Assigning a Home Address on the Home Agent
This chapter describes how the Cisco Mobile Wireless Home Agent assigns home addresses to a mobile node, explains the different address types, and provides configuration details and examples.
This chapter includes the following sections:
• Dynamic Home Agent Assignment
• On-Demand Address Pool (ODAP)
• Configuring ODAP-based Address Allocation
Home Address Assignment
The Home Agent assigns a home address to the mobile node based on user NAI received during Mobile IP registration. The IP addresses assigned to a mobile station may be statically or dynamically assigned. The Home Agent does not permit simultaneous registrations for different NAIs with the same IP address, whether it is statically or dynamically assigned.
Static IP Address
A static IP address is an address that is pre-assigned to the mobile station, and possibly preconfigured at the mobile device. The Home Agent supports static addresses that might be public IP addresses, or addresses in a private domain.
Note Use of private addresses for Mobile IP services requires reverse tunneling between the PDSN/FA and the Home Agent.
The mobile user proposes the configured or available address as a non-zero home address in the registration request message. The Home Agent may accept this address, or return another address in the registration reply message. The Home Agent may obtain the IP address by accessing the home AAA server or DHCP server. The home AAA server may return the name of a local pool, or a single IP address. On successful Mobile IP registration, Mobile IP based services are made available to the user.
Static Home Addressing Without NAI
The original Mobile IP specification supported only static addressing of mobile nodes. The home IP address served as the "user name" portion of the authentication. Static addressing can be beneficial because it allows each device to keep the same address all the time no matter where it is attached to the network. This allows the user to run mobile terminated services without updating the DNS, or some other form of address resolution. It is also easy to manage MNs with static addressing because the home address and the Home Agent are always the same. However, provisioning and maintenance are much more difficult with static addressing because address allocation must be handled manually, and both the Home Agent and MN must be updated. Here is an example configuration:
router (config)# ip mobile host 10.0.0.5 interface FastEthernet0/0
router (config)# ip mobile host 10.0.0.10 10.0.0.15 interface FastEthernet0/0
router (config)# ip mobile secure host 10.0.0.12 spi 100 key ascii secret
Static Home Addressing with NAI
Static home addressing can also be used in conjunction with NAI to support NAI-based authorization and other services. It is also possible to allow a single user to use multiple static IP addresses, either on the same device or on multiple devices, while maintaining only one AAA record and security association. A user must be authorized to use an address before the registration is accepted. Addresses can be authorized either locally or through a AAA server. If an MN requests an address that is already associated with a binding for a different NAI, the HA attempts to return another address from the pool unless the ip mobile home-agent reject-static-addr command is configured, in which case the registration is rejected.
Here is a sample configuration:
router (config)# ip mobile home-agent reject-static-addr
Local Authorization
A static address can be authorized on a per MN or per realm basis using configuration commands. Per MN configurations require that you define a specific NAI in the user or user@realm form. Per realm configurations require that you define a generic NAI in the @realm form, and allow only the specification of a local pool.
Here is a sample configuration:
router (config)# ip local pool static-pool 10.0.0.5 10.0.0.10
router (config)# ip mobile host nai user@staticuser.com static-address 10.0.0.1 10.0.0.2 interface FastEthernet0/0
router (config)# ip mobile host nai user@staticuser.com static-address local-pool static-pool interface FastEthernet0/0
router (config)# ip mobile host nai @static.com static-address local-pool static-pool interface FastEthernet0/0
AAA Authorization
It is also possible to store either the authorized addresses, or local pool name in a AAA server. Each user must have either the static-ip-addresses attribute or the static-ip-pool attribute configured in the AAA server. Unlike the static address configuration on the command line, the static-ip-addresses attribute is not limited in the number of addresses that can be returned.
Here is a sample configuration.
HA configuration:
router (config)# ip local pool static-pool 10.0.0.5 10.0.0.10
router (config)# ip mobile host nai user@staticuser.com interface FastEthernet0/0 aaa
router (config)# ip mobile host nai @static.com interface FastEthernet0/0 aaa
Radius Attributes:
Cisco-AVPair = "mobileip:static-ip-addresses=10.0.0.1 10.0.0.2 10.0.0.3"
Cisco-AVPair = "mobileip:static-ip-pool=static-pool"
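The following added example (not Cisco code) parses the mobileip: Cisco-AVPairs shown above and authorizes a static home address against them; the pool ranges and sample attribute strings are constructed, and the parser also accepts the dynamic-addressing attributes (ip-address, ip-pool, dhcp-server) described later in this chapter.

```python
"""Parse mobileip: Cisco-AVPairs and authorize a static home address against
them (added example, not Cisco code). Pool ranges and sample records are
constructed; attribute names are the ones this chapter lists."""
import ipaddress
from typing import Dict, List, Tuple

AVP_PREFIX = "mobileip:"
# Attributes whose values must be IPv4 addresses; a malformed value rejects
# the whole record rather than being silently accepted (fail closed).
ADDRESS_ATTRS = {"static-ip-addresses", "ip-address", "dhcp-server"}


def parse_mobileip_avpairs(avpairs: List[str]) -> Dict[str, List[str]]:
    """Return {attribute: [values]} from RADIUS Cisco-AVPair strings.
    Accepts both the raw value and the 'Cisco-AVPair = "..."' form used on
    this page. static-ip-addresses values are space separated."""
    result: Dict[str, List[str]] = {}
    for avp in avpairs:
        if "=" in avp and avp.lstrip().startswith("Cisco-AVPair"):
            avp = avp.split("=", 1)[1].strip().strip('"')
        if not avp.startswith(AVP_PREFIX) or "=" not in avp:
            continue                                  # not a Mobile IP attribute
        name, _, value = avp[len(AVP_PREFIX):].partition("=")
        values = value.split()
        if name in ADDRESS_ATTRS:
            try:
                values = [str(ipaddress.IPv4Address(v)) for v in values]
            except ValueError as exc:
                raise ValueError(f"malformed {name} value {value!r}") from exc
        result.setdefault(name, []).extend(values)
    return result


def authorize_static_address(requested: str, avpairs: List[str],
                             local_pools: Dict[str, Tuple[str, str]]) -> Tuple[bool, str]:
    """Decide whether the non-zero home address the MN proposed in its RRQ is
    authorized for its NAI. Mirrors the chapter's rule that the AAA record
    must carry static-ip-addresses or static-ip-pool; a pool name must also
    exist on the HA (ip local pool). Returns (accepted, reason)."""
    attrs = parse_mobileip_avpairs(avpairs)
    addr = ipaddress.IPv4Address(requested)
    if "static-ip-addresses" in attrs:
        if str(addr) in attrs["static-ip-addresses"]:
            return True, "address listed in static-ip-addresses"
        return False, "address not in static-ip-addresses"
    if "static-ip-pool" in attrs:
        pool = attrs["static-ip-pool"][0]
        if pool not in local_pools:
            return False, f"local pool {pool!r} is not configured on the HA"
        low, high = (ipaddress.IPv4Address(x) for x in local_pools[pool])
        if low <= addr <= high:
            return True, f"address within local pool {pool!r}"
        return False, f"address outside local pool {pool!r}"
    return False, "AAA record has neither static-ip-addresses nor static-ip-pool"


# Constructed sample data following the HA and RADIUS configuration above.
LOCAL_POOLS = {"static-pool": ("10.0.0.5", "10.0.0.10")}
USER_RECORD = ['Cisco-AVPair = "mobileip:static-ip-addresses=10.0.0.1 10.0.0.2 10.0.0.3"']
REALM_RECORD = ['Cisco-AVPair = "mobileip:static-ip-pool=static-pool"']
```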
Dynamic Home Agent Assignment
The Home Agent can be dynamically assigned in a CDMA2000 network when the following qualifications exist:
• The first qualification is that the Home Agent receives a Mobile IP registration request with a value of 0.0.0.0 in the Home Agent field. Upon authentication/authorization, the PDSN retrieves the HA's IP address. The PDSN then uses this address to forward the Registration Request to the HA, but does not update the actual HA address field in the Registration Request.
The Home Agent sends a Registration Reply and places its own IP address in the Home Agent field. At this point, any re-registration requests that are received contain the Home Agent's IP address in the Home Agent field.
• The second qualification is a function of the PDSN/Foreign Agent, and is included here for completeness. In this case, a AAA server is used to perform the dynamic Home Agent assignment function. Depending on network topology, either the local-AAA or the home-AAA server performs this function. When an access service provider is also serving as an ISP, Home Agents are located in the access provider network. In this service scenario, a local-AAA server performs the Home Agent assignment function. Based on the user NAI received in the access request message, the AAA server returns the elected Home Agent's address in an access reply message to the PDSN.
A pool of Home Agent addresses is typically configured at the AAA server. For the access provider serving as an ISP, multiple pools of Home Agents could be configured at the local AAA server; however, this depends on SLAs with the domains for which Mobile IP, or proxy-Mobile IP services are supported. You can configure the Home Agent selection procedure at the AAA server, using either a round-robin or a hashing algorithm over user NAI selection criteria.
The PDSN/Foreign Agent sends the Registration Request to the Home Agent; however, there is no IP address in the HA field of the MIP RRQ (it is 0.0.0.0). When the PDSN retrieves the IP address from AAA, it does not update the MIP RRQ; instead, it forwards the RRQ to the HA address retrieved. The PDSN cannot alter the MIP RRQ because it does not know the MN-HA SPI and key, and the MN-HA authentication extension covers the Home Agent field of the RRQ, so rewriting that field would invalidate the authenticator. Depending on network topology, either the local AAA or the home AAA server performs this function. In situations where the Home Agents are located in the access provider network, the local AAA server performs the Home Agent assignment function. Additionally, multiple pools of Home Agents can be configured at the local AAA server, depending on SLAs with the domains for which Mobile IP or proxy Mobile IP services are supported.
Dynamic IP Address
It is not necessary for a home IP address to be configured in the mobile station to access packet data services. A mobile user may request a dynamically assigned address by proposing an all-zero home address in the registration request message. The Home Agent assigns a home address and returns it to the MN in the registration reply message. The Home Agent obtains the IP address by accessing the home AAA server. The AAA server returns the name of a local pool or a single IP address. On successful registration, Mobile IP based services are made available to the user.
Fixed Addressing
It is possible to configure the Home Agent with a fixed address for each NAI. The fixed address is assigned to the MN each time it registers. This provides users all the benefits of static addressing while simplifying the configuration of the MN.
Note We do not recommend fixed addressing for large-scale deployment because the Home Agent configuration must be updated to perform all user maintenance.
Here is a sample configuration:
router (config)# ip mobile host nai user@realm.com address 10.0.0.1 interface FastEthernet0/0
Local Pool Assignment
Local pool assignment requires that one or more address pools be configured on the HA. The HA allocates addresses from the pool on a first come, first served basis. The MN keeps the address as long as it has an active binding in the HA. The MN may update its binding by sending an RRQ with either the allocated address or 0.0.0.0 as its home address. When the binding expires, the address is immediately returned to the pool.
Note Currently local pool allocation cannot be used with the peer-to-peer HA Redundancy model. The number of local pools that you can configure is limited only by the available memory on the router.
Here is a sample configuration:
router (config)# ip local pool mippool 10.0.0.5 10.0.0.250
router (config)# ip mobile host nai @localpool.com address pool local mippool virtual-network 10.0.0.0 255.255.255.0
SNMP Traps to Track Utilization of Local IP Pool
The CISCO-IP-LOCAL-POOL-MIB has traps to track local pool utilization, but these traps require that you specify the threshold in absolute numbers. However, it is desirable to track pool utilization in percentage when there are several, non-contiguous, IP pools. Cisco IOS Release 12.4(11)T adds the following required capabilities:
• A new threshold option is added to the ip local pool command to configure the high and low thresholds in percentage terms. The objects "cIpLocalPoolPercentAddrThldLo" and "cIpLocalPoolPercentAddrThldHi" are defined for the low and high threshold watermarks, respectively.
• A notification "ciscoIpLocalPoolPercentAddrNoti" is defined. When the percentage of used addresses in an IP local pool is equal to (or exceeds) the "cIpLocalPoolPercentAddrThldHi" threshold value, the "ciscoIpLocalPoolPercentAddrNoti" notification is generated. Once this notification is generated, it is disarmed and is not generated again until the number of used addresses falls below the value indicated by "cIpLocalPoolPercentAddrThldLo". When the percentage of used addresses in the IP local pool falls below the "cIpLocalPoolPercentAddrThldLo" threshold value, the "ciscoIpLocalPoolPercentAddrNoti" notification is rearmed.
DHCP Allocation
The Dynamic Host Configuration Protocol (DHCP) is widely used to allocate IP addresses for desktop computers. IOS Mobile IP leverages the existing DHCP proxy client in IOS to allow the home address to be allocated by a DHCP server. The NAI is sent in the Client-ID option, and can be used to provide dynamic DNS services.
Here is a sample configuration:
router(config)# ip mobile host nai @dhcppool.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0
Note Currently DHCP cannot be used with the peer-to-peer HA redundancy model.
Dynamic Addressing from AAA
Dynamic addressing from AAA allows you to support fixed and/or per session addressing for MNs without the trouble of maintaining addressing at the MN or HA. The AAA server can return either a specific address, a local pool name, or a DHCP server address. If the AAA server is used to return a specific address, the home address can be configured either as an attribute on the NAI entry in the RADIUS database, or can be allocated from a pool depending on the capabilities of the AAA server being used. The AAA server can also return the name of a local pool configured on the HA or a DHCP server IP address.
Here is a sample configuration.
On the HA:
router (config)# ip local pool dynamic-pool 10.0.0.5 10.0.0.10
router (config)# ip mobile host nai user@staticuser.com interface FastEthernet0/0 aaa
router (config)# ip mobile host nai @static.com interface FastEthernet0/0 aaa
AAA address assignment:
Cisco-AVPair = "mobileip:ip-address=65.0.0.71"
AAA local pool attribute:
Cisco-AVPair = "mobileip:ip-pool=dynamic-pool"
AAA DHCP server attribute:
Cisco-AVPair = "mobileip:dhcp-server=10.1.5.10"
On-Demand Address Pool (ODAP)
If you use MWAM cards to provide a higher density of HAs, you may choose to have IP addresses allocated from a central source. Cisco IOS On-Demand Address Pools (ODAP) provide this functionality. ODAP simplifies HA configuration because you do not have to configure a local pool of IP addresses in each HA configuration.
You can use ODAP to centralize the management of large pools of addresses and simplify the configuration of large networks. The ODAP feature consists of two components:
•DHCP ODAP subnet allocation server
•ODAP manager (residing on each HA)
A DHCP ODAP subnet allocation server is configured to create and allocate pools of IP address space on a per-subnet basis. The size of these pools is configurable. The subnets are leased to the ODAP managers on the HAs, where they serve as the allocation pools from which each ODAP manager assigns addresses. The DHCP ODAP subnet allocation server functionality can reside on one of the HA instances on the MWAM, on another external Cisco IOS router, or on an external Cisco Access Registrar.
The ODAP manager functionality resides on each HA image. Rather than using local IP pools, the HA uses the ODAP manager functionality. The ODAP manager leases subnets from the ODAP subnet allocation server based on the demand for IP addresses and subnet availability to each HA. The ODAP manager on the HA assigns addresses to clients from these subnets, and dynamically increases or decreases the subnet pool size depending on address utilization. When an HA ODAP manager leases a subnet, a summarized route is automatically added for each subnet that the HA receives. This route is added to the Null interface and is a static route.
When the ODAP manager on the HA allocates a subnet, the ODAP subnet allocation server creates a subnet binding. This binding is stored in the DHCP database for as long as the ODAP manager needs the address space. The binding is destroyed and the subnet returned to the subnet pool only when the HA ODAP manager releases the subnet as the address space utilization decreases.
The DHCP ODAP subnet allocation server has enhanced DHCP functionality. Instead of returning a single IP address, it returns a subnet of addresses. The ODAP manager manages this pool of IP addresses on the HA. This functionality provides a more efficient route summarization for the routing protocols.
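The following added example (not Cisco code) models the exchange described above between an HA's ODAP manager and the DHCP ODAP subnet allocation server: subnets are leased on demand, the manager grows by an extra subnet when its addresses run out, releases a subnet when it empties, and keeps one summarized Null route per leased subnet. The server's address block, the /30 initial and autogrow sizes, and the client names are constructed; subnet lease timers are not modelled.

```python
"""Model of the ODAP manager / subnet allocation server exchange (added
example, not Cisco code). Block, /30 sizes and client names are constructed."""
import ipaddress
from typing import Dict, List, Optional, Set

IPv4Network = ipaddress.IPv4Network


class SubnetAllocationServer:
    """Leases whole subnets instead of single addresses and keeps a binding
    per leased subnet until the manager that holds it releases it."""
    def __init__(self, block: str):
        self.block = ipaddress.ip_network(block)
        self.bindings: Dict[IPv4Network, str] = {}      # subnet -> manager name

    def lease(self, manager: str, prefixlen: int) -> Optional[IPv4Network]:
        for net in self.block.subnets(new_prefix=prefixlen):
            if net not in self.bindings:
                self.bindings[net] = manager             # binding stored
                return net
        return None                                      # address space exhausted

    def release(self, net: IPv4Network) -> None:
        self.bindings.pop(net, None)                     # binding destroyed


class OdapManager:
    """Per-HA ODAP manager: assigns addresses out of leased subnets, grows by
    leasing another subnet on demand, shrinks by releasing empty subnets, and
    keeps one summarized static route to Null0 per leased subnet."""
    def __init__(self, name: str, server: SubnetAllocationServer,
                 initial: int = 30, autogrow: int = 30):
        self.name, self.server = name, server
        self.initial, self.autogrow = initial, autogrow
        self.subnets: List[IPv4Network] = []
        self.assigned: Dict[str, str] = {}               # client -> address
        self.null_routes: Set[IPv4Network] = set()

    def _first_free(self) -> Optional[str]:
        taken = set(self.assigned.values())
        for net in self.subnets:
            for host in net.hosts():
                if str(host) not in taken:
                    return str(host)
        return None

    def _grow(self) -> bool:
        size = self.initial if not self.subnets else self.autogrow
        net = self.server.lease(self.name, size)
        if net is None:
            return False
        self.subnets.append(net)
        self.null_routes.add(net)                        # summarized route added
        return True

    def allocate(self, client: str) -> Optional[str]:
        addr = self._first_free()
        if addr is None and not self._grow():
            return None                                  # server had no subnet left
        addr = addr or self._first_free()
        self.assigned[client] = addr
        return addr

    def free(self, client: str) -> None:
        addr = ipaddress.ip_address(self.assigned.pop(client))
        still_used = [ipaddress.ip_address(a) for a in self.assigned.values()]
        for net in list(self.subnets):
            if addr in net and not any(a in net for a in still_used):
                self.subnets.remove(net)                 # utilization dropped: give it back
                self.null_routes.discard(net)
                self.server.release(net)
```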
Configuring ODAP-based Address Allocation
To enable the HA to support ODAP pools, perform the following task:
Step 1
Command: Router(config)# ip mobile host nai address pool dhcp-pool odap poolname
Purpose: Enables the HA to support ODAP address pools.
Here is an example:
Router (config)# ip mobile host nai @ispbar2.com address pool dhcp-pool ha-dhcp-pool
ODAP Restrictions
The following restrictions apply to the ODAP feature:
• ODAP with peer-to-peer redundancy is not supported.
• The minimum subnet lease time on the ODAP server must be 10 minutes.
• Preemption with rf-interdev support does not work.
Address Assignment for Same NAI - Multiple Static Addresses
The Cisco Home Agent supports multiple Mobile IP registrations for the same NAI with different static addresses. This is accomplished by configuring static-ip-address pool(s) at the home-AAA or DHCP server. When the HA receives a Registration Request message from the mobile user, the HA accesses the home-AAA for authentication, and possibly for assignment of an IP address. The NAI provided by the mobile user is sent to the home-AAA. The home-AAA server returns a list of static-IP-addresses or the static-ip-pool name corresponding to this NAI.
Address Assignment For Same NAI - Different Mobile Terminal
When the same NAI is used for registration from two different mobiles, the behavior is as follows:
• If static address assignment is used in both cases, they are viewed as independent cases.
• If dynamic address assignment is used in both cases, the second registration replaces the first.
• If static is used for the first, and dynamic for the second, the dynamic address assignment replaces the static address assignment.
• If dynamic is used for the first, and static for the second, they are viewed as independent cases.
Additionally, two flows originating from the same mobile using the same NAI—but two different Home Agents—are viewed as independent cases.
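The following added example (not Cisco code) models the binding rules this chapter states on one HA: no two NAIs share a home address, a static request for an address held by another NAI is answered with a pool address unless reject-static-addr is set, and the same-NAI rules listed above. The terminal identifier used to tell two mobiles apart and the local pool are constructed.

```python
"""Model of the Home Agent binding rules stated in this chapter (added
example, not Cisco code). Terminal id and address pool are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZERO = "0.0.0.0"   # all-zero home address in an RRQ asks for dynamic assignment


@dataclass
class Binding:
    nai: str
    address: str
    mobile: str      # constructed terminal identifier (not on the page)
    pooled: bool     # address came from the HA pool and must be returned to it


class HomeAgent:
    def __init__(self, pool: List[str], reject_static_addr: bool = False):
        self.free = list(pool)            # constructed local pool, first come first served
        self.reject_static_addr = reject_static_addr
        self.bindings: List[Binding] = []

    def _holder(self, address: str) -> Optional[Binding]:
        return next((b for b in self.bindings if b.address == address), None)

    def _release(self, b: Binding) -> None:
        """Drop a binding; a pool address is returned to the pool immediately."""
        self.bindings.remove(b)
        if b.pooled:
            self.free.insert(0, b.address)

    def register(self, nai: str, mobile: str,
                 requested: str = ZERO) -> Tuple[bool, Optional[str], str]:
        """Process a Registration Request; returns (accepted, home address, reason)."""
        static = requested != ZERO
        own = next((b for b in self.bindings
                    if b.nai == nai and b.mobile == mobile), None)
        if own and (not static or requested == own.address):
            return True, own.address, "binding refreshed"   # re-registration
        if not static:
            # Same NAI from another terminal: a dynamic registration replaces
            # the earlier one, whether that one was static or dynamic.
            for b in [b for b in self.bindings if b.nai == nai]:
                self._release(b)
            if not self.free:
                return False, None, "pool exhausted"
            addr = self.free.pop(0)
            self.bindings.append(Binding(nai, addr, mobile, True))
            return True, addr, "dynamic address assigned"
        # Static request: a second static registration for the same NAI is
        # independent, so nothing is replaced. Only a different NAI conflicts.
        holder = self._holder(requested)
        if holder is not None and holder.nai != nai:
            if self.reject_static_addr:
                return False, None, "address bound to another NAI; reject-static-addr set"
            if not self.free:
                return False, None, "address bound to another NAI; pool exhausted"
            addr = self.free.pop(0)
            self.bindings.append(Binding(nai, addr, mobile, True))
            return True, addr, "requested address in use; pool address returned instead"
        if holder is not None:            # same NAI, other terminal, same address
            self._release(holder)
        pooled = requested in self.free
        if pooled:
            self.free.remove(requested)
        self.bindings.append(Binding(nai, requested, mobile, pooled))
        return True, requested, "static address accepted"
```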
Configuration Examples
ODAP Redundancy Configuration
Active-HA configuration
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mwt10-7206b
!
redundancy inter-device
scheme standby cisco
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 500
local-ip 10.0.0.2
remote-port 500
remote-ip 10.0.0.3
aaa new-model
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
ip dhcp ping packet 0
ip dhcp pool ha-dhcp-pool
origin dhcp subnet size initial /30 autogrow /30
ip subnet-zero
ip cef
!
interface Ethernet2/0
description to PDSN/FA
ip address 10.0.0.2 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 10.0.0.4
standby priority 110
standby preempt delay min 100
standby name cisco
!
interface Ethernet2/2
description to AAA
ip address 172.16.1.8 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile home-agent redundancy cisco
ip mobile virtual-network 33.0.0.0 255.0.0.0
ip mobile host nai user14@cisco.com address pool dhcp-pool ha-dhcp-pool virtual-network 10.0.0.0 255.0.0.0 aaa
ip mobile secure home-agent 10.0.0.3 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix
!
radius-server host 172.16.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Standby-HA configuration
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mwt10-7206b
!
redundancy inter-device
scheme standby cisco
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 500
local-ip 10.0.0.3
remote-port 500
remote-ip 10.0.0.2
aaa new-model
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
ip dhcp pool ha-dhcp-pool
origin dhcp subnet size initial /30 autogrow /30
ip subnet-zero
ip cef
!
interface Ethernet2/0
description to PDSN/FA
ip address 10.0.0.3 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 10.0.0.4
standby name cisco
!
interface Ethernet2/2
description to AAA
ip address 150.2.1.7 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile home-agent redundancy cisco
ip mobile virtual-network 10.0.0.0 255.0.0.0
ip mobile host nai user14@cisco.com address pool dhcp-pool ha-dhcp-pool virtual-network 10.0.0.0 255.0.0.0 aaa
ip mobile secure home-agent 10.0.0.2 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix
!
radius-server host 172.16.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
DHCP-Proxy-Client Configuration
Active-HA configuration
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mwt10-7206b
!
aaa new-model
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
ip subnet-zero
ip cef
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
interface Ethernet2/0
description to PDSN/FA
ip address 10.0.0.2 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 10.0.0.4
standby priority 110
standby preempt delay sync 100
standby name cisco
!
interface Ethernet2/2
description to AAA
ip address 172.16.1.8 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile home-agent redundancy cisco
ip mobile virtual-network 10.0.0.0 255.0.0.0
ip mobile host nai user01@cisco.com address pool dhcp-proxy-client dhcp-server 10.0.0.101 virtual-network 10.0.0.0 255.0.0.0
ip mobile secure home-agent 10.0.0.3 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix
!
radius-server host 172.16.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Standby-HA configuration
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mwt10-7206b
!
aaa new-model
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
ip subnet-zero
ip cef
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
interface Ethernet2/0
description to PDSN/FA
ip address 10.0.0.3 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 10.0.0.4
standby name cisco
!
interface Ethernet2/2
description to AAA
ip address 172.16.1.7 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip local pool ha-pool 10.0.0.1 10.0.0.255
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile home-agent redundancy cisco
ip mobile secure home-agent 10.0.0.2 spi 100 key ascii redundancy algorithm md5 mode prefix-suffix
ip mobile virtual-network 10.0.0.0 255.0.0.0
ip mobile host nai user01@cisco.com address pool dhcp-proxy-client dhcp-server 10.0.0.101 virtual-network 10.0.0.0 255.0.0.0
!
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Posted: Fri Nov 17 00:42:57 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.