Building the Baseline Topology

Figure 4-1 shows the basic topology, which is designed to demonstrate all the basic functionality in clearly separated components. It consists of Mobile IP entitiesa single Home Agent, two Foreign Agents (FAs), and a Mobile Nodeand non-Mobile IP entitiesa Correspondent Node (CN) and an intermediate system (IS). Each of these devices is a router capable of running IOS software, as shown in Table 4-1. Feature navigator on Cisco.com can ensure that all features are available on the selected platform.

^[*] If possible, IOS Release 12.3 or higher should be used in the Mobility AgentsHome Agents and FAsso that all the features covered in this book are available.

Note that the Mobile Node in this topology is a "mobile router" (see Chapter 7, "Metro Mobility: Cisco Mobile Networks"). Although the mobile router is covered later in this book, it is used in this example to provide a complete solution that is independent of a specific Mobile Node client. The mobile router has essentially the same basic configuration attributes as a simple Mobile Node and thus provides not only a Mobile Node example but also a mobile router example for later reference.

Intermediate System Configuration

The IS shows the interaction between Mobile IP and traditional routing protocols and, as such, has no Mobile IPspecific configuration. However, inclusion of the ISs more accurately models real-world scenarios and allows better understanding of a Mobile IP deployment. In Example 4-1, each interface is assigned an IP address, and the Open Shortest Path First (OSPF) routing protocol is configured for all interfaces.

Example 4-1. Intermediate System Final Configuration

 hostname IS ! interface Ethernet0/0  ip address 192.168.1.1 255.255.255.0 ! interface Ethernet1/0  ip address 192.168.2.1 255.255.255.0 ! interface Ethernet2/0  ip address 192.168.3.1 255.255.255.0 ! interface Ethernet3/0  ip address 192.168.4.1 255.255.255.0 ! router ospf 1  log-adjacency-changes  network 192.168.0.0 0.0.255.255 area 1 ! end 

Correspondent Node Configuration

The CN is used as a peer for traffic from the Mobile Node. Many Mobile IP labs are built without a CN and IS; while this allows basic functionality testing, it does not demonstrate real-world behavior. The use of a CN demonstrates the routing infrastructure as well as the Mobile IP infrastructure, and the interaction of the two. The CN needs only to be configured with an IP address on the interface. Although the CN is a router in Example 4-2, it could easily be replaced with a computer.

Example 4-2. CN Final Configuration

 hostname CN ! interface Ethernet0/0  ip address 192.168.2.2 255.255.255.0 ! end 

Home Agent Configuration

Home Agent configurations entail the following three basic tasks:

• Enabling the Home Agent

• Configuring the home networks

• Configuring the Mobile Nodes that are supported by the Home Agent

We will step through the three tasks and introduce the IOS configuration commands that are needed on the router. The configuration shown in this section demonstrates the base configuration of the Home Agent. Later chapters introduce more features, but keep in mind that you should always keep the configurations as short as possible and enable only the necessary features.

The foremost task is to simply enable the Mobile IP functionality. Note that regardless of which Mobile IP entity the router is functioning as, the Mobile IP routing process needs to be configured as follows:

 router mobile 

When the Mobile IP process is running, one or more Mobility Agents can be enabled. To configure this router as a Home Agent, use the following command:

 ip mobile home-agent 

The next step is to configure the home networks and Mobile Nodes that are to be supported by the Home Agent. IOS Mobile IP supports two types of home networks, physical home networks and virtual home networks. Each Mobile Node that is supported by a Home Agent must reside on one of these types of home networks.

Physical Home Network Configuration

When a Home Agent supports physical home networks, it allows Mobile Nodes to attach directly to their home network. The physical home networks are defined on a Home Agent's physical interface. When a Mobile Node is attached to its home network, all Mobile IP functionality is inactive for that Mobile Node, and normal IP routing delivers traffic. When the Mobile Node is not attached to the home network, the Home Agent uses proxy Address Resolution Protocol (ARP) to divert traffic to the Mobile Node in its current location. Route propagation for a physical home network is handled directly by interior routing protocols, just as it would be for an interface with no Mobile Nodes. To use a physical home network, simply assign the interface an IP address and ensure that it is not shut down.

NOTE

When using physical home networks, if the interface is down, Mobile Nodes cannot register with the Home Agent.

Virtual Home Network Configuration

A Home Agent also supports Mobile Nodes that reside on a virtual home network. Virtual home networks are similar to loopback interfaces, but they are Mobile IP specific. Similar to a loopback interface, a virtual network is always up and not susceptible to physical failures, thereby ensuring higher availability. Virtual networks only support nodes that never physically come home. Virtual networks are expressed as a network number and mask. To define a new virtual network on the Home Agent, use the following configuration command with address as the network number and mask as the network mask:

 ip mobile virtual-network address mask 

Unlike physical interfaces, however, routing information about virtual networks can only be originated by the Home Agent when mobile routes are redistributed into the interior gateway protocol. Redistribution of Mobile IP routes only redistributes the virtual networks; it does not redistribute the individual host routes that reach the Mobile Nodes. The section "Examining the Routing Table," later in this chapter, shows how Mobile IP routes appear in the routing table and how redistribution works.

NOTE

Redistribution allows routes from one routing domain to be translated and injected into another routing domain. Use care when redistributing routes to maintain a functional routing topology.

Specific configuration of redistribution varies from protocol to protocol, but generally, it should be configured on the Home Agent as follows:

 redistribute mobile 

The next step is to configure Mobile Nodes to reside on a particular home network.

Mobile Host Configuration

The essence of a Home Agent configuration centers around configuring the Mobile Nodes that it supports and appears on one or more lines beginning with the ip mobile host command. This command defines which Mobile Nodes are allowed to register, which services they are allowed to use, and how to authenticate them. (The security association itself is configured separately, as described in the next section of this chapter.) The ip mobile host command requires a Mobile Node or group of Mobile Nodes to be defined and associated with a home network.

In the following example command, we consider a simple casedefining a range of Mobile Nodes identified by their home address (192.168.100.10 through 192.168.100.20) and associating them with a virtual network (192.168.100.0 with mask 255.255.255.0):

 ip mobile host 192.168.100.10 192.168.100.20 virtual-network 192.168.100.0   255.255.255.0 

The Home Agent also needs to be configured with the Mobile-Home security association for each Mobile Node. The security association can be configured either in a AAA server or on the command line, as described in the examples of the next section.

Security Association Configuration

The security association between the Home Agent and a Mobile Node is mandatory; it is also the only one used in this chapter. A security context is configured on the Home Agent one per line, and each line is usually associated with one Mobile Node. (Remember a security association is made up of one or more security contexts.) In some cases, several Mobile Nodes can share the same security key, but this is generally not recommended. At a minimum, one Mobile Node-Home Agent (MN-HA) security context is configured for each mobile host entry, but the standard allows for far more. If multiple security contexts, which are differentiated by using different security parameter index (SPI) values, are configured for a single mobile host, the IOS mobile router implementation will round-robin through all keys. In this case, each Registration Request (RRQ) uses a different security context going from the lowest to the highest SPI value and then starting over again. The Home Agent always uses the same security context that was used in the RRQ by the Mobile Node when the Mobile Node sends a Registration Reply (RRP).

NOTE

Configuration of security associations for IOS Mobile IP is always done from the perspective of the agent that is to use that security association. For example, the ip mobile secure foreign-agent… command configures an Home Agent-FA security association on the Home Agent. If the same command were configured on the Mobile Node, it would imply an MN-FA security association.

In the case of a router serving as both a Home Agent and FA, the configuration of keys for Mobile Nodes is slightly different. Specifically, you must be able to differentiate the Mobile Node-Foreign Agent (MN-FA) and MN-HA keys in this hybrid case. Because IOS uses the host command to refer to the Mobile Node in Home Agent configurations and the visitor command to refer to the Mobile Node in FA configurations, the same is done for security associations. Thus, the ip mobile secure host command configures the Home Agent-Mobile Node (HA-MN) security association, while the ip mobile secure visitor command configures the FA-MN security association.

As with all security context, the HA-MN security context must be indexed with an SPI. The SPI in IOS is specified as a hexadecimal value. Finally, the key, algorithm, and mode must be specified. You can specify keys as an ASCII value or a hexadecimal value. To avoid errors, hexadecimal keys are recommended because the use of ASCII keys is not standardized. A complete HA-MN security association is as follows:

 ip mobile secure host 192.168.100.10 spi 100 key hex   1234567890abcdef1234567890abcdef algorithm hmac-md5 

Home Agent Final Configuration

Example 4-3 shows the final configuration of a router serving as a Home Agent. The Home Agent supports Mobile Nodes (192.168.100.10 through 192.168.100.20) residing on virtual network 192.168.100.0. The only Mobile Node configured with a security association is 192.168.100.10, and thus, it is the only Mobile Node allowed to register and roam.

Example 4-3. Home Agent Final Configuration

 hostname HA ! interface Ethernet0/0  ip address 192.168.1.2 255.255.255.0 ! router mobile ! router ospf 1  redistribute mobile subnets  network 192.168.0.0 0.0.255.255 area 1 ! ip mobile home-agent ip mobile virtual-network 192.168.100.0 255.255.255.0 ip mobile host 192.168.100.10 192.168.100.20 virtual-network 192.168.100.0   255.255.255.0 ip mobile secure host 192.168.100.10 spi 100 key hex   1234567890abcdef1234567890abcdef algorithm hmac-md5 ! end 

Foreign Agent Configuration

The FA configuration used in this lab is simple and represents the most common implementation. Complex FA configurations are typically only used in mobile Internet service provider deployments of Mobile IP. A basic FA configuration requires the definition of the Care-of Address (CoA) and activation of roaming interfaces.

Recall that for any Mobile IP entity, the IOS Mobile IP process must be started before any Mobile IP commands can be accepted on the router. Again, this is accomplished with the router mobile command.

FA functionality is enabled with a single global statement that also specifies the interface to be used as the CoA. In the following example command, Ethernet interface 1/0 is configured with FA functionality:

 ip mobile foreign-agent care-of Ethernet1/0 

When the FA service has been enabled on the router, each interface that can accept Mobile Nodes needs to be configured. The interface-level command is as follows:

 ip mobile foreign-service 

Finally, because Mobile IP agent advertisements are part of Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP) advertisements, IRDP must be configured. The default timers for IRDP are long and do not facilitate timely handovers unless solicitation is used. In Example 4-4, the timers have been lowered because no link state triggers exist. Three relevant values exist for IRDP configuration: maxadvertinterval, minadvertinterval, and holdtime. If the min and max values are used together, a random value in between the two is generated for each advertisement. The holdtime should typically be three times the maximum to ensure that the agent is truly gone and not just experiencing a brief packet loss. Configuration values for IRDP timers are in seconds. Note that the advertisement timers can also be adjusted on the Home Agent with similar IRDP commands. Unless specified through configuration commands, the default IRDP values are a maximum interval of 5 minutes and a holdtime of 15 minutes.

Examples 4-4 and 4-5 show the configuration of routers serving as FAs. In Example 4-4, the FA allows Mobile Nodes to roam on interface E1/0 with FACare-of Agent (FA-CoA) 192.168.5.1. In Example 4-5, the FA allows Mobile Nodes to roam on interface E1/0 with FA-CoA 192.168.6.1. In both examples, the IRDP agent advertisement timers are adjusted.

Example 4-4. FA1 Final Configuration

 hostname FA1 ! interface Ethernet0/0  ip address 192.168.3.2 255.255.255.0 ! interface Ethernet1/0  ip address 192.168.5.1 255.255.255.0  ip irdp  ip irdp maxadvertinterval 4  ip irdp minadvertinterval 3  ip irdp holdtime 9  ip mobile foreign-service ! router mobile ! router ospf 1  log-adjacency-changes  network 192.168.0.0 0.0.255.255 area 1 ! ip mobile foreign-agent care-of Ethernet1/0 ! end 

Example 4-5. FA2 Final Configuration

 hostname FA2 ! interface Ethernet0/0  ip address 192.168.4.2 255.255.255.0 ! interface Ethernet1/0  ip address 192.168.6.1 255.255.255.0  ip irdp  ip irdp maxadvertinterval 4  ip irdp minadvertinterval 3  ip irdp holdtime 9  ip mobile foreign-service router mobile ! router ospf 1  log-adjacency-changes  network 192.168.0.0 0.0.255.255 area 1 ip mobile foreign-agent care-of Ethernet1/0 ! end 

Mobile Node Configuration

In this chapter, the Mobile Node is an IOS router running the IOS Mobile Networks feature. For this example, only a small subset of the IOS Mobile Networks features is used; full coverage is available in Chapter 7. The Mobile IP client used in IOS Mobile Networks is built on the same standard as a Mobile IP client for a PC or personal digital assistant (PDA) and, thus, requires all the same basic configura-tion attributes. In general, each Mobile Node must be configured with its identification, Home Agent's IP address, and a security association shared with the Home Agent.

IOS Mobile Networks uses a static home address for identification that needs to be configured on an interface before it can be used by the Mobile IP client. You should configure the home address on a loopback interface so that the home address is always up. The home address is a host address and, as such, needs to be configured with a /32 mask. (If the loopback does not have a host mask, traffic for other nodes on the Mobile Node's home network cannot follow the default route, but is routed to the loopback and get dropped.)

The real mask of the home network is configured with the ip mobile router address command. One or more physical interfaces need to be specifically configured as roaming interfaces. These interfaces also must be configured with an IP address to enable IP traffic on that interface. Note that the IP address does not need to be valid and routable. Addresses are commonly used from the autoconf space, but you can pick any IP address.

As with all Mobile IP entities, the router mobile command is required to enable the Mobile IP process on the mobile router. After enabling Mobile IP, the Mobile IP client configuration is invoked with the ip mobile router command, setting the router in mobile router configuration mode. In this mode, the home address and home network subnet mask are configured with the address subcommand, and the Home Agent address is configured with the home-agent sub-command, as shown in the following example:

 router mobile ip mobile router  address 192.168.100.10 255.255.255.0  home-agent 192.168.1.2 

Finally, the mandatory security association with the Home Agent needs to be configured. This security association needs to exactly match the one configured on the Home Agent, as follows:

 ip mobile secure home-agent 192.168.1.2 spi 100 key hex   1234567890abcdef1234567890abcdef algorithm hmac-md5 

Recall that the security association is configured from the perspective of the Mobile IP entity on which the command is invoked, that is, this line is configuring the MN-HA security association.

Example 4-6 shows a mobile router configuration with a home address of 192.168.100.10 and a Home Agent address of 192.168.1.2. Note that the home address is configured on the loopback interface, and interface E0/0 is configured as the roaming interface.

Example 4-6. Mobile Node Final Configuration

 hostname MN ! interface Loopback0  ip address 192.168.100.10 255.255.255.255 ! interface Ethernet0/0  ip address 169.254.255.1 255.255.255.0  ip mobile router-service roam ! router mobile ! ip mobile secure home-agent 192.168.1.2 spi 100 key hex   1234567890abcdef1234567890abcdef algorithm hmac-md5 ! ip mobile router  address 192.168.100.10 255.255.255.0  home-agent 192.168.1.2 ! end