This chapter describes how to configure Mobile IP. For a complete description of the Mobile IP commands in this chapter, refer to the "Mobile IP Commands" chapter of the Cisco IOS IP and IP Routing Command Reference publication. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
As personal digital assistants and the next generation of data-ready cellular phones become more widely deployed, a greater degree of connectivity is becoming almost a necessity for the mobile business user. Data connectivity solutions for this group of users are a very different requirement than they are for the fixed dialup user or the stationary wired LAN user. Solutions need to deal with the challenge of movement during a data session or conversation. Cellular service providers and network administrators wanting to deploy wireless LAN technologies need to have a solution that will grant this greater freedom.
Cisco IOS has integrated new technology into our routing platforms to meet these new networking challenges. Mobile IP is a tunneling-based solution that takes advantage of the Cisco-created generic routing encapsulation (GRE) tunneling technology and simpler IP-in-IP tunneling protocol. This tunneling enables a router on a user's home subnet to intercept and transparently forward IP packets to users while they roam beyond traditional network boundaries. This solution is a key enabler of wireless mobility, both in the wireless LAN arena, such as the 802.11 standard, and in the cellular environment for packet-based data offerings, which offer connectivity to a user's home network and the Internet.
Mobile IP provides users the freedom to roam beyond their home subnet while consistently maintaining their home IP address. This enables transparent routing of IP datagrams to mobile users during their movement, so that data sessions can be initiated to them while they roam; it also enables sessions to be maintained in spite of physical movement between points of attachment to the Internet or other networks. The Cisco implementation of Mobile IP is fully compliant with the Internet Engineering Task Force (IETF) proposed standard defined in Request for Comments (RFC) 2002.
Mobile IP is most useful in environments where mobility is desired and the traditional land line dial-in model or Dynamic Host Configuration Protocol (DHCP) does not provide an adequate solution for the needs of the users. If it is necessary or desirable for a user to maintain a single address while making the transition between networks and network media, Mobile IP can provide this ability. Generally, Mobile IP is most useful in environments where a wireless technology is being utilized. This includes cellular environments and wireless LAN situations that may require roaming. Mobile IP can complement many different cellular technologies like CDMA, TDMA, GSM, AMPS, NAMPS, as well as other proprietary solutions, to provide a mobile system that will scale for many users.
Each mobile node is always identified by its home address, no matter what its current point of attachment to the Internet, allowing for transparent mobility with respect to the network and all other devices. The only devices that need to be aware of the movement of this node are the mobile device and a router serving the topologically correct subnet of the user.
agent discovery---The method by which a mobile node determines whether it is currently connected to its home network or a foreign network and detects whether it has moved and the way it has moved. It is the mechanism by which mobile nodes query and discover mobility agents. This is done through an extension of the ICMP Router Discovery Protocol, IRDP (RFC 1256), which includes a mechanism to advertise mobility services to potential users.
care-of address---The termination point of the tunnel to a mobile node. This can be a collocated care-of address, where the mobile node acquires a local address and detunnels its own packets, or a foreign agent care-of address, where a foreign agent detunnels packets and forwards them to the mobile node.
correspondent node---A peer with which a mobile node is communicating. A correspondent node may be either stationary or mobile.
foreign agent---A router on a mobile node's visited network that provides routing services to the mobile node while it is registered. The foreign agent detunnels and delivers to the mobile node the datagrams that were tunneled by the mobile node's home agent. For datagrams sent by a mobile node, the foreign agent may serve as a default router for registered mobile nodes.
home address---An IP address that is assigned for an extended time to a mobile node. It remains unchanged regardless of where the node is attached to the Internet.
home agent---A router on a mobile node's home network that tunnels packets to the mobile node while it is away from home. It keeps current location information, called a mobility binding, for each registered mobile node.
home network---The network or virtual network that matches the subnet address of the mobile node.
mobile node---A host or router that changes its point of attachment from one network or subnet to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its home IP address, assuming link-layer connectivity to a point of attachment is available.
mobility agent---A home agent or a foreign agent.
mobility binding---The association of a home address with a care-of address and the remaining lifetime.
mobility security association---A collection of security contexts between a pair of nodes, which may be applied to Mobile IP protocol messages exchanged between them. Each context indicates an authentication algorithm and mode, a secret (a shared key or appropriate public/private key pair), and a style of replay protection in use.
MTU---Maximum transmission unit. Maximum packet size, in bytes, that a particular interface can handle.
node---A host or router.
registration---The process by which the mobile node is associated with a care-of address on the home agent while it is away from home. This process may happen directly from the mobile node to the home agent or through a foreign agent.
security parameter index (SPI)---The index identifying a security context between a pair of nodes.
tunnel---The path followed by a datagram while it is encapsulated from the home agent to the mobile node.
To configure home agent functionality on your router, you need to determine IP addresses or subnets for which you would like to allow roaming service. If you intend to support roaming without having a physical home location for the roaming devices, you need to identify the subnets for which you will allow this service and place these virtual networks appropriately within your network on the home agent. It is possible to enable home agent functionality for a homed or nonhomed subnet. In the case of nonhomed addresses, it is necessary to define virtual networks on the router. Mobile IP home agent and foreign agent services can be configured on the same router or on separate routers to enable Mobile IP service to users.
Because Mobile IP requires support on the host device, it is necessary that each mobile node is appropriately configured for the desired Mobile IP service. Please refer to the manual entries in your mobile aware IP stack vendor documentation for details.
To configure Mobile IP, complete the following tasks as related to the functions you intend to support.
To enable home agent service for users having homed or virtually homed IP addresses on the router, use the following commands in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | router mobile | Enable Mobile IP on the router. |
| 2 | ip mobile home-agent | Enable home agent service. |
| 3 | ip mobile virtual-network addr mask | Add virtual network to routing table. If not using a virtual network, go to step 6. |
| 4 | router protocol; redistribute mobile | Enable redistribution of a virtual network into routing protocol(s). |
| 5 | ip mobile host lower [upper] virtual-network addr mask [aaa [load-sa]] | Specify mobile nodes (on a virtual network) and where their security associations are stored.¹ |
| 6 | ip mobile host lower [upper] {interface name} | Specify mobile nodes on an interface and where their security associations are stored. Omit this step if there are no mobile nodes on the interface. |
| 7 | ip mobile secure host addr {inbound-spi spi-in outbound-spi spi-out \| spi spi} key string | Set up mobile host security associations. Omit this step if using AAA. |
| 8 | ip mobile secure foreign-agent addr {inbound-spi spi-in outbound-spi spi-out \| spi spi} key string | (Optional) Set up foreign agents' security associations. Omit this step unless you have security associations with remote foreign agents. |

¹ By default, security associations are expected to be configured locally; however, the security association configuration can be offloaded to an AAA server.
To start a foreign agent providing default services, use the following commands in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | router mobile | Enable Mobile IP on the router. |
| 2 | ip mobile foreign-agent care-of interface | Set up care-of address(es) advertised on all foreign agent-enabled interfaces. |
| 3 | ip mobile foreign-service | Enable foreign agent service on the interface. |
| 4 | ip mobile secure home-agent addr {inbound-spi spi-in outbound-spi spi-out \| spi spi} key string | (Optional) Set up home agent security association. Skip steps 4 and 5 unless you have security associations with remote home agents or visitors. |
| 5 | ip mobile secure visitor addr {inbound-spi spi-in outbound-spi spi-out \| spi spi} key string [replay timestamp] | (Optional) Set up visitor security association. |
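As an added example (not from this chapter and not Cisco's code), the following Python shows what the security associations configured with ip mobile secure are used for on the wire: the mobile node computes the RFC 2002 Mobile-Home Authentication Extension with the RFC's default keyed-MD5 prefix+suffix algorithm under the shared key selected by the SPI, and the home agent looks up the SPI, verifies the authenticator and applies timestamp-based replay protection. Addresses, SPI and key are constructed values, and the replay cache that also rejects a non-increasing Identification is a simplification of this example rather than something the chapter configures.

```python
import hashlib
import hmac
import socket
import struct

# Constructed SAs keyed by (home address, SPI), as "ip mobile secure host addr spi n key hex k" sets them.
SECURITY_ASSOCIATIONS = {
    ("10.0.0.1", 100): bytes.fromhex("12345678123456781234567812345678"),
}
TIMESTAMP_TOLERANCE = 7        # seconds; RFC 2002 default clock tolerance for timestamp replay protection
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
MH_AUTH_EXT_TYPE = 32          # Mobile-Home Authentication Extension type
FIXED_FMT = "!BBH4s4s4sQ"      # type, flags, lifetime, home addr, home agent, care-of addr, identification
last_accepted_id = {}          # constructed replay cache: home address -> last accepted Identification

def keyed_md5(key, data):
    """RFC 2002 default authenticator: keyed-MD5 in prefix+suffix mode, MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()

def build_registration_request(home_addr, home_agent, care_of, lifetime, spi, key, now):
    """Mobile node side: fixed portion (type 1) followed by the Mobile-Home Authentication Extension."""
    identification = (int(now) + NTP_EPOCH_OFFSET) << 32  # 64-bit NTP timestamp, fraction zeroed
    fixed = struct.pack(FIXED_FMT, 1, 0, lifetime, socket.inet_aton(home_addr),
                        socket.inet_aton(home_agent), socket.inet_aton(care_of), identification)
    ext_head = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 20, spi)  # length = 4 (SPI) + 16 (MD5 digest)
    # The authenticator covers the fixed portion plus the extension's own type, length and SPI.
    return fixed + ext_head + keyed_md5(key, fixed + ext_head)

def verify_registration_request(packet, now):
    """Home agent side: SPI lookup, authenticator check, then timestamp replay check."""
    if len(packet) != 46:
        return False, "poorly formed request (code 134)"
    fixed, ext_head, authenticator = packet[:24], packet[24:30], packet[30:46]
    _t, _flags, _lifetime, home, _ha, _coa, identification = struct.unpack(FIXED_FMT, fixed)
    ext_type, ext_len, spi = struct.unpack("!BBI", ext_head)
    if ext_type != MH_AUTH_EXT_TYPE or ext_len != 20:
        return False, "poorly formed request (code 134)"
    home_addr = socket.inet_ntoa(home)
    key = SECURITY_ASSOCIATIONS.get((home_addr, spi))
    if key is None:
        return False, "no security association for SPI"
    if not hmac.compare_digest(keyed_md5(key, fixed + ext_head), authenticator):
        return False, "mobile node failed authentication (code 131)"
    sent = (identification >> 32) - NTP_EPOCH_OFFSET
    if abs(sent - int(now)) > TIMESTAMP_TOLERANCE or identification <= last_accepted_id.get(home_addr, 0):
        return False, "registration Identification mismatch (code 133)"
    last_accepted_id[home_addr] = identification
    return True, "registration accepted"
```

A rejected request maps to the same conditions the home agent reports under show ip mobile violation; the reply codes in the reason strings are the RFC 2002 registration reply codes.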
To make sure Mobile IP is set up correctly, use any of the following commands in EXEC mode:
| Command | Purpose |
|---|---|
| show ip mobile globals | Check home agent and foreign agent global settings. |
| show ip mobile host group | Check mobile node groups. |
| show ip mobile secure {host \| visitor \| foreign-agent \| home-agent} addr | Check security associations. |
| show ip mobile interface | Check advertisements on interfaces. |
To monitor and maintain Mobile IP, use any of the following commands:
| Command | Purpose |
|---|---|
| show ip mobile host | Check mobile node counters (home agent only). |
| show ip mobile binding | Check mobility bindings (home agent only). |
| show ip mobile tunnel | Check active tunnels. |
| show ip mobile visitor | Check visitor bindings (foreign agent only). |
| show ip route mobile | Check Mobile IP routes. |
| show ip mobile traffic | Check protocol statistics. |
| clear ip mobile traffic | Clear counters. |
| show ip mobile violation | Check security violations. |
| debug ip mobile advertise | Display advertisement information.¹ |
| debug ip mobile host | Display mobility events. |

¹ Make sure IRDP is running on the interface.
To shut down Mobile IP, use all of the following commands in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| 1 | no ip mobile home-agent | Disable home agent services. |
| 2 | no ip mobile foreign-agent | Disable foreign agent services. |
| 3 | no router mobile | Stop Mobile IP process. |
This section contains the following configuration examples:
In the following example, the home agent has five mobile hosts on interface Ethernet1 (network 11.0.0.0) and ten on virtual network 10.0.0.0. There are two mobile node groups. Each mobile host has one security association. The home agent has an access list to disable roaming capability by mobile host 11.0.0.5. The 11.0.0.0 group has a lifetime of 1 hour (3600 secs). The 10.0.0.0 group cannot roam in areas where the network is 13.0.0.0.
```
router mobile
!
! Define which hosts are permitted to roam
ip mobile home-agent broadcast roam-access 1
!
! Define a virtual network
ip mobile network 10.0.0.0 255.0.0.0
!
! Define which hosts are on the virtual network, and the care-of access list
ip mobile host 10.0.0.1 10.0.0.10 virtual-network 10.0.0.0 255.0.0.0 care-of-access 2
!
! Define which hosts are on Ethernet 1, with lifetime of one hour
ip mobile host 11.0.0.1 11.0.0.5 interface Ethernet1 lifetime 3600
!
! The next ten lines specify security associations for mobile hosts
! on virtual network 10.0.0.0
!
ip mobile secure host 10.0.0.1 spi 100 key hex 12345678123456781234567812345678
ip mobile secure host 10.0.0.2 spi 200 key hex 87654321876543218765432187654321
ip mobile secure host 10.0.0.3 spi 300 key hex 31323334353637383930313233343536
ip mobile secure host 10.0.0.4 spi 100 key hex 45678332353637383930313233343536
ip mobile secure host 10.0.0.5 spi 200 key hex 33343536313233343536373839303132
ip mobile secure host 10.0.0.6 spi 300 key hex 73839303313233343536313233343536
ip mobile secure host 10.0.0.7 spi 100 key hex 83930313233343536313233343536373
ip mobile secure host 10.0.0.8 spi 200 key hex 43536373839313233330313233343536
ip mobile secure host 10.0.0.9 spi 300 key hex 23334353631323334353637383930313
ip mobile secure host 10.0.0.10 spi 100 key hex 63738393132333435330313233343536
!
! The next five lines specify security associations for mobile hosts
! on Ethernet1
!
ip mobile secure host 11.0.0.1 spi a1 key sanfran1
ip mobile secure host 11.0.0.2 spi a1 key sanfran2
ip mobile secure host 11.0.0.3 spi a1 key sanfran3
ip mobile secure host 11.0.0.4 spi a1 key sanfran4
ip mobile secure host 11.0.0.5 spi a1 key sanfran5
!
! Deny access for this host
access-list 1 deny 11.0.0.5
!
! Deny access to anyone on network 13.0.0.0 trying to register
access-list 2 deny 13.0.0.0
```
In the following AAA server configuration, the home agent can use a AAA server for storing security associations. Mobile IP has been authorized using a TACACS+ server to retrieve the security association information, which is used by the home agent to authenticate registrations. This format can be imported into a CiscoSecure server.
```
user = 20.0.0.1 {
    service = mobileip {
        set spi#0 = "spi 100 key hi1"
    }
}
user = 20.0.0.2 {
    service = mobileip {
        set spi#0 = "spi 100 key hi2"
    }
}
user = 20.0.0.3 {
    service = mobileip {
        set spi#0 = "spi 100 key hi3"
    }
}
```
In the example above, the user is the mobile node's IP address. The syntax for the security association is spi#num = "string", where string is the rest of the ip mobile secure {host | visitor | home-agent | foreign-agent} string command.
The following example shows how the home agent is configured to use the AAA server:
```
aaa new-model
aaa authorization ipmobile tacacs+
!
ip mobile home-agent
ip mobile network 20.0.0.0 255.0.0.0
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 255.0.0.0 aaa
!
tacacs-server host 1.2.3.4
tacacs-server key cisco
```
In the following example, the foreign agent is providing service on interface Ethernet1, advertising care-of address 68.0.0.31 and a lifetime of one hour:
```
interface Ethernet0
 ip address 68.0.0.31 255.0.0.0
interface Ethernet1
 ip address 67.0.0.31 255.0.0.0
 ip irdp
 ip irdp maxadvertinterval 10
 ip irdp minadvertinterval 7
 ip mobile foreign-service
 ip mobile registration-lifetime 3600
!
router mobile
!
ip mobile foreign-agent care-of Ethernet0
```
Posted: Wed Jul 26 18:37:41 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.