Home Agent Configuration

Problem

You want to configure a router to act as a Home Agent for Mobile Nodes.

Solution

The first step in configuring IP Mobility in your network is to set up one or more Home Agent routers, which will act as the virtual home base and support tunnels for your roaming devices:

RouterHome#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome(config)#interface Loopback0
RouterHome(config-if)#ip address 192.168.9.1 255.255.255.255
RouterHome(config-if)#exit
RouterHome(config)#router mobile
RouterHome(config-router)#exit
RouterHome(config)#router eigrp 99
RouterHome(config-router)#redistribute mobile
RouterHome(config-router)#network 192.168.9.0
RouterHome(config-router)#network 192.168.10.0
RouterHome(config-router)#default-metric 10000 10 255 1 1500
RouterHome(config-router)#no auto-summary
RouterHome(config-router)#exit
RouterHome(config)#ip mobile home-agent address 192.168.9.1
RouterHome(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome(config)#end
RouterHome#

In case you need to adjust access-lists or firewall rules, note that IP Mobility tunnels use IP protocol number 55.

 

Discussion

A good way to handle IP Mobility in an enterprise network is to configure the roaming pool of addresses and the Home address on Loopback interfaces on the home router. This is how we have handled the configuration in this recipe. This way, if you have a lot of roaming devices, they are easy to identify from their IP addresses. As a side effect of this approach, none of the roaming devices are ever "home" because their home network doesn't really exist on a physical piece of wire anywhere.

The first thing we do in this recipe is to configure a Loopback interface that will be the Home Agent IP address. Because this is where all of the tunnels will terminate, it is sensible to make it a Loopback interface. This way, as long as there is network connectivity between the Home Agent and Foreign Agent routers, the tunnels can continue to operate, allowing you to take advantage of any link redundancy in your network:

RouterHome(config)#interface Loopback0
RouterHome(config-if)#ip address 192.168.9.1 255.255.255.255

Then we enable IP Mobility functionality on this router. Because IP Mobility introduces routes into the routing table, it is enabled in the same way as any other routing protocol, with a router command:

RouterHome(config)#router mobile
RouterHome(config-router)#exit

There is nothing to configure in the router configuration mode. This command just turns on the ability to inject IP Mobile routes into the routing table and allows you to redistribute these routes into other routing protocols, which we do next:

RouterHome(config)#router eigrp 99
RouterHome(config-router)#redistribute mobile
RouterHome(config-router)#network 192.168.9.0
RouterHome(config-router)#network 192.168.10.0
RouterHome(config-router)#default-metric 10000 10 255 1 1500
RouterHome(config-router)#no auto-summary
RouterHome(config-router)#exit

In this example, we have used EIGRP as our routing protocol, but you could just as easily use any other routing protocol. The Mobile routes are injected into the routing protocol by using the redistribute mobile command. Consequently, they will always appear as external routes when viewed elsewhere in the network. Please refer to Chapters 6, 7, 8, and 9 for more information about IP routing and redistribution into different routing protocols.

Next we configure the IP Mobility features that we need on the Home Agent router. First we define the IP address that will serve as the Home Agent address on all of the roaming devices served by this Home Agent:

RouterHome(config)#ip mobile home-agent address 192.168.9.1

Then we use the ip mobile virtual-network and ip mobile host commands to define the IP addresses that will be used by the Mobile Nodes:

RouterHome(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0

Note that the virtual-network command is required here because this 192.168.10.0/24 network does not appear on any physical interface on this router. If we had wanted instead to have a real network segment that supported a mixture of roaming and nonroaming devices, we could have done so by pointing the ip mobile host command to the corresponding interface as follows:

RouterHome(config)#ip mobile host 192.168.10.10 192.168.10.254 interface FastEthernet0/1

We have made another small change in this command by excluding the devices in the range 192.168.10.1-9. This was done to save space for network devices, which will presumably never roam. Also note that if you are using a physical interface to support the roaming range, then it might make sense to use the router's IP address on this interface as the Home Agent address.

We stress, however, that we prefer to use virtual networks for roaming. The only compelling reason for requiring a mixture of roaming and nonroaming devices in the same address range is to support an ad-hoc mobile infrastructure. We feel that the resource and maintenance requirements for supporting IP Mobility in a network of any size are sufficiently heavy to warrant a more careful network design than this.

Finally, we have configured a list of security keys to be used for authenticating the Mobile Nodes as they connect:

RouterHome(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook

We have configured a separate line for each Mobile Node, specifying its IP address and an authentication key. You can specify a list of different keys for each host by giving each key a different Security Parameter Index (SPI) value:

RouterHome(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome(config)#ip mobile secure host 192.168.10.112 spi 200 key ascii oreilly
RouterHome(config)#ip mobile secure host 192.168.10.112 spi 300 key ascii 2edition

You must then configure the same keys with the same SPI values on the Mobile Node. This allows you to easily update your keys without losing connectivity. When you want to change your key values, you simply add the new keys to your Mobile Nodes and to the Home Agent, and then you go back around and delete the old keys.

In this case, of course, we have set the keys for all of the Mobile Nodes to the same value, cookbook, which we certainly don't recommend doing in a production network.

In larger networks, it can become rather onerous to manually configure all of these keys on the Home Agent routers. So Cisco has made it possible to use AAA to obtain these keys from a central TACACS+ database:

RouterHome(config)#aaa new-model
RouterHome(config)#aaa authorization ipmobile default group tacacs+
RouterHome(config)#ip mobile secure mn-aaa spi 200 algorithm md5

Please refer to Chapter 4 for more information on TACACS+.

See Also

Chapters 4, 6, 7, 8, and 9





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net