Table Of Contents
Cisco Mobile Wireless Home Agent Command Reference for IOS Release 12.4(22)YD
ip mobile cdma ha-chap send attribute
ip mobile debug include username
ip mobile home-agent accounting
ip mobile home-agent author-fail send-response
ip mobile home-agent binding-overwrite
ip mobile home-agent congestion
ip mobile home-agent dynamic-address
ip mobile home-agent foreign-agent
ip mobile home-agent host-config url
ip mobile home-agent max-binding
ip mobile home-agent redundancy
ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
ip mobile home-agent revocation
ip mobile home-agent revocation ignore
ip mobile home-agent switchover aaa swact-notification
ip mobile home-agent template tunnel
radius-server attribute 32 include-in-access-req
radius-server attribute 55 access-request include
radius-server vsa send accounting wimax
radius-server vsa send authentication wimax
show ip mobile binding vrf realm
show ip mobile home-agent congestion
snmp-server enable traps ipmobile
standby track decrement priority
track id application home-agent
Cisco Mobile Wireless Home Agent Command Reference for IOS Release 12.4(22)YD
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.5T command reference publications.
• clear ip mobile binding (modified)
• clear ip mobile host-counters
• debug ccm (new command)
• debug ip mobile host (modified)
• debug ip mobile redundancy (modified)
• ip mobile cdma ha-chap send attribute
• ip mobile debug include username
• ip mobile home-agent (modified)
• ip mobile home-agent accounting
• ip mobile home-agent author-fail send-response (new command)
• ip mobile home-agent binding-overwrite (new command)
• ip mobile home-agent congestion (new command)
• ip mobile home-agent dynamic-address
• ip mobile home-agent foreign-agent (modified)
• ip mobile home-agent host-config url
• ip mobile home-agent max-binding (modified)
• ip mobile home-agent redundancy
• ip mobile home-agent reject-static-addr
• ip mobile home-agent resync-sa
• ip mobile home-agent revocation
• ip mobile home-agent revocation ignore
• ip mobile home-agent template tunnel
• ip mobile host (modified)
• ip mobile realm (modified)
• radius-server attribute 32 include-in-access-req
• radius-server attribute 55 access-request include
• radius-server snmp-trap (new command)
• radius-server vsa send accounting wimax
• radius-server vsa send authentication wimax
• redundancy periodic-sync (modified)
• redundancy unit1 (new command)
• show ccm (new)
• show ip mobile binding (modified)
• show ip mobile binding vrf realm
• show ip mobile home-agent congestion (new command)
• show ip mobile redundancy (new command)
• show ip mobile traffic (modified)
• show redundancy inter-dev (modified)
• snmp-server enable traps ipmobile
• standby track decrement priority
• track id application home-agent
aaa accounting
To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting {auth-proxy | system | network | exec | connection | commands level | delay-start | dot1x | gigawords | multicast | nested | send | session-duration | suppress | update} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
no aaa accounting {auth-proxy | system | network | exec | connection | commands level | delay-start | dot1x | gigawords | multicast | nested | send | session-duration | suppress | update} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
Syntax Description
auth-proxy
Provides information about all authenticated-proxy user events.
system
Performs accounting for all system-level events not associated with users, such as reloads.
network
Runs accounting for all network-related service requests, including SLIP (1), PPP (2), PPP NCPs (3), and ARAP (4).
exec
Runs accounting for EXEC shell sessions. This keyword might return user profile information such as what is generated by the autocommand command.
connection
Provides information about all outbound connections made from the network access server, such as Telnet, LAT (5), TN3270, PAD (6), and rlogin.
commands level
Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
default
Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
delay-start
Delays the PPP network start record until the peer IP address is known.
dot1x
Runs accounting for dot1x sessions.
gigawords
Uses 64-bit interface counters to support RADIUS attributes 52 and 53.
list-name
Character string used to name the list of at least one of the accounting methods described in Table 3.
multicast
For multicast accounting.
nested
When starting PPP from EXEC mode, generates network records before the EXEC-STOP record.
none
Disables accounting services on this line or interface.
send
Sends records to the accounting server.
session-duration
Sets the preference for calculating session durations.
start-stop
Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
stop-only
Sends a "stop" accounting notice at the end of the requested user process.
suppress
Does not generate accounting records for a specific type of user.
update
Enables accounting update records.
broadcast
(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname
At least one of the keywords described in Table 2.
(1) SLIP = Serial Line Internet Protocol
(2) PPP = Point-to-Point Protocol
(3) PPP NCPs = Point-to-Point Protocol Network Control Protocols
(4) ARAP = AppleTalk Remote Access Protocol
(5) LAT = local-area transport
(6) PAD = packet assembler/disassembler
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Table 2 contains descriptions of accounting method keywords.
In Table 1, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS software supports the following two methods of accounting:
•
RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
•
TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.
If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 3.
Note
System accounting does not use named accounting lists; you can only define the default list for system accounting.
For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.
Note
This command cannot be used with TACACS or extended TACACS.
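The named method list mechanism described above, as an added configuration example that is not part of this command reference. It assumes a RADIUS server at the documentation address 192.0.2.10, the server-group name RAD-ACCT, the list name VTY-ACCT and a placeholder shared key; all of these are assumptions, not values from the page.

```cisco
! Added example (not from this reference): a named EXEC accounting method list
! applied only to the VTY lines, with the default list covering everything else.
aaa new-model
!
! Define the server first (radius-server host), then group it (aaa group server radius).
! 192.0.2.10 and RADIUS-KEY-PLACEHOLDER are placeholders.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
aaa group server radius RAD-ACCT
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Default list: minimal accounting (stop record only) for every EXEC session
! on a line that has no named list of its own.
aaa accounting exec default stop-only group RAD-ACCT
!
! Named list for the remote-administration lines: start and stop records, so the
! accounting server sees a login as it begins rather than only when it ends.
aaa accounting exec VTY-ACCT start-stop group RAD-ACCT
!
! Interim records every 15 minutes for long-lived sessions (aaa accounting update).
aaa accounting update periodic 15
!
! Attach the named list to the VTY lines; a defined method list overrides the
! default list, and lines without one keep using the default list.
line vty 0 4
 accounting exec VTY-ACCT
```

The default list is deliberately the minimal one: it is applied automatically everywhere the accounting type is valid, so it should carry the cost you are prepared to pay on every line, while the named list adds the fuller start-stop behaviour only where operator logins arrive.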
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only group tacacs+
The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a stop-only restriction. The aaa accounting command activates authentication proxy accounting.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
Related Commands
aaa accounting update
To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.
aaa accounting update [newinfo] [periodic number]
no aaa accounting update
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
When aaa accounting update is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.
When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure aaa accounting update newinfo periodic number, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.
Caution
Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.
Examples
The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30 minute intervals.
aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30
Related Commands
Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.
aaa authorization ipmobile
To configure multiple AAA groups, or to authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile global configuration command. Use the no form of this command to remove authorization.
aaa authorization ipmobile {tacacs+ | radius}
no aaa authorization ipmobile {tacacs+ | radius}
Syntax Description
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured either on the router or on an AAA server. This command is not needed in the former case; in the latter case, it authorizes Mobile IP to retrieve the security associations from the AAA server.
Note
The AAA server does not authenticate the user. It stores the security association, which is retrieved by the router to authenticate the registration.
Use this command to configure multiple AAA groups, which is the key to sending different realms to different AAA server-groups.
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-model
aaa authorization ipmobile tacacs+
tacacs-server host 1.2.3.4
tacacs-server key mykey
ip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaa
Related Commands
aaa pod server
To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server global configuration command. To disable this feature, use the no form of this command.
aaa pod server [port port-number] [auth-type {any | all | session-key}] server-key string [clients | ignore ]
no aaa pod server
Syntax Description
Defaults
The POD server function is disabled.
Command Modes
Global configuration
Command History
Release	Modification
12.1(3)T	This command was introduced.
12.4(22)YD	The clients and ignore keywords were added.
Usage Guidelines
For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
•
User-Name
•
Framed-IP-Address
•
Session-Id
•
Server-Key
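The key-field matching described above, as an added configuration example that is not part of this command reference. It assumes a RADIUS server at the documentation address 192.0.2.10 and placeholder shared keys; the POD port 1700 is the one shown in the debug aaa pod output later on this page.

```cisco
! Added example (not from this reference): accept RADIUS Disconnect (POD)
! requests only from a sender that knows the POD server key, and only for
! sessions this network access server is actually accounting.
aaa new-model
! 192.0.2.10 and the key values are placeholders.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! A POD request can only match a session the NAS knows about: the User-Name,
! Framed-IP-Address and Session-Id it carries are compared against the live
! network sessions, so network accounting has to be running for that service.
aaa accounting network default start-stop group radius
!
! Listen on UDP 1700. No auth-type is given, so all four key fields
! (User-Name, Framed-IP-Address, Session-Id, Server-Key) must match before a
! session is torn down; a request that matches nothing leaves every connection
! intact and gets an error response back.
aaa pod server port 1700 server-key POD-KEY-PLACEHOLDER
!
! While validating the setup, watch the attribute list and the ACK/NAK decision:
!   debug aaa pod
```

Leaving auth-type at its default is the conservative choice: a disconnect then requires the sender to identify the session completely rather than by a single attribute, which limits what a misdirected or replayed request can tear down.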
Examples
The following example enables POD and sets the secret key to "ab9123."
router (config)# aaa pod server server-key ab9123
access-list
To configure the access list mechanism for filtering frames by protocol type or vendor code, use the access-list global configuration command. Use the no form of this command to remove the single specified entry from the access list.
access-list access-list-number {permit | deny | remark} {type-code wild-mask | address mask} [compiled reuse | dynamic-extended | rate-limit {ACL index}]
no access-list access-list-number
Syntax Description
Defaults
No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list.
Command Modes
Global configuration
Command History
Usage Guidelines
Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).
When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.
To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (CET global configuration) and crypto map (CET interface configuration) commands.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.
Note
After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list command lines from a specific access list.
Caution
When creating encryption access lists, we do not recommend using the any keyword to specify source or destination addresses. Using the any keyword with a permit statement could cause extreme problems if a packet enters your router and is destined for a router that is not configured for encryption. This would cause your router to attempt to set up an encryption session with a nonencrypting router. If you incorrectly use the any keyword with a deny statement, you might inadvertently prevent all packets from being encrypted, which could present a security risk.
Note
If you view your router's access lists by using a command such as show ip access-list, all extended IP access lists will be shown in the command output. This includes extended IP access lists that are used for traffic filtering purposes as well as those that are used for encryption. The show command output does not differentiate between the two uses of the extended access lists.
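The first-match evaluation order and the advice against the any keyword, as an added example that is not part of this command reference. It reuses the two class C subnets from the page's own example; the excluded host 172.22.2.10, the list number 102 and the remark text are assumptions.

```cisco
! Added example (not from this reference). Encryption access list 102:
! statements are checked in the order they were entered, the first match ends
! the search, and an implicit deny (do not encrypt) closes the list.
!
! The narrow deny has to come before the broad permit. Entered afterwards it
! would never be reached, because the permit already matches the same packets,
! and traffic to the excluded host would be encrypted after all.
access-list 102 remark exclude the plaintext-only monitoring host from encryption
access-list 102 deny ip 172.21.3.0 0.0.0.255 host 172.22.2.10
access-list 102 remark encrypt all other IP traffic between the two subnets
access-list 102 permit ip 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255
!
! Source and destination are explicit ranges, never "any": a permit any would
! make the router try to set up encryption sessions with non-encrypting peers,
! and a deny any would silently send everything in the clear.
```

Because later access-list lines are appended at the end of an existing list, correcting the order of an already-configured list means removing the whole list and re-entering it in the intended sequence, then re-checking it with show ip access-list before the crypto map that references it is applied to an interface.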
Examples
The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.
access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255
Here are the new command options for Cisco IOS Release 12.4(22)YD:
Router(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list
Router(config)#access-list 1 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
Router(config)#access-list 1 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Router(config)#access-list 1 permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Router(config)#access-list 1 remark ?
  LINE  Comment up to 100 characters
  <cr>
Router(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
Router(config)#access-list 1100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
Router(config)#access-list compiled ?
  reuse  Reuse tables when compiling (for reduced memory requirements)
  <cr>
Router(config)#access-list dynamic-extended ?
  <cr>
Router(config)#access-list rate-limit ?
  <0-99>     Precedence ACL index
  <100-199>  MAC address ACL index
Router(config)#access-list rate-limit 0 ?
  <0-7>  Precedence
  mask   Use precedence bitmask
clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding EXEC command.
clear ip mobile binding {all | ip-address | nai string | realm word | vrf realm | mac address} [coa | session-id | synch]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The Home Agent creates a mobility binding for each roaming mobile node. The mobility binding allows the mobile node to exchange packets with the correspondent node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. There should be no need to clear the binding because it expires after lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
Note
Home Agent Release 5.0 does not support the synch option.
Note
Use this command with care, because it may terminate any sessions used by the mobile node. After using this command, the visitor will need to reregister to continue roaming.
Examples
The following example administratively stops mobile node 10.0.0.1 from roaming:
Router# clear ip mobile binding 10.0.0.1
Router# show ip mobile binding
Mobility Binding List:
Total 1
10.0.0.1:
    Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,
    Lifetime granted 02:46:40 (10000), remaining 02:46:32
    Flags SbdmGvt, Identification B750FAC4.C28F56A8,
    Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowed
    Routing Options - (G)GRE
Related Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile station, use the clear ip mobile host-counters EXEC command.
clear ip mobile host-counters [[ip-address | nai string] undo]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
Release	Modification
12.0(1)T	This command was introduced.
12.2(2)XC	The nai keyword and associated variables were added.
12.4(15)XM	Added support to clear HA policing statistics.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this is useful for debugging).
Examples
The following example shows how the counters can be used for debugging and displays the total number of bindings:
Router# show ip mobile host
Mobile Host List:
Total 1
cisco_user1@cisco.com:
    Dynamic address from local pool acct_pool1
    Static authorization using pool local acct_pool1
    Allowed lifetime 10:00:00 (36000/default)
    Roam status -Registered-, Home link on interface Null0
    Bindings 1.1.1.56
    Accepted 0, Last time -never-
    Overall service time 01:14:58
    Denied 0, Last time -never-
    Last code '-never- (0)'
    Total violations 0
    Acct-Session-Id: 0x00000015
    Sent on tunnel to MN: 0 packets, 0 bytes
    Received on reverse tunnel from MN: 0 packets, 0 bytes
Router# clear ip mobile host-counters
20.0.0.1:
    Allowed lifetime 10:00:00 (36000/default)
    Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8
    Accepted 0, Last time -never-
    Overall service time -never-
    Denied 0, Last time -never-
    Last code `-never- (0)'
    Total violations 0
    Tunnel to MN - pkts 0, bytes 0
    Reverse tunnel from MN - pkts 0, bytes 0
Related Commands
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure EXEC command.
clear ip mobile secure {host lower [upper] string | empty | all} [load] [home-agent ha-rk A.B.C.D]
Syntax Description
Command Modes
EXEC
Command History
Release	Modification
12.0(1)T	This command was introduced.
12.2(2)XC	The nai keyword and associated variables were added.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
Home Agent 5.0 does not support the load option.
Note
Security associations that are manually configured on the router, or that are not stored on the router after retrieval from the AAA server, are not affected by this command.
The clear ip mobile secure all command clears all of the keys (MN, FA, and HA-RK) that were generated and downloaded from AAA.
Examples
In the following example, the AAA server has the security association for user 10.0.0.1 after registration:
Router# show ip mobile secure host 10.0.0.1
Security Associations (algorithm,mode,replay protection,key):
10.0.0.1:
    SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,
    Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8
The security association of the AAA server changes as follows:
Router# clear ip mobile secure host 10.0.0.1 load
Router# show ip mobile secure host 10.0.0.1
10.0.0.1:
    SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,
    Key `newkey' 1230552d39b7c1751f86bae5205ec0c8
Related Commands
Command	Description
ip mobile secure	Specifies the mobility security associations for mobile host, visitor, Home Agent, and Foreign Agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic Privileged EXEC command.
clear ip mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (this is useful for debugging.) See the show ip mobile traffic command for a list and description of all counters.
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile traffic
IP Mobility traffic:
Advertisements:
    Solicitations received 0
    Advertisements sent 0, response to solicitation 0
Home Agent Registrations:
    Register 8, Deregister 0 requests
    Register 7, Deregister 0 replied
    Accepted 6, No simultaneous bindings 0
    Denied 1, Ignored 1
    Unspecified 0, Unknown HA 0
    Administrative prohibited 0, No resource 0
    Authentication failed MN 0, FA 0
    Bad identification 1, Bad request form 0
..
Router# clear ip mobile traffic
Router# show ip mobile traffic
IP Mobility traffic:
Advertisements:
    Solicitations received 0
    Advertisements sent 0, response to solicitation 0
Home Agent Registrations:
    Register 0, Deregister 0 requests
    Register 0, Deregister 0 replied
    Accepted 0, No simultaneous bindings 0
    Denied 0, Ignored 0
    Unspecified 0, Unknown HA 0
    Administrative prohibited 0, No resource 0
    Authentication failed MN 0, FA 0
    Bad identification 0, Bad request form 0
Related Commands
debug aaa accounting
To display information on accountable events as they occur, use the debug aaa accounting command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa accounting
no debug aaa accounting
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues.
You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well.
Examples
The following is sample output from the debug aaa accounting command:
Router# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
debug aaa authentication
To display information on authentication, authorization, and accounting (AAA) TACACS+ authentication, use the debug aaa authentication command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa authentication
no debug aaa authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Use this command to learn the methods of authentication being used and the results of these methods.
Examples
The following is sample output from the debug aaa authentication command. A single EXEC login that uses the "default" method list and the first method, TACACS+, is displayed. The TACACS+ server sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password, and finally a PASS response to indicate a successful login. The number 50996740 is the session ID, which is unique for each authentication. Use this ID number to distinguish between different authentications if several are occurring concurrently.
Router# debug aaa authentication
6:50:12: AAA/AUTHEN: create_user user='' ruser='' port='tty19' rem_addr='172.31.60.15' authen_type=1 service=1 priv=1
6:50:12: AAA/AUTHEN/START (0): port='tty19' list='' action=LOGIN service=LOGIN
6:50:12: AAA/AUTHEN/START (0): using "default" list
6:50:12: AAA/AUTHEN/START (50996740): Method=TACACS+
6:50:12: TAC+ (50996740): received authen response status = GETUSER
6:50:12: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN/CONT (50996740): continue_login
6:50:15: AAA/AUTHEN (50996740): status = GETUSER
6:50:15: AAA/AUTHEN (50996740): Method=TACACS+
6:50:15: TAC+: send AUTHEN/CONT packet
6:50:15: TAC+ (50996740): received authen response status = GETPASS
6:50:15: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN/CONT (50996740): continue_login
6:50:20: AAA/AUTHEN (50996740): status = GETPASS
6:50:20: AAA/AUTHEN (50996740): Method=TACACS+
6:50:20: TAC+: send AUTHEN/CONT packet
6:50:20: TAC+ (50996740): received authen response status = PASS
6:50:20: AAA/AUTHEN (50996740): status = PASS
debug aaa pod
To display debug information for RADIUS Disconnect message processing at the AAA subsystem level, use the debug aaa pod command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa pod
no debug aaa pod
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug aaa pod command:
Router#sh debugging
General OS:
  AAA POD packet processing debugging is on
In this scenario, a POD request is received from RADIUS server 17.17.17.18 with the attributes displayed below; after processing it, the PDSN sends back an ACK:
Router#
03:30:05: POD: 17.17.17.18 request queued
03:30:05: ++++++ POD Attribute List ++++++
03:30:05: 63ECE94C 0 00000009 username(336) 12 sri-sip-user
03:30:05: 65FCEB50 0 00000009 clid(27) 11 00000000001
03:30:05: 65FCEB64 0 00000021 cdma-disconnect-reason(420) 4 1(1)
03:30:05: 65FCEB78 0 00000029 cdma-correlation-id(374) 8 00000002
03:30:05:
03:30:05: POD: Sending ACK from port 1700 to 17.17.17.18/1700
debug ccm
To display debug information about CCM events and errors, use the debug ccm command in privileged EXEC mode. Use the no form of the command to disable debugging.
debug ccm {event | detail}
no debug ccm {event | detail}
Syntax Description
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ccm command:
Active# deb ccm [event][detail]
SAMI 6/3: Oct 24 09:23:39.597: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
SAMI 6/3: Oct 24 09:23:39.601: CCM: New State[Not Ready]
SAMI 6/3: Oct 24 09:23:39.601: CCM: ipmobile ccm Required
SAMI 6/3: Oct 24 09:23:39.601: CCM: ipmobile ccm is Initiator
SAMI 6/3: Oct 24 09:23:39.601: CCM: ipmobile ccm Ready
SAMI 6/3: Oct 24 09:23:39.601: CCM: ipmobile ccm Old State[Not Ready] Event[All Ready]
SAMI 6/3: Oct 24 09:23:39.601: CCM: New State[Ready]
SAMI 6/3: Oct 24 09:23:39.601: CCM: ipmobile ccm Adding Data Type[0] Length[322]
SAMI 6/3: Oct 24 09:23:39.601: CCM: ipmobile ccm Adding Data Type[2] Length[80]
SAMI 6/3: Oct 24 09:23:39.601: CCM: Send[Sync Session] Length[402] NumItems[2] Flags[0]
SAMI 6/3: Oct 24 09:23:39.601: Client[ipmobile ccm] Type[0] Length[322]
SAMI 6/3: Oct 24 09:23:39.601: 86 0E 00 00 00 00 00 09 00 43 01 00 01 00 00 00
SAMI 6/3: Oct 24 09:23:39.601: 86 0E 00 00 00 00 00 09 00 3C 00 00 0E 00 00 01
SAMI 6/3: Oct 24 09:23:39.601: 86 0E 00 00 00 00 00 09 00 3D 00 00 0D 02 02 09
SAMI 6/3: Oct 24 09:23:39.601: 86 0C 00 00 00 00 00 09 00 3E 00 00 8C A0 86 0C
SAMI 6/3: Oct 24 09:23:39.601: ...
SAMI 6/3: Oct 24 09:23:39.601: Client[ipmobile ccm] Type[2] Length[80]
SAMI 6/3: Oct 24 09:23:39.601: 86 0E 00 00 00 00 00 09 00 43 01 00 01 00 00 00
SAMI 6/3: Oct 24 09:23:39.601: 86 3E 00 00 00 00 00 09 00 42 00 00 00 00 00 00
SAMI 6/3: Oct 24 09:23:39.601: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SAMI 6/3: Oct 24 09:23:39.601: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SAMI 6/3: Oct 24 09:23:39.601: ...
SAMI 6/3: Oct 24 09:23:39.601: CCM: New State[Dyn Sync]
Standby# debug ccm [event][detail]
SAMI 7/3: Oct 24 09:23:38.402: CCM: Receive[Sync Session] Length[402] NumItems[2] Flags[0]
SAMI 7/3: Oct 24 09:23:38.402: CCM: New State[Not Ready]
SAMI 7/3: Oct 24 09:23:38.402: Client[ipmobile ccm] Type[0] Length[322]
SAMI 7/3: Oct 24 09:23:38.402: 86 0E 00 00 00 00 00 09 00 43 01 00 01 00 00 00
SAMI 7/3: Oct 24 09:23:38.402: 86 0E 00 00 00 00 00 09 00 3C 00 00 0E 00 00 01
SAMI 7/3: Oct 24 09:23:38.402: 86 0E 00 00 00 00 00 09 00 3D 00 00 0D 02 02 09
SAMI 7/3: Oct 24 09:23:38.402: 86 0C 00 00 00 00 00 09 00 3E 00 00 8C A0 86 0C
SAMI 7/3: Oct 24 09:23:38.402: ...
SAMI 7/3: Oct 24 09:23:38.402: Client[ipmobile ccm] Type[2] Length[80]
SAMI 7/3: Oct 24 09:23:38.402: 86 0E 00 00 00 00 00 09 00 43 01 00 01 00 00 00
SAMI 7/3: Oct 24 09:23:38.402: 86 3E 00 00 00 00 00 09 00 42 00 00 00 00 00 00
SAMI 7/3: Oct 24 09:23:38.402: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SAMI 7/3: Oct 24 09:23:38.402: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SAMI 7/3: Oct 24 09:23:38.402: ...
SAMI 7/3: Oct 24 09:23:38.402: CCM: ipmobile ccm Recreate Session Active[0x7B000004] Standby[0x65000002]
SAMI 7/3: Oct 24 09:23:38.402: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
SAMI 7/3: Oct 24 09:23:38.402: CCM: ipmobile ccm Required
SAMI 7/3: Oct 24 09:23:38.402: CCM: ipmobile ccm is Initiator
SAMI 7/3: Oct 24 09:23:38.402: CCM: ipmobile ccm Ready
SAMI 7/3: Oct 24 09:23:38.402: CCM: ipmobile ccm Old State[Not Ready] Event[All Ready]
SAMI 7/3: Oct 24 09:23:38.402: CCM: New State[Ready]
debug condition
To limit output for some debug commands based on specified conditions, use the debug condition command in privileged EXEC mode. To remove the specified condition, use the no form of this command.
debug condition {called called number | calling calling | glbp interface group | interface interface | ip ip_address | mac-address mac_address | standby interface group | username username | vcid vc_id}
no debug condition {called called number | calling calling | glbp interface group | interface interface | ip ip_address | mac-address mac_address | standby interface group | username username | vcid vc_id}
Syntax Description
Defaults
All debugging messages for enabled protocol-specific debug commands are generated.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug condition command to restrict the debug output for some commands. If any debug condition commands are enabled, output is only generated for interfaces associated with the specified keyword. In addition, this command enables debugging output for conditional debugging events. Messages are displayed as different interfaces meet specific conditions.
If multiple debug condition commands are enabled, output is displayed if at least one condition matches. All the conditions do not need to match.
The no form of this command removes the debug condition specified by the condition identifier. The condition identifier is displayed after you use a debug condition command or in the output of the show debug condition command. If the last condition is removed, debugging output resumes for all interfaces. You will be asked for confirmation before removing the last condition or all conditions.
Not all debugging output is affected by the debug condition command. Some commands generate output whenever they are enabled, regardless of whether they meet any conditions. The commands that are affected by the debug condition commands are generally related to dial access functions, where a large amount of output is expected. Output from the following commands is controlled by the debug condition command:
•
debug aaa {accounting | authorization | authentication}
•
debug dialer events
•
debug isdn {q921 | q931}
•
debug modem {oob | trace}
•
debug ppp {all | authentication | chap | error | negotiation | multilink events | packet}
Ensure that you enable TID/IMSI-based conditional debugging by entering debug condition calling before configuring debug gprs gtp and debug gprs charging. In addition, ensure that you disable the debug gprs gtp and debug gprs charging commands using the no debug all command before disabling conditional debugging using the no debug condition command. This will prevent a flood of debugging messages when you disable conditional debugging.
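As an added example (not IOS code), the following Python model replays the filtering rules stated in these guidelines: conditions are OR'ed, output from commands that debug condition does not govern always passes, and removing the last condition resumes output for everything. The events and messages are constructed, modelled on the output formats shown in the Examples.

```python
"""Model of how 'debug condition' gates debug output (added example, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class DebugConditions:
    """Active conditions, keyed by the identifier IOS prints ("Condition 1 set")."""
    conditions: dict = field(default_factory=dict)  # id -> (keyword, value)
    next_id: int = 1

    def add(self, keyword, value):
        """Like 'debug condition <keyword> <value>'; returns the new condition identifier."""
        cid = self.next_id
        self.conditions[cid] = (keyword, str(value))
        self.next_id += 1
        return cid

    def remove(self, cid):
        """Like 'no debug condition <id>'; returns True when the last condition was removed."""
        del self.conditions[cid]
        return not self.conditions

    def allows(self, event):
        """Decide whether one debug event is displayed under the current conditions."""
        if event.get("unconditional"):
            return True  # output that debug condition does not govern is always shown
        if not self.conditions:
            return True  # no conditions set: every enabled debug prints
        # at least one condition must match; all of them need not
        return any(kw in event and str(event[kw]) == val
                   for kw, val in self.conditions.values())


def filter_debug(conds, events):
    """Return the messages that would reach the console, in order."""
    return [e["msg"] for e in events if conds.allows(e)]


# Constructed events, modelled on the message formats shown in the Examples.
EVENTS = [
    {"username": "fred", "msg": "AAA/AUTHEN: create_user user='fred' port='tty19'"},
    {"username": "alice", "msg": "AAA/AUTHEN: create_user user='alice' port='tty20'"},
    {"vcid": 1000, "msg": "AToM MGR [13.13.13.13, 1000]: Local end down, vc is down"},
    {"vcid": 2000, "msg": "AToM MGR [13.13.13.13, 2000]: Local end down, vc is down"},
    {"unconditional": True,
     "msg": "%LINK-5-CHANGED: Interface Serial3/1/0, changed state to administratively down"},
]


def walkthrough():
    """Replay the sequence: set username fred, add vcid 1000, then remove both."""
    conds = DebugConditions()
    steps = {"none": filter_debug(conds, EVENTS)}
    fred = conds.add("username", "fred")
    steps["fred"] = filter_debug(conds, EVENTS)
    vc = conds.add("vcid", 1000)
    steps["fred_or_vc1000"] = filter_debug(conds, EVENTS)
    conds.remove(fred)
    steps["vc1000"] = filter_debug(conds, EVENTS)
    steps["last_removed"] = conds.remove(vc)
    steps["after_removal"] = filter_debug(conds, EVENTS)
    return steps


if __name__ == "__main__":
    for name, shown in walkthrough().items():
        print(name, shown)
```

The "unconditional" flag stands in for the commands the guidelines say are not affected by debug condition; note that the %LINK-5-CHANGED message is shown in every step, which is also what the VC 1000 example below illustrates.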
Examples
Example 1
In the following example, the router displays debugging messages only for interfaces that use a username of fred. The condition identifier displayed after the command is entered identifies this particular condition.
Router# debug condition username fred
Condition 1 set
Example 2
The following example specifies that the router should display debugging messages only for VC 1000:
Router# debug condition vcid 1000
Condition 1 set
01:12:32: 1000 Debug: Condition 1, vcid 1000 triggered, count 1
01:12:32: 1000 Debug: Condition 1, vcid 1000 triggered, count 1
Other debugging commands are enabled, but they will only display debugging for VC 1000.
Router# debug mpls l2transport vc event
AToM vc event debugging is on
Router# debug mpls l2transport vc fsm
AToM vc fsm debugging is on
The following commands shut down the interface where VC 1000 is established.
Router(config)# interface s3/1/0
Router(config-if)# shut
The debugging output shows the change to the interface where VC 1000 is established.
01:15:59: AToM MGR [13.13.13.13, 1000]: Event local down, state changed from established to remote ready
01:15:59: AToM MGR [13.13.13.13, 1000]: Local end down, vc is down
01:15:59: AToM SMGR [13.13.13.13, 1000]: Processing imposition update, vc_handle 6227BCF0, update_action 0, remote_vc_label 18
01:15:59: AToM SMGR [13.13.13.13, 1000]: Imposition Disabled
01:15:59: AToM SMGR [13.13.13.13, 1000]: Processing disposition update, vc_handle 6227BCF0, update_action 0, local_vc_label 755
01:16:01: %LINK-5-CHANGED: Interface Serial3/1/0, changed state to administratively down
01:16:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/1/0, changed state to down
Here are examples of the new options for Cisco IOS Release 12.4(22)YD:
Router# debug condition called ?
  WORD  Called number
Router# debug condition calling ?
  WORD  Calling number
Router# debug condition glbp ?
  GigabitEthernet  GigabitEthernet IEEE 802.3z
Router# debug condition glbp gigabitEthernet ?
  <0-1>  GigabitEthernet interface number
Router# debug condition interface ?
  Async              Async interface
  Auto-Template      Auto-Template interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Multilink          Multilink-group interface
  Null               Null interface
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  vmi                Virtual Multipoint Interface
Router# debug condition ip ?
  A.B.C.D  IP address
Router# debug condition mac-address ?
  H.H.H  MAC address
Router# debug condition standby ?
  GigabitEthernet  GigabitEthernet IEEE 802.3z
Router# debug condition standby gigabitEthernet ?
  <0-1>  GigabitEthernet interface number
Router# debug condition username ?
  WORD  Username for debug filtering
Router# debug condition vcid ?
  <1-4294967295>  VC ID
debug ip mobile
To display IP mobility activities, use the debug ip mobile command in privileged EXEC mode.
debug ip mobile [advertise | dfp | host | local-area | redundancy | router | udp-tunneling | vpdn-tunneling | ipc | mib]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug ip mobile redundancy command to troubleshoot redundancy problems.
No per-user debugging output is shown for mobile nodes using the network access identifier (NAI) for the debug ip mobile host command. Debugging of specific mobile nodes using an IP address is possible through the access list.
Examples
The following is sample output from the debug ip mobile command when Foreign Agent reverse tunneling is enabled:
MobileIP: MN 14.0.0.30 deleted from ReverseTunnelTable of Ethernet2/1 (Entries 0)
The following is sample output from the debug ip mobile ? command:
Router# debug ip mobile ?
  advertise       Mobility Agent advertisements
  dfp             DFP Agent
  host            Mobile host activities
  local-area      Local area mobility
  redundancy      Mobile redundancy activities
  router          Mobile router activities
  udp-tunneling   UDP Tunneling
  vpdn-tunneling  VPDN Tunneling
The following is sample output from the debug ip mobile advertise command:
Router# debug ip mobile advertise
MobileIP: Agent advertisement sent out Ethernet1/2: type=16, len=10, seq=1, lifetime=36000,
flags=0x1400(rbhFmGv-rsv-),
Care-of address: 68.0.0.31
Prefix Length ext: len=1 (8 )
FA Challenge value: 769C808D
Table 4 Debug IP Mobile Advertise Field Descriptions
The following is sample output from the debug ip mobile udp-tunneling command:
Router# debug ip mobile udp-tunneling
MobileIP: Received UDP Keep-Alive message from tunnel 7.0.0.2:434 - 7.0.0.15:16
MobileIP: Sending UDP Keep-Alive message for tunnel 7.0.0.2:434 - 7.0.0.15:16
MobileIP: MN 40.0.0.101 - HA rcv BindUpdAck accept from 7.0.0.67 HAA 7.0.0.2
MobileIP: UDP Keep-Alive check point time for tunnel 7.0.0.2:434 - 7.0.0.15:16
debug ip mobile host
Use the debug ip mobile host EXEC command to display IP mobility events.
debug ip mobile host [acl | mac H.H.H]
no debug ip mobile host [acl | mac H.H.H]
Syntax Description
acl
(Optional) Access list. The values are 1-99.
mac H.H.H
(Optional) Displays debugging events for a host with the specified MAC address. The messages will include the MAC address when applicable.
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile host command:
Router# debug ip mobile host
MobileIP: HA received registration for MN 20.0.0.6 on interface Ethernet1 using COA 68.0.0.31 HA 66.0.0.5 lifetime 30000 options sbdmgvT
MobileIP: Authenticated FA 68.0.0.31 using SPI 110 (MN 20.0.0.6)
MobileIP: Authenticated MN 20.0.0.6 using SPI 300
MobileIP: HA accepts registration from MN 20.0.0.6
MobileIP: Mobility binding for MN 20.0.0.6 updated
MobileIP: Roam timer started for MN 20.0.0.6, lifetime 30000
MobileIP: MH auth ext added (SPI 300) in reply to MN 20.0.0.6
MobileIP: HF auth ext added (SPI 220) in reply to MN 20.0.0.6
MobileIP: HA sent reply to MN 20.0.0.6
debug ip mobile redundancy
Use the debug ip mobile redundancy EXEC command to display IP mobility redundancy events.
debug ip mobile redundancy {events | error | detail | periodic-sync}
no debug ip mobile redundancy {events | error | detail | periodic-sync}
Syntax Description
Defaults
No default values.
Command History
Release      Modification
12.0(1)T     This command was introduced.
12.4(22)YD   The events, error, detail, and periodic-sync keywords were added.
Examples
The following is sample output from the debug ip mobile redundancy command:
Active# debug ip mobile redundancy [events][errors][details]
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding Mobile IP SR Version NVSE, length 14.
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN home agent address NVSE(60) home agent ip address: 14.0.0.1
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding CoA address NVSE(61) CoA address: 13.2.2.9
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN lifetime NVSE(62) MN lifetime: 36000
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN lifetime-left NVSE(68) MN lifetime left: 36000
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN flags NVSE(62) MN flags :
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN identification NVSE(62) MN identification CCAACD2F1
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding NAI extension Type(131) NAI derath1@cisco.com
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding ip address extension Type(10) binding ip address type 7
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN home address NVSE(59) MN home address: 65.0.0.1
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding Accounting NVSE, length 14 Acct-Sess-Id: 23
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding Class NVSE, length 8.
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN service flags 0x8001
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding HA-RK for HA IP 14.0.0.1
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding MN CDMA STC NVSE
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding UDP Tunnel End Point CVSE 13.2.2.9:434 14.0.0.1:0x2
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Sending MobileIP SR Session Create Event with 322 bytes data
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding Mobile IP SR Version NVSE, length 14.
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Adding Accounting Attributes NVSE
SAMI 6/3: Oct 23 10:15:08.939: MobileIP: SR: Sending MobileIP SR Session Update Periodic Sync with 80 bytes data
SAMI 6/3: Oct 23 10:20:38.943: MobileIP: UDP Keep-Alive failure for tunnel 14.0.0.1:434 - 13.2.2.9:434
Standby# debug ip mobile redundancy [events][errors][details]
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Received MobileIP SR Session Create Event with 285 bytes data
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing SR Version NVSE(67), length 14. Major Version 1, Minor Version 0, Edit version 1
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN Home Agent Address 14.0.0.1 NVSE(60) length 16
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN CoA Address 13.2.2.9 NVSE(61) length 16
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN lifetime 36000 NVSE(62) length 14
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN lifetime-left 36000 NVSE(68) length 14
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN flags 2 NVSE(63) length 14
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN identification NVSE(64) CCAC12F91 length 20
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN NAI derath1@cisco.com Exttype (131) length 19
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing binding Address type CVSE(10) Addr type: 7 length (12)
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN Home Address 65.0.0.1 NVSE(59) length 16
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN GSA NVSE(32) length 60
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing HA Accounting NVSE(34) length (16) Acct-Sess-Id: 27
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN service flags CVSE(11) MN service flags: 8001 length (12)
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN Revoc Exttype (137) length 8
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing MN CDMA STC NVSE(8194) length (11)
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing UDP Tunnel End Point CVSE(12)
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Mobility binding for MN derath1@cisco.com created
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Adding Binding Registration Revocation flags 0x8000 and timestamp 2760709096 for MN derath1@cisco.com
SAMI 7/3: Oct 24 09:25:10.206: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Tunnel0 (MIPUDP/IP) created with src 14.0.0.1 dst 13.2.2.9
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Setting up UDP Keep-Alive Timer for tunnel 14.0.0.1:0 - 13.2.2.9:0 with keep-alive 110
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Starting the tunnel keep-alive timer
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com MN derath1@cisco.com Insert route for 65.0.0.1/255.255.255.255 via gateway 13.2.2.9 (metric 1) on Tunnel0
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Roam timer started for MN derath1@cisco.com using 65.0.0.1, lifetime 36000
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Allocated AAA unique ID 0x00000004 for MN derath1@cisco.com. Acct-Session-Id=0x0000001B.
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com Replacing Acct-Session-ID with 0x0000001B
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: derath1@cisco.com AAA: Start record sent for MN 65.0.0.1 using ID 0x00000004 and method list "default"
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: Converting GSA Extension to 1 SPI(s) and key(s)
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Binding synced from active NAI derath1@cisco.com HA 65.0.0.1 CoA 14.0.0.1
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: Adding UDP Tunnel End Point CVSE 13.2.2.9:434 14.0.0.1:0x2
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Successfuly set CCM session in READY state
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Received MobileIP SR Session Update Periodic Sync Event with 80 bytes data
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Parsing SR Version NVSE(67), length 14. Major Version 1, Minor Version 0, Edit version 1
SAMI 7/3: Oct 24 09:25:10.206: MobileIP: SR: Decoding Accounting Attributes NVSE
Example of Periodic Sync Debug Output
SAMI 1/3: Oct 31 21:26:15.280: MobileIP: SR: Adding Mobile IP SR Version NVSE, length 14.
SAMI 1/3: Oct 31 21:26:15.280: MobileIP: SR: Adding Accounting Attributes NVSE
o/p packets = 0, i/p packets = 0,
o/p octets = 0, i/p octets = 0,
elapsed_time = 45356
SAMI 1/3: Oct 31 21:26:15.280: MobileIP: SR: Sending MobileIP SR Session Update Periodic Sync with 68 bytes data
debug ip mobile vpdn-tunnel
To display debugging output for the MIP-LAC feature, use the debug ip mobile vpdn-tunnel command in Privileged EXEC mode. Use the no form of the command to disable the feature.
debug ip mobile vpdn-tunnel [events | detail]
no debug ip mobile vpdn-tunnel [events | detail]
Syntax Description
Defaults
There are no default values.
Command Modes
Privileged EXEC
Command History
Examples
The following example displays debugging output for the debug ip mobile vpdn-tunnel detail command:
Router# debug ip mobile vpdn-tunnel detail
debug radius
To display information associated with RADIUS, use the debug radius command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug radius [accounting | authentication | brief | elog | failover | periodic-sync | retransmit | verbose]
no debug radius [accounting | authentication | brief | elog | failover | retransmit | verbose ]
Syntax Description
Defaults
Debugging output in ASCII format is enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
RADIUS is a distributed security system that secures networks against unauthorized access. Cisco supports RADIUS under the authentication, authorization, and accounting (AAA) security system. When RADIUS is used on the router, you can use the debug radius command to display detailed debugging and troubleshooting information in ASCII format. Use the debug radius brief command for abbreviated output displaying client/server interaction and minimum packet information. Use the debug radius hex command to display packet dump information that has not been truncated in hex format.
Examples
The following is sample output from the debug radius command:
Router# debug radius
SAMI 5/4: Aug 30 19:19:53.575: RADIUS(00000003): Send Accounting-Request to 100.100.0.101:1646 id 1646/2, len 255
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: authenticator 4B 84 16 7F 79 8C E9 8B - 3D BB 51 D4 C9 47 98 CC
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Session-Id [44] 10 "00000003"
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Framed-IP-Address [8] 6 65.1.0.1
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Tunnel-Client-Endpoi[66] 11 "4.0.11.15"
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Vendor, Cisco [26] 30
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Cisco AVpair [1] 24 "mobileip-mn-flags=0x42"
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: User-Name [1] 30 "dgudimet-mip1@term-cause.com"
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Vendor, Cisco [26] 32
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Vendor, 3GPP2 [26] 12
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: cdma-ha-ip-addr [7] 6 4.0.11.16
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Session-Time [46] 6 45
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Input-Octets [42] 6 0
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Output-Octets [43] 6 0
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Input-Packets [47] 6 0
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Output-Packets [48] 6 0
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Terminate-Cause[49] 6 nas-request [10]
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Vendor, Cisco [26] 38
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Cisco AVpair [1] 32 "disc-cause-ext=Call Disconnect"
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Status-Type [40] 6 Stop [2]
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Service-Type [6] 6 Framed [2]
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: NAS-IP-Address [4] 6 100.100.2.117
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Acct-Delay-Time [41] 6 0
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: Received from id 1646/2 100.100.0.101:1646, Accounting-response, len 20
SAMI 5/4: Aug 30 19:19:53.575: RADIUS: authenticator 85 E1 2B 52 56 66 5D 3C - 12 A0 4F 45 52 AB 4C 60
debug tacacs
To display information associated with TACACS, use the debug tacacs command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs [accounting | authentication | authorization | events | packet]
no debug tacacs [accounting | authentication | authorization | events | packet]
Syntax Description
Command Modes
Privileged EXEC
Usage Guidelines
TACACS is a distributed security system that secures networks against unauthorized access. Cisco supports TACACS under the authentication, authorization, and accounting (AAA) security system.
Use the debug aaa authentication command to get a high-level view of login activity. When TACACS is used on the router, you can use the debug tacacs command for more detailed debugging information.
Examples
The following is sample output from the debug aaa authentication command for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.
Router# debug aaa authentication
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
The following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:
Router# debug tacacs
14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15
The following is sample output from the debug tacacs command for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL:
Router# debug tacacs
13:53:35: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 192.48.0.79
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.60.15 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.15
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.60.15 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.15
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.60.15 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.15
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15
firewall ip access-group
To specify that the IP firewall is profile-based, use the firewall ip access-group command in hotline-rules subcommand configuration mode. Use the no form to disable this feature.
firewall ip access-group {acl-no | word} {in | out}
no firewall ip access-group {acl-no | word} {in | out}
Syntax Description
Defaults
There are no default values.
Command Modes
hotline-rules subcommand mode.
Command History
Usage Guidelines
Examples
The following example illustrates the firewall ip access-group command:
router(hotline-rules)# firewall ip access-group 199
ip local pool
To configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface, and to generate traps when pool utilization reaches a high or low threshold (in percent), use the ip local pool command in global configuration mode. To remove a range of addresses from a pool (the longer no form of this command) or to delete an address pool (the shorter no form), use one of the no forms of this command.
ip local pool {default | poolname} [low-ip-address [high-ip-address]] [group group-name] [cache-size size] [priority 0-255] [threshold low-threshold high-threshold] [recycle]
no ip local pool poolname low-ip-address [high-ip-address]
no ip local pool {default | poolname}
Syntax Description
Defaults
No address pools are configured. Any pool created without the optional group keyword is a member of the base system group.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip local pool command to create one or more local address pools from which IP addresses are assigned when a peer connects. You may also add another range of IP addresses to an existing pool. To use a named IP address pool on an interface, use the peer default ip address pool interface configuration command. A pool name can also be assigned to a specific user using authentication, authorization, and accounting (AAA) RADIUS and TACACS functions.
If no named local IP address pool is created, a default address pool is used on all point-to-point interfaces after the ip address-pool local global configuration command is issued. If no explicit IP address pool is assigned, but pool use is requested by use of the ip address-pool local command, the special pool named "default" is used.
The optional group keyword and associated group name allows the association of an IP address pool with a named group. Any IP address pool created without the group keyword automatically becomes a member of a base system group.
An IP address pool name can be associated with only one group. Subsequent use of the same pool name, within a pool group, is treated as an extension of that pool, and any attempt to associate an existing local IP address pool name with a different pool group is rejected. Therefore, each use of a pool name is an implicit selection of the associated pool group.
Note
To reduce the chances of inadvertent generation of duplicate addresses, the system allows creation of the special pool named "default" only in the base system group, that is, no group name can be specified with the pool name "default."
All IP address pools within a pool group are checked to prevent overlapping addresses; however, no checks are made between any group pool member and a pool not in a group. The specification of a named pool within a pool group allows the existence of overlapping IP addresses with pools in other groups, and with pools in the base system group, but not among pools within a group. Otherwise, processing of the IP address pools is not altered by their membership in a group. In particular, these pool names can be specified in peer commands and returned in RADIUS and AAA functions with no special processing.
IP address pools can be associated with Virtual Private Networks (VPNs). This association permits flexible IP address pool specifications that are compatible with a VPN and a VPN routing and forwarding instance (VRF).
The IP address pools can also be used with the translate commands for one-step vty-async connections and in certain AAA or TACACS+ authorization functions. Refer to the chapter "Configuring Protocol Translation and Virtual Asynchronous Devices" in the Cisco IOS Terminal Services Configuration Guide and the "System Management" part of the Cisco IOS Configuration Fundamentals Configuration Guide for more information.
Low and High Thresholds
Cisco Mobile Wireless Home Agent Release 3.1 enhanced the CISCO-IP-LOCAL-POOL-MIB to generate traps when pool utilization reaches a low or high threshold, expressed in percent. The objects "cIpLocalPoolPercentAddrThldLo" and "cIpLocalPoolPercentAddrThldHi" hold the low and high threshold watermarks, respectively.
When the percentage of used addresses in an IP local pool equals or exceeds the high threshold, a "cilpPercentAddrUsedHiNotif" notification is generated. Once the notification is generated, it is disarmed and will not be generated again until the number of used addresses falls below the value indicated by "cIpLocalPoolPercentAddrThldLo".
When the percentage of used addresses in an IP local pool falls below the low threshold, a "cilpPercentAddrUsedLoNotif" notification will be generated. Once the notification is generated, it is disarmed and will not be generated again until the number of used addresses equals or exceeds the value indicated by "cIpLocalPoolPercentAddrThldHi".
IP address pools are displayed with the show ip local pool EXEC command.
Examples
The following example creates a pool of local IP addresses named "XYZPool," which contains all IP addresses in the range 100.1.1.1 to 100.1.1.10. The pool belongs to the group "MWG", and the command specifies a cache size of 50 and low and high thresholds of 50 and 90 percent:
Router(config)# ip local pool XYZPool 100.1.1.1 100.1.1.10 group MWG cache-size 50 threshold 50 90
The following example creates a local IP address pool named "pool2," which contains all IP addresses in the range 172.16.23.0 to 172.16.23.255:
ip local pool pool2 172.16.23.0 172.16.23.255
The following example configures a pool of 1024 IP addresses:
no ip local pool default
ip local pool default 10.1.1.0 10.1.4.255
Note
Although not required, it is good practice to precede local pool definitions with a no form of the command to remove any existing pool, because the specification of an existing pool name is taken as a request to extend that pool with the new IP addresses. If the intention is to extend the pool, the no form of the command is not applicable.
The following example configures multiple ranges of IP addresses into one pool:
ip local pool default 10.1.1.0 10.1.9.255
ip local pool default 10.2.1.0 10.2.9.255
The following examples show how to configure two pool groups and IP address pools in the base system group:
ip local pool p1_g1 10.1.1.1 10.1.1.50 group grp1
ip local pool p2_g1 10.1.1.100 10.1.1.110 group grp1
ip local pool p1_g2 10.1.1.1 10.1.1.40 group grp2
ip local pool lp1 10.1.1.1 10.1.1.10
ip local pool p3_g1 10.1.2.1 10.1.2.30 group grp1
ip local pool p2_g2 10.1.1.50 10.1.1.70 group grp2
ip local pool lp2 10.1.2.1 10.1.2.10
In the example:
• Group grp1 consists of pools p1_g1, p2_g1, and p3_g1.
• Group grp2 consists of pools p1_g2 and p2_g2.
• Pools lp1 and lp2 are not associated with a group and are therefore members of the base system group.
Note that IP address 10.1.1.1 overlaps groups grp1, grp2, and the base system group. Also note that there is no overlap within any group including the base system group, which is unnamed.
The following examples show configurations of IP address pools and groups for use by a VPN and VRF:
ip local pool p1_vpn1 10.1.1.1 10.1.1.50 group vpn1
ip local pool p2_vpn1 10.1.1.100 10.1.1.110 group vpn1
ip local pool p1_vpn2 10.1.1.1 10.1.1.40 group vpn2
ip local pool lp1 10.1.1.1 10.1.1.10
ip local pool p3_vpn1 10.1.2.1 10.1.2.30 group vpn1
ip local pool p2_vpn2 10.1.1.50 10.1.1.70 group vpn2
ip local pool lp2 10.1.2.1 10.1.2.10
The examples show configuration of two pool groups, including pools in the base system group, as follows:
• Group vpn1 consists of pools p1_vpn1, p2_vpn1, and p3_vpn1.
• Group vpn2 consists of pools p1_vpn2 and p2_vpn2.
• Pools lp1 and lp2 are not associated with a group and are therefore members of the base system group.
Note that IP address 10.1.1.1 overlaps groups vpn1, vpn2, and the base system group. Also note that there is no overlap within any group including the base system group, which is unnamed.
The VPN needs a configuration that selects the proper group by selecting the proper pool based on remote user data. Thus, each user in a given VPN can select an address space using the pool and associated group appropriate for that VPN. Duplicate addresses in other VPNs (other group names) are not a concern, because the address space of a VPN is specific to that VPN.
In the example, a user in group vpn1 is associated with some combination of the pools p1_vpn1, p2_vpn1, and p3_vpn1, and is allocated addresses from that address space. Addresses are returned to the same pool from which they were allocated.
Here is example output from Cisco IOS Release 12.4(22)YD that illustrates the recycle keyword:
Router(config)#ip local pool xyz 1.1.1.1 ?
  A.B.C.D     Last IP address of range
  cache-size  Number of free entries to search
  group       Create ip local pool group
  priority    Priority metric
  recycle     recycle address before reuse
  threshold   Threshod percentage for pool group range
  <cr>
Router(config)#ip local pool xyz 1.1.1.1 1.1.1.11 ?
  cache-size  Number of free entries to search
  group       Create ip local pool group
  priority    Priority metric
  recycle     recycle address before reuse
  threshold   Threshod percentage for pool group range
  <cr>
Router(config)#ip local pool xyz 1.1.1.1 1.1.1.11 recycle ?
  delay  Delay before address is available for reassignment
Router(config)#ip local pool xyz 1.1.1.1 1.1.1.11 recycle delay ?
  <0-65535>  recycle delay in Seconds
mwtbg28-6500a-5-3(config)#ip local pool xyz 1.1.1.1 1.1.1.11 recycle delay 3 ?
  cache-size  Number of free entries to search
  threshold   Threshod percentage for pool group range
  <cr>
Related Commands
ip mobile cdma ha-chap send attribute
To include the Mobile Equipment Identifier (MEID) in the HA-CHAP access request, use the ip mobile cdma ha-chap send attribute command in global configuration mode. To disable this feature, use the no form of the command.
ip mobile cdma ha-chap send attribute [A1 | A2 | A3]
no ip mobile cdma ha-chap send attribute [A1 | A2 | A3]
Syntax Description
A1
(Optional) Send A1 (Calling Station id) in ha-chap.
A2
(Optional) Send A2 (ESN) in ha-chap.
A3
(Optional) Send A3 (MEID) in ha-chap.
Defaults
There are no default values.
Command Modes
Global configuration
Command History
Usage Guidelines
The MEID is a new attribute introduced in IS-835D that will eventually replace the ESN. In the interim, both attributes are supported on the Home Agent.
The MEID NVSE will be appended by the PDSN node to the Mobile IP RRQ. When the MEID NVSE is received on the HA, and the ip mobile cdma ha-chap send attribute A3 command is configured, then the MEID value is included in the HA-CHAP access request.
Examples
The following example illustrates the ip mobile cdma ha-chap send attribute A3 command:
ip mobile cdma ha-chap send attribute A3
ip mobile debug include username
To display the username or IMSI condition with each debug statement, use the ip mobile debug include username command. To disable this function, use the no form of the command.
ip mobile debug include username
no ip mobile debug include username
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
The following example illustrates the ip mobile debug include username command:
Router# ip mobile debug include username
ip mobile home-agent
To enable and control Home Agent services on the router, use the ip mobile home-agent global configuration command. To disable these services, use the no form of this command.
ip mobile home-agent [home-agent address] [accounting] [binding overwrite] [broadcast] [care-of-access acl] [data-path-idle minutes] [dynamic-address] [lifetime number] [aaa | attribute framed-pool] [message-string] [nat-detect] [redundancy] [reject-static-addr] [revocation] [replay seconds] [resync-sa] [reverse-tunnel off] [roam-access acl] [hotline profile profile-id] [strip-realm] [suppress-unreachable] [local-timezone] [nat] [unknown-ha [accept | deny]] [send-mn-address]
no ip mobile home-agent [home-agent address] [accounting] [binding overwrite] [broadcast] [care-of-access acl] [data-path-idle] [dynamic-address] [lifetime number] [aaa | attribute framed-pool] [message-string] [nat-detect] [redundancy] [reject-static-addr] [revocation] [replay seconds] [resync-sa] [reverse-tunnel off] [roam-access acl] [hotline profile profile-id] [strip-realm] [suppress-unreachable] [local-timezone] [nat] [unknown-ha [accept | deny]] [send-mn-address]
Syntax Description
Defaults
This command is disabled by default. Broadcasting is disabled by default. Reverse tunnel support is enabled by default. ICMP Unreachable messages are sent by default.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls Home Agent services on the router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered mobile nodes are unaffected. Tunnels are shared by mobile nodes registered with the same endpoints, so the reverse-tunnel-off keyword also affects registered mobile nodes.
The Home Agent is responsible for processing registration requests from the mobile node and setting up tunnels and routes to the care-of address. Packets to the mobile node are forwarded to the visited network.
The Home Agent will forward broadcast packets to mobile nodes if they registered with the service. However, heavy broadcast traffic utilizes the CPU of the router. The Home Agent can control where the mobile nodes roam by the care-of-access parameter, and which mobile node is allowed to roam by the roam-access parameter.
When a registration request comes in, the Home Agent ignores it if Home Agent service is not enabled or the security association of the mobile node is not configured. The latter condition applies because the security association must be available for the MH authentication extension in the reply. If a security association exists for the Foreign Agent (IP source address or care-of address in the request), the Foreign Agent is authenticated first, and then the mobile node is authenticated. The Identification field is verified to protect against replay attacks. The Home Agent checks the validity of the request (see Table 5) and sends a reply. (Reply codes are listed in Table 6.) A security violation is logged when Foreign Agent authentication, MH authentication, or Identification verification fails. (The violation reasons are listed in Table 7.)
After registration is accepted, the Home Agent creates or updates the mobility binding of the mobile node, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no mobile nodes are using it), and gratuitous ARPs are sent out if the mobile node is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the HA uses the entire NAI string as the username for authentication (which may be against a local security association or one retrieved from the AAA server). The strip-realm keyword instructs the HA to strip off the realm part of the NAI (if present) before performing authentication, so the mobile station is identified by only the username part of the NAI.
When a packet destined for the mobile node arrives at the Home Agent, the Home Agent encapsulates it and tunnels it to the care-of address. If the Don't Fragment (DF) bit is set in the packet, the DF bit of the outer IP header is also set. This allows Path MTU Discovery to set the MTU of the tunnel. Subsequent packets larger than the MTU of the tunnel are dropped and an ICMP "datagram too big" message is sent to the source. If the Home Agent loses the route to the tunnel endpoint, the host route to the mobile node is removed from the routing table until the tunnel route is available again. Packets destined for the mobile node without a host route are sent out the interface (home link) or to the virtual network (see the description of the suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the Home Agent sends a copy to all mobile nodes registered with the broadcast routing option.
Table 5 describes how the Home Agent treats registrations with various bits set when authentication and identification are passed.
Table 6 lists the Home Agent registration reply codes.
Table 7 lists security violation codes.
Table 7 Security Violation Codes
Code  Reason
1     No mobility security association.
2     Bad authenticator.
3     Bad identifier.
4     Bad SPI.
5     Missing security extension.
6     Other.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent ?
  aaa                   HA AAA access settings
  accounting            Enable Home Agent accounting
  address               HA address for virtual networks
  broadcast             Enable forwarding of broadcast packets
  care-of-access        Care-of roaming capability access-list
  data-path-idle        Allowed idle time (in minutes)<1-65535>
  dynamic-address       Configure Dynamic HA assignment address
  lifetime              Global lifetime for mobile hosts
  local-timezone        Use Local Time Zone to generate Identification Fields
  nat                   NAT traversal settings
  nat-detect            Enable NAT detect on Home Agent
  redundancy            Home Agent redundancy operation
  reject-static-addr    Reject Used Mobile Node Static IP Addr Request
  replay                Set replay protection timestamp value for all SAs
  resync-sa             Turn on resync of SA after failure
  reverse-tunnel        Reverse Tunneling for Mobile IP
  revocation            Enable Registration Revocation
  roam-access           Mobile host roaming capability access-list
  send-mn-address       Send MN address as Framed-IP-Address in HA-CHAP
  strip-realm           Strip off NAI realm part
  suppress-unreachable  Disable sending ICMP unreachable
  template              Configure a tunnel template for tunnels to the Home Agent
  unknown-ha            Unknown HA address in registration request
Here is an example of the framed-pool attribute:
ip mobile home-agent aaa attribute Framed-Pool
ip local pool haPool 70.1.1.1 70.1.1.254
ip mobile home-agent
ip mobile virtual-network 70.1.1.0 255.255.255.0
ip mobile host nai @cisco.com interface FastEthernet1/0 aaa load-sa
Here is an example of the ip mobile home-agent data-path-idle command for 60 minutes:
Router(config)#ip mobile home-agent data-path-idle 60
Here is an example of how to overwrite an existing binding with the binding-overwrite option:
router(config)# ip mobile home-agent binding-overwrite
ip local pool cisco-pool 5.1.0.1 5.1.1.0
ip mobile host nai @cisco.com address pool local cisco-pool interface Null0 aaa load-sa
Related Commands
ip mobile home-agent accounting
To enable the Home Agent accounting feature, use the ip mobile home-agent accounting command in global configuration mode.
ip mobile home-agent accounting {method name| default}
Syntax Description
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
The Home Agent cannot open more than 100k bindings if HA Accounting feature is enabled.
Examples
The following example illustrates the ip mobile home-agent accounting command:
Router# ip mobile home-agent accounting method name
ip mobile home-agent author-fail send-response
To configure the HA to send an RRP to the FA even if AAA sends an Access-Reject or AAA does not respond, use the ip mobile home-agent author-fail send-response global configuration command. Use the no form of the command to disable this feature.
ip mobile home-agent author-fail send-response
no ip mobile home-agent author-fail send-response
Syntax Description
There are no keywords or arguments for this command.
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
When this command is configured, the HA sends an RRP to the FA even if AAA sends Access-Reject or AAA does not respond. This RRP contains MHAE filled with all zeros and also error code "MN Failed Authentication". This RRP does not contain FHAE even if FHAE is enabled for that FA.
Examples
The following example illustrates the ip mobile home-agent author-fail send-response command:
Router(config)#ip mobile home-agent author-fail send-response
ip mobile home-agent binding-overwrite
To enable deletion of stale bindings identified by the Home Address, MAC address, and NAI information in the registration request, use the ip mobile home-agent binding-overwrite global configuration command. Use the no form of the command to disable this feature.
ip mobile home-agent binding-overwrite
no ip mobile home-agent binding-overwrite
Syntax Description
There are no keywords or arguments for this command.
Defaults
The feature is disabled by default.
Command Modes
Global configuration.
Command History
Examples
Here is an example of the ip mobile home-agent binding-overwrite command:
Overwrite Existing Binding HA Config
ip mobile home-agent binding-overwrite
ip local pool cisco-pool 5.1.0.1 5.1.1.0
ip mobile host nai @cisco.com address pool local cisco-pool interface Null0 aaa load-sa
FA Config
simulator mip mn profile 3
 registration lifetime 65535
 registration retries 0
 registration flags 42
 revocation flags 00
 home-agent 81.81.81.81
 secure home-agent spi 100 key ascii cisco
 secure aaa spi 2 key ascii cisco
 nai cisco-%f@cisco.com
 pmip skip subtype 2 idtype mac
 no extension mn-aaa
 no extension mn-fa
 no extension nat traversal
 extension revocation
simulator mip mn profile 4
 registration lifetime 65535
 registration retries 0
 registration flags 42
 revocation flags 00
 home-agent 81.81.81.81
 home-address 5.0.0.2 0
 secure home-agent spi 100 key ascii cisco
 secure aaa spi 2 key ascii cisco
 nai pepsi-%f@cisco.com
 pmip skip subtype 2 idtype mac
 no extension mn-aaa
 no extension mn-fa
 no extension nat traversal
 extension revocation
simulator mip scenario 3
 mn profile 3
 fa 2.2.2.200
 mn id 20
simulator mip scenario 4
 mn profile 4
 fa 2.2.2.200
 mn id 21
ip mobile home-agent congestion
To configure the HA to take a predefined action when congestion reaches a predefined threshold, use the ip mobile home-agent congestion global configuration command. Use the no form of the command to disable this feature.
ip mobile home-agent congestion dfp_weight action {reject | abort | redirect HA-address | drop data-path-idle minutes}
no ip mobile home-agent congestion
Syntax Description
Defaults
The default DFP value is that corresponding to 70% congestion state.
Command Modes
Global configuration
Command History
Usage Guidelines
Congestion action configurations are mutually exclusive. You must explicitly configure congestion and the corresponding weight.
The DFP weight at which congestion occurs is configurable. The default DFP value is that corresponding to a "70% congestion state". The default value is 0.
The DFP value used is calculated solely for the control processor in the Single IP model.
When the congestion state is reached, four possible actions can occur:
1. Reject: Reject any new call attempts. This is the behavior of Home Agent 4.0 and is the default behavior of this feature.
2. Reject and Abort: Reject any new call attempts and abort any in-progress calls. In-progress means any MIP registration where the Registration Request has been received and the Registration Reply has not yet been sent. The rejection is indicated by sending a MIP Registration Reply with error code 130 (insufficient resources).
3. Reject, Abort and Redirect: Reject any new call attempts and abort any in-progress calls. In-progress means any MIP registration where the Registration Request has been received and the Registration Reply has not yet been sent. The rejection is indicated by sending a MIP Registration Reply with error code 136 (unknown Home Agent address). The Home Agent address field contains the address of the Home Agent to which the call attempt should be redirected. The redirect address is configured globally on the Home Agent.
4. Drop: Drop existing calls based on Data Path Idle Timer evaluation. Any binding whose data path idle time has surpassed the configured value is released. This event sends a Resource Revocation message, if configured. If Resource Revocation is not configured, the binding is silently removed as if a local binding clear had been requested.
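The four actions above, as an added example (not Cisco code): a Python model that applies the configured action to a constructed snapshot of in-progress registrations and bindings, using the reply codes 130 and 136 from the text. The class names, the NAIs, the redirect address 192.0.2.10, the code used for plain reject and the treatment of a DFP weight equal to the threshold are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# MIP Registration Reply codes named in the text.
REPLY_INSUFFICIENT_RESOURCES = 130
REPLY_UNKNOWN_HOME_AGENT = 136


@dataclass
class Binding:
    nai: str
    idle_minutes: int            # time since the binding last carried data-path traffic


@dataclass
class CongestionPolicy:
    """One 'ip mobile home-agent congestion dfp_weight action ...' line."""
    threshold: int                        # dfp_weight at which congestion occurs
    action: str                           # reject | abort | redirect | drop
    redirect_to: Optional[str] = None     # HA-address for the redirect action
    data_path_idle: Optional[int] = None  # minutes for the drop action
    revocation_enabled: bool = False      # whether Resource Revocation is configured

    def __post_init__(self) -> None:
        if self.action == "redirect" and not self.redirect_to:
            raise ValueError("redirect needs an HA-address")
        if self.action == "drop" and self.data_path_idle is None:
            raise ValueError("drop needs data-path-idle minutes")


@dataclass
class HomeAgent:
    policy: CongestionPolicy
    dfp_value: int = 0                                    # current DFP weight
    bindings: List[Binding] = field(default_factory=list)
    in_progress: List[str] = field(default_factory=list)  # RRQ received, RRP not yet sent

    def congested(self) -> bool:
        # The page's sample output shows "Congested" with DFP value 9 and threshold 10;
        # counting a value equal to the threshold as congested is this model's assumption.
        return self.dfp_value <= self.policy.threshold

    def _rejection(self) -> Tuple[int, Optional[str]]:
        """Reply code (and redirect address) used for rejected and aborted calls."""
        if self.policy.action == "redirect":
            return REPLY_UNKNOWN_HOME_AGENT, self.policy.redirect_to
        # The text names no code for plain 'reject'; 130 is used here (assumption).
        return REPLY_INSUFFICIENT_RESOURCES, None

    def new_rrq(self, nai: str) -> Tuple[object, Optional[str]]:
        """Handle a fresh Registration Request: reject it or start processing it."""
        if self.congested() and self.policy.action != "drop":
            return self._rejection()
        # Healthy HA, or 'drop' (which only releases idle bindings): keep processing.
        self.in_progress.append(nai)
        return "processing", None

    def evaluate_congestion(self) -> Dict[str, list]:
        """Apply the configured action once the congestion state is reached."""
        out: Dict[str, list] = {"aborted": [], "dropped": [], "revoked": []}
        if not self.congested():
            return out
        if self.policy.action in ("abort", "redirect"):
            code, redirect = self._rejection()
            out["aborted"] = [(nai, code, redirect) for nai in self.in_progress]
            self.in_progress.clear()
        elif self.policy.action == "drop":
            keep = []
            for b in self.bindings:
                if b.idle_minutes > self.policy.data_path_idle:
                    out["dropped"].append(b.nai)
                    if self.policy.revocation_enabled:
                        out["revoked"].append(b.nai)   # Resource Revocation message sent
                else:                                  # otherwise removed silently
                    keep.append(b)
            self.bindings = keep
        return out


def demo_redirect():
    """Weight falls under the threshold while one registration is in flight."""
    ha = HomeAgent(CongestionPolicy(threshold=10, action="redirect",
                                    redirect_to="192.0.2.10"), dfp_value=40)
    ha.new_rrq("mn1@example.com")           # admitted while the HA is healthy
    ha.dfp_value = 9                        # load rises, weight drops below 10
    aborted = ha.evaluate_congestion()["aborted"]
    return aborted, ha.new_rrq("mn2@example.com")


def demo_drop():
    """Drop action: only bindings idle longer than data-path-idle are released."""
    policy = CongestionPolicy(threshold=10, action="drop", data_path_idle=30,
                              revocation_enabled=True)
    ha = HomeAgent(policy, dfp_value=9, bindings=[Binding("idle@example.com", 45),
                                                 Binding("busy@example.com", 2)])
    result = ha.evaluate_congestion()
    return result, [b.nai for b in ha.bindings]
```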
Examples
Here is sample output that shows a congested state:
router#show ip mobile home-agent congestion
Home Agent congestion information :
Current congestion level: Congested
Configured Action : Abort
Configured threshold : 10
Current DFP value = 9
ip mobile home-agent dynamic-address
To set the Home Agent Address field in a Registration Response packet, use the ip mobile home-agent dynamic-address command in global configuration mode. Use the no form of the command to disable this feature or to reset the field.
ip mobile home-agent dynamic-address ip address
no ip mobile home-agent dynamic-address ip address
Syntax Description
Defaults
The Home Agent Address field will be set to ip address.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent dynamic-address command:
Router# ip mobile home-agent dynamic-address 1.1.1.1
ip mobile home-agent foreign-agent
To select either 3gpp2 or WiMax access-type for a subscriber based on the IP address of the Foreign Agent through which the request came, or to enable or disable FA authentication for that FA, use the ip mobile home-agent foreign-agent global configuration command. Use the no form of the command to disable this feature.
ip mobile home-agent foreign-agent {default | {ip-address mask}} access-type {3gpp2 | wimax} {disable-fhae | enable-fhae}
no ip mobile home-agent foreign-agent {default | {ip-address mask }} access-type {3gpp2 | wimax} {disable-fhae | enable-fhae}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Release      Modification
12.4(15)XM   This command was introduced.
12.4(22)YD   The enable-fhae and disable-fhae keywords were added.
Usage Guidelines
This configuration is not considered if the respective access-type is not configured under RADIUS, for example radius-server vsa send authentication 3gpp2/wimax for authentication and radius-server vsa send accounting 3gpp2/wimax for accounting.
In Cisco Home Agent Release 5.0, the actions taken based on the tech-type value take precedence over any locally-configured per-Foreign Agent Access Type configuration introduced in HA 4.0. For example, if the locally configured value indicates 3GPP2 and the tech-type value indicates wimax, then the actions for WiMax are taken.
enable-fhae ensures that all control messages (RRQs, RRPs and revocation messages) to and from the FAs defined by ip-address and mask (or all FAs, with the default keyword) carry FHAE. The exception is RRPs sent when AAA returns an Access-Reject or does not respond and the ip mobile home-agent author-fail send-response feature is enabled.
disable-fhae rejects RRQs and revocation messages with FHAE from FAs defined by ip-address and mask (or for all FAs on the default keyword). If RRQs with FHAE are received, then an RRP with FA Failed authentication error is sent.
If a Wimax FA is not configured with enable-fhae or disable-fhae, and the RRQs from that FA have FHAE, then FHAE is mandated for that FA after successful authentication, and is the current behavior.
Examples
The following example illustrates the ip mobile home-agent foreign-agent access-type command:
router(config)#ip mobile home-agent foreign-agent ?
  A.B.C.D  Foreign Agent address
  default  Default Access-type
router(config)#ip mobile home-agent foreign-agent default ?
  access-type  Access-Type
router(config)#ip mobile home-agent foreign-agent 10.109.1.1 ?
  A.B.C.D  Foreign Agent mask
router(config)#$ome-agent foreign-agent 10.109.1.1 255.255.255.0 ?
  access-type  Access-Type
router(config)#$ome-agent foreign-agent 10.109.1.0 255.255.255.0 ac
router(config)#$foreign-agent 10.109.1.0 255.255.255.0 access-type ?
  3gpp2  3GPP2 Access-type
  wimax  WIMAX Access-type
router(config)#$foreign-agent 10.109.1.0 255.255.255.0 access-type
ip mobile home-agent host-config url
To configure a URL on the HA that allows the MN to download configuration parameters, use the ip mobile home-agent host-config url command in global configuration mode. Use the no form of the command to disable the feature.
ip mobile home-agent host-config url
no ip mobile home-agent host-config url
Syntax Description
url
The generic url that you can specify that allows the MN to download its configuration parameters.
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is necessary because sometimes the HA is not able to provide the configuration requested by the MN. This command configures a generic site specified by the URL that helps the MN to download its configuration parameters.
Examples
The following example illustrates the ip mobile home-agent host-config command:
Router(config)# ip mobile home-agent host-config http://www.cisco.com
ip mobile home-agent hotline
To distinguish Profile or Rule based hot-lining for each user (MN), and to enter the hotline-rules sub configuration mode, use the ip mobile home-agent hotline command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent hotline {profile word}
no ip mobile home-agent hotline {profile word}
Syntax Description
profile word
Denotes whether hotlining will be profile based, or rule based. If not configured, hotlining will be rule based.
Defaults
The default value is rule based hotlining.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent hotline command:
Router(config)# [no] ip mobile home-agent hotline profile word
Router(hotline-rules)#
Router(hotline-rules)#?
  exit      Exit from hotline profile configuration mode
  firewall  Firewall Rules
  no        Negate the hotline rules
  redirect  Redirection Rules
ip mobile home-agent max-binding
To limit the number of bindings that can be opened on the HA, use the ip mobile home-agent max-binding command in global configuration mode. Use the no form of the command to disable the feature.
ip mobile home-agent max-binding max-binding value
no ip mobile home-agent max-binding max-binding value
Syntax Description
Defaults
This CLI limits the number of bindings that can be opened on the HA. The default value is 500,000 with a maximum configurable value of 1 million. The range of the max-binding-value is between 1 and 1,000,000.
Command Modes
Global configuration
Command History
Release      Modification
12.4(15)XM   This command was introduced.
12.4(22)YD   The default and maximum binding values were changed to 500,000 and 1,000,000.
Examples
The following example illustrates the ip mobile home-agent max-binding command:
Router# ip mobile home-agent max-binding 500000
ip mobile home-agent redundancy
To configure the Home Agent for redundancy, use the ip mobile home-agent redundancy subcommand under the ip mobile home-agent global configuration command. To remove the address, use the no form of this command.
ip mobile home-agent redundancy
no ip mobile home-agent redundancy
Syntax Description
There are no keywords or arguments for this command.
Defaults
There are no default values.
Command Modes
Subcommand of the ip mobile home-agent global configuration command.
Command History
Release      Modification
12.0(2)T     This command was introduced.
12.3(7)XJ1   The mode active-standby option was added.
12.4(22)YD   All keywords and arguments were removed.
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
Examples
The following is sample output from the ip mobile home-agent redundancy command that specifies an HSRP group name of SanJoseHA:
Router# ip mobile home-agent redundancy
ip mobile home-agent reject-static-addr
To configure the HA to reject Registration Requests from MNs under certain conditions, use the ip mobile home-agent reject-static-addr sub-command under the ip mobile home-agent global configuration command.
ip mobile home-agent reject-static-addr
Syntax Description
This command has no arguments or keywords.
Command Modes
Sub-command of the ip mobile home-agent global configuration command.
Command History
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
If an MN that already has a binding on the HA with a static address tries to register with the same static address again, the HA rejects the second RRQ from the MN.
Examples
The following example illustrates the ip mobile home-agent reject-static-addr command:
Router# ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
To configure the HA to clear out the old cached security associations and requery the AAA server, use the ip mobile home-agent resync-sa global configuration command.
ip mobile home-agent resync-sa x
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
When an MN tries to reregister with the HA, the time elapsed since the original timestamp is checked. If that period is less than x and the MN fails authentication, the HA does not requery the AAA server for another SA.
If the MN reregisters with the HA, the time between registrations is greater than x, and the MN fails registration, the HA clears out the old SA and requeries the AAA server.
Examples
The following example illustrates the ip mobile home-agent resync-sa command:
Router# ip mobile home-agent resync-sa 10
ip mobile home-agent revocation
To enable support for MIPv4 Registration Revocation on the HA, use the ip mobile home-agent revocation command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent revocation [timeout 1-100] [retransmit 0-100] [timestamp msec] [ignore 1-99 | 1300-1999 | word fa access-list name]
no ip mobile home-agent revocation [timeout 1-100] [retransmit 0-100] [timestamp msec]
Syntax Description
Defaults
The timeout default setting is 3 seconds, the retransmit default setting is 3 retransmissions, and the default timestamp setting is seconds.
Command Modes
Global configuration.
Command History
Examples
The following example illustrates the ip mobile home-agent revocation command:
Router# (config)#ip mobile home-agent revoc timeout ?
<1-100> Wait time (default 3 secs)
Router# (config)#ip mobile home-agent revoc retransmit ?
<0-100> Number of retries for a transaction (default 3)
ip mobile home-agent revocation ignore
To enable the HA to send a revocation acknowledgement to the PDSN/FA but not delete the binding, use the ip mobile home-agent revocation ignore global configuration command. Use the no form of the command to disable this function.
ip mobile home-agent revocation ignore fa acl
no ip mobile home-agent revocation ignore fa acl
Syntax Description
fa-acl
Specifies either an acl number 1-99, an FA Standard expanded Access-list number 1300-1999, or an FA Access-list name.
Defaults
There are no default values.
Command Modes
Global configuration.
Command History
Usage Guidelines
When a subscriber roams between their service provider's network and a partner service provider's network, the PDSN gateway sends a Resource Revocation message to the Home Agent to remove the subscriber. This causes timing problems, so Selective FA Revocation selectively ignores these "remove subscriber" requests. Revocation is handled on a per-Foreign Agent basis: a given HA is statically configured with a list of Foreign Agents whose "remove subscriber" messages it ignores.
With Selective FA Revocation, the Hybrid PDSN/FA goes through the above conditions and sends the revocation to the Home Agent. In this case, however, the HA ignores the revocation but still sends an RR response to the PDSN.
As a result, the MN and Home Agent still have a binding state but the PDSN/FA no longer has a PPP session/visitor table entry. Eventually, the mobile goes active and has Data Ready to Send, where the 1x RF channel DRS=1 is included. In this scenario, the VLR is not queried and the OpenRP message to the PDSN has MEI set to 1. Regardless of the MEI value, the PDSN will initiate PPP, and send a RRQ with the previously assigned home address. In this case HA will accept the Re-registration.
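Selective FA Revocation as an added example (not Cisco code): a Python model that matches the FA's care-of address against a standard ACL like the page's fa_acl1 and then acknowledges the revocation while keeping or deleting the binding, so that the later re-registration with the same home address finds the binding intact. StdAclEntry, HomeAgent, the NAIs and the home addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class StdAclEntry:
    """One line of an IOS standard ACL; 'permit 5.1.1.4' is a host entry."""
    permit: bool
    network: IPv4Address
    wildcard: IPv4Address = IPv4Address("0.0.0.0")

    def matches(self, addr: IPv4Address) -> bool:
        # Wildcard bits set to 1 are "don't care" bits, as in IOS ACLs.
        care = 0xFFFFFFFF ^ int(self.wildcard)
        return (int(addr) & care) == (int(self.network) & care)


def acl_permits(acl: List[StdAclEntry], addr: IPv4Address) -> bool:
    """First matching entry decides; no match falls through to the implicit deny."""
    for entry in acl:
        if entry.matches(addr):
            return entry.permit
    return False


@dataclass
class HomeAgent:
    # ACL named by 'ip mobile home-agent revocation ignore <acl>'; None = not configured.
    ignore_acl: Optional[List[StdAclEntry]] = None
    bindings: Dict[str, IPv4Address] = field(default_factory=dict)   # NAI -> home address

    def handle_revocation(self, fa: IPv4Address, nai: str) -> Tuple[str, bool]:
        """Process a Resource Revocation from FA/care-of address `fa` for MN `nai`.
        Returns (what happened to the binding, whether an acknowledgement was sent)."""
        if self.ignore_acl is not None and acl_permits(self.ignore_acl, fa):
            # Selective FA Revocation: acknowledge the PDSN/FA but keep the binding.
            return "ignored", True
        self.bindings.pop(nai, None)
        return "deleted", True

    def binding_intact(self, nai: str, home_address: IPv4Address) -> bool:
        """True when a later RRQ with the previously assigned home address still
        finds its binding, which is why the HA accepts that re-registration."""
        return self.bindings.get(nai) == home_address


def demo() -> Tuple[Tuple[str, bool], Tuple[str, bool], bool, List[str]]:
    """Walk through the page's examples: FA 5.1.1.4 is ignored, other FAs are not."""
    fa_acl1 = [StdAclEntry(True, IPv4Address("5.1.1.4"))]   # 'permit 5.1.1.4'
    ha = HomeAgent(ignore_acl=fa_acl1, bindings={
        "mn1@example.com": IPv4Address("10.1.1.1"),          # constructed sample bindings
        "mn2@example.com": IPv4Address("10.1.1.2"),
    })
    r1 = ha.handle_revocation(IPv4Address("5.1.1.4"), "mn1@example.com")
    r2 = ha.handle_revocation(IPv4Address("5.1.1.9"), "mn2@example.com")
    still = ha.binding_intact("mn1@example.com", IPv4Address("10.1.1.1"))
    return r1, r2, still, sorted(ha.bindings)
```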
Examples
Here is an example of the ip mobile home-agent revocation ignore command:
You can ignore revocation from the FA by specifying the standard access-list number or standard access-list name.
Configuring access-list name to ignore the requests from COA 5.1.1.4
Router(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name
Router(config)#ip access-list standard fa_acl1
Router(config-std-nacl)#permit 5.1.1.4
Configuring access-list number to ignore the requests from COA 5.1.1.5
Router(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name
Router(config)#ip access-list standard 1
Router(config-std-nacl)#permit 5.1.1.5
Configuring access-list name to selectively ignore requests from FA 5.1.1.4. This associates the ACL created above with the ip mobile home-agent revocation ignore command.
Router(config)#ip mobile home-agent revocation ignore ?
  <1-99>  fa Access-list number
  WORD    fa Access-list name
Router(config)#ip mobile home-agent revocation ignore fa_acl1
Configuring the access-list number to selectively ignore requests from FA 5.1.1.5
Router(config)#ip mobile home-agent revocation ignore 1
ip mobile home-agent switchover aaa swact-notification
To send a Switchover-Action (swact) Notification after a switchover in the Accounting watchdog/stop messages for each MIP session, use the ip mobile home-agent switchover aaa swact-notification global configuration command. Use the no form of the command to disable this feature.
ip mobile home-agent switchover aaa swact-notification
no ip mobile home-agent switchover aaa swact-notification
Syntax Description
There are no keywords or arguments for this command.
Defaults
The command is disabled by default.
Command History
Examples
This example configures the HA to send swact notification in an accounting message for each mip session:
router(config)# ip mobile home-agent switchover aaa swact-notification
ip mobile home-agent template tunnel
To configure a Home Agent to use the template tunnel, use the ip mobile home-agent template tunnel command in global configuration mode. Use the no form to disable this feature.
ip mobile home-agent template tunnel interface id address home agent address
no ip mobile home-agent template tunnel interface id address home agent address
Syntax Description
Defaults
There are no default values.
Command Modes
Global configuration.
Command History
Examples
The following example illustrates the ip mobile home-agent template tunnel command:
Router(config)# interface tunnel 10
Router(config-if)# ip access-group 150 in -------> apply access-list 150
Router(config)# access-list 150 deny ip any 10.10.0.0 0.255.255.255
Router(config)# access-list 150 permit ip any any -------> permit all but traffic to the 10.10.0.0 network
Router(config)# ip mobile home-agent template tunnel 10 address 10.0.0.1
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host global configuration command. For PDSN, use this command to configure the static IP address or address pool for multiple flows with the same NAI.
ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | vpdn-tunnel | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa permanent]] [authorized-pool pool] [skip-aaa-reauthentication [reregistration | deregistration]] [care-of-access acl] [lifetime number]
no ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | vpdn-tunnel | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa permanent]] [authorized-pool pool] [skip-aaa-reauthentication [reregistration | deregistration]] [care-of-access acl] [lifetime number]
Syntax Description
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the Home Agent. These mobile nodes belong to the network on an interface or a virtual network (using the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from an AAA server. When using an AAA server, the router will attempt to download all security associations when the command is entered. If no security associations are retrieved, retrieval will be attempted when a registration request arrives or the clear ip mobile secure command is entered.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 8 are based on the assumption of one security association per mobile node.
The nai keyword allows you to specify a particular mobile station or range of mobile stations. The mobile station can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool). Or, the mobile station can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the PDSN proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The vpdn-tunnel option is added to the ip mobile host command. This keyword is mandatory to bring up the MIP-LAC tunnel. You must also configure the vpdn-tunnel virtual-template option of the ip mobile realm command to enable the MIP-LAC feature. Every MIP session matching this realm is mapped to a corresponding L2TP session. When MIP-LAC is enabled for a user and the HA does not go to AAA for authentication/authorization, the local configuration is checked for VPDN parameters.
The address pool can be defined by a local pool or using a DHCP proxy client. For DHCP, the interface name specifies the address pool from which the DHCP server selects and dhcp-server specifies DHCP server address.
Security associations can be stored using one of three methods:
• On the router
• On the AAA server, retrieving the security association each time a registration comes in
• On the AAA server, retrieving and storing the security association
Each method has advantages and disadvantages, which are described in Table 8.
Note
With load-sa, the security association downloaded from AAA will be cached and stored in the HA so that no RADIUS requests are needed to download a security association for a mobile for renewal. To avoid going to AAA for authentication when mobile ip re-registration message (RRQ) is received, or during closure of session when RRQ(0) is received, use the skip-aaa-reauthentication option.
Note
On the Mobile Wireless Home Agent, the following conditions apply:
If the aaa load-sa option is configured, the Home Agent caches the SA locally on first registration. In this case the Home Agent will not invoke the RADIUS authorization procedure for re-registration.
If aaa load-sa skip-aaa-reauthentication is configured, the Home Agent caches the SA locally on first registration; however, the Home Agent will not invoke HA-CHAP procedure for re-registration.
The aaa load-sa permanent option is not supported on the Mobile Wireless Home Agent, and should not be configured.
Note
In Release 5.0, the ip mobile host nai string aaa load-sa skip-aaa-reauth [reregistration | deregistration] configuration is applied only when the MN's NAI matches the configured NAI.
By default, authentication occurs for all three events listed in the configuration. If the above CLI is not configured, authentication happens at the registration, re-registration and de-registration events. Note, however, that if the MN arrives with a new SPI, the skip-aaa-reauth configuration is ignored for that user.
Authentication for the re-registration and de-registration events can be configured on a per-realm (i.e. VRF) basis: ip mobile host nai string aaa load-sa skip-aaa-reauth [reregistration | deregistration]
The default configuration, ip mobile host nai string aaa load-sa, authenticates all three events. Assuming that default is in place:
• ip mobile host nai string aaa load-sa skip-aaa-reauth results in AAA authentication for registration only.
• ip mobile host nai string aaa load-sa skip-aaa-reauth deregistration results in AAA authentication for registration and reregistration.
• ip mobile host nai string aaa skip-chap results in no authentication for the initial registration, reregistration, and deregistration events.
• ip mobile host nai string aaa load-sa skip-aaa-reauth reregistration results in AAA authentication for registration and deregistration only.
Note
The load-sa keyword causes the HA to download and locally store the security attributes for mobile-home authentication for the entire session. Without this parameter, the HA does not locally store the security attributes for mobile-home authentication and must retrieve them from AAA for each subsequent re-registration or de-registration.
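To see how these options combine on a real configuration, here is an added example (not Cisco's code) that audits ip mobile host nai lines from a constructed running-config excerpt and reports which events still reach AAA for a given MN. The realm-suffix NAI matching rule and the config excerpt are assumptions made for this example.

```python
# Added example, not Cisco's code: audit `ip mobile host nai ... aaa ...` lines
# and report which Mobile IP events (registration, re-registration,
# de-registration) still go to AAA under the rules in the usage guidelines.
# Assumption: a configured "@realm" NAI matches any MN NAI in that realm,
# anything else must match exactly.
import shlex

EVENTS = frozenset({"registration", "reregistration", "deregistration"})


def parse_host_line(line: str) -> dict:
    """Extract the AAA-related keywords from one `ip mobile host nai` line."""
    tokens = shlex.split(line)
    if tokens[:4] != ["ip", "mobile", "host", "nai"] or len(tokens) < 5:
        raise ValueError("not an 'ip mobile host nai <string> ...' line")
    opts = {"nai": tokens[4], "aaa": False, "load_sa": False,
            "skip_chap": False, "skip_reauth": None}
    rest = tokens[5:]
    for i, tok in enumerate(rest):
        if tok == "aaa":
            opts["aaa"] = True
        elif tok == "load-sa":
            opts["load_sa"] = True
        elif tok == "skip-chap":
            opts["skip_chap"] = True
        elif tok in ("skip-aaa-reauth", "skip-aaa-reauthentication"):
            # Bare keyword skips both events; an event name narrows it to one.
            nxt = rest[i + 1] if i + 1 < len(rest) else None
            opts["skip_reauth"] = nxt if nxt in ("reregistration", "deregistration") else "both"
    return opts


def nai_matches(configured: str, mn_nai: str) -> bool:
    """Assumed matching rule: '@realm' matches the whole realm, else exact match."""
    if configured.startswith("@"):
        return mn_nai.endswith(configured)
    return configured == mn_nai


def authenticated_events(opts: dict, mn_nai: str, new_spi: bool = False) -> frozenset:
    """Events for which the HA performs AAA authentication for this MN."""
    if not nai_matches(opts["nai"], mn_nai):
        return EVENTS                      # entry does not apply: default behaviour
    if opts["skip_chap"]:
        return frozenset()                 # no authentication at all
    if new_spi or opts["skip_reauth"] is None:
        return EVENTS                      # a new SPI overrides skip-aaa-reauth
    if opts["skip_reauth"] == "both":
        return frozenset({"registration"})
    return EVENTS - {opts["skip_reauth"]}  # only the named event is skipped


def audit_config(config_text: str, mn_nai: str) -> dict:
    """Map each host entry that applies to mn_nai to the events it authenticates."""
    report = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("ip mobile host nai"):
            opts = parse_host_line(line)
            if nai_matches(opts["nai"], mn_nai):
                report[line] = authenticated_events(opts, mn_nai)
    return report


# Constructed running-config excerpt for demonstration.
SAMPLE_CONFIG = """
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa load-sa skip-aaa-reauth deregistration
ip mobile host nai @partner.example address pool local partnerpool virtual-network 10.0.0.0 255.0.0.0 aaa skip-chap
"""

if __name__ == "__main__":
    for entry, events in audit_config(SAMPLE_CONFIG, "user1@cisco.com").items():
        print(entry.split(" address ")[0], "->", sorted(events) or "NO AUTHENTICATION")
```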
Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and store its security associations on the AAA server:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaa
The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain:
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 65535
The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain:
ip mobile host nai @cisco.com static-address local-pool mobilenodes
Related Commands
ip mobile radius disconnect
To enable processing of RADIUS Disconnect messages on the HA, use the ip mobile radius disconnect command in global configuration mode. Use the no form of this command to disable processing of RADIUS Disconnect messages on the HA.
ip mobile radius disconnect
no ip mobile radius disconnect
Syntax Description
There are no arguments or keywords for this command.
Defaults
The default setting is that there is no processing of Radius Disconnect messages.
Command Modes
Global configuration.
Command History
Usage Guidelines
Note
In order for POD requests to be processed by AAA, you need to configure the aaa server radius dynamic-author command.
Note
You must configure radius-server attribute 32 include-in-access-req for the HA to send the FQDN in the Access-Request.
Examples
The following example illustrates the ip mobile radius disconnect command:
Router(config)# ip mobile radius disconnect
ip mobile realm
To enable inbound user sessions to be disconnected when specific session attributes are presented, and to configure policy parameters on the Home Agent and attach them to QoS through an APN interface, use the ip mobile realm command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile realm {realm | nai} [vrf vrf-name | ha-addr ip-address] [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]] periodic minutes accounting [data-path-idle timer value] [dns dynamic-update method word] [dns server primary dns server address secondary dns server address [assign]] [hotline [capability profile-based redirect [ip | http] | rule-based flag]] [vpdn-tunnel virtual-template number [setup-time number]] [service-policy {input policy-name [peak-rate rate] | output policy-name [peak-rate rate]}] [any-traffic | next-hop next-hop-ipadress] [mip-udp-tunnel template-num]
no ip mobile realm {realm | nai} vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]] periodic minutes accounting [data-path-idle timer value] [dns dynamic-update method word] [dns server primary dns server address secondary dns server address [assign]] [[hotline [capability [all | httpredir | ipfilter | ipredir | profile] redirect [ip | http] | rule-based flag]] [vpdn-tunnel virtual-template number [setup-time number]] [service-policy {input policy-name [peak-rate rate] | output policy-name [peak-rate rate]}] [any-traffic | next-hop next-hop-ipadress] [mip-udp-tunnel template-num]
Syntax Description
Defaults
When the setup-time is not specified, the default value is 60.
Command Modes
Global configuration
Command History
Usage Guidelines
This command defines the VRF for the domain "@xyz.com". The IP address of the Home Agent corresponding to the VRF is also defined at which the MOIP tunnel will terminate. IP address of the Home Agent should be a routable IP address on the box. Optionally, the AAA accounting and/or authentication server groups can be defined per VRF. If AAA accounting server group is defined, all accounting records for the users of the realm will be sent to the specified group. If AAA authentication server group is defined, HA-CHAP is sent to the server(s) defined in the group.
The word argument should be specified as the NAI or realm, in the format @cisco.com or username@cisco.com; otherwise the command returns an error message. At least one form of hot-lining must be selected. There is no default rule that activates rule-based hot-lining for the user, and unconfiguring this CLI erases the rule-based hot-lining capability for the user. The values in the above command are expressed as flags, with the following meanings:
0x00000001 Profile-based Hot-Lining is supported (using RADIUS Filter-Id attributes)
0x00000002 Rule-based Hot-Lining is supported using a Filter Rule
0x00000004 Rule-based Hot-Lining is supported using an HTTP Redirection Rule
0x00000008 Rule-based Hot-Lining is supported using an IP Redirection Rule
The [service-policy {input policy-name [peak-rate rate] | output policy-name [peak-rate rate]}] options let you configure a policy and an associated rate for one or more user bindings belonging to that policy on the basis of NAI/realm. This can be configured for both upstream and downstream traffic. The burst and peak-burst can be configured under the policy-map configuration.
The setup-time for the vpdn-tunnel configuration is optional. The range of values for setup-time is 5 to 300 seconds, and the default value of 60 seconds is used when the setup-time option is not specified explicitly.
The configured setup-time is the maximum tolerance time, counted from the creation of the PPP IDB, within which a regenerated PPP session has to come fully up. If this period elapses and the L2TP tunnel is not yet up, the Mobile IP module tears down the session's L2TP session, PPP IDB and mobile binding. Also note that the number option of tunnel vtemplate number must match the number configured in the corresponding interface virtual-template command.
The periodic keyword defines the sending of interim accounting records at an interval corresponding to the value minutes.
The per-VRF configuration takes precedence over per-realm configuration, which takes precedence over the aaa accounting update periodic configuration.
Note
ip mobile realm x@y data-path-idle minutes has higher precedence than ip mobile home-agent data-path-idle minutes.
Examples
The following example identifies the DNS dynamic update keyword:
router(config)# ip mobile realm @ispxyz1.com dns ?
  dynamic-update  Enable 3GPP2 IP reachability
  server          DNS server configuration
The following example identifies the hotlining and vrf keywords:
router(config)# ip mobile realm @ispxyz1.com ?
  dns      Configure DNS details
  hotline  Hotlining of the mobile hosts
  vrf      VRF for the realm
Router(config)# ip mobile realm {realm | nai} hotline ?
  capability  Hotlining Capability of the mobile hosts
  redirect    Redirect ip address for upstream traffic
Router(config)# [no] ip mobile realm {realm | nai} hotline capability ?
  all        Support all Hotline Capabilities
  httpredir  HTTPRedir Rule-based Hot-Lining
  ipfilter   IPFilter Rule-based Hot-Lining
  ipredir    IPRedir Rule-based Hot-Lining
  profile    Profile-based Hot-Lining
Router(config)#
Here is a policy map configuration example:
Router(config)# ip mobile realm <nai | realm> ?
  dns             Configure DNS details
  hotline         Hotlining of the mobile hosts
  service-policy  QoS service policy attachment
  vrf             VRF for the realm
Router(config)# ip mobile realm <nai | realm> service-policy ?
  input   Attach policy-map in input direction (downstream)
  output  Attach policy-map in output direction (upstream)
  <cr>
Router(config)# ip mobile realm <nai | realm> service-policy input ?
  WORD  Policy-map name in input direction
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> ?
  output     Attach policy-map in output direction (upstream)
  peak-rate  Police rate
  <cr>
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> peak-rate ?
  <8000-2000000000>  Police rate value in bps
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> ?
  output  Attach policy-map in output direction (upstream)
  <cr>
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output ?
  WORD  Policy-map name in output direction
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output <policyname> ?
  peak-rate  Police rate
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output <policyname> peak-rate ?
  <8000-2000000000>  Police rate value in bps
Router(config)# ip mobile realm <nai | realm> service-policy input <policyname> peak-rate <rate> output <policyname> peak-rate <rate>
Here is an example of the data-path-idle timer-value option, as shown in the binding display:
cisco-1@cisco.com (Bindings 1):
  MAC Addr 0000.0001.0000
  Home Addr 5.1.0.1
  Care-of Addr 2.2.2.200, Src Addr 2.2.2.200
  Lifetime granted 10:00:00 (36000), remaining 09:52:39
  IdleTime granted 00:10:00 (10 min), remaining 00:09:24
  Flags sBdmg-T-, Identification CCA7F408.1
  Tunnel0 src 81.81.81.81 dest 2.2.2.200 reverse-allowed
  Routing Options - (T)Reverse-tunnel
  Access-tech Type: 3GPP2 (3GPP2 1xRTT/HRPD)
  Revocation negotiated - I-bit not set
ip mobile secure
To specify the mobility security associations for the mobile host, visitor, Home Agent, Foreign Agent, and proxy host, use the ip mobile secure global configuration command. To remove the mobility security associations, use the no form of this command.
ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in | outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
no ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in | outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
Syntax Description
Defaults
No security association is specified.
Command Modes
Global configuration
Command History
Release     Modification
12.0(1)T    This command was introduced.
12.2        The lower-address and upper-address arguments were added.
Usage Guidelines
The security association consists of the entity address, SPI, key, replay protection method, authentication algorithm, and mode.
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.
On a Home Agent, the security association of the mobile host is mandatory for mobile host authentication. If desired, configure a Foreign Agent security association on your Home Agent. On a Foreign Agent, the security association of the visiting mobile host and security association of the Home Agent are optional. Multiple security associations for each entity can be configured.
If registration fails because the timestamp value is out of bounds, the time stamp of the Home Agent is returned so the mobile node can reregister with the time-stamp value closer to that of the Home Agent, if desired.
Note
NTP can be used to synchronize time for all parties.
In HA Release 5.0 it is not necessary to configure the home-agent option. Additionally, for WiMax, it is not necessary to configure the foreign-agent option.
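The checks an HA performs with such a security association, as an added example that is not Cisco's code: the Registration Request layout and the keyed-MD5 prefix+suffix authenticator follow RFC 3344 (sections 3.3 and 3.5.1), while the SA table, addresses, key and replay window are constructed for the example.

```python
# Added example, not Cisco's code: what a Home Agent checks when it applies an
# `ip mobile secure host ... spi ... key hex ... replay timestamp <window>
# algorithm md5 mode prefix-suffix` association. Message layout and the keyed
# MD5 "prefix+suffix" authenticator follow RFC 3344; all values are constructed.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MH_AUTH_EXT_TYPE = 32              # Mobile-Home Authentication Extension
AUTH_LEN = 16                      # 128-bit keyed-MD5 authenticator
NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01

# Constructed SA table keyed by (home address, SPI), modelled on the entry that
# `ip mobile secure host 20.0.0.1 spi 100 key hex 1234... replay timestamp 7` creates.
SA_TABLE = {
    ("20.0.0.1", 100): {"key": bytes.fromhex("12345678123456781234567812345678"),
                        "replay_window": 7},
}

def prefix_suffix_md5(key: bytes, data: bytes) -> bytes:
    """Keyed MD5 in prefix+suffix mode: MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()

def ntp_identification(unix_seconds: int, low32: int = 0) -> int:
    """64-bit Identification for timestamp replay protection: NTP seconds in
    the high 32 bits; the low 32 bits are chosen by the mobile node."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | (low32 & 0xFFFFFFFF)

def build_rrq(home, home_agent, coa, lifetime, identification, spi, key):
    """Registration Request fixed header plus a Mobile-Home Authentication
    Extension; the authenticator covers everything that precedes it."""
    fixed = struct.pack("!BBH4s4s4sQ", 1, 0, lifetime, IPv4Address(home).packed,
                        IPv4Address(home_agent).packed, IPv4Address(coa).packed,
                        identification)
    ext_head = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    return fixed + ext_head + prefix_suffix_md5(key, fixed + ext_head)

def ha_check_rrq(rrq: bytes, now_unix: int):
    """HA-side validation: find the SA by (home address, SPI), verify the
    authenticator, then enforce the timestamp window. Returns
    (accepted, reason, identification_hint); on an out-of-bounds timestamp the
    hint carries the HA's own time so the MN can resynchronise and re-register."""
    if len(rrq) < 24:
        return False, "truncated request", None
    _t, _flags, _life, home, _ha, _coa, ident = struct.unpack("!BBH4s4s4sQ", rrq[:24])
    off = 24                                   # walk extensions to the auth extension
    while off + 2 <= len(rrq) and rrq[off] != MH_AUTH_EXT_TYPE:
        off += 2 + rrq[off + 1]
    if off + 6 + AUTH_LEN > len(rrq):
        return False, "missing Mobile-Home Authentication Extension", None
    spi = struct.unpack("!I", rrq[off + 2:off + 6])[0]
    sa = SA_TABLE.get((str(IPv4Address(home)), spi))
    if sa is None:
        return False, "no security association for this home address/SPI", None
    expected = prefix_suffix_md5(sa["key"], rrq[:off + 6])
    if not hmac.compare_digest(expected, rrq[off + 6:off + 6 + AUTH_LEN]):
        return False, "mobile node failed authentication (code 131)", None
    mn_seconds = (ident >> 32) - NTP_EPOCH_OFFSET
    if abs(mn_seconds - now_unix) > sa["replay_window"]:
        hint = ntp_identification(now_unix, ident & 0xFFFFFFFF)
        return False, "identification mismatch (code 133)", hint
    return True, "accepted", None

if __name__ == "__main__":
    now = 1_700_000_000
    key = SA_TABLE[("20.0.0.1", 100)]["key"]
    rrq = build_rrq("20.0.0.1", "20.0.0.254", "10.1.1.1", 36000,
                    ntp_identification(now, 0x1234), 100, key)
    print(ha_check_rrq(rrq, now))            # accepted
    print(ha_check_rrq(rrq, now + 60))       # replayed 60 s later: code 133 with HA time
```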
Examples
The following example shows mobile node 20.0.0.1, which has a key that is generated by the MD5 hash of the string:
Router(config)# ip mobile secure host 20.0.0.1 spi 100 key hex 12345678123456781234567812345678
Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel interface configuration command.
ip mobile tunnel {crypto map map-name | route-cache | path-mtu-discovery | nat {inside | outside}}
Syntax Description
Defaults
Disabled.
Command Modes
Interface configuration.
Command History
Usage Guidelines
Path MTU discovery is used by end stations to find a packet size that does not need fragmentation between them. To achieve this, tunnels have to adjust their MTU to the smallest MTU along the interior path, as described in RFC 2003.
The discovered tunnel MTU should be aged out periodically so the tunnel can recover from a case where a sub-optimal MTU existed at the time of discovery; on expiry it is reset to the outgoing interface's MTU.
Examples
The following example sets the discovered tunnel MTU to expire in ten minutes:
Router# ip mobile tunnel reset-mtu-time 600
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network global configuration command. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address addr]
no ip mobile virtual-network net mask [address addr]
Syntax Description
Defaults
No Home Agent addresses are specified.
Command Modes
Global configuration.
Command History
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
You may need to include virtual networks when configuring the routing protocols. If this is the case, use the redistribute mobile router configuration command to redistribute routes from one routing domain to another.
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the HA IP address is configured on the loopback interface for that virtual network: