Planning to Configure the Home Agent
This chapter provides information that you should know before configuring a Cisco Mobile Wireless Home Agent.
This chapter includes the following sections:
• Upgrading a Home Agent Image
• Supported Standards, MIBs, and RFCs
Supported Platforms
The Cisco HA is available on Cisco's 7206VXR NPE-400 router, 7206VXR NPE-G1 router, 6500 series switch and 7600 series router. The HA supports Fast Ethernet and Gigabit Ethernet interfaces on these platforms.
Note Cisco Mobile Wireless Release 3.0, Cisco IOS Release 12.3(14)YX and later, supports both the standard MWAM 512 MB per processor memory option, and the 1 GB per processor memory option.
Prerequisites
Depending on the platform on which you are implementing a Home Agent, the prerequisites vary. The sections below provide general guidelines to follow before configuring a Cisco Mobile Wireless Home Agent in your network:
• Cisco 7200 Series Platform Prerequisites
• Catalyst 6500 / Cisco 7600 Series Platform Prerequisites
Cisco 7200 Series Platform Prerequisites
Ensure that you meet the following hardware and software requirements before you implement a Home Agent in your network on the Cisco 7200 series router platform.
Home Agent on the Cisco 7206VXR NPE-400
For platform details and a complete list of interfaces supported on the 7206VXR NPE-400, please refer to the following URL on Cisco.com: http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_guide_book09186a008007daa6.html
The supported configuration on a Cisco 7206VXR with NPE-400 processor is with 512MB DRAM and one PA-2FE-TX FE port adapter, or two PA-FE-TX port adaptors. The PA-2FE-TX port adaptor has two 10/100 based Ethernet ports. The PA-FE-TX port adapter has one 10/100 based Ethernet port. The I/O controller on the NPE-400 processor supports two more 10/100 based Ethernet ports. Because the PA-FE-TX is end-of-sale, new configurations require the PA-2FE-TX port adaptor.
For IPSec support, a service adaptor (SA-ISA or SA-VAM2) is required. Because SA-ISA is end-of-sale, new configurations utilizing IPSec will require the NPE-G1 with SA-VAM2.
Home Agent on 7206VXR NPE-G1
For platform details and a complete list of interfaces supported on the 7206VXR NPE-G1, please refer to the following URL on Cisco.com: http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_guide_chapter09186a0080201e63.html
The supported configuration on a Cisco 7206VXR NPE-G1 processor is with 1GB DRAM and one PA-2FE-TX FE port adaptor. The Cisco 7206VXR NPE-G1 has three 10/100/1000 based Ethernet Ports.
For IPSec support, a service adaptor SA-ISA or SA-VAM2 is required. Because the SA-ISA is end-of-sale, new configurations utilizing IPSec will require use of SA-VAM2.
Catalyst 6500 / Cisco 7600 Series Platform Prerequisites
Home Agent on 6500 Series Switch
For platform details and a complete list of interfaces supported on the Cisco 6500 series switch, please refer to the on-line product information at the following url: http://www.cisco.com/en/US/products/hw/switches/ps708/index.html
The supported configuration for the HA based on the 6500 Series switch is dependent on the desired capacity, interface type to be deployed, and whether IPSec support is required.
Either a Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2) and Policy Feature Card 2 (PFC2) is required, or a Supervisor Engine 720 with Multilayer Switch Feature Card 3 (MSFC3) and Policy Feature Card 3BXL (PFC3BXL) is required.
A 1GB MWAM or 512MB MWAM is required to run HA functionality. Each MWAM module supports up to 5 HA images (5 HA instances).
For IPSec support, an IPSec VPN Services Module (VPNSM) is required for each Cisco 6500 series switch chassis.
Home Agent on 7600 Series Router
For platform details and a complete list of interfaces supported on the Cisco 7600 series router, please refer to the following URL on Cisco.com: http://www.cisco.com/en/US/products/hw/routers/ps368/index.html
The supported configuration for the HA based on the Cisco 7600 Series switch is dependent on the desired capacity, interface type to be deployed, and whether IPSec support is required.
Either a Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2) and Policy Feature Card 2 (PFC2) is required, or a Supervisor Engine 720 with Multilayer Switch Feature Card 3 (MSFC3) and Policy Feature Card 3BXL (PFC3BXL) is required.
A 1GB MWAM or 512MB MWAM module is required to run HA functionality. Each MWAM module supports 5 HA images (5 HA instances).
For IPSec support, an IPSec VPN Services Module (VPNSM) is required for each Cisco 7600 series switch chassis.
Configuration Tasks
The Cisco Home Agent software includes three images, one for the Cisco 7200 Series Router, one for the 7300 Series router, and one for the Cisco Catalyst 6500 switch and Cisco 7600 Series router platforms. This section describes the steps for configuring the Cisco Home Agent. Each image is described by platform number.
•c7200-h1is-mz HA image
•c7301-is-mz HA image
•svcmwam-h1is-mz HA image
Upgrading a Home Agent Image
To perform the upgrade, use the following procedure:
Step 1 Log onto the supervisor and boot the MP partition on the PC.
router #hw-module module 3 reset cf:1
Device BOOT variable for reset = cf:1
Warning: Device list is not verified.
Proceed with reload of module? [confirm]
% reset issued for module 3
router#
Step 2 Once the module is online, issue the following command:
copy tftp: tftp file location pclc# linecard #-fs:
The upgrade file uses a special format that makes this process slow. The following example illustrates the upgrade process output:
router #copy tftp://172.31.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
Destination filename [c6svcmwam-c6is-mz.bin]?
Accessing tftp://172.31.219.33/images/c6svcmwam-c6is-mz.bin...
Loading images/c6svcmwam-c6is-mz.bin from 10.102.16.25 (via Vlan1):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 29048727/58096640 bytes]
29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
router #
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
router #
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeeded>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module
Step 3 Boot the MWAM card back to partition 4, and you have an upgraded image.
router#hw-module module 3 reset
Upgrading the HA Image From XW-based Image to YX-based Image
If you are upgrading the Home Agent from an XW-based image to a 12.3(14)YX or 12.4(11)T image, you first need to upgrade the SUP image from an SXB-based image to an SXE-based image.
Note We recommend that you upgrade to the Cisco IOS Supervisor Engine 720, Release 12.2(18)SXE3. For more information on the 12.2(18)SXE3 Supervisor image, please refer to the following URL: http://www.cisco.com/en/US/products/hw/switches/ps708/prod_release_note09186a00801c8339.html
After you upgrade the SUP image, you can then upgrade the HA image.
Upgrading the Supervisor Image
To upgrade the Supervisor image, perform the following procedure:
Step 1 Copy the SUP image to the disks (disk0: / slavedisk0:).
Step 2 Add the following command to the running config: "boot system disk0: SUP image name". Here is an example:
boot system disk0:c6k222-pk9sv-mz.122-18.SXD2.bin
Note This step may require you to unconfigure previously configured instances of this CLI in order to enable the image to properly reload.
Step 3 Perform a "write memory" so that running configuration is saved on both active and standby SUP.
Step 4 Issue the reload command on the active SUP.
Step 5 Both active and standby supervisors will reload simultaneously and come up with the SXD-based image.
Note Issuing the reload command on the active SUP will cause both the active and standby Supervisors to reload simultaneously, thus causing some downtime during the upgrade process.
Upgrading the HA Image on MWAM
To upgrade to the YF-based image on the MWAM, perform the following procedure:
Step 1 Bring down the active HA by issuing the hw-module module slot # reset cf:1 command. The standby HA will take over as the active HA. Log onto the supervisor and boot the MP partition on the PC.
router #hw-module module 3 reset cf:1
Device BOOT variable for reset = cf:1
Warning: Device list is not verified.
Proceed with reload of module? [confirm]
% reset issued for module 3
router#
Step 2 Once the module is online, copy the YF image to pclc# slot file system by issuing the following command:
copy tftp: tftp file location pclc# linecard #-fs:
The upgrade file uses a special format that makes this process slow. The following example illustrates the upgrade process output:
router #copy tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
Destination filename [c6svcmwam-c6is-mz.bin]?
Accessing tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin...
Loading images/c6svcmwam-c6is-mz.bin from 64.102.16.25 (via Vlan1):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 29048727/58096640 bytes]
29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
router #
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
router #
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeeded>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module
Step 3 Boot the MWAM card back to partition 4, and you have an upgraded image.
router#hw-module module 3 reset cf:4
Step 4 Verify that all the bindings opened with the active HA have synced with the processor running the new image.
Step 5 Bring down the active HA with the XW-based image. The newly loaded YF-based HA will now become active.
Step 6 Perform steps 1 through 3 as described above.
Note The downgrade process is similar to the upgrade process; the SUP image should be downgraded first, followed by the HA image.
Note For SXD-based SUP images, if config-on-SUP mode is used on the MWAM, the startup configuration is written on both the SUP and local file system. This will assist you in upgrading or downgrading the images without losing the HA configuration between XW and YF images.
Note The downgraded image always starts with config-local due to incompatibility, and so it must be explicitly configured again using config-on-sup on every downgrade. Additionally, any further upgrades will start with the mode used by the same version the image used earlier, followed by the mode used by the old version.
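In Steps 2 and 3 of the upgrade procedures above, the module may be reset only after the supervisor logs the success message for that slot. The following Python check is an added example, not part of the Cisco documentation, that applies this gate to a saved console transcript. The function name, the returned fields and the byte-count comparison are assumptions, and the sample transcript is constructed from the output shown above.

```python
import re

# Constructed transcript, assembled from the console output shown in the procedure.
SAMPLE_LOG = """\
router #copy tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
[OK - 29048727/58096640 bytes]
29048727 bytes copied in 1230.204 secs (23616 bytes/sec)
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeeded>
2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module
"""

STR_RECVD = re.compile(r"%SVCLC-SP-5-STRRECVD: mod (\d+): <(.*?)>?\s*$")
COPY_OK = re.compile(r"^\[OK - (\d+)/\d+ bytes\]")
COPIED = re.compile(r"^(\d+) bytes copied in ")


def upgrade_status(log_text, module):
    """Decide from a console transcript whether `module` may be reset."""
    loaded = copied = None
    started = succeeded = False
    for line in log_text.splitlines():
        line = line.strip()
        if m := COPY_OK.match(line):
            loaded = int(m.group(1))
        elif m := COPIED.match(line):
            copied = int(m.group(1))
        elif m := STR_RECVD.search(line):
            if int(m.group(1)) != module:
                continue  # message belongs to another MWAM slot
            text = m.group(2)
            if text == "Application upgrade has started":
                started, succeeded = True, False  # a new attempt voids an old result
            elif text == "Application upgrade has succeeded":
                succeeded = started  # success only counts after a start
    reasons = []
    if loaded is None or copied is None:
        reasons.append("no completed TFTP copy in transcript")
    elif loaded != copied:
        reasons.append(f"byte counts differ: loaded {loaded}, copied {copied}")
    if not started:
        reasons.append("upgrade never started")
    elif not succeeded:
        reasons.append("upgrade started but success not reported; do not reset")
    return {"safe_to_reset": not reasons, "reasons": reasons}


if __name__ == "__main__":
    print(upgrade_status(SAMPLE_LOG, 3))
```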
Changing Configuration on Home Agent in a Live Network
If you need to change the working configuration on a Home Agent in a live network environment, perform the following procedure:
Step 1 Bring the standby HA out of service. An example would be to shut down the HSRP interface towards active HA.
Step 2 Make the necessary configuration changes on the standby HA, and save the configuration.
Step 3 Issue the reload command to bring the standby HA back into service.
Step 4 Bring the active HA out of service by shutting down the HSRP interface. This will cause the standby to take over as the active HA.
Step 5 Make the necessary configuration changes on the active HA, and save the configuration.
Step 6 Issue the reload command to bring the active HA back into service.
Note Some outage might occur because existing calls on the active HA are cleared forcibly.
Note For HA redundancy to work properly, configure the active and standby HAs identically.
Loading the IOS Image to MWAM
The image download process automatically loads an IOS image onto the three processor complexes on the MWAM. All three complexes on the card run the same version of IOS, so they share the same image source. The software for MWAM bundles the images it needs in flash memory on the PC complex. For more information, refer to the Cisco Multi-processor WAN Application Module Installation and Configuration Note.
Required Base Configuration
A typical HA configuration requires that you define interfaces in three directions: PDSN/FA, home network, and AAA server. If HA redundancy is required, then you must configure another interface for HSRP binding updates between HAs. If you are running the HA on the MWAM, the HA sees one GE port, which connects to the Catalyst 6500 backplane. That port can be configured as a trunk port, with a subinterface for each network that must be reached.
VLANs can be defined corresponding to each interface: PDSN/FA, home network, AAA. In the case of multiple HA instances in the same Catalyst 6500 chassis, or 7600 chassis, the same VLAN can be used for all of them.
The following sections illustrate the required base configuration for the Cisco Mobile Wireless Home Agent:
• Basic IOS Configuration on MWAM
• Configuring AAA in the Home Agent Environment
• Configuring RADIUS in the Home Agent Environment
Basic IOS Configuration on MWAM
To configure the Supervisor engine to recognize the MWAM modules, and to establish physical connections to the backplane, use the following commands:
Note MWAM modules synchronize their timing functions from the Supervisor engine's clock timers. Do not configure the timers on each individual MWAM.
Configuring AAA in the Home Agent Environment
Access control is the way you manage who is allowed access to the network server and what services they are allowed to use. AAA network security services provide the primary framework through which you set up access control on your router or access server. For detailed information about AAA configuration options, refer to the "Configuring Authentication," and "Configuring Accounting" chapters in the Cisco IOS Security Configuration Guide.
To configure AAA in the HA environment, use the following commands in global configuration mode:
Configuring RADIUS in the Home Agent Environment
RADIUS is a method for defining the exchange of AAA information in the network. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a RADIUS server that contains all user authentication and network server access information. For detailed information about RADIUS configuration options, refer to the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide.
To configure RADIUS in the HA environment, use the following commands in global configuration mode:
Configuration Examples
Figure 1 and the information that follows are an example of the placement of a Cisco HA and its configuration.
Figure 1 Home Agent —A Network Map
Example 1
hostname ha1-7206
!
aaa new-model
!
aaa authentication login default group radius
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
interface FastEthernet0/1
description To FA/PDSN
ip address 3.3.3.1 255.255.255.0
!
interface FastEthernet0/2
description To AAA
ip address 10.30.30.1 255.0.0.0
!
router mobile
!
ip local pool ha-pool1 10.35.35.1 10.35.35.254
ip mobile home-agent broadcast
ip mobile virtual-network 10.35.35.0 255.255.255.0
ip mobile host nai @xyz.com address pool local ha-pool1 virtual-network 10.35.35.0 255.255.255.0 aaa load-sa lifetime 65535
!
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key cisco
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
________________________________________________________
Example 1 Home Agent Configuration
Cisco_HA#sh run
Building configuration...
Current configuration : 4532 bytes
!
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
service udp-small-servers
service tcp-small-servers
!
hostname USER_HA
!
aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa authorization configuration default group radius
aaa session-id common
!
username simulator password 0 cisco
username userc-moip password 0 cisco
username pdsn password 0 cisco
username userc password 0 cisco
username USER_PDSN
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
!
!
!
interface Loopback0
ip address 10.2.2.2 255.255.255.0
!
interface Tunnel1
no ip address
!
interface FastEthernet0/0
ip address 10.15.68.14 255.255.0.0
duplex half
speed 100
no cdp enable
!
interface FastEthernet0/1
no ip address
shutdown
duplex half
speed 10
no cdp enable
!
interface FastEthernet1/0
ip address 10.92.92.2 255.255.0.0
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1/1
ip address 10.5.5.3 255.255.255.0 secondary
ip address 10.5.5.1 255.255.255.0
shutdown
duplex auto
speed auto
no cdp enable
!
!
router mobile
!
ip local pool ha-pool 10.0.0.1 10.0.15.254
ip local pool ha-pool1 10.4.4.100 10.4.4.255
ip default-gateway 10.15.0.1
ip classless
ip route 10.3.3.1 255.255.255.255 FastEthernet1/1
ip route 10.100.0.1 255.255.255.255 9.15.0.1
ip route 10.17.17.17 255.255.255.255 FastEthernet1/0
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile host nai userc-moip address pool local ha-pool interface FastEthernet1/0
ip mobile host nai userc address pool local pdsn-pool interface Loopback0 aaa
ip mobile secure host nai userc-moip spi 100 key hex ffffffffffffffffffffffffffffffff replay timestamp within 150
!
!
radius-server host 10.15.200.1 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 3
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 5 15
!
!
end
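The two sample configurations above contain lab settings that should not be carried into a production Home Agent: small servers enabled, cleartext (type 0) passwords, a console login method of `none`, disabled idle timeouts, the RADIUS key `cisco`, and an all-`f` mobility security association key. The following Python check is an added example, not Cisco's code, that flags those lines in a saved configuration. The rule names and the `WEAK_SECRETS` denylist are assumptions, and the sample input is constructed from lines of both configurations.

```python
import re

# Constructed excerpt: lines taken from the two sample configurations above.
SAMPLE_CONFIG = """\
no service password-encryption
service udp-small-servers
service tcp-small-servers
aaa authentication login CONSOLE none
username simulator password 0 cisco
ip mobile secure host nai userc-moip spi 100 key hex ffffffffffffffffffffffffffffffff replay timestamp within 150
radius-server host 10.15.200.1 auth-port 1645 acct-port 1646 key cisco
line con 0
 exec-timeout 0 0
 login authentication CONSOLE
"""

WEAK_SECRETS = {"cisco", "password", "admin"}  # assumed denylist, extend locally


def _weak_secret(match):
    return match.group("secret").lower() in WEAK_SECRETS


def _one_repeated_digit(match):
    return len(set(match.group("secret").lower())) == 1


# (rule id, pattern matched from the start of the line, extra predicate, advice)
RULES = [
    ("small-servers", re.compile(r"service (tcp|udp)-small-servers$"), None,
     "turn off the echo/chargen/discard small servers"),
    ("password-encryption-off", re.compile(r"no service password-encryption$"), None,
     "passwords are kept in cleartext in the configuration"),
    ("plaintext-user-password", re.compile(r"username \S+ password 0 \S+$"), None,
     "type 0 password; use a hashed 'secret' instead"),
    ("login-without-auth", re.compile(r"aaa authentication login \S+ none$"), None,
     "lines using this method list log in with no credentials"),
    ("no-idle-timeout", re.compile(r"exec-timeout 0 0$"), None,
     "sessions on this line never time out"),
    ("weak-radius-key",
     re.compile(r"radius-server host \S+ .*\bkey (?P<secret>\S+)$"),
     _weak_secret, "replace the guessable RADIUS shared secret"),
    ("trivial-mobile-ip-key",
     re.compile(r"ip mobile secure .*\bkey hex (?P<secret>[0-9A-Fa-f]+)\b"),
     _one_repeated_digit, "replace the repeated-digit security association key"),
]


def audit(config_text):
    """Return (line number, rule id, advice) for every weak setting found."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for rule_id, pattern, predicate, advice in RULES:
            match = pattern.match(line)
            if match and (predicate is None or predicate(match)):
                findings.append((number, rule_id, advice))
    return findings


if __name__ == "__main__":
    for number, rule_id, advice in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule_id}: {advice}")
```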
Restrictions
Simultaneous Bindings
The Cisco Home Agent does not support simultaneous bindings. When multiple flows are established for the same NAI, a different IP address is assigned to each flow. This means that simultaneous binding is not required, because it is used to maintain more than one flow to the same IP address.
Security
The HA supports IPSec, IKE, IPSec Authentication Header (AH) and IP Encapsulating Security Payload (ESP) as required in IS-835-B. The Home Agent does not support security for control or user traffic independently. Either both are secured, or neither.
The Home Agent does not support dynamically assigned keys or shared secrets as defined in IS-835-B.
Supported Standards, MIBs, and RFCs
RFCs
Cisco IOS Mobile Wireless Home Agent Release 3.0 supports the following RFCs:
•IPv4 Mobility, RFC 2002
•IP Encapsulation within IP, RFC 2003
•Applicability Statement for IP Mobility Support, RFC 2005
•The Definitions of Managed Objects for IP Mobility Support Using SMIv2, RFC 2006
•Reverse Tunneling for Mobile IP, RFC 3024
•Mobile IPv4 Challenge/Response Extensions, RFC 3012
•Mobile NAI Extension, RFC 2794
•Generic Routing Encapsulation, RFC 1701
•GRE Key and Sequence Number Extensions, RFC 2890
•IP Mobility Support for IPv4, RFC 3220, Section 3.2 Authentication
•The Network Access Identifier, RFC 2486, January 1999.
•An Ethernet Address Resolution Protocol, RFC 826, November 1982
•The Internet Key Exchange (IKE), RFC 2409, November 1998.
•Cisco Hot Standby Routing Protocol (HSRP), RFC 2281, March 1998
Standards
Cisco IOS Mobile Wireless Home Agent Release 3.0 supports the following standards:
•TIA/EIA/IS-835-B, TIA/EIA/IS-835-C and TIA/EIA/IS-835-D
MIBs
Cisco IOS Mobile Wireless Home Agent Release 3.0 supports the following MIBs:
•CISCO-MOBILE-IP-MIB—provides enhanced management capabilities.
•Radius MIB—as defined in RADIUS Authentication Client MIB, RFC 2618, June 1999.
The HA implements SNMPv2 as specified in the suite of protocols: RFC 1901 to RFC 1908. The HA supports the MIB defined in The Definitions of Managed Objects for IP Mobility Support Using SMIv2, RFC 2006, October 1995.
A full list of MIBs that are supported on the 7200, 7600 and 6500 series platforms can be found on the Cisco website at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Session counters maintained in the MIB cannot be reset using SNMP or CLI. The Home Agent CPU and Memory Utilization counters are accessible using the CISCO-PROCESS-MIB.
The following additional counters will be supported in the Cisco Mobile Wireless Home Agent Release 3.0 MIB:
•Number of Bindings for FA/CoA
•Number of registration requests received per FA/CoA
•Failure counters per FA/CoA—HA Release 2.0 and above supports global failure counters. A per-FA/CoA counter will be added for each of those counters
Related Documents
Cisco IOS Software Documentation
•Cisco IOS Dial Technologies Configuration Guide, Release 12.3
•Cisco IOS Dial Technologies Command Reference, Release 12.3
•Cisco IOS Interface Configuration Guide, Release 12.3
•Cisco IOS Interface Command Reference, Release 12.3
•Cisco IOS IP Configuration Guide, Release 12.3
•Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.3
•Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.3
•Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.3
•Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.3
•Cisco IOS Quality of Service Solutions Command Reference, Release 12.3
•Cisco IOS Security Configuration Guide, Release 12.3
•Cisco IOS Security Command Reference, Release 12.3
•Cisco IOS Switching Services Configuration Guide, Release 12.3
•Cisco IOS Switching Services Command Reference, Release 12.3
•Cisco Multi-Processor WAN Application Module Installation and Configuration Note
Posted: Fri Nov 17 00:48:47 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.