Mobile Networking Technology

Updated by Hakim Badis

© 2002, Cisco Systems, Inc. All rights reserved. Cisco Mobile Access Router—Module 2


The benefit of Mobile IP

“Mobile IP provides an IP node the ability to retain the same IP address and maintain uninterrupted network and application connectivity while traveling across networks”

Which Applications

Applications

The objective

Maintaining continuous IP connectivity while crossing network boundaries, e.g. subnets or between networks

[Figure: Internet; Host B; Gateway A 171.68.0.0; Gateway C 140.31.0.0; Mobile Router 171.68.69.0, 171.68.70.0]

IETF Proposed Standard

• Approved by the Internet Engineering Steering Group (IESG) in June 1996; published as a proposed standard in Nov. 1996

• Mobile IP is an IETF proposed standard solution for mobility at Layer 3 IP

– RFC2002/3220 - Mobile IP

– RFC2003 and RFC2004 - Tunnel encapsulation

– RFC2005 - Mobile IP applicability

– RFC2006 - Mobile IP MIB

• Associated RFCs

– RFC1701 - GRE (Generic Routing Encapsulation)

– RFC3024 - Reverse Tunneling for Mobile IP

The Problem with Mobility

[Figure: Internet; Host B; Gateway A 171.68.0.0; Gateway C 140.31.0.0; Mobile Router 171.68.69.0, 171.68.70.0; labels “Connect to 171.68.68.24” and “Where is 171.68.68.0???”]

• Gateway A replies to Host B with an ICMP unreachable

• Gateway C blocks router from joining network

• Routing Protocol rejects duplicate network advertisements

Mobile IP Solution

[Figure: Internet; Host B; Home Agent 171.68.60.1; Foreign Agent, CoA 140.31.2.1; Mobile Router 171.68.69.0, 171.68.70.0]

Mobility Binding Table:

MR            CoA
171.68.69.0   140.31.2.1

• Home Agent forwards packets to Mobile Router via Care of Address [CoA]

• Mobile Router sends Registration Request [RRQ] to Home Agent (HA)

Mobile IP


Operator Benefits

• All applications work without modifications

• Access anywhere

• Operator can control handover policies

“IETF Standard RFC 3344!”

Solution in a Nutshell

• A mobile node has a “home address” for end-to-end communications, but also uses a temporary “care-of address” on access networks for routing purposes.

• A home agent maintains a mobility binding of home address and care-of address.

Mobile IP Network Elements

1. Mobile Node (MN): Mobile IP-enabled client, identified by its home address; updates its CoA via registrations

2. Home Agent (HA): Mobile IP-enabled gateway; acts as the location database for MNs

3. Foreign Agent (FA) [Optional]: Mobile IP-enabled gateway; off-loads CPU processing of encapsulation/decapsulation, enforces local network administration policy, allows for billing of MNs, conserves IP address space

Mobile IP Key Concepts

• How does the Mobile Node find out where it is?

Mobility Agent Advertisements—facilitate discovery of Mobility Agents (MN may solicit on demand)

• How does the Mobile Node inform the Home Agent of its current location?

Via Registration—updates mobility binding after successful authentication using security association between MN and HA

• How does the Mobile Node receive packets from the Home Agent?

Tunneling—Home agent adds IP header to direct packets to CoA, where decapsulation occurs

Mobile IP Activities Example

• MN learns about FA and registers CoA

• HA maintains MN location database and tunnels traffic to FA

Mobility Binding Table:

MN             CoA
171.68.69.24   140.31.2.1

[Figure: Internet; Host B; Home Agent 171.68.69.1; Foreign Agent 140.31.2.1; Host A 171.68.69.24]

Mobile IP Terminology

• Mobile Router (MR)

• Home Agent (HA)

• Foreign Agent (FA) [1 Hop Away from MR]

• Care of Address (CoA) [Tunnel Endpoint]

• Correspondent Node (CN)

• Security Association (SA) [SPI/Key]

• ICMP Router Discovery Protocol (IRDP) [Advertisement]

• Registration Request (RRQ)

[Figure: MR; HA; FA; CN; Internet]

Step 1: Agent Discovery

• MR sends out advertisement request (Solicitation) to “all routers” multicast address 224.0.0.2

• FA responds with unicast advertisement to MR

Response includes Care-of Address

Solicitation: Src Addr = MR addr; Dest Addr = 224.0.0.2

Advertisement (includes CoA): Src Addr = FA Intfc Addr; Dest Addr = MR Addr

[Figure: MR 1.1.1.7; FA; HA]

Options in FA advertisements

• R Registration required. Registration with this foreign agent (or another foreign agent on this link) is required even when using a co-located care-of address.

• B Busy. The foreign agent will not accept registrations from additional mobile nodes.

• H Home agent. This agent offers service as a home agent on the link on which this Agent Advertisement message is sent.

• F Foreign agent. This agent offers service as a foreign agent on the link on which this Agent Advertisement message is sent.

• M Minimal encapsulation. This agent implements receiving tunneled datagrams that use minimal encapsulation [34].

• G GRE encapsulation. This agent implements receiving tunneled datagrams that use GRE encapsulation [16].

• r Sent as zero; ignored on reception. SHOULD NOT be allocated for any other uses.

• T Foreign agent supports reverse tunneling [27].

Step 2: Registration Request

• MR retrieves CoA from Advertisement and sends it in the RRQ

• FA checks requested services and either rejects and replies or forwards the RRQ to HA

RRQ from MR to FA (includes CoA from FA): Src Addr = MR Addr; Src Port = random; Dest Addr = FA Intfc Addr; Dest Port = 434

RRQ from FA to HA (includes CoA): Src Addr = FA Intfc Addr; Src Port = 434; Dest Addr = HA Addr; Dest Port = 434

[Figure: MR 1.1.1.7; FA; HA]

Options in RRQ

• S Simultaneous bindings. If the 'S' bit is set, the mobile node is requesting that the home agent retain its prior mobility bindings.

• B Broadcast datagrams. If the 'B' bit is set, the mobile node requests that the home agent tunnel to it any broadcast datagrams that it receives on the home network.

• D Decapsulation by mobile node. If the 'D' bit is set, the mobile node will itself decapsulate datagrams which are sent to the care-of address. That is, the mobile node is using a co-located care-of address.

• M Minimal encapsulation. If the 'M' bit is set, the mobile node requests that its home agent use minimal encapsulation [34] for datagrams tunneled to the mobile node.

• G GRE encapsulation. If the 'G' bit is set, the mobile node requests that its home agent use GRE encapsulation [16] for datagrams tunneled to the mobile node.

• r Sent as zero; ignored on reception. SHOULD NOT be allocated for any other uses.

• T Reverse Tunneling requested; see [27].

Step 2: RRQ Reply

Home Agent

• HA authenticates MR

• Sends RRP

• Brings up tunnel and adds host route

RRP Reply from HA to FA: Src Addr = HA Intfc Addr; Src Port = 434; Dest Addr = FA; Dest Port = 434

Foreign Agent

• FA sees MR is authenticated

• Forwards RRP to MR

• Brings up tunnel

RRP Reply from FA to MR: Src Addr = FA Intfc Addr; Src Port = 434; Dest Addr = MR Addr; Dest Port = Orig Port

[Figure: MR 1.1.1.7; FA; HA]
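The home agent's side of the registration steps above, as an added example (not code from the deck or from Cisco): it decodes the RRQ flag bits listed under "Options in RRQ" and verifies the Mobile-Home Authentication Extension using the RFC 3344 default, HMAC-MD5 over the message up to and including the SPI. The SPI, key and function names are constructed for illustration; the addresses come from the binding-table slide.

```python
import hashlib
import hmac
import ipaddress
import struct

RRQ_TYPE = 1                      # Registration Request
MHAE_TYPE = 32                    # Mobile-Home Authentication Extension
FIXED_FMT = "!BBH4s4s4sQ"         # type, flags, lifetime, home, HA, CoA, identification
FIXED_LEN = struct.calcsize(FIXED_FMT)   # 24 bytes
FLAG_BITS = (("S", 0x80), ("B", 0x40), ("D", 0x20), ("M", 0x10),
             ("G", 0x08), ("r", 0x04), ("T", 0x02))
# RFC 3344 reply codes: accepted, mobile node failed authentication, poorly formed Request
ACCEPTED, FAILED_AUTH, POORLY_FORMED = 0, 131, 134

# Constructed security association table: home address -> SPI and shared key.
SECURITY_ASSOCIATIONS = {"171.68.69.24": {"spi": 0x100, "key": b"constructed-demo-key"}}


def build_rrq(flags, lifetime, home, ha, coa, ident, spi, key):
    """Mobile node side: fixed RRQ fields followed by the authentication extension."""
    fixed = struct.pack(FIXED_FMT, RRQ_TYPE, flags, lifetime,
                        ipaddress.IPv4Address(home).packed,
                        ipaddress.IPv4Address(ha).packed,
                        ipaddress.IPv4Address(coa).packed, ident)
    ext_head = struct.pack("!BBI", MHAE_TYPE, 4 + 16, spi)   # length covers SPI + digest
    digest = hmac.new(key, fixed + ext_head, hashlib.md5).digest()
    return fixed + ext_head + digest


def parse_rrq(data):
    """Return (fields, extensions); raise ValueError on a malformed message."""
    if len(data) < FIXED_LEN or data[0] != RRQ_TYPE:
        raise ValueError("not a Registration Request")
    _, flags, lifetime, home, ha, coa, ident = struct.unpack(FIXED_FMT, data[:FIXED_LEN])
    fields = {
        # 'r' is sent as zero and ignored on reception, so it is never reported
        "flags": [name for name, bit in FLAG_BITS if flags & bit and name != "r"],
        "lifetime": lifetime,
        "home": str(ipaddress.IPv4Address(home)),
        "home_agent": str(ipaddress.IPv4Address(ha)),
        "coa": str(ipaddress.IPv4Address(coa)),
        "identification": ident,
    }
    extensions, offset = [], FIXED_LEN
    while offset < len(data):                 # walk type-length-value extensions
        if offset + 2 > len(data):
            raise ValueError("truncated extension header")
        ext_type, ext_len = data[offset], data[offset + 1]
        body = data[offset + 2: offset + 2 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        extensions.append((ext_type, offset, body))
        offset += 2 + ext_len
    return fields, extensions


def home_agent_process(data, security_associations, bindings):
    """Authenticate an RRQ; update the mobility binding only on success."""
    try:
        fields, extensions = parse_rrq(data)
    except ValueError:
        return POORLY_FORMED
    sa = security_associations.get(fields["home"])
    mhae = next((ext for ext in extensions if ext[0] == MHAE_TYPE), None)
    if sa is None or mhae is None or len(mhae[2]) < 4:
        return FAILED_AUTH
    _, offset, body = mhae
    spi = struct.unpack("!I", body[:4])[0]
    # Digest covers everything before the authenticator: fixed part, prior
    # extensions, and this extension's type, length and SPI (6 bytes).
    expected = hmac.new(sa["key"], data[:offset + 6], hashlib.md5).digest()
    if spi != sa["spi"] or not hmac.compare_digest(expected, body[4:]):
        return FAILED_AUTH
    bindings[fields["home"]] = fields["coa"]
    return ACCEPTED


if __name__ == "__main__":
    table = {}
    rrq = build_rrq(0x0A, 1800, "171.68.69.24", "171.68.69.1", "140.31.2.1",
                    1, 0x100, b"constructed-demo-key")
    print(parse_rrq(rrq)[0]["flags"], home_agent_process(rrq, SECURITY_ASSOCIATIONS, table), table)
```

Because the care-of address sits inside the authenticated bytes, a request whose CoA was changed in transit fails with code 131 and never reaches the binding table.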

MR States

MR has five states that it can be in:

• Unknown – MR has not heard any agent advertisements and does not know where to send registration requests (RRQs)

• Isolated – MR has heard an agent advertisement

• Pending – MR has sent an RRQ and is waiting for a registration reply (RRP) from HA

• Registered – MR has been accepted and received the RRP from HA, which has set up a binding table entry, tunnels, and routes for the MR

• Home – MR is on its home network

Step 3: Routing

[Figure: Correspondent Host; Home Agent; Foreign Agent; Mobile Router]

• The home agent intercepts the traffic while the Mobile Router is registered as away

• Traffic is sent as usual to the home subnet

• Traffic is tunneled to the CoA of the MR and forwarded to MR

• Traffic from the Mobile Networks can go directly to the correspondent host = “Triangle Routing”

Mobile Network Routing – Packet Flow

[Figure, built up over five slides: Correspondent Node; Internet; Home Agent; Foreign Agent; FA WAN; Mobile Router; Node on MR; Mobile Networks; HA-FA Tunnel; HA-MR Tunnel; label “Mobile Networks appear to be here”. The last slide of the sequence is titled “Mobile Network Routing – Return Packet Flow”.]

Tunneling

• HA double encapsulates the packets, creating two tunnels:

HA to FA

HA to MR

• FA strips outer header and forwards to MR

• MR strips inner header and forwards to node on mobile network

Outer Header (HA to FA):  100.100.100.1  30.30.30.1
Inner Header (HA to MR):  100.100.100.1  65.1.1.1
Original Packet:          <src> <dest> Data
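The double encapsulation on this slide at byte level, as an added example (not from the deck): the HA wraps the original packet in two IP-in-IP headers (protocol 4, RFC 2003), the FA strips the outer one and the MR strips the inner one, each endpoint validating the header before it forwards. The tunnel addresses are the slide's; the original packet's addresses and the function names are constructed.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4        # IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17
HA, FA_COA, MR = "100.100.100.1", "30.30.30.1", "65.1.1.1"   # from the slide


def packed(addr):
    return ipaddress.IPv4Address(addr).packed


def checksum(header):
    """Internet checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Option-less IPv4 header (20 bytes) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, packed(src), packed(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def ha_encapsulate(original):
    """Home agent: inner header HA -> MR, then outer header HA -> FA care-of address."""
    inner = ipv4_packet(HA, MR, IPPROTO_IPIP, original)
    return ipv4_packet(HA, FA_COA, IPPROTO_IPIP, inner)


def strip_tunnel_header(packet, my_addr):
    """Tunnel endpoint (FA or MR): validate one IP-in-IP header and remove it."""
    if len(packet) < 20 or packet[0] != 0x45:
        raise ValueError("not an option-less IPv4 header")
    if checksum(packet[:20]) != 0:          # a valid header sums to zero
        raise ValueError("bad header checksum")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("total length does not match packet size")
    if packet[9] != IPPROTO_IPIP:
        raise ValueError("payload is not an encapsulated IP packet")
    if packet[16:20] != packed(my_addr):
        raise ValueError("not addressed to this tunnel endpoint")
    return packet[20:]


if __name__ == "__main__":
    # Constructed original packet: correspondent node to a node on the mobile network.
    original = ipv4_packet("192.0.2.10", "198.51.100.7", IPPROTO_UDP, b"data")
    tunneled = ha_encapsulate(original)
    at_mr = strip_tunnel_header(tunneled, FA_COA)      # FA strips outer header
    delivered = strip_tunnel_header(at_mr, MR)         # MR strips inner header
    print(len(original), len(tunneled), delivered == original)
```

Each tunnel adds 20 bytes, so the 24-byte sample packet crosses the HA-FA path as 64 bytes; that overhead is what has to fit within the path MTU.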

Tunneling cont.

• HA dynamically creates tunnel(s) as MRs and Mobile Hosts register

• Tunnels are handled as interfaces

• HA Routing Table shows Tunnels as interfaces

• So “Tunneling” involves

ENCAPSULATION

INTERFACES IN ROUTING TABLE

HA State – Routing Table

Home_Agent_#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     110.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
M       110.10.11.0/24 is directly connected, Mobile0
M       110.10.11.237/32 [3/1] via 10.10.10.97, 00:57:28, Tunnel2
M       110.10.11.245/32 [3/1] via 10.10.10.129, 03:01:54, Tunnel0
     10.0.0.0/8 is variably subnetted, 14 subnets, 3 masks
C       10.10.10.32/27 is directly connected, FastEthernet0/0
C       10.10.10.76/30 is directly connected, Loopback0
O IA    10.10.10.96/27 [110/11] via 10.10.10.36, 00:57:35, FastEthernet0/0
M       10.10.11.112/28 [3/1] via 110.10.11.237, 03:55:57, Tunnel1
O IA    10.10.10.128/27 [110/2] via 10.10.10.74, 00:57:35, FastEthernet0/1
M       10.10.11.144/28 [3/1] via 110.10.11.245, 03:55:57, Tunnel5

Mobile Router Timers

• Agent Solicitation – By default it is off, but if configured, keeps track of when to send next solicitation

• Agent Advertisement – Based on IRDP lifetime. As advertisements are received, timer is restarted. When timer expires, agent removed from agent table.

• Registration – Keeps track of when to send registrations before the registration lifetime expires. MR re-registers until a reply is received.

• Registration lifetime – Based on granted lifetime. As replies are received, timer is restarted. When timer expires, there is no more registration.

• Hold down – By default it is off, but if configured, MR waits for timer to expire before using an agent heard on that interface.

Mobile IP Features

Mobile Router Features

Co-located Care-of Address

Reverse tunneling

Preferred interfaces

Hold down timer

Agent solicitation

Co-located Care-of Address Support

• Care-of Address resides on Mobile Router itself (obtained by DHCP, for example) rather than on the Foreign Agent

• Does away with the need for Foreign Agents

• Two IP-in-IP tunnels are created: HA-Co-located address, HA-MR

HA-Co-located address tunnel is only used for routing

Tunnel “Interfaces” added in Routing table

[Figure: MR; HA]

Co-located Care-of Address cont.

• Static Co-located Care-of Address support uses the address statically configured on the roaming interface as care-of address

Used for fixed-IP address connections

e.g. Cellular Data Modem

[Figure: MR; HA]

Static Co-located Care-of Address

Co-located Care-of Address cont.

• CCoA can be Static or Dynamic

• Dynamic Co-located Care-of Address support uses DHCP or IPCP to obtain a care-of address for the roaming interface

[Figure: MR; HA]

Reverse Tunneling

• Normally, routers route packets by looking at the destination address only.

• As a security measure against attacks (such as spoofing), ingress filtering on a router checks the source and destination addresses on a packet to make sure that they are topologically correct.

• This poses a problem for Mobile IP because the source address of a packet from a mobile node does not belong to the network from which it emanated.

Mobile Network Routing – Packet Flow

[Figure: Correspondent Node; Internet; Home Agent; Foreign Agent; FA WAN; Mobile Router; Node on MR; Mobile Network; HA-FA Tunnel; HA-MR Tunnel; label “Mobile Network appears to be here”]

Reverse Tunneling

• Reverse tunneling satisfies ingress filtering

• Packets from the mobile network are sent back to the HA through the tunnel

• HA decapsulates the packets and forwards them to their destination through normal routing

• Thus, the received packets’ path is topologically correct
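Why ingress filtering breaks direct sending and why reverse tunneling passes it, as an added example (not from the deck): a small model of the visited site's border filter and of the home agent's decapsulation step. The /16 prefix for Gateway C's network, the correspondent address and all names are assumptions made for the example; the check that the tunnel's outer source is the registered care-of address is this example's own home-agent policy, not something the slides state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None     # set when this is an IP-in-IP tunnel packet


VISITED_NET = ipaddress.ip_network("140.31.0.0/16")   # Gateway C's network; /16 is assumed
HOME_AGENT = "171.68.69.1"
BINDINGS = {"171.68.69.24": "140.31.2.1"}             # home address -> care-of address
CORRESPONDENT = "192.0.2.10"                          # constructed address


def ingress_filter(pkt, site_net):
    """Border router of the visited site: pass only sources that belong to the site."""
    return ipaddress.ip_address(pkt.src) in site_net


def reverse_tunnel(pkt, coa, home_agent):
    """Care-of address end of the tunnel: wrap the packet toward the home agent."""
    return Packet(src=coa, dst=home_agent, inner=pkt)


def home_agent_decapsulate(outer, bindings, home_agent):
    """Home agent: unwrap only if the outer source is the CoA bound to the inner source."""
    if outer.dst != home_agent or outer.inner is None:
        return None
    if bindings.get(outer.inner.src) != outer.src:
        return None                      # no binding, or tunnel arrives from the wrong CoA
    return outer.inner


def send_from_visited_network(pkt, use_reverse_tunnel):
    """Return the packet that reaches normal routing, or None if it is dropped."""
    on_wire = pkt
    if use_reverse_tunnel:
        on_wire = reverse_tunnel(pkt, BINDINGS[pkt.src], HOME_AGENT)
    if not ingress_filter(on_wire, VISITED_NET):
        return None                      # source is not topologically correct here
    if use_reverse_tunnel:
        return home_agent_decapsulate(on_wire, BINDINGS, HOME_AGENT)
    return on_wire


if __name__ == "__main__":
    pkt = Packet(src="171.68.69.24", dst=CORRESPONDENT)
    print("direct:", send_from_visited_network(pkt, use_reverse_tunnel=False))
    print("reverse tunnel:", send_from_visited_network(pkt, use_reverse_tunnel=True))
```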

Mobile Network Routing – Reverse Tunneling

[Figure: Correspondent Node; Internet; Home Agent; Foreign Agent; FA WAN; Roaming Interface; Mobile Router; Node on MR; Mobile Network; HA-FA Tunnel; HA-MR Tunnel; label “Mobile Network appears to be here”]

Edited slide from original by Lawrence Searcy, Cisco Systems

Preferred Interfaces

• By default, the Mobile Router sends data out the active interface with the highest bandwidth.

• If the bandwidth on multiple interfaces is equal, then the interface with the higher IP address is preferred.

• Priority can be configured on mobile router interfaces (default 100).

• MR prefers to register with higher priority interface.

• Uses – least-cost routing, preferential routing

Asymmetric Links

• Mobile Router can route traffic unidirectionally over half-duplex links

Especially for a satellite environment

• MR configured to send traffic to a downlink router even though it hears advertisements on another interface

• FA configured to advertise foreign-agent service out only one interface, the uplink interface connected to MR

Asymmetric Links

[Figure: Home Agent; Foreign Agent; MR; Uplink and Downlink on each side; messages ADVT, RRQ, RRP]

FA advertises service on its uplink to MR’s downlink

MR sends RRQ to HA via FA using its uplink

RRP is sent to FA, which forwards it to MR on its uplink.

Then tunnels are set up between HA-FA, HA-MR’s downlink interface

Mobile IP in real deployments

WLAN/GPRS Seamless Mobility

[Figure: Dual-mode handsets with L3 Mobility support; RAN; RNC; SGSN; GGSN (FA); GPRS/UMTS; WLAN 802.11 Access Network; PDG (FA); IP Core; CMX; Mobility (HA); Applications; Content]

Reiterate Benefit

• Mobile IP operates at network layer, independent of link layer access technologies, allowing migration and coexistence of various access networks while providing seamless mobility transparently to the user

• Proven mobility across satellite, WLAN, GPRS, CDMA2000, UMTS, LTE, WIMAX, etc.

Differences between Mobile IPv4 and Mobile IPv6

• Mobile IPv6 leverages enormous IPv6 address space

• Mobile IPv6 is integrated into base IPv6 protocol

• MNv6 automatically obtains a CoA after a Router Advertisement is received

• No Foreign Agent in Mobile IPv6

• Registrations are protected by IPSec in Mobile IPv6

• Built-in route optimization between MNv6 and CNv6

Security implications of Mobile IP

• Access authentication independent of Mobile IP

PPP CHAP for dial up

802.1x for WLAN

• Service authorization

Mobile IP security association for registrations

QOS Implications of Mobile IP

• DSCP copy to tunnel header

Mobile IP Scalability and Flexibility

• Demonstrated deployment of millions of MNs

• Mobile IP used for macro-mobility and micro-mobility

References

• Books: MOBILE IP The Internet Unplugged, ISBN 0-13-856246-6, James D. Solomon

• Cisco Mobile IP Web Page: http://www.cisco.com/go/mobile_ip

• IETF Mobile IP Working Group: http://www.ietf.org/html.charters/mobileip-charter.html

Page 53: © 2002, Cisco Systems, Inc. All rights reserved. Cisco Mobile Access Router—Module 2-1 © 2002, Cisco Systems, Inc. All rights reserved. Cisco Mobile Access

© 2002, Cisco Systems, Inc. All rights reserved. Cisco Mobile Access Router—Module 2-53© 2002, Cisco Systems, Inc. All rights reserved. Cisco Mobile Access Router—Module 2 -53

Cisco 3200 Mobile Access Router

IOS Configuration


Agenda

• Configuration Outline

• Configuration Commands

• Example Configurations

• Troubleshooting

• Reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122tcr/122tip1r/p1ftmobi.htm


Configuring Mobile IP: An Outline


Steps to Configure Home Agent

• Step 1
    A. Create HA as a mobile IP agent
        Define it as an HA
    B. Set virtual nets in HA
        Redistribute the virtual nets in routing updates
    C. Define the IP address of the mobile router so the HA will recognize it
        Define the networks that will be associated with that Mobile Router
    D. Set up security association for that Mobile Router


Virtual Networks

• Virtual Network is:

Non-physical = no interface

Added to Routing Table

“Home” network for Mobile Host and Router

Mobile Host addresses are assigned from this

Must be unrelated to “real” networks


Steps to Configure Foreign Agent

• Step 2
    A. Create FA as a mobile IP agent
    B. Define it as a Foreign Agent
        Specify the interface to be used as Care-of Address
    C. Configure an interface to support Mobile IP
        IP address and mask
        Enable IRDP
        Optional: IRDP advertisement intervals (max, min, and holdtime)
        Enable FA service on the interface


Steps to Configure Mobile Router

• Step 3
    A. Create Mobile Router as a mobile IP agent
    B. Define it as an MR
        Specify its address and subnet mask
        Specify the IP address of its HA
        Optional – registration parameters
        Optional – Set Reverse Tunnel on
    C. Configure Security Association with HA
        Must match HA
    D. Specify an interface with Mobile IP service
        Set the IP address and mask
        Enable roaming


Mobile Router – Optional Features

• Step 4 – Enable services (optional)
    Solicitation, retransmission intervals
    Co-Located Care-of Address (optional)
        Enable CCOA on interface
        Set Default Gateway on interface


Mobile Router Redundancy

• Step 5 – Mobile Router Redundancy (optional)
    Enable HSRP on interface
        Set Priority
        Set Preempt
        Configure group name
    Add redundancy group name to Mobile Router configuration


Cisco 3200 Installation Course: Lab Diagram

[Figure: lab topology. Networks 10.10.10.0/24 and 10.10.11.0/24; Home Agent, Foreign Agent 1 and Foreign Agent 2; FA1 Bridge and FA2 Bridge (802.11b); C3200 with 3200 Bridge (802.11b), WebCam (.35/28) and Server (.34/28); Virtual Network 110.10.11.0/24.]


Configuring Mobile IP


Configure HA

HA(config)# router mobile
    Enables Mobile IP on the router.
HA(config-router)# ip mobile home-agent
    Enables home agent service.
HA(config)# ip mobile virtual-network net mask [address address]
    Creates a virtual network.
HA(config)# router protocol [process ID]
    Enters router configuration mode.
HA(config-router)# redistribute mobile subnets
    Enables redistribution of virtual network and mobile subnets into routing protocols.
HA(config)# ip mobile host lower [upper] virtual-network net mask
    Specifies mobile nodes on a virtual network.
HA(config)# ip mobile host lower [upper] interface name
    Specifies mobile nodes on a physical interface.
HA(config)# ip mobile mobile-networks address
    Specifies mobile router to be set up.
HA(mobile-networks)# network net mask
    Specifies a network that will be hosted on the mobile host (router).
HA(config)# ip mobile secure host address spi spi key [hex/ascii] string
    Sets up mobile host security associations.


Configure HA (example)

HA(config)# router mobile
HA(config-router)# ip mobile home-agent
HA(config)# ip mobile virtual-network 110.10.11.0 255.255.255.0
HA(config)# router ospf 64
HA(config-router)# redistribute mobile subnets
HA(config)# ip mobile host 10.10.11.77 virtual-network 110.10.11.0 255.255.255.0
HA(config)# ip mobile mobile-networks 10.10.11.77
HA(mobile-networks)# network 10.10.11.76 255.255.255.252
HA(config)# ip mobile secure host 10.10.11.77 spi 300 key hex 12345678123456781234567812345678
HA(config)# ip mobile home-agent lifetime 65535


Configure FA

FA(config)# router mobile
    Enables Mobile IP on the router.
FA(config)# ip mobile foreign-agent care-of interface
    Sets up care-of addresses advertised to all foreign agent-enabled interfaces.
FA(config-if)# ip mobile foreign-service
    Enables foreign agent service on the interface.

Example:

FA(config)# router mobile
FA(config)# ip mobile foreign-agent care-of Faste 0/0
FA(config)# ip mobile foreign-agent care-of Faste 0/1
FA(config)# interface Faste 0/0
FA(config-if)# ip mobile foreign-service
FA(config-if)# ip mobile registration-lifetime 65535
FA(config)# interface Faste 0/1
FA(config-if)# ip mobile foreign-service


Configure Mobile Access Router

C3200_(config)# interface loopback number
    Configure loopback address.
C3200_(config-if)# ip address <IP address> <subnet mask>
    Specifies IP address for loopback interface.
C3200_(config)# router mobile
    Enable Mobile IP on the router.
C3200_(config-router)# ip mobile router
    Configure the mobile router.
C3200_(mobile-router)# address <IP address> <SN mask>
    IP address of mobile router (using loopback address).
C3200_(mobile-router)# home-agent <IP address> [priority priority]
    Specify Home Agent and priority.
C3200_(config)# ip mobile secure home-agent <IP add> spi spi key [hex/ascii] string
    Set up authentication key.
C3200_(config)# interface interface
    Configure roaming interface.
C3200_(config-if)# ip mobile router-service roam [priority priority level]
C3200_(config-if)# ip mobile router-service solicit [interval seconds] [retransmit initial interval maximum interval retry number of retries]


Configure Mobile Access Router (example)

C3200_(config)# interface loopback
C3200_(config-if)# ip address 10.0.11.77 255.255.255.252
C3200_(config)# router mobile
C3200_(config-router)# ip mobile router
C3200_(mobile-router)# address 10.0.11.77 255.255.255.252
C3200_(mobile-router)# home-agent 10.0.10.77
C3200_(config)# ip mobile secure home-agent 10.0.10.77 spi 300 key hex 12345678123456781234567812345678
C3200_(config)# interface Faste 0/0
C3200_(config-if)# ip mobile router-service roam
C3200_(config-if)# ip mobile router-service solicit
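Step 3 C says the mobile router's security association must match the home agent's. The following added example (not part of the original slides) audits that: it parses the `ip mobile secure` lines of both configurations, compares SPI and key, and flags a key that is only a short block repeated, like the sample key on the slides. The two configurations embedded in it are constructed for the example, and the function names are hypothetical.

```python
import re

# The security-association commands shown on the slides:
#   ip mobile secure host <addr> spi <spi> key hex|ascii <string>        (HA)
#   ip mobile secure home-agent <addr> spi <spi> key hex|ascii <string>  (MR)
SA_RE = re.compile(
    r"ip mobile secure (host|home-agent) (\S+) spi (\d+) key (hex|ascii) (\S+)")

# Constructed sample configurations (not from the page). The MR side carries
# a different SPI and a different key on purpose.
HA_CONFIG = """\
router mobile
ip mobile home-agent
ip mobile virtual-network 110.10.11.0 255.255.255.0
ip mobile host 110.10.11.77 virtual-network 110.10.11.0 255.255.255.0
ip mobile secure host 110.10.11.77 spi 300 key hex 12345678123456781234567812345678
"""
MR_CONFIG = """\
router mobile
ip mobile router
 address 110.10.11.77 255.255.255.0
 home-agent 10.10.10.77
ip mobile secure home-agent 10.10.10.77 spi 301 key hex 12345678123456781234567812345679
"""


def parse_sas(config_text):
    """Return one dict per 'ip mobile secure' line in a configuration."""
    sas = []
    for line in config_text.splitlines():
        m = SA_RE.search(line)
        if m:
            role, peer, spi, fmt, key = m.groups()
            sas.append({"role": role, "peer": peer, "spi": int(spi), "fmt": fmt,
                        "key": key.lower() if fmt == "hex" else key})
    return sas


def mr_identity(mr_config):
    """Read the MR's own address and its HA from the 'ip mobile router' block."""
    addr = re.search(r"^[ \t]*address (\S+) \S+", mr_config, re.M)
    ha = re.search(r"^[ \t]*home-agent (\S+)", mr_config, re.M)
    return (addr.group(1) if addr else None, ha.group(1) if ha else None)


def key_problems(sa):
    """Flag hex keys that are malformed or are one short block repeated."""
    if sa["fmt"] != "hex":
        return []
    key = sa["key"]
    if not re.fullmatch(r"[0-9a-f]+", key) or len(key) % 2:
        return ["key is not a whole number of hex bytes"]
    for block in (1, 2, 4, 8, 16):  # block length in hex digits
        if len(key) > block and key == key[:block] * (len(key) // block):
            return [f"key is a repeated {block}-digit block"]
    return []


def audit(ha_config, mr_config):
    """Compare the HA's SA for this MR with the MR's SA for its HA."""
    findings = []
    mr_addr, mr_ha = mr_identity(mr_config)
    ha_sa = next((s for s in parse_sas(ha_config)
                  if s["role"] == "host" and s["peer"] == mr_addr), None)
    mr_sa = next((s for s in parse_sas(mr_config)
                  if s["role"] == "home-agent" and s["peer"] == mr_ha), None)
    if ha_sa is None:
        findings.append(f"HA has no security association for MR address {mr_addr}")
    if mr_sa is None:
        findings.append(f"MR has no security association for home agent {mr_ha}")
    if ha_sa and mr_sa:
        if ha_sa["spi"] != mr_sa["spi"]:
            findings.append(f"SPI differs: HA {ha_sa['spi']}, MR {mr_sa['spi']}")
        if (ha_sa["fmt"], ha_sa["key"]) != (mr_sa["fmt"], mr_sa["key"]):
            findings.append("key differs between HA and MR")
    for name, sa in (("HA", ha_sa), ("MR", mr_sa)):
        if sa:
            findings += [f"{name}: {p}" for p in key_problems(sa)]
    return findings


if __name__ == "__main__":
    for finding in audit(HA_CONFIG, MR_CONFIG):
        print(finding)
```

The audit keys the lookup on the address the MR declares for itself, so a home agent configured for a different host address shows up as a missing association rather than as a key mismatch.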


Configure HA Advertisements (Optional)

HA(config)# interface name
    Interface providing the service.
HA(config-if)# ip irdp
    Turn on the advertisements on the interface.
HA(config-if)# ip irdp maxadvertinterval [4-1800]
HA(config-if)# ip irdp minadvertinterval [3-1800]

Example:

HA(config)# interface e5/0/2
HA(config-if)# ip irdp
HA(config-if)# ip irdp maxadvertinterval 10
HA(config-if)# ip irdp minadvertinterval 4


Configure FA Advertisements (Optional)

FA(config)# interface name
    Interface providing the service.
FA(config-if)# ip irdp
    Turn on the advertisements on the interface.
FA(config-if)# ip irdp maxadvertinterval [4-1800]
FA(config-if)# ip irdp minadvertinterval [3-1800]

Example:

FA(config)# interface e3/1
FA(config-if)# ip irdp
FA(config-if)# ip irdp maxadvertinterval 10
FA(config-if)# ip irdp minadvertinterval 4
FA(config)# interface e3/2
FA(config-if)# ip irdp


Troubleshooting Mobile IP


Troubleshooting Mobile IP - Outline

1. What is router’s configuration?
    Verify Agent, Operation
    Is it sending Advertisements?
    • SHOW IP MOBILE GLOBALS
    • DEBUG IP MOBILE ADVERTISEMENTS

2. What is Mobile Router seeing?
    Is Wireless associated?
    Is Mobile Router receiving Advertisements?
    • DEBUG IP ICMP

3. What is router doing?
    Is Mobile Router trying to register?
    Are FA and HA accepting registrations?
    • DEBUG IP MOBILE

4. Who are router’s neighbors?
    • SHOW IP ROUTE
    • SHOW ARP


Verifying HA Configuration

HA#show ip mobile globals
IP Mobility global information:

Home Agent

    Registration lifetime: 10:00:00 (36000 secs)
    Broadcast disabled
    Replay protection time: 7 secs
    Reverse tunnel enabled
    ICMP Unreachable enabled
    Virtual networks
        110.10.11.0 /24

Foreign Agent is not enabled, no care-of address

0 interfaces providing service
Encapsulations supported: IPIP and GRE
Tunnel fast switching enabled
Tunnel path MTU discovery aged out after 10 min
ha_#


Verifying FA Configuration

FA#show ip mobile globals

Foreign_Agent_2_#sh ip mob globals
IP Mobility global information:

Home Agent is not enabled

Foreign Agent

    Pending registrations expire after 15 secs
    Care-of addresses advertised
        FastEthernet0/1 (10.10.10.97) - up

1 interface providing service
Encapsulations supported: IPIP and GRE
Tunnel fast switching enabled
Tunnel path MTU discovery aged out after 10 min
Foreign_Agent_2_#


Debug Advertisements on FA

Foreign_Agent_2_#debug ip mobile advertise
IP mobility agent advertisements debugging is on
Foreign_Agent_2_#
02:30:02: MobileIP: Agent advertisement sent out FastEthernet0/1:
    type=16, len=10, seq=2984, lifetime=36000, flags=0x1400(rbhFmGv-rsv-),
02:30:02: Care-of address: 10.10.10.97
02:30:05: MobileIP: Agent advertisement sent out FastEthernet0/1:
    type=16, len=10, seq=2985, lifetime=36000, flags=0x1400(rbhFmGv-rsv-),
02:30:05: Care-of address: 10.10.10.97


MR: Advertisements

MR#debug ip icmp
*Mar 1 04:09:27.938: ICMP: rdp advert rcvd type 9, code 0, from 10.10.10.97
*Mar 1 04:09:31.938: ICMP: rdp advert rcvd type 9, code 0, from 10.10.10.97
*Mar 1 04:09:34.934: ICMP: rdp advert rcvd type 9, code 0, from 10.10.10.97
*Mar 1 04:09:37.934: ICMP: rdp advert rcvd type 9, code 0, from 10.10.10.97
*Mar 1 04:09:39.934: ICMP: rdp advert rcvd type 9, code 0, from 10.10.10.97

> It is receiving advertisements from Foreign Agent 10.10.10.97


MR: Registration Requests RRQs

MR#debug ip mob
IP mobility events debugging is on
MR#
*Mar 1 04:12:12.898: MobileIP: Authentication algorithm MD5
*Mar 1 04:12:16.898: MobileIP: Authentication algorithm MD5
*Mar 1 04:12:18.898: MobileIP: Authentication algorithm MD5
*Mar 1 04:12:22.898: MobileIP: Authentication algorithm MD5

> It is sending in Registration Requests and not getting any answer


Debugs on HA – Registration Rejected

Home_Agent_#debug ip mobile
Home_Agent_#
00:14:18: MobileIP: HA 114 received registration for MN 10.4.1.1 on FastEthernet0/1 using COA 10.3.1.1 HA 10.1.4.1 lifetime 36000 options sbdmgvt
00:14:18: MobileIP: Skip2TLV look for type 32, addr start 7D8742C end 7D87442
00:14:18: MobileIP: Skip2TLV look for type 32, addr start 7D87442 end 7D87442
00:14:18: MobileIP: MN 10.4.1.1 - authenticating MN 10.4.1.1 using SPI 100
00:14:18: MobileIP: MN 10.4.1.1 - authenticated MN 10.4.1.1 using SPI 100
00:14:18: MobileIP: Identification field has timestamp 146 secs greater than our current time 03/01/93 00:14:18 (> allowed 7 secs) for MN 10.4.1.1
00:14:18: %IPMOBILE-6-SECURE: Security violation on HA from MN 10.4.1.1 - errcode registration id mismatch (133), reason Bad identifier (3)
00:14:18: MobileIP: HA rejects registration for MN 10.4.1.1 - registration id mismatch (133)
00:14:18: MobileIP: MN 10.4.1.1 - MH auth ext added (SPI 100) to MN 10.4.1.1
00:14:18: MobileIP: MN 10.4.1.1 - HA sent reply to 10.1.3.2
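The rejected registration above passed authentication and then failed replay protection (timestamp 146 secs ahead, 7 secs allowed). The following added example, not part of the original slides, reproduces that order of checks on the home agent side using the addresses and SPI from the debug. It assumes keyed MD5 in prefix+suffix mode (MD5 over key, message, key) for the "Authentication algorithm MD5" in the debugs and timestamp-based Identification as described in RFC 3344; the key and the function names are constructed for the example.

```python
import calendar
import hashlib
import hmac
import socket
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
# Registration Reply codes from RFC 3344
ACCEPTED, MN_FAILED_AUTH, ID_MISMATCH, MALFORMED = 0, 131, 133, 134
MH_AUTH_EXT = 32              # Mobile-Home Authentication Extension ("type 32")
DIGEST_LEN = 16               # MD5 output size
# Fixed part of a Registration Request: type, flags, lifetime, home address,
# home agent, care-of address, 64-bit Identification as two 32-bit words.
FIXED = struct.Struct("!BBH4s4s4sII")
EXT = struct.Struct("!BBI")   # extension type, length, SPI

# Constructed key for the example; not taken from the page.
KEY = bytes.fromhex("9f2c41d07ab35e8816c4d2f90b73a65e")
# HA clock from the debug (03/01/93 00:14:18), expressed as NTP seconds.
HA_NOW = calendar.timegm((1993, 3, 1, 0, 14, 18)) + NTP_UNIX_OFFSET


def keyed_md5(key, data):
    """Keyed MD5 in prefix+suffix mode (assumed algorithm): MD5(key|data|key)."""
    return hashlib.md5(key + data + key).digest()


def build_request(home, ha, coa, lifetime, ident_secs, ident_low, spi, key):
    """Mobile node side: Registration Request followed by the MH auth extension."""
    fixed = FIXED.pack(1, 0, lifetime, socket.inet_aton(home),
                       socket.inet_aton(ha), socket.inet_aton(coa),
                       ident_secs, ident_low)
    covered = fixed + EXT.pack(MH_AUTH_EXT, 4 + DIGEST_LEN, spi)
    return covered + keyed_md5(key, covered)


def ha_check(packet, keys_by_spi, ha_now, last_ident=None, window=7):
    """Home agent side. Returns (reply code, Identification for the reply)."""
    if len(packet) < FIXED.size + EXT.size + DIGEST_LEN:
        return MALFORMED, None
    fields = FIXED.unpack_from(packet, 0)
    ident = (fields[6], fields[7])
    ext_type, ext_len, spi = EXT.unpack_from(packet, FIXED.size)
    if ext_len != 4 + DIGEST_LEN:
        return MALFORMED, None
    covered = FIXED.size + EXT.size
    sent = packet[covered:covered + DIGEST_LEN]
    key = keys_by_spi.get(spi)
    # 1. Authenticate first, in constant time, as in the debug output.
    if (ext_type != MH_AUTH_EXT or key is None
            or not hmac.compare_digest(keyed_md5(key, packet[:covered]), sent)):
        return MN_FAILED_AUTH, ident
    # 2. Replay protection: timestamp inside the window and newer than the
    #    last accepted Identification for this mobile node.
    stale = last_ident is not None and ident <= last_ident
    if abs(ident[0] - ha_now) > window or stale:
        # The reply carries the HA clock in the high word so the MN can resync.
        return ID_MISMATCH, (ha_now, ident[1])
    return ACCEPTED, ident


def demo():
    """Reply codes for a request 146 secs ahead and one 3 secs ahead."""
    args = ("10.4.1.1", "10.1.4.1", "10.3.1.1", 36000)
    skewed = build_request(*args, HA_NOW + 146, 0x5F153F64, 100, KEY)
    in_sync = build_request(*args, HA_NOW + 3, 0x5F153F64, 100, KEY)
    keys = {100: KEY}
    return ha_check(skewed, keys, HA_NOW)[0], ha_check(in_sync, keys, HA_NOW)[0]


if __name__ == "__main__":
    print(demo())
```

A steady stream of code 133 rejections from one mobile node with a constant offset points at clock drift on that node; the same code for an Identification that was already accepted points at a replayed request.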


Debugs on HA – Registration Accepted

Home_Agent_# debug ip mobile
00:14:18: MobileIP: HA 114 received registration for MN 10.4.1.1 on FastEthernet0/1 using COA 10.3.1.1 HA 10.1.4.1 lifetime 36000 options sbdmgvt
00:14:18: MobileIP: Skip2TLV look for type 32, addr start 7D877EC end 7D87802
00:14:18: MobileIP: Skip2TLV look for type 32, addr start 7D87802 end 7D87802
00:14:18: MobileIP: MN 10.4.1.1 - authenticating MN 10.4.1.1 using SPI 100
00:14:18: MobileIP: MN 10.4.1.1 - authenticated MN 10.4.1.1 using SPI 100
00:14:18: MobileIP: Mobility binding for MN 10.4.1.1 created
00:14:18: MobileIP: 15 ifs in use
00:14:18: MobileIP: Tunnel0 (IP/IP) created with src 10.1.4.1 dst 10.3.1.1
00:14:18: MobileIP: 16 ifs in use
00:14:18: MobileIP: Tunnel1 (IP/IP) created with src 10.1.4.1 dst 10.4.1.1
00:14:18: MobileIP: Roam timer started for MN 10.4.1.1, lifetime 36000
00:14:18: MobileIP: MN 10.4.1.1 is now roaming
00:14:18: MobileIP: Insert route 10.4.1.1/255.255.255.255 via gateway 10.3.1.1 on Tunnel0
00:14:18: MobileIP: Insert route 10.5.2.0/255.255.255.0 via gateway 10.4.1.1 on Tunnel1
00:14:18: MobileIP: HA accepts registration from MN 10.4.1.1
00:14:18: MobileIP: MN 10.4.1.1 - MH auth ext added (SPI 100) to MN 10.4.1.1
00:14:18: MobileIP: MN 10.4.1.1 - HA sent reply to 10.1.3.2
00:14:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
00:14:19: MobileIP: swif coming up Tunnel0
00:14:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
00:14:19: MobileIP: swif coming up Tunnel1
Home_Agent_#


Debugs on FA - Registration

FA#debug ip mobile
1d02h: MobileIP: FA received registration for MN 20.0.197.84 on Ethernet3/1 using COA 40.0.197.19 HA 20.0.197.82 lifetime 990 options sBdmgvt
1d02h: MobileIP: Ethernet3/1 glean 20.0.197.84 accepted
1d02h: MobileIP: FA queued MN 20.0.197.84 in register table
1d02h: MobileIP: Visitor registration timer started for MN 20.0.197.84, lifetime 15
1d02h: MobileIP: Skip2TLV look for type 32, addr start 200210AC end 200210C2
1d02h: MobileIP: FA forwarded registration for MN 20.0.197.84 to HA 20.0.197.82
1d02h: MobileIP: FA received accept (0) reply for MN 20.0.197.84 on Ethernet3/5 using HA 20.0.197.82 lifetime 990
1d02h: MobileIP: Reply in for MN 20.0.197.84, accepted
1d02h: MobileIP: Update visitor table for MN 20.0.197.84
1d02h: MobileIP: Tunnel2 (IP/IP) created with src 40.0.197.19 dst 20.0.197.82
1d02h: MobileIP: ARP entry for MN 20.0.197.84 inserted
1d02h: MobileIP: Visitor timer started for MN 20.0.197.84, lifetime 990
1d02h: MobileIP: FA dequeued MN 20.0.197.84 from register table
1d02h: MobileIP: MN 20.0.197.84 visiting on Ethernet3/1
1d02h: MobileIP: Skip2TLV look for type 32, addr start 200215A8 end 200215BE
1d02h: MobileIP: FA forwarding reply to MN 20.0.197.84 using src 20.0.197.84 mac 0030.8538.1c90
1d02h: MobileIP: swif coming up Tunnel2


Debugs on MR - Registration

FA#debug ip mobile
*Mar 1 04:21:53.778: MobileIP: ParseRegExt type MHAE(32) addr 6002A08 end 6002A1E
*Mar 1 04:21:53.778: MobileIP: ParseRegExt skipping 20 to next
*Mar 1 04:21:53.778: MobileIP: Authenticating HA 10.10.10.77 using SPI 3003
*Mar 1 04:21:53.782: MobileIP: Authentication algorithm MD5
*Mar 1 04:21:53.782: MobileIP: Authenticated HA 10.10.10.77 using SPI 3003
*Mar 1 04:21:57.762: MobileIP: Authentication algorithm MD5
*Mar 1 04:21:57.782: MobileIP: ParseRegExt type MHAE(32) addr 61BF1A8 end 61BF1BE
*Mar 1 04:21:57.782: MobileIP: ParseRegExt skipping 20 to next
*Mar 1 04:21:57.782: MobileIP: Authenticating HA 10.10.10.77 using SPI 3003
*Mar 1 04:21:57.782: MobileIP: Authentication algorithm MD5
*Mar 1 04:21:57.782: MobileIP: Authenticated HA 10.10.10.77 using SPI 3003
*Mar 1 04:21:57.782: MobileIP: Tunnel0 (IP/IP) created with src 110.10.11.217 dst 10.10.10.77
*Mar 1 04:21:58.782: MobileIP: swif coming up Tunnel0


HA Binding Table

ha_#show ip mobile binding ?
  A.B.C.D     IP address
  home-agent  Mobility bindings for specific home agent
  summary     Summary of binding table
  |           Output modifiers
  <cr>
ha_#show ip mobile binding
Mobility Binding List:
Total 9
110.10.11.237:
    Care-of Addr 10.10.10.97, Src Addr 10.10.10.70
    Lifetime granted 10:00:00 (36000), remaining 06:59:10
    Flags sbdmgvt, Identification AF3BF344.D8F21340
    Tunnel2 src 10.10.10.77 dest 10.10.10.97 reverse-allowed
    MR Tunnel1 src 10.10.10.77 dest 110.10.11.237 reverse-allowed
    mobile-network 110.10.11.237
    Routing Options -
110.10.11.233:
    Care-of Addr 10.10.10.97, Src Addr 10.10.10.70
    Lifetime granted 10:00:00 (36000), remaining 06:59:10
    Flags sbdmgvt, Identification AF3BF344.5F153F64
………… etc.


HA State – Routing Table

Home_Agent_#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     110.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
M       110.10.11.0/24 is directly connected, Mobile0
M       110.10.11.237/32 [3/1] via 10.10.10.97, 00:57:28, Tunnel2
M       110.10.11.245/32 [3/1] via 10.10.10.129, 03:01:54, Tunnel0
     10.0.0.0/8 is variably subnetted, 14 subnets, 3 masks
C       10.10.10.32/27 is directly connected, FastEthernet0/0
C       10.10.10.72/30 is directly connected, FastEthernet0/1
C       10.10.10.76/30 is directly connected, Loopback0
O IA    10.10.10.96/27 [110/11] via 10.10.10.36, 00:57:35, FastEthernet0/0
M       10.10.11.112/28 [3/1] via 110.10.11.237, 03:55:57, Tunnel1
O IA    10.10.10.128/27 [110/2] via 10.10.10.74, 00:57:35, FastEthernet0/1
M       10.10.11.144/28 [3/1] via 110.10.11.245, 03:55:57, Tunnel5

Virtual Network


FA State – Visiting Mobile Routers

Foreign_Agent_2_#show ip mobile visitor
Mobile Visitor List:
Total 5
110.10.11.229:
    Interface FastEthernet0/1, MAC addr 0001.6441.87ba
    IP src 110.10.11.229, dest 10.10.10.97, UDP src port 434
    HA addr 10.10.10.77, Identification AF3C1098.B402FE18
    Lifetime 10:00:00 (36000) Remaining 08:56:25
    Tunnel0 src 10.10.10.97, dest 10.10.10.77, reverse-allowed
    Routing Options -
110.10.11.245:
    Interface FastEthernet0/1, MAC addr 0001.6441.87a2
    IP src 110.10.11.245, dest 10.10.10.97, UDP src port 434
    HA addr 10.10.10.77, Identification AF3C114E.911E78F8
    Lifetime 10:00:00 (36000) Remaining 08:59:27
    Tunnel0 src 10.10.10.97, dest 10.10.10.77, reverse-allowed
    Routing Options -
……… etc.


Foreign Agent Routing Table

Foreign_Agent_2_#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     110.0.0.0/24 is subnetted, 1 subnets
O E2    110.10.11.0 [110/20] via 10.10.10.33, 00:58:44, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 14 subnets, 4 masks
C       10.10.10.32/27 is directly connected, FastEthernet0/0
O       10.10.10.72/30 [110/2] via 10.10.10.33, 00:58:44, FastEthernet0/0
O       10.10.10.77/32 [110/2] via 10.10.10.33, 00:58:44, FastEthernet0/0
C       10.10.10.96/27 is directly connected, FastEthernet0/1
O E2    10.10.11.112/28 [110/20] via 10.10.10.33, 00:58:47, FastEthernet0/0
O IA    10.10.10.128/27 [110/3] via 10.10.10.33, 00:58:47, FastEthernet0/0
O E2    10.10.11.144/28 [110/20] via 10.10.10.33, 00:58:47, FastEthernet0/0
Foreign_Agent_2_#


FA State – ARP Table

Foreign_Agent_2_#sh arp
Protocol  Address         Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.73             8  000a.8a7d.0f41  ARPA  FastEthernet0/0
Internet  10.10.10.129            -  000a.8a83.0d81  ARPA  FastEthernet0/1
Internet  10.10.10.130            7  0040.9657.cc93  ARPA  FastEthernet0/1
Internet  10.10.10.74             -  000a.8a83.0d80  ARPA  FastEthernet0/0
Internet  110.10.11.237           2  00ff.ff40.00aa  ARPA  FastEthernet0/1
Foreign_Agent_2_#


mar_demo_1_#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.3.1.1 12 000a.8a83.0d81 ARPA Vlan1

Internet 10.5.2.1 - 00ff.ff40.00aa ARPA FastEthernet0/0

Internet 10.5.3.1 - 00ff.ff40.00ab ARPA Vlan1

Internet 10.5.3.2 137 0040.9657.2624 ARPA Vlan1

Internet 10.5.3.34 4 0010.a49f.57d9 ARPA Vlan1

mar_demo_1_#

What FA is MR Visiting? Part 1


mar_demo_1_#sh ip rout
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.3.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
M       10.3.1.1/32 [3/1] via 10.3.1.1, 00:07:28, Vlan1
C       10.5.3.0/24 is directly connected, Vlan1
M       10.1.4.1/32 [3/1] via 10.3.1.1, 00:07:28, Vlan1
C       10.5.1.0/24 is directly connected, Loopback0
M*   0.0.0.0/0 [3/1] via 10.3.1.1, 00:07:28, Vlan1

What FA is MR Visiting? Part 2


ha_#
05:17:02: MobileIP: HA 120 received registration for MN 110.10.11.225 on FastEthernet0/1 using COA 10.10.10.129 HA 10.10.10.77 lifetime 36000 options sbdmgvt
05:17:02: MobileIP: MN 110.10.11.225 - authenticating MN 110.10.11.225 using SPI 5005
05:17:02: MobileIP: MN 110.10.11.225 - authenticated MN 110.10.11.225 using SPI 5005
05:17:02: MobileIP: Delete tunnel route for 110.10.11.225/255.255.255.255 via gateway 10.10.10.97
05:17:02: MobileIP: Deleted user (7 remains) from Tunnel2 src 10.10.10.77 dest 10.10.10.97
05:17:02: MobileIP: Mobility binding for MN 110.10.11.225 updated – tunnel changed
05:17:02: MobileIP: Added user (2 active) on Tunnel0 src 10.10.10.77 dest 10.10.10.129
05:17:02: MobileIP: Insert route 110.10.11.225/255.255.255.255 via gateway 10.10.10.129 on Tunnel0
05:17:02: MobileIP: Roam timer started for MN 110.10.11.225, lifetime 36000
05:17:02: MobileIP: HA accepts registration from MN 110.10.11.225
05:17:02: MobileIP: MN 110.10.11.225 - MH auth ext added (SPI 5005) to MN 110.10.11.225
05:17:02: MobileIP: MN 110.10.11.225 - HA sent reply to 10.10.10.74

Debugs on HA/FA - Handoff


Home_Agent_#show ip mobile traffic
IP Mobility traffic:
Advertisements:
    Solicitations received 0
    Advertisements sent 0, response to solicitation 0
Home Agent Registrations:
    Register 2622, Deregister 2 requests
    Register 1302, Deregister 2 replied
    Accepted 87, No simultaneous bindings 0
    Denied 1215, Ignored 1322, Dropped 0
    Unspecified 1198, Unknown HA 0
    Administrative prohibited 0, No resource 0
    Authentication failed MN 0, FA 0, active HA 0
    Bad identification 17, Bad request form 0
    Unavailable encap 0, reverse tunnel 0
    Binding updates received 0, sent 0 total 0 fail 0
    Binding update acks received 0, sent 0
    Binding info request received 0, sent 0 total 0 fail 0
    Binding info reply received 0 drop 0, sent 0 total 0 fail 0
    Binding info reply acks received 0 drop 0, sent 0
    Gratuitous 0, Proxy 0 ARPs sent
CONTINUED >>>

Show IP Mobile Traffic (Home Agent)


Home_Agent_#show ip mobile traffic CONTINUED…..
Foreign Agent Registrations:
    Request in 0,
    Forwarded 0, Denied 0, Ignored 0
    Unspecified 0, HA unreachable 0
    Administrative prohibited 0, No resource 0
    Bad lifetime 0, Bad request form 0
    Unavailable encapsulation 0, Compression 0
    Unavailable reverse tunnel 0
    Replies in 0
    Forwarded 0, Bad 0, Ignored 0
    Authentication failed MN 0, HA 0
Home_Agent_#

Show IP Mobile Traffic (Home Agent) cont.


Home_Agent_#show ip mob tunnel
Mobile Tunnels:
Tunnel1:
    src 10.10.10.77, dest 110.10.11.237
    encap IP/IP, mode reverse-allowed, tunnel-users 1
    IP MTU 1460 bytes
    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
    outbound interface Tunnel2
    HA created, fast switching enabled, ICMP unreachable enabled
    0 packets input, 0 bytes, 0 drops
    10508 packets output, 1237820 bytes
Tunnel5:
    src 10.10.10.77, dest 110.10.11.245
    encap IP/IP, mode reverse-allowed, tunnel-users 1
    IP MTU 1460 bytes
    Path MTU Discovery, mtu: 0, ager: 10 mins, expires: never
    outbound interface Tunnel0
    HA created, fast switching enabled, ICMP unreachable enabled
    0 packets input, 0 bytes, 0 drops
    0 packets output, 0 bytes

Show IP Mobile Tunnels


Home_Agent_# show ip mob secure host
Security Associations (algorithm,mode,replay protection,key):
10.10.11.77: SPI 300, MD5, Prefix-suffix, Timestamp +/- 7, Key 12345678123456781234567812345678
110.10.11.213: SPI 200, MD5, Prefix-suffix, Timestamp +/- 7, Key 23456781234567812345678123456781
110.10.11.217: SPI 3003, MD5, Prefix-suffix, Timestamp +/- 7, Key 45678123456781234567812345678102
110.10.11.221: SPI 4004, MD5, Prefix-suffix, Timestamp +/- 7, Key 56781234567812345678123456781203
110.10.11.225: SPI 5005, MD5, Prefix-suffix, Timestamp +/- 7, Key 67812345678123456781234567812304
……. etc.

Show IP Mobile Secure Hosts


Show IP Mobile Host

HA#show ip mobile host 20.0.197.84

Mobile Host List:

20.0.197.84:

Allowed lifetime INFINITE/default)

Roam status -Registered-, Home link on interface Ethernet5/0/2

Accepted 8, Last time 03/26/01 10:40:30

Overall service time 00:28:39

Denied 1, Last time 04/24/02 18:13:22

Last code 'registration id mismatch (133)'

Total violations 1

Tunnel to MN - pkts 1, bytes 100

Reverse tunnel from MN - pkts 0, bytes 0


Show IP Mobile Interface

Foreign_Agent_2_#sh ip mobile interface

IP Mobility interface information:

Interface FastEthernet0/1:

IRDP (includes agent advertisement) enabled

Prefix Length not advertised

Lifetime is 36000 seconds

Foreign Agent service provided

No registration required

Not busy

Home Agent access list:

Current number of visitors: 5

Foreign_Agent_2_#


Clear Commands

Router#clear ip mobile binding [addr] Removes the binding entry.

Router#clear ip mobile traffic Clears all the Mobile IP counters.

Router#clear ip mobile host counters [addr] Clears Mobile Host Counters.

Router#clear ip mobile visitor Removes the visitor information.


MobileIP: HA 30 received registration for MN 20.0.197.84 on Ethernet5/0/2 using COA 40.0.197.19 HA 20.0.197.82 lifetime 65535 options sBdmgvt

MobileIP: Skip2TLV look for type 32, addr start 61D8EBE4 end 61D8EBFA

MobileIP: Skip2TLV look for type 32, addr start 61D8EBFA end 61D8EBFA

MobileIP: MN 20.0.197.84 - authenticating MN 20.0.197.84 using SPI 100

MobileIP: MN 20.0.197.84 - invalid authenticator for MN 20.0.197.84

MobileIP: HA rejects registration for MN 20.0.197.84 - MN failed authentication (131)

MobileIP: MN 20.0.197.84 - MH auth ext added (SPI 100) to MN 20.0.197.84

MobileIP: MN 20.0.197.84 - HA sent reply to 20.0.197.81

Invalid SPI - Debug


HA#show ip mobile violation

Security Violation Log:

Total violations 1

Mobile Hosts:

20.0.197.84:

Violations: 1, Last time: 02/11/02 10:49:11

SPI: 100, Identification: C0122026.6D841504

Error Code: MN failed authentication (131), Reason: Bad authenticator (2)

Invalid SPI – Violations Log


MobileIP: HA 32 received registration for MN 20.0.197.84 on Ethernet5/0/2 using COA 40.0.197.19 HA 20.0.197.82 lifetime 1000 options sBdmgvt

MobileIP: Skip2TLV look for type 32, addr start 616B4100 end 616B4116

MobileIP: Skip2TLV look for type 32, addr start 616B4116 end 616B4116

MobileIP: MN 20.0.197.84 - authenticating MN 20.0.197.84 using SPI 100

MobileIP: MN 20.0.197.84 - authenticated MN 20.0.197.84 using SPI 100

MobileIP: Identification field 2939948267 has timestamp 288712535 secs less than our current time 04/24/02 18:13:22 3228660802 (< allowed 7 secs) for MN 20.0.197.84

MobileIP: HA rejects registration for MN 20.0.197.84 - registration id mismatch (133)

MobileIP: MN 20.0.197.84 - MH auth ext added (SPI 100) to MN 20.0.197.84

MobileIP: MN 20.0.197.84 - HA sent reply to 20.0.197.81

Timestamp Mismatch
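The two Home Agent rejections traced above, "MN failed authentication (131)" and "registration id mismatch (133)", reproduced as an added Python example that is not part of the original slides and not Cisco's code. It assumes keyed MD5 in prefix+suffix mode (RFC 2002) over a registration request laid out as in RFC 3344; the key, the zeroed flag byte and all function names are constructed for illustration, while the addresses, SPI and timestamps are the ones in the debug output.

```python
import hashlib
import hmac
import socket
import struct

MN_FAILED_AUTH, ID_MISMATCH, ACCEPTED = 131, 133, 0  # codes from the debugs
REPLAY_WINDOW_SECS = 7   # "Timestamp +/- 7" in the security association
MH_AUTH_EXT = 32         # extension type the debugs search for


def build_request(home, ha, coa, lifetime, ident_secs, spi):
    """Registration request up to, but not including, the authenticator."""
    fixed = struct.pack("!BBH4s4s4sII", 1, 0, lifetime,  # type 1, flags 0 (constructed)
                        socket.inet_aton(home), socket.inet_aton(ha),
                        socket.inet_aton(coa), ident_secs, 0)
    return fixed + struct.pack("!BBI", MH_AUTH_EXT, 20, spi)


def prefix_suffix_md5(key, protected):
    """Keyed MD5 in prefix+suffix mode: MD5(key || protected fields || key)."""
    return hashlib.md5(key + protected + key).digest()


def check_registration(key, protected, authenticator, now_ntp_secs):
    """Return (reply code, clock skew) for one request, authenticator first."""
    expected = prefix_suffix_md5(key, protected)
    if not hmac.compare_digest(expected, authenticator):
        return MN_FAILED_AUTH, None
    # High 32 bits of the 64-bit Identification field: sender time, NTP seconds.
    (ident_secs,) = struct.unpack_from("!I", protected, 16)
    skew = now_ntp_secs - ident_secs
    if abs(skew) > REPLAY_WINDOW_SECS:
        return ID_MISMATCH, skew
    return ACCEPTED, skew


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    now = 3228660802  # HA clock in the timestamp debug (04/24/02 18:13:22)
    args = ("20.0.197.84", "20.0.197.82", "40.0.197.19", 1000)
    fresh = build_request(*args, now - 3, 100)
    stale = build_request(*args, 2939948267, 100)  # Identification from the debug
    return [
        check_registration(key, fresh, prefix_suffix_md5(key, fresh), now),
        check_registration(key, stale, prefix_suffix_md5(key, stale), now),
        check_registration(key, fresh, prefix_suffix_md5(b"wrong-key", fresh), now),
    ]


if __name__ == "__main__":
    for code, skew in demo():
        print(code, skew)
```

The stale request carries a valid authenticator and is still refused, with the same 288712535-second skew the debug line reports; that is the replay-protection check working independently of the key check.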


MobileIP: HA 32 received registration for MN 20.0.197.85 on Ethernet5/0/2 using COA 40.0.197.19 HA 20.0.197.82 lifetime 1000 options sBdmgvt

MobileIP: MN 20.0.197.85 is not configured, request ignored

MN Not Configured


MobileIP: HA 32 received registration for MN 30.2.0.2 on Ethernet5/0/2 using COA 40.0.200.1 HA 20.0.197.82 lifetime 1900 options sBdmgvt

MobileIP: Skip2TLV look for type 32, addr start 616B4100 end 616B4116

MobileIP: Skip2TLV look for type 32, addr start 616B4116 end 616B4116

MobileIP: MN 30.2.0.2 - authenticating MN 30.2.0.2 using SPI 200

MobileIP: MN 30.2.0.2 - authenticated MN 30.2.0.2 using SPI 200

MobileIP: MN 30.2.0.2 requested broadcast support, but disabled locally

MobileIP: Mobility binding for MN 30.2.0.2 updated

MobileIP: Roam timer started for MN 30.2.0.2, lifetime 1000

MobileIP: HA accepts registration from MN 30.2.0.2

MobileIP: MN 30.2.0.2 - MH auth ext added (SPI 200) to MN 30.2.0.2

MobileIP: MN 30.2.0.2 - HA sent reply to 20.0.197.81

Shorter Lifetime on HA


MobileIP: FA received registration for MN 30.2.0.2 on Serial4/1 using COA 40.0.200.1 HA 20.0.197.82 lifetime 40000 options sBdmgvt

MobileIP: Lifetime is too long in request from MN 30.2.0.2

MobileIP: FA rejects registration from MN 30.2.0.2 - lifetime too long (69)

MobileIP: MN 30.2.0.2 - FA sent reply to 30.2.0.2

Larger Lifetime on FA


MobileIP: Roam timer expired for MN 20.0.197.84

MobileIP: Delete tunnel route for 20.0.197.84 via gateway 40.0.197.19

MobileIP: Deleted Tunnel0 src 20.0.197.82 dest 40.0.197.19

MobileIP: HA route maint started with index 0

Lifetime Expires


MobileIP: FA received registration for MN 30.2.0.2 on Serial4/1 using COA 40.0.200.1 HA 20.0.197.83 lifetime 4000 options sBdmgvt

MobileIP: FA queued MN 30.2.0.2 in register table

MobileIP: Visitor registration timer started for MN 30.2.0.2, lifetime 15

MobileIP: Skip2TLV look for type 32, addr start 2000060C end 20000622

MobileIP: FA forwarded registration for MN 30.2.0.2 to HA 20.0.197.83

MobileIP: Visitor registration timer expired for MN 30.2.0.2

MobileIP: FA dequeued MN 30.2.0.2 from register table

MobileIP: Visitor timer expired for MN 30.2.0.2

MobileIP: Host route 30.2.0.2 deleted from routing table

MobileIP: ARP entry for MN 30.2.0.2 removed

MobileIP: Deleted Tunnel0 src 40.0.200.1 dest 20.0.197.82

MobileIP: MN 30.2.0.2 no longer visiting on Serial4/1

HA not replying (seen from FA)


MobileIP: FA received registration for MN 30.2.0.2 on Serial4/1 using COA 40.0.200.10 HA 20.0.197.82 lifetime 40000 options sBdmgvt

MobileIP: Care-of addr 40.0.200.10 is invalid in request from MN 30.2.0.2

MobileIP: FA rejects registration from MN 30.2.0.2 - reason unspecified (64)

MobileIP: MN 30.2.0.2 - FA sent reply to 30.2.0.2

Invalid Care-of Address