Table Of Contents
clear ip mobile router registration
clear ip mobile router traffic
ip mobile authentication ignore-spi
ip mobile debug include username
ip mobile foreign-agent inject-mobile-networks
ip mobile foreign-agent nat traversal
ip mobile foreign-agent skip-aaa-reauthentication
ip mobile home-agent aaa user-password
ip mobile home-agent accounting
ip mobile home-agent dynamic-address
ip mobile home-agent multi-path
ip mobile home-agent nat traversal
ip mobile home-agent redundancy
ip mobile home-agent redundancy periodic-sync
ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
ip mobile home-agent revocation
ip mobile home-agent template tunnel
IP Mobility Commands
aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile command in global configuration mode. To remove authorization, use the no form of this command.
aaa authorization ipmobile {[radius | tacacs+] | default} [group server-group-name]
no aaa authorization ipmobile {[radius | tacacs+] | default} [group server-group-name]
Syntax Description
radius
Authorization list named radius.
tacacs+
Authorization list named tacacs+.
default
Default authorization list.
group server-group-name
(Optional) Name of the server group to use.
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on a AAA server. This command is not needed for the former; but in the latter case, this command authorizes Mobile IP to retrieve the security associations from the AAA server.
Once the authorization list is named, it can be used in other areas such as login. You can only use one named authorization list; multiple named authorization lists are not supported.
The aaa authorization ipmobile default group server-group-name command is the most commonly used method to retrieve security associations from the AAA server.
Note
The AAA server does not authenticate the user. It stores the security association that is retrieved by the router to authenticate registration.
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-modelaaa authorization ipmobile tacacs+tacacs-server host 1.2.3.4tacacs-server key mykeyip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaThe following example uses RADIUS as the default group to retrieve security associations from the AAA server:
aaa new-modelaaa authentication login default enableaaa authorization ipmobile default group radiusaaa session-id commonradius-server host 128.107.162.173 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server key ciscoip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaRelated Commands
address (mobile router)
To set the home IP address of the mobile router, use the address command in mobile router configuration mode. To remove the address, use the no form of this command.
address address mask
no address address mask
Syntax Description
Defaults
No default behavior or values.
Command Modes
Mobile router configuration
Command History
Usage Guidelines
The address command configures the home IP address and subnet mask of the mobile router. The address and subnet mask identify the home network of the mobile router and are used to discover when the mobile router is at home.
Examples
The following example sets the home IP address and subnet mask of the mobile router:
ip mobile routeraddress 10.1.0.1 255.255.0.0Related Commands
show ip mobile router
Displays configuration information and monitoring information about the mobile router.
clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding command in privileged EXEC mode.
clear ip mobile binding {all [load standby-group-name] | ip-address [coa care-of-address] | nai string [session-id string] | vrf realm realm} [synch]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The home agent creates a mobility binding for each roaming mobile node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. Typically, there should be no need to clear the binding because it expires after the lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed through use of this command, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
If the nai string session-id string option is specified, only the binding entry with that session identifier is cleared. If the session-id keyword is not specified, all binding entries (potentially more than one, with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile binding command.
When the synch option is specified, bindings that are administratively cleared on the active home agent are synchronized to the standby home agent, and the bindings will be deleted on the standby home agent. When the redundancy mode is active-standby, the synch option will not take effect if the clear command is issued on the standby home agent.
Use this command with care, because it will disrupt any sessions used by the mobile node. After you use this command, the mobile node will need to reregister to continue roaming.
Examples
The following example administratively stops mobile node 192.168.100.10 from roaming:
Router# show ip mobile bindingMobility Binding List:Total 1192.168.100.10:Care-of Addr 192.168.6.1, Src Addr 192.168.4.2,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 192.168.1.2 dest 192.168.6.1 reverse-allowedRouting Options - (G)GRERouter# clear ip mobile binding 10.2.0.1Router# show ip mobile bindingRelated Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile node, use the clear ip mobile host-counters command in EXEC mode.
clear ip mobile host-counters [[ip-address | nai string] undo]]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
The nai keyword was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this option is useful for debugging).
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile host10.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -registered-, Home link on virtual network 10.15.15.0/8Accepted 2, Last time 04/13/02 19:04:28Overall service time 00:04:42Denied 0, Last time -never-Last code `-never- (0)'Total violations 1Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0.Router# clear ip mobile host-countersRouter# show ip mobile host-counters10.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 10.20.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Related Commands
clear ip mobile router agent
To delete learned agents and the corresponding care-of address of the foreign agent from the mobile router agent table, use the clear ip mobile router agent command in privileged EXEC mode.
clear ip mobile router agent [ip-address]
Syntax Description
ip-address
(Optional) IP address of an agent. If not specified, all agents are deleted from the agent table.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The mobile router maintains an agent table listing active agents and the corresponding care-of address of the foreign agent. The mobile router uses this agent table to decide which foreign agent to register with. The mobile router updates the table when it receives advertisements. If an advertisement expires, its entry is automatically deleted from the table.
The clear ip mobile router agent ip-address option allows you to remove a specific agent.
Examples
The following example removes all agents from the mobile router agent table:
Router# clear ip mobile router agentRelated Commands
show ip mobile router interface
Displays information about the agents for the mobile router.
clear ip mobile router registration
To delete registration entries from the mobile router registration table, use the clear ip mobile router registration command in privileged EXEC mode.
clear ip mobile router registration [ip-address]
Syntax Description
ip-address
(Optional) IP address of a specific agent. If not specified, all registration entries are deleted.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The mobile router maintains a registration table listing registration entries that are used for retransmissions. For example, a registration request is sent when no reply is received or the lifetime is about to expire.
A registration request can be removed from the table to prevent further registration requests from being sent to the agent. The clear ip mobile router registration ip-address option allows you to remove a registration to a specific agent.
Clearing an active registration will cause the mobile router to attempt to deregister.
Examples
The following example removes all registration entries from the mobile router registration table:
Router# clear ip mobile router registrationRelated Commands
show ip mobile router registration
Displays the pending and accepted registrations of the mobile router.
clear ip mobile router traffic
To clear the counters that the mobile router maintains, use the clear ip mobile router traffic command in privileged EXEC mode.
clear ip mobile router traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Mobile router counters are accumulated during operation. They are useful for debugging and monitoring.
Examples
The following example shows how the mobile router counters can be used for debugging:
Router# show ip mobile router trafficMobile Router Counters:Agent Discovery:Solicitations sent 90, advertisements received 17Agent reboots detected 0Registrations:Register 70, Deregister 0 requests sentRegister 70, Deregister 0 replies receivedRequests accepted 68, denied 1 by HA 1 /FA 0Denied due to mismatched ID 1...Router# clear ip mobile router trafficRouter# show ip mobile router trafficMobile Router Counters:Agent Discovery:Solicitations sent 0, advertisements received 0Agent reboots detected 0Registrations:Register 0, Deregister 0 requests sentRegister 0, Deregister 0 replies receivedRequests accepted 0, denied 0 by HA 0 /FA 0Denied due to mismatched ID 0...Related Commands
show ip mobile router traffic
Displays the counters that the mobile router maintains.
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure command in EXEC mode.
clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword was added.
12.2(13)T
The nai keyword was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
Examples
In the following example, the AAA server has the security association for user 10.2.0.1 after registration:
Router# show ip mobile secure host 10.2.0.1Security Associations (algorithm,mode,replay protection,key):10.2.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8If you change the security association stored on the AAA server for this mobile node, the router clears the security association and reloads it from the AAA server:
Router# clear ip mobile secure host 10.2.0.1 loadRouter# show ip mobile secure host 10.2.0.110.2.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `newkey' 1230552d39b7c1751f86bae5205ec0c8Related Commands
ip mobile secure
Specifies the mobility security associations for mobile host, visitor, home agent, and foreign agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic command in EXEC mode.
clear ip mobile traffic [undo]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (which is useful for debugging). See the show ip mobile traffic command for a description of all counters.
Examples
The following example shows how counters can be used for debugging:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 8, Deregister 0 requestsRegister 7, Deregister 0 repliedAccepted 6, No simultaneous bindings 0Denied 1, Ignored 1Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 1, Bad request form 0.Router# clear ip mobile trafficRouter# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Related Commands
clear ip mobile visitor
To remove visitor information, use the clear ip mobile visitor command in privileged EXEC mode.
clear ip mobile visitor [ip-address | nai string [session-id string] [ip-address]]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The foreign agent creates a visitor entry for each accepted visitor. The visitor entry allows the mobile node to receive packets while in a visited network. Associated with the visitor entry is the Address Resolution Protocol (ARP) entry for the visitor. There should be no need to clear the entry because it expires after lifetime is reached or when the mobile node deregisters.
When a visitor entry is removed, the number of users on the tunnel is decremented and the ARP entry is removed from the ARP cache. The visitor is not notified.
If the nai string session-id string option is specified, only the visitor entry with that session identifier is cleared. If the session-id keyword is not specified, all visitor entries (potentially more than one, with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile visitor command.
Use this command with care because it may terminate any sessions used by the mobile node. After you use this command, the visitor will need to reregister to continue roaming.
Examples
The following example administratively stops visitor 172.21.58.16 from visiting:
Router# clear ip mobile visitor 172.21.58.16Related Commands
show ip mobile visitor
Displays the table containing the visitor list of the foreign agent.
collocated single-tunnel
To configure the number of tunnels between the mobile router and home agent when registering with a collocated care-of address (CCoA), use the collocated single-tunnel command in mobile router configuration mode.
collocated single-tunnel
Syntax Description
This command has no arguments or keywords.
Defaults
Defaults to single-tunnel enabled.
Command Modes
Mobile router
Command History
Usage Guidelines
This command is used as a "placeholder" only and defaults to single-tunnel enabled. This command can not be unconfigured. In future Cisco IOS releases, a dual-tunnel capability will be needed for IPSec between the mobile router and the home agent. At that time, this command will be optional with dual tunnels (no collocated single-tunnel) being the default. This command is provided now for backward compatibility when the dual-tunnel capablity is implemented.
description (mobile networks)
To add a description to a mobile router configuration, use the description command in mobile networks configuration mode. To remove the description, use the no form of this command.
description string
no description
Syntax Description
Defaults
No default behavior or values.
Command Modes
Mobile networks configuration
Command History
Usage Guidelines
The description command is meant solely as a comment to be put in the configuration to help you remember information about the configured mobile router or its mobile networks.
Examples
The following example shows how to add a description for the mobile router:
ip mobile mobile-networks 10.2.0.1description mobileunitnetwork 172.16.1.0 255.255.255.0network 172.16.2.0 255.255.255.0Related Commands
show ip mobile mobile-networks
Displays a list of mobile networks associated with the mobile router.
home-agent
To specify the home agent that the mobile router uses during registration, use the home-agent command in mobile router configuration mode. To disable the home agent, use the no form of this command.
home-agent ip-address [priority level]
no home-agent ip-address [priority level]
Syntax Description
Defaults
The default priority level is 100.
Command Modes
Mobile router configuration
Command History
Usage Guidelines
The home-agent command specifies which home agent the mobile router uses for registration and to detect when it is home. The priority level determines which home agent address to register with, although all addresses are on the same home agent. The mobile router registers with the home agent with the highest priority level.
The home agent address list is used to detect when the mobile router is home. The mobile router knows that it is at home when the source of the agent advertisements is an IP source address that exists on the home agent address list.
Examples
The following example shows that the mobile router will use the home agent address 1.1.1.1 during registration and will detect when it is at home after receiving agent advertisements from either address 1.1.1.1 or 2.2.2.2:
router mobileip mobile routeraddress 10.1.0.1 255.255.0.0home-agent 1.1.1.1 priority 101home-agent 2.2.2.2 priority 100Related Commands
show ip mobile router
Displays configuration information and monitoring statistics about the mobile router.
ip dhcp client mobile renew
To configure the number of renewal attempts and the interval between attempts for renewing an IP address acquired by a Dynamic Host Configuration Protocol (DHCP) client, use the ip dhcp client mobile renew command in interface configuration mode. To disable the functionality, use the no form of this command.
ip dhcp client mobile renew count number interval ms
no ip dhcp client mobile renew count number interval ms
Syntax Description
Defaults
count number: 2
interval ms: 50Command Modes
Interface configuration
Command History
Usage Guidelines
Mobile DHCP clients automatically attempt to renew an existing IP address in response to certain events, such as moving between wireless access points. The number of renewal attempts, and the interval between those attempts, depending on network conditions, can be modified by using the ip dhcp client mobile renew command.
Examples
In the following example, the DHCP client will make four attempts to renew its current IP address with an interval of 30 milliseconds between attempts :
interface FastEthernet0ip dhcp client mobile renew count 4 interval 30Related Commands
ip mobile authentication ignore-spi
To enable the home agent or foreign agent to accept RFC-2002 based mobile nodes or foreign agents that don't include the security parameter index (SPI) in the authentication extension of the registration message, use the ip mobile authentication ignore-spi command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile authentication ignore-spi
no ip mobile authentication ignore-spi
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration.
Command History
12.2(8)BY
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Cisco IOS software supports the Mobile-Home Authentication Extension (MHAE). All registration messages between a mobile and a home agent include a mandatory authentication extension.
In RFC 2002, the SPI field was not included to calculate the authenticator value in the authentication extension of the registration message. In RFC 3220 and 3344, the SPI field in the authentication extension is used as part of the data over which the authentication algorithm must be computed.
The command turns off authentication and allows an RFC-2002 based mobile node and foreign agent to register with the home agent even though the SPI field is not included in the authentication extension of the registration message. The foreign agent will accept both RFC 2002 and RFC 3220/3344 based visitors and the home agent will accept both RFC 2002 and RFC 3220/3344 based mobile nodes and foreign agents.
Examples
The following example allows the home agent to accept registration messages without the SPI in the authentication extension:
ip mobile authentication ignore-spiip mobile bindupdate
To enable a home agent to send a binding update message to a foreign agent, use the ip mobile bindupdate command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile bindupdate [acknowledge] [maximum seconds] [minimum seconds] [retry number]
no ip mobile bindupdate [acknowledge] [maximum seconds] [minimum seconds] [retry number]
Syntax Description
Defaults
maximum seconds: 10 seconds
minimum seconds: 1 second
retry number: 4 retriesCommand Modes
Global configuration
Command History
12.2(8)BY
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
This command enables the home agent to send a binding update message to the previous foreign agent when the mobile node moves to a new care-of address. The binding update message informs the foreign agent that a mobile node has moved and it can reclaim resources associated with that mobile node such as a visitor entry or visitor route.
Typically, resources on the foreign agent are not reclaimed until the mobility binding lifetime expires for that mobile node. By using this command, the foreign agent does not have to wait to reclaim resources used by the mobile node when that mobile node is no longer associated with the foreign agent.
Without this command configured, when a mobile node moves from foreign agent 1 to foreign agent 2 or when the home agent removes the binding, foreign agent 1 does not know that the mobile node has moved and the resources on foreign agent 1 associated with the mobile node will not be cleared until the lifetime expires for the mobile node.
If the acknowledge keyword is specified, the home agent periodically retransmits a binding update message until it receives a binding acknowledgement from the foreign agent or until the number of retries is exceeded.
The home agent and foreign agent must share a security association. The binding update message from the home agent and the binding update acknowledgement from the foreign agent must contain a FHAE (Foreign-Home Authentication Extension). If the FHAE is not configured on the home agent with the ip mobile secure command, the home agent will not send a binding update message even if the ip mobile bindupdate command is configured.
Examples
The following example configures the home agent to wait a maximum of 8 seconds before retransmitting a binding update message to a foreign agent. The foreign agent must send an acknowledgement of this binding update message upon receipt.
ip mobile bindupdate acknowledge maximum 8 retry 3ip mobile secure foreign-agent 10.31.1.1 spi 100 key hex 23456781234567812345678123456781The following example configures the security association on the foreign agent. Without the security association configured on the home agent and the foreign agent, the binding update message would not be sent or processed.
ip mobile secure home-agent 172.31.10.1 spi 100 key hex 23456781234567812345678123456781ip mobile debug include username
To display the username or International Mobile Subscriber Identity (IMSI) condition with each debug statement, use the ip mobile debug include username command. To remove the username or IMSI condition from the debug display, use the no form of the command.
ip mobile debug include username
no ip mobile debug include username
Syntax Description
This command has no arguments or keywords.
Command Default
The user name or IMSI condition is not displayed in the debug output.
Command Modes
Global configuration
Command History
12.3(14)YX
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Usage Guidelines
In the following example, the user name or IMSI condition will be displayed in any Mobile IP debug output:
Router(config)# ip mobile debug include usernameip mobile foreign-agent
To enable foreign agent service, use the ip mobile foreign-agent command in global configuration mode. To disable this service, use the no form of this command.
ip mobile foreign-agent [care-of interface {interface-only] [transmit-only] | reg-wait seconds | local-timezone | reverse-tunnel private-address}
no ip mobile foreign-agent {care-of interface [interface-only] [transmit-only] | reg-wait | local-timezone | reverse-tunnel private-address}
Syntax Description
Defaults
reg-wait seconds: 15
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables foreign agent service when at least one care-of address is configured. When no care-of address exists, foreign agent service is disabled.
The foreign agent is responsible for relaying the registration request to the home agent, setting up a tunnel to the home agent, and forwarding packets to the mobile node. The show commands used to display relevant information are shown in parentheses in the following paragraph.
When a registration request comes in, the foreign agent will ignore requests when foreign agent service is not enabled on an interface or when no care-of address is advertised. If a security association exists for a visiting mobile node, the visitor is authenticated. The registration bitflag is handled as described in Table 1. The foreign agent checks the validity of the request. If successful, the foreign agent relays the request to the home agent, appending an FH authentication extension if a security association for the home agent exists. The pending registration timer of 15 seconds is started (show ip mobile visitor pending command). At most, five outstanding pending requests per mobile node are allowed. If a validity check fails, the foreign agent sends a reply with error code to the mobile node (reply codes are listed in Table 2). A security violation is logged when visiting mobile node authentication fails (show ip mobile violation command).
When a registration reply comes in, the home agent is authenticated (show ip mobile secure home-agent command) if a security association exists for the home agent (IP source address or home agent address in reply). The reply is relayed to the mobile node.
When registration is accepted, the foreign agent creates or updates the visitor table, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the interface (of the incoming request) is added to the routing table (show ip route mobile command), and an ARP entry is added to avoid the sendingof ARP requests for the visiting mobile node. Visitor binding is removed (along with its associated host route, tunnel, and ARP entry) when the registration lifetime expires or deregistration is accepted.
When registration is denied, the foreign agent will remove the request from the pending registration table. The table and timers of the visitor will be unaffected.
When a packet destined for the mobile node arrives on the foreign agent, the foreign agent deencapsulates the packet and forwards it out its interface to the visiting mobile node, without sending ARP requests.
The care-of address must be advertised by the foreign agent. This adddress is used by the mobile node to register with the home agent. The foreign agent and home agent use this address as the source and destination point of tunnel, respectively. The foreign agent is not enabled until at least one care-of address is available. The foreign agent will advertise on interfaces configured with the ip mobile foreign-service command.
Only care-of addresses with interfaces that are up are considered available.
The interface-only and transmit-only keywords are used in an aysmmetric link environment, such as satellite communications, where separate uplinks and downlinks exist. The ip mobile foreign-agent care-of interface interface-only command enables the specified interface to advertise only its own address as the care-of address. All other care-of addresses are not advertised. Other foreign agent interfaces configured for foreign-service will not advertise interface-only care-of addresses. The ip mobile foreign-agent care-of interface transmit-only command informs Mobile IP that the interface acts as an uplink. Registration requests and replies received for this care-of address are treated as transmit-only. This interface will not hear any solicitations. Any care-of address can be configured with the interface-only keyword, but only serial interfaces can be configured with the transmit-only keyword.
Use the reverse-tunnel private-address keywords to force a mobile node with a private address to register with reverse tunnel. Private addresses are IP addresses in the following ranges:
•
•
•
Table 1 lists mobile node registration request service bitflags.
Table 2 lists foreign agent reply codes.
Examples
The following example enables foreign agent service on Ethernet interface 1, advertising 10.0.0.1 as the care-of address:
ip mobile foreign-agent care-of Ethernet0interface Ethernet0ip address 10.0.0.1 255.0.0.0interface Ethernet1ip mobile foreign-serviceThe following example enables foreign agent service on serial interface 4, advertising 10.0.0.2 as the only care-of address. The uplink interface is configured as a transmit-only interface.
ip mobile foreign-agent care-of Serial4 interface-only transmit-onlyinterface Serial4! Uplink interfaceip address 10.0.0.2 255.255.255.0ip irdp!ip mobile foreign-service!Related Commands
ip mobile foreign-agent inject-mobile-networks
To enable direct routing to mobile networks via the foreign agent, use the ip mobile foreign-agent inject-mobile-networks command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile foreign-agent inject-mobile-networks [mobnetacl access-list-identifier]
no ip mobile foreign-agent inject-mobile-networks [mobnetacl access-list-identifier]
Syntax Description
Defaults
Direct routing via the foreign agent is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Configure the ip mobile foreign-agent inject-mobile-networks command on the foreign agent to enable direct routing.
The value entered for the access-list-identifier argument must match the name of an access list defined using the ip access-list command or the number of an access list defined using the access-list command.
Examples
The following example configures the access list named mobile-net-list and enables direct routing via the foreign agent for mobile networks specified on that access list.
ip access-list standard mobile-net-listpermit any!ip mobile foreign-agent inject-mobile-networks mobnetacl mobile-net-listRelated Commands
ip mobile foreign-agent nat traversal
To enable NAT traversal support for Mobile IP (MIP) foreign agents (FAs), use the ip mobile foreign-agent nat traversal command in global configuration mode. To disable NAT traversal support, use the no form of this command.
ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]
no ip mobile foreign-agent nat traversal [keepalive keepalive-time] [force]
Syntax Description
Defaults
Network Address Translation (NAT) traversal support for FAs is disabled.
Command Modes
Global configuration
Command History
12.3(8)T
This command was introduced.
12.4T
The keepalive keepalive-time range changed.
Usage Guidelines
You need to enable this command under the following circumstances:
•
•
A likely scenario for using this command and when to set the force bit is when there is a firewall between an FA and HA. The firewall blocks IP-in-IP and GRE packets but permits UDP packets.
Examples
The following example shows a FA configuration with a keepalive time of 45 and forced UDP tunneling.
ip mobile foreign-agent care-of Ethernet2/2ip mobile foreign-agent nat traversal keepalive 45 forceRelated Commands
ip mobile foreign-agent skip-aaa-reauthentication
To enable FA-CHAP during Mobile IP registration, and then to skip it in all subsequent re-registrations, use the ip mobile foreign-agent skip-aaa-reauthentication command in global configuration mode. To disable this feature, use the no form of this command.
ip mobile foreign-agent skip-aaa-reauthentication
no ip mobile foreign-agent skip-aaa-reauthentication
Syntax Description
There are no keywords or arguments for this commmand.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
FA-CHAP is a mechanism for authentication in Mobile IP. As per IS835, FA-CHAP is mandatory during Mobile IP call setup (registration), and requires access to a AAA server. A Mobile IP call has a parameter lifetime, so in order to continue a Mobile IP call, re-registration is required before the lifetime expires, and this re-registration leads to extending of lifetime.
Because FA-CHAP is mandatory, and the call is authenticated during registration, it may be undesirable to access AAA during re-registration of the Mobile IP call. The ip mobile foreign-agent skip-aaa-reauthentication command provides flexibility in this scenario.
When this command is configured, FA-CHAP is performed during Mobile IP registration, and is skipped in all subsequent re-registrations.
The default value is "false", implying that AAA access is not skipped during Mobile IP re-registration.
Examples
The following example shows that FA-CHAP is enabled during Mobile IP registration, but disabled for all subsequent re-registrations:
ip mobile foreign-agent skip-aaa-reauthenticationip mobile foreign-service
To enable foreign agent service on if care-of addresses are configured, use the ip mobile foreign-service command in interface or global configuration mode. To disable this service, use the no form of this command.
ip mobile foreign-service [challenge [forward-mfce] [timeout value] [window number] | [home-access access-list] [limit number] [registration-required] [reverse-tunnel [mandatory]]
no ip mobile foreign-service [challenge [forward-mfce] [timeout value] [window number] | [home-access access-list | limit number | registration-required | reverse-tunnel]
Syntax Description
Defaults
Foreign agent service is not enabled.
There is no limit to the number of visitors allowed on an interface.
window number: 2
Foreign agent reverse tunneling is not enabled. When foreign agent reverse tunneling is enabled, it is not mandatory by default.Command Modes
Interface and global configuration
Command History
Usage Guidelines
This command enables foreign agent service on the interface or all interfaces (global configuration). The foreign agent (F) bit will be set in the agent advertisement, which is appended to the IRDP router advertisement whenever the foreign agent or home agent service is enabled on the interface.
Note
When you use the reverse-tunnel keyword to enable foreign agent reverse tunneling on an interface, the reverse tunneling support (T) bit is set in the agent advertisement.
Cisco Express Forwarding (CEF) switching is currently not supported on a foreign agent when reverse tunneling is enabled. If reverse tunneling is enabled at the foreign agent, disable CEF on the foreign agent, using the no ip cef global configuration command. If the foreign agent does not support reverse tunneling, then there is no need to disable CEF at the global configuration level.
Table 3 lists the advertised bitflags.
Examples
The following example shows how to enable foreign agent service for up to 100 visitors:
interface Ethernet 0ip mobile foreign-service limit 100 registration-requiredThe following example shows how to enable foreign agent reverse tunneling:
interface ethernet 0ip mobile foreign-service reverse-tunnelThe following example shows how to configure foreign agent challenge parameters:
interface ethernet 0ip mobile foreign-service challenge window 2Related Commands
ip mobile home-agent
To enable and control home agent (HA) services, use the ip mobile home-agent command in global configuration mode. To disable these services, use the no form of this command.
ip mobile home-agent [address ip-address] [broadcast] [care-of-access access-list] [lifetime seconds] [nat-detect] [replay seconds] [reverse-tunnel {off | private-address}] [roam-access access-list] [strip-realm] [suppress-unreachable] [local-timezone] [unknown-ha [accept [reply] | deny]] [send-mn-address]
no ip mobile home-agent [address ip-address] [broadcast] [care-of-access access-list] [lifetime seconds] [nat-detect] [replay seconds] [reverse-tunnel {off | private-address}] [roam-access access-list] [strip-realm] [suppress-unreachable] [local-timezone] [unknown-ha [accept [reply] | deny]] [send-mn-address]
Syntax Description
Defaults
The command is disabled. Broadcasting is disabled. Reverse tunnel support is enabled. ICMP unreachable messages are sent. NAT detection is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls HA services on a router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered MNs are unaffected. Tunnels are shared by MNs registered with the same endpoints, so the reverse-tunnel-off keyword also affects registered MNs.
The HA processes registration requests from the MN and sets up tunnels and routes to the CoA. Packets to the MN are forwarded to the visited network.
The HA will forward broadcast packets to MNs if the MNs are registered with the service. However, heavy broadcast traffic uses the CPU of the router.
The HA can control where the MNs roam by the care-of-access keyword, and which MN is allowed to roam by the roam-access keyword.
When a registration request comes in, the HA ignores requests when HA service is not enabled or the security association of the MN is not configured. The latter condition occurs because the security association must be available for the MH authentication extension in the reply. If a security association exists for the FA (IP source address or CoA in the request), the FA is authenticated, and then the MN is authenticated. The Identification field is verified to protect against replay attack. The HA checks the validity of the request (see Table 4) and sends a reply. (Reply codes are listed in Table 5.) A security violation is logged when FA authentication, MH authentication, or identification verification fails. (The violation reasons are listed in Table 6.)
After registration is accepted, the HA creates or updates the mobility binding of the MN, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the MN via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no MNs are using it), and gratuitous ARP messages are sent out if the MN is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the HA uses the entire NAI string as the username for authentication (which may be with local security association or retrieved from the AAA server). The strip-nai-realm keyword instructs the HA to strip off the realm part of NAI (if it exists) before performing authentication. Basically, the MN is identified by only the user name part of the NAI. This option is useful if the majority of MNs belong to the same realm, for example, in the case of enterprise networks.
When the packet destined for the MN arrives on the HA, the HA encapsulates the packet and tunnels it to the care-of address. If the Don't Fragment (DF) bit is set in the packet via the ip mobile tunnel path-mtu-discovery global configuration command, the HA will copy the DF bit from the original packet to the new tunnel IP header. This allows the path MTU discovery to set the MTU of the tunnel. Subsequent packets greater than the MTU of the tunnel will be dropped and an ICMP datagram too big message will be sent to the source (correspondent node). If the HA loses the route to the tunnel endpoint, the host route to the MN will be removed from the routing table until the tunnel route is available. Packets destined for the MN without a host route will be sent out the interface (home network) or to the virtual network (see the description of the suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the HA will send a copy to all MNs registered with the broadcast routing option.
Some companies block ICMP datagram too big messages. If the message does not reach the original correspondent node sending the packet, the correspondent node will simply resend the same size packet. To work around this problem, turn off Path MTU Discovery with the no ip mobile tunnel path-mtu-discovery command. The DF bit will not be copied from the original packet and the tunnel packet can be fragmented.
The ip mobile home-agent nat-detect option is supported for MNs using a collocated care-of address and registering through the FA. The MN will use the NAT inside address as the collocated care-of address used in its registration requests. If a MN is using a FA CoA address, the MN can be detected behind a NAT gateway.
The ip mobile home-agent unknown-ha option can be useful in a testing environment when the HA is using a private address behind a NAT gateway. A MN would need to access the HA through the NAT box while it is on a public network domain. However, NAT will translate the destination IP address of the registration request to the private address of the HA. When the HA checks the HA field in the registration request, it does not match one of the interfaces. The packet can not be processed properly and the tunnels are not set up properly. The ip mobile home-agent unknown-ha command allows the HA to accept the unknown (translated) address and process the registration request.
The send-mn-address keyword is available only on PDSN platforms running specific PDSN code images; consult Feature Navigator for your Cisco IOS software release.
The MN requests services from the HA by setting bits in the registration request. Table 4 shows the services the MN can request.
Table 5 lists the HA registration reply codes. The codes tell the MN whether the registration was accepted or denied. If registration is denied, the reply code gives the reason.
Table 6 lists security violation codes.
Table 6 Security Violation Codes
1
No mobility security association.
2
Bad authenticator.
3
Bad identifier.
4
Bad SPI.
5
Missing security extension.
6
Other.
7
Stale request.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent broadcast lifetime 7200Related Commands
ip mobile home-agent aaa user-password
To configure an authentication password for the downloading of security associations from a AAA server, use the ip mobile home-agent aaa user-password command in global configuration mode. To remove the password requirement, use the no form of this command.
ip mobile home-agent aaa user-password {0 password | 7 encrypted-password | password}
no ip mobile home-agent aaa user-password
Syntax Description
Defaults
The default password is cisco.
Command Modes
Global configuration
Command History
Usage Guidelines
When a mobile node sends a registration request packet to the home agent, Mobile IP requires a security association for registration authentication. Security associations for a mobile node can be configured on the home agent or retrieved by the home agent from a AAA server.
If security associations are retrieved from a AAA server, the AAA access-request packets used to retrieve the security associations require a challenge and response. If the registration request of the mobile node does not contain a challenge and response, the home agent auto-generates a challenge and creates a response using the default password "cisco" unless you specify a different password using the ip mobile home-agent aaa user-password command. In either case, a single password is used for all mobile nodes.
The AAA server will read the challenge in the access-request packet of the mobile node, and using the password of the mobile node that is stored on the AAA server, create the response to the challenge. It then authenticates the mobile node, identified by its IP address (or network access identifier), by comparing the two responses to ensure they are identical. For this reason, the password configured by the ip mobile home-agent aaa user-password command must match the user password in the user profile on the AAA server.
Mobile nodes that include a challenge and response in their registration request, such as in the case of dynamic security association and key distribution, do not use the defined password. Instead, the home agent copies the challenge/response from the registration request into the AAA access-request packet. Thus, a mobile node in this scenario can have a "unique" password.
You can enable or disable password encryption with the service password-encryption command. If this command is enabled, even if the ip mobile home-agent aaa user-password 0 password is used, the password will be encrypted.
Examples
The following example enables the encrypted password "$1$i5Rkls3L0yxzS8t9" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password 7 $1$i5Rkls3L0yxzS8t9The following example enables the unencrypted password "pswd2" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password 0 pwsd2The following example enables the unencrypted password "pswdmobile" for authenticating the downloading of security associations from the AAA server:
ip mobile home-agent aaa user-password pswdmobileRelated Commands
ip mobile home-agent accounting
To enable home agent accounting services on the router, use the ip mobile home-agent accounting command in global configuration mode. To disable these services, use the no form of this command.
ip mobile home-agent accounting {default | list-name}
no ip mobile home-agent accounting {default | list-name}
Syntax Description
Defaults
The command is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls home agent accounting services on the router. First, use the aaa accounting global configuration command to define the accounting method list. Next, apply the same accounting method list on the home agent using the ip mobile home-agent accounting global configuration command.
Examples
The following example enables home agent accounting for the list named mobile-list:
ip mobile home-agent accounting mobile-listRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
ip mobile home-agent dynamic-address
To set the home agent address field in a Registration Response packet, use the ip mobile home-agent dynamic-address command in global configuration. To disable this functionality, or to reset the field use the no form of this command.
ip mobile home-agent dynamic-address ip-address
no ip mobile home-agent dynamic-address ip-address
Syntax Description
Defaults
The Home Agent Address field will be set to the values specified by the ip-address argument.
Command Modes
Global configuration
Command History
12.3(11)YF
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Examples
In the following example, the dynamic home-agent address is set to 10.1.1.1:
Router(config)# ip mobile home-agent dynamic-address 10.1.1.1ip mobile home-agent multi-path
To enable the home agent to process registration requests with multiple path support for all mobile routers, use the ip mobile home-agent multi-path command in global configuration mode. To disable multipath support on the home agent, use the no form of this command.
ip mobile home-agent multi-path [metric {bandwidth | hopcount}]
no ip mobile home-agent multi-path [metric {bandwidth | hopcount}]
Related Commands
Command Default
Multiple path support is enabled by default on the mobile router.
Command Modes
Global configuration.
Command History
Usage Guidelines
Multiple path support is enabled by default on the mobile router but disabled by default on the home agent. The multi-path command in mobile networks configuration mode overrides the global setting.
Examples
The following example shows how to configure the home agent to globally process registration requests for all mobile routers:
!router mobileexitip mobile home-agent multi-pathRelated Commands
ip mobile home-agent nat traversal
To enable NAT traversal support for Mobile IP home agents (HAs), use the ip mobile home-agent nat traversal command in global configuration mode. To disable Network Address Translation (NAT) traversal support for Mobile IP for the HA, use the no form of this command.
ip mobile home-agent nat traversal [keepalive keepalive-time] [forced {accept | reject}]
no ip mobile home-agent nat traversal [keepalive keepalive-time] [forced {accept | reject}]
Syntax Description
Defaults
NAT traversal support for Mobile IP is disabled for the HA.
Command Modes
Global configuration
Command History
12.3(8)T
This command was introduced.
12.4T
the keepalive keepalive-time range changed.
Usage Guidelines
Enable this command if your MNs will roam behind a NAT-enabled router or firewall.
Examples
The following example shows an HA configured with a keepalive timer set to 56 seconds and forced to accept UDP tunneling.
ip mobile home-agent nat traversal 56 forced acceptip mobile home-agent replay 255ip mobile home-agent redundancy Phy1 virtual-networkRelated Commands
ip mobile home-agent redundancy
To configure the home agent for redundancy by using the Hot Standby Router Protocol (HSRP) group name, use the ip mobile home-agent redundancy command in global configuration mode. To remove the address, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address] [mode active-standby] [swact-notification]
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address] [mode active-standby] [swact-notification]
Syntax Description
Defaults
No global home agent addresses are specified.
Command Modes
Global configuration
Command History
Usage Guidelines
The virtual-network keyword specifies that the HSRP group supports virtual networks.
Note
When Mobile IP standby is configured, the home agent can request mobility bindings from the peer home agent. When Mobile IP standby is deconfigured, the home agent can remove mobility bindings. Operation of home agent redundancy on physical and virtual networks is described as follows:
•
•
Note
Examples
The following example specifies an HSRP group named SanJoseHA:
ip mobile home-agent redundancy SanJoseHARelated Commands
ip mobile home-agent redundancy periodic-sync
To synchronize the byte and packet counters for each binding to the standby unit using an accounting update event, use the ip mobile home-agent redundancy periodic-sync command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address] periodic-sync
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address address] periodic-sync
Syntax Description
hsrp-group-name
The HSRP group name.
virtual-network
(Optional) Specifies that the HSRP group is used to support virtual networks.
address address
(Optional) Home agent address.
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
12.3(14)YX
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Usage Guidelines
The byte and packet counters for each binding are synchronized to the standby unit using an accounting update event only if the byte counts have changed since the last synchronization.
Examples
In the following example, the byte and packet counters for each binding will be periodically synchronized between the active and standby unit:
Router(config)# ip mobile home-agent redundancy group1 periodic-syncip mobile home-agent reject-static-addr
To configure the HA to reject Registration Requests from MNs under certain conditions, use the ip mobile home-agent reject-static-addr sub-command under the ip mobile home-agent global configuration command.
ip mobile home-agent reject-static-addr
Syntax Description
This command has not arguments or keywords
Command Modes
Subcommand of the ip mobile home-agent global configuration command.
Command History
12.2(8)BY
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
If an MN that has a binding to the HA with a static address tries to register with the same static address again, then the HA rejects the second RRQ from the MN.
Examples
The following example illustrates the ip mobile home-agent reject-static-addr command:
Router(config)# ip mobile home-agent reject-static-addrip mobile home-agent resync-sa
To configure the home agent to clear out the old cached security associations and requery the AAA server for a new security association when the mobile node fails authentication, use the ip mobile home-agent resync-sa command in global configuration mode. To disable this functionality, use the no form of this command.
ip mobile home-agent resync-sa seconds
no ip mobile home-agent resync-sa seconds
Syntax Description
Defaults
This command is off by default. The normal behavior of the home agent is to never requery the AAA server for a new security association.
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable security association caching for the ip mobile home-agent resync-sa command to work. Use the ip mobile host aaa load-sa global configuration command to enable caching of security associations retrieved from a AAA server.
When a security association is downloaded for a mobile node from a AAA server, the security association is time stamped. If the mobile node fails reregistration and the time interval since the security association was cached is greater than sec seconds, the home agent will clear out the old security association and requery the AAA server. If the time period is less than the sec value, the home agent will not requery the AAA server for the security association of the mobile node.
The sec value represents the number of seconds the home agent will consider the downloaded security association synchronized with the AAA server. After that time period, it is considered old and can be replaced by a new security association from the AAA server.
This time-based resynchronization process helps prevent denial-of-service attacks on the AAA server and provides a way to synchronize the home agent's cached security association entry when a change to the security association for the mobile node is made at the AAA server and on the mobile node. By using this process, once the mobile node fails reregistration with the old cached security association, the home agent will clear the cache for that mobile node, and resynchronize with the AAA server.
Examples
In the following example, if a registration fails authentication, the home agent retrieves a new security association from the AAA server if the existing security association was downloaded more than 10 seconds ago:
ip mobile home-agent resync-sa 10Related Commands
ip mobile home-agent revocation
To enable support for MIPv4 registration revocation on the home agent, use the ip mobile home-agent revocation command in global configuration mode. To disable support for registration revocation, use the no form of the command.
ip mobile home-agent revocation [timeout seconds] [retransmit retries] [timestamp msec]
no ip mobile home-agent revocation [timeout seconds] [retransmit retries] [timestamp msec]
Syntax Description
Command Default
The home agent does not support registration revocation.
Command Modes
Global configuration
Command History
12.3(7)XJ
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Examples
In the following example, the MIPv4 registration message will be retransmitted a maximum of 5 times with a time interval of 4 seconds in between retransmissions:
Router(config)# ip mobile home-agent revocation timeout 4 retransmit 5ip mobile home-agent template tunnel
To configure a home agent to use the template tunnel, use the ip mobile home-agent template tunnel command in global configuration. To disable the use of the template tunnel, use the no form of the command.
ip mobile home-agent template tunnel interface-id address ha-address
no ip mobile home-agent template tunnel interface-id address ha-address
Syntax Description
interface-id
The template tunnel interface ID from which to apply ACLs.
address ha-address
Specifies the home agent address. ACLs will be applied to tunnels with ha-address as the local end point.
Command Default
The home agent does not use a template tunnel.
Command Modes
Global configuration
Command History
12.3(8)XJW
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Examples
In the following example, the home agent is configured to use the template tunnel:
Router(config)# interface tunnel 10!Router(config)# ip mobile home-agent template tunnel 10 address 10.0.0.1ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host command in global configuration mode. To disable these services, use the no form of this command.
ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [authorized-pool name] [skip-aaa-reauthentication][care-of-access access-list] [lifetime seconds]
no ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}] [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}]} {interface name | virtual-network network-address mask} [aaa [load-sa [permanent]]] [authorized-pool name] [skip-aaa-reauthentication] [care-of-access access-list] [lifetime seconds]
Syntax Description
lower [upper]
One or a range of mobile host or mobile node group IP addresses. The upper end of the range is optional.
nai string
Network access identifier. The NAI can be a unique identifier (username@realm) or a group identifier (@realm).
static-address
(Optional) Indicates that a static IP address is to be assigned to the flows on this NAI. This parameter is not valid if the NAI is a realm.
addr1, addr2, ...
(Optional) One to a maximum of five IP addresses to be assigned using the static-address keyword.
local-pool name
(Optional) Name of the local pool of addresses to use for assigning a static IP address to this NAI.
address
(Optional) Indicates that a dynamic IP address is to be assigned to the flows on this NAI.
addr
(Optional) IP address to be assigned using the address keyword.
pool
(Optional) Indicates that a pool of addresses is to be used in assigning a dynamic IP address.
local name
(Optional) The name of the local pool to use in assigning addresses.
dhcp-proxy-client
(Optional) Indicates that the DHCP request should be sent to a DHCP server on behalf of the mobile node.
dhcp-server addr
(Optional) IP address of the DHCP server.
interface name
When used with DHCP, specifies the gateway address from which the DHCP server should select the address.
virtual-network network-address mask
Indicates that the mobile station resides in the specified virtual network, which was created using the ip mobile virtual-network command.
aaa
(Optional) Retrieves security associations from a AAA (TACACS+ or RADIUS) server. Allows the home agent to download address configuration details from the AAA server.
load-sa
(Optional) Caches security associations after retrieval by loading the security association into RAM. See Table 8 for details on how security associations are cached for NAI hosts and non-NAI hosts.
permanent
(Optional) Caches security associations in memory after retrieval permanently. Use this optional keyword only for NAI hosts.
authorized-pool name
(Optional) Verifies the IP address assigned to the mobile node if it is within the pool specified by the name argument.
skip-aaa-reauthentication
(Optional) When configured, the home agent does not send an access request for authentication for mobile IP re-registration requests. When disabled, the home agent sends an access request for all Mobile IP registration requests.
care-of-access access-list
(Optional) Access list. This can be a named access list or standard access list. The range is from 1 to 99. Controls where mobile nodes roam—the acceptable care-of addresses.
lifetime seconds
(Optional) Lifetime (in seconds). The lifetime for each mobile node (group) can be set to override the global value. The range is from 3 to 65535 (infinite).
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the home agent. These mobile nodes belong to the network on an interface or a virtual network (via the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from a AAA server.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table 7 are based on the assumption of one security association per mobile node. Caching behavior of security associations differs between NAI and non-NAI hosts as described in Table 8.
The nai keyword allows you to specify a particular mobile node or range of mobile nodes. The mobile node can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool; the requested address must be in the pool). Or, the mobile node can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the Packet Data Serving Node (PDSN) proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The address pool can be defined by a local pool or by use of a DHCP proxy client. For DHCP, the interface name keyword and argument combination specifies the gateway address from which the DHCP server should select the address and the dhcp-server keyword specifies the DHCP server address. The NAI is sent in the client-id option of the DHCP packet and can be used to provide dynamic DNS services.
You can also use this command to configure the static IP address or address pool for multiple flows with the same NAI. A flow is a set of {NAI, IP address}.
Security associations can be stored by using one of three methods:
•
•
•
Each method has advantages and disadvantages, which are described in Table 7.
The caching behavior of security associations for NAI hosts and non-NAI hosts is described in Table 8.
Note
If the aaa load-sa option is configured, the Home Agent caches the SA locally on first registration. In this case the Home Agent will not invoke the RADIUS authorization procedure for re-registration.
If aaa load-sa skip-aaa-reauthentication is configured, the Home Agent caches the SA locally on first registration; however, the Home Agent will not invoke HA-CHAP procedure for re-registration.
The aaa load-sa permanent option is not supported on the Mobile Wireless Home Agent, and should not be configured.Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and retrieve mobile node security associations from a AAA server every time the mobile node registers:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a mobile node group to reside on virtual network 10.99.1.0 and retrieve and cache mobile node security associations from a AAA server. The cached security association is then used for subsequent registrations.
ip mobile host 10.99.1.1 10.99.1.100 virtual-network 10.99.1.0 aaa load-saThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 180The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached as long as the binding is present and are deleted on the home agent when the binding is removed (due to manual clearing of the binding or lifetime expiration).
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 10.2.0.0 255.255.0.0 aaa load-sa lifetime 180The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
ip mobile host nai @cisco.com static-address local-pool mobilenodesThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations that are retrieved from the AAA server are cached permanently until cleared manually.
ip mobile host nai @cisco.com address pool local mobilenodes virtual network 10.2.0.0 255.255.0.0 aaa load-sa permanent lifetime 180The following example configures the DHCP proxy client to use a DHCP server located at 10.1.2.3 to allocate a dynamic home address:
ip mobile host nai @dhcppool.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0Related Commands
