Assigning a Home Address on the Home Agent
This chapter describes how the Cisco Mobile Wireless Home Agent assigns home addresses to a mobile node and the different address types, and provides configuration details and examples.
This chapter includes the following sections:
•Home Address Assignment
•Static IP Address
•Dynamic Home Agent Assignment
•Dynamic IP Address
•Configuration Examples
Home Address Assignment
The Home Agent assigns a home address to the mobile node based on the user NAI received during Mobile IP registration. The IP address assigned to a mobile station may be statically or dynamically assigned. The Home Agent does not permit simultaneous registrations for different NAIs with the same IP address, whether that address is statically or dynamically assigned.
Address Assignment Feature
The Address Assignment with session overwrite feature removes a stale session so that a new session can be established for a device. The MAC address of the device remains the same, but the NAI (which may be obtained from the outer EAP identity) and HoA may change.
The NAI realm (that is, not the Home Address field in the RRQ) determines whether static IP pool or dynamic IP pool address management is used.
In Home Agent Release 5.0, both CMIPv4 and PMIPv4 are supported. The address management performed is based on the MAC address in the registration.
The following conditions apply to an RRQ with and without a MAC address (provided in the PMIPv4 Device ID Extension):
•If the RRQ does not contain a MAC address (CMIP), the session is managed according to the Release 4.0 matrix.
•If the RRQ contains a MAC address (PMIP), the session is managed according to the Release 5.0 matrix.
•There is no handoff between CMIP and PMIP.
•CMIP users and PMIP users are not in the same domain.
•CMIP users and PMIP users do not share home addresses. If VRF is used and the CMIP users and PMIP users are in different VRFs, the same HoA may appear in both.
Client-based Mobile IPv4
CMIPv4 uses the HA Release 4.0 address assignment method. Configuration examples are shown below.
Static IP Pool:
ip mobile host nai @domain static-address local-pool pool_001
AAA assigns the HoA, and the HoA is set in the MIP RRQ for the initial registration.
Dynamic IP Pool Allowing Static Access:
ip mobile host nai @domain static-address local-pool pool_002 address pool local pool_002
If HoA is sent in the MIP RRQ for the initial registration, the HA establishes a session with the HoA. If HoA is not sent in the MIP RRQ for the initial registration, the HA assigns a HoA and establishes a session.
Dynamic IP Pool:
ip mobile host nai @domain address pool local pool_003
The HA assigns the HoA. The HoA is not set (0.0.0.0) in the MIP RRQ for the initial registration. The existing address management is described below using the following pool types:
Proxy Mobile IPv4
PMIPv4 uses the HA Release 5.0 address assignment method. The Address Assignment with HoA Overwrite feature removes a stale session so that a new session can be established for a device. The MAC address of the device remains the same, but the NAI (which may be obtained from the outer EAP identity) and HoA may change.
The NAI realm (not the Home Address field in the RRQ) determines whether static IP pool or dynamic IP pool address management is used. Configuration examples are shown below:
Static IP Pool:
ip mobile host nai @domain static-address local-pool pool_001
AAA assigns the HoA. The HoA is set in the MIP RRQ for the initial registration.
Dynamic IP Pool:
ip mobile host nai @domain address pool local pool_003
The HA assigns the HoA. The HoA is either set or not set (0.0.0.0) in the MIP RRQ for the initial registration.
To enable the deletion of stale bindings, configure the ip mobile home-agent binding-overwrite command on the HA (shown in the Overwrite Existing Binding example below).
Note The revocation message does not need to include the NAI extension because multiple HA IP addresses are used for VRF support.
Here are three configuration examples that illustrate how to use the Address Assignment feature:
MAC-based Session Using Static IP Pool
HA Config
ip local pool cisco-static-pool 5.1.0.1 5.1.1.0
ip mobile host nai @cisco.com static-address local-pool cisco-static-pool interface Null0 aaa load-sa
FA Config
simulator mip mn profile 1
description ctc-mac-static
registration lifetime 65535
registration retries 0
registration flags 42
revocation flags 00
home-agent 81.81.81.81
home-address 5.1.0.1
secure home-agent spi 100 key ascii cisco
nai cisco-%f@cisco.com
pmip skip subtype 2 idtype mac
no extension fa-challenge
no extension mn-fa
no extension nat traversal
extension revocation
MAC-based Session Using Dynamic IP Pool
HA Config
ip local pool cisco-pool 5.1.0.1 5.1.1.0
ip mobile host nai @cisco.com address pool local cisco-pool interface Null0 aaa load-sa
FA Config
simulator mip mn profile 1
description ctc-mac-static
registration lifetime 65535
registration retries 0
registration flags 42
revocation flags 00
home-agent 81.81.81.81
home-address 5.1.0.1
secure home-agent spi 100 key ascii cisco
nai cisco-%f@cisco.com
pmip skip subtype 2 idtype mac
no extension fa-challenge
no extension mn-fa
no extension nat traversal
extension revocation
Overwrite Existing Binding
HA Config
ip mobile home-agent binding-overwrite
ip local pool cisco-pool 5.1.0.1 5.1.1.0
ip mobile host nai @cisco.com address pool local cisco-pool interface Null0 aaa load-sa
FA Config
simulator mip mn profile 3
registration lifetime 65535
registration retries 0
registration flags 42
revocation flags 00
home-agent 81.81.81.81
secure home-agent spi 100 key ascii cisco
secure aaa spi 2 key ascii cisco
nai cisco-%f@cisco.com
pmip skip subtype 2 idtype mac
no extension mn-aaa
no extension mn-fa
no extension nat traversal
extension revocation
simulator mip mn profile 4
registration lifetime 65535
registration retries 0
registration flags 42
revocation flags 00
home-agent 81.81.81.81
home-address 5.0.0.2 0
secure home-agent spi 100 key ascii cisco
secure aaa spi 2 key ascii cisco
nai pepsi-%f@cisco.com
pmip skip subtype 2 idtype mac
no extension mn-aaa
no extension mn-fa
no extension nat traversal
extension revocation
simulator mip scenario 3
mn profile 3
fa 2.2.2.200
mn id 20
simulator mip scenario 4
mn profile 4
fa 2.2.2.200
mn id 21
Static IP Address
A static IP address is an address that is pre-assigned to the mobile station, and possibly preconfigured at the mobile device. The Home Agent supports static addresses that may be public IP addresses or addresses in a private domain.
Note Use of private addresses for Mobile IP services requires reverse tunneling between the PDSN/FA and the Home Agent.
The mobile user proposes the configured or available address as a non-zero home address in the registration request message. The Home Agent may accept this address or return another address in the registration reply message. The Home Agent may obtain the IP address by accessing the home AAA server or DHCP server. The home AAA server may return the name of a local pool, or a single IP address. On successful Mobile IP registration, Mobile IP based services are made available to the user.
Static Home Addressing Without NAI
The original Mobile IP specification supported only static addressing of mobile nodes. The home IP address served as the "user name" portion of the authentication. Static addressing can be beneficial because it allows each device to keep the same address all the time no matter where it is attached to the network. This allows the user to run mobile terminated services without updating the DNS, or some other form of address resolution. It is also easy to manage MNs with static addressing because the home address and the Home Agent are always the same. However, provisioning and maintenance are much more difficult with static addressing because address allocation must be handled manually, and both the Home Agent and MN must be updated. Here is an example configuration:
router (config)# ip mobile host 10.0.0.5 interface FastEthernet0/0
router (config)# ip mobile host 10.0.0.10 10.0.0.15 interface FastEthernet0/0
router (config)# ip mobile secure host 10.0.0.12 spi 100 key ascii secret
Static Home Addressing with NAI
Static home addressing can also be used in conjunction with NAI to support NAI-based authorization and other services. It is also possible to allow a single user to use multiple static IP addresses, either on the same device or on multiple devices, while maintaining only one AAA record and security association. A user must be authorized to use an address before the registration is accepted. Addresses can be authorized either locally or through a AAA server. If an MN requests an address that is already associated with a binding for a different NAI, the HA attempts to return another address from the pool unless the ip mobile home-agent reject-static-addr command is configured.
Here is a sample configuration:
router (config)# ip mobile home-agent reject-static-addr
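The assignment rules described in this chapter, modeled in Python: the NAI realm picks static versus dynamic pool handling, no two NAIs may hold one home address, a PMIPv4 registration carrying an already-bound MAC address tears down the stale session only when binding-overwrite is enabled, and a proposed address held by another NAI is answered with a different address from the pool unless reject-static-addr is set. This is an added example, not Cisco code: the Pool, Realm and HomeAgent classes, the pool ranges, realms, NAIs and MAC address are constructed here, and rejecting (rather than re-pooling) a conflicting request in a static-only realm is this example's interpretation of the text.

```python
# Added example (not Cisco code): a model of the HA home-address assignment rules.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional

ZERO = IPv4Address("0.0.0.0")


class Pool:
    """Models 'ip local pool NAME FIRST LAST': a contiguous range handed out first
    come, first served; an address returns to the pool when its binding goes away."""

    def __init__(self, name: str, first: str, last: str):
        self.name = name
        self.first, self.last = IPv4Address(first), IPv4Address(last)
        self.in_use = set()

    def __contains__(self, addr: IPv4Address) -> bool:
        return self.first <= addr <= self.last

    def allocate(self) -> Optional[IPv4Address]:
        addr = self.first
        while addr <= self.last:
            if addr not in self.in_use:
                self.in_use.add(addr)
                return addr
            addr += 1
        return None

    def take(self, addr: IPv4Address) -> bool:
        """Claim the specific address the MN proposed (static, or dynamic allowing static)."""
        if addr not in self or addr in self.in_use:
            return False
        self.in_use.add(addr)
        return True

    def release(self, addr: IPv4Address) -> None:
        self.in_use.discard(addr)


@dataclass
class Realm:
    """One 'ip mobile host nai @realm ...' line: 'static-address local-pool' and/or
    'address pool local'. Both set to the same Pool models 'Dynamic IP Pool Allowing Static Access'."""
    static: Optional[Pool] = None
    dynamic: Optional[Pool] = None


@dataclass
class Binding:
    nai: str
    hoa: IPv4Address
    pool: Pool
    mac: Optional[str] = None        # PMIPv4 Device ID extension; None for CMIPv4


class HomeAgent:
    def __init__(self, realms: Dict[str, Realm], binding_overwrite=False, reject_static_addr=False):
        self.realms = realms                            # "@domain" -> Realm
        self.binding_overwrite = binding_overwrite      # ip mobile home-agent binding-overwrite
        self.reject_static_addr = reject_static_addr    # ip mobile home-agent reject-static-addr
        self.bindings: Dict[IPv4Address, Binding] = {}  # HoA -> Binding: one NAI per HoA

    def register(self, nai: str, hoa: str = "0.0.0.0", mac: Optional[str] = None):
        hoa = IPv4Address(hoa)
        if "@" not in nai:
            return "reject", "NAI has no realm"
        realm = self.realms.get(nai[nai.index("@"):])   # the realm, not the HoA field, picks the pool type
        if realm is None:
            return "reject", "unknown realm"
        if mac is not None and self.binding_overwrite:
            # PMIPv4: the same device is back with a new NAI/HoA -> remove its stale session first
            for stale in [b for b in self.bindings.values()
                          if b.mac == mac and (b.nai != nai or (hoa != ZERO and b.hoa != hoa))]:
                self.deregister(str(stale.hoa))
        existing = self.bindings.get(hoa)
        if existing is not None and existing.nai == nai:
            return "accept", str(hoa)                   # re-registration with the bound address
        if existing is not None:                        # the HoA is held by a different NAI
            if self.reject_static_addr or realm.dynamic is None:
                return "reject", "home address in use by another NAI"
            hoa = ZERO                                  # fall through and hand out another address
        if hoa == ZERO:
            for b in self.bindings.values():
                if b.nai == nai:
                    return "accept", str(b.hoa)         # re-registration with 0.0.0.0 keeps the address
            if realm.dynamic is None:
                return "reject", "static realm requires a non-zero home address"
            pool, hoa = realm.dynamic, realm.dynamic.allocate()
            if hoa is None:
                return "reject", "pool exhausted"
        else:
            pool = realm.static
            if pool is None or not pool.take(hoa):
                return "reject", "home address not authorized for this realm"
        self.bindings[hoa] = Binding(nai, hoa, pool, mac)
        return "accept", str(hoa)

    def deregister(self, hoa: str) -> bool:
        """Lifetime expiry or deregistration: drop the binding and free the address at once."""
        b = self.bindings.pop(IPv4Address(hoa), None)
        if b is not None:
            b.pool.release(b.hoa)
        return b is not None
```

Two things are worth noticing when running it. With binding_overwrite on, the second registration for the same MAC gets back the very address the stale session held, because the release happens before the new allocation. And the overwrite is gated only on the MAC carried in the Device ID extension of an authenticated RRQ, so the protection against one device displacing another device's session rests entirely on the MN-HA and MN-AAA keys that authenticate registrations.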
Local Authorization
A static address can be authorized on a per MN or per realm basis using configuration commands. Per MN configurations require that you define a specific NAI in the user or user@realm form. Per realm configurations require that you define a generic NAI in the @realm form, and allow only the specification of a local pool.
Here is a sample configuration:
router (config)# ip local pool static-pool 10.0.0.5 10.0.0.10
router (config)# ip mobile host nai user@staticuser.com static-address 10.0.0.1 10.0.0.2 interface FastEthernet0/0
router (config)# ip mobile host nai user@staticuser.com static-address local-pool static-pool interface FastEthernet0/0
router (config)# ip mobile host nai @static.com static-address local-pool static-pool interface FastEthernet0/0
AAA Authorization
It is also possible to store either the authorized addresses, or local pool name in a AAA server. Each user must have either the static-ip-addresses attribute or the static-ip-pool attribute configured in the AAA server. Unlike the static address configuration on the command line, the static-ip-addresses attribute is not limited in the number of addresses that can be returned.
Here is a sample configuration.
HA configuration:
router (config)# ip local pool static-pool 10.0.0.5 10.0.0.10
router (config)# ip mobile host nai user@staticuser.com interface FastEthernet0/0 aaa
router (config)# ip mobile host nai @static.com interface FastEthernet0/0 aaa
RADIUS attributes:
Cisco-AVPair = "mobileip:static-ip-addresses=10.0.0.1 10.0.0.2 10.0.0.3"
Cisco-AVPair = "mobileip:static-ip-pool=static-pool"
Dynamic Home Agent Assignment
The Home Agent can be dynamically assigned in a CDMA2000 network when the following two conditions are met.
The first condition is that the Home Agent receives a Mobile IP Registration Request with a value of 0.0.0.0 in the Home Agent field. Upon authentication and authorization, the PDSN retrieves the HA's IP address from AAA. The PDSN then uses this address to forward the Registration Request to the HA, but does not update the Home Agent field in the Registration Request itself.
The Home Agent sends a Registration Reply and places its own IP address in the Home Agent field. From that point on, any re-registration requests contain the Home Agent's IP address in the Home Agent field.
The second condition is a function of the PDSN/Foreign Agent and is included here for completeness. In this case, a AAA server performs the dynamic Home Agent assignment. Depending on the network topology, either the local AAA server or the home AAA server performs this function. When an access service provider also serves as an ISP, the Home Agents are located in the access provider network, and the local AAA server performs Home Agent assignment. Based on the user NAI received in the access request message, the AAA server returns the selected Home Agent's address in the access reply message to the PDSN.
A pool of Home Agent addresses is typically configured at the AAA server. For an access provider serving as an ISP, multiple pools of Home Agents can be configured at the local AAA server, depending on the SLAs with the domains for which Mobile IP or proxy Mobile IP services are supported. You can configure the Home Agent selection procedure at the AAA server to use either a round-robin or a hashing algorithm over the user NAI.
The PDSN/Foreign Agent forwards the Registration Request to the Home Agent address it retrieved from AAA without touching the Home Agent field, which remains 0.0.0.0. The PDSN cannot alter the Registration Request because it does not hold the MN-HA security association (SPI and key): the Mobile-Home Authentication Extension covers the fixed fields of the request, including the Home Agent field, so any rewrite would fail authentication at the HA.
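The first condition above depends on the Registration Request reaching the HA unmodified. The following Python, an added example rather than Cisco or PDSN code, frames an RFC 3344 Registration Request with an NAI extension and the Mobile-Home Authentication Extension, shows that a PDSN which filled in the AAA-selected Home Agent address would invalidate the authenticator, and builds the Registration Reply in which the HA announces its own address. The SPI 100 and key "cisco" mirror the simulator profiles earlier in this chapter; the care-of address, the all-zero identification field, the NAI and the flags value (0x42, read as hex, which sets the B and T bits) are constructed for the example. MD5 in prefix+suffix mode is the RFC 2002 keyed-MD5 construction that the algorithm md5 mode prefix-suffix keyword in the configuration examples later in this chapter names; HMAC-MD5 is the RFC 3344 default and is included for comparison.

```python
# Added example (not Cisco code): Mobile IP registration framing and the
# MN-HA authentication extension, to show why the PDSN cannot fill in the HA field.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RRQ, RRP, NAI_EXT, MN_HA_AUTH = 1, 3, 131, 32
FIXED_RRQ_LEN = 24   # type, flags, lifetime, HoA, HA, CoA, identification (RFC 3344 3.3)
FIXED_RRP_LEN = 20   # type, code, lifetime, HoA, HA, identification (RFC 3344 3.4)


def keyed_md5_prefix_suffix(key: bytes, data: bytes) -> bytes:
    """RFC 2002 default authenticator: MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def hmac_md5(key: bytes, data: bytes) -> bytes:
    """RFC 3344 default authenticator: HMAC-MD5 (RFC 2104)."""
    return hmac.new(key, data, hashlib.md5).digest()


def build_rrq(flags: int, lifetime: int, hoa: str, ha: str, coa: str, ident: bytes, nai: str) -> bytes:
    fixed = struct.pack("!BBH4s4s4s8s", RRQ, flags, lifetime, IPv4Address(hoa).packed,
                        IPv4Address(ha).packed, IPv4Address(coa).packed, ident)
    nai_b = nai.encode()
    return fixed + struct.pack("!BB", NAI_EXT, len(nai_b)) + nai_b     # RFC 2794 NAI extension


def build_rrp(code: int, lifetime: int, hoa: str, ha: str, ident: bytes) -> bytes:
    return struct.pack("!BBH4s4s8s", RRP, code, lifetime, IPv4Address(hoa).packed,
                       IPv4Address(ha).packed, ident)


def add_mn_ha_auth(msg: bytes, spi: int, key: bytes, algo) -> bytes:
    """Append the MN-HA extension. The authenticator covers every preceding byte plus
    the extension's own type, length and SPI, so the Home Agent field is protected."""
    header = struct.pack("!BBI", MN_HA_AUTH, 4 + 16, spi)
    return msg + header + algo(key, msg + header)


def verify_mn_ha_auth(msg: bytes, keys: dict, algo, fixed_len: int = FIXED_RRQ_LEN) -> bool:
    """keys maps SPI -> shared secret, as 'ip mobile secure host ... spi N key ascii ...' does."""
    off = fixed_len
    while off + 2 <= len(msg):
        ext_type, ext_len = msg[off], msg[off + 1]
        if ext_type == MN_HA_AUTH:
            spi = struct.unpack("!I", msg[off + 2:off + 6])[0]
            covered, auth = msg[:off + 6], msg[off + 6:off + 2 + ext_len]
            key = keys.get(spi)
            return key is not None and hmac.compare_digest(algo(key, covered), auth)
        off += 2 + ext_len
    return False


def home_agent_field(msg: bytes) -> str:
    return str(IPv4Address(msg[8:12]))   # same offset in a request and a reply


def dynamic_ha_flow(algo=keyed_md5_prefix_suffix, key=b"cisco", spi=100,
                    selected_ha="81.81.81.81", assigned_hoa="5.1.0.1") -> dict:
    """MN -> PDSN/FA -> HA exchange for dynamic Home Agent assignment."""
    ident = bytes(8)   # constructed; a real MN puts a timestamp or nonce here (replay protection)
    rrq = build_rrq(flags=0x42, lifetime=65535, hoa="0.0.0.0", ha="0.0.0.0",
                    coa="2.2.2.200", ident=ident, nai="cisco-1@cisco.com")
    rrq = add_mn_ha_auth(rrq, spi, key, algo)
    # PDSN: AAA returned selected_ha; the RRQ is forwarded to that address untouched.
    forwarded_ok = verify_mn_ha_auth(rrq, {spi: key}, algo)
    # What would happen if the PDSN wrote the selected HA into the request instead:
    rewritten = rrq[:8] + IPv4Address(selected_ha).packed + rrq[12:]
    rewritten_ok = verify_mn_ha_auth(rewritten, {spi: key}, algo)
    # HA accepts (code 0), assigns the HoA and puts its own address in the reply's HA field.
    rrp = add_mn_ha_auth(build_rrp(0, 65535, assigned_hoa, selected_ha, ident), spi, key, algo)
    return {"forwarded_ok": forwarded_ok, "rewritten_ok": rewritten_ok,
            "reply_ha": home_agent_field(rrp),
            "reply_ok": verify_mn_ha_auth(rrp, {spi: key}, algo, FIXED_RRP_LEN)}
```

The same check is what makes the HA's own policy decisions trustworthy: the NAI extension that selects the realm and pool is inside the authenticated span, so the PDSN can route on the NAI but cannot change it.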
Dynamic IP Address
It is not necessary for a home IP address to be configured in the mobile station to access packet data services. A mobile user may request a dynamically assigned address by proposing an all-zero home address in the registration request message. The Home Agent assigns a home address and returns it to the MN in the registration reply message. The Home Agent obtains the address from a local pool, a DHCP server, or the home AAA server, as described in the following sections; when AAA is used, the AAA server returns either the name of a local pool or a single IP address. On successful registration, Mobile IP based services are made available to the user.
Fixed Addressing
It is possible to configure the Home Agent with a fixed address for each NAI. The fixed address is assigned to the MN each time it registers. This provides users all the benefits of static addressing while simplifying the configuration of the MN. We do not recommend fixed addressing for large-scale deployments because the Home Agent configuration must be updated for all user maintenance.
Here is a sample configuration:
router (config)# ip mobile host nai user@realm.com address 10.0.0.1 interface FastEthernet0/0
Local Pool Assignment
Local pool assignment requires that one or more address pools be configured on the HA. The HA allocates addresses from the pool on a first come, first served basis. The MN keeps the address as long as it has an active binding in the HA. The MN may update its binding by sending an RRQ with either the allocated address or 0.0.0.0 as its home address. When the binding expires, the address is immediately returned to the pool.
Note Currently local pool allocation cannot be used with the peer-to-peer HA Redundancy model. The number of local pools that can be configured is limited only by the available memory on the router.
Here is a sample configuration:
router (config)# ip local pool mippool 10.0.0.5 10.0.0.250
router (config)# ip mobile host nai @localpool.com address pool local mippool virtual-network 10.0.0.0 255.255.255.0
DHCP Allocation
The Dynamic Host Configuration Protocol (DHCP) is already a widely used method of allocating IP addresses for desktop computers. IOS Mobile IP leverages the existing DHCP proxy client in IOS to allow the home address to be allocated by a DHCP server. The NAI is sent in the Client-ID option and can be used to provide dynamic DNS services.
Here is a sample configuration:
router(config)# ip mobile host nai @dhcppool.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0
Note Currently DHCP cannot be used with the peer-to-peer HA Redundancy model.
Dynamic Addressing from AAA
Dynamic addressing from AAA allows you to support fixed and/or per-session addressing for MNs without the trouble of maintaining addressing at the MN or HA. The AAA server can return a specific address, the name of a local pool configured on the HA, or a DHCP server address. When the AAA server returns a specific address, the home address can be configured as an attribute on the NAI entry in the RADIUS database or allocated from a pool, depending on the capabilities of the AAA server being used.
Here is a sample configuration.
On the HA:
router (config)# ip local pool dynamic-pool 10.0.0.5 10.0.0.10
router (config)# ip mobile host nai user@staticuser.com interface FastEthernet0/0 aaa
router (config)# ip mobile host nai @static.com interface FastEthernet0/0 aaa
AAA Address assignment:
Cisco-AVPair = "mobileip:ip-address=65.0.0.71"
AAA Local Pool attribute:
Cisco-AVPair = "mobileip:ip-pool=dynamic-pool"
AAA DHCP server attribute:
Cisco-AVPair = "mobileip:dhcp-server=10.1.5.10"
Note The Framed-IP-Address attribute is also supported.
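The attributes listed above, parsed and turned into an assignment decision. This is an added example, not Cisco code: it reads Cisco-AVPair and Framed-IP-Address lines in the form shown in this chapter, authorizes a proposed (non-zero) home address against static-ip-addresses or static-ip-pool, and for a 0.0.0.0 request picks a fixed address, a local pool or a DHCP server. The pool table is constructed from the ip local pool lines in this chapter, and the precedence among ip-address, Framed-IP-Address, ip-pool and dhcp-server is this example's choice, since the page does not state one.

```python
# Added example (not Cisco code): parse the mobileip RADIUS attributes and decide
# where the home address comes from.
import re
from ipaddress import IPv4Address

AVPAIR = re.compile(r'^(?:Cisco-AVPair\s*=\s*)?"?mobileip:([a-z-]+)=([^"]*)"?$')
FRAMED = re.compile(r'^Framed-IP-Address\s*=\s*"?([0-9.]+)"?$')
ZERO = IPv4Address("0.0.0.0")

# Constructed from the 'ip local pool' lines in this chapter: name -> (first, last).
POOLS = {"static-pool": ("10.0.0.5", "10.0.0.10"), "dynamic-pool": ("10.0.0.5", "10.0.0.10")}


def parse_aaa_reply(lines):
    """Collect the Mobile IP attributes from an Access-Accept written one attribute per line.
    Unrelated attributes are ignored; an unknown mobileip attribute is an error."""
    reply = {}
    for line in lines:
        line = line.strip()
        m = FRAMED.match(line)
        if m:
            reply["Framed-IP-Address"] = IPv4Address(m.group(1))
            continue
        m = AVPAIR.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "static-ip-addresses":
            reply[name] = [IPv4Address(v) for v in value.split()]   # space-separated list
        elif name in ("ip-address", "dhcp-server"):
            reply[name] = IPv4Address(value)
        elif name in ("ip-pool", "static-ip-pool"):
            reply[name] = value
        else:
            raise ValueError("unsupported mobileip attribute: " + name)
    return reply


def in_pool(addr: IPv4Address, rng) -> bool:
    return rng is not None and IPv4Address(rng[0]) <= addr <= IPv4Address(rng[1])


def decide_home_address(requested_hoa: str, reply: dict, local_pools: dict):
    """Returns (source, value) or ('reject', reason) for the HoA field in the RRQ."""
    hoa = IPv4Address(requested_hoa)
    if hoa != ZERO:
        # A proposed address must be authorized: listed explicitly or inside the static pool.
        if hoa in reply.get("static-ip-addresses", []):
            return "static", str(hoa)
        if in_pool(hoa, local_pools.get(reply.get("static-ip-pool"))):
            return "static-pool", str(hoa)
        return "reject", "requested home address not authorized by AAA"
    # 0.0.0.0: AAA decides. The order below is this example's choice.
    for attr in ("ip-address", "Framed-IP-Address"):
        if attr in reply:
            return "fixed", str(reply[attr])
    if "ip-pool" in reply:
        if reply["ip-pool"] not in local_pools:
            return "reject", "AAA named a local pool that is not configured on the HA"
        return "local-pool", reply["ip-pool"]
    if "dhcp-server" in reply:
        return "dhcp", str(reply["dhcp-server"])
    return "reject", "AAA returned no address information"
```

The rejection for an unconfigured pool name matters operationally: a typo in the RADIUS profile should surface as a failed registration rather than a silent fallback to some other pool.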
Configuration Examples
DHCP-Proxy-Client Configuration
Active-HA configuration
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mwt10-7206b
!
aaa new-model
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
ip subnet-zero
ip cef
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
interface Ethernet2/0
description to PDSN/FA
ip address 10.0.0.2 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 10.0.0.4
standby priority 110
standby preempt delay sync 100
standby name cisco
!
interface Ethernet2/2
description to AAA
ip address 172.16.1.8 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile home-agent redundancy
ip mobile virtual-network 10.0.0.0 255.0.0.0
ip mobile host nai user01@cisco.com address pool dhcp-proxy-client dhcp-server 10.0.0.101 virtual-network 10.0.0.0 255.0.0.0
ip mobile secure home-agent 10.0.0.3 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix
!
radius-server host 172.16.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Standby-HA configuration
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mwt10-7206b
!
aaa new-model
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
ip subnet-zero
ip cef
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
interface Ethernet2/0
description to PDSN/FA
ip address 10.0.0.3 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 10.0.0.4
standby name cisco
!
interface Ethernet2/2
description to AAA
ip address 172.16.1.7 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip local pool ha-pool 10.0.0.1 10.0.0.255
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile home-agent redundancy
ip mobile secure home-agent 10.0.0.2 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix
ip mobile virtual-network 10.0.0.0 255.0.0.0
ip mobile host nai user01@cisco.com address pool dhcp-proxy-client dhcp-server 10.0.0.101 virtual-network 10.0.0.0 255.0.0.0
!
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end