
Mobile IP Technology and Applications

This chapter presents in detail the most important concepts of IOS Mobile IP configuration, using a simple lab topology. We start out by using six routers to examine each component individually. Several alternatives requiring fewer routers are presented at the end of the chapter. The idea here is to introduce Mobile IP configuration in its simplest form. All of the solutions presented in upcoming chapters are built on the information presented here. The topology presented here was not created just for this example, but is used by the authors as a baseline for most of their Mobile IP lab work.

Building the Baseline Topology

Figure 4-1 shows the basic topology, which is designed to demonstrate all the basic functionality in clearly separated components. It consists of Mobile IP entities—a single Home Agent, two Foreign Agents (FAs), and a Mobile Node—and non-Mobile IP entities—a Correspondent Node (CN) and an intermediate system (IS). Each of these devices is a router capable of running IOS software, as shown in Table 4-1. Feature navigator on Cisco.com can ensure that all features are available on the selected platform.

Figure 4-1 Basic Lab Topology

Table 4-1 Required IOS Software Versions

Device        Software Version*
Home Agent    IOS Release 12.0(1)T or higher
FAs           IOS Release 12.0(1)T or higher
Mobile Node   IOS Release 12.2(4)T or higher
CN            Any IOS version
IS            Any IOS version with OSPF

*If possible, IOS Release 12.3 or higher should be used in the Mobility Agents—Home Agents and FAs—so that all the features covered in this book are available.

Note that the Mobile Node in this topology is a "mobile router" (see Chapter 7, "Metro Mobility: Cisco Mobile Networks"). Although the mobile router is covered later in this book, it is used in this example to provide a complete solution that is independent of a specific Mobile Node client. The mobile router has essentially the same basic configuration attributes as a simple Mobile Node and thus provides not only a Mobile Node example but also a mobile router example for later reference.

Intermediate System Configuration

The IS shows the interaction between Mobile IP and traditional routing protocols and, as such, has no Mobile IP–specific configuration. However, including the IS more accurately models real-world scenarios and allows a better understanding of a Mobile IP deployment. In Example 4-1, each interface is assigned an IP address, and the Open Shortest Path First (OSPF) routing protocol is configured for all interfaces.

Example 4-1 Intermediate System Final Configuration

hostname IS
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.2.1 255.255.255.0
!     
interface Ethernet2/0
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet3/0
 ip address 192.168.4.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 1
!
end

Correspondent Node Configuration

The CN is used as a peer for traffic from the Mobile Node. Many Mobile IP labs are built without a CN and IS; while this allows basic functionality testing, it does not demonstrate real-world behavior. The use of a CN demonstrates the routing infrastructure as well as the Mobile IP infrastructure, and the interaction of the two. The CN needs only to be configured with an IP address on the interface. Although the CN is a router in Example 4-2, it could easily be replaced with a computer.

Example 4-2 CN Final Configuration

hostname CN
!
interface Ethernet0/0
 ip address 192.168.2.2 255.255.255.0
!
end

Home Agent Configuration

Home Agent configurations entail the following three basic tasks:

  • Enabling the Home Agent
  • Configuring the home networks
  • Configuring the Mobile Nodes that are supported by the Home Agent

We will step through the three tasks and introduce the IOS configuration commands that are needed on the router. The configuration shown in this section demonstrates the base configuration of the Home Agent. Later chapters introduce more features, but keep in mind that you should always keep the configurations as short as possible and enable only the necessary features.

The foremost task is to simply enable the Mobile IP functionality. Note that regardless of which Mobile IP entity the router is functioning as, the Mobile IP routing process needs to be configured as follows:

router mobile

When the Mobile IP process is running, one or more Mobility Agents can be enabled. To configure this router as a Home Agent, use the following command:

ip mobile home-agent

The next step is to configure the home networks and Mobile Nodes that are to be supported by the Home Agent. IOS Mobile IP supports two types of home networks, physical home networks and virtual home networks. Each Mobile Node that is supported by a Home Agent must reside on one of these types of home networks.

Physical Home Network Configuration

When a Home Agent supports physical home networks, it allows Mobile Nodes to attach directly to their home network. The physical home networks are defined on a Home Agent's physical interface. When a Mobile Node is attached to its home network, all Mobile IP functionality is inactive for that Mobile Node, and normal IP routing delivers traffic. When the Mobile Node is not attached to the home network, the Home Agent uses proxy Address Resolution Protocol (ARP) to divert traffic to the Mobile Node in its current location. Route propagation for a physical home network is handled directly by interior routing protocols, just as it would be for an interface with no Mobile Nodes. To use a physical home network, simply assign the interface an IP address and ensure that it is not shut down.

Virtual Home Network Configuration

A Home Agent also supports Mobile Nodes that reside on a virtual home network. Virtual home networks are similar to loopback interfaces, but they are Mobile IP specific. Similar to a loopback interface, a virtual network is always up and not susceptible to physical failures, thereby ensuring higher availability. Virtual networks only support nodes that never physically come home. Virtual networks are expressed as a network number and mask. To define a new virtual network on the Home Agent, use the following configuration command with address as the network number and mask as the network mask:

ip mobile virtual-network address mask

Unlike physical interfaces, however, routing information about virtual networks can only be originated by the Home Agent when mobile routes are redistributed into the interior gateway protocol. Redistribution of Mobile IP routes only redistributes the virtual networks; it does not redistribute the individual host routes that reach the Mobile Nodes. The section "Examining the Routing Table," later in this chapter, shows how Mobile IP routes appear in the routing table and how redistribution works.

Specific configuration of redistribution varies from protocol to protocol, but generally, it should be configured on the Home Agent as follows:

redistribute mobile

The next step is to configure Mobile Nodes to reside on a particular home network.

Mobile Host Configuration

The essence of a Home Agent configuration is the set of Mobile Nodes that it supports, which appears on one or more lines beginning with the ip mobile host command. This command defines which Mobile Nodes are allowed to register, which services they are allowed to use, and how to authenticate them. (The security association itself is configured separately, as described in the next section of this chapter.) The ip mobile host command requires a Mobile Node or group of Mobile Nodes to be defined and associated with a home network.

In the following example command, we consider a simple case—defining a range of Mobile Nodes identified by their home address (192.168.100.10 through 192.168.100.20) and associating them with a virtual network (192.168.100.0 with mask 255.255.255.0):

ip mobile host 192.168.100.10 192.168.100.20 virtual-network 192.168.100.0
 255.255.255.0

The Home Agent also needs to be configured with the Mobile-Home security association for each Mobile Node. The security association can be configured either in a AAA server or on the command line, as described in the examples of the next section.

Security Association Configuration

The security association between the Home Agent and a Mobile Node is mandatory; it is also the only one used in this chapter. Security contexts are configured on the Home Agent one per line, and each line is usually associated with one Mobile Node. (Remember that a security association is made up of one or more security contexts.) In some cases, several Mobile Nodes can share the same security key, but this is generally not recommended. At a minimum, one Mobile Node-Home Agent (MN-HA) security context is configured for each mobile host entry, but the standard allows for far more. If multiple security contexts, differentiated by their security parameter index (SPI) values, are configured for a single mobile host, the IOS mobile router implementation round-robins through all keys: each Registration Request (RRQ) uses a different security context, going from the lowest to the highest SPI value and then starting over. When the Home Agent sends a Registration Reply (RRP), it always uses the same security context that the Mobile Node used in the RRQ.

As with all security contexts, the HA-MN security context must be indexed with an SPI. The SPI in IOS is specified as a hexadecimal value. Finally, the key, algorithm, and mode must be specified. You can specify keys as an ASCII value or a hexadecimal value. To avoid errors, hexadecimal keys are recommended because the use of ASCII keys is not standardized. A complete HA-MN security association is as follows:

ip mobile secure host 192.168.100.10 spi 100 key hex
 1234567890abcdef1234567890abcdef algorithm hmac-md5
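
How the Home Agent uses this security context when a Registration Request arrives, as an added example that is not code from the book or from IOS. It assumes the RFC 3344 message layout with the Mobile-Home Authentication Extension as the only extension; the function names are hypothetical, and the addresses and key are the lab values from this chapter.

```python
import hashlib
import hmac
import ipaddress
import struct

MHAE_TYPE = 32   # Mobile-Home Authentication Extension
MAC_LEN = 16     # HMAC-MD5 output size in bytes
RRQ_LEN = 24     # fixed part of a Registration Request

KEY = bytes.fromhex("1234567890abcdef1234567890abcdef")

# Home Agent view of the `ip mobile secure host` line above.
# IOS reads "spi 100" as hexadecimal, so the value on the wire is 0x100.
HA_CONTEXTS = {("192.168.100.10", 0x100): KEY}


def build_rrq(home, home_agent, care_of, lifetime=300, ident=b"\x00" * 8):
    """Fixed RRQ fields: type 1, flags, lifetime, three addresses, identification."""
    addrs = b"".join(ipaddress.IPv4Address(a).packed
                     for a in (home, home_agent, care_of))
    return struct.pack("!BBH", 1, 0, lifetime) + addrs + ident


def sign(rrq, spi, key):
    """Mobile Node side: the MAC covers the RRQ plus the extension's type, length, SPI."""
    header = struct.pack("!BBI", MHAE_TYPE, 4 + MAC_LEN, spi)
    return rrq + header + hmac.new(key, rrq + header, hashlib.md5).digest()


def ha_verify(packet, contexts=HA_CONTEXTS):
    """Home Agent side: select the context by (home address, SPI), then check the MAC."""
    if len(packet) != RRQ_LEN + 6 + MAC_LEN:
        return "malformed"
    ext_type, ext_len, spi = struct.unpack("!BBI", packet[RRQ_LEN:RRQ_LEN + 6])
    if ext_type != MHAE_TYPE or ext_len != 4 + MAC_LEN:
        return "malformed"
    home = str(ipaddress.IPv4Address(packet[4:8]))
    key = contexts.get((home, spi))
    if key is None:
        return "no security context"
    expected = hmac.new(key, packet[:RRQ_LEN + 6], hashlib.md5).digest()
    if hmac.compare_digest(expected, packet[RRQ_LEN + 6:]):
        return "accepted"
    return "authentication failed"


if __name__ == "__main__":
    rrq = build_rrq("192.168.100.10", "192.168.1.2", "192.168.5.1")
    good = sign(rrq, 0x100, KEY)
    # Care-of address (bytes 12-15) rewritten after signing: the MAC no longer matches.
    altered = good[:12] + ipaddress.IPv4Address("192.168.6.1").packed + good[16:]
    other = build_rrq("192.168.100.11", "192.168.1.2", "192.168.5.1")
    cases = {
        "matching context": good,
        "SPI taken as decimal 100": sign(rrq, 100, KEY),
        "wrong key on the Mobile Node": sign(rrq, 0x100, bytes(16)),
        "care-of address altered in transit": altered,
        "host in range, no context configured": sign(other, 0x100, KEY),
    }
    for label, packet in cases.items():
        print(f"{label:38} -> {ha_verify(packet)}")
```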

Home Agent Final Configuration

Example 4-3 shows the final configuration of a router serving as a Home Agent. The Home Agent supports Mobile Nodes (192.168.100.10 through 192.168.100.20) residing on virtual network 192.168.100.0. The only Mobile Node configured with a security association is 192.168.100.10, and thus, it is the only Mobile Node allowed to register and roam.

Example 4-3 Home Agent Final Configuration

hostname HA
!
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
!
router mobile
!
router ospf 1
 redistribute mobile subnets
 network 192.168.0.0 0.0.255.255 area 1
!
ip mobile home-agent
ip mobile virtual-network 192.168.100.0 255.255.255.0
ip mobile host 192.168.100.10 192.168.100.20 virtual-network 192.168.100.0
 255.255.255.0
ip mobile secure host 192.168.100.10 spi 100 key hex 
 1234567890abcdef1234567890abcdef algorithm hmac-md5
!
end

Foreign Agent Configuration

The FA configuration used in this lab is simple and represents the most common implementation. Complex FA configurations are typically only used in mobile Internet service provider deployments of Mobile IP. A basic FA configuration requires the definition of the Care-of Address (CoA) and activation of roaming interfaces.

Recall that for any Mobile IP entity, the IOS Mobile IP process must be started before any Mobile IP commands can be accepted on the router. Again, this is accomplished with the router mobile command.

FA functionality is enabled with a single global statement that also specifies the interface to be used as the CoA. In the following example command, Ethernet interface 1/0 is configured with FA functionality:

ip mobile foreign-agent care-of Ethernet1/0

When the FA service has been enabled on the router, each interface that can accept Mobile Nodes needs to be configured. The interface-level command is as follows:

ip mobile foreign-service

Finally, because Mobile IP agent advertisements are part of Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP) advertisements, IRDP must be configured. The default timers for IRDP are long and do not facilitate timely handovers unless solicitation is used. In Example 4-4, the timers have been lowered because no link state triggers exist. Three relevant values exist for IRDP configuration: maxadvertinterval, minadvertinterval, and holdtime. If the min and max values are used together, a random value in between the two is generated for each advertisement. The holdtime should typically be three times the maximum to ensure that the agent is truly gone and not just experiencing a brief packet loss. Configuration values for IRDP timers are in seconds. Note that the advertisement timers can also be adjusted on the Home Agent with similar IRDP commands. Unless specified through configuration commands, the default IRDP values are a maximum interval of 5 minutes and a holdtime of 15 minutes.

Examples 4-4 and 4-5 show the configuration of routers serving as FAs. In Example 4-4, the FA allows Mobile Nodes to roam on interface E1/0 with FA Care-of Address (FA-CoA) 192.168.5.1. In Example 4-5, the FA allows Mobile Nodes to roam on interface E1/0 with FA-CoA 192.168.6.1. In both examples, the IRDP agent advertisement timers are adjusted.

Example 4-4 FA1 Final Configuration

hostname FA1
!
interface Ethernet0/0
 ip address 192.168.3.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.5.1 255.255.255.0
 ip irdp 
 ip irdp maxadvertinterval 4
 ip irdp minadvertinterval 3
 ip irdp holdtime 9
 ip mobile foreign-service
!
router mobile
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 1
!
ip mobile foreign-agent care-of Ethernet1/0
!
end

Example 4-5 FA2 Final Configuration

hostname FA2
!
interface Ethernet0/0
 ip address 192.168.4.2 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.6.1 255.255.255.0
 ip irdp 
 ip irdp maxadvertinterval 4
 ip irdp minadvertinterval 3
 ip irdp holdtime 9
 ip mobile foreign-service
!
router mobile
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 1
!
ip mobile foreign-agent care-of Ethernet1/0
!
end

Mobile Node Configuration

In this chapter, the Mobile Node is an IOS router running the IOS Mobile Networks feature. For this example, only a small subset of the IOS Mobile Networks features is used; full coverage is available in Chapter 7. The Mobile IP client used in IOS Mobile Networks is built on the same standard as a Mobile IP client for a PC or personal digital assistant (PDA) and, thus, requires all the same basic configuration attributes. In general, each Mobile Node must be configured with its identification, Home Agent's IP address, and a security association shared with the Home Agent.

IOS Mobile Networks uses a static home address for identification that needs to be configured on an interface before it can be used by the Mobile IP client. You should configure the home address on a loopback interface so that the home address is always up. The home address is a host address and, as such, needs to be configured with a /32 mask. (If the loopback does not have a host mask, traffic for other nodes on the Mobile Node's home network cannot follow the default route, but is routed to the loopback and gets dropped.)

The real mask of the home network is configured with the ip mobile router address command. One or more physical interfaces need to be specifically configured as roaming interfaces. These interfaces also must be configured with an IP address to enable IP traffic on that interface. Note that the IP address does not need to be valid and routable. Addresses are commonly used from the autoconf space, but you can pick any IP address.

As with all Mobile IP entities, the router mobile command is required to enable the Mobile IP process on the mobile router. After enabling Mobile IP, the Mobile IP client configuration is invoked with the ip mobile router command, which places the router in mobile router configuration mode. In this mode, the home address and home network subnet mask are configured with the address subcommand, and the Home Agent address is configured with the home-agent subcommand, as shown in the following example:

router mobile
ip mobile router
 address 192.168.100.10 255.255.255.0
 home-agent 192.168.1.2

Finally, the mandatory security association with the Home Agent needs to be configured. This security association needs to exactly match the one configured on the Home Agent, as follows:

ip mobile secure home-agent 192.168.1.2 spi 100 key hex
 1234567890abcdef1234567890abcdef algorithm hmac-md5

Recall that the security association is configured from the perspective of the Mobile IP entity on which the command is invoked, that is, this line is configuring the MN-HA security association.

Example 4-6 shows a mobile router configuration with a home address of 192.168.100.10 and a Home Agent address of 192.168.1.2. Note that the home address is configured on the loopback interface, and interface E0/0 is configured as the roaming interface.

Example 4-6 Mobile Node Final Configuration

hostname MN
!
interface Loopback0
 ip address 192.168.100.10 255.255.255.255
!
interface Ethernet0/0
 ip address 169.254.255.1 255.255.255.0
 ip mobile router-service roam
!
router mobile
!
ip mobile secure home-agent 192.168.1.2 spi 100 key hex 
 1234567890abcdef1234567890abcdef algorithm hmac-md5
!
ip mobile router
 address 192.168.100.10 255.255.255.0
 home-agent 192.168.1.2
!
end
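
Because the Mobile Node's security association must exactly match the Home Agent's, a pre-deployment check that compares the two configurations catches mistakes before registrations fail. The following added example (not from the book) parses the security-relevant lines of Examples 4-3 and 4-6; the audit function, the finding labels, and the MN_TYPO and HA_SHARED variants are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

SA_TAIL = r"\s+spi\s+(\S+)\s+key\s+hex\s+(\S+)\s+algorithm\s+(\S+)"
HOST_RANGE = re.compile(r"^ip mobile host (\S+)(?: (\S+))? virtual-network", re.M)
HA_SA = re.compile(r"^ip mobile secure host (\S+)" + SA_TAIL, re.M)
MN_SA = re.compile(r"^ip mobile secure home-agent (\S+)" + SA_TAIL, re.M)
MN_HOME = re.compile(r"^ address (\S+) \S+", re.M)

# Security-relevant lines of Examples 4-3 and 4-6, wrapped as printed in the chapter.
HA_PAGE = """\
ip mobile home-agent
ip mobile virtual-network 192.168.100.0 255.255.255.0
ip mobile host 192.168.100.10 192.168.100.20 virtual-network 192.168.100.0
 255.255.255.0
ip mobile secure host 192.168.100.10 spi 100 key hex
 1234567890abcdef1234567890abcdef algorithm hmac-md5
"""
MN_PAGE = """\
ip mobile secure home-agent 192.168.1.2 spi 100 key hex
 1234567890abcdef1234567890abcdef algorithm hmac-md5
ip mobile router
 address 192.168.100.10 255.255.255.0
 home-agent 192.168.1.2
"""
# Constructed variants: a mistyped key on the Mobile Node, and a second host
# on the Home Agent that reuses the first host's key.
MN_TYPO = MN_PAGE.replace("abcdef algorithm", "abcdee algorithm")
HA_SHARED = HA_PAGE + ("ip mobile secure host 192.168.100.11 spi 100 key hex "
                       "1234567890abcdef1234567890abcdef algorithm hmac-md5\n")


def contexts(pattern, config):
    """Map peer address -> {spi: (key, algorithm)}; the match also spans wrapped lines."""
    table = defaultdict(dict)
    for peer, spi, key, alg in pattern.findall(config):
        table[peer][int(spi, 16)] = (key.lower(), alg)  # IOS reads the SPI as hex
    return table


def audit(ha_config, ha_address, mn_configs):
    findings = []
    ha_sa = contexts(HA_SA, ha_config)
    # 1. Hosts permitted by `ip mobile host` but lacking a security context
    #    cannot register, because the MN-HA association is mandatory.
    for lo, hi in HOST_RANGE.findall(ha_config):
        first = int(ipaddress.IPv4Address(lo))
        last = int(ipaddress.IPv4Address(hi or lo))
        hosts = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)]
        missing = [h for h in hosts if h not in ha_sa]
        if missing:
            findings.append(("no-context", missing))
    # 2. The same key configured for more than one Mobile Node.
    owners = defaultdict(set)
    for host, table in ha_sa.items():
        for key, _alg in table.values():
            owners[key].add(host)
    findings += [("shared-key", sorted(h)) for h in owners.values() if len(h) > 1]
    # 3. Every context on a Mobile Node must match the Home Agent's exactly.
    for name, config in mn_configs.items():
        home = MN_HOME.search(config)
        mn_sa = contexts(MN_SA, config).get(ha_address, {})
        if home is None or not mn_sa:
            findings.append(("mn-incomplete", name))
            continue
        for spi, ctx in mn_sa.items():
            if ha_sa.get(home.group(1), {}).get(spi) != ctx:
                findings.append(("mismatch", name, home.group(1), hex(spi)))
    return findings


if __name__ == "__main__":
    for label, ha, mn in (("as printed", HA_PAGE, MN_PAGE),
                          ("mistyped MN key", HA_PAGE, MN_TYPO),
                          ("key reused on HA", HA_SHARED, MN_PAGE)):
        print(label, audit(ha, "192.168.1.2", {"MN": mn}))
```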
