keyword.
pool
(Optional) Indicates that a pool of addresses is to be used in assigning a dynamic IP address.
local name
(Optional) The name of the local pool to use in assigning addresses.
dhcp-proxy-client
(Optional) Indicates that the DHCP request should be sent to a DHCP server on behalf of the mobile node.
dhcp-server addr
(Optional) IP address of the DHCP server.
interface name
When used with DHCP, specifies the gateway address from which the DHCP server should select the address.
virtual-network network-address mask
Indicates that the mobile station resides in the specified virtual network, which was created using the ip mobile virtual-network command.
aaa
(Optional) Retrieves security associations from a AAA (TACACS+ or RADIUS) server. Allows the home agent to download address configuration details from the AAA server.
load-sa
(Optional) Caches security associations after retrieval by loading the security association into RAM. See Table 8 for details on how security associations are cached for NAI hosts and non-NAI hosts.
permanent
(Optional) Caches security associations in memory after retrieval permanently. Only use this optional keyword for NAI hosts.
care-of-access access-list
(Optional) Access list. This can be a named access list or standard access list with numbers from 1 to 99. Controls where mobile nodes roam—the acceptable care-of addresses.
lifetime number
(Optional) Lifetime (in seconds). The lifetime for each mobile node (group) can be set to override the global value. Possible values are from 3 to 65535 (infinite).
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the home agent. These mobile nodes belong to the network on an interface or a virtual network (via the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from an AAA server.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 7 are based on the assumption of one security association per mobile node. Caching behavior of security associations differ between NAI and non-NAI hosts as described in Table 8.
The nai keyword allows you to specify a particular mobile node or range of mobile nodes. The mobile node can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool; the requested address must be in the pool). Or, the mobile node can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server).
The address pool can be defined by a local pool or using a DHCP proxy client. For DHCP, the interface name keyword and argument combination specifies the gateway address from which the DHCP server should select the address and the dhcp-server keyword specifies the DHCP server address. The NAI is sent in the client-id option of the DHCP packet and can be used to provide dynamic DNS services.
You can also use this command to configure the static IP address or address pool for multiple flows with the same NAI. A flow is a set of {NAI, IP address}.
Security associations can be stored using one of three methods:
•
•
•
Each method has advantages and disadvantages, which are described in Table 7.
The caching behavior of security associations for NAI hosts and non-NAI hosts is described in Table 8.
Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and retrieve mobile node security associations from a AAA server every time the mobile node registers:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a mobile node group to reside on virtual network 10.99.1.0 and retrieve and cache mobile node security associations from a AAA server. The cached security association is then used for subsequent registrations.
ip mobile host 10.99.1.1 10.99.1.100 virtual-network 10.99.1.0 aaa load-saThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 180The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached as long as the binding is present and are deleted on the home agent when the binding is removed (due to manual clearing of the binding or lifetime expiration).
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 10.2.0.0 255.255.0.0 aaa load-sa lifetime 180The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com static-address local-pool mobilenodesThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached permanently until cleared manually.
ip mobile host nai @cisco.com address pool local mobilenodes virtual network 10.2.0.0 255.255.0.0 aaa load-sa permanent lifetime 180The following example configures the DHCP proxy client to use a DHCP server located at 10.1.2.3 to allocate a dynamic home address:
ip mobile host nai @dhcppool.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0Related Commands
ip mobile mobile-networks
To associate one or more networks with a mobile router configured as a mobile host and enter mobile networks configuration mode, use the ip mobile mobile-networks command in global configuration mode. To disassociate the networks from the mobile router, use the no form of this command.
ip mobile mobile-networks lower [upper]
no ip mobile mobile-networks lower [upper]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
12.2(4)T
This command was introduced.
12.2(13)T
The upper argument was added to allow a range of mobile host or mobile node group addresses.
Usage Guidelines
The home agent supports mobile routers configured with the mobile networks that are roaming with the mobile routers.
The lower [upper] arguments associate the mobile networks with the IP address of the mobile router, which was configured using the ip mobile host command. You can use the upper range only with dynamic mobile network registration. Static mobile network configurations are not permitted for a range of hosts.
You can configure the home agent to dynamically learn of the mobile networks during registration as shown in the following example:
ip mobile host 10.0.0.1 10.0.0.10 virtual-networks 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.0.0.1 10.0.0.10!dynamic registrationregisterYou can configure the home agent to learn of the mobile networks through static configuration as shown in the following example:
ip mobile host 10.0.0.1 virtual-networks 10.0.0.0 255.0.0.0ip mobile host 10.0.0.2 virtual-networks 10.0.0.0 255.0.0.0!ip mobile mobile-networks 10.0.0.1!static configurationnetwork 172.16.1.0 255.255.255.0ip mobile mobile-networks 10.0.0.2!static configurationnetwork 172.16.2.0 255.255.255.0You cannot configure the range as shown in the following static configuration:
!static configuration not permitted for range of hostsip mobile mobile-networks 10.0.0.1 10.0.0.10network 172.16.2.0The mobile router configuration is allowed only for one mobile router or an entire range of mobile routers in the mobile host group, exclusively. You cannot configure a partial range of mobile routers as shown in the following example:
ip mobile host 10.0.0.1 10.0.0.10 virtual-network 10.0.0.0 255.0.0.0!Partial range shown below is prohibitedip mobile mobile-networks 10.0.0.1 10.0.0.3registerYou cannot combine full ranges and partial ranges of IP addresses in a configuration as shown in the following example:
ip mobile host 10.0.0.1 10.0.0.10 virtual-network 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.0.0.1 10.0.0.10registerip mobile mobile-networks 10.0.0.2network 172.16.2.0 255.255.255.0Examples
The following example configures the mobile host, which is a mobile router at 10.1.1.10, and associates it with the mobile networks that it is supporting:
ip mobile host 10.1.1.10 virtual-network 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.1.1.10network 172.6.2.0 255.255.255.0ip mobile secure host 10.1.1.10 spi 100 key hex 12345678123456781234567812345678The following example shows the mobile router configured for both static and dynamic mobile networks:
ip mobile host 10.1.1.10 virtual-network 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.1.1.10network 172.16.1.0 255.255.255.0registerRelated Commands
ip mobile prefix-length
To append the prefix-length extension to the advertisement, use the ip mobile prefix-length command in interface configuration mode. To restore the default, use the no form of this command.
ip mobile prefix-length
no ip mobile prefix-length
Syntax Description
This command has no arguments or keywords.
Defaults
The prefix-length extension is not appended.
Command Modes
Interface configuration
Command History
Usage Guidelines
The prefix-length extension is used for movement detection. When a mobile node registered with one foreign agent receives an agent advertisement from another foreign agent, the mobile node uses the prefix-length extension to determine whether the advertisements arrived on the same network. The mobile node needs to register with the second foreign agent if it is on a different network. If the second foreign agent is on the same network, reregistration is not necessary.
Examples
The following example appends the prefix-length extension to agent advertisements sent by a foreign agent:
ip mobile prefix-lengthRelated Commands
show ip mobile interface
Displays advertisement information for interfaces that are providing foreign agent service or are home links for mobile nodes.
ip mobile registration-lifetime
To set the registration lifetime value advertised, use the ip mobile registration-lifetime command in interface configuration mode.
ip mobile registration-lifetime seconds
Syntax Description
Defaults
36000 seconds
Command Modes
Interface configuration
Command History
Usage Guidelines
This command allows an administrator to control the advertised lifetime on the interface. The foreign agent uses this command to control duration of registration. Visitors requesting longer lifetimes will be denied.
Examples
The following example sets the registration lifetime to 10 minutes on interface Ethernet 1 and 1 hour on interface Ethernet 2:
interface e1ip mobile registration-lifetime 600interface e2ip mobile registration-lifetime 3600Related Commands
show ip mobile interface
Displays advertisement information for interfaces that are providing foreign agent service or are home links for mobile nodes.
ip mobile router
To enable the mobile router and enter mobile router configuration mode, use the ip mobile router command in global configuration mode. To disable the mobile router, use the no form of this command.
ip mobile router
no ip mobile router
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The mobile router is a router that operates as a mobile node. The mobile router can roam from its home network and still provide connectivity for devices on its networks. The mobile networks are locally attached to the router.
Examples
The following example enables the mobile router:
ip mobile routerRelated Commands
show ip mobile router
Displays configuration information and monitoring statistics about the mobile router.
ip mobile router-service
To enable mobile router service on an interface, use the ip mobile router-service command in interface configuration mode. To disable this service, use the no form of this command.
ip mobile router-service {hold-down seconds | roam [priority value] | solicit [interval seconds] [retransmit initial minimum-seconds maximum seconds retry number]}
no ip mobile router-service {hold-down seconds | roam [priority value] | solicit [interval seconds] [retransmit initial minimum-seconds maximum seconds retry number]}
Syntax Description
Defaults
Mobile router service is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The mobile router discovers home agents (HAs) and foreign agents (FAs) by receiving agent advertisements.
When a wireless link connected to an interface is lossy, the mobile router must not register with the FA even when heard on a preferred interface. The ip mobile router-service hold-down seconds command allows communications to continue with mobile networks while the mobile router gauges the quality of the link to the new FA.
The ip mobile router-service solicit command instructs the mobile router to send agent solicitation messages periodically. Some networks send out agent advertisements only periodically or when solicited. For networks on which agents do not advertise periodically, this function must be enabled to detect agents. The mobile router always sends solicitation messages when roaming interfaces come up.
Note
If a mobile router interface is configured for solicitations, you should set both ip irdp maxadvertinterval seconds and ip irdp holdtime seconds to 0 seconds on the FA. These settings ensure that the FA will not send out any ICMP Router Discovery Protocol (IRDP) advertisements unless solicited. If a FA or HA is sending IRDP advertisements periodically, then a solicitation will trigger the agent to send an advertisement immediately instead of at the next-time interval.
Use the show ip mobile router agent command to display agents learned from advertisements. Use the show ip mobile router interface command to display the configuration of the interfaces used for roaming.
Examples
The following example configures roaming interfaces, solicitation services, and hold-down timers on serial interface 0 and roaming interfaces and hold-down timers on Ethernet interface 0 of the mobile router:
interface serial0ip mobile router-service roam! Serial interface 0 solicits every 5 seconds.ip mobile router-service solicit interval 5ip mobile router-service hold-down 20interface ethernet0ip mobile router-service roam priority 101ip mobile router-service hold-down 20In this example, the mobile router has two interfaces. The serial interface is connected to a serial interface of a FA and the Ethernet interface is connected to an Ethernet interface of a FA. If the mobile router does not receive any agent advertisements on the Ethernet interface, it will use the serial interface to solicit FAs.
If the Ethernet interface hears a new FA advertisement after the mobile router has already registered using the serial interface, it will wait the duration of the hold-down timer (20 seconds) before registering with the FA on the Ethernet interface.
The ip mobile router-service hold-down seconds command allows communications to continue with mobile networks while the mobile router gauges the quality of the link to the new FA. The Ethernet interface is configured with a higher priority so the mobile router prefers to register with this interface. Once it receives an agent advertisement on the Ethernet interface, it will use the Ethernet interface to register to its HA.
Related Commands
ip mobile router-service collocated
To enable static collocated care-of address (CCoA) processing on a mobile router interface, use the ip mobile router-service collocated command in interface configuration mode. To disable static CCoA processing, use the no form of this command.
ip mobile router-service collocated [gateway ip-address]
no ip mobile router-service collocated
Syntax Description
gateway ip-address
(Optional) Next hop IP address for the mobile router to forward packets. The gateway ip-address combination is required only for Ethernet interfaces.
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
Usage Guidelines
The primary IP address of the interface is used as the CCoA. The interface must already be configured as a roaming interface using the ip mobile router-service roam interface configuration command.
The gateway IP address is the next-hop IP address for registration packets. Upon successful registration, this address will be used as the default gateway and default route.
You need not specify the gateway ip-address combination if using a serial interface. The gateway ip-address combination is required on all non point-to-point interfaces such as Ethernet LANs and must be on the same logical subnet as the primary interface IP address.
Examples
The following example enables static CCoA processing on a mobile router interface:
interface FastEthernet0/0! Primary IP address is the CCoAip address 172.21.58.23 255.255.255.0ip mobile router-service roam! Gateway IP address is next-hop destinationip mobile router-service collocated gateway 172.21.58.1Related Commands
ip mobile router-service collocated registration retry
To configure the time period that the mobile router waits before sending another registration request after a registration failure, use the ip mobile router-service collocated registration retry command in interface configuration mode. To disable this functionality, use the no form of this command.
ip mobile router-service collocated registration retry seconds
no ip mobile router-service collocated registration retry
Syntax Description
Defaults
60 seconds
Command Modes
Interface configuration.
Command History
Usage Guidelines
An interface configured for static collocated care-of address (CCoA) will not have foreign agent advertisements to use to trigger new registration attempts. Any foreign agent advertisements detected on that interface are ignored.
The default retry value is 60 seconds. You need to use this command only when a different retry interval is desired.
Examples
The following example shows that the mobile router will wait 30 seconds before sending another registration request after a registration failure:
interface FastEthernet0/0! Primary IP address is the CCoAip address 172.21.58.23 255.255.255.0ip mobile router-service roamip mobile router-service collocated gateway 172.21.58.1ip mobile router-service collocated registration retry 30Related Commands
ip mobile router-service collocated
Enables static CCoA processing on a mobile router interface.
ip mobile secure aaa-download
To specify that authentication, authorization, and accounting (AAA) mobility security associations (SAs) are downloaded from the AAA server and at what rate the information is downloaded, use the ip mobile secure aaa-download command in global configuration mode. To delete the AAA download rate, use the no form of this command.
ip mobile secure aaa-download rate seconds
no ip mobile secure aaa-download rate seconds
Syntax Description
rate
Rate at which the AAA SA is downloaded.
•
Defaults
No AAA SAs are downloaded.
Command Modes
Global configuration
Command History
Usage Guidelines
SAs are downloaded from a AAA server on the first use. This command allows the home agent (HA) to prepopulate an SA table.
Examples
The following example shows a download rate of 35 seconds:
ip mobile secure aaa-download rate 35Related Commands
ip mobile secure foreign-agent
To specify the mobility security associations (SAs) for a foreign agent (FA), use the ip mobile secure foreign-agent command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure foreign-agent lower-address [upper-address] {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp within seconds] [algorithm {hmac-md5 | md5 mode prefix-suffix}]
no ip mobile secure foreign-agent lower-address [upper-address] {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}}
Syntax Description
Defaults
No SA is specified for FAs.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
12.2(13)T
The hmac-md5 keyword was added.
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
On a FA, the SA of the visiting mobile host and the SA of the home agent (HA) are optional. Multiple SAs for each entity can be configured.
The SA of a visiting mobile host on the MFAE and the SA of the HA on the FHAE are optional on the FA as long as they are not specified on the other entity. Multiple SAs for each entity can be configured.
Note
Examples
The following example shows the configuration of an FA with an IP address of 209.165.200/254:
ip mobile secure foreign-agent 209.165.200/254 inbound-spi 203 outbound-spi 150 key hex ffffffffRelated Commands
ip mobile secure home-agent
To specify the mobility security associations (SAs) for a home agent (HA), use the ip mobile secure home-agent command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure home-agent lower-address [upper-address] {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp within seconds] [algorithm {hmac-md5 | md5 mode prefix-suffix}] [ignore-spi]
np ip mobile secure home-agent lower-address [upper-address] {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}}
Syntax Description
Defaults
No SA is specified for HAs.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
12.2(13)T
The hmac-md5 keyword was added.
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The HA may have multiple SAs for each peer. The SPI specifies which SA to use for the peer and selects the specific security parameters to be used to authenticate the peer.
On an HA, the SA of the mobile host is mandatory for mobile host authentication and allows the HA to compute the MHAE for mobile host authentication. If desired, configure a foreign agent (FA) SA on your HA.
The mobile IP protocol automatically synchronizes the time stamp used by the mobile node (MN) in its registration requests. If the MN registration request time stamp is outside the HA permitted replay protection time interval, the HA will respond with the number of seconds by which the MN time stamp is off relative to the HA clock. This allows the MN to adjust its time stamp and use synchronized time stamps in subsequent registration attempts.
If you prefer that the MN first registration attempt always fall within the HA replay protection time interval, use Network Time Protocol (NTP) to synchronize the MN and HA.
Note
Examples
The following example shows the configuration of an SA for an HA with an IP address of 10.0.0.4:
ip mobile secure home-agent 10.0.0.4 spi 100 key hex ffffffffRelated Commands
ip mobile secure host
To specify the mobility security associations (SAs) for a mobile host, use the ip mobile secure host command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure host {lower-address [upper-address] | nai nai-string} {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp within seconds] [algorithm {hmac-md5 | md5 mode prefix-suffix}]
no mobile secure host {lower-address [upper-address] | nai nai-string} {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}}
Syntax Description
Defaults
No SA is specified for mobile hosts.
Command Modes
Global configuration
Command History
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The SA of a visiting mobile host on the MFAE and the SA of the home agent (HA) on the FHAE are optional as long as they are not specified on the other entity. Multiple SAs for each entity can be configured.
The HMAC-MD5 authentication algorithm is mandatory for MHAE, MFAE, and FHAE.
Note
Examples
The following example shows the configuration of an SA for a host:
ip mobile secure host 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile secure mn-aaa
To specify non-standard security parameter index (SPI) values in the MN-AAA authentication extension that need to be accepted by the home agent or the foreign agent, use the ip mobile secure mn-aaa command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile secure mn-aaa spi {hex-value | decimal decimal-value} algorithm md5 mode ppp-chap-style
no ip mobile secure mn-aaa spi {hex-value | decimal decimal-value} algorithm md5 mode ppp-chap-style
Syntax Description
Defaults
The home agent or foreign agent only accept the standard SPI value in the MN-AAA authentication extension that specifes CHAP-style authentication using MD5. The standard value for the SPI is 2.
Command Modes
Global configuration
Command History
Usage Guidelines
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode.
A mobile node configured to be authenticated via an MN-AAA authentication extension is required to use an SPI value of 2 to indicate CHAP-style authentication using MD5 as specified by RFC 3012, Mobile IPv4 Challenge/Response Extensions.
Some network implementations need the flexibility to allow an SPI value other than 2 even though the mobile node is authenticated using CHAP. The ip mobile secure mn-aaa command maps new SPI values in the MN-AAA extension of the registration message to the SPI value pre-defined by RFC 3012. When a registration request arrives at the foreign agent or home agent with the MN-AAA extension containing an SPI value specified by the ip mobile secure mn-aaa command, the foreign agent or home agent will process it as if the value was 2 instead of rejecting the request.
Use this command with caution because it is non-standard behavior. For example, different vendors might use the same non-standard SPI to denote different authentication methods and this could affect interoperability. In general, Cisco recommends the use of standard SPI values to be used in the MN-AAA authentication extension by the mobile node.
Examples
In the following example, the foreign agent or home agent will process the registration request even though the CHAP SPI value is not 2:
ip mobile secure mn-aaa spi 1234 algorithm md5 mode ppp-chap-styleip mobile secure proxy-host
To specify the mobility security associations (SAs) for a proxy host, use the ip mobile secure proxy-host command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure proxy-host {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
no ip mobile secure proxy-host {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
Syntax Description
Defaults
No SA is specified for proxy hosts.
Command Modes
Global configuration
Command History
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The HMAC-MD5 authentication algorithm is mandatory for MHAE, MFAE, and FHAE.
Note
Note
Examples
The following example shows the configuration of an SA for a proxy host:
ip mobile secure proxy-host 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile secure visitor
To specify the mobility security associations (SAs) for a visitor, use the ip mobile secure visitor command in global configuration mode. To remove the mobility security associations, use the no form of this command.
ip mobile secure visitor {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
no ip mobile secure visitor {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
Syntax Description
Defaults
No SA is specified for visitors.
Command Modes
Global configuration
Command History
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The SA of a visiting mobile host on the MFAE and the SA of the home agent (HA) on the FHAE are optional as long as they are not specified on the other entity. Multiple SAs for each entity can be configured.
The Mobile IP protocol automatically synchronizes the time stamp used by the MN in its registration requests. If the MN registration request time stamp is outside the visitor permitted replay protection time interval, the visitor will respond with the number of seconds the MN time stamp is off relative to the visitor clock. This allows the MN to adjust its time stamp and use synchronized time stamps in subsequent registration attempts.
If you prefer that the MN first registration attempt always fall within the visitor replay protection time interval, use Network Time Protocol (NTP) to synchronize the MN and visitor.
The HMAC-MD5 authentication algorithm is mandatory for MHAE, MFAE, and FHAE.
Note
Examples
The following example shows the configuration of an SA for a visitor:
ip mobile secure visitor 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel command in global configuration mode. To disable the setting of tunnels created by Mobile IP, use the no form of this command.
ip mobile tunnel {route-cache [cef] | path-mtu-discovery [age-timer {minutes | infinite}] |
nat {inside | outside} | route-map map-tag}no ip mobile tunnel {route-cache [cef] | path-mtu-discovery [age-timer {minutes | infinite}] |
nat {inside | outside} | route-map map-tag}Syntax DescriptionI
Defaults
Disabled.
If enabled, default value for the minutes argument is 10 minutes.
Command Modes
Global configuration
Command History
Usage Guidelines
Path MTU Discovery is used by end stations to find a packet size that does not need fragmentation between them. Tunnels must adjust their MTU to the smallest MTU interior to achieve this condition, as described in RFC 2003.
The discovered tunnel MTU should be aged out periodically to possibly recover from a case where suboptimum MTU existed at time of discovery. It is reset to the outgoing MTU of the interface.
The no ip mobile tunnel route-cache command disables fast switching and CEF switching (if CEF is enabled) on Mobile IP tunnels. The no ip mobile tunnel route-cache cef command disables CEF switching only.
CEF switching is currently not supported on a foreign agent when reverse tunneling is enabled. If reverse tunneling is enabled at the foreign agent, disable CEF on the foreign agent using the no ip cef global configuration command. If the foreign agent does not support reverse tunneling, there is no need to disable CEF at the global configuration level.
Examples
The following example sets the discovered tunnel MTU to expire in 10 minutes (600 seconds):
ip mobile tunnel path-mtu-discovery age-timer 600Related Commands
ip cef
Enables CEF on the RP card.
show ip mobile tunnel
Displays active tunnels.
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network command in global configuration mode. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address address]
no ip mobile virtual-network net mask
Syntax Description
Defaults
No home agent addresses are specified.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.0(2)T
The address keyword and address argument were added.
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the home agent IP address is configured on the loopback interface for that virtual network:
interface ethernet 0ip address 1.0.0.1 255.0.0.0standby ip 1.0.0.10standby name SanJoseHAinterface loopback 0ip address 20.0.0.1 255.255.255.255ip mobile home-agentip mobile virtual-network 20.0.0.0 255.255.0.0 address 20.0.0.1ip mobile home-agent standby SanJoseHA virtual-networkip mobile secure home-agent 1.0.0.2 spi 100 hex 00112233445566778899001122334455Related Commands
ip mobile host
Configures the mobile host or mobile node group.
redistribute mobile
Redistributes routes from one routing domain into another routing domain.
ip mobile vpn-realm
To define the virtual private network (VPN) realms to be used in home agent policy routing, use the ip mobile vpn-realm command in global configuration mode. To remove the VPN realms, use the no form of this command.
ip mobile vpn-realm realm-name {route-map-sequence sequence-number}
no ip mobile vpn-realm realm-name {route-map-sequence sequence-number}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
The sequence-number argument must match that configured in the route-map sequence-number command.
Examples
The following example shows two realms configured on the router:
ip mobile vpn-realm company1.com route-map-sequence 20ip mobile vpn-realm company2.com route-map-sequence 10Related Commands
