Dynamic Domain Name Server Updates
This chapter discusses Domain Name Server (DNS) update methods and Server Address assignment, and provides configuration details for those features.
This chapter contains the following sections:
• IP Reachability
• DNS Server Address Assignment
• Examples
IP Reachability
TIA/EIA/IS-835-D describes dynamic DNS update methods used by the home AAA server and the Home Agent. DNS update by AAA is applicable to both Simple IP and Mobile IP service, while DNS update by the Home Agent is only applicable to Mobile IP service. The following paragraphs describe the IP Reachability feature on Home Agent.
When the HA receives an initial Registration Request it sends a RADIUS Access-Request to the Home RADIUS server. If the RADIUS server is configured to request Home Agent-based DNS updates, the Home RADIUS server will include the DNS-Update-Required attribute in the RADIUS Access-Accept message returned to the HA. If the initial Mobile IP registration is successful, the HA sends a DNS Update message to the DNS server to add an A Resource Record for the MS. The HA sends a DNS Update message to the primary and secondary DNS server, if present.
When the HA receives a Mobile IP RRQ with the lifetime set to 0, or the Mobile IP lifetime expires, or administrative operations invalidate the mobility binding for the MS, the Home Agent sends a DNS Update message to the DNS server to delete the associated Resource Record.
Note: DNS updates are not sent for each re-registration.
Note: This feature is supported for Proxy Mobile IP flows as well.
The following call flow describes the IP Reachability on Home Agent - mobile registration scenario:
1. The Home Agent receives a registration request from the PDSN/FA.
2. The HA sends an access request to the RADIUS server. The HA includes the DNS Server Update Capability VSA.
3. The RADIUS server sends an access accept with the DNS Update Required VSA.
4. The HA sends a Registration response to the PDSN/FA. If the HA is configured for redundancy, the active Home Agent syncs the binding creation to the standby Home Agent.
5. The HA creates a binding and sends a DNS Update request message to the DNS server.
6. The DNS server creates a DNS entry for the NAI and sends a DNS Update response message to the HA.
The following call flow describes the IP Reachability on Home Agent - mobile deregistration scenario:
1. The Home Agent receives a registration request with lifetime zero from the PDSN/FA.
2. The HA sends an access request to the RADIUS server if the SA is not stored locally (optional).
3. The RADIUS server sends an access accept (optional).
4. The HA deletes the binding and sends a Registration response to the PDSN/FA. If the HA is configured for redundancy, the active HA syncs the binding deletion to the standby HA.
5. The HA sends a DNS Update request message to the DNS server to delete the DNS entry.
6. The DNS server deletes the DNS entry for the NAI and sends a DNS Update response message to the HA.
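The following added example (not from the Cisco document) models the registration and deregistration call flows above as the decision of when the Home Agent emits a DNS Update to the primary and secondary DNS servers; the class and method names are hypothetical, and it assumes a delete is only sent for a binding whose A record was actually added.

```python
from typing import Dict, List, Optional, Tuple


class HomeAgentDdns:
    """Tracks mobility bindings and records the DNS Update messages the HA
    would send. Assumption (not stated on the page): a delete is only issued
    for a binding whose A record was added, i.e. where AAA had returned
    DNS-Update-Required on the initial registration."""

    def __init__(self, primary: str, secondary: Optional[str] = None):
        # Updates go to the primary and, if present, the secondary DNS server
        self.dns_servers = [s for s in (primary, secondary) if s]
        self.bindings: Dict[str, Tuple[str, bool]] = {}  # nai -> (address, a_record_added)
        self.sent: List[Tuple[str, str, str, str]] = []  # (dns_server, op, nai, address)

    def _dns_update(self, op: str, nai: str, addr: str) -> None:
        for server in self.dns_servers:
            self.sent.append((server, op, nai, addr))

    def registration_request(self, nai: str, addr: str, lifetime: int,
                             dns_update_required: bool) -> str:
        """Handle an RRQ that AAA accepted. Lifetime 0 is a deregistration."""
        if lifetime == 0:
            return self.binding_invalidated(nai)
        if nai in self.bindings:
            # Re-registration: the binding is refreshed but no DNS Update is sent
            _, added = self.bindings[nai]
            self.bindings[nai] = (addr, added)
            return "rereg"
        # Initial registration: add an A RR only if AAA asked for HA-based updates
        self.bindings[nai] = (addr, dns_update_required)
        if dns_update_required:
            self._dns_update("add", nai, addr)
            return "add"
        return "no-ddns"

    def binding_invalidated(self, nai: str) -> str:
        """RRQ with lifetime 0, lifetime expiry, or administrative clear."""
        entry = self.bindings.pop(nai, None)
        if entry is None:
            return "unknown"
        addr, added = entry
        if added:
            self._dns_update("delete", nai, addr)
            return "delete"
        return "no-ddns"
```

The `sent` list doubles as the expected DDNS traffic baseline for a binding, which is what a detection rule for unexpected zone changes would be compared against.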
Configuring IP Reachability
The IP Reachability feature is enabled on the Home Agent for a realm by defining an ip ddns update method and attaching it to the realm with the ip mobile realm <realm> dns dynamic-update method <method-name> command, as shown in the example below.
To verify that this feature is enabled for a binding, use the show ip mobile binding command.
The following example illustrates the realm configuration for IP reachability:
ip ddns update method sit-ha2-ddns2
 DDNS both
ip mobile realm @ispxyz2.com dns dynamic-update method sit-ha2-ddns2
DNS Server Address Assignment
IS-835-D defines a method to push the home DNS server address to a mobile as an NVSE in a Mobile IP registration response. This procedure allows the Mobile Station to learn the primary and secondary DNS server addresses of its home domain.
The RADIUS server includes a DNS Server VSA in the Access-Accept sent to the HA during mobile authentication. The HA forms a DNS Server NVSE from the DNS Server VSA and adds it to the Mobile IP registration response. If the DNS Server VSA is not received at the time of authentication, and a DNS server address is configured locally on the HA, the HA forms the DNS Server NVSE from the local configuration and adds it to the Mobile IP registration response.
The DNS Server VSA and DNS Server NVSE carry primary and secondary DNS IP addresses.
The DNS Server VSA will be synced to the standby if the HA is deployed in redundant mode.
To enable this feature for the specified realm, issue the following commands:
ip mobile realm <realm> dns server assign
ip name-server x.x.x.x
To locally configure the DNS Server address, issue the following command:
ip mobile realm <realm> dns server <primary-dns-address> <secondary-dns-address>
To verify that this feature is enabled for a binding, use the show ip mobile binding command.
Note: If the DNS server address is configured both locally and downloaded from AAA, preference is given to the local configuration on the HA.
Examples
The following example illustrates how to configure a User profile for DNS:
[ //localhost/Radius/Profiles/mwts-mip-r20sit-haslb1-prof/Attributes ]
    CDMA-DNS-Server-IP-Address = 01:06:0A:4D:9B:0A:02:06:0A:4D:9B:09:03:03:01:04:03:01
    CDMA-DNS-Update-Required = "HA does need to send DNS Update"
    CDMA-HA-IP-Addr = 20.20.225.1
    CDMA-MN-HA-Shared-Key = ciscociscociscoc
    CDMA-MN-HA-SPI = 00:00:10:01
    CDMA-Reverse-Tunnel-Spec = "Reverse tunneling is required"
    class = "Entering the World of Mobile IP-3"
    Service-Type = Framed
Here is a sample configuration of the DNS server address assignment realm:
ip mobile realm @ispxyz2.com dns server 10.77.155.10 2.2.2.2
ip mobile realm @ispxyz2.com dns server assign
The following example illustrates how to configure the same in an AR user profile:
set CDMA-DNS-Server-IP-Address 01:06:0A:4D:9B:0A:02:06:0A:4D:9B:09:03:03:01:04:03:01
The octets 0A:4D:9B:0A and 0A:4D:9B:09 are the primary and secondary DNS server addresses (10.77.155.10 and 10.77.155.9).
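The following added example (not from the Cisco document) decodes and re-encodes the CDMA-DNS-Server-IP-Address value shown in the two profiles above and applies the local-over-AAA preference from the note in the previous section; it assumes sub-type 1 carries the primary and sub-type 2 the secondary address, treats the one-byte sub-types 3 and 4 as opaque, and uses hypothetical function names.

```python
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple, Union

# Value taken from the profile shown above (sample data, not a live attribute)
SAMPLE_VSA = "01:06:0A:4D:9B:0A:02:06:0A:4D:9B:09:03:03:01:04:03:01"
PRIMARY, SECONDARY = 1, 2  # sub-attribute types assumed to carry an IPv4 address


def parse_dns_server_vsa(hex_value: str) -> Dict[int, Union[str, bytes]]:
    """Walk the colon-hex TLV string: each sub-attribute is type, total length,
    value. Types 1 and 2 are decoded as IPv4 addresses; other types (the page
    shows 3 and 4 as one-byte values it does not describe) are kept raw.
    A malformed length raises ValueError so a bad AAA value never becomes
    a DNS server NVSE handed to the mobile."""
    data = bytes.fromhex(hex_value.replace(":", ""))
    out: Dict[int, Union[str, bytes]] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-attribute header")
        subtype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for sub-type {subtype}")
        value = data[i + 2:i + length]
        if subtype in (PRIMARY, SECONDARY):
            if len(value) != 4:
                raise ValueError(f"sub-type {subtype} must carry 4 address octets")
            out[subtype] = str(IPv4Address(value))
        else:
            out[subtype] = value
        i += length
    return out


def build_dns_server_vsa(primary: str, secondary: str, trailer: bytes = b"") -> str:
    """Encode the pair in the form used by 'set CDMA-DNS-Server-IP-Address';
    trailer carries any further sub-attributes verbatim."""
    tlvs = b"".join(bytes([t, 6]) + IPv4Address(a).packed
                    for t, a in ((PRIMARY, primary), (SECONDARY, secondary)))
    return ":".join(f"{b:02X}" for b in tlvs + trailer)


def nvse_addresses(local: Optional[Tuple[str, str]], vsa_hex: Optional[str]):
    """Addresses the HA places in the DNS server NVSE: a local
    'ip mobile realm ... dns server' configuration wins over the AAA VSA,
    which is used only when nothing is configured locally."""
    if local:
        return local
    if vsa_hex:
        parsed = parse_dns_server_vsa(vsa_hex)
        return parsed.get(PRIMARY), parsed.get(SECONDARY)
    return None
```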
Here is a sample configuration of both IP Reachability and DNS Server Address Assignment:
ha2#show run
Building configuration...

Current configuration : 10649 bytes
!
! Last configuration change at 22:45:21 UTC Fri Nov 11 2005
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
service udp-small-servers
!
hostname tb1-6513-ha2
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius MOT
 server 150.2.0.1 auth-port 1645 acct-port 1646
!
aaa authentication ppp default local group MOT
aaa authorization config-commands
aaa authorization ipmobile default group MOT
aaa authorization network default group MOT
aaa authorization configuration default group MOT
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 3
aaa accounting network ha start-stop group MOT
aaa accounting system default start-stop group MOT
!
aaa server radius dynamic-author
 client 150.2.0.1
 server-key cisco
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip gratuitous-arps
!
!
ip cef
ip dfp agent ipmobile
 port 400
 interval 15
 inservice
!
ip ftp source-interface GigabitEthernet0/0.10
ip ftp username root
ip ftp password pdsnmwg
no ip domain lookup
ip name-server 10.77.155.10
ip name-server 1.1.1.1
ip name-server 6.6.6.6
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp ping packets 0
!
ip dhcp pool Subnet-Pool1
 utilization mark high 75
 utilization mark low 25
 origin dhcp subnet size initial /30 autogrow /30
!
!
ip vrf forwarding
!
ip vrf ispxyz
!
ip vrf ispxyz-vrf1
 rd 100:1
!
ip vrf ispxyz-vrf2
 rd 100:2
!
!
ip ddns update method sit-ha2-ddns1
 DDNS both
!
ip ddns update method sit-ha2-ddns2
 DDNS both
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group testsip1-l2tp
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 l2tp tunnel hello 0
!
username user-ha2 password 0 cisco
!
!
!
interface Tunnel10
 no ip address
 ip access-group 150 in
!
interface Loopback0
 ip address 20.20.225.1 255.255.255.0
!
interface Loopback1
 description address of the LNS server
 ip address 20.20.206.20 255.255.255.0
!
interface Loopback2
 ip address 170.12.0.102 255.255.0.0
!
interface GigabitEthernet0/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no keepalive
 no cdp enable
!
interface GigabitEthernet0/0.10
 description TFTP vlan
 encapsulation dot1Q 10
 ip address 10.77.155.5 255.255.255.192
 no ip route-cache
 no snmp trap link-status
 no cdp enable
!
interface GigabitEthernet0/0.172
 description HAAA interface
 encapsulation dot1Q 172
 ip address 170.2.0.20 255.255.0.0
 no ip route-cache
 no snmp trap link-status
 no cdp enable
 standby delay minimum 15 reload 15
 standby version 2
 standby 2 ip 170.2.0.102
 standby 2 follow sit-ha2
!
interface GigabitEthernet0/0.202
 description PI interface
 encapsulation dot1Q 202
 ip address 20.20.202.20 255.255.255.0
 no ip route-cache
 no snmp trap link-status
 no cdp enable
 standby delay minimum 15 reload 15
 standby version 2
 standby 2 ip 20.20.202.102
 standby 2 ip 20.20.204.2 secondary
 standby 2 ip 20.20.204.3 secondary
 standby 2 ip 20.20.204.4 secondary
 standby 2 ip 20.20.204.5 secondary
 standby 2 ip 20.20.204.6 secondary
 standby 2 timers msec 750 msec 2250
 standby 2 priority 130
 standby 2 preempt delay minimum 180
 standby 2 name sit-ha2
!
interface GigabitEthernet0/0.205
 description REF interface
 encapsulation dot1Q 205
 ip address 20.20.205.20 255.255.255.0
 no ip route-cache
 no snmp trap link-status
 no cdp enable
 standby delay minimum 15 reload 15
 standby version 2
 standby 2 ip 20.20.205.102
 standby 2 follow sit-ha2
!
interface Virtual-Template1
 description To be used by VPDN for PPP tunnel
 ip unnumbered Loopback1
 peer default ip address pool LNS-pool
 no keepalive
 ppp accm 0
 ppp authentication chap pap optional
 ppp accounting none
!
router mobile
!
ip local pool LNS-pool 7.0.0.1 7.0.0.255
ip local pool ispxyz-vrf1-pool 50.0.0.1 50.0.0.255
ip local pool mobilenodes 40.0.0.1 40.0.100.255
ip default-gateway 10.77.155.1
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.202
ip route 10.77.139.29 255.255.255.255 10.77.155.1
ip route 150.2.0.0 255.255.0.0 170.2.0.1
no ip http server
!
!
ip mobile debug include username
ip mobile home-agent template Tunnel10 address 20.20.202.102
ip mobile home-agent revocation timeout 5 retransmit 4
ip mobile home-agent dynamic-address 20.20.202.102
ip mobile home-agent accounting ha broadcast lifetime 3600 replay 8 suppress-unreachable unknown-ha deny
ip mobile home-agent redundancy sit-ha2 virtual-network address 20.20.202.102 periodic-sync
ip mobile radius disconnect
ip mobile virtual-network 50.0.0.0 255.0.0.0
ip mobile virtual-network 40.0.0.0 255.0.0.0
ip mobile host nai mwts-pmp-r20sit-base-user1@ispxyz1.com virtual-network 40.0.0.0 255.0.0.0 aaa load-sa lifetime 600
ip mobile host nai @ispxyz2.com address pool local mobilenodes virtual-network 40.0.0.0 255.0.0.0 aaa lifetime 180
ip mobile realm mwts-pmp-r20sit-base-user1@ispxyz1.com dns server 10.77.155.10 1.1.1.1
ip mobile realm mwts-pmp-r20sit-base-user1@ispxyz1.com dns server assign
ip mobile realm mwts-pmp-r20sit-base-user1@ispxyz1.com dns dynamic-update method sit-ha2-ddns1
ip mobile realm @ispxyz2.com vrf ispxyz-vrf2 ha-addr 20.20.204.6
ip mobile realm @ispxyz2.com dns server 10.77.155.10 2.2.2.2
ip mobile realm @ispxyz2.com dns server assign
ip mobile realm @ispxyz2.com dns dynamic-update method sit-ha2-ddns2
ip mobile secure foreign-agent 20.20.201.10 20.20.201.100 spi 100 key ascii cisco replay timestamp within 7 algorithm md5 mode prefix-suffix
ip mobile secure foreign-agent 20.20.210.10 20.20.210.100 spi 100 key ascii cisco replay timestamp within 5 algorithm md5 mode prefix-suffix
ip mobile secure home-agent 20.20.202.10 20.20.202.95 spi 100 key ascii cisco replay timestamp within 7 algorithm md5 mode prefix-suffix
!
ip radius source-interface Loopback2
no logging trap
logging source-interface GigabitEthernet0/0.201
access-list 150 permit ip host 40.0.0.1 host 20.20.205.220 log
access-list 150 permit ip host 20.20.205.220 host 40.0.0.1 log
access-list 150 deny ip any any log
snmp-server community public RO
snmp-server community private RW
snmp-server trap-source Loopback0
snmp-server host 150.2.0.100 version 2c private
snmp-server host 150.2.0.100 public
no cdp run
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 55 access-request include
radius-server host 150.2.0.1 auth-port 1645 acct-port 1646 key 7 121A0C041104
radius-server host 150.2.0.100 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 4
radius-server timeout 2
radius-server deadtime 5
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
radius-server vsa send accounting 3gpp2
radius-server vsa send authentication 3gpp2
!
control-plane
!
alias exec shc sh cdma pdsn
alias exec ua undebug all
alias exec ui undebug ip packet
!
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
line vty 5 15
 exec-timeout 0 0
!
!
end
ha2#
Posted: Fri Nov 17 01:21:02 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.