Table Of Contents
Cisco Mobile Wireless Home Agent Command Reference for IOS Release 12.4(15)XM2
ip mobile cdma ha-chap send attribute
ip mobile home-agent accounting
ip mobile home-agent debug include username
ip mobile home-agent dfp-max-weight
ip mobile home-agent dynamic-address
ip mobile home-agent host-config url
ip mobile home-agent max-binding
ip mobile home-agent redundancy
ip mobile home-agent redundancy periodic-sync
ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
ip mobile home-agent revocation
ip mobile home-agent revocation ignore
ip mobile home-agent service-policy
ip mobile home-agent template tunnel
radius-server attribute 32 include-in-access-req
radius-server attribute 55 access-request include
radius-server vsa send accounting wimax
radius-server vsa send authentication wimax
show ip mobile binding vrf realm
snmp-server enable traps ipmobile
standby track decrement priority
track id application home-agent
Cisco Mobile Wireless Home Agent Command Reference for IOS Release 12.4(15)XM2
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.4 command reference publications.
•
clear ip mobile host-counters
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
aaa accounting
To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [broadcast] group groupname
Syntax Description
auth-proxy
Provides information about all authenticated-proxy user events.
system
Performs accounting for all system-level events not associated with users, such as reloads.
network
Runs accounting for all network-related service requests, including SLIP1 , PPP2 , PPP NCPs3 , and ARAP4 .
exec
Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.
connection
Provides information about all outbound connections made from the network access server, such as Telnet, LAT5 , TN3270, PAD6 , and rlogin.
commands level
Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
default
Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
list-name
Character string used to name the list of at least one of the accounting methods described in Table 3.
start-stop
Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
stop-only
Sends a "stop" accounting notice at the end of the requested user process.
none
Disables accounting services on this line or interface.
broadcast
(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.
group groupname
At least one of the keywords described in Table 2.
1 SLIP = Serial Line Internet Protocol
2 PPP = Point-to-Point Protocol
3 PPP NCPs = Point-to-Point Protocol Network Control Protocols
4 ARAP = AppleTalk Remote Access Protocol
5 LAT = local-area transport
6 PAD = packet assembler/disassembler
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Table 2 contains descriptions of accounting method keywords.
In Table 1, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS software supports the following two methods of accounting:
•
•
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.
If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 3.
Note
For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.
Note
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only group tacacs+The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a stop-only restriction. The aaa accounting command activates authentication proxy accounting.
aaa new-modelaaa authentication login default group tacacs+aaa authorization auth-proxy default group tacacs+aaa accounting auth-proxy default start-stop group tacacs+Related Commands
aaa accounting update
To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.
aaa accounting update [newinfo] [periodic number]
no aaa accounting update
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
When aaa accounting update is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.
When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure aaa accounting update newinfo periodic number, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.
Caution
Examples
The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30 minute intervals.
aaa accounting network default start-stop group radiusaaa accounting update newinfo periodic 30Related Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile global configuration command. Use the no form of this command to remove authorization.
aaa authorization ipmobile {tacacs+ | radius}
no aaa authorization ipmobile {tacacs+ | radius}
Syntax Description
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on an AAA server. This command is not need for the former; but in the latter case, this command authorizes Mobile IP to retrieve the security associations from the AAA server.
Note
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-modelaaa authorization ipmobile tacacs+tacacs-server host 1.2.3.4tacacs-server key mykeyip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaRelated Commands
aaa pod server
To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server global configuration command. To disable this feature, use the no form of this command.
aaa pod server [port port-number] [auth-type {any | all | session-key}] server-key string
no aaa pod server
Syntax Description
Defaults
The POD server function is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
•
•
•
•
Examples
The following example enables POD and sets the secret key to "ab9123."
router (config)# aaa pod server server-key ab9123access list
To configure the access list mechanism for filtering frames by protocol type or vendor code, use the access-list global configuration command. Use the no form of this command to remove the single specified entry from the access list.
access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
no access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
Syntax Description
Defaults
No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list..
Command Modes
Global configuration
Command History
Usage Guidelines
Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).
When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.
To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (CET global configuration) and crypto map (CET interface configuration) commands.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.
Note
Caution
Note
Examples
The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.
access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding EXEC command.
clear ip mobile binding {all [load standby-group-name] | ip-address | nai string ip_address | vrf realm realm} [synch]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The Home Agent creates a mobility binding for each roaming mobile node. The mobility binding allows the mobile node to exchange packets with the correspondent node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. There should be no need to clear the binding because it expires after lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
When the synch option is specified, bindings that are administratively cleared on the active HA are synched to the standby HA, and the bindings will be deleted on the standby HA. When the redundancy mode is active-standby, the synch option will not take effect if the clear command is issued on the standby HA.
Note
Examples
The following example administratively stops mobile node 10.0.0.1 from roaming:
Router# clear ip mobile binding 10.0.0.1Router# show ip mobile bindingMobility Binding List:Total 110.0.0.1:Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowedRouting Options - (G)GRERelated Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile station, use the clear ip mobile host-counters EXEC command.
clear ip mobile host-counters [[ip-address | nai string ip_address] undo]]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
12.4(15)XM
Added support to clear HA policing statistics.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this is useful for debugging).
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile host20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Router# clear ip mobile host-countersRouter# show ip mobile host-counters20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Related Commands
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure EXEC command.
clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
You can use the clear ip mobile secure all command clears all the keys MN, FA and HA-RK, generated and downloaded from AAA.
Examples
In the following example, the AAA server has the security association for user 10.0.0.1 after registration:
Router# show ip mobile secure host 10.0.0.1Security Associations (algorithm,mode,replay protection,key):10.0.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8The security association of the AAA server changes as follows:
Router# clear ip mobile secure host 10.0.0.1 loadRouter# show ip mobile secure host 10.0.0.110.0.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `newkey' 1230552d39b7c1751f86bae5205ec0c8Related Commands
ip mobile secure
Specifies the mobility security associations for mobile host, visitor, Home Agent, and Foreign Agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic Privileged EXEC command.
clear ip mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (this is useful for debugging.) See the show ip mobile traffic command for a list and description of all counters.
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 8, Deregister 0 requestsRegister 7, Deregister 0 repliedAccepted 6, No simultaneous bindings 0Denied 1, Ignored 1Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 1, Bad request form 0..Router# clear ip mobile trafficRouter# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Related Commands
crypto map (global IPSec)
To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command.
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]
no crypto map map-name [seq-num]
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.
Examples
The following example creates a crypto map entry and indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic:
Router# crypto map map-name seq-num ipsec-manualdebug aaa accounting
To display information on accountable events as they occur, use the debug aaa accounting command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa accounting
no debug aaa accounting
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues.
You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well.
Examples
The following is sample output from the debug aaa accounting command:
Router# debug aaa accounting16:49:21: AAA/ACCT: EXEC acct start, line 1016:49:32: AAA/ACCT: Connect start, line 10, glare16:49:47: AAA/ACCT: Connection acct stop:task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14debug aaa authentication
To display information on authentication, authorization, and accounting (AAA) TACACS+ authentication, use the debug aaa authentication command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa authentication
no debug aaa authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Use this command to learn the methods of authentication being used and the results of these methods.
Examples
The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently.
Router# debug aaa authentication6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=16:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN6:50:12: AAA/AUTHEN/START (0): using "default" list6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+6:50:12: TAC+ (50996740): received authen response status = GETUSER6:50:12: AAA/AUTHEN (50996740): status = GETUSER6:50:15: AAA/AUTHEN/CONT (50996740): continue_login6:50:15: AAA/AUTHEN (50996740): status = GETUSER6:50:15: AAA/AUTHEN (50996740): Method=TACACS+6:50:15: TAC+: send AUTHEN/CONT packet6:50:15: TAC+ (50996740): received authen response status = GETPASS6:50:15: AAA/AUTHEN (50996740): status = GETPASS6:50:20: AAA/AUTHEN/CONT (50996740): continue_login6:50:20: AAA/AUTHEN (50996740): status = GETPASS6:50:20: AAA/AUTHEN (50996740): Method=TACACS+6:50:20: TAC+: send AUTHEN/CONT packet6:50:20: TAC+ (50996740): received authen response status = PASS6:50:20: AAA/AUTHEN (50996740): status = PASSdebug aaa pod
To display debug information for Radius Disconnect message processing at AAA subsystem level , use the debug aaa pod command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa pod
no debug aaa pod
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug aaa pod command:
Router#sh debuggingGeneral OS:AAA POD packet processing debugging is onThe scenario is a POD request is received from RADIUS 17.17.17.18 with the set of attributes displayed below and after processing PDSN sends back an ACK
Router#03:30:05: POD: 17.17.17.18 request queued03:30:05: ++++++ POD Attribute List ++++++03:30:05: 63ECE94C 0 00000009 username(336) 12 sri-sip-user03:30:05: 65FCEB50 0 00000009 clid(27) 11 0000000000103:30:05: 65FCEB64 0 00000021 cdma-disconnect-reason(420) 4 1(1)03:30:05: 65FCEB78 0 00000029 cdma-correlation-id(374) 8 0000000203:30:05:03:30:05: POD: Sending ACK from port 1700 to 17.17.17.18/1700debug condition
To limit output for some debug commands based on specified conditions, use the debug condition command in privileged EXEC mode. To remove the specified condition, use the no form of this command.
debug condition {username username | called dial-string | caller dial-string | vcid vc-id | ip ip-address | calling tid/imsi string]}
no debug condition {condition-id | all}
Syntax Description
Defaults
All debugging messages for enabled protocol-specific debug commands are generated.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug condition command to restrict the debug output for some commands. If any debug condition commands are enabled, output is only generated for interfaces associated with the specified keyword. In addition, this command enables debugging output for conditional debugging events. Messages are displayed as different interfaces meet specific conditions.
If multiple debug condition commands are enabled, output is displayed if at least one condition matches. All the conditions do not need to match.
The no form of this command removes the debug condition specified by the condition identifier. The condition identifier is displayed after you use a debug condition command or in the output of the show debug condition command. If the last condition is removed, debugging output resumes for all interfaces. You will be asked for confirmation before removing the last condition or all conditions.
Not all debugging output is affected by the debug condition command. Some commands generate output whenever they are enabled, regardless of whether they meet any conditions. The commands that are affected by the debug condition commands are generally related to dial access functions, where a large amount of output is expected. Output from the following commands is controlled by the debug condition command:
•
•
•
•
•
Ensure that you enable TID/IMSI-based conditional debugging by entering debug condition calling before configuring debug gprs gtp and debug gprs charging. In addition, ensure that you disable the debug gprs gtp and debug gprs charging commands using the no debug all command before disabling conditional debugging using the no debug condition command. This will prevent a flood of debugging messages when you disable conditional debugging.
Examples
Example 1
In the following example, the router displays debugging messages only for interfaces that use a username of fred. The condition identifier displayed after the command is entered identifies this particular condition.
Router# debug condition username fredCondition 1 setExample 2
The following example specifies that the router should display debugging messages only for VC 1000:
Router# debug condition vcid 1000Condition 1 set01:12:32: 1000 Debug: Condition 1, vcid 1000 triggered, count 101:12:32: 1000 Debug: Condition 1, vcid 1000 triggered, count 1Other debugging commands are enabled, but they will only display debugging for VC 1000.
Router# debug mpls l2transport vc eventAToM vc event debugging is onRouter# debug mpls l2transport vc fsmAToM vc fsm debugging is onThe following commands shut down the interface where VC 1000 is established.
Router(config)# interface s3/1/0Router(config-if)# shutThe debugging output shows the change to the interface where VC 1000 is established.
01:15:59: AToM MGR [13.13.13.13, 1000]: Event local down, state changed from establishedto remote ready01:15:59: AToM MGR [13.13.13.13, 1000]: Local end down, vc is down01:15:59: AToM SMGR [13.13.13.13, 1000]: Processing imposition update, vc_handle 6227BCF0,update_action 0, remote_vc_label 1801:15:59: AToM SMGR [13.13.13.13, 1000]: Imposition Disabled01:15:59: AToM SMGR [13.13.13.13, 1000]: Processing disposition update, vc_handle6227BCF0, update_action 0, local_vc_label 75501:16:01:%LINK-5-CHANGED: Interface Serial3/1/0, changed state to administratively down01:16:02:%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/1/0, changed state todowndebug ip mobile
To display IP mobility activities, use the debug ip mobile command in privileged EXEC mode.
debug ip mobile [advertise | dfp | host [access-list-number] | local-area | redundancy | router | upd-tunneling | vpdn-tunneling]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug ip mobile redundancy command to troubleshoot redundancy problems.
No per-user debugging output is shown for mobile nodes using the network access identifier (NAI) for the debug ip mobile host command. Debugging of specific mobile nodes using an IP address is possible through the access list.
Examples
The following is sample output from the debug ip mobile command when Foreign Agent reverse tunneling is enabled:
MobileIP:MN 14.0.0.30 deleted from ReverseTunnelTable of Ethernet2/1(Entries 0)The following is sample output from the debug ip mobile command:
Router# debug ip mobile ?advertise Mobility Agent advertisementsdfp DFP Agenthost Mobile host activitieslocal-area Local area mobilityredundancy Mobile redundancy activitiesrouter Mobile router activitiesudp-tunneling UDP Tunnelingvpdn-tunneling VPDN TunnelingThe following is sample output from the debug ip mobile advertise command:
debug ip mobile advertiseMobileIP: Agent advertisement sent out Ethernet1/2: type=16, len=10, seq=1, lifetime=36000,flags=0x1400(rbhFmGv-rsv-),Care-of address: 68.0.0.31Prefix Length ext: len=1 (8 )FA Challenge value:769C808DTable 4 Debug IP Mobile Advertise Field Descriptions
The following is sample output from the debug ip mobile udp-tunneling command:
Router# debug ip mobile udp-tunnelingMobileIP: Received UDP Keep-Alive message from tunnel 7.0.0.2:434 - 7.0.0.15:16MobileIP: Sending UDP Keep-Alive message for tunnel 7.0.0.2:434 - 7.0.0.15:16MobileIP: MN 40.0.0.101 - HA rcv BindUpdAck accept from 7.0.0.67 HAA 7.0.0.2MobileIP: UDP Keep-Alive check point time for tunnel 7.0.0.2:434 - 7.0.0.15:16debug ip mobile host
Use the debug ip mobile host EXEC command to display IP mobility events.
debug ip mobile host acl [nai]
no debug ip mobile host [nai]
Syntax Description
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile host command:
Router# debug ip mobile hostMobileIP: HA received registration for MN 20.0.0.6 on interface Ethernet1 using COA68.0.0.31 HA 66.0.0.5 lifetime 30000 options sbdmgvTMobileIP: Authenticated FA 68.0.0.31 using SPI 110 (MN 20.0.0.6)MobileIP: Authenticated MN 20.0.0.6 using SPI 300MobileIP: HA accepts registration from MN 20.0.0.6MobileIP: Mobility binding for MN 20.0.0.6 updatedMobileIP: Roam timer started for MN 20.0.0.6, lifetime 30000MobileIP: MH auth ext added (SPI 300) in reply to MN 20.0.0.6MobileIP: HF auth ext added (SPI 220) in reply to MN 20.0.0.6MobileIP: HA sent reply to MN 20.0.0.6debug ip mobile redundancy
Use the debug ip mobile redundancy EXEC command to display IP mobility events.
debug ip mobile redundancy
no debug ip mobile redundancy
Syntax Description
This command has no keywords or arguments.
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile redundancy command:
Router# debug ip mobile redundancy00:19:21: MobileIP: Adding MN service flags to bindupdate00:19:21: MobileIP: Adding MN service flags 0 init registration flags 100:19:21: MobileIP: Adding a hared version cvse - bindupdate00:19:21: MobileIP: HARelayBindUpdate version number 2MobileIP: MN 40.0.0.20 - sent BindUpd to HA 7.0.0.3 HAA 7.0.0.400:19:21: MobileIP: HA standby maint started - cnt 100:19:21: MobileIP: MN 40.0.0.20 - HA rcv BindUpdAck accept from 7.0.0.3 HAA 7.0.0.400:19:22: MobileIP: HA standby maint started - cnt 1debug ip mobile vpdn-tunnel
To display debugging output for the MIP-LAC feature, use the debug ip mobile vpdn-tunnel command in Privileged EXEC mode. Use the no form of the command to disable the feature.
debug ip mobile vpdn-tunnel [events | detail]
no debug ip mobile vpdn-tunnel [events | detail]
Syntax Description
Defaults
There are no default values.
Command Modes
Privileged EXEC
Command History
Examples
The following example displays debugging output for the debug ip mobile vpdn-tunnel detail command:
Router# debug ip mobile vpdn-tunnel detaildebug radius
To display information associated with RADIUS, use the debug radius command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug radius [accounting | authentication | brief | elog | failover | retransmit | verbose ]
no debug radius [accounting | authentication | brief | elog | failover | retransmit | verbose ]
Syntax Description
Defaults
Debugging output in ASCII format is enabled.
Command Modes
Privileged EXEC
Command History
11.2(1)T
This command was introduced.
12.2(11)T
The brief and hex keywords were added. The default output format became ASCII rather than hexadecimal.
Usage Guidelines
RADIUS is a distributed security system that secures networks against unauthorized access. Cisco supports RADIUS under the authentication, authorization, and accounting (AAA) security system. When RADIUS is used on the router, you can use the debug radius command to display detailed debugging and troubleshooting information in ASCII format. Use the debug radius brief command for abbreviated output displaying client/server interaction and minimum packet information. Use the debug radius hex command to display packet dump information that has not been truncated in hex format.
Examples
The following is sample output from the debug radius command:
Router# debug radiusRadius protocol debugging is onRadius packet hex dump debugging is offRouter#00:02:50: RADIUS: ustruct sharecount=300:02:50: Radius: radius_port_info() success=0 radius_nas_port=100:02:50: RADIUS: Initial Transmit ISDN 0:D:23 id 0 10.0.0.1:1824, Accounting-Request, len 35800:02:50: RADIUS: NAS-IP-Address [4] 6 10.0.0.000:02:50: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:2300:02:50: RADIUS: NAS-Port-Type [61] 6 Async00:02:50: RADIUS: User-Name [1] 12 "4085554206"00:02:50: RADIUS: Called-Station-Id [30] 7 "52981"00:02:50: RADIUS: Calling-Station-Id [31] 12 "4085554206"00:02:50: RADIUS: Acct-Status-Type [40] 6 Start00:02:50: RADIUS: Service-Type [6] 6 Login00:02:50: RADIUS: Vendor, Cisco [26] 27 VT=33 TL=21 h323-gw-id=5300_43.00:02:50: RADIUS: Vendor, Cisco [26] 55 VT=01 TL=49 h323-incoming-conf-id=8F3A3163 B4980003 0 29BD000:02:50: RADIUS: Vendor, Cisco [26] 31 VT=26 TL=25 h323-call-origin=answer00:02:50: RADIUS: Vendor, Cisco [26] 32 VT=27 TL=26 h323-call-type=Telephony00:02:50: RADIUS: Vendor, Cisco [26] 57 VT=25 TL=51 h323-setup-time=*16:02:48.681 PST Fri Dec 31 199900:02:50: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD000:02:50: RADIUS: Acct-Session-Id [44] 10 "00000002"00:02:50: RADIUS: Delay-Time [41] 6 000:02:51: RADIUS: Received from id 0 1.7.157.1:1824, Accounting-response, len 2000:02:51: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 408527420600:03:01: RADIUS: ustruct sharecount=300:03:01: Radius: radius_port_info() success=0 radius_nas_port=100:03:01: RADIUS: Initial Transmit ISDN 0:D:23 id 1 1.7.157.1:1823, Access-Request, len 17100:03:01: RADIUS: NAS-IP-Address [4] 6 10.0.0.000:03:01: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:2300:03:01: RADIUS: NAS-Port-Type [61] 6 Async00:03:01: RADIUS: User-Name [1] 8 "123456"00:03:01: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD000:03:01: RADIUS: Calling-Station-Id [31] 12 "4085554206"00:03:01: RADIUS: User-Password [2] 18 *00:03:01: RADIUS: Vendor, Cisco [26] 36 VT=01 TL=30 h323-ivr-out=transactionID:000:03:01: RADIUS: Received from id 1 1.7.157.1:1823, Access-Accept, len 11500:03:01: RADIUS: Service-Type [6] 6 Login00:03:01: RADIUS: Vendor, Cisco [26] 29 VT=101 TL=23 h323-credit-amount=4500:03:01: RADIUS: Vendor, Cisco [26] 27 VT=102 TL=21 h323-credit-time=3300:03:01: RADIUS: Vendor, Cisco [26] 26 VT=103 TL=20 h323-return-code=000:03:01: RADIUS: Class [25] 7 6C6F63616C00:03:01: RADIUS: saved authorization data for user 62321E14 at 6233D25800:03:13: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085274206, call lasted 22 seconds00:03:13: RADIUS: ustruct sharecount=200:03:13: Radius: radius_port_info() success=0 radius_nas_port=100:03:13: RADIUS: Sent class "local" at 6233D2C4 from user 62321E1400:03:13: RADIUS: Initial Transmit ISDN 0:D:23 id 2 1.7.157.1:1824, Accounting-Request, len 77500:03:13: RADIUS: NAS-IP-Address [4] 6 10.0.0.000:03:13: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:2300:03:13: RADIUS: NAS-Port-Type [61] 6 Async00:03:13: RADIUS: User-Name [1] 8 "123456"00:03:13: RADIUS: Called-Station-Id [30] 7 "52981"00:03:13: RADIUS: Calling-Station-Id [31] 12 "4085274206"00:03:13: RADIUS: Acct-Status-Type [40] 6 Stop00:03:13: RADIUS: Class [25] 7 6C6F63616C00:03:13: RADIUS: Undebuggable [45] 6 0000000100:03:13: RADIUS: Service-Type [6] 6 Login00:03:13: RADIUS: Vendor, Cisco [26] 27 VT=33 TL=21 h323-gw-id=5300_43.00:03:13: RADIUS: Vendor, Cisco [26] 55 VT=01 TL=49 h323-incoming-conf-id=8F3A3163 B4980003 0 29BD000:03:13: RADIUS: Vendor, Cisco [26] 31 VT=26 TL=25 h323-call-origin=answer00:03:13: RADIUS: Vendor, Cisco [26] 32 VT=27 TL=26 h323-call-type=Telephony00:03:13: RADIUS: Vendor, Cisco [26] 57 VT=25 TL=51 h323-setup-time=*16:02:48.681 PST Fri Dec 31 199900:03:13: RADIUS: Vendor, Cisco [26] 59 VT=28 TL=53 h323-connect-time=*16:02:48.946 PST Fri Dec 31 199900:03:13: RADIUS: Vendor, Cisco [26] 62 VT=29 TL=56in=000:03:13: RADIUS: Vendor, Cisco [26] 23 VT=01 TL=17 pre-bytes-out=000:03:13: RADIUS: Vendor, Cisco [26] 21 VT=01 TL=15 pre-paks-in=000:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 pre-paks-out=000:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 nas-rx-speed=000:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 nas-tx-speed=000:03:13: RADIUS: Delay-Time [41] 6 000:03:13: RADIUS: Received from id 2 1.7.157.1:1824, Accounting-response, len 20h323-disconnect-time=*16:03:11.306 PST Fri Dec 31 199900:03:13: RADIUS: Vendor, Cisco [26] 32 VT=30 TL=26 h323-disconnect-cause=1000:03:13: RADIUS: Vendor, Cisco [26] 28 VT=31 TL=22 h323-voice-quality=000:03:13: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD000:03:13: RADIUS: Acct-Session-Id [44] 10 "00000002"00:03:13: RADIUS: Acct-Input-Octets [42] 6 000:03:13: RADIUS: Acct-Output-Octets [43] 6 8800000:03:13: RADIUS: Acct-Input-Packets [47] 6 000:03:13: RADIUS: Acct-Output-Packets [48] 6 55000:03:13: RADIUS: Acct-Session-Time [46] 6 2200:03:13: RADIUS: Vendor, Cisco [26] 30 VT=01 TL=24 subscriber=RegularLine00:03:13: RADIUS: Vendor, Cisco [26] 35 VT=01 TL=29 h323-ivr-out=Tariff:Unknown00:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 pre-bytes-The following is sample output from the debug radius brief command:
Router# debug radius briefRadius protocol debugging is onRadius packet hex dump debugging is offRadius protocol in brief format debugging is on00:05:21: RADIUS: Initial Transmit ISDN 0:D:23 id 6 10.0.0.1:1824, Accounting-Request, len 35800:05:21: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 408527420600:05:26: RADIUS: Retransmit id 600:05:31: RADIUS: Tried all servers.00:05:31: RADIUS: No valid server found. Trying any viable server00:05:31: RADIUS: Tried all servers.00:05:31: RADIUS: No response for id 700:05:31: RADIUS: Initial Transmit ISDN 0:D:23 id 8 10.0.0.0:1823, Access-Request, len 17100:05:36: RADIUS: Retransmit id 800:05:36: RADIUS: Received from id 8 1.7.157.1:1823, Access-Accept, len 11500:05:47: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085274206, call lasted 26 seconds00:05:47: RADIUS: Initial Transmit ISDN 0:D:23 id 9 10.0.0.1:1824, Accounting-Request, len 77500:05:47: RADIUS: Received from id 9 1.7.157.1:1824, Accounting-response, len 20debug tacacs
To display information associated with TACACS, use the debug tacacs command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs [accounting | authentication | authorization | events | packet]
no debug tacacs [accounting | authentication | authorization | events | packet]
Syntax Description
Command Modes
Privileged EXEC
Usage Guidelines
TACACS is a distributed security system that secures networks against unauthorized access. Cisco supports TACACS under the authentication, authorization, and accounting (AAA) security system.
Use the debug aaa authentication command to get a high-level view of login activity. When TACACS is used on the router, you can use the debug tacacs command for more detailed debugging information.
Examples
The following is sample output from the debug aaa authentication command for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.
Router# debug aaa authentication14:01:17: AAA/AUTHEN (567936829): Method=TACACS+14:01:17: TAC+: send AUTHEN/CONT packet14:01:17: TAC+ (567936829): received authen response status = PASS14:01:17: AAA/AUTHEN (567936829): status = PASSThe following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:
Router# debug tacacs14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.7914:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.1514:00:09: TAC+ (383258052): received authen response status = GETUSER14:00:10: TAC+: send AUTHEN/CONT packet14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.1514:00:10: TAC+ (383258052): received authen response status = GETPASS14:00:14: TAC+: send AUTHEN/CONT packet14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.1514:00:14: TAC+ (383258052): received authen response status = PASS14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15The following is sample output from the debug tacacs command for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL:
Router# debug tacacs13:53:35: TAC+: Opening TCP/IP connection to 192.168.60.15 using source192.48.0.7913:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.60.15(AUTHEN/START)13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.1513:53:35: TAC+ (416942312): received authen response status = GETUSER13:53:37: TAC+: send AUTHEN/CONT packet13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.60.15(AUTHEN/CONT)13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.1513:53:37: TAC+ (416942312): received authen response status = GETPASS13:53:38: TAC+: send AUTHEN/CONT packet13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.60.15(AUTHEN/CONT)13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.1513:53:38: TAC+ (416942312): received authen response status = FAIL13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15firewall ip access-group
To specify that the IP firewall is profile-based, use the firewall ip access-group command in hotline-rules subcommand configuration mode. Use the no form to disable this feature.
firewall ip access-group {acl-no | word} {in | out}
no firewall ip access-group {acl-no | word} {in | out}
Syntax Description
Defaults
There are no default values.
Command Modes
hotline-rules subcommand mode.
Command History
Usage Guidelines
Examples
The following example illustrates the firewall ip access-group command:
router (hotline-rules) # firewall ip access-group 199ip local pool
To configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface, to generate traps when pool utilization reaches a high or low threshold in percentage, use the ip local pool command in global configuration mode. To remove a range of addresses from a pool (the longer of the no forms of this command), or to delete an address pool (the shorter of the no forms of this command), use one of the no forms of this command.
ip local pool {default | poolname} [low-ip-address [high-ip-address]] [group group-name] [cache-size size] [priority 0-255] [theshold low-threshold high-threshold]
no ip local pool poolname low-ip-address [high-ip-address]
no ip local pool {default | poolname}
Syntax Description
Defaults
No address pools are configured. Any pool created without the optional group keyword is a member of the base system group.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip local pool command to create one or more local address pools from which IP addresses are assigned when a peer connects. You may also add another range of IP addresses to an existing pool. To use a named IP address pool on an interface, use the peer default ip address pool interface configuration command. A pool name can also be assigned to a specific user using authentication, authorization, and accounting (AAA) RADIUS and TACACS functions.
If no named local IP address pool is created, a default address pool is used on all point-to-point interfaces after the ip address-pool local global configuration command is issued. If no explicit IP address pool is assigned, but pool use is requested by use of the ip address-pool local command, the special pool named "default" is used.
The optional group keyword and associated group name allows the association of an IP address pool with a named group. Any IP address pool created without the group keyword automatically becomes a member of a base system group.
An IP address pool name can be associated with only one group. Subsequent use of the same pool name, within a pool group, is treated as an extension of that pool, and any attempt to associate an existing local IP address pool name with a different pool group is rejected. Therefore, each use of a pool name is an implicit selection of the associated pool group.
Note
All IP address pools within a pool group are checked to prevent overlapping addresses; however, no checks are made between any group pool member and a pool not in a group. The specification of a named pool within a pool group allows the existence of overlapping IP addresses with pools in other groups, and with pools in the base system group, but not among pools within a group. Otherwise, processing of the IP address pools is not altered by their membership in a group. In particular, these pool names can be specified in peer commands and returned in RADIUS and AAA functions with no special processing.
IP address pools can be associated with Virtual Private Networks (VPNs). This association permits flexible IP address pool specifications that are compatible with a VPN and a VPN routing and forwarding instance (VRF).
The IP address pools can also be used with the translate commands for one-step vty-async connections and in certain AAA or TACACS+ authorization functions. Refer to the chapter "Configuring Protocol Translation and Virtual Asynchronous Devices" in the Cisco IOS Terminal Services Configuration Guide and the "System Management" part of the Cisco IOS Configuration Fundamentals Configuration Guide for more information.
Low and High Thresholds
Cisco Mobile Wireless Home Agent Release 3.1 enhanced the CISCO-IP-LOCAL-POOL-MIB to generate traps when pool utilization reached a low threshold or high threshold in percentage. Objects "cIpLocalPoolPercentAddrThldLo" and "cIpLocalPoolPercentAddrThldHi" are defined for the high and low threshold watermark, respectively.
When the percentage of used addresses in an IP local pool equals or exceeds the high threshold, a "cilpPercentAddrUsedHiNotif" notification is generated. Once the notification is generated, it is disarmed and will not be generated again until the number of used addresses falls below the value indicated by "cIpLocalPoolPercentAddrThldLo".
When the percentage of used addresses in an IP local pool falls below the low threshold, a "cilpPercentAddrUsedLoNotif" notification will be generated. Once the notification is generated, it is disarmed and will not be generated again until the number of used addresses equals or exceeds the value indicated by "cIpLocalPoolPercentAddrThldHi".
IP address pools are displayed with the show ip local pool EXEC command.
Examples
The following example creates a pool of local IP addresses named "XYZPool," which contain all IP addresses in the range 100.1.1.1 to 100.1.1.10. The group is named "MWG", and the command specifies a cache size of 50, and a low and high threshold of 50 and 90:
Router(config)# ip local pool XYZPool 100.1.1.1 100.1.1.10 group MWG cache-size 50 threshold 50 90The following example creates a group of local IP address pools named "pool2," which contains all IP addresses in the range 172.16.23.0 to 172.16.23.255:
ip local pool pool2 172.16.23.0 172.16.23.255The following example configures a pool of 1024 IP addresses:
no ip local pool defaultip local pool default 10.1.1.0 10.1.4.255
Note
The following example configures multiple ranges of IP addresses into one pool:
ip local pool default 10.1.1.0 10.1.9.255ip local pool default 10.2.1.0 10.2.9.255The following examples show how to configure two pool groups and IP address pools in the base system group:
ip local pool p1_g1 10.1.1.1 10.1.1.50 group grp1ip local pool p2_g1 10.1.1.100 10.1.1.110 group grp1ip local pool p1_g2 10.1.1.1 10.1.1.40 group grp2ip local pool lp1 10.1.1.1 10.1.1.10ip local pool p3_g1 10.1.2.1 10.1.2.30 group grp1ip local pool p2_g2 10.1.1.50 10.1.1.70 group grp2ip local pool lp2 10.1.2.1 10.1.2.10
In the example:
•
•
•
Note that IP address 10.1.1.1 overlaps groups grp1, grp2, and the base system group. Also note that there is no overlap within any group including the base system group, which is unnamed.
The following examples show configurations of IP address pools and groups for use by a VPN and VRF:
ip local pool p1_vpn1 10.1.1.1 10.1.1.50 group vpn1ip local pool p2_vpn1 10.1.1.100 10.1.1.110 group vpn1ip local pool p1_vpn2 10.1.1.1 10.1.1.40 group vpn2ip local pool lp1 10.1.1.1 10.1.1.10ip local pool p3_vpn1 10.1.2.1 10.1.2.30 group vpn1ip local pool p2_vpn2 10.1.1.50 10.1.1.70 group vpn2ip local pool lp2 10.1.2.1 10.1.2.10
The examples show configuration of two pool groups, including pools in the base system group, as follows:
•
•
•
Note that IP address 10.1.1.1 overlaps groups vpn1, vpn2, and the base system group. Also note that there is no overlap within any group including the base system group, which is unnamed.
The VPN needs a configuration that selects the proper group by selecting the proper pool based on remote user data. Thus, each user in a given VPN can select an address space using the pool and associated group appropriate for that VPN. Duplicate addresses in other VPNs (other group names) are not a concern, because the address space of a VPN is specific to that VPN.
In the example, a user in group vpn1 is associated with some combination of the pools p1_vpn1, p2_vpn1, and p3_vpn1, and is allocated addresses from that address space. Addresses are returned to the same pool from which they were allocated.
Related Commands
ip mobile cdma ha-chap send attribute
To include the Mobile Equipment Identifier (MEID) in the HA-CHAP access request, use the ip mobile cdma ha-chap send attribute command in global configuration mode. To disable this feature, use the no form of the command.
ip mobile cdma ha-chap send attribute [A1 | A2 | A3]
no ip mobile cdma ha-chap send attribute [A1 | A2 | A3]
Syntax Description
A1
(Optional) Send A1 (Calling Station id) in ha-chap.
A2
(Optional) Send A2(ESN) in ha-chap.
A3
(Optional) Send A3(MEID) in ha-chap.
Defaults
There are no default values.
Command Modes
Global configuration
Command History
Usage Guidelines
The MEID is a new attribute introduced in IS-835D that will eventually replace the ESN. In the interim, both attributes are supported on the Home Agent.
The MEID NVSE will be appended by the PDSN node to the Mobile IP RRQ. When the MEID NVSE is received on the HA, and the ip mobile cdma ha-chap send attribute A3 command is configured, then the MEID value is included in the HA-CHAP access request.
Examples
The following example illustrates the ip mobile cdma ha-chap send attribute A3 command:
ip mobile cdma ha-chap send attribute A3ip mobile home-agent
To enable and control Home Agent services on the router, use the ip mobile home-agent global configuration command. To disable these services, use the no form of this command.
ip mobile home-agent [home-agent address] [accounting] [broadcast] [care-of-access acl] [dynamic-address] [lifetime number] [aaa | attribute framed-pool] [nat-detect] [redundancy] [reject-static-addr] [revocation] [replay seconds] [resync-sa] [reverse-tunnel off] [roam-access acl] [hotline profile profile-id] [strip-realm] [suppress-unreachable] [local-timezone] [nat] [unknown-ha [accept | deny]] [send-mn-address]
no ip mobile home-agent [home-agent address] [accounting] [broadcast] [care-of-access acl] [dynamic-address] [lifetime number] [aaa | attribute framed-pool] [nat-detect] [redundancy] [reject-static-addr] [revocation] [replay seconds] [resync-sa] [reverse-tunnel off] [roam-access acl] [hotline profile profile-id] [strip-realm] [suppress-unreachable] [local-timezone] [nat] [unknown-ha [accept | deny]] [send-mn-address]
Syntax Description
Defaults
This command is disabled by default. Broadcasting is disabled by default. Reverse tunnel support is enabled by default. ICMP Unreachable messages are sent by default.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls Home Agent services on the router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered mobile nodes are unaffected. Tunnels are shared by mobile nodes registered with the same endpoints, so the reverse-tunnel-off keyword also affects registered mobile nodes.
The Home Agent is responsible for processing registration requests from the mobile node and setting up tunnels and routes to the care-of address. Packets to the mobile node are forwarded to the visited network.
The Home Agent will forward broadcast packets to mobile nodes if they registered with the service. However, heavy broadcast traffic utilizes the CPU of the router. The Home Agent can control where the mobile nodes roam by the care-of-access parameter, and which mobile node is allowed to roam by the roam-access parameter.
When a registration request comes in, the Home Agent will ignore requests when Home Agent service is not enabled or the security association of the mobile node is not configured. The latter condition occurs because the security association must be available for the MH authentication extension in the reply. If a security association exists for the Foreign Agent (IP source address or care-of address in request), the Foreign Agent is authenticated, and then the mobile node is authenticated. The Identification field is verified to protect against replay attack. The Home Agent checks the validity of the request (see Table 5) and sends a reply. (Replay codes are listed in Table 6.) A security violation is logged when Foreign Agent authentication, MH authentication, or Identification verification fails. (The violation reasons are listed in Table 7.)
After registration is accepted, the Home Agent creates or updates the mobility binding of the mobile node, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no mobile nodes are using it), and gratuitous ARPs are sent out if the mobile node is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the HA uses the entire NAI string as username for authentication (which may be with local security association or retrieved from the AAA server). The strip-nai-realm parameter instructs the HA to strip off the realm part of NAI (if it exists) before performing authentication. Basically, the mobile station is identified by only the username part of NAI.
When the packet destined for the mobile node arrives on the Home Agent, the Home Agent encapsulates the packet and tunnels it to the care-of address. If the Don't fragment bit is set in the packet, the outer bit of the IP header is also set. This allows the Path MTU Discovery to set the MTU of the tunnel. Subsequent packets greater than the MTU of the tunnel will be dropped and an ICMP datagram too big message sent to the source. If the Home Agent loses the route to the tunnel endpoint, the host route to the mobile node will be removed from the routing table until tunnel route is available. Packets destined for the mobile node without a host route will be sent out the interface (home link) or to the virtual network (see the description of suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the Home Agent will send a copy to all mobile nodes registered with the broadcast routing option.
Table 5 describes how the Home Agent treats registrations with various bits set when authentication and identification are passed.
Table 6 lists the Home Agent registration reply codes.
Table 7 lists security violation codes.
Table 7 Security Violation Codes
1
No mobility security association.
2
Bad authenticator.
3
Bad identifier.
4
Bad SPI.
5
Missing security extension.
6
Other.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent ?aaa HA AAA access settingsaccounting Enable Home Agent accountingaddress HA address for virtual networksbroadcast Enable forwarding of broadcast packetscare-of-access Care-of roaming capability access-listdynamic-address Configure Dynamic HA assignment addresslifetime Global lifetime for mobile hostslocal-timezone Use Local Time Zone to generate Identification Fieldsnat NAT traversal settingsnat-detect Enable NAT detect on Home Agentredundancy Home Agent redundancy operationreject-static-addr Reject Used Mobile Node Static IP Addr Requestreplay Set replay protection timestamp value for all SAsresync-sa Turn on resync of SA after failurereverse-tunnel Reverse Tunneling for Mobile IPrevocation Enable Registration Revocationroam-access Mobile host roaming capability access-listsend-mn-address Send MN address as Framed-IP-Address in HA-CHAPstrip-realm Strip off NAI realm partsuppress-unreachable Disable sending ICMP unreachabletemplate Configure a tunnel template for tunnels to the Home Agentunknown-ha Unknown HA address in registration requestHere is an example of the framed-pool attribute:
ip mobile home-agent aaa attribute Framed-Poolip local pool haPool 70.1.1.1 70.1.1.254ip mobile home-agentip mobile virtual-network 70.1.1.0 255.255.255.0ip mobile host nai @cisco.com interface FastEthernet1/0 aaa load-saRelated Commands
ip mobile home-agent accounting
To enable the Home Agent accounting feature, use the ip mobile home-agent accounting command in global configuration mode.
ip mobile home-agent accounting {method name| default}
Syntax Description
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
The Home Agent cannot open more than 100k bindings if HA Accounting feature is enabled.
Examples
The following example illustrates the ip mobile home-agent accounting command:
Router# ip mobile home-agent accounting method name
ip mobile home-agent debug include username
To display the username or IMSI condition with each debug statement, use the ip mobile home-agent debug include username command. To disable this function, use the no form of the command.
ip mobile home-agent debug include username
no ip mobile home-agent debug include username
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
The following example illustrates the ip mobile home-agent debug include username command:
Router# ip mobile home-agent debug include username
ip mobile home-agent dfp-max-weight
To configure the maximum dfp weight that is allowed on the HA, use the ip mobile home-agent dfp-max-weight command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent dfp-max-weight dfp-max-weight-value
no ip mobile home-agent dfp-max-weight
Syntax Description
Defaults
The dfp-max-weight-value is 24.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent dfp-max-weight command:
Router(config)# ip mobile home-agent 24
ip mobile home-agent dynamic-address
To set the Home Agent Address field in a Registration Response packet, use the ip mobile home-agent dynamic-address command in global configuration. Use the no form of the command to disable this feature, or to reset the field.
ip mobile home-agent dynamic-address ip address
no ip mobile home-agent dynamic-address ip address
Syntax Description
Defaults
The Home Agent Address field will be set to ip address.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent dynamic address command:
Router# ip mobile home-agent dynamic address 1.1.1.1ip mobile home-agent host-config url
To configure a URLon the HA that allows the MN to download configuration parameters, use the ip mobile home-agent host-config url command in globabl configuration mode. Use the no form of the command to disable the feature.
ip mobile home-agent host-config url
no ip mobile home-agent host-config url
Syntax Description
url
The generic url that you can specify that allows the MN to download its configuration parameters.
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is necessary because sometimes the HA is not able to provide the configuration requested by the MN. This command configures a generic site specified by the URL that helps the MN to download its configuration parameters.
Examples
The following example illustrates the ip mobile home-agent host-config command:
Router(config)# ip mobile home-agent host-config http://www.cisco.com
ip mobile home-agent hotline
To distinguish Profile or Rule based hot-lining for each user (MN), and to enter the hotline-rules sub configuration mode, use the ip mobile home-agent hotline command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent hotline [profile word]
no ip mobile home-agent hotline [profile word]
Syntax Description
profile word
(Optional) Denotes whether hotlining will be profile based, or rule based. If not configured, hotlining will be rule based.
Defaults
The default value is rule based hotlining.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent hotline command:
Router(config)# [no] ip mobile home-agent hotline profile wordRouter(hotline-rules)#Router(hotline-rules)#?exit Exit from hotline profile configuration modefirewall Firewall Rulesno Negate the hotline rulesredirect Redirection Rulesip mobile home-agent max-binding
To limit the number of bindings that can be opened on the HA, use the ip mobile home-agent max-binding command in global configuration mode. Use the no form of the command to disable the feature.
ip mobile home-agent max-binding max-binding value
no ip mobile home-agent max-binding max-binding value
Syntax Description
Defaults
The default value of max-binding-value is 235,000. When Accounting is enabled the supported value is 150,000.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent max-binding command:
Router# ip mobile home-agent max-binding 235000ip mobile home-agent max-cps
To configure the maximum cps that is allowed on the HA, use the ip mobile home-agent max-cps command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent max-cps max-cps-value
no ip mobile home-agent max-cps
Syntax Description
max-cps-value
The maximum cps value that is allowed on the HA. The default value is 160cps with accounting support.
Defaults
The default value is 160cps with accounting support.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent max-cps command:
Router(config)# ip mobile home-agent max-cps 160
ip mobile home-agent redundancy
To configure the Home Agent for redundancy by using the Hot Standby Router Protocol (HSRP) group name, use the ip mobile home-agent redundancy subcommand under the ip mobile home-agent global configuration command. To remove the address, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address addr] [mode active-standby] [swact-notification] [periodic-sync]
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address addr] [mode active-standby] [swact-notification] [periodic-sync]
Syntax Description
Defaults
No global Home Agent addresses are specified.
Command Modes
Subcommand of the ip mobile home-agent global configuration command.
Command History
12.0(2)T
This command was introduced.
12.3(7)XJ1
The mode active-standby option was added.
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
The virtual-network keyword specifies that the HSRP group supports virtual networks.
Note
When Mobile IP standby is configured, the Home Agent can request mobility bindings from the peer Home Agent. When the command is deconfigured, the Home Agent can remove mobility bindings. The following describes how Home Agent redundancy operates on physical and virtual networks.
Physical network:
Only the active Home Agent will receive registrations. It updates the standby Home Agent. The standby Home Agent requests the mobility binding table from the active Home Agent. When Mobile IP standby is deconfigured, the standby Home Agent removes all bindings, but the active Home Agent keeps all bindings.
Virtual network:
Both active and standby Home Agents receive registrations if the loopback interface is used; each will update the peer after accepting a registration. Otherwise, the active Home Agent receives registrations. Both active and standby Home Agents request mobility binding tables from each other. When Mobile IP standby is deconfigured, the standby or active Home Agent removes all bindings.
Note
Examples
The following is sample output from the ip mobile home-agent redundancy command that specifies an HSRP group name of SanJoseHA:
Router# ip mobile home-agent redundancy SanJoseHA
ip mobile home-agent redundancy periodic-sync
To sync the byte and packet counts for each binding to the standby unit using an accounting update event, use the ip mobile home-agent redundancy periodic-sync command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent method redundancy [virtual-network address address] periodic-sync
no ip mobile home-agent method redundancy [virtual-network address address] periodic-sync
Syntax Description
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
The the byte and packet counts for each binding are synced to the standby unit using an accounting update event only if the byte counts have changed since the last sync.
Examples
The following example illustrates the ip mobile home-agent redundancy periodic-sync command:
Router# ip mobile home-agent method redundancy periodic-sync
ip mobile home-agent reject-static-addr
To configure the HA to reject Registration Requests from MNs under certain conditions, use the ip mobile home-agent reject-static-addr sub-command under the ip mobile home-agent global configuration command.
ip mobile home-agent reject-static-addr
Syntax Description
This command has not arguments or keywords
Command Modes
Sub-command of the ip mobile home-agent global configuration command.
Command History
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
If an MN which has binding to the HA with a static address, and tries to register with the same static address again, then the HA rejects the second RRQ from MN.
Examples
The following example illustrates the ip mobile home-agent reject-static-addr command:
Router# ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
To configure the HA to clear out the old cached security associations and requery the AAA server, use the ip mobile home-agent resync-sa command global configuration command.
ip mobile home-agent resync-sa x
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
When a MN tries to reregister with the HA, the time change from the original timestamp is checked. If that time period is less than x, and the MN fails authentication, then the HA will not requery the AAA server for another SA.
If the MN reregisters with the HA, and the time between registrations is greater than x, and the MN fails registrations, then the HA will clear out the old SA and requery the AAA server.
Examples
The following example illustrates the ip mobile home-agent resync-sa command:
Router# ip mobile home-agent resync-sa 10
ip mobile home-agent revocation
To enable support for MIPv4 Registration Revocation on the HA, use the ip mobile home-agent revocation command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent revocation [timeout 1-100] [retransmit 0-100] [timestamp msec]
no ip mobile home-agent revocation [timeout 1-100] [retransmit 0-100] [timestamp msec]
Syntax Description
Defaults
The timeout default setting is 5 seconds, the retransmit default setting is 3 retransmissions, and the default timestamp setting is seconds.
Command Modes
Global configuration.
Command History
Examples
The following example illustrates the ip mobile home-agent revocation command:
Router# (config)#ip mobile home-agent revoc timeout ?
<1-100> Wait time (default 3 secs)
Router# (config)#ip mobile home-agent revoc retransmit ?
<0-100> Number of retries for a transaction (default 3)
ip mobile home-agent revocation ignore
To enable the HA to send a revocation acknowledgement to the PDSN/FA but not delete the binding, use the ip mobile home-agent revocation ignore command in global configuration mode. Use the no form of the command to disable this function.
ip mobile home-agent revocation ignore fa acl
no ip mobile home-agent revocation ignore fa acl
Syntax Description
Defaults
There are no default values.
Command Modes
Global configuration.
Command History
Usage Guidelines
When a subscriber roams between their service provider's network and another partner service provider's network, the PDSN gateway sends a Resource Revocation message to the Home Agent to remove the subscriber. This causes timing problems, so Selective FA Revocation selectively ignores these "remove subscriber" requests. Revocation is done on a Foreign Agent basis. Thus, a given HA will statically configure a list of Foreign Agents from which to ignore the "remove subscriber" messages.With Selectable FA Revocation, the Hybrid PDSN/FA will go through the above conditions and send the revocation to the Home Agent. However, in this case the HA ignores the revocation, but sends a RR response to the PDSN.
As a result, the MN and Home Agent still have a binding state but the PDSN/FA no longer has a PPP session/visitor table entry. Eventually, the mobile goes active and has Data Ready to Send, where the 1x RF channel DRS=1 is included. In this scenario, the VLR is not queried and the OpenRP message to the PDSN has MEI set to 1. Regardless of the MEI value, the PDSN will initiate PPP, and send a RRQ with the previously assigned home address. In this case HA will accept the Re-registration.
Note
Examples
Here is an example of the ip mobile home-agent revocation ignore command:
You can ignore revocation from the FA by specifying the standard access-list number or standard access-list name.
Configuring access-list name to ignore the requests from COA 5.1.1.4
Router(config)#ip access-list standard ?<1-99> Standard IP access-list number<1300-1999> Standard IP access-list number (expanded range)WORD Access-list nameRouter(config)#ip access-list standard fa_acl1Router(config-std-nacl)#permit 5.1.1.4Configuring access-list number to ignore the requests from COA 5.1.1.5
Router(config)#ip access-list standard ?<1-99> Standard IP access-list number<1300-1999> Standard IP access-list number (expanded range)WORD Access-list nameRouter(config)#ip access-list standard 1Router(config-std-nacl)#permit 5.1.1.5Configuring access-list name to selectively ignore requests from FA 5.1.1.4 . This is to associate the above created acl with the ip mobile home-agent revocation ignore command.
Router((config)#ip mobile home-agent revocation ignore ?<1-99> fa Access-list numberWORD fa Access-list nameRouter(config)#ip mobile home-agent revocation ignore fa_acl1Configuring the access-list number to selectively ignore requests from FA 5.1.1.5
Router(config)#ip mobile home-agent revocation ignore 1ip mobile home-agent service-policy
To attach the HA to the QoS police function, and identify the HA by associating a service-policy to the HA virtual interface object, use the ip mobile home-agent service-policy command in global configuration mode. The command is configured for both traffic directions. Use the no form of the command to disable this feature.
ip mobile home-agent service-policy [input policy-name] [output policy-name]
no ip mobile home-agent service-policy [input policy-name] [output policy-name]
Syntax Description
Defaults
The Home Agent Address field will be set to ip address.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent dynamic address command:
Router(config)# ip mobile home-agent service-policy input policy-mip-flowoutput policy-mip-flowip mobile home-agent template tunnel
To configure a Home Agent to use the template tunne, use the ip mobile home-agent template tunnel command in global configuration. Use the no form to disable this feature.
ip mobile home-agent template tunnel interface id address home agent address
no ip mobile home-agent template tunnel interface id address home agent address
Syntax Description
Defaults
There are no default values.
Command Modes
Global configuration.
Command History
Examples
The following example illustrates the ip mobile home-agent template tunnel command:
Router(config)# interface tunnel 10
ip access-group 150 in -------> apply access-list 150
Router (config)# access-list 150 deny any 10.10.0.0 0.255.255.255access-list permit any any
------> permit all but traffic to 10.10.0.0 network
Router (config)# ip mobile home-agent template tunnel 10 address 10.0.0.1
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host global configuration command. For PDSN, use this command to configure the static IP address or address pool for multiple flows with the same NAI.
ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | vpdn-tunnel | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa permanent]] [authorized-pool pool] [skip-aaa-reauthentication]] [care-of-access acl] [lifetime number]
no ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | vpdn-tunnel | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa permanent]] [authorized-pool pool] [skip-aaa-reauthentication]] [care-of-access acl] [lifetime number]
Syntax Description
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the Home Agent. These mobile nodes belong to the network on an interface or a virtual network (using the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from an AAA server. When using an AAA server, the router will attempt to download all security associations when the command is entered. If no security associations are retrieved, retrieval will be attempted when a registration request arrives or the clear ip mobile secure command is entered.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 8 are based on the assumption of one security association per mobile node.
The nai keyword allows you to specify a particular mobile station or range of mobile stations. The mobile station can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool). Or, the mobile station can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the PDSN proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The vpdn-tunnel option is added to the ip mobile host command. This keyword is mandatory to bring up MIP-LAC tunnel. You must also configure the vpdn-tunnel virtual-template option of the ip mobile realm command to enable the MIP-LAC feature. Every MIP session matching this realm will be mapped to a corresponding L2TP session. When MIP-LAC is enabled for user(s), and the HA does not go to AAA for authentication / authorization, local configuration will be checked for VPDN parameters.
The address pool can be defined by a local pool or using a DHCP proxy client. For DHCP, the interface name specifies the address pool from which the DHCP server selects and dhcp-server specifies DHCP server address.
Security associations can be stored using one of three methods:
•
•
•
Each method has advantages and disadvantages, which are described in Table 8
.
Note
Note
If the aaa load-sa option is configured, the Home Agent caches the SA locally on first registration. In this case the Home Agent will not invoke the RADIUS authorization procedure for re-registration.
If aaa load-sa skip-aaa-reauthentication is configured, the Home Agent caches the SA locally on first registration; however, the Home Agent will not invoke HA-CHAP procedure for re-registration.
The aaa load-sa permanent option is not supported on the Mobile Wireless Home Agent, and should not be configured.Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and store its security associations on the AAA server:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain.
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 65535The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain.
ip mobile host nai @cisco.com static-address local-pool mobilenodesRelated Commands
ip mobile radius disconnect
To enable the processing Radius Disconnect messages on the HA, use the ip mobile radius disconnect command in global configuration mode. Use the no form of this command to disable processing Radius Disconnect messages on the HA.
ip mobile radius disconnect
no ip mobile radius disconnect
Syntax Description
There are no arguments or keywords for this command.
Defaults
The default setting is that there is no processing of Radius Disconnect messages.
Command Modes
Global configuration.
Command History
Usage Guidelines
Note
Note
Examples
The following example illustrates the ip mobile radius disconnect command:
Router# ip mobile radius disconnect
ip mobile realm
To enable inbound user sessions to be disconnected when specific session attributes are presented, and to configure policy parameters on the Home Agent and attach/identify them to QoS through an APN interface, use the ip mobile realm command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile realm {realm | nai} vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]] [dns dynamic-update method word] [dns server primary dns server address secondary dns server address [assign]] [hotline [capability profile-based redirect [ip | http] | rule-based flag]] [vpdn-tunnel virtual-template number [setup-time number]] [service-policy {input policy-name [peak-rate rate] | output policy-name [peak-rate rate]}] [any-traffic | next-hop next-hop-ipadress]
no ip mobile realm ip mobile realm {realm | nai} vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group] [dns dynamic-update method word] [dns server primary dns server address secondary dns server address [assign]] [[hotline [capability [all | httpredir
| ipfilter | ipredir | profile] redirect [ip | http] | rule-based flag]] [vpdn-tunnel virtual-template number [setup-time number]] [service-policy {input policy-name [peak-rate rate] | output policy-name [peak-rate rate]}] [any-traffic | next-hop next-hop-ipadress]Syntax Description
Defaults
When the setup-time is not specified, the default value is 60.
Command Modes
Global configuration
Command History
Usage Guidelines
This command defines the VRF for the domain "@xyz.com". The IP address of the Home Agent corresponding to the VRF is also defined at which the MOIP tunnel will terminate. IP address of the Home Agent should be a routable IP address on the box. Optionally, the AAA accounting and/or authentication server groups can be defined per VRF. If AAA accounting server group is defined, all accounting records for the users of the realm will be sent to the specified group. If AAA authentication server group is defined, HA-CHAP is sent to the server(s) defined in the group.
The word argument should be specified as nai/realm and in the format of @cisco.com/username@cisco.com. Otherwise, the command will give error message. At least one form of hot-lining should be selected. There is no default rule to activate rule-based hot-lining for the user. Un-configuring this CLI will erase the rule-based hot-lining capability for the user. The values in above command are mentioned as flags. The flag values are explained here:
0x00000001 Profile-based Hot-Lining is supported (Using RADIUS Filter-Id attributes)
0x00000002 Rule-based Hot-Lining is supported using Filter Rule
0x00000004 Rule-based Hot-Lining is supported using HTTP Redirection Rule.
0x00000008 Rule-based Hot-Lining is supported using IP Redirection Rule.The [service-policy {input policy-name [peak-rate rate] | output policy-name [peak-rate rate]}] variables allows you to configure a policy and associated rate for one or more user bindings belonging to that policy on the basis of NAI/realm. This can be configured for both upstream and downstream traffic. The burst and the peak-burst can be configured under the policy-map configuration.
The setup-time for the vpdn-tunnel configuration is optional. The range of values for setup-time is from 5 secs to 300 secs. The default value for setup-time is 60 seconds. The default value is taken in to consideration, when user does not specify the setup-time option explicitly.
Configured setup-time is the maximum tolerance time, starting from the creation of the PPP IDB within which a regenerated PPP session has to come fully up. If this period of time has elapsed and the L2TP tunnel is not up yet, the mobile IP module proceeds to tear down this session's L2TP session, PPP IDB and mobile binding. Also, please note that the number option of tunnel vtemplate number must match the number configured in the corresponding interface virtual-template command.
Examples
The following example identifies the DNS dynamic update keyword:
router(config)#ip mobile realm @ispxyz1.com dns ?dynamic-update Enable 3GPP2 IP reachabilityserver DNS server configurationThe following example identifies the hotlining and vrf keywords:
router(config)# ip mobile realm @ispxyz1.com ?dns Configure DNS detailshotline Hotlining of the mobile hostsvrf VRF for the realmRouter(config)#ip mobile realm {realm | nai} hotline ?capability Hotlining Capability of the mobile hostsredirect Redirect ip address for upstream trafficRouter(config)#[no] ip mobile realm {realm | nai} hotline capability ?all Support all Hotline Capabilitieshttpredir HTTPRedir Rule-based Hot-Liningipfilter IPFilter Rule-based Hot-Liningipredir IPRedir Rule-based Hot-Liningprofile Profile-based Hot-LiningRouter(config)#Here is a policy map configuration example:
Router(config)#ip mobile realm <nai | realm> ?dns Configure DNS detailshotline Hotlining of the mobile hostsservice-policy QoS service policy attachmentvrf VRF for the realmRouter(config)#ip mobile realm <nai | realm> service-policy ?input Attach policy-map in input direction (downstream)output Attach policy-map in output direction (upstream)<cr>Router(config)#ip mobile realm <nai | realm> service-policy input ?WORD Policy-map name in input directionRouter(config)#ip mobile realm <nai | realm> service-policy input <policyname> ?output Attach policy-map in output direction (upstream)peak-rate Police rate<cr>Router(config)#ip mobile realm <nai | realm> service-policy input <policyname> peak-rate ?<8000-2000000000> Police rate value in bpsRouter(config)#ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> ?output Attach policy-map in output direction (upstream)<cr>Router(config)#ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output ?WORD Policy-map name in output directionRouter(config)#ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output <policyname> ?peak-rate Police rateRouter(config)#ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output <policyname> peak-rate ?<8000-2000000000> Police rate value in bpsRouter(config)#ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output <policyname> peak-rate <rate>ip mobile secure
To specify the mobility security associations for the mobile host, visitor, Home Agent, Foreign Agent, and proxy host, use the ip mobile secure global configuration command. To remove the mobility security associations, use the no form of this command.
ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in | outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
no ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in | outbound spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
Syntax Description
Defaults
No security association is specified.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
Usage Guidelines
The security association consists of the entity address, SPI, key, replay protection method, authentication algorithm, and mode.
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.
On a Home Agent, the security association of the mobile host is mandatory for mobile host authentication. If desired, configure a Foreign Agent security association on your Home Agent. On a Foreign Agent, the security association of the visiting mobile host and security association of the Home Agent are optional. Multiple security associations for each entity can be configured.
If registration fails because the timestamp value is out of bounds, the time stamp of the Home Agent is returned so the mobile node can reregister with the time-stamp value closer to that of the Home Agent, if desired.
Note
Examples
The following example shows mobile node 20.0.0.1, which has a key that is generated by the MD5 hash of the string:
Router# ip mobile secure host 20.0.0.1 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel interface configuration command.
ip mobile tunnel {crypto map map-name | route-cache | path-mtu-discovery | nat {inside | outside}}
Syntax Description
Defaults
Disabled.
Command Modes
Interface configuration.
Command History
Usage Guidelines
Path MTU discovery is used by end stations to find a packet size that does not need fragmentation between them. Tunnels have to adjust their MTU to the smallest MTU interior to achieve this. This is described in RFC 2003.
The discovered tunnel MTU should be aged out periodically to possibly recover from case where sub-optimum MTU existed at time of discovery. It is reset to the outgoing interface's MTU.
Examples
The following example sets the discovered tunnel MTU to expire in ten minutes:
Router# ip mobile tunnel reset-mtu-time 600
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network global configuration command. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address addr]
no ip mobile virtual-network net mask [address addr]
Syntax Description
Defaults
No Home Agent addresses are specified.
Command Modes
Global configuration.
Command History
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the HA IP address is configured on the loopback interface for that virtual network:
Router# ip mobile virtual-network
int e0ip addr 1.0.0.1 255.0.0.0standby ip 1.0.0.10standby name SanJoseHAint lo0ip addr 20.0.0.1 255.255.255.255ip mobile home-agentip mobile virtual-network 20.0.0.0 255.255.0.0 20.0.0.1ip mobile home-agent standby SanJoseHA virtual-networkip mobile secure home-agent 1.0.0.2 spi 100 hex 00112233445566778899001122334455match flow mip-bind
To classify packets for each binding that belong to a class of MN users with a specified rate, use the match flow mip-bind command in MQC class-map config mode. Use the no form of the command to delete the classification.
match flow mip-bind
no match flow mip-bind
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values.
Command Modes
MQC class-map configuration submode.
Command History
Examples
The following example illustrates the match flow mip-bind command:
Router(config-cmap)# match flow mip-bindmatch flow pdp
To classify an HA flow, use the match flow pdp command in global class-map configuration mode.
match flow pdp
no match flow pdp
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values.
Command Modes
Global class-map configuration.
Command History
Examples
The following example illustrates the match flow pdp command:
Router(conf t)# class-map <class-name>Router(config-cmap)#match flow ?pdp PDP context of flowRouter(config-cmap)# match flow pdpRouter(config-cmap)# endpolice rate mip-binding
To police the individual MN binding already identified to MQC, based on the specified rate, use the police rate mip-binding command specified in policy-map config mode specific to a configured class. Use the no form of the command to disable this feature.
police rate mip-binding [bc bytes] [peak-rate mip-binding [be bytes]]
no police rate mip-binding [bc bytes] [peak-rate mip-binding [be bytes]]
Syntax Description
bc bytes
Specifies the.
peak-rate mip-binding
Specifies the peak rate mip binding.
be bytes
Specifies the
Defaults
There are no default values.
Command Modes
Policy-map configuration submode.
Command History
Examples
The following example illustrates the police rate mip-binding command:
Router (config-pmap-c)# class-map class-mipmatch flow mip-bindingpolicy-map policy-mip-flowclass class-mippolice rate mip-binding [bc bytes] [peak-rate mip-binding [be byes]] conform-action action exceed-action action violate-action actionpolice rate pdp
To invoke police action on a binding flow, use the police rate pdp command in global policy-map configuration mode.
police rate pdp [burst bytes] [peak-rate pdp [peak-burst bytes]] conform-action action [exceed-action action [violate-action action]]
no police rate pdp [burst bytes] [peak-rate pdp [peak-burst bytes]] conform-action action [exceed-action action [violate-action action]]
Syntax Description
Defaults
There are no default values.
Command Modes
Policy-map configuration submode.
Command History
Usage Guidelines
The peak-rate pdp parameter ensures that policing is done based on a rate specified for each binding flow. The actual rate is specified using the mobile ip command described above.
The peak-rate pdp parameter has the following restrictions:
•
•
•
Examples
The following example illustrates the police rate pdp command:
Router(config)# policy-map <policyname>Router(config)# class <class-name>Router(config-pmap-c)# ?police PoliceRouter(config-pmap-c)#police ?<8000-2000000000> Bits per secondcir Committed information raterate Specify police rateRouter(config-pmap-c)#police rate ?pdp APN PDP contextRouter(config-pmap-c)#police rate pdp ?burst Specify 'burst' parameterconform-action action when rate is less than conform burstpeak-burst Specify 'peak-burst' parameter for 'peak-rate'peak-rate Specify peak rate<cr>Router(config-pmap-c)#police rate pdp burst 1000 peak-rate ?pdp APN PDP contextRouter(config-pmap-c)#police rate pdp burst 1000 peak-rate pdp ?conform-action action when rate is less than conform burstpeak-burst Specify 'peak-burst' parameter for 'peak-rate'Router(config-pmap-c)#police rate pdp burst 1000 peak-rate pdp peak-burst 5000 ?conform-action action when rate is less than conform burst<cr>Router(config-pmap-c)#police rate pdp burst 1000 peak-rate pdp peak-burst 5000 conform-action <transmit> ?exceed-action action when rate is within conform and conform + exceed burst<cr>Router(config-pmap-c)#police rate pdp burst 1000 peak-rate pdp peak-burst 5000 conform-action <transmit> exceed-action <drop> ?violate-action action when rate is greater than conform + exceed burst<cr>radius-server attribute 32 include-in-access-req
To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req global configuration command. To disable sending RADIUS attribute 32, use the no form of this command.
radius-server attribute 32 include-in-access-req [format]
no radius-server attribute 32 include-in-access-req
Syntax Description
format
(Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).
Defaults
RADIUS attribute 32 is not sent in access-request or accounting-request packets.
Command Modes
Global configuration.
Command History
Usage Guidelines
Using the radius-server attribute 32 include-in-access-req makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default.
Examples
The following example shows a configuration that sends RADIUS attribute 32 in the access-request with the format configured to identify a Cisco NAS:
router (config)# radius-server attribute 32 include-in-access-req format cisco %h.%d %i! The following string will be sent in attribute 32 (NAS-Identifier)."cisco router.nlab.cisco.com 10.0.1.67"radius-server attribute 55 access-request include
To send RADIUS attribute 55 Event-Timestamp in Access-Request, use the radius-server attribute 55 access-request include global configuration command. To disable sending this attribute, use the no form of this command.
radius-server attribute 55 access-request include
no radius-server attribute 55 access-request include
Syntax Description
There are no keywords or arguments.
Defaults
There are no default values.
Command Modes
Global configuration.
Command History
Usage Guidelines
Examples
The following example illustrates how to configure the radius-server attribute 55 access-request include command:
router (config)# radius-server attribute 55 access-request includeradius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
no radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
Syntax Description
Defaults
The auth-port port number defaults to 1645; the acct-port port number defaults to 1646.
Command Modes
Global configuration
Command History
Examples
The following example shows the radius-server host command:
Router# radius server host 20.1.1.1radius-server vsa send accounting wimax
To configure the WiMAX VSAs included in RADIUS accounting messages generated by the HA, use the radius-server vsa send accounting wimax command in global configuration mode. Use the no form of the command to disable this feature.
radius-server vsa send accounting wimax
no radius-server vsa send accounting wimax
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values.
Command Modes
Global configuration
Command History
Usage Guidelines
When this command is enabled, the following following RADIUS attributes will be included in accounting messages generated by the HA.
•
•
•
•
•
•
•
•
Examples
The following example shows the radius-server vsa send accounting wimax command:
Router# radius-server vsa send accounting wimaxradius-server vsa send authentication wimax
To configure WiMAX VSAs included in RADIUS Access-Request messages, use the radius-server vsa send authentication wimax command in global configuration mode. Use the no form of the command to disable this feature.
radius-server vsa send authentication wimax
no radius-server vsa send authentication wimax
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values.
Command Modes
Global configuration
Command History
Usage Guidelines
When this command is enabled, the following following RADIUS attributes will be included in Access-Request messages generated by the HA.
•
•
•
•
•
•
•
•
Examples
The following example shows the radius-server vsa send authentication wimax command:
Router# radius-server vsa send authentication wimaxredirect ip access-group
To specify that IP be the redirected profile-based configuration, use the redirect ip access-group command in hotline-rules sub-command configuration mode. Use the no form of the command to disable this feature.
redirect ip access-group { acl-no | word } {in | out} {redirect ip-addr [port]}
no redirect ip access-group { acl-no | word } {in | out} {redirect ip-addr [port]}
Syntax Description
Defaults
There are no default values.
Command Modes
Global configuration
Command History
Usage Guidelines
The configured acl should be an extended acl. ACL numbers range from 100-199 & 2000-2699.
Examples
The following example illustrates the redirect ip access-group command:
redirect ip access-group 100 in redirect 20.20.20.20 1router mobile
To enable Mobile IP on the router, use the router mobile global configuration command. To disable Mobile IP, use the no form of this command.
router mobile
no router mobile
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
Global configuration.
Command History
Usage Guidelines
This command must be used in order to run Mobile IP on the router, as either a Home Agent or a Foreign Agent. The process is started and counters begin. Disabling
Mobile IP will remove all related configuration commands, both global and interface.
Examples
The following example enables Mobile IP:
Router# router mobile
show ip mobile binding
To display the mobility binding table, use the show ip mobile binding EXEC command.
show ip mobile binding [ip address | home-agent address | nai string | summary | vrf | qos police flowid id | police nai @example.com]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The Home Agent updates the mobility binding table in response to registration events from mobile nodes. If the address argument is specified, bindings are shown for only that mobile node.
Examples
The following is sample output from the show ip mobile binding command:
Router# show ip mobile bindingMobility Binding List:Total 1Total VPDN Tunnel'ed 1mip-lac-user1@ispxyz.com (Bindings 1):Home Addr 30.0.0.5Care-of Addr 7.0.0.1, Src Addr 7.0.0.1Lifetime granted 00:30:00 (1800), remaining 00:28:56Flags sBdmg-T-, Identification CA932143.10000Tunnel0 src 7.0.0.2 dest 7.0.0.1 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:VPDN Tunnel (setup-time 90 secs)Revocation negotiated - I-bit setIf the DNS server configs configured locally are used then the show output will include the following:
router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz20.com (Bindings 1):Home Addr 40.0.0.2Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:03:00 (180), remaining 00:02:32Flags sBdmg-T-, Identification C6ACD1D7.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 23Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesDNS Address primary 10.77.155.10 secondary 5.5.5.5DNS Address Assignment enabled with entity Configured at Homeagent(3)If the DNS server addresses downloaded using a DNS server VSA from HAAA, then the show output will include the following:
router# show ip mobile bindingMobility Binding List:Total 1mwts-mip-r20sit-haslb@ispxyz30.com (Bindings 1):Home Addr 40.0.0.3Care-of Addr 20.20.210.10, Src Addr 20.20.210.10Lifetime granted 00:03:00 (180), remaining 00:02:05Flags sBdmg-T-, Identification C6ACD910.10000Tunnel0 src 20.20.202.102 dest 20.20.210.10 reverse-allowedRouting Options - (B)Broadcast (T)Reverse-tunnelService Options:Dynamic HA assignmentRevocation negotiated - I-bit setAcct-Session-Id: 31Sent on tunnel to MN: 0 packets, 0 bytesReceived on reverse tunnel from MN: 0 packets, 0 bytesDNS Address primary 10.77.155.10 secondary 10.77.155.9DNS Address Assignment enabled with entity From Home AAA(1)
Note
ACLs Applied to a Mobility Binding and Accounting Session ID and Accounting Counters
router# show ip mobile binding 44.0.0.1Mobility Binding List:44.0.0.1:Care-of Addr 55.0.0.11, Src Addr 55.0.0.11
Guest
