Table Of Contents
clear ip mobile router registration
clear ip mobile router traffic
ip mobile authentication ignore-spi
ip mobile foreign-agent inject-mobile-networks
ip mobile foreign-agent nat traversal
ip mobile foreign-agent skip-aaa-reauthentication
ip mobile home-agent aaa user-password
ip mobile home-agent accounting
ip mobile home-agent nat traversal
ip mobile home-agent redundancy
ip mobile home-agent reject-static-address
ip mobile home-agent resync-sa
ip mobile registration-lifetime
ip mobile router-service collocated
ip mobile router-service collocated registration retry
ip mobile router-service tunnel mode
ip mobile secure foreign-agent
Mobile IP Commands
aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile command in global configuration mode. To remove authorization, use the no form of this command.
aaa authorization ipmobile {[radius | tacacs+] | default} [group server-groupname]
no aaa authorization ipmobile {[radius | tacacs+] | default} [group server-groupname]
Syntax Description
radius
Authorization list named radius.
tacacs+
Authorization list named tacacs+.
default
Default authorization list.
group server-groupname
(Optional) Name of the server group to use.
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on a AAA server. This command is not needed for the former; but in the latter case, this command authorizes Mobile IP to retrieve the security associations from the AAA server.
Once the authorization list is named, it can be used in other areas such as login. You can only use one named authorization list; multiple named authorization lists are not supported.
The aaa authorization ipmobile default group server-groupname command is the most commonly used method to retrieve security associations from the AAA server.
Note
The AAA server does not authenticate the user. It stores the security association that is retrieved by the router to authenticate registration.
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-modelaaa authorization ipmobile tacacs+tacacs-server host 1.2.3.4tacacs-server key mykeyip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaThe following example uses RADIUS as the default group to retrieve security associations from the AAA server:
aaa new-modelaaa authentication login default enableaaa authorization ipmobile default group radiusaaa session-id commonradius-server host 128.107.162.173 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server key ciscoip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaRelated Commands
address (mobile router)
To set the home IP address of the mobile router, use the address command in mobile router configuration mode. To remove the address, use the no form of this command.
address address mask
no address address mask
Syntax Description
Defaults
No default behavior or values.
Command Modes
Mobile router configuration
Command History
Usage Guidelines
The address command configures the home IP address and subnet mask of the mobile router. The address and subnet mask identify the home network of the mobile router and are used to discover when the mobile router is at home.
Examples
The following example sets the home IP address and subnet mask of the mobile router:
ip mobile routeraddress 10.1.0.1 255.255.0.0Related Commands
show ip mobile router
Displays configuration information and monitoring information about the mobile router.
clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding command in privileged EXEC mode.
clear ip mobile binding {all [load standby-group-name] | ip-address | nai string [session-id string]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The home agent creates a mobility binding for each roaming mobile node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. Typically, there should be no need to clear the binding because it expires after the lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed through use of this command, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
If the nai string session-id string option is specified, only the binding entry with that session identifier is cleared. If the session-id keyword is not specified, all binding entries (potentially more than one, with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile binding command.
Use this command with care, because it will disrupt any sessions used by the mobile node. After you use this command, the mobile node will need to reregister to continue roaming.
Examples
The following example administratively stops mobile node 10.2.0.1 from roaming:
Router# show ip mobile bindingMobility Binding List:Total 110.2.0.1:Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowedRouting Options - (G)GRERouter# clear ip mobile binding 10.2.0.1Router# show ip mobile bindingRelated Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile node, use the clear ip mobile host-counters command in EXEC mode.
clear ip mobile host-counters [[ip-address | nai string] undo]]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this option is useful for debugging).
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile host10.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -registered-, Home link on virtual network 20.0.0.0/8Accepted 2, Last time 04/13/02 19:04:28Overall service time 00:04:42Denied 0, Last time -never-Last code `-never- (0)'Total violations 1Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0.Router# clear ip mobile host-countersRouter# show ip mobile host-counters20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Related Commands
clear ip mobile router agent
To delete learned agents and the corresponding care-of address of the foreign agent from the mobile router agent table, use the clear ip mobile router agent command in privileged EXEC mode.
clear ip mobile router agent [ip-address]
Syntax Description
ip-address
(Optional) IP address of an agent. If not specified, all agents are deleted from the agent table.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The mobile router maintains an agent table listing active agents and the corresponding care-of address of the foreign agent. The mobile router uses this agent table to decide which foreign agent to register with. The mobile router updates the table when it receives advertisements. If an advertisement expires, its entry is automatically deleted from the table.
The clear ip mobile router agent ip-address option allows you to remove a specific agent.
Examples
The following example removes all agents from the mobile router agent table:
Router# clear ip mobile router agentRelated Commands
show ip mobile router interface
Displays information about the agents for the mobile router.
clear ip mobile router registration
To delete registration entries from the mobile router registration table, use the clear ip mobile router registration command in privileged EXEC mode.
clear ip mobile router registration [ip-address]
Syntax Description
ip-address
(Optional) IP address of a specific agent. If not specified, all registration entries are deleted.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The mobile router maintains a registration table listing registration entries that are used for retransmissions. For example, a registration request is sent when no reply is received or the lifetime is about to expire.
A registration request can be removed from the table to prevent further registration requests from being sent to the agent. The clear ip mobile router registration ip-address option allows you to remove a registration to a specific agent.
Clearing an active registration will cause the mobile router to attempt to deregister.
Examples
The following example removes all registration entries from the mobile router registration table:
Router# clear ip mobile router registrationRelated Commands
show ip mobile router registration
Displays the pending and accepted registrations of the mobile router.
clear ip mobile router traffic
To clear the counters that the mobile router maintains, use the clear ip mobile router traffic command in privileged EXEC mode.
clear ip mobile router traffic
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Mobile router counters are accumulated during operation. They are useful for debugging and monitoring.
Examples
The following example shows how the mobile router counters can be used for debugging:
Router# show ip mobile router trafficMobile Router Counters:Agent Discovery:Solicitations sent 90, advertisements received 17Agent reboots detected 0Registrations:Register 70, Deregister 0 requests sentRegister 70, Deregister 0 replies receivedRequests accepted 68, denied 1 by HA 1 /FA 0Denied due to mismatched ID 1...Router# clear ip mobile router trafficRouter# show ip mobile router trafficMobile Router Counters:Agent Discovery:Solicitations sent 0, advertisements received 0Agent reboots detected 0Registrations:Register 0, Deregister 0 requests sentRegister 0, Deregister 0 replies receivedRequests accepted 0, denied 0 by HA 0 /FA 0Denied due to mismatched ID 0...Related Commands
show ip mobile router traffic
Displays the counters that the mobile router maintains.
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure command in EXEC mode.
clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
Examples
In the following example, the AAA server has the security association for user 10.2.0.1 after registration:
Router# show ip mobile secure host 10.2.0.1Security Associations (algorithm,mode,replay protection,key):10.2.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8If you change the security association stored on the AAA server for this mobile node, the router clears the security association and reloads it from the AAA server:
Router# clear ip mobile secure host 10.2.0.1 loadRouter# show ip mobile secure host 10.2.0.110.2.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `newkey' 1230552d39b7c1751f86bae5205ec0c8Related Commands
ip mobile secure
Specifies the mobility security associations for mobile host, visitor, home agent, and foreign agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic command in EXEC mode.
clear ip mobile traffic [undo]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (which is useful for debugging). See the show ip mobile traffic command for a description of all counters.
Examples
The following example shows how counters can be used for debugging:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 8, Deregister 0 requestsRegister 7, Deregister 0 repliedAccepted 6, No simultaneous bindings 0Denied 1, Ignored 1Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 1, Bad request form 0.Router# clear ip mobile trafficRouter# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Related Commands
clear ip mobile visitor
To remove visitor information, use the clear ip mobile visitor command in privileged EXEC mode.
clear ip mobile visitor [ip-address | nai string [session-id string] [ip-address]]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The foreign agent creates a visitor entry for each accepted visitor. The visitor entry allows the mobile node to receive packets while in a visited network. Associated with the visitor entry is the Address Resolution Protocol (ARP) entry for the visitor. There should be no need to clear the entry because it expires after lifetime is reached or when the mobile node deregisters.
When a visitor entry is removed, the number of users on the tunnel is decremented and the ARP entry is removed from the ARP cache. The visitor is not notified.
If the nai string session-id string option is specified, only the visitor entry with that session identifier is cleared. If the session-id keyword is not specified, all visitor entries (potentially more than one, with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile visitor command.
Use this command with care because it may terminate any sessions used by the mobile node. After you use this command, the visitor will need to reregister to continue roaming.
Examples
The following example administratively stops visitor 172.21.58.16 from visiting:
Router# clear ip mobile visitor 172.21.58.16Related Commands
show ip mobile visitor
Displays the table containing the visitor list of the foreign agent.
collocated single-tunnel
To configure the number of tunnels between the mobile router and home agent when registering with a collocated care-of address (CCoA), use the collocated single-tunnel command in mobile router configuration mode.
collocated single-tunnel
Syntax Description
This command has no arguments or keywords.
Defaults
Defaults to single-tunnel enabled.
Command Modes
Mobile router
Command History
Usage Guidelines
This command is used as a "placeholder" only and defaults to single-tunnel enabled. This command can not be unconfigured. In future Cisco IOS releases, a dual-tunnel capability will be needed for IPSec between the mobile router and the home agent. At that time, this command will be optional with dual tunnels (no collocated single-tunnel) being the default. This command is provided now for backward compatibility when the dual-tunnel capablity is implemented.
description (mobile networks)
To add a description to a mobile router configuration, use the description command in mobile networks configuration mode. To remove the description, use the no form of this command.
description string
no description
Syntax Description
Defaults
No default behavior or values.
Command Modes
Mobile networks configuration
Command History
Usage Guidelines
The description command is meant solely as a comment to be put in the configuration to help you remember information about the configured mobile router or its mobile networks.
Examples
The following example shows how to add a description for the mobile router:
ip mobile mobile-networks 10.2.0.1description mobileunitnetwork 172.6.1.0 255.255.255.0network 172.6.2.0 255.255.255.0Related Commands
show ip mobile mobile-networks
Displays a list of mobile networks associated with the mobile router.
home-agent
To specify the home agent that the mobile router uses during registration, use the home-agent command in mobile router configuration mode. To disable the home agent, use the no form of this command.
home-agent ip-address [priority level]
no home-agent ip-address [priority level]
Syntax Description
Defaults
The default priority level is 100.
Command Modes
Mobile router configuration
Command History
Usage Guidelines
The home-agent command specifies which home agent the mobile router uses for registration and to detect when it is home. The priority level determines which home agent address to register with, although all addresses are on the same home agent. The mobile router registers with the home agent with the highest priority level.
The home agent address list is used to detect when the mobile router is home. The mobile router knows that it is at home when the source of the agent advertisements is an IP source address that exists on the home agent address list.
Examples
The following example shows that the mobile router will use the home agent address 1.1.1.1 during registration and will detect when it is at home after receiving agent advertisements from either address 1.1.1.1 or 2.2.2.2:
router mobileip mobile routeraddress 10.1.0.1 255.255.0.0home-agent 1.1.1.1 priority 101home-agent 2.2.2.2 priority 100Related Commands
show ip mobile router
Displays configuration information and monitoring statistics about the mobile router.
ip dhcp client mobile renew
To configure the number of renewal attempts and the interval between attempts for renewing the current IP address acquired by DHCP, use the ip dhcp client mobile renew command in interface configuration mode. To disable this functionality, use the no form of this command.
ip dhcp client mobile renew count number interval msec
no ip dhcp client mobile renew count number interval msec
Syntax Description
Defaults
count number: 2
interval msec: 50Command Modes
Interface configuration
Command History
Usage Guidelines
Mobile DHCP clients automatically attempt to renew an existing IP address in response to certain events, such as moving between wireless access points. The number of renewal attempts, and the interval between those attempts, depending on network conditions, can be modified by using the ip dhcp client mobile renew command.
Examples
In the following example, the DHCP client will make four attempts to renew its current IP address with an interval of 30 milliseconds between attempts :
interface FastEthernet0ip dhcp client mobile renew count 4 interval 30Related Commands
ip mobile authentication ignore-spi
To enable the home agent or foreign agent to accept RFC-2002 based mobile nodes or foreign agents that don't include the security parameter index (SPI) in the authentication extension of the registration message, use the ip mobile authentication ignore-spi command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile authentication ignore-spi
no ip mobile authentication ignore-spi
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration.
Command History
12.2(8)BY
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Cisco IOS software supports the Mobile-Home Authentication Extension (MHAE). All registration messages between a mobile and a home agent include a mandatory authentication extension.
In RFC 2002, the SPI field was not included to calculate the authenticator value in the authentication extension of the registration message. In RFC 3220 and 3344, the SPI field in the authentication extension is used as part of the data over which the authentication algorithm must be computed.
The command turns off authentication and allows an RFC-2002 based mobile node and foreign agent to register with the home agent even though the SPI field is not included in the authentication extension of the registration message. The foreign agent will accept both RFC 2002 and RFC 3220/3344 based visitors and the home agent will accept both RFC 2002 and RFC 3220/3344 based mobile nodes and foreign agents.
Examples
The following example allows the home agent to accept registration messages without the SPI in the authentication extension:
ip mobile authentication ignore-spiip mobile bindupdate
To enable a home agent to send a binding update message to a foreign agent, use the ip mobile bindupdate command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile bindupdate [acknowledge] [maximum seconds] [minimum seconds] [retry number]
no ip mobile bindupdate [acknowledge] [maximum seconds] [minimum seconds] [retry number]
Syntax Description
Defaults
maximum seconds: 10 seconds
minimum seconds: 1 second
retry number: 4 retriesCommand Modes
Global configuration
Command History
12.2(8)BY
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
This command enables the home agent to send a binding update message to the previous foreign agent when the mobile node moves to a new care-of address. The binding update message informs the foreign agent that a mobile node has moved and it can reclaim resources associated with that mobile node such as a visitor entry or visitor route.
Typically, resources on the foreign agent are not reclaimed until the mobility binding lifetime expires for that mobile node. By using this command, the foreign agent does not have to wait to reclaim resources used by the mobile node when that mobile node is no longer associated with the foreign agent.
Without this command configured, when a mobile node moves from foreign agent 1 to foreign agent 2 or when the home agent removes the binding, foreign agent 1 does not know that the mobile node has moved and the resources on foreign agent 1 associated with the mobile node will not be cleared until the lifetime expires for the mobile node.
If the acknowledge keyword is specified, the home agent periodically retransmits a binding update message until it receives a binding acknowledgement from the foreign agent or until the number of retries is exceeded.
The home agent and foreign agent must share a security association. The binding update message from the home agent and the binding update acknowledgement from the foreign agent must contain a FHAE (Foreign-Home Authentication Extension). If the FHAE is not configured on the home agent with the ip mobile secure command, the home agent will not send a binding update message even if the ip mobile bindupdate command is configured.
Examples
The following example configures the home agent to wait a maximum of 8 seconds before retransmitting a binding update message to a foreign agent. The foreign agent must send an acknowledgement of this binding update message upon receipt.
ip mobile bindupdate acknowledge maximum 8 retry 3ip mobile secure foreign-agent 10.31.1.1 spi 100 key hex 23456781234567812345678123456781The following example configures the security association on the foreign agent. Without the security association configured on the home agent and the foreign agent, the binding update message would not be sent or processed.
ip mobile secure home-agent 172.31.10.1 spi 100 key hex 23456781234567812345678123456781ip mobile foreign-agent
To enable foreign agent service, use the ip mobile foreign-agent command in global configuration mode. To disable this service, use the no form of this command.
ip mobile foreign-agent [care-of interface [interface-only] [transmit-only] | reg-wait seconds | local-timezone | reverse-tunnel private-address]
no ip mobile foreign-agent [care-of interface [interface-only] [transmit-only] | reg-wait seconds | local-timezone | reverse-tunnel private-address]
Syntax Description
Defaults
reg-wait seconds: 15
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables foreign agent service when at least one care-of address is configured. When no care-of address exists, foreign agent service is disabled.
The foreign agent is responsible for relaying the registration request to the home agent, setting up a tunnel to the home agent, and forwarding packets to the mobile node. The show commands used to display relevant information are shown in parentheses in the following paragraph.
When a registration request comes in, the foreign agent will ignore requests when foreign agent service is not enabled on an interface or when no care-of address is advertised. If a security association exists for a visiting mobile node, the visitor is authenticated. The registration bitflag is handled as described in Table 1. The foreign agent checks the validity of the request. If successful, the foreign agent relays the request to the home agent, appending an FH authentication extension if a security association for the home agent exists. The pending registration timer of 15 seconds is started (show ip mobile visitor pending command). At most, five outstanding pending requests per mobile node are allowed. If a validity check fails, the foreign agent sends a reply with error code to the mobile node (reply codes are listed in Table 2). A security violation is logged when visiting mobile node authentication fails (show ip mobile violation command).
When a registration reply comes in, the home agent is authenticated (show ip mobile secure home-agent command) if a security association exists for the home agent (IP source address or home agent address in reply). The reply is relayed to the mobile node.
When registration is accepted, the foreign agent creates or updates the visitor table, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the interface (of the incoming request) is added to the routing table (show ip route mobile command), and an ARP entry is added to avoid the sendingof ARP requests for the visiting mobile node. Visitor binding is removed (along with its associated host route, tunnel, and ARP entry) when the registration lifetime expires or deregistration is accepted.
When registration is denied, the foreign agent will remove the request from the pending registration table. The table and timers of the visitor will be unaffected.
When a packet destined for the mobile node arrives on the foreign agent, the foreign agent deencapsulates the packet and forwards it out its interface to the visiting mobile node, without sending ARP requests.
The care-of address must be advertised by the foreign agent. This adddress is used by the mobile node to register with the home agent. The foreign agent and home agent use this address as the source and destination point of tunnel, respectively. The foreign agent is not enabled until at least one care-of address is available. The foreign agent will advertise on interfaces configured with the ip mobile foreign-service command.
Only care-of addresses with interfaces that are up are considered available.
The interface-only and transmit-only keywords are used in an aysmmetric link environment, such as satellite communications, where separate uplinks and downlinks exist. The ip mobile foreign-agent care-of interface interface-only command enables the specified interface to advertise only its own address as the care-of address. All other care-of addresses are not advertised. Other foreign agent interfaces configured for foreign-service will not advertise interface-only care-of addresses. The ip mobile foreign-agent care-of interface transmit-only command informs Mobile IP that the interface acts as an uplink. Registration requests and replies received for this care-of address are treated as transmit-only. This interface will not hear any solicitations.
Use the reverse-tunnel private-address keywords to force a mobile node with a private address to register with reverse tunnel. Private addresses are IP addresses in the following ranges:
•
•
•
Table 1 lists mobile node registration request service bitflags.
Table 2 lists foreign agent reply codes.
Examples
The following example enables foreign agent service on Ethernet interface 1, advertising 10.0.0.1 as the care-of address:
ip mobile foreign-agent care-of Ethernet0interface Ethernet0ip address 10.0.0.1 255.0.0.0interface Ethernet1ip mobile foreign-serviceThe following example enables foreign agent service on serial interface 4, advertising 10.0.0.2 as the only care-of address. The uplink interface is configured as a transmit-only interface.
ip mobile foreign-agent care-of Serial4 interface-only transmit-onlyinterface Serial4! Uplink interfaceip address 10.0.0.2 255.255.255.0ip irdp!ip mobile foreign-service!Related Commands
ip mobile foreign-agent inject-mobile-networks
To enable direct routing to mobile networks via the foreign agent, use the ip mobile foreign-agent inject-mobile-networks command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile foreign-agent inject-mobile-networks [mobnetacl access-list-identifier]
no ip mobile foreign-agent inject-mobile-networks [mobnetacl access-list-identifier]
Syntax Description
Defaults
Direct routing via the foreign agent is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Configure the ip mobile foreign-agent inject-mobile-networks command on the foreign agent to enable direct routing.
The value entered for the access-list-identifier argument must match the name of an access list defined using the ip access-list command or the number of an access list defined using the access-list command.
Examples
The following example configures the access list named mobile-net-list and enables direct routing via the foreign agent for mobile networks specified on that access list.
ip access-list standard mobile-net-listpermit any!ip mobile foreign-agent inject-mobile-networks mobnetacl mobile-net-listRelated Commands
ip mobile foreign-agent nat traversal
To enable NAT traversal support for mobile IP (MIP) foreign agents (FAs), use the ip mobile foreign-agent nat traversal command in global configuration mode. To disable NAT traversal support, use the no form of this command.
ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]
no ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]
Syntax Description
Defaults
Network Address Translation (NAT) traversal support for FAs is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
You need to enable this command under the following circumstances:
•
•
A likely scenario for using this command and when to set the force bit is when there is a firewall between a FA and HA. The firewall blocks IP-in-IP and GRE packets but permits UDP packets.
Examples
The following example shows a FA configuration with a keepalive time of 45 and forced UDP tunneling.
ip mobile foreign-agent care-of Ethernet2/2ip mobile foreign-agent nat traversal keepalive 45 forceRelated Commands
ip mobile foreign-agent skip-aaa-reauthentication
To enable FA-CHAP during Mobile IP registration, and then to skip it in all subsequent re-registrations, use the ip mobile foreign-agent skip-aaa-reauthentication command in global configuration mode. To disable this feature, use the no form of this command.
ip mobile foreign-agent skip-aaa-reauthentication
no ip mobile foreign-agent skip-aaa-reauthentication
Syntax Description
There are no keywords or arguments for this commmand.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
FA-CHAP is a mechanism for authentication in Mobile IP. As per IS835, FA-CHAP is mandatory during Mobile IP call setup (registration), and requires access to a AAA server. A Mobile IP call has a parameter lifetime, so in order to continue a Mobile IP call, re-registration is required before the lifetime expires, and this re-registration leads to extending of lifetime.
Because FA-CHAP is mandatory, and the call is authenticated during registration, it may be undesirable to access AAA during re-registration of the Mobile IP call. The ip mobile foreign-agent skip-aaa-reauthentication command provides flexibility in this scenario.
When this command is configured, FA-CHAP is performed during Mobile IP registration, and is skipped in all subsequent re-registrations.
The default value is "false", implying that AAA access is not skipped during Mobile IP re-registration.
Examples
The following example shows that FA-CHAP is enabled during Mobile IP registration, but disabled for all subsequent re-registrations:
ip mobile foreign-agent skip-aaa-reauthenticationip mobile foreign-service
To enable foreign agent service if care-of addresses are configured, use the ip mobile foreign-service command in interface configuration mode. To disable this service, use the no form of this command.
ip mobile foreign-service [home-access access-list] [limit number] [registration-required] [challenge {timeout value | window number | forward-mfce}] [reverse-tunnel [mandatory]]
no ip mobile foreign-service [home-access access-list] [limit number] [registration-required] [challenge {timeout value | window number | forward-mfce}] [reverse-tunnel [mandatory]]
Syntax Description
Defaults
Foreign agent service is not enabled.
There is no limit to the number of visitors allowed on an interface.
window number: 2
Foreign agent reverse tunneling is not enabled. When foreign agent reverse tunneling is enabled, it is not mandatory by default.Command Modes
Interface configuration and global configuration
Command History
Usage Guidelines
This command enables foreign agent service on the interface or all interfaces (in global configuration mode). The foreign agent (F) bit will be set in the agent advertisement, which is appended to the IRDP router advertisement whenever the foreign agent or home agent service is enabled on the interface.
Note
When you use the reverse-tunnel keyword to enable foreign agent reverse tunneling on an interface, the reverse tunneling support (T) bit is set in the agent advertisement.
Cisco Express Forwarding (CEF) switching is currently not supported on a foreign agent when reverse tunneling is enabled. If reverse tunneling is enabled at the foreign agent, disable CEF on the foreign agent, using the no ip cef global configuration command. If the foreign agent does not support reverse tunneling, then there is no need to disable CEF at the global configuration level.
Table 3 lists the advertised bitflags.
Examples
The following example shows how to enable foreign agent service for up to 100 visitors:
interface Ethernet 0ip mobile foreign-service limit 100 registration-requiredThe following example shows how to enable foreign agent reverse tunneling:
interface ethernet 0ip mobile foreign-service reverse-tunnelThe following example shows how to configure foreign agent challenge parameters:
interface ethernet 0ip mobile foreign-service challenge window 2Related Commands
ip mobile home-agent
To enable and control home agent (HA) services, use the ip mobile home-agent command in global configuration mode. To disable these services, use the no form of this command.
ip mobile home-agent [address ip-address] [broadcast] [care-of-access access-list] [lifetime seconds] [nat-detect] [replay seconds] [reverse-tunnel-off] [roam-access access-list] [strip-nai-realm] [suppress-unreachable] [local-timezone] [unknown-ha [accept [reply] | deny]] [send-mn-address]
no ip mobile home-agent [address ip-address] [broadcast] [care-of-access access-list] [lifetime seconds] [nat-detect] [replay seconds] [reverse-tunnel-off] [roam-access access-list] [strip-nai-realm] [suppress-unreachable] [local-timezone] [unknown-ha [accept [reply] | deny]] [send-mn-address]
Syntax Description
Defaults
The command is disabled. Broadcasting is disabled. Reverse tunnel support is enabled. ICMP unreachable messages are sent. NAT detection is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls HA services on a router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered MNs are unaffected. Tunnels are shared by MNs registered with the same endpoints, so the reverse-tunnel-off keyword also affects registered MNs.
The HA processes registration requests from the MN and sets up tunnels and routes to the CoA. Packets to the MN are forwarded to the visited network.
The HA will forward broadcast packets to MNs if the MNs are registered with the service. However, heavy broadcast traffic uses the CPU of the router.
The HA can control where the MNs roam by the care-of-access keyword, and which MN is allowed to roam by the roam-access keyword.
When a registration request comes in, the HA ignores requests when HA service is not enabled or the security association of the MN is not configured. The latter condition occurs because the security association must be available for the MH authentication extension in the reply. If a security association exists for the FA (IP source address or CoA in the request), the FA is authenticated, and then the MN is authenticated. The Identification field is verified to protect against replay attack. The HA checks the validity of the request (see Table 4) and sends a reply. (Reply codes are listed in Table 5.) A security violation is logged when FA authentication, MH authentication, or identification verification fails. (The violation reasons are listed in Table 6.)
After registration is accepted, the HA creates or updates the mobility binding of the MN, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the MN via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no MNs are using it), and gratuitous ARP messages are sent out if the MN is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the HA uses the entire NAI string as the username for authentication (which may be with local security association or retrieved from the AAA server). The strip-nai-realm keyword instructs the HA to strip off the realm part of NAI (if it exists) before performing authentication. Basically, the MN is identified by only the user name part of the NAI. This option is useful if the majority of MNs belong to the same realm, for example, in the case of enterprise networks.
When the packet destined for the MN arrives on the HA, the HA encapsulates the packet and tunnels it to the care-of address. If the Don't Fragment (DF) bit is set in the packet via the ip mobile tunnel path-mtu-discovery global configuration command, the HA will copy the DF bit from the original packet to the new tunnel IP header. This allows the path MTU discovery to set the MTU of the tunnel. Subsequent packets greater than the MTU of the tunnel will be dropped and an ICMP datagram too big message will be sent to the source (correspondent node). If the HA loses the route to the tunnel endpoint, the host route to the MN will be removed from the routing table until the tunnel route is available. Packets destined for the MN without a host route will be sent out the interface (home network) or to the virtual network (see the description of the suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the HA will send a copy to all MNs registered with the broadcast routing option.
Some companies block ICMP datagram too big messages. If the message does not reach the original correspondent node sending the packet, the correspondent node will simply resend the same size packet. To work around this problem, turn off Path MTU Discovery with the no ip mobile tunnel path-mtu-discovery command. The DF bit will not be copied from the original packet and the tunnel packet can be fragmented.
The ip mobile home-agent nat-detect option is supported for MNs using a collocated care-of address and registering through the FA. The MN will use the NAT inside address as the collocated care-of address used in its registration requests. If a MN is using an FA CoA address, the MN can be detected behind a NAT gateway.
The ip mobile home-agent unknown-ha option can be useful in a testing environment when the HA is using a private address behind a NAT gateway. A MN would need to access the HA through the NAT box while it is on a public network domain. However, NAT will translate the destination IP address of the registration request to the private address of the HA. When the HA checks the HA field in the registration request, it does not match one of the interfaces. The packet can not be processed properly and the tunnels are not set up properly. The ip mobile home-agent unknown-ha command allows the HA to accept the unknown (translated) address and process the registration request.
The send-mn-address keyword is available only on PDSN platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
The MN requests services from the HA by setting bits in the registration request. Table 4 shows the services the MN can request.
Table 5 lists the HA registration reply codes. The codes tell the MN whether the registration was accepted or denied. If registration is denied, the reply code gives the reason.
Table 6 lists security violation codes.
Table 6 Security Violation Codes
1
No mobility security association.
2
Bad authenticator.
3
Bad identifier.
4
Bad SPI.
5
Missing security extension.
6
Other.
7
Stale request.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent broadcast lifetime 7200Related Commands
ip mobile home-agent aaa user-password
To configure an authentication password for the downloading of security associations from a AAA server, use the ip mobile home-agent aaa user-password command in global configuration mode. To remove the password requirement, use the no form of this command.
ip mobile home-agent aaa user-password {0 password | 7 encrypted-password | password}
no ip mobile home-agent aaa user-password
Syntax Description
Defaults
The default password is cisco.
Command Modes
Global configuration
Command History
Usage Guidelines
When a mobile node sends a registration request packet to the home agent, Mobile IP requires a security association for registration authentication. Security associations for a mobile node can be configured on the home agent or retrieved by the home agent from a AAA server.
If security associations are retrieved from a AAA server, the AAA access-request packets used to retrieve the security associations require a challenge and response. If the registration request of the mobile node does not contain a challenge and response, the home agent auto-generates a challenge and creates a response using the default password "cisco" unless you specify a different password using the ip mobile home-agent aaa user-password command. In either case, a single password is used for all mobile nodes.
The AAA server will read the challenge in the access-request packet of the mobile node, and using the password of the mobile node that is stored on the AAA server, create the response to the challenge. It then authenticates the mobile node, identified by its IP address (or network access identifier), by comparing the two responses to ensure they are identical. For this reason, the password configured by the ip mobile home-agent aaa user-password command must match the user password in the user profile on the AAA server.
Mobile nodes that include a challenge and response in their registration request, such as in the case of dynamic security association and key distribution, do not use the defined password. Instead, the home agent copies the challenge/response from the registration request into the AAA access-request packet. Thus, a mobile node in this scenario can have a "unique" password.
You can enable or disable password encryption with the service password-encryption command. If this command is enabled, even if the ip mobile home-agent aaa user-password 0 password is used, the password will be encrypted.
Examples
The following example enables the encrypted password "$1$i5Rkls3L0yxzS8t9" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password 7 $1$i5Rkls3L0yxzS8t9The following example enables the unencrypted password "pswd2" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password 0 pwsd2The following example enables the unencrypted password "pswdmobile" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password pswdmobileRelated Commands
ip mobile home-agent accounting
To enable home agent accounting services on the router, use the ip mobile home-agent accounting command in global configuration mode. To disable these services, use the no form of this command.
ip mobile home-agent accounting {default | list-name}
no ip mobile home-agent accounting {default | list-name}
Syntax Description
Defaults
The command is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls home agent accounting services on the router. First, use the aaa accounting global configuration command to define the accounting method list. Next, apply the same accounting method list on the home agent using the ip mobile home-agent accounting global configuration command.
Examples
The following example enables home agent accounting for the list named mobile-list:
ip mobile home-agent accounting mobile-listRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
ip mobile home-agent nat traversal
To enable NAT traversal support for Mobile IP (MIP) home agents (HAs), use the ip mobile home-agent nat traversal command in global configuration mode. To disable Network Address Translation (NAT) traversal support for MIP for the HA, use the no form of this command.
ip mobile home-agent nat traversal [keepalive keepalive time] [forced {accept | reject}]
no ip mobile home-agent nat traversal
Syntax Description
Defaults
NAT traversal support for MIP is disabled for the HA.
Command Modes
Global configuration
Command History
Usage Guidelines
Enable this command if your MNs will roam behind a NAT-enabled router or firewall.
Examples
The following example shows an HA configured with a keepalive timer set to 56 seconds and forced to accept UDP tunneling.
ip mobile home-agent nat traversal 56 forced acceptip mobile home-agent replay 255ip mobile home-agent redundancy Phy1 virtual-networkRelated Commands
ip mobile home-agent redundancy
To configure the home agent for redundancy by using the Hot Standby Router Protocol (HSRP) group name, use the ip mobile home-agent redundancy command in global configuration mode. To remove the address, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address]
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address]
Syntax Description
hsrp-group-name
Specifies the HSRP group name.
virtual-network
(Optional) Specifies that the HSRP group is used to support virtual networks.
address address
(Optional) Home agent address.
Defaults
No global home agent addresses are specified.
Command Modes
Global configuration
Command History
12.0(2)T
This command was introduced.
12.2(8)T
The command changed from ip mobile home-agent standby to ip mobile home-agent redundancy.
Usage Guidelines
The virtual-network keyword specifies that the HSRP group supports virtual networks.
Note
When Mobile IP standby is configured, the home agent can request mobility bindings from the peer home agent. When Mobile IP standby is deconfigured, the home agent can remove mobility bindings. Operation of home agent redundancy on physical and virtual networks is described as follows:
•
•
Examples
The following example specifies an HSRP group named SanJoseHA:
ip mobile home-agent redundancy SanJoseHARelated Commands
ip mobile home-agent reject-static-address
To configure the home agent to reject registration requests from mobile nodes under certain conditions, use the ip mobile home-agent reject-static-address command in global configuration mode. To disable this service, use the no form of this command.
ip mobile home-agent reject-static-address
no ip mobile home-agent reject-static-address
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
12.2(8)BY
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
By default, the home agent gives an alternative authorized address for a mobile node if the home address in the registration request is already in use. If the ip mobile home-agent reject-static-address command is configured, the home agent rejects the registration request with error code 130 (insufficient resources).
Examples
In the following example, the home agent will reject the registration request if the home address proposed in the registration request is in use:
ip mobile home-agent reject-static-addressip mobile home-agent resync-sa
To configure the home agent to clear out the old cached security associations and requery the AAA server for a new security association when the mobile node fails authentication, use the ip mobile home-agent resync-sa command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile home-agent resync-sa seconds
no ip mobile home-agent resync-sa seconds
Syntax Description
Defaults
This command is off by default. The normal behavior of the home agent is to never requery the AAA server for a new security association.
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable security association caching for the ip mobile home-agent resync-sa command to work. Use the ip mobile host aaa load-sa global configuration command to enable caching of security associations retrieved from a AAA server.
When a security association is downloaded for a mobile node from a AAA server, the security association is time stamped. If the mobile node fails reregistration and the time interval since the security association was cached is greater than sec seconds, the home agent will clear out the old security association and requery the AAA server. If the time period is less than the sec value, the home agent will not requery the AAA server for the security association of the mobile node.
The sec value represents the number of seconds the home agent will consider the downloaded security association synchronized with the AAA server. After that time period, it is considered old and can be replaced by a new security association from the AAA server.
This time-based resynchronization process helps prevent denial-of-service attacks on the AAA server and provides a way to synchronize the home agent's cached security association entry when a change to the security association for the mobile node is made at the AAA server and on the mobile node. By using this process, once the mobile node fails reregistration with the old cached security association, the home agent will clear the cache for that mobile node, and resynchronize with the AAA server.
Examples
In the following example, if a registration fails authentication, the home agent retrieves a new security association from the AAA server if the existing security association was downloaded more than 10 seconds ago:
ip mobile home-agent resync-sa 10Related Commands
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host command in global configuration mode. To disable these services, use the no form of this command.
ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [authorized-pool name] [skip-aaa-reauthentication][care-of-access access-list] [lifetime seconds]
no ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [authorized-pool name] [skip-aaa-reauthentication] [care-of-access access-list] [lifetime seconds]
Syntax Description
lower [upper]
One or a range of mobile host or mobile node group IP addresses. The upper end of the range is optional.
nai string
Network access identifier. The NAI can be a unique identifier (username@realm) or a group identifier (@realm).
static-address
(Optional) Indicates that a static IP address is to be assigned to the flows on this NAI. This parameter is not valid if the NAI is a realm.
addr1, addr2, ...
(Optional) One to a maximum of five IP addresses to be assigned using the static-address keyword.
local-pool name
(Optional) Name of the local pool of addresses to use for assigning a static IP address to this NAI.
address
(Optional) Indicates that a dynamic IP address is to be assigned to the flows on this NAI.
addr
(Optional) IP address to be assigned using the address keyword.
pool
(Optional) Indicates that a pool of addresses is to be used in assigning a dynamic IP address.
local name
(Optional) The name of the local pool to use in assigning addresses.
dhcp-proxy-client
(Optional) Indicates that the DHCP request should be sent to a DHCP server on behalf of the mobile node.
dhcp-server addr
(Optional) IP address of the DHCP server.
interface name
When used with DHCP, specifies the gateway address from which the DHCP server should select the address.
virtual-network network-address mask
Indicates that the mobile station resides in the specified virtual network, which was created using the ip mobile virtual-network command.
aaa
(Optional) Retrieves security associations from a AAA (TACACS+ or RADIUS) server. Allows the home agent to download address configuration details from the AAA server.
load-sa
(Optional) Caches security associations after retrieval by loading the security association into RAM. See Table 8 for details on how security associations are cached for NAI hosts and non-NAI hosts.
permanent
(Optional) Caches security associations in memory after retrieval permanently. Use this optional keyword only for NAI hosts.
authorized-pool name
(Optional) Verifies the IP address assigned to the mobile node if it is within the pool specified by the name argument.
skip-aaa-reauthentication
(Optional) When configured, the home agent does not send an access request for authentication for mobile IP re-registration requests. When disabled, the home agent sends an access request for all Mobile IP registration requests.
care-of-access access-list
(Optional) Access list. This can be a named access list or standard access list. The range is from 1 to 99. Controls where mobile nodes roam—the acceptable care-of addresses.
lifetime seconds
(Optional) Lifetime (in seconds). The lifetime for each mobile node (group) can be set to override the global value. The range is from 3 to 65535 (infinite).
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the home agent. These mobile nodes belong to the network on an interface or a virtual network (via the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from a AAA server.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 7 are based on the assumption of one security association per mobile node. Caching behavior of security associations differs between NAI and non-NAI hosts as described in Table 8.
The nai keyword allows you to specify a particular mobile node or range of mobile nodes. The mobile node can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool; the requested address must be in the pool). Or, the mobile node can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the Packet Data Serving Node (PDSN) proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The address pool can be defined by a local pool or by use of a DHCP proxy client. For DHCP, the interface name keyword and argument combination specifies the gateway address from which the DHCP server should select the address and the dhcp-server keyword specifies the DHCP server address. The NAI is sent in the client-id option of the DHCP packet and can be used to provide dynamic DNS services.
You can also use this command to configure the static IP address or address pool for multiple flows with the same NAI. A flow is a set of {NAI, IP address}.
Security associations can be stored using one of three methods:
•
•
•
Each method has advantages and disadvantages, which are described in Table 7.
The caching behavior of security associations for NAI hosts and non-NAI hosts is described in Table 8.
Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and retrieve mobile node security associations from a AAA server every time the mobile node registers:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a mobile node group to reside on virtual network 10.99.1.0 and retrieve and cache mobile node security associations from a AAA server. The cached security association is then used for subsequent registrations.
ip mobile host 10.99.1.1 10.99.1.100 virtual-network 10.99.1.0 aaa load-saThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 180The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached as long as the binding is present and are deleted on the home agent when the binding is removed (due to manual clearing of the binding or lifetime expiration).
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 10.2.0.0 255.255.0.0 aaa load-sa lifetime 180The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com static-address local-pool mobilenodesThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached permanently until cleared manually.
ip mobile host nai @cisco.com address pool local mobilenodes virtual network 10.2.0.0 255.255.0.0 aaa load-sa permanent lifetime 180The following example configures the DHCP proxy client to use a DHCP server located at 10.1.2.3 to allocate a dynamic home address:
ip mobile host nai @dhcppool.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0Related Commands
ip mobile mobile-networks
To associate one or more networks with a mobile router configured as a mobile host and enter mobile networks configuration mode, use the ip mobile mobile-networks command in global configuration mode. To disassociate the networks from the mobile router, use the no form of this command.
ip mobile mobile-networks lower [upper]
no ip mobile mobile-networks lower [upper]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
12.2(4)T
This command was introduced.
12.2(13)T
The upper argument was added to allow a range of mobile host or mobile node group addresses.
Usage Guidelines
The home agent supports mobile routers configured with the mobile networks that are roaming with the mobile routers.
The lower [upper] arguments associate the mobile networks with the IP address of the mobile router, which was configured using the ip mobile host command. You can use the upper range only with dynamic mobile network registration. Static mobile network configurations are not permitted for a range of hosts.
You can configure the home agent to dynamically learn of the mobile networks during registration as shown in the following example:
ip mobile host 10.0.0.1 10.0.0.10 virtual-networks 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.0.0.1 10.0.0.10!dynamic registrationregisterYou can configure the home agent to learn of the mobile networks through static configuration as shown in the following example:
ip mobile host 10.0.0.1 virtual-networks 10.0.0.0 255.0.0.0ip mobile host 10.0.0.2 virtual-networks 10.0.0.0 255.0.0.0!ip mobile mobile-networks 10.0.0.1!static configurationnetwork 172.16.1.0 255.255.255.0ip mobile mobile-networks 10.0.0.2!static configurationnetwork 172.16.2.0 255.255.255.0You cannot configure the range as shown in the following static configuration:
!static configuration not permitted for range of hostsip mobile mobile-networks 10.0.0.1 10.0.0.10network 172.16.2.0The mobile router configuration is allowed only for one mobile router or an entire range of mobile routers in the mobile host group, exclusively. You cannot configure a partial range of mobile routers as shown in the following example:
ip mobile host 10.0.0.1 10.0.0.10 virtual-network 10.0.0.0 255.0.0.0!Partial range shown below is prohibitedip mobile mobile-networks 10.0.0.1 10.0.0.3registerYou cannot combine full ranges and partial ranges of IP addresses in a configuration as shown in the following example:
ip mobile host 10.0.0.1 10.0.0.10 virtual-network 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.0.0.1 10.0.0.10registerip mobile mobile-networks 10.0.0.2network 172.16.2.0 255.255.255.0Examples
The following example configures the mobile host, which is a mobile router at 10.1.1.10, and associates it with the mobile networks that it is supporting:
ip mobile host 10.1.1.10 virtual-network 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.1.1.10network 172.6.2.0 255.255.255.0ip mobile secure host 10.1.1.10 spi 100 key hex 12345678123456781234567812345678The following example shows the mobile router configured for both static and dynamic mobile networks:
ip mobile host 10.1.1.10 virtual-network 10.0.0.0 255.0.0.0ip mobile mobile-networks 10.1.1.10network 172.16.1.0 255.255.255.0registerRelated Commands
ip mobile prefix-length
To append the prefix-length extension to the advertisement, use the ip mobile prefix-length command in interface or global configuration mode. To restore the default, use the no form of this command.
ip mobile prefix-length
no ip mobile prefix-length
Syntax Description
This command has no arguments or keywords.
Defaults
The prefix-length extension is not appended.
Command Modes
Interface configuration and global configuration
Command History
12.0(1)T
This command was introduced.
12.3(11)T
Global configuration mode was added.
Usage Guidelines
The prefix-length extension is used for movement detection. When a mobile node registered with one foreign agent receives an agent advertisement from another foreign agent, the mobile node uses the prefix-length extension to determine whether the advertisements arrived on the same network. The mobile node needs to register with the second foreign agent if it is on a different network. If the second foreign agent is on the same network, reregistration is not necessary.
Examples
The following example appends the prefix-length extension to agent advertisements sent by a foreign agent:
ip mobile prefix-lengthRelated Commands
show ip mobile interface
Displays advertisement information for interfaces that are providing foreign agent service or are home links for mobile nodes.
ip mobile proxy-host
To locally configure the proxy Mobile IP attributes, use the ip mobile proxy-host command in global configuration mode. To remove the configuration, use the no form of this command.
ip mobile proxy-host nai username@realm [flags rrq-flags] [home-agent ip-address] [home-addr home-address] [lifetime seconds] [local-timezone]
no ip mobile proxy-host nai username@realm [flags rrq-flags] [home-agent ip-address] [home-addr home-address] [lifetime seconds] [local-timezone]
Syntax Description
Defaults
No security association is specified.
Command Modes
Global configuration
Command History
12.2(2)XC
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T for Packet Data Serving Node (PDSN) platforms.
Usage Guidelines
This command is only available on PDSN platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
All proxy Mobile IP attributes can be retrieved from the AAA server. You can use this command to configure the attributes locally.
If only a realm is specified, the home address cannot be specified.
Examples
The following example configures the Mobile IP proxy host with an IP address of 10.3.3.1 and a lifetime value of 6000 seconds:
ip mobile proxy-host nai moiproxy1@cisco.com flags 40 home-agent 10.3.3.1 lifetime 6000Related Commands
ip mobile registration-lifetime
To set the registration lifetime value advertised, use the ip mobile registration-lifetime command in interface or global configuration mode.
ip mobile registration-lifetime seconds
Syntax Description
Defaults
36000 seconds
Command Modes
Interface and global configuration
Command History
12.0(1)T
This command was introduced.
12.3(11)T
Global configuration mode was added.
Usage Guidelines
This command allows an administrator to control the advertised lifetime on the interface. The foreign agent uses this command to control duration of registration. Visitors requesting longer lifetimes will be denied.
Examples
The following example sets the registration lifetime to 10 minutes on interface Ethernet 1 and 1 hour on interface Ethernet 2:
interface e1ip mobile registration-lifetime 600interface e2ip mobile registration-lifetime 3600Related Commands
show ip mobile interface
Displays advertisement information for interfaces that are providing foreign agent service or are home links for mobile nodes.
ip mobile router
To enable the mobile router and enter mobile router configuration mode, use the ip mobile router command in global configuration mode. To disable the mobile router, use the no form of this command.
ip mobile router
no ip mobile router
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The mobile router is a router that operates as a mobile node. The mobile router can roam from its home network and still provide connectivity for devices on its networks. The mobile networks are locally attached to the router.
Examples
The following example enables the mobile router:
ip mobile routerRelated Commands
show ip mobile router
Displays configuration information and monitoring statistics about the mobile router.
ip mobile router-service
To enable mobile router service on an interface, use the ip mobile router-service command in interface configuration mode. To disable this service, use the no form of this command.
ip mobile router-service {hold-down [foreign-agent seconds | reassociate msec] | roam [priority value] | solicit [interval seconds] [retransmit initial minimum maximum seconds retry number]}
no ip mobile router-service {hold-down [foreign-agent seconds | reassociate msec] | roam [priority value] | solicit [interval seconds] [retransmit initial minimum maximum seconds retry number]}
Syntax Description
Defaults
hold-down foreign agent seconds: zero
hold-down reassociate msec: 1000
priority value: 100
interval seconds: 600 seconds
retransmit initial minimum maximum seconds: 1000 milliseconds (1 second)
retry number : Three retriesCommand Modes
Interface configuration
Command History
12.2(4)T
This command was introduced.
12.3(14)T
The foreign-agent seconds and reassociate msec keywords and arguments were added.
Usage Guidelines
The mobile router discovers home agents and foreign agents by receiving agent advertisements.
Note
When a wireless link connected to an interface is lossy, the mobile router must not immediately register with the foreign agent even when heard on a preferred interface. The ip mobile router-service hold-down foreign-agent seconds command allows existing communications to continue with mobile networks while the mobile router gauges the quality of the link to the new foreign agent.
The ip mobile router-service solicit command instructs the mobile router to send agent solicitation messages periodically. Some networks only send out agent advertisements periodically or when solicited. For networks on which agents do not advertise periodically, this function must be enabled to detect agents. The mobile router always sends solicitation messages when roaming interfaces come up.
If a mobile router interface is configured for solicitations, you should set both ip irdp maxadvertinterval seconds and ip irdp holdtime seconds to 0 seconds on the foreign agent. These settings ensure that the foreign agent will not send out any IRDP advertisements unless solicited. If a foreign agent or home agent are sending IRDP advertisements periodically, then a solicitation will trigger the agent to send an advertisement immediately instead of at the next time interval.
The solicit timer for the ip mobile router-service solicit command is reset and no solicitation is sent out on the roaming interface if the mobile router receives an advertisement from a foreign agent before the solicit timer expires. For example, if the mobile router is configured to solicit every 10 seconds and the foreign agent advertises every 3 seconds, the mobile router will never solicit.
Use the ip mobile router-service hold-down reassociate msec command to specify the interval of time that the mobile router will wait, after receiving an SNMP linkDown trap, for a linkUp trap from the Wireless Mobile Interface Card (WMIC) indicating that the wireless link is available for use. This hold-down delay should be long enough for the WMIC to establish connectivity with a new AP or bridge when roaming.
Use the show ip mobile router agent command to display agents learned from advertisements and the mobile router's available CCoAs. Use the show ip mobile router interface command to display the configuration of the interfaces used for roaming.
Examples
The following example configures roaming interfaces, solicitation services, and hold-down timers on serial interface 0 and roaming interfaces and hold-down timers on Ethernet interface 0 of the mobile router.
In this example, the mobile router has two interfaces. The serial interface is connected to a serial interface of a foreign agent and the Ethernet interface is connected to an Ethernet interface of a foreign agent. The mobile router will prefer to register on the Ethernet interface if possible because it has a higher priority than the serial interface. If the mobile router does not receive any agent advertisements on the Ethernet interface, it will use the serial interface to solicit foreign agents.
If the Ethernet interface hears a new foreign agent advertisement after the mobile router has already registered using the serial interface, it will wait the duration of the hold-down timer (20 seconds) before registering with the foreign agent on the Ethernet interface. The ip mobile router-service hold-down foreign-agent seconds command allows communications to continue with mobile networks while the mobile router gauges the quality of the link to the new foreign agent. The Ethernet interface is configured with a higher priority so the mobile router prefers to register with this interface.
Once it receives an agent advertisement on the Ethernet interface, it will use the Ethernet interface to register to its home agent.
interface s0ip mobile router-service roam! s0 solicits every 5 seconds after last advertisement received on the interfaceip mobile router-service solicit interval 5ip mobile router-service hold-down foreign-agent 20interface e0ip mobile router-service roam priority 101ip mobile router-service hold-down foreign-agent 20In the following example, the mobile router is configured to receive dynamic CCoA from DHCP. The mobile router will wait 2000 milliseconds for the SNMP linkUp trap from the WMIC indicating that layer 2 has reassociated. This interval of time allows the mobile router to roam and still maintain wireless connectivity.
interface FastEthernet0ip address dhcpip dhcp client mobile renew count 3 interval 20ip mobile router-service roamip mobile router-service collocatedip mobile router-service hold-down reassociate 2000Related Commands
ip mobile router-service collocated
To enable static or dynamic collocated care-of address (CCoA) processing on a mobile router interface, use the ip mobile router-service collocated command in interface configuration mode. To disable static or dynamic CCoA processing, use the no form of this command.
ip mobile router-service collocated [gateway ip-address] [ccoa-only]
no ip mobile router-service collocated [gateway ip-address] [ccoa-only]
Syntax Description
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
12.2(15)T
This command was introduced.
12.3(4)T
The ccoa-only keyword was added. Dynamic CCoA functionality was added.
Usage Guidelines
The primary IP address of the interface is used as the CCoA. The interface must already be configured as a roaming interface using the ip mobile router-service roam interface configuration command for both static and dynamic CCoA processing.
The mobile router can register with the home agent using a CCoA that was acquired dynamically via the IP Control Protocol (IPCP).
The gateway IP address is the next-hop IP address for registration packets. Upon successful registration, this address will be used as the default gateway and default route.
You need not specify the gateway ip-address combination if using a serial interface. The gateway ip-address combination is required on all non point-to-point interfaces such as Ethernet LANs and must be on the same logical subnet as the primary interface IP address.
You can configure the mobile router interface to register only its CCoA and ignore foreign agent advertisements by using the ip mobile router-service collocated ccoa-only option. Using this command on an interface already registered with a foreign agent CoA will cause the mobile router to re-register immediately with a CCoA.
Using the no ip mobile router-service collocated ccoa-only command on an interface already registered with a CCoA will cause the interface to deregister its CCoA and begin foreign agent discovery.
Examples
The following example enables static CCoA processing on a mobile router interface:
interface FastEthernet0/0! Primary IP address is the static CCoAip address 172.21.58.23 255.255.255.0ip mobile router-service roam! Gateway IP address is next-hop destinationip mobile router-service collocated gateway 172.21.58.1The following example enables dynamic CCoA processing on a mobile router interface:
interface Serial 3/1ip address negotiatedencapsulation pppip mobile router-service roamip mobile router-service collocatedThe following example enables static CCoA-only processing. The interface will not listen to foreign agent advertisements.
interface Ethernet 1/0ip address 10.0.1.1 255.255.255.0ip mobile router-service roamip mobile router-service collocated gateway 10.0.1.2 ccoa-onlyip mobile router-service collocated registration retry 30The following example enables dynamic CCoA-only processing. The interface will not listen to foreign agent advertisements.
interface Serial 1/0ip address negotiatedencapsulation pppip mobile router-service roamip mobile router-service collocated ccoa-onlyRelated Commands
ip mobile router-service collocated registration retry
To configure the time period that the mobile router waits before sending another registration request after a registration failure, use the ip mobile router-service collocated registration retry command in interface configuration mode. To disable this functionality, use the no form of this command.
ip mobile router-service collocated registration retry seconds
no ip mobile router-service collocated registration retry
Syntax Description
Defaults
60 seconds
Command Modes
Interface configuration.
Command History
Usage Guidelines
An interface configured for static collocated care-of address (CCoA) will not have foreign agent advertisements to use to trigger new registration attempts. Any foreign agent advertisements detected on that interface are ignored.
The default retry value is 60 seconds. You need to use this command only when a different retry interval is desired.
Examples
The following example shows that the mobile router will wait 30 seconds before sending another registration request after a registration failure:
interface FastEthernet0/0! Primary IP address is the CCoAip address 172.21.58.23 255.255.255.0ip mobile router-service roamip mobile router-service collocated gateway 172.21.58.1ip mobile router-service collocated registration retry 30Related Commands
ip mobile router-service collocated
Enables static CCoA processing on a mobile router interface.
ip mobile router-service tunnel mode
To set the encapsulation mode for a mobile router interface, use the ip mobile router-service tunnel mode command in interface configuration mode. To restore the default encapsultion mode on an interface, use the no form of this command.
ip mobile router-service tunnel mode {gre | ipip}
no ip mobile router-service tunnel mode
Syntax Description
gre
Specifies that the mobile router will attempt to register with Generic Routing Encapsulation (GRE) on the interface.
ipip
Specifies that IP-in-IP encapsulation will be used on the interface.
Defaults
The default encapsulation mode for Mobile IP is IP-in-IP encapsulation.
Command Modes
Interface configuration
Command History
Usage Guidelines
If the ip mobile router-service tunnel mode gre command is configured, the mobile router will request GRE encapsulation in the registration request only if the foreign agent (FA) advertises that it is capable of GRE encapsulation (the G bit is set in the advertisement). If the registration request is successful, packets will be tunneled using GRE.
If the ip mobile router-service tunnel mode gre command is enabled and collocated care-of address (CCoA) is configured, the mobile router will attempt to register with the home agent (HA) using GRE encapsulation. If the registration request is successful, packets will be tunneled using GRE.
If the mobile router receives a denied registration reply with error code 72 (foreign agent required encapsulation unavailable) or error code 139 (home agent unsupported encapsulation), the mobile router will send another registration request with the G bit unset and IP-in-IP encapsulation will be used.
The no ip mobile router-service tunnel mode command instructs the mobile router to revert to the default encapsulation mode and register with IP-in-IP encapsulation.
Note
Once GRE encapsulation is enabled, GRE keepalives can be configured on an interface using the keepalive command. GRE keepalives check for a failure in the end-to-end tunnel at a configurable interval. If the connection to the HA is lost, the mobile router will attempt to reregister. GRE keepalives must be configured on the mobile router only—no configuration is required on the HA.
Note
Examples
The following example configures GRE encapsulation and GRE keepalive messages on an interface of a mobile router:
interface FastEthernet0/0ip address 10.52.52.2 255.255.255.0ip mobile router-service roamip mobile router-service tunnel mode gre!interface tunnel 121keepalive 5 3!ip mobile routertemplate tunnel 121Related Commands
ip mobile secure aaa-download
To specify that authentication, authorization, and accounting (AAA) mobility security associations (SAs) are downloaded from the AAA server and the rate at which the information is downloaded, use the ip mobile secure aaa-download command in global configuration mode. To delete the AAA download rate, use the no form of this command.
ip mobile secure aaa-download rate seconds
no ip mobile secure aaa-download rate seconds
Syntax Description
rate
Rate at which the AAA SA is downloaded.
•
Defaults
No AAA SAs are downloaded.
Command Modes
Global configuration
Command History
Usage Guidelines
SAs are downloaded from a AAA server on the first use. This command allows the home agent (HA) to prepopulate an SA table.
Examples
The following example shows a download rate of 35 seconds:
ip mobile secure aaa-download rate 35Related Commands
ip mobile secure foreign-agent
To specify the mobility security associations (SAs) for a foreign agent (FA), use the ip mobile secure foreign-agent command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure foreign-agent lower-address [upper-address] {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
no ip mobile secure foreign-agent lower-address [upper-address] {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
Syntax Description
Defaults
No SA is specified for FAs.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
12.2(13)T
The hmac-md5 keyword was added.
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
On a FA, the SA of the visiting mobile host and the SA of the home agent (HA) are optional. Multiple SAs for each entity can be configured.
The SA of a visiting mobile host on the MFAE and the SA of the HA on the FHAE are optional on the FA as long as they are not specified on the other entity. Multiple SAs for each entity can be configured.
Note
Examples
The following example shows the configuration of an FA with an IP address of 209.165.200/254:
ip mobile secure foreign-agent 209.165.200/254 inbound-spi 203 outbound-spi 150 key hex ffffffffRelated Commands
ip mobile secure home-agent
To specify the mobility security associations (SAs) for a home agent (HA), use the ip mobile secure home-agent command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure home-agent lower-address [upper-address] {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
no ip mobile secure home-agent lower-address [upper-address[ {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
Syntax Description
Defaults
No SA is specified for HAs.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
12.2(13)T
The hmac-md5 keyword was added.
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The HA may have multiple SAs for each peer. The SPI specifies which SA to use for the peer and selects the specific security parameters to be used to authenticate the peer.
On an HA, the SA of the mobile host is mandatory for mobile host authentication and allows the HA to compute the MHAE for mobile host authentication. If desired, configure a foreign agent (FA) SA on your HA.
The mobile IP protocol automatically synchronizes the time stamp used by the mobile node (MN) in its registration requests. If the MN registration request time stamp is outside the HA permitted replay protection time interval, the HA will respond with the number of seconds by which the MN time stamp is off relative to the HA clock. This allows the MN to adjust its time stamp and use synchronized time stamps in subsequent registration attempts.
If you prefer that the MN first registration attempt always fall within the HA replay protection time interval, use Network Time Protocol (NTP) to synchronize the MN and HA.
Note
Examples
The following example shows the configuration of an SA for an HA with an IP address of 10.0.0.4:
ip mobile secure home-agent 10.0.0.4 spi 100 key hex ffffffffRelated Commands
ip mobile secure host
To specify the mobility security associations (SAs) for a mobile host, use the ip mobile secure host command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure host {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}] [skip-aaa-reauthentication]
no ip mobile secure host {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}] [skip-aaa-reauthentication]
Syntax Description
Defaults
No SA is specified for mobile hosts.
Command Modes
Global configuration
Command History
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The SA of a visiting mobile host on the MFAE and the SA of the home agent (HA) on the FHAE are optional as long as they are not specified on the other entity. Multiple SAs for each entity can be configured.
The HMAC-MD5 authentication algorithm is mandatory for MHAE, MFAE, and FHAE.
Note
Examples
The following example shows the configuration of a host:
ip mobile secure host 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile secure mn-aaa
To specify non-standard security parameter index (SPI) values in the MN-AAA authentication extension that need to be accepted by the home agent or the foreign agent, use the ip mobile secure mn-aaa command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile secure mn-aaa spi {hex-value | decimal decimal-value} algorithm md5 mode ppp-chap-style
no ip mobile secure mn-aaa spi {hex-value | decimal decimal-value} algorithm md5 mode ppp-chap-style
Syntax Description
Defaults
The home agent or foreign agent only accept the standard SPI value in the MN-AAA authentication extension that specifes CHAP-style authentication using MD5. The standard value for the SPI is 2.
Command Modes
Global configuration
Command History
Usage Guidelines
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode.
A mobile node configured to be authenticated via an MN-AAA authentication extension is required to use an SPI value of 2 to indicate CHAP-style authentication using MD5 as specified by RFC 3012, Mobile IPv4 Challenge/Response Extensions.
Some network implementations need the flexibility to allow an SPI value other than 2 even though the mobile node is authenticated using CHAP. The ip mobile secure mn-aaa command maps new SPI values in the MN-AAA extension of the registration message to the SPI value pre-defined by RFC 3012. When a registration request arrives at the foreign agent or home agent with the MN-AAA extension containing an SPI value specified by the ip mobile secure mn-aaa command, the foreign agent or home agent will process it as if the value was 2 instead of rejecting the request.
Use this command with caution because it is non-standard behavior. For example, different vendors might use the same non-standard SPI to denote different authentication methods and this could affect interoperability. In general, Cisco recommends the use of standard SPI values to be used in the MN-AAA authentication extension by the mobile node.
Examples
In the following example, the foreign agent or home agent will process the registration request even though the CHAP SPI value is not 2:
ip mobile secure mn-aaa spi 1234 algorithm md5 mode ppp-chap-styleip mobile secure proxy-host
To specify the mobility security associations (SAs) for a proxy host, use the ip mobile secure proxy-host command in global configuration mode. To remove the mobility SAs, use the no form of this command.
ip mobile secure proxy-host {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
no ip mobile secure proxy-host {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
Syntax Description
Defaults
No SA is specified for proxy hosts.
Command Modes
Global configuration
Command History
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The HMAC-MD5 authentication algorithm is mandatory for MHAE, MFAE, and FHAE.
Note
Note
Examples
The following example shows the configuration of a proxy host:
ip mobile secure proxy-host 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile secure visitor
To specify the mobility security associations (SAs) for a visitor, use the ip mobile secure visitor command in global configuration mode. To remove the mobility security associations, use the no form of this command.
ip mobile secure visitor {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
no ip mobile secure visitor {lower-address [upper-address] | nai nai-string} {inbound-spi spi-in outbound-spi spi-out | spi {hex-value | decimal decimal-value}} key {ascii string | hex string} [replay timestamp seconds] [algorithm {md5 mode prefix-suffix | hmac-md5}]
Syntax Description
Defaults
No SA is specified for visitors.
Command Modes
Global configuration
Command History
Usage Guidelines
The SA consists of an entity address, SPI, key, replay protection method, authentication algorithm, and authentication algorithm mode (prefix-suffix).
The SA of a visiting mobile host on the MFAE and the SA of the home agent (HA) on the FHAE are optional as long as they are not specified on the other entity. Multiple SAs for each entity can be configured.
The mobile IP protocol automatically synchronizes the time stamp used by the MN in its registration requests. If the MN registration request time stamp is outside the visitor permitted replay protection time interval, the visitor will respond with the number of secondsby which the MN time stamp is off relative to the visitor clock. This allows the MN to adjust its time stamp and use synchronized time stamps in subsequent registration attempts.
If you prefer that the MN first registration attempt always fall within the visitor replay protection time interval, use Network Time Protocol (NTP) to synchronize the MN and visitor.
The HMAC-MD5 authentication algorithm is mandatory for MHAE, MFAE, and FHAE.
Note
Examples
The following example shows the configuration of a visitor:
ip mobile secure visitor 10.0.0.4 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel command in global configuration mode. To disable the setting of tunnels created by Mobile IP, use the no form of this command.
ip mobile tunnel {crypto map map-name | route-cache [cef] | path-mtu-discovery [age-timer {minutes | infinite}] | nat {inside | outside} | route-map map-tag}
no ip mobile tunnel {crypto map map-name | route-cache [cef] | path-mtu-discovery [age-timer {minutes | infinite}] | nat {inside | outside} | route-map map-tag}
Syntax DescriptionI
Defaults
Disabled.
If enabled, default value for the minutes argument is 10 minutes.
Command Modes
Global configuration
Command History
Usage Guidelines
Path MTU Discovery is used by end stations to find a packet size that does not need to be fragmented when being sent between the end stations. Tunnels must adjust their MTU to the smallest MTU interior to achieve this condition, as described in RFC 2003.
The discovered tunnel MTU should be aged out periodically to possibly recover from a case where suboptimum MTU existed at time of discovery. It is reset to the outgoing MTU of the interface.
The no ip mobile tunnel route-cache command disables fast switching and CEF switching (if CEF is enabled) on Mobile IP tunnels. The no ip mobile tunnel route-cache cef command disables CEF switching only.
CEF switching is currently not supported on a foreign agent when reverse tunneling is enabled. If reverse tunneling is enabled at the foreign agent, disable CEF on the foreign agent using the no ip cef global configuration command. If the foreign agent does not support reverse tunneling, there is no need to disable CEF at the global configuration level.
The crypto map map-name keyword and argument combination are available only on platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
Examples
The following example sets the discovered tunnel MTU to expire in 10 minutes (600 seconds):
ip mobile tunnel path-mtu-discovery age-timer 600Related Commands
ip cef
Enables CEF on the RP card.
show ip mobile tunnel
Displays active tunnels.
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network command in global configuration mode. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address address]
no ip mobile virtual-network net mask [address address]
Syntax Description
Defaults
No home agent addresses are specified.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.0(2)T
The address keyword and address argument were added.
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the home agent IP address is configured on the loopback interface for that virtual network:
interface ethernet 0ip address 1.0.0.1 255.0.0.0standby ip 1.0.0.10standby name SanJoseHAinterface loopback 0ip address 20.0.0.1 255.255.255.255ip mobile home-agentip mobile virtual-network 20.0.0.0 255.255.0.0 address 20.0.0.1ip mobile home-agent standby SanJoseHA virtual-networkip mobile secure home-agent 1.0.0.2 spi 100 hex 00112233445566778899001122334455Related Commands
ip mobile host
Configures the mobile host or mobile node group.
redistribute mobile
Redistributes routes from one routing domain into another routing domain.
ip mobile vpn-realm
To define the virtual private network (VPN) realms to be used in home agent policy routing, use the ip mobile vpn-realm command in global configuration mode. To remove the VPN realms, use the no form of this command.
ip mobile vpn-realm realm-name {route-map-sequence sequence-number}
no ip mobile vpn-realm realm-name {route-map-sequence sequence-number}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
The sequence-number argument must match that configured in the route-map sequence-number command.
Examples
The following example shows two realms configured on the router:
ip mobile vpn-realm company1.com route-map-sequence 20ip mobile vpn-realm company2.com route-map-sequence 10Related Commands
