Cisco IOS Mobile Wireless Home Agent Configuration Guide, Release 12.4

Cisco IOS Mobile Wireless
Home Agent
Configuration Guide
Release 12.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-7614-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet
Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise,
the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX,
Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R)
Cisco IOS Mobile Wireless Home Agent Configuration Guide

© 2005 Cisco Systems, Inc. All rights reserved.
C ON T E N T S
About Cisco IOS Software Documentation for Release 12.4 vii
Documentation Objectives vii
Audience vii
Documentation Organization for Cisco IOS Release 12.4 vii
Document Conventions xiii
Obtaining Documentation xv
Cisco.com xv
Documentation DVD xv
Ordering Documentation xvi
Documentation Feedback xvi
Cisco Product Security Overview xvi

Reporting Security Problems in Cisco Products xvii
Obtaining Technical Assistance xvii

Cisco Technical Support Website xvii
Submitting a Service Request xviii
Definitions of Service Request Severity xviii
Obtaining Additional Publications and Information xix
Using Cisco IOS Software for Release 12.4 xxi
Understanding Command Modes xxi
Getting Help xxii

Example: How to Find Command Options xxiii
Using the no and default Forms of Commands xxv
Saving Configuration Changes xxvi
Filtering Output from the show and more Commands xxvi
Finding Additional Feature Support Information xxvii

OL-7614-01 iii
Contents
CHAPTER 1 Cisco Mobile Wireless Home Agent 1-1
Feature Overview 1-1

System Overview 1-2
Cisco Home Agent Network 1-3
Packet Data Services 1-4
Cisco Mobile IP Service 1-4
Cisco Proxy Mobile IP Service 1-6
Features 1-7
Feature Support 1-7
Benefits 1-8
The Home Agent 1-9
Dynamic Home Agent Assignment 1-9
Home Agent Redundancy 1-10
HSRP Groups 1-10
How HA Redundancy Works 1-10
Physical Network Support 1-12
Home Address Assignment 1-13
3 DES Encryption 1-14
Mobile IP IPSec 1-14
User Profiles 1-16
Mobility Binding Association 1-17
User Authentication and Authorization 1-17
HA Binding Update 1-18
Packet Filtering 1-18
Security 1-18
Restrictions 1-18
Supported Platforms 1-19
Supported Standards, MIBs, and RFCs 1-20
CHAPTER 2 Configuring Cisco Mobile Wireless Home Agent 2-1
Configuration Tasks 2-1

Upgrading a Home Agent Image 2-1
Loading the Cisco IOS Image to MWAM 2-2
Configuring the Home Agent 2-2
Basic IOS Configuration on MWAM 2-3
Configuring AAA in the Home Agent Environment 2-4
Configuring RADIUS in the Home Agent Environment 2-4
Configuring Mobile IP Security Associations 2-5
Configuring HA Redundancy 2-5

iv OL-7614-01
Contents
Enabling Mobile IP 2-5

Enabling HSRP 2-5
Configuring HSRP Group Attributes 2-6
Enabling HA Redundancy for a Physical Network 2-6
Enabling HA Redundancy for a Virtual Network Using One Physical Network 2-7
Configuring Network Management 2-7
Configuring the Cisco Home Agent 2-8
Configuring IPSec for the HA 2-8
Monitoring and Maintaining the HA 2-9
Configuration Examples 2-9

Cisco Home Agent Configuration 2-10
Home Agent Redundancy Configuration 2-13
Home Agent IPSec Configuration 2-17
INDEX

OL-7614-01 v
Contents

vi OL-7614-01
About Cisco IOS Software Documentation for
Release 12.4
This chapter discusses the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation, technical assistance, and
additional publications and information from Cisco Systems.
Documentation Objectives
Cisco IOS software documentation describes the tasks and commands available to configure and
maintain Cisco networking devices.
Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the
configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS software commands
necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for
those users experienced with Cisco IOS software who need to know about new features, new
configuration options, and new software characteristics in the current Cisco IOS software release.
Documentation Organization for Cisco IOS Release 12.4

The Cisco IOS Release 12.4 documentation set consists of the configuration guide and command
reference pairs listed in Table 1 and the supporting documents listed in Table 2. The configuration guides
and command references are organized by technology. For the configuration guides:
• Some technology documentation, such as that for DHCP, contains features introduced in
Releases 12.2T and 12.3T and, in some cases, Release 12.2S. To assist you in finding a particular
feature, a roadmap document is provided.
• Other technology documentation, such as that for OSPF, consists of a chapter and accompanying
Release 12.2T and 12.3T feature documents.

OL-7614-01 vii
About Cisco IOS Software Documentation for Release 12.4
Note In some cases, information contained in Release 12.2T and 12.3T feature documents augments or
supersedes content in the accompanying chapters. Therefore it is important to review all feature
documents for a particular technology.
Table 1 lists the Cisco IOS Release 12.4 configuration guides and command references.
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References
Configuration Guide and

Command Reference Titles Description
IP
Cisco IOS IP Addressing Services The configuration guide is a task-oriented guide to configuring IP addressing and
Configuration Guide, Release 12.4 services, including Network Address Translation (NAT), Domain Name System
(DNS), and Dynamic Host Configuration Protocol (DHCP). The command
Cisco IOS IP Addressing Services
reference provides detailed information about the commands used in the
Command Reference, Release 12.4
configuration guide.
Cisco IOS IP Application Services The configuration guide is a task-oriented guide to configuring IP application
Configuration Guide, Release 12.4 services, including IP access lists, Web Cache Communication Protocol
(WCCP), Gateway Load Balancing Protocol (GLBP), Server Load Balancing
Cisco IOS Application Services
(SLB), Hot Standby Router Protocol (HSRP), and Virtual Router Redundancy
Protocol (VRRP). The command reference provides detailed information about
the commands used in the configuration guide.
Cisco IOS IP Mobility The configuration guide is a task-oriented guide to configuring Mobile IP and
Configuration Guide, Release 12.4 Cisco Mobile Networks. The command reference provides detailed information
Cisco IOS IP Mobility about the commands used in the configuration guide.
Cisco IOS IP Multicast The configuration guide is a task-oriented guide to configuring IP Multicast,
Configuration Guide, Release 12.4 including Protocol Independent Multicast (PIM), Internet Group Management
Cisco IOS IP Multicast Protocol (IGMP), Distance Vector Multicast Routing Protocol (DVMRP), and
Command Reference, Release 12.4 Multicast Source Discovery Protocol (MSDP). The command reference provides
detailed information about the commands used in the configuration guide.
Cisco IOS IP Routing Protocols The configuration guide is a task-oriented guide to configuring IP routing
Configuration Guide, Release 12.4 protocols, including Border Gateway Protocol (BGP), Intermediate
System-to-Intermediate System (ISIS), and Open Shortest Path First (OSPF).
Cisco IOS IP Routing Protocols
The command reference provides detailed information about the commands used
in the configuration guide.
Cisco IOS IP Switching The configuration guide is a task-oriented guide to configuring IP switching
Configuration Guide, Release 12.4 features, including Cisco Express Forwarding (CEF), fast switching, and
Cisco IOS IP Switching Multicast Distributed Switching (MDS). The command reference provides
Command Reference, Release 12.4 detailed information about the commands used in the configuration guide.
Cisco IOS IPv6 The configuration guide is a task-oriented guide to configuring IP version 6
Configuration Guide, Release 12.4 (IPv6), including IPv6 broadband access, IPv6 data-link layer, IPv6 multicast
routing, IPv6 quality of service (QoS), IPv6 routing, IPv6 services and
Cisco IOS IPv6
management, and IPv6 tunnel services. The command reference provides

viii OL-7614-01
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References (continued)

Security and VPN
Cisco IOS Security The configuration guide is a task-oriented guide to configuring various aspects of
Configuration Guide, Release 12.4 security features, including terminal access security, network access security,
Cisco IOS Security accounting, traffic filters, router access, and network data encryption with router
Command Reference, Release 12.4 authentication. The command reference provides detailed information about the
commands used in the configuration guide.
QoS
Cisco IOS Quality of Service Solutions The configuration guide is a task-oriented guide to configuring quality of service
Configuration Guide, Release 12.4 (QoS) features, including traffic classification and marking, traffic policing and
Cisco IOS Quality of Service Solutions shaping, congestion management, congestion avoidance, and signaling. The
Command Reference, Release 12.4 command reference provides detailed information about the commands used in
the configuration guide.
LAN Switching
Cisco IOS LAN Switching The configuration guide is a task-oriented guide to local-area network (LAN)
Configuration Guide, Release 12.4 switching features, including configuring routing between virtual LANs
(VLANs) using Inter-Switch Link (ISL) encapsulation, IEEE 802.10
Cisco IOS LAN Switching
encapsulation, and IEEE 802.1Q encapsulation. The command reference
provides detailed information about the commands used in the configuration
guide.
Multiprotocol Label Switching (MPLS)
Cisco IOS Multiprotocol Label Switching The configuration guide is a task-oriented guide to configuring Multiprotocol
Configuration Guide, Release 12.4 Label Switching (MPLS), including MPLS Label Distribution Protocol, MPLS
traffic engineering, and MPLS Virtual Private Networks (VPNs). The command
Cisco IOS Multiprotocol Label Switching
Network Management
Cisco IOS IP SLAs The configuration guide is a task-oriented guide to configuring the Cisco IOS IP
Monitoring Technology Service Level Assurances (IP SLAs) feature. The command reference provides
Configuration Guide, Release 12.4 detailed information about the commands used in the configuration guide.
Cisco IOS IP SLAs
Monitoring Technology
Cisco IOS NetFlow The configuration guide is a task-oriented guide to NetFlow features, including
Configuration Guide, Release 12.4 configuring NetFlow to analyze network traffic data, configuring NetFlow
Cisco IOS NetFlow aggregation caches and export features, and configuring Simple Network
Command Reference, Release 12.4 Management Protocol (SNMP) and NetFlow MIB features. The command

OL-7614-01 ix

Cisco IOS Network Management The configuration guide is a task-oriented guide to network management
Configuration Guide, Release 12.4 features, including performing basic system management, performing
Cisco IOS Network Management troubleshooting and fault management, configuring Cisco Discovery Protocol
Command Reference, Release 12.4 (CDP), configuring Cisco Networking Services (CNS), configuring
DistributedDirector, and configuring Simple Network Management Protocol
(SNMP). The command reference provides detailed information about the
Voice
Cisco IOS Voice The configuration library is a task-oriented collection of configuration guides
Configuration Library, Release 12.4 and other documents covering Cisco IOS support for voice call control protocols,
interoperability, physical and virtual interface management, troubleshooting, and
Cisco IOS Voice
other topics. In addition, the library includes documentation for IP telephony
applications related to Cisco IOS. The command reference provides detailed
information about the commands used in the configuration library.
Wireless / Mobility
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and configuring a
Gateway GPRS Support Node Cisco IOS Gateway GPRS Support Node (GGSN) in a 2.5G General Packet Radio
Configuration Guide, Release 12.4 Service (GPRS) and 3G Universal Mobile Telecommunication System (UMTS)
network. The command reference provides detailed information about the
Gateway GPRS Support Node
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and configuring the
Home Agent Cisco Mobile Wireless Home Agent, which is an anchor point for mobile terminals
Configuration Guide, Release 12.4 for which Mobile IP or Proxy Mobile IP services are provided. The command
Home Agent
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and configuring the
Packet Data Serving Node Cisco Packet Data Serving Node (PDSN), a wireless gateway between the mobile
Configuration Guide, Release 12.4 infrastructure and standard IP networks that enables packet data services in a Code
Division Multiple Access (CDMA) environment. The command reference provides
Packet Data Serving Node
Cisco IOS Mobile Wireless The configuration guide is a task-oriented guide to understanding and
Radio Access Networking configuring Cisco IOS Radio Access Network products. The command reference
Configuration Guide, Release 12.4 provides detailed information about the commands used in the configuration
Cisco IOS Mobile Wireless guide.
Radio Access Networking

x OL-7614-01

Long Reach Ethernet (LRE) and Digital Subscriber Line (xDSL)
Cisco IOS The configuration guide is a task-oriented guide to configuring broadband access
Broadband Access Aggregation and DSL aggregation and digital subscriber line features. The command reference
Configuration Guide, Release 12.4 provides detailed information about the commands used in the configuration
Cisco IOS guide.
Broadband Access Aggregation and DSL
Cisco IOS The configuration guide is a task-oriented guide to configuring Service Selection
Service Selection Gateway Gateway (SSG) features, including subscriber authentication, service access, and
Configuration Guide, Release 12.4 accounting. The command reference provides detailed information about the
Cisco IOS
Service Selection Gateway
Dial—Access
Cisco IOS Dial Technologies The configuration guide is a task-oriented guide to configuring lines, modems,
Configuration Guide, Release 12.4 and Integrated Services Digital Network (ISDN) services. This guide also
contains information about configuring dial-up solutions, including solutions for
Cisco IOS Dial Technologies
remote sites dialing in to a central office, Internet service providers (ISPs), ISP
customers at home offices, enterprise WAN system administrators implementing
dial-on-demand routing, and other corporate environments. The command
Asynchronous Transfer Mode (ATM)
Cisco IOS Asynchronous Transfer Mode The configuration guide is a task-oriented guide to configuring Asynchronous
Configuration Guide, Release 12.4 Transfer Mode (ATM), including WAN ATM, LAN ATM, and multiprotocol over
ATM (MPOA). The command reference provides detailed information about the
Cisco IOS Asynchronous Transfer Mode
WAN
Cisco IOS Wide-Area Networking The configuration guide is a task-oriented guide to configuring wide-area
Configuration Guide, Release 12.4 network (WAN) features, including Layer 2 Tunneling Protocol Version 3
(L2TPv3), Frame Relay, Link Access Procedure Balanced (LAPB), and X.25.
Cisco IOS Wide-Area Networking
System Management
Cisco IOS Configuration Fundamentals The configuration guide is a task-oriented guide to using Cisco IOS software to
Configuration Guide, Release 12.4 configure and maintain Cisco routers and access servers, including information
about using the Cisco IOS command-line interface (CLI), loading and
Cisco IOS Configuration Fundamentals
maintaining system images, using the Cisco IOS file system, using the Cisco IOS
Web browser user interface (UI), and configuring basic file transfer services. The
command reference provides detailed information about the commands used in
the configuration guide.

OL-7614-01 xi

Cisco IOS The configuration guide is a task-oriented guide to configuring and managing
Interface and Hardware Component interfaces and hardware components, including dial shelves, LAN interfaces,
Configuration Guide, Release 12.4 logical interfaces, serial interfaces, and virtual interfaces. The command
Cisco IOS reference provides detailed information about the commands used in the
Interface and Hardware Component configuration guide.
IBM Technologies
Cisco IOS Bridging The configuration guide is a task-oriented guide to configuring bridging features,
Configuration Guide, Release 12.4 including transparent and source-route transparent (SRT) bridging, source-route
bridging (SRB), Token Ring Inter-Switch Link (TRISL), and Token Ring Route
Cisco IOS Bridging
Switch Module (TRRSM). The command reference provides detailed
information about the commands used in the configuration guide.
Cisco IOS IBM Networking Configuration The configuration guide is a task-oriented guide to IBM networking including:
Guide, Release 12.4 data-link switching plus (DLSw+), serial tunnel (STUN), and block serial tunnel
Cisco IOS IBM Networking (BSTUN); Logical Link Control, type 2 (LLC2), and Synchronous Data Link
Command Reference, Release 12.4 Control (SDLC); IBM Network Media Translation, including SDLC Logical
Link Control (SDLLC) and Qualified Logical Link Control (QLLC); downstream
physical unit (DSPU), Systems Network Architecture (SNA) service point, SNA
Frame Relay Access, Advanced Peer-to-Peer Networking (APPN), native client
interface architecture (NCIA) client/server topologies, and IBM Channel Attach.
Additional and Legacy Protocols
Cisco IOS AppleTalk The configuration guide is a task-oriented guide to configuring the AppleTalk
Configuration Guide, Release 12.4 protocol. The command reference provides detailed information about the
Cisco IOS AppleTalk
Cisco IOS DECnet The configuration guide is a task-oriented guide to configuring the DECnet
Configuration Guide, Release 12.4 protocol. The command reference provides detailed information about the
Cisco IOS DECnet
Cisco IOS ISO CLNS The configuration guide is a task-oriented guide to configuring International
Configuration Guide, Release 12.4 Organization for Standardization (ISO) Connectionless Network Service
Cisco IOS ISO CLNS (CLNS). The command reference provides detailed information about the
Command Reference, Release 12.4 commands used in the configuration guide.
Cisco IOS Novell IPX The configuration guide is a task-oriented guide to configuring the Novell
Configuration Guide, Release 12.4 Internetwork Packet Exchange (IPX) protocol. The command reference provides
Cisco IOS Novell IPX detailed information about the commands used in the configuration guide.
Cisco IOS Terminal Services The configuration guide is a task-oriented guide to configuring terminal services,
Configuration Guide, Release 12.4 including DEC, local-area transport (LAT), and X.25 packet
assembler/dissembler (PAD). The command reference provides detailed
Cisco IOS Terminal Services
information about the commands used in the configuration guide.

xii OL-7614-01
Document Conventions
Table 2 lists the documents and resources that support the Cisco IOS Release 12.4 software
configuration guides and command references.
Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources
Document Title Description

Cisco IOS Master Commands List, An alphabetical listing of all the commands documented in the Cisco IOS
Release 12.4 Release 12.4 command references.
Cisco IOS New, Modified, Removed, A listing of all the new, modified, removed, and replaced commands for Cisco IOS
and Replaced Commands, Release Release 12.3T, grouped by maintenance release and ordered alphabetically within
12.3T each group.
Cisco IOS New and Modified A listing of all the new, modified, removed, and replaced commands for Cisco IOS
Commands, Releases 12.2T and 12.3(1) Releases 12.2T and 12.3(1), grouped by maintenance release and ordered
alphabetically within each group.
New Features in Cisco IOS Release 12.4 An alphabetical listing of the Cisco IOS Release 12.4 features that are new since
Cisco IOS Release 12.3 and links to the feature module documentation.
Cisco IOS System Messages, These publications list and describe Cisco IOS system messages. Not all system
Volume 1 of 2 messages indicate problems with your system. Some are purely informational, and
Cisco IOS System Messages, others may help diagnose problems with communications lines, internal hardware,
Volume 2 of 2 or the system software.
Cisco IOS Debug Command Reference, This publication contains an alphabetical listing of the debug commands and their
Release 12.4 descriptions. Documentation for each command includes a brief description of its
use, command syntax, and usage guidelines.
Dictionary of Internetworking Terms This publication compiles and defines the terms and acronyms used in the
and Acronyms internetworking industry.
Release notes documentation This documentation describes system requirements, provides information about
new and changed features, and includes other useful information about specific
software releases.
Caveats documentation This documentation provides information about Cisco IOS software defects in
specific software releases.
RFCs RFCs are standards documents maintained by the Internet Engineering Task Force
(IETF). Cisco IOS software documentation references supported RFCs when
applicable. The full text of referenced RFCs may be obtained at the following URL:
http://www.rfc-editor.org/
MIBs MIBs are used for network monitoring. To locate and download MIBs for selected
platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the
following URL:
http://www.cisco.com/go/mibs
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.

OL-7614-01 xiii
The Cisco IOS documentation set uses the following conventions:
Convention Description
^ or Ctrl The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D
means hold down the Control key while you press the D key. Keys are indicated in capital letters but
are not case sensitive.
string A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP
community string to public, do not use quotation marks around the string or the string will include the
quotation marks.
Command syntax descriptions use the following conventions:
bold Bold text indicates commands and keywords that you enter literally as shown.
italics Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional element (keyword or argument).
| A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional
choice.
{x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
Nested sets of square brackets or braces indicate optional or required choices within optional or required
elements. For example:
[x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element.
Examples use the following conventions:
screen Examples of information displayed on the screen are set in Courier font.
bold screen Examples of text that you must enter are set in Courier bold font.
< > Angle brackets enclose text that is not printed to the screen, such as passwords, and are used in
contexts in which the italic document convention is not available, such as ASCII text.
! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also
displayed by the Cisco IOS software for certain processes.)
[ ] Square brackets enclose default responses to system prompts.

xiv OL-7614-01
Obtaining Documentation
The following conventions are used to attract the attention of the reader:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which
may have shipped with your product. The Documentation DVD is updated regularly and may be more
current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product
number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/

OL-7614-01 xv
Documentation Feedback
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in
North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can provide documentation comments online, or you can send comments about technical
documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

xvi OL-7614-01
Obtaining Technical Assistance
Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them,
and we strive to correct all vulnerabilities quickly. If you think that you might have identified a
vulnerability in a Cisco product, contact PSIRT:
• Emergencies — security-alert@cisco.com
• Nonemergencies — psirt@cisco.com
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is comparable with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302
• 1 408 525-6532

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco
Technical Support provides award-winning 24-hour-a-day technical assistance. The Cisco Technical
Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical
Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service
contract, contact your reseller.
Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. The website is available 24 hours a day,
365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support
Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID

OL-7614-01 xvii
or model name; by tree view; or, for certain products, by copying and pasting show command output.
Search results show an illustration of your product with the serial number label location highlighted.
Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.

xviii OL-7614-01
Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online
and printed sources:
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit
Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training, and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
• iQ Magazine is a quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html

OL-7614-01 xix

xx OL-7614-01
Using Cisco IOS Software for Release 12.4
This chapter provides helpful tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes, page xxi
• Getting Help, page xxii
• Using the no and default Forms of Commands, page xxv
• Saving Configuration Changes, page xxvi
• Filtering Output from the show and more Commands, page xxvi
• Finding Additional Feature Support Information, page xxvii
For an overview of Cisco IOS software configuration, see the Cisco IOS Configuration Fundamentals
Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the “About
Cisco IOS Software Documentation for Release 12.4” chapter.
Understanding Command Modes

You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes,
the commands available to you at any given time depend on the mode that you are currently in. Entering
a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each
command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited
subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally
by using a password. From privileged EXEC mode you can issue any EXEC command—user or
privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time
commands. For example, show commands show important status information, and clear commands
clear counters or interfaces. The EXEC commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the
running configuration to the startup configuration, these changed commands are stored when the
software is rebooted. To enter specific configuration modes, you must start at global configuration mode.
From global configuration mode, you can enter interface configuration mode and a variety of other
modes, such as protocol-specific modes.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode.

OL-7614-01 xxi
Getting Help
Table 3 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.
Table 3 Accessing and Exiting Command Modes
Command
Mode Access Method Prompt Exit Method
User EXEC Log in. Router> Use the logout command.
Privileged From user EXEC mode, Router# To return to user EXEC mode, use the disable
EXEC use the enable command. command.
Global From privileged EXEC Router(config)# To return to privileged EXEC mode from global
configuration mode, use the configure configuration mode, use the exit or end command.
terminal command.
Interface From global Router(config-if)# To return to global configuration mode, use the exit
configuration configuration mode, command.
specify an interface using
To return to privileged EXEC mode, use the end
an interface command.
command.
ROM monitor From privileged EXEC > To exit ROM monitor mode, use the continue
mode, use the reload command.
command. Press the
Break key during the
first 60 seconds while the
system is booting.
For more information on command modes, see the “Using the Cisco IOS Command-Line Interface”
chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Command Purpose
help Provides a brief description of the help system in any command mode.
abbreviated-command-entry? Provides a list of commands that begin with a particular character string. (No space
between command and question mark.)
abbreviated-command-entry<Tab> Completes a partial command name.
? Lists all commands available for a particular command mode.
command ? Lists the keywords or arguments that you must enter next on the command line.
(Space between command and question mark.)

xxii OL-7614-01
Getting Help
Example: How to Find Command Options

This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter
a question mark (?) at the configuration prompt or after entering part of a command followed by a space.
The Cisco IOS software displays a list and brief description of available keywords and arguments. For
example, if you were in global configuration mode and wanted to see all the keywords or arguments for
the arap command, you would type arap ?.
The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage
return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The
<cr> symbol at the end of command help output indicates that you have the option to press Enter to
complete the command and that the arguments and keywords in the list preceding the <cr> symbol are
optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that
you must press Enter to complete the command.
Table 4 shows examples of how you can use the question mark (?) to assist you in entering commands.
The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that
is running Cisco IOS Release 12.0(3).
Table 4 How to Find Command Options
Command Comment
Router> enable Enter the enable command and
Password: <password> password to access privileged EXEC
Router#
commands. You are in privileged
EXEC mode when the prompt changes
to Router#.
Router# configure terminal Enter the configure terminal
Enter configuration commands, one per line. End with CNTL/Z. privileged EXEC command to enter
Router(config)#
global configuration mode. You are in
global configuration mode when the
prompt changes to Router(config)#.
Router(config)# interface serial ? Enter interface configuration mode by
<0-6> Serial interface number specifying the serial interface that you
Router(config)# interface serial 4 ?
/
want to configure using the interface
Router(config)# interface serial 4/ ? serial global configuration command.
<0-3> Serial interface number
Enter ? to display what you must enter
Router(config)# interface serial 4/0 ?
<cr> next on the command line. In this
Router(config)# interface serial 4/0 example, you must enter the serial
Router(config-if)# interface slot number and port number,
separated by a forward slash.
When the <cr> symbol is displayed,
you can press Enter to complete the
command.
You are in interface configuration mode
when the prompt changes to
Router(config-if)#.

OL-7614-01 xxiii
Getting Help
Table 4 How to Find Command Options (continued)
Command Comment
Router(config-if)# ? Enter ? to display a list of all the
Interface configuration commands: interface configuration commands
.
.
available for the serial interface. This
. example shows only some of the
ip Interface Internet Protocol config commands available interface configuration
keepalive Enable keepalive commands.
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an
interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable
name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Router(config-if)# ip ? Enter the command that you want to
Interface IP configuration subcommands: configure for the interface. This
access-group Specify access control for packets
accounting Enable IP accounting on this interface
example uses the ip command.
address Set the IP address of an interface Enter ? to display what you must enter
authentication authentication subcommands
next on the command line. This
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface example shows only some of the
cgmp Enable/disable CGMP available interface IP configuration
directed-broadcast Enable forwarding of directed broadcasts commands.
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip

xxiv OL-7614-01
Using the no and default Forms of Commands
Table 4 How to Find Command Options (continued)
Command Comment
Router(config-if)# ip address ? Enter the command that you want to
A.B.C.D IP address configure for the interface. This
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
example uses the ip address command.
next on the command line. In this
example, you must enter an IP address
or the negotiated keyword.
A carriage return (<cr>) is not
displayed; therefore, you must enter
additional keywords or arguments to
complete the command.
Router(config-if)# ip address 172.16.0.1 ? Enter the keyword or argument that you
A.B.C.D IP subnet mask want to use. This example uses the
Router(config-if)# ip address 172.16.0.1
172.16.0.1 IP address.
example, you must enter an IP subnet
mask.
A <cr> is not displayed; therefore, you
must enter additional keywords or
arguments to complete the command.
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ? Enter the IP subnet mask. This example
secondary Make this IP address a secondary address uses the 255.255.255.0 IP subnet mask.
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0 Enter ? to display what you must enter
example, you can enter the secondary
keyword, or you can press Enter.
A <cr> is displayed; you can press
Enter to complete the command, or
you can enter another keyword.
Router(config-if)# ip address 172.16.0.1 255.255.255.0 In this example, Enter is pressed to
Router(config-if)# complete the command.
Using the no and default Forms of Commands

Almost every configuration command has a no form. In general, use the no form to disable a function.
Use the command without the no keyword to reenable a disabled function or to enable a function that is
disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip
routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software
command reference publications provide the complete syntax for the configuration commands and
describe what the no form of a command does.
Configuration commands can also have a default form, which returns the command settings to the
default values. Most commands are disabled by default, so in such cases using the default form has the
same result as using the no form of the command. However, some commands are enabled by default and

OL-7614-01 xxv
Saving Configuration Changes
have variables set to certain default values. In these cases, the default form of the command enables the
command and sets the variables to their default values. The Cisco IOS software command reference
publications describe the effect of the default form of a command if the command functions differently
than the no form.
Saving Configuration Changes

Use the copy system:running-config nvram:startup-config command or the copy running-config
startup-config command to save your configuration changes to the startup configuration so that the
changes will not be lost if the software reloads or a power outage occurs. For example:
Router# copy system:running-config nvram:startup-config
Building configuration...
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
Filtering Output from the show and more Commands

You can search and filter the output of show and more commands. This functionality is useful if you
need to sort through large amounts of output or if you want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the
keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the
expression is case-sensitive):
command | {begin | include | exclude} regular-expression
The output matches certain lines of information in the configuration file. The following example
illustrates how to use output modifiers with the show interface command when you want the output to
include only lines in which the expression “protocol” appears:
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up

Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
For more information on the search and filter functionality, see the “Using the Cisco IOS Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.

xxvi OL-7614-01
Finding Additional Feature Support Information

If you want to use a specific Cisco IOS software feature, you will need to determine in which Cisco IOS
software images that feature is supported. Feature support in Cisco IOS software images is dependant
on three main factors: the software version (called the “Release”), the hardware model (the “Platform”
or “Series”), and the “Feature Set” (collection of specific features designed for a certain network
environment). Although the Cisco IOS software documentation set documents feature support
information for Release 12.4 as a whole, it does not generally provide specific hardware and feature set
information.
To determine the correct combination of Release (software version), Platform (hardware version), and
Feature Set needed to run a particular feature (or any combination of features), use Feature Navigator.
Feature Navigator is a web-based tool available on Cisco.com at http://www.cisco.com/go/fn. Feature
Navigator is available only for registered users of Cisco.com. If you do not have an account or have
forgotten your username or password, click Cancel at the login dialog box and follow the instructions
that appear.
Software features may also have additional limitations or restrictions. For example, a minimum amount
of system memory may be required. Or there may be known issues for features on certain platforms that
have not yet been resolved (called “Caveats”). For the latest information about these limitations, see the
release notes for the appropriate Cisco IOS software release. Release notes provide detailed installation
instructions, new feature descriptions, system requirements, limitations and restrictions, caveats, and
troubleshooting information for a particular software release.

OL-7614-01 xxvii

xxviii OL-7614-01
C H A P T E R 1
Cisco Mobile Wireless Home Agent
This chapter describes the Cisco Mobile Wireless Home Agent. It includes information on the features
and functions of the product, features, benefits, restrictions and supported platforms.
This document includes the following sections:
• Feature Overview, page 1-1
• System Overview, page 1-2
• Cisco Home Agent Network, page 1-3
• Packet Data Services, page 1-4
• Features, page 1-7
• Benefits, page 1-8
• Restrictions, page 1-18
• Supported Platforms, page 1-19
• Supported Standards, MIBs, and RFCs, page 1-20
Feature Overview
Cisco’s Mobile Wireless Packet Data Solution includes the Packet Data Serving Node (PDSN) with
foreign agent functionality (FA), the Cisco Mobile Wireless Home Agent (HA), AAA servers, and
several other security products and features. The solution is standards compliant, and is designed to meet
the needs of mobile wireless industry as it transitions towards third-generation cellular data services.
The Home Agent is the anchor point for mobile terminals for which MobileIP or Proxy MobileIP
services are provided. Traffic sent to the terminal is routed via the Home Agent. With reverse tunneling,
traffic from the terminal is also routed via the Home Agent.
A PDSN provides access to the Internet, intranets, and Wireless Application Protocol (WAP) servers for
mobile stations using a Code Division Multiple Access 2000 (CDMA2000) Radio Access Network
(RAN). The Cisco PDSN is a Cisco IOS software feature that runs on Cisco 7200 routers, Catalyst 6500
switches, and Cisco 7600 Internet Routers, and acts as an access gateway for Simple IP and Mobile IP
stations. It provides foreign agent (FA) support and packet transport for virtual private networking
(VPN). It also acts as an Authentication, Authorization, and Accounting (AAA) client.
The Cisco PDSN, and the Cisco Home Agent support all relevant 3GPP2 standards, including those that
define the overall structure of a CDMA2000 network, and the interfaces between radio components, the
Home Agent, and the PDSN.

OL-7614-01 1-1
Chapter 1 Cisco Mobile Wireless Home Agent
Feature Overview
System Overview
CDMA is one of the standards for mobile communication. A typical CDMA2000 network includes
terminal equipment, mobile termination, base transceiver stations (BTSs), base station controllers
(BSCs), PDSNs, and other CDMA network and data network entities. The PDSN is the interface between
a BSC and a network router.
Figure 1 illustrates the relationship of the components of a typical CDMA2000 network, including a
PDSN and a Home Agent. In this illustration, a roaming mobile station user is receiving data services
from a visited access provider network, rather than from the mobile station user’s subscribed access
provider network.
Figure 1 The CDMA Network
Subscribed Access Provider Network Broker Network
AAA
BTS
BSC IP Broker
PCF Network AAA
RAN PDSN
R-P Interface IP
Network
Visited Access Provider Network Home ISP or Corporate

Private Network
Visited
BTS
AAA
Home AAA
Server
Mobile station
BSC IP Home Agent
PCF Network
42689
RAN PDSN
R-P Interface
As the illustration shows, the mobile station, which must support either Simple IP or Mobile IP, connects
to a radio tower and BTS. The BTS connects to a BSC, which contains a component called the Packet
Control Function (PCF). The PCF communicates with the Cisco PDSN through an A10/A11 interface.
The A10 interface is for user data and the A11 interface is for control messages. This interface is also
known as the RAN-to-PDSN (R-P) interface. For the Cisco Home Agent Release 1.2, you must use a
Fast Ethernet (FE) interface as the R-P interface on the 7200 platform, and a Giga Ethernet (GE)
interface on the MWAM platform.
The IP networking between the PDSN and external data networks is through the
PDSN-to-intranet/Internet (Pi) interface. For the Cisco Home Agent Release 1.2, you can use either an
FE or GE interface as the Pi interface.
For “back office” connectivity, such as connections to a AAA server, the interface is media independent.
Any of the interfaces supported on the Cisco 7206 can be used to connect to these types of services, but
Cisco recommends that you use either an FE or GE interface as the Pi interface.

1-2 OL-7614-01
Feature Overview
Cisco Home Agent Network

Figure 2 illustrates the functional elements in a typical CDMA2000 packet data system, and Cisco
products that are currently available to support this solution. The Home Agent, in conjunction with the
PDSN/Foreign Agent, allows a mobile station with Mobile IP client function, to access the internet or
corporate intranet using Mobile IP-based service access. Mobile IP extends user mobility beyond the
coverage area of the current, serving PDSN/Foreign Agent. If another PDSN is allocated to the
call(following a handoff), the target PDSN performs a Mobile IP registration with the Home Agent; this
ensures that the same home address is allocated to the mobile. Additionally, clients without a Mobile IP
client can also make use of these services by using the Proxy Mobile IP capability provided by the PDSN
The Home Agent, then, is the anchor point for mobile terminals for which MobileIP or Proxy MobileIP
services are provided. Traffic is routed via the home agent, and the home agent also provides Proxy ARP
services. In the case of reverse tunneling, traffic from the terminal is also routed via the Home Agent.
Figure 2 Cisco Products for CDMA2000 Packet Data Services Solution
Visited access provider network Prepaid

billing server
RADIUS RADIUS
Home
IP network
IP network RADIUS
Broker network
RP interface MOBILE IP
HA
MS PDSN
RN Home IP network,
(BSC/PCF) private network,
home access
provider network
81107
For Mobile IP services, the Home Agent would typically be located within an ISP network, or within a
corporate domain. However, many ISPs and/or corporate entities may not be ready to provision Home
Agents by the time service providers begin rollout of third-generation packet data services. As a remedy,
Access service providers could provision Home Agents within their own domains, and then forward
packets to ISPs or corporate domains via VPDN services. Figure 3 illustrates the functional elements
that are necessary to support Mobile IP-based service access when the Home Agent is located in the
service provider domain.

OL-7614-01 1-3
Feature Overview
Figure 3 Cisco Mobile IP Based Service Access With Home Agent in Service Provider Network
Visited access provider network VLR CS Access

provider network
SS7
Network
MCS HLR
Cisco access register

AAA server
Visited Home AAA AAA broker
AAA home IP network network
Mobile BSC,
station BTS PCF
Radio Access Network (RAN)

R-P
IP
Interface Firewall
Network HA
A10/A11
MIP/GRE
PDSN/FA
Home ISP
private network
home provider
CiscoWorks
2000 CNR network
network register
81104
management DNS/DHCP
For Mobile IP and Proxy-Mobile IP types of access, these solutions allow a mobile user to roam within
and beyond it’s service provider boundaries, while always being reachable and addressable via the IP
address assigned on initial session establishment. Details of Mobile IP and Proxy Mobile IP Services can
be found in Packet Data Services.
Packet Data Services

In the context of a CDMA2000 network, the Cisco Home Agent supports two types of packet data
services: Mobile-IP and Proxy Mobile-IP services. From the perspective of the Cisco Home Agent, these
services are identical.
Cisco Mobile IP Service

With Mobile IP, the mobile station can roam beyond the coverage area of a given PDSN and still maintain
the same IP address and application-level connections.

1-4 OL-7614-01
Feature Overview
Figure 4 shows the placement of the Cisco Home Agent in a Mobile IP scenario.
Figure 4 CDMA Network —Mobile IP Scenario
Visitor Home Access

Location Provider Network
Register
SS7
(VLR) HLR
network
Home IP Network
RADIUS
RADIUS
IP
network
Broker Network
R-P
Interface
RADIUS
Mobile station PDSN

RAN
Home IP Network,
Private Network,
Home Access
Provider Network
HA
Visited Access
42690
Provider Network
The communication process occurs in the following order:

1. The mobile station registers with its Home Agent (HA) through a FA. In the context of the
CDMA2000 network, the FA is the Cisco PDSN.
2. The Cisco HA accepts the registration, assigns an IP address to the mobile station, and creates a
tunnel to the FA. The resulting configuration is a PPP link between the mobile station and the FA
(or PDSN), and an IP-in-IP or GRE tunnel between the FA and the HA.
As part of the registration process, the Cisco HA creates a binding table entry to associate the mobile
station’s home address with its care of address.

OL-7614-01 1-5
Feature Overview
Note While away from home (from the HA’s perspective), the mobile station is associated with a
care-of address. This address identifies the mobile station’s current, topological point of
attachment to the Internet, and is used to route packets to the mobile station. Either a foreign
agent’s address, or an address obtained by the mobile station for use while it is present on a
particular network, is used as the care-of address. In the case of the Cisco Home Agent, the
Care-of-Address is always an address of the Foreign Agent.
3. The HA advertises network reachability to the mobile station, and tunnels datagrams to the mobile
station at its current location.
4. The mobile station sends packets with its home address as the source IP address.
5. Packets destined for the mobile station go through the HA, which tunnels them to the PDSN. From
there they are sent to the mobile station using the care-of address. This scenario also applies to
reverse tunneling, which allows traffic moving from the mobile to the network to pass through the
Home Agent.
6. When the PPP link is handed off to a new PDSN, the link is re-negotiated and the Mobile IP
registration is renewed.
7. The HA updates its binding table with the new care-of address.
Note For more information about Mobile IP, refer to the Cisco IOS Release 12.2 documentation modules
Cisco IOS IP Configuration Guide and Cisco IOS IP Command Reference. RFC 2002 describes the
specification in detail. TIA/EIA/IS-835-B also defines how Mobile IP is realized in the Home Agent.
Cisco Proxy Mobile IP Service

Currently, there is a lack of commercially-available Mobile IP client software. Conversely, PPP, which
is widely used to connect to an Internet Service Provider (ISP), is ubiquitous in IP devices. As an
alternative to Mobile IP, you can use Cisco’s proxy Mobile IP feature. This capability of the Cisco
PDSN, which is integrated with PPP, enables the PDSN, functioning as a Foreign Agent, and a Mobile
IP client, to provide mobility to authenticated PPP users.
The communication process occurs in the following order:
1. The Cisco PDSN (acting as an FA) collects and sends mobile station authentication information to
the AAA server (specifically, PPP authentication information).
2. If the mobile station is successfully authorized to use Cisco PDSN Proxy Mobile IP service, the
AAA server returns the registration data and an HA address.
3. The FA uses this information, and other data, to generate a Registration Request (RRQ) on behalf
of the mobile station, and sends it to the Cisco HA.
4. If the registration is successful, the Cisco HA sends a registration reply (RRP) that contains an IP
address to the FA.
5. The FA assigns the IP address (received in the RRP) to the mobile station, using IPCP.
6. A tunnel is established between the Cisco HA and the FA/PDSN. If reverse tunneling is enabled, the
tunnel carries traffic to and from the mobile station.
Note The PDSN takes care of all Mobile IP re-registrations on behalf of the Proxy-MIP client.

1-6 OL-7614-01
Features
Features
This section describes the following key features of the Cisco PDSN/HA:
• Dynamic Home Agent Assignment, page 1-9
• Home Agent Redundancy, page 1-10
• Home Address Assignment, page 1-13
• 3 DES Encryption, page 1-14
• Mobile IP IPSec, page 1-14
• User Profiles, page 1-16
• Mobility Binding Association, page 1-17
• User Authentication and Authorization, page 1-17
• HA Binding Update, page 1-18
• Packet Filtering, page 1-18
• Packet Filtering, page 1-18
• Security, page 1-18
Feature Support
In addition to supporting Cisco IOS networking features, a Cisco 7200 router, 6500 switch, or 7600
router, configured as a Home Agent, supports the following Home Agent-specific features:
• Support for static IP Addresses assignment
– Public IP addresses
– Private IP addresses
• Support for dynamic IP Addresses assignment
– Public IP addresses
– Private IP addresses
• Multiple flows for different NAIs using static or dynamic addresses
• Multiple flows for the same NAI using different static addresses
• Foreign Agent Challenge extensions in RFC 3012 - bis 03
– Mobile IP Agent Advertisement Challenge Extension
– MN-FA Challenge Extension
– Generalized Mobile IP Authentication Extension, which specifies the format for the MN-AAA
Authentication Extension
• Mobile IP Extensions specified in RFC 2002
– MN-HA Authentication Extension
– FA-HA Authentication Extension
• Reverse Tunneling, RFC 2344
• Mobile NAI Extension, RFC 2794

OL-7614-01 1-7
Features
• Multiple tunneling Modes between FA and HA

– IP-in-IP Encapsulation, RFC 2003
– Generic Route Encapsulation, RFC 2784
• Binding Update message for managing stale bindings
• Home Agent redundancy support
• Mobile IP Extensions specified in RFC 3220
– Authentication requiring the use of SPI. section 3.2
• Support for Packet Filtering
– Input access lists
– Output access lists
• Support for proxy and gratuitous ARP
• Mobile IP registration replay protection using timestamps. Nonce-based replay protection is not
supported
Benefits
The following list identifies some of the key benefits that the Cisco Home Agent provides:
• Supports static and dynamic IP address allocation.
• Attracts, intercepts and tunnels datagrams for delivery to the MS.
• Receives tunneled datagrams from the MS (through the FA), un-encapsulates them, and delivers
them to the Corresponding Node (CN).
Note Depending on the configuration, reverse tunneling may, or may not, be used by the MS, and
may or may not be accepted by the HA.
• Presents a unique routable address to the network.

• Supports ingress and egress filtering.
• Maintains binding information for each registered MS containing an association of CoA with home
address, NAI, and security key(s) together with the lifetime of that association.
• Receives and processes registration renewal requests within the bounds of the Mobile IP registration
lifetime timer, either from the MS (via the FA in the Mobile IP case), or from the FA (in the Proxy
Mobile IP case).
• Receives and processes de-registration requests either from the MS (via the FA in the Mobile IP
case), or from the FA (in the Proxy Mobile IP case).
• Maintains a subscriber database that is stored locally or retrieved from an external source.
• Sends a binding update to the source PDSN under hand-off conditions when suitably configured.
• Supports dynamic HA assignment.

1-8 OL-7614-01
The Home Agent
The Home Agent

The Home Agent (HA) maintains mobile user registrations and tunnels packets destined for the mobile
to the PDSN/FA. It supports reverse tunneling, and can securely tunnel packets to the PDSN using IPSec.
Broadcast packets are not tunneled. Additionally, the HA performs dynamic home address assignment
for the mobile. Home address assignment can be from address pools configured locally, through either
DHCP server access, or from the AAA server.
The Cisco HA supports proxy Mobile IP functionality, and is available on the 7600, 7200, and 6500
series platforms. A 7200-based Cisco HA supports up to 262,000 mobile bindings, can process 100
bindings per second, and is RFC 2002, 2003, 2005 and 2006 compliant.
A 7600 or 6500-based Cisco HA with 2 MWAM cards housing 5 active HA images and 5 standby images,
would support the above figures multiplied by 5.
For more information on Mobile IP as it relates to Home Agent configuration tasks, please refer to the
following url:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/mobileip.htm.
Dynamic Home Agent Assignment

The Home Agent can be dynamically assigned in a CDMA2000 network when the following
qualifications exist.
The first qualification is that the Home Agent receives a mobile IP Registration Request with a value of
0.0.0.0 in the “Home Agent” field. Upon authentication/authorization, the PDSN retrieves the HA’s IP
address. The PDSN then uses this address to forward the Registration Request to the HA, but does not
update the actual HA address field in the Registration Request.
The Home Agent sends a Registration Reply, and places it’s own IP address in the “Home Agent” field.
At this point, any re-registration request that are received would contain the Home Agent’s IP address in
the “Home Agent” field.
The second qualification is a function of the PDSN/Foreign Agent, and is included here for
completeness. In this case, a AAA server is used to perform the dynamic Home Agent assignment
function. Depending on network topology, either the local-AAA, or the home-AAA server would
perform this function. When an access service provider is also serving as an ISP, Home Agents would
be located in the access provider network. In this service scenario, a local-AAA server would perform
Home Agent assignment function. Based on the user NAI received in the access request message, the
AAA server would return a elected Home Agent’s address in an access reply message to the PDSN.
A pool of Home Agent addresses is typically configured at the AAA server. For the access provider
serving as an ISP, multiple pools of Home Agents could be configured at the local AAA server; however,
this depends on SLAs with the domains for which Mobile IP, or proxy-Mobile IP services are supported.
You can configure the Home Agent selection procedure at the AAA server, using either a round-robin or
a hashing algorithm over user NAI selection criteria.
The PDSN/Foreign Agent sends the Registration Request to the Home Agent; however, there is no IP
address in the HA field of the MIP RRQ (it is 0.0.0.0). When the PDSN retrieves the IP address from
AAA, it does not update the MIP RRQ; instead, it forwards the RRQ to the HA address retrieved. The
PDSN cannot alter the MIP RRQ because it does not know the MN-HA SPI, and key value (which
contains the IP address of the Home Agent in the “Home Agent” field). Depending on network topology,
either the local-AAA, or the home-AAA server would perform this function. In situations where the
Home Agents are located in the access provider network, the local-AAA server would perform Home

OL-7614-01 1-9
The Home Agent
Agent assignment function. Additionally, multiple pools of Home Agents could be configured at the
local-AAA server, depending on SLAs with the domains for which Mobile IP or proxy-Mobile IP
services are supported.
Home Agent Redundancy

Cisco Home Agents can be configured to provide 1:1 redundancy. Two Home Agents are configured in
hot-standby mode, based on Cisco Hot Standby Routing Protocol (HSRP in RFC 2281. NAI support in
the Mobile IP HA Redundancy feature provides CDMA2000 specific capabilities for Home Agent
redundancy. The CDMA2000 framework requires address assignment based on NAI, and support of
multiple static IP addresses per user NAI.). This enables the active Home Agent to continually copy
mobile session-related information to the standby Home Agent, and maintains synchronized state
information at both Home Agents. In case an active Home Agent fails, the standby home agent takes over
without service disruption.
During the Mobile IP registration process, an HA creates a mobility binding table that maps the home
IP address of an MN to the current care-of address of the MN. If the HA fails, the mobility binding table
will be lost and all MNs registered with the HA will lose their connectivity. To reduce the impact of an
HA failure, Cisco IOS software supports the HA redundancy feature.
Note On 7600 or 6500-based configurations, the backup Home Agent image is configured on a different
MWAM card to the primary.
The functionality of HA redundancy runs on top of the Hot Standby Router Protocol (HSRP). HSRP is
a protocol developed by Cisco that provides network redundancy in a way that ensures that user traffic
will immediately and transparently recover from failures.
HSRP Groups
Before configuring HA redundancy, you must understand the concept of HSRP groups.
An HSRP group is composed of two or more routers that share an IP address and a MAC (Layer 2)
address and act as a single virtual router. For example, your Mobile IP topology can include one active
HA and one or more standby HAs that the rest of the topology view as a single virtual HA.
You must define certain HSRP group attributes on the interfaces of the HAs so that Mobile IP can
implement the redundancy. You can use the groups to provide redundancy for MNs with a home link on
either the interface of the group (a physical network) or on virtual networks. Virtual networks are logical
circuits that are programmed and share a common physical infrastructure.
How HA Redundancy Works

The HA redundancy feature enables you to configure an active HA and one or more standby HAs. The
HAs in a redundancy group may be configured in an Active HA-Standby HA role if the HAs are
supporting physical networks, or in a Peer HA-Peer HA role if they are supporting virtual networks.
In the first case, the Active HA assumes the lead HA role, and synchronizes the Standby HA. In the case
of virtual network support, Peer HAs share the lead HA role and “update” each other. The Peer HA
configuration allows for load balancing of the incoming RRQs, as either HA may receive RRQs. In either
scenario, the HAs participating in the redundancy group should be configured similarly. The current
support structure is 1 to1 to provide the maximum robustness and transparency in failover.

1-10 OL-7614-01
The Home Agent
HA functionality is a service provided by the router and is not interface specific. Therefore, the HA and
the MN must agree on which HA interface the MN should send its registration requests, and conversely,
on which HA interface the HA should receive the registration requests. This agreement must factor in
the following two scenarios:
• An MN that has an HA interface (HA IP address) that is not on the same subnet as the MN.
• An MN that requires the HA interface to be on the same subnet as the MN, that is, the HA and the
MN must be on the same home network.
For MNs on physical networks, an active HA accepts registration requests from the MN and sends
binding updates to the standby HA. This process keeps the mobility binding table on the active and
standby HAs synchronized.
For MNs on virtual networks, the active and standby HAs are peers—either HA can handle registration
requests from the MN and update the mobility binding table on the peer HA.
When a standby HA comes up, it must request all mobility binding information from the active HA. The
active HA responds by downloading the mobility binding table to the standby HA. The standby HA
acknowledges that it has received the requested binding information. Figure 5 illustrates an active HA
downloading the mobility bindings to a standby HA. A main concern in this stage of the process is which
HA IP interface the standby HA should use to retrieve the appropriate mobility binding table, and on
which interface of the standby HA the binding request should be sent.
Figure 5 Overview of HA Redundancy and Mobility Binding Process
Active Active
home home
agent agent
Binding
info
reply
Binding Binding update Binding Binding info

update acknowledgment info request reply acknowledgment
Standby Standby
home home
agent agent
(a) Updating binding information (b) Downloading mobility

39271
after registration Binding tables
Note The Active HA-Standby HA can also be in Peer HA-Peer HA configuration.

OL-7614-01 1-11
The Home Agent
Physical Network Support

For MNs on physical networks, the HAs are configured in the Active HA-Standby HA configurations as
shown in Figure 6 and Figure 7. The MNs that are supported on this physical network are configured
with the HSRP virtual group address as the HA address. Hence, only the Active HA can accept RRQs
from the MN since it is the 'owner' of the HSRP virtual group address. Upon receipt of an authenticated
RRQ, the Active HA sends a Binding Update to the Standby HA.
HA Redundancy for physical networks can support multiple HAs in the redundancy group, although only
one HA can be in Active state and only one HA can be in Standby state. For example, consider the
scenario where there are four HAs in the redundancy group (one Active HA, one Standby HA, and two
HAs in Listen state). If the Active HA fails, the Standby HA becomes the Active HA, and the HA in
Listen state with higher priority becomes the Standby HA.
Figure 6 Virtual Network Support Using One Physical Network (Peer HA-Peer HA)
Active
HA1
1.0.0.1
Virtual
networks
HSRP Loopback
group interface
Router address
1.0.0.2
Standby
Internet HA2
Physical
home
network
44138
Foreign
agent

1-12 OL-7614-01
The Home Agent
Figure 7 Virtual Network Support Using Multiple Physical Networks (Peer HA-Peer HA)
Active
HA1
Virtual
networks
Loopback
HSRP HSRP interface
Router group group
address 1 address 2
42304
Standby
Internet HA2
Home Home
network 1 network 2
Foreign
agent
Home Address Assignment

The Home Agent assigns a home address to the mobile based on user NAI received during Mobile IP
registration. The IP addresses assigned to a mobile station may be statically or dynamically assigned.
The Home Agent will not permit simultaneous registrations for different NAIs with the same IP address,
whether it is statically or dynamically assigned.
Static IP Address
A static IP address is an address that is pre-assigned to the mobile station, and possibly preconfigured at
the mobile device. The Home Agent supports static addresses that might be public IP addresses, or
addresses in private domain.
Note Use of private addresses for Mobile IP services requires reverse tunneling between the PDSN/FA and
the Home Agent.
The mobile user proposes the configured/available address as a nonzero home address in the Registration
Request message. The Home Agent may accept this address or return another address in the Registration
Reply message. The Home Agent may obtain the IP address by accessing the home AAA server or DHCP
server. The home AAA server may return the name of a local pool, or a single IP address. On successful
Mobile IP registration, Mobile IP based services are made available to the user.

OL-7614-01 1-13
The Home Agent
Dynamic IP Address
It is not necessary for a home IP address to be configured in the mobile station in order to access packet
data services. A mobile user may request a dynamically assigned address by proposing an all zero home
address in the Registration Request message. The Home Agent assigns a home address and returns it to
the mobile in the Registration Reply message. The Home Agent obtains the IP address by accessing the
home AAA server. The AAA server returns the name of a local pool or a single IP address. On successful
registration, Mobile IP based services are made available to the user.
Address Assignment for Same NAI—Multiple Static Addresses

The Cisco Home Agent supports multiple Mobile IP registrations for the same NAI with different static
addresses. This is accomplished by configuring static IP address pool(s) at the home AAA or DHCP
server. When the HA receives a Registration Request message from the mobile user, the HA accesses the
home AAA for authentication, and possibly for assignment of an IP address. The NAI provided by the
mobile user is sent to the home AAA. The home AAA server returns a list of static IP addresses or the
static IP pool name corresponding to this NAI.
Address Assignment for Same NAI—Different Mobile Terminal

When the same NAI is used for registration from two different mobiles, the behavior is as follows:
• If static address assignment is used in both cases, they are viewed as independent cases.
• If dynamic address assignment is used in both cases, the second registration replaces the first.
• If static is used for the first, and dynamic for the second, the dynamic address assignment replaces
the static address assignment.
• If dynamic is used for the first, and static for the second, they are viewed as independent cases.
Additionally, two flows originating from the same mobile using the same NAI—but two different
Home Agents—are viewed as independent cases.
3 DES Encryption
The Cisco Home Agent 1.2 release include 3DES encryption, which supports IPSec on the HA. To
accomplish this on the 7200 router platform, Cisco supplies an SA ISA card for hardware provided
IPsec. On the 7600 and 6500 platforms, the MWAM utilizes the Cisco IPSec Acceleration Card.
In this release the HA requires you to configure the parameters for each PDSN before a mobile ip data
traffic tunnel is established between the PDSN and the HA.
Note This feature is only available with hardware support.
Mobile IP IPSec
The Internet Engineering Task Force (IETF) has developed a framework of open standards called IP
Security (IPSec) that provides data confidentiality, data integrity, and data authentication between
participating peers. IPSec provides these security services at the IP layer; it uses Internet Key Exchange
(IKE) to handle negotiation of protocols and algorithms based on local policy, and to generate the
encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host.

1-14 OL-7614-01
The Home Agent
IS835-B specifies three mechanisms for providing IPSec security:

• Certificates
• Dynamically distributed preshared secret
• Statically configured preshared secret.
Note IS835-B Statically configured preshared secret is not supported in PDSN Release 1.2. Only CLI
configured, statically configured preshared secret of IKE will be implemented and supported.
Note The Cisco Home Agent Release 1.2 on the Cisco 7600 and 6500 platforms requires the support of the
Cisco IPSec Services Module (VPNSM), a blade that runs on the Catalyst 6500 or 7600 router. VPNSM
does not have any physical WAN or LAN interfaces, and utilizes VLAN selectors for its VPN policy. For
more information on Catalyst 6500 Security Modules visit
http://www.cisco.com/en/US/products/hw/switches/ps708/index.html.
For more information on the Cisco 7600 Internet Router visit

http://www.cisco.com/en/US/products/hw/routers/ps368/index.html.
IPSec based security may be applied on tunnels between the PDSN and the HA depending on parameters
received from Home AAA server. A single tunnel may be established between each PDSN and HA pair.
It is possible for a single tunnel between the PDSN and HA pair to have three types of traffic streams:
Control Messages, Data with IP in IP encapsulation, and Data with GRE in IP encapsulation. All traffic
carried in the tunnel will have same level of protection provided by IPSec.
IS835 defines MobileIP service as described in RFC 2002; the Cisco HA provides Mobile IP service and
Proxy Mobile IP service.
In Proxy Mobile service, the Mobile Node is connected to the PDSN/FA through Simple IP, and the
PDSN/FA acts as Mobile IP Proxy for the MN to the HA.
Once Security Associations (SAs or tunnels) are established, they remain active until there is traffic on
the tunnel, or the lifetime of the SAs expire.
Note IPSec does not work with HA redundancy, since the IPSec security associations are not replicated to the
standby during failover.
Figure 8 illustrates the IS835 IPSec network topology.

OL-7614-01 1-15
The Home Agent
Figure 8 IS835 IPSec Network
Visitor Home Access

Location Provider Network
Register
(VLR) HLR
SS7
network
Home IP Network
RADIUS
RADIUS
Broker Network
IP
R-P
network
Interface
RADIUS
Mobile station PDSN

RAN
Home IP Network,
Private Network,
Home Access
Provider Network
IPsec Tunnel
HA
Visited Access
84001
Provider Network
User Profiles
The Home Agent maintains a per NAI profile that contains the following parameters:
• User Identification—NAI
• User Identification—IP Address
• Security Associations
• Reverse Tunnel indication—the parameter specifies the style of reverse tunneling that is required
for the user data transfer with Mobile IP services.
• Time stamp window for replay protection
• State information is maintained for all Registration Request flags requested, and then granted (for
example, S|B|D|M|G|V flags).
The profile, identified by the NAI, can be configured locally or retrieved from a AAA server.

1-16 OL-7614-01
The Home Agent
Additionally, the Home Agent supports an intelligent security association caching mechanism that
optimizes the session establishment rate and mimimizes the time for session establishment.
The Home Agent supports the local configuration of a maximum of 200000 user profiles; on the MWAM,
the HA supports 5 x 200000 user profiles. The User profile, identified by the NAI, can be configured
locally, or retrieved from a AAA server.
Mobility Binding Association

The mobility binding is identified in the home agent in the following ways:
• For static IP address assignment, NAI+IP
• For dynamic IP address assignment, NAI
The binding association contains the following information:
• Care-of address
• Home address
• Lifetime of the association
• Signalling identification field
User Authentication and Authorization

The Home Agent can be configured to authenticate a user using either PAP or CHAP. The Foreign Agent
Challenge procedures are supported (RFC 3012) and includes the following extensions:
• Mobile IP Agent Advertisement Challenge Extension
• MN—FA Challenge Extension
• MN—AAA Authentication Extension
Note PAP will be used if no MN—AAA extension is present, and CHAP will always be used if MN—AAA is
present.
When configured to authenticate a user with the Home AAA server, if the Home Agent receives the
MN—AAA Authentication Extension in the Registration Request, the contents are used. If the extension
is absent, a default configurable password is used.
The Home Agent accepts and maintains the MN—FA challenge extension, and MN—AAA
authentication extension (if present), from the original registration for use in later registration updates.
If the Home Agent does not receive a response from the AAA server within a configurable timeout, the
message can be retransmitted a configurable number of times. The Home Agent can be configured to
communicate with a group of AAA servers, the server being chosen in round robin fashion from the
available configured servers.
Note The Home Agent will accept user profiles, it will not authorize a mobile subscriber based on information
returned in a group profile.

OL-7614-01 1-17
The Home Agent
HA Binding Update
When a mobile first registers for packet data services, a PPP session and associated Mobile IP flow(s)
are established at the PDSN. In the event of an inter PDSN handoff, another PPP session is established
at the target PDSN, and the mobile registers with the Home Agent via the new PDSN/FA. If PPP idle
timeout is configured on the PDSN virtual template, the maximum mobile IP lifetime advertised to the
mobile will be 1 second less than the idle-timeout.
Idle, or unused PPP sessions at a PDSN/Foreign Agent consume valuable resources. The Cisco
PDSN/Foreign Agent and Home Agent support Binding Update and Binding Acknowledge messages to
release such idle PPP sessions as soon as possible. In the event of an inter-PDSN handoff and Mobile IP
registration, the Home Agent updates mobility binding information for the mobile with the
Care-of-Address (CoA) of the new PDSN/FA.
If simultaneous bindings are not enabled, the Home Agent sends a notification in the form of a Binding
Update message to the previous PDSN/FA. The previous PDSN/FA acknowledges with a Binding
Acknowledge, if required, and deletes the visitor list entry for the Mobile IP session. The previous
PDSN/FA initiates the release of the PPP session when there are no active flows for that mobile station.
Note The sending of the binding update message is configurable at the Home Agent on a global basis.
Packet Filtering
The Home Agent can filter both egress packets from an external data network and ingress data packets
based on the Foreign Agent IP address or the Mobile Node IP address.
Security
The HA uses any present statically configured shared secret(s) when processing authentication
extension(s) present in mobile IP registration messages.
Restrictions
Simultaneous Bindings
The Cisco Home Agent does not support simultaneous bindings. When multiple flows are established
for the same NAI, a different IP address is assigned to each flow. This means that simultaneous binding
is not required, because it is used to maintain more than one flow to the same IP address.
IP Reachability
The Home Agent does not support dynamic DNS updates. Hence the CDMA2000 feature, IP
Reachability, is not supported.
Security
The HA supports IPSec, IKE, IPSec Authentication Header (AH) and IP Encapsulating Security Payload
(ESP) as required in IS-835-B. The Home Agent does not support security for control or user traffic
independently. Either both are secured, or neither.
The Home Agent does not support dynamically assigned keys or shared secrets as defined in IS-835-B

1-18 OL-7614-01
Supported Platforms
Supported Platforms
Cisco 7200 Router Platform
The Cisco Home Agent is supported on Cisco’s 7206VXR routing platform. The Home Agent supports
all physical interfaces currently supported on the 7206VXR platform. These interfaces include Fast
Ethernet.
For a complete list of interfaces supported on 7206VXR platform, please refer to the on-line product
information at Cisco CCO home page. For hardware details on 7206VXR platform, please refer to C7200
product specifications at http://www.cisco.com/warp/public/cc/pd/rt/7200/index.shtml).
The recommended hardware configuration for PDSN Release 1.2 is based on C7206VXR chassis with
an NPE-400 processor, 512 MB DRAM, and two FE port adaptors. The I/O controller on the NPE-400
processor supports two more 10/100 based Ethernet ports. A service adaptor, SA_ISA, is required for
hardware support of IPSec.
Cisco MWAM on the Catalyst 6500 Switch and 7600 Router Support
The Cisco Home Agent is also supported on Cisco’s Multi-processor WAN Application Module
(MWAM) on the 6500 Catalyst Switch, and on the 7600 Internet Router. Each Catalyst 6500 or 7600 can
support up to 6 MWAM modules. Each MWAM has 3 gigabit ethernet interfaces internally connected to
the Cat6500 or 7600 backplane with 802.1q trunking. There are no external visible ports on an MWAM.
The recommended hardware configuration for Home Agent Release 1.2 is based on a Catalyst 6500 or
7600 chassis with a SUP2, and 512 MB of DRAM.
The recommended MWAM configuration calls for 512 Meg RAM per processor, totalling 1 gigabyte per
processor complex.
An IPSec Services Module (VPNSM) is required for hardware support of IPSec.
Each MWAM supports up to 5 IOS images, and each of them can function the same as a Home Agent
running on 7200VXR platform. There are no significant feature differences between a Home Agent on
an MWAM and a Home Agent on the Cisco 7200VXR series Router platform. However, configuring IP
sec on the Cisco IPSec Services Module (VPNSM) is completely different than from the Cisco 7200
series Router. All configuration is done on the Supervisor card and not on the MWAM.
Note The initial release of the Home Agent on MWAM (1.2) has a tested limit of up to 5 Home agent images
on each of two MWAMs
For a complete list of interfaces supported on 6500 platform, please refer to the on-line product
information at Cisco.com home page. For hardware details on 6500 platform, please refer to the Catalyst
6500 product specifications at http://www.cisco.com/en/US/products/hw/switches/ps708/index.html.
For a complete list of interfaces supported on 7600 platform, please refer to the on-line product
information at Cisco.com home page. For hardware details on 7600 platform, please refer to the
Cisco series 7600 product specifications at
http://www.cisco.com/en/US/products/hw/routers/ps368/index.html.
Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that support specific platforms. To get updated
information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature
Navigator dynamically updates the list of supported platforms as new platform support is added for the
feature.

OL-7614-01 1-19
Supported Standards, MIBs, and RFCs
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software
images support a specific set of features and which features are supported in a specific Cisco IOS image.
You can search by feature or release. Under the release section, you can compare releases side by side
to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or
lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check
will verify that your e-mail address is registered with Cisco.com. If the check is successful, account
details with a new random password will be e-mailed to you. Qualified users can establish an account
on Cisco.com by following the directions at http://www.cisco.com/register.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology
releases occur. For the most current information, go to the Cisco Feature Navigator home page at the
following URL:
http://www.cisco.com/go/fn
Availability of Cisco IOS Software Images

Platform support for particular Cisco IOS software releases is dependent on the availability of the
software images for those platforms. Software images for some platforms may be deferred, delayed, or
changed without prior notice. For updated information about platform support and availability of
software images for each Cisco IOS software release, refer to the online release notes or, if supported,
Cisco Feature Navigator.

The Cisco PDSN Home Agent is compliant with the following standards:
Standards
• TIA/EIA/IS-835-B, Wireless IP Network Standard
• TIA/EIA/TSB-115, Wireless IP Network Architecture Based on IETF Protocols
MIBs
The Home Agent supports the following MIBs:
• MIB defined in The Definitions of Managed Objects for IP Mobility Support Using SMIv2, RFC
2006, October 1995.
• The RADIUS MIB, as defined in RADIUS Authentication Client MIB, RFC 2618, June 1999.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules,
go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
• IPv4 Mobility, RFC 2002
• IP Encapsulation within IP, RFC 2003
• Applicability Statement for IP Mobility Support, RFC 2005
• The Definitions of Managed Objects for IP Mobility Support Using SMIv2, RFC 2006
• Reverse Tunneling for Mobile IP, RFC 3024
• Mobile IPv4 Challenge/Response Extensions, RFC 3012

1-20 OL-7614-01
• Mobile NAI Extension, RFC 2794

• Generic Routing Encapsulation, RFC 1701
• GRE Key and Sequence Number Extensions, RFC 2890
• IP Mobility Support for IPv4, RFC 3220, Section 3.2 Authentication
• The Network Access Identifier, RFC 2486, January 1999.
• An Ethernet Address Resolution Protocol, RFC 826, November 1982
• The Internet Key Exchange (IKE), RFC 2409, November 1998.

OL-7614-01 1-21

1-22 OL-7614-01
C H A P T E R 2
Configuring Cisco Mobile Wireless Home Agent
This chapter describes the Cisco Mobile Wireless Home Agent. It includes information on the supported
platforms, configuration tasks, monitoring and maintaining, and configuration examples.
This document includes the following sections:
• Configuration Tasks, page 2-1
• Monitoring and Maintaining the HA, page 2-9
• Configuration Examples, page 2-9
Configuration Tasks
The Cisco Home Agent software includes two images, one for the Cisco 7200 and one for the 6500 and
7600 platforms. This section describes the steps for configuring the Cisco Home Agent. Each image is
described by platform number.
• c7200-h1is-mz HA image
• c6svcmwam-h1is-mz HA image
Upgrading a Home Agent Image

To upgrade an image, you will need a compact flash card that has the MP partition from the current image
or later, and a recent supervisor image. To locate the images, please go to the Software Center at
Cisco.com (http://www.cisco.com/public/sw-center/).
To perform the upgrade perform the following procedure:
Step 1 Log onto the supervisor and boot the MP partition on the PC.
Router# hw-module module 3 reset cf:1
Device BOOT variable for reset = > <cf:1> Warning: Device list is not verified.
>
> Proceed with reload of module? [confirm] % reset issued for module 3
>Router#
Step 2 Once the module is online, issue the following command:

copy tftp: tftp file location pclc# linecard #-fs:

OL-7614-01 2-1
Chapter 2 Configuring Cisco Mobile Wireless Home Agent
Configuration Tasks
The upgrade file uses a special format that makes this process slow. The following example illustrates
the upgrade process output:
Router# copy tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin pclc#3-fs:
> Destination filename [c6svcmwam-c6is-mz.bin]?
> Accessing tftp://198.133.219.33/images/c6svcmwam-c6is-mz.bin...
> Loading images/c6svcmwam-c6is-mz.bin from 64.102.16.25 (via Vlan1):
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> [OK - 29048727/58096640 bytes]
> 29048727 bytes copied in 1230.204 secs (23616 bytes/sec)

Router#
> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has started>
> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Do not reset the module till upgrade completes!!>
> Router#
> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <Application upgrade has succeded>

> 2d21h: %SVCLC-SP-5-STRRECVD: mod 3: <You can now reset the module
Step 3 Boot the MWAM card back to partition 4, and you have an upgraded image.
Router#hw-module module 3 reset
Loading the Cisco IOS Image to MWAM

The image download process automatically loads a Cisco IOS image onto the three Processor complexes
on the MWAM. All three complexes on the card run the same version of Cisco IOS, so they share the
same image source. The software for MWAM bundles the images it needs in flash memory on the PC
complex. For more information, refer to the Cisco Multiprocessor WAN Application Module Installation
and Configuration Note.
Configuring the Home Agent

A typical HA configuration requires that you define interfaces in three directions: PDSN/FA, home
network, and AAA server. If HA redundancy is required, then you must configure another interface for
HSRP binding updates between HAs. If you are running the HA on the MWAM, the HA will see the
access to one GE port that will connect to Catalyst 6500 backplane. That port can be configured as a
trunk port with subinterfaces provided for each necessary network access.
VLANs can be defined corresponding to each interface: PDSN/FA, home network, AAA. In the case of
multiple HA instances in the same Catalyst 6500 chassis, or 7600 chassis, the same VLAN can be used
for all of them.
The Cisco Home Agent can provide two classes of user services: Mobile IP, and proxy Mobile IP. The
following sections describe the configuration tasks for implementing the Cisco Home Agent.
MWAM Configuration Tasks (Required for All Scenarios)

• Basic IOS Configuration on MWAM

2-2 OL-7614-01
Configuration Tasks
AAA and RADIUS Configuration Tasks (Required for All Scenarios)

To configure the AAA and RADIUS in the Home Agent environment, complete the following tasks.
• Configuring AAA in the Home Agent Environment
• Configuring RADIUS in the Home Agent Environment
Mobile IP Configuration Tasks (Required for Mobile IP)

To configure Mobile IP on the Home Agent, complete the following task:
• Configuring Mobile IP Security Associations
Home Agent Redundancy Tasks (Required for Mobile IP)

• Configuring HA Redundancy
Network Management Configuration Tasks

• Configuring Network Management
Cisco Home Agent Configuration Tasks

• Configuring the Cisco Home Agent
IP Sec Configuration Tasks

• Configuring IPSec for the HA
Maintaining the HA
• Monitoring and Maintaining the HA
Basic IOS Configuration on MWAM

To configure the Supervisor engine recognize the MWAM modules, and to establish physical
connections to the backplane, use the following commands:
Command Purpose
Router# vlan database Enter VLAN configuration mode.
Router(vlan)# vlan vlan-id Add an Ethernet VLAN.
Router(vlan)# exit Updates the VLAN database, propagates it throughout
the administrative domain, and return to privileged
EXEC mode.
Router(config)# mwam module 7 port 3 allowed-vlan Configures the ethernet connectivity from the
vlan_range backplane to the individual processors on the MWAM.
Router# session slot MWAM module processor processor Configures the ethernet connectivity from the
number backplane to the individual processors on the MWAM.
Processor number is from 2 to 6.
Router(config)# int gigabitEthernet 0/0 Specifies the type of interface being configured, and
the slot number.
Router(config-if)# no shut Puts the specified GE interfaces in service.
Router(config-if)# int gigabitEthernet 0/0.401

OL-7614-01 2-3
Configuration Tasks
Command Purpose
Router(config-subif)# encapsulation dot1Q 401 Enables IEEE 802.1Q encapsulation of traffic on a
specified subinterface in virtual LANs.
Router(config-subif)# ip address 11.111.1.11 255.255.255.0
Router(config-subif)# exit Updates the VLAN database, propagates it throughout

the administrative domain, and return to privileged
EXEC mode.
Note MWAM modules synchronize their timing functions from the Supervisor engine’s clock timers. Do not
configure the timers on each individual MWAM.
Configuring AAA in the Home Agent Environment

Access control is the way you manage who is allowed access to the network server and what services
they are allowed to use. AAA network security services provide the primary framework through which
you set up access control on your router or access server. For detailed information about AAA
configuration options, refer to the “Configuring Authentication,” and “Configuring Accounting”
chapters in the Cisco IOS Security Configuration Guide.
To configure AAA in the HA environment, use the following commands in global configuration mode:
Command Purpose
Router(config)# aaa authentication ppp default Enables authentication of PPP users using RADIUS.
group radius
Router(config)# aaa authorization network default group Restricts network access to a user. Runs authorization
radius for all network-related service requests. Uses the
group radius authorization method as the default
method for authorization.
Configuring RADIUS in the Home Agent Environment

RADIUS is a method for defining the exchange of AAA information in the network. In the Cisco
implementation, RADIUS clients run on Cisco routers and send authentication requests to a RADIUS
server that contains all user authentication and network server access information. For detailed
information about RADIUS configuration options, refer to the “Configuring RADIUS” chapter in the
Cisco IOS Security Configuration Guide.
To configure RADIUS in the HA environment, use the following commands in global configuration
mode:
Command Purpose
Router(config)# radius-server host ip-addr key Specifies the IP address of the RADIUS server host
sharedsecret and specifies the shared secret text string used between
the router and the RADIUS server.

2-4 OL-7614-01
Configuration Tasks
Configuring Mobile IP Security Associations

To configure security associations for mobile hosts, FAs, and HAs, use one of the following commands
in global configuration mode:
Command Purpose
Router(config)# ip mobile secure { host | visitor | Specifies the security associations for IP mobile
home-agent | foreign-agent | proxy-host} {lower-address users.
[upper-address] | nai string} { inbound-spi spi-in
outbound-spi spi-out | spi spi} key {hex | ascii} string
[replay timestamp [number] algorithm md5
mode prefix-suffix]
Configuring HA Redundancy
To configure your routers for Mobile IP HA redundancy, perform the required tasks described in the
following sections:
• Enabling Mobile IP (Required)
• Enabling HSRP (Required)
• Enabling HA Redundancy for a Physical Network (Required)
• Enabling HA Redundancy for a Virtual Network Using One Physical Network
Enabling Mobile IP
To enable Mobile IP on the router, use the following command in global configuration mode:
Command Purpose
Router(config)# router mobile Enables Mobile IP on the router.
Enabling HSRP
To enable HSRP on an interface, use the following command in interface configuration mode:
Router(config-if)# standby [group-number] ip ip-address Enables HSRP.

OL-7614-01 2-5
Configuration Tasks
Configuring HSRP Group Attributes

To configure HSRP group attributes that affect how the local router participates in HSRP, use either of
the following commands in interface configuration mode:
Router(config-if)# standby [group-number] priority Sets the Hot Standby priority used in choosing the
priority [preempt [delay [minimum | sync] active router. By default, the router that comes up
delay]]
later becomes standby. When one router is
or designated as an active HA, the priority is set highest
in the HSRP group and the preemption is set.
Router(config-if)# standby [group-number] [priority
Configure the preempt delay sync command so that
priority] preempt [delay [minimum | sync]
delay] all bindings will be downloaded to the router before
it takes the active role. The router becomes active
when all bindings are downloaded, or when the
timer expires, whichever comes first.
Enabling HA Redundancy for a Physical Network

To enable HA redundancy for a physical network, use following commands beginning in interface
configuration mode:
Command Purpose
Router(config-if)# standby [group-number] ip ip-address Enables HSRP.
Router(config-if)# standby name hsrp-group-name Sets the name of the standby group.
Router(config)# ip mobile home-agent redundancy Configures the home agent for redundancy using
hsrp-group-name the HSRP group name.
Router(config)# ip mobile secure home-agent address spi spi Sets up the home agent security association
key hex string between peer routers. If configured on the active
HA, the IP address address argument is that of the
standby HA. If configured on the standby HA, the
IP address address argument is that of the active
router. Note that a security association needs to be
set up between all HAs in the standby group.

2-6 OL-7614-01
Configuration Tasks
Enabling HA Redundancy for a Virtual Network Using One Physical Network

To enable HA redundancy for a virtual network and a physical network, use the following commands
beginning in interface configuration mode:
Command Purpose
Router (config-if)# standby [group-number] ip ip-address Enables HSRP.
Router(config)# ip mobile home-agent address address Defines a global home agent address. In this
configuration, the address is the HSRP group
or address. Enter this command if the mobile node
and home agent are on different subnets.
or
Enables and controls home agent services to the
Router(config)# ip mobile home-agent
router. Enter this command if the mobile node and
home agent are on the same subnet.
Router(config)# ip mobile virtual-network net mask [address Defines the virtual network. If the mobile node
address] and home agent are on the same subnet, use the
[address address] option.
Router(config)# ip mobile home-agent redundancy Configures the home agent for redundancy using
hsrp-group-name [[virtual-network] address address] the HSRP group to support virtual networks.
Router(config)# ip mobile secure home-agent address spi spi Sets up the home agent security association
key hex string between peer routers. If configured on the active
HA, the IP address address argument is that of the
standby HA. If configured on the standby HA, the
IP address address argument is that of the active
router. Note that a security association needs to be
set up between all HAs in the standby group.
Configuring Network Management

To enable SNMP network management for the HA, use the following commands in global configuration
mode:
Command Purpose
Router(config)# snmp-server community string [ro | rw] Specifies the community access string to permit
access to the SNMP protocol.
Router(config)# snmp-server host host-addr traps version {1 | Specifies the recipient of an SNMP notification
2 | 3 [auth | noauth | priv]} operation.
Router(config)# no virtual-template snmp Prevents the virtual-access subinterfaces from
being registered with the SNMP functionality of
the router and reduces the amount of memory
being used, thereby increasing the call setup
performance.
Router(config)# snmp-server enable traps ipmobile (Optional) Specifies Simple Network
Management Protocol (SNMP) security
notifications for Mobile IP.

OL-7614-01 2-7
Configuration Tasks
Configuring the Cisco Home Agent

To configure the Cisco HA, use the following commands in global configuration mode:
Command Purpose
Router(config)# ip mobile host {lower [upper] | nai string Specifies either static IP addresses or a pool of IP
[static-address addr1 [addr2] [addr3] [addr4] [addr5] | addresses for use by multiple flows with the same
local-pool name {address addr | pool {local name |
dhcp-proxy-client [dhcp-server addr]}}}{interface name |
NAI.
virtual-network net mask} [aaa [load-sa]] [care-of-access
acl] [lifetime number]
Router(config)# ip mobile home-agent [broadcast] Enables and controls home agent services on the
[care-of-access acl] [lifetime number] [replay seconds] router.
[reverse-tunnel-off] [roam-access acl] [strip-nai-realm]
[suppress-unreachable] [local-timezone]
Configuring IPSec for the HA

To configure IPSec for the HA, use the following commands in global configuration mode:
Command Purpose
Router(config)# crypto map map-name seq-num ipsec-isakmp Creates a a crypto map entry for one HA in one
Crypto-map set.
set peer ip address of ha
set transform-set transform-set-name The Crypto Map definition is not complete until:
match address acl name
1. ACL associated with it is defined, and
2. The Crypto-Map applied on Interface. You
can configure Crypto MAP for different HAs
by using a different sequence number for
each HA in one crypto-map set.
Router# access-list acl-name deny udp host HA IP addr eq Defines the access list.
mobile-ip host PDSN IP addr eq mobile-ip
The ACL name “acl-name” is same as in the
access-list acl-name permit ip host PDSN IP addr host HA IP addr crypto-map configuration
access-list acl-name deny ip any any
Router# Interface Physical-Interface of PI interface Applies the Crypto-Map on Pi Interface, as the
HA sends/receives Mobile IP traffic to/from
crypto map Crypto-Map set
PDSN on this interface
Router# ip mobile tunnel crypto map crypto-map set name Configure Mobile IP to use the configured
Crypto-Map set

2-8 OL-7614-01
Monitoring and Maintaining the HA
Monitoring and Maintaining the HA

To monitor and maintain the HA, use the following commands in privileged EXEC mode:
Command Purpose
Router# clear ip mobile binding Removes mobility bindings.
Router# clear ip mobile host-counters Clears the mobility counters specific to each
mobile station.
Router#clear ip mobile secure Clears and retrieves remote security associations.
Router# debug ip mobile advertise Displays advertisement information.
Router# debug ip mobile host Displays mobility event information.
Router# show ip mobile binding Displays the mobility binding table.

Router# show ip mobile host Displays mobile station counters and information.
Router# show ip mobile proxy Displays information about a proxy Mobile IP
host.
Router# show ip mobile secure Displays mobility security associations for Mobile
IP.
Router# show ip mobile violation Displays information about security violations.
Configuration Examples
This section provides the following configuration examples:
• Cisco Home Agent Configuration
• Home Agent Redundancy Configuration
• Home Agent IPSec Configuration

OL-7614-01 2-9
Cisco Home Agent Configuration

Figure 1 and the information that follows is an example of the placement of a Cisco HA and it’s
configuration.
Figure 1 Home Agent—A Network Map
CDMA-Ix1
virtual interface
5.5.5.5 255.0.0.0
2.2.2.x/24 3.3.3.x/24
Home
pdsn1-7206 RADIUS
2.2.2.2 3.3.3.2 30.0.0.10
FE1/0 FE2/0
e Mo
rfac bil
Inte eI
R-P PT
un
11.11.11.1/32 ne
l
2.2.2.1 FE0/0
BSC
12.12.12.100/8 Loopback 0
PCF 3.3.3.1 30.30.30.1/8
virtual interface
FE0/1 FE0/2
VLAN2 ha1-7206
VLAN30
12.12.22.12
Local
BSC RADIUS pdsn2-7206
PCF
FE1/0
3.3.3.3
FE2/0
59198
VLAN3

2-10 OL-7614-01
Example 1
Router#
!
aaa new-model
!
aaa authentication login default group radius
aaa authentication login CONSOLE none
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa session-id common
!
interface FastEthernet0/1
description To FA/PDSN
ip address 3.3.3.1 255.255.255.0
!
description To AAA
ip address 30.30.30.1 255.0.0.0
!
router mobile
!
ip local pool ha-pool1 35.35.35.1 35.35.35.254
ip mobile home-agent broadcast
ip mobile virtual-network 35.35.35.0 255.255.255.0
ip mobile host nai @xyz.com address pool local ha-pool1 virtual-network 35.35.35.0
255.255.255.0 aaa load-sa lifetime 65535
!
radius-server host 30.0.0.10 auth-port 1645 acct-port 1646 key cisco
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
________________________________________________________
Example 2 Home Agent Configuration
Router# show run

Building configuration...
Current configuration : 4532 bytes

!
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
service udp-small-servers
service tcp-small-servers
!
hostname USER_HA
!
aaa new-model
!
!
aaa authentication ppp default group radius

OL-7614-01 2-11

aaa authorization configuration default group radius
!
username simulator password 0 cisco
username userc-moip password 0 cisco
username pdsn password 0 cisco
username userc password 0 cisco
username USER_PDSN
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
! !
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel1
no ip address
!
ip address 9.15.68.14 255.255.0.0
duplex half
speed 100
no cdp enable
!
no ip address
shutdown
duplex half
speed 10
no cdp enable
!
ip address 92.92.92.2 255.255.0.0
duplex auto
speed auto
no cdp enable
!
ip address 5.5.5.3 255.255.255.0 secondary
ip address 5.5.5.1 255.255.255.0
shutdown
duplex auto
speed auto
no cdp enable
!
!
router mobile
!
ip local pool ha-pool 6.0.0.1 6.0.15.254
ip local pool ha-pool1 4.4.4.100 4.4.4.255
ip default-gateway 9.15.0.1
ip classless
ip route 3.3.3.1 255.255.255.255 FastEthernet1/1
ip route 9.100.0.1 255.255.255.255 9.15.0.1
ip route 17.17.17.17 255.255.255.255 FastEthernet1/0
no ip http server
ip pim bidir-enable
ip mobile home-agent
ip mobile host nai userc-moip address pool local ha-pool interface FastEthernet1/0

2-12 OL-7614-01
ip mobile host nai userc address pool local pdsn-pool interface Loopback0 aaa
ip mobile secure host nai userc-moip spi 100 key hex ffffffffffffffffffffffffffffffff
replay timestamp within 150
!
!
radius-server retransmit 3
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 5 15
!
!
end
Home Agent Redundancy Configuration

PDSN Configuration
~~~~~~~~~~~~~~
version 12.2
no service pad
service internal
service cdma pdsn
!
hostname mwt10-7206a
!
aaa new-model
!
aaa authentication ppp default local group radius
!
ip subnet-zero
ip cef
!
virtual-profile aaa
!
interface Loopback0
ip address 6.0.0.1 255.0.0.0
no ip route-cache
no ip mroute-cache
!
interface CDMA-Ix1

OL-7614-01 2-13
ip address 5.0.0.1 255.0.0.0

tunnel source 5.0.0.1
!
description to PCF
ip address 4.0.0.101 255.0.0.0
no ip route-cache cef
duplex half
!
interface Ethernet2/0
description to HA
ip address 7.0.0.1 255.0.0.0
duplex half
!
description to AAA
ip address 150.1.1.9 255.255.0.0
duplex half
!
interface Virtual-Template1
ip unnumbered Loopback0
ip mobile foreign-service challenge
ip mobile foreign-service reverse-tunnel
ip mobile registration-lifetime 60000
no keepalive
no peer default ip address
ppp authentication chap pap optional
ppp accounting none
!
Router mobile
!
ip local pool pdsn-pool 11.0.0.1 11.0.0.255
ip classless
ip route 9.0.0.0 255.0.0.0 7.0.0.2
ip route 10.0.0.0 255.0.0.0 7.0.0.2
no ip http server
ip pim bidir-enable
ip mobile foreign-agent care-of Ethernet2/0
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
cdma pdsn virtual-template 1
cdma pdsn a10 max-lifetime 65535
cdma pdsn timeout mobile-ip-registration 300
cdma pdsn mip-reg-fail-no-closesession
cdma pdsn secure pcf 4.0.0.1 spi 100 key ascii cisco
cdma pdsn secure pcf 4.0.0.2 spi 100 key ascii cisco
call rsvp-sync
!
!
!
gatekeeper
shutdown
!
line con 0
exec-timeout 0 0
line aux 0

2-14 OL-7614-01
line vty 0 4
!
end
Active-HA configuration
~~~~~~~~~~~~~~~~~~~
version 12.2
no service pad
!
hostname mwt10-7206b
!
aaa new-model
!
!
ip subnet-zero
ip cef
!
description to PDSN/FA
ip address 7.0.0.2 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 7.0.0.4
standby priority 110
standby preempt delay sync 100
standby name cisco
!
description to AAA
ip address 150.2.1.8 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
Router mobile
!
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent redundancy cisco
ip mobile host nai mwts-mip-np-user1@ispxyz.com static-address 40.0.0.1 interface
Ethernet2/0 aaa
ip mobile secure home-agent 7.0.0.3 spi 100 key ascii redundancy algorithm md5 mode
prefix-suffix
!
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server key cisco
call rsvp-sync
!

OL-7614-01 2-15
!
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Standby-HA configuration
~~~~~~~~~~~~~~~~~~~~
version 12.2
no service pad
!
hostname mwt10-7206b
!
aaa new-model
!
!
ip subnet-zero
ip cef
!
description to PDSN/FA
ip address 7.0.0.3 255.0.0.0
no ip route-cache
no ip mroute-cache
duplex half
standby ip 7.0.0.4
standby name cisco
!
description to AAA
ip address 150.2.1.7 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
!
router mobile
!
ip classless
no ip http server
ip pim bidir-enable
ip mobile home-agent redundancy cisco
ip mobile host nai mwts-mip-np-user1@ispxyz.com static-address 40.0.0.1 interface
Ethernet2/0 aaa
ip mobile secure home-agent 7.0.0.2 spi 100 key ascii redundancy algorithm md5 mode
prefix-suffix
!

2-16 OL-7614-01
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646

radius-server key cisco
call rsvp-sync
!
!
!
gatekeeper
shutdown
!
line con 0
line aux 0
line vty 0 4
!
end
Home Agent IPSec Configuration
Note Once you permit the hosts/subnets you want encrypted, ensure that you put in an explicit deny statement.
The deny statement states do not encrypt any other packets.
Note The following example is for IPSec on the Cisco 7200 router only. IPSec on the Cisco Catalyst 6500 and
the Cisco 7600 is configured on the Supervisor, rather than on the Home Agent.
access-list 101 deny ip any any

-------------------------------------------------------
!
! No configuration change since last restart
!
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 7206f1
!
aaa new-model
!
!
aaa authentication login CONSOLE none
aaa authentication login NO_AUTHENT none
aaa authentication ppp default group radius
enable password 7 151E0A0E
!
username xxx privilege 15 nopassword
ip subnet-zero

OL-7614-01 2-17
ip cef
!
!
no ip domain-lookup
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 1.1.1.4
crypto isakmp key cisco address 172.18.60.30
!
!
crypto ipsec transform-set esp-des-sha-transport esp-des esp-sha-hmac
mode transport
!
crypto map tosim 10 ipsec-isakmp
set peer 1.1.1.4
set transform-set esp-des-sha-transport
match address 101
!
crypto map tosim3 10 ipsec-isakmp
set peer 172.18.60.30
set transform-set esp-des-sha-transport
match address 103
!
!
interface Loopback0
ip address 9.0.0.1 255.0.0.0
!
interface Loopback1
ip address 12.0.0.1 255.0.0.0
!
interface Loopback10
ip address 10.1.1.1 255.255.255.0
!
ip address 1.1.1.1 255.255.255.0
load-interval 30
duplex full
speed 100
crypto map tosim
!
ip address 2.1.1.1 255.0.0.0
load-interval 30
duplex full
speed 100
!
ip address 3.1.1.1 255.255.255.0
load-interval 30
duplex full
!
ip address 172.18.60.10 255.255.255.0
load-interval 30
duplex full
crypto map tosim3
!
router mobile
!
ip local pool ispabc-pool1 12.0.0.2 12.1.0.1
ip local pool ispabc-pool1 12.1.0.2 12.2.0.1
ip local pool ispxyz-pool1 9.0.0.2 9.1.0.1

2-18 OL-7614-01
ip local pool ispxyz-pool1 9.1.0.2 9.2.0.1

ip classless
ip route 172.18.49.48 255.255.255.255 172.18.60.1
no ip http server
ip pim bidir-enable
ip mobile home-agent address 10.1.1.1
ip mobile host nai @ispabc.com address pool local ispabc-pool1 virtual-network 12.0.0.0
ip mobile host nai @ispxyz.com address pool local ispxyz-pool1 virtual-network 9.0.0.0
!
!
access-list 101 permit ip host 10.1.1.1 host 1.1.1.4
access-list 103 permit ip host 10.1.1.1 host 172.18.60.30
!
!
radius-server host 172.18.49.48 auth-port 1645 acct-port 1646 key 7 094F471A1A0A
radius-server key 7 02050D480809
call rsvp-sync
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
!
exception protocol ftp
exception dump 64.102.16.25
exception memory minimum 1000000
ntp clock-period 17179878
ntp server 172.18.60.1
!
end

OL-7614-01 2-19

2-20 OL-7614-01
I N D EX
default form, using xxv

Symbols
no form, using xxv
<cr> xxiii command syntax
? command xxii conventions xiv
displaying (example) xxiii
configuration 2-1, 2-2
Numerics
AAA and RADIUS 2-3
3DES Encryption 1-14 AAA in the Home Agent Environment 2-4
3GPP2 1-1 Cisco Home Agent 2-3
Examples 2-9
A
IP Sec 2-3
Active HA-Standby 1-11 Loading the IOS Image to MWAM 2-2
Authentication, Authorization, and Accounting 1-1 Maintaining the HA 2-3
Mobile IP 2-3
MWAM 2-2
B Network Management 2-3
Basic IOS Configuration on MWAM 2-3 Tasks 2-1

Upgrading 2-1
configurations, saving xxvi
C
carriage return (<cr>) xxiii

D
cautions, usage in text xv
CDMA 1-2 documentation
Cisco IOS configuration changes, saving xxvi conventions xiii
Cisco IOS Software Images 1-20 Dynamic Home Agent Assignments 1-9
Cisco IPSec Acceleration Card 1-14

Cisco Mobile IP Service 1-4
E
Cisco Proxy Mobile IP Service 1-6
Code Division Multiple Access 2000 1-1 Enabling HA Redundancy 2-6, 2-7
command modes, understanding xxi to xxii Enabling HSRP 2-5
commands Enabling Mobile IP 2-5
context-sensitive help for abbreviating xxii

OL-7614-01 IN-1
Index
F N
Feature Navigator 1-19 notes, usage in text xv

filtering output, show and more commands xxvi
functionality (FA) 1-1
P
Packet Data Services 1-4

G
Packet Data Serving Node 1-1
global configuration mode, summary of xxii Packet Filtering 1-18
privileged EXEC mode, summary of xxii
prompts, system xxii
H
Proxy-MIB client 1-6
HA Binding Update 1-18 Proxy MobileIP 1-1
help command xxii
Home Agent 1-1
Q
Functionality 1-10
Home Address 1-13 question mark (?) command xxii
HSRP Groups 1-10
R
Radio Access Network 1-1

I
Restrictions 1-18
interface configuration mode, summary of xxii RFC
Internet Engineering Task Force 1-14 full text, obtaining xiii
Internet Service Provider 1-6 ROM monitor mode, summary of xxii
M S
MIB, descriptions online xiii Support

MobileIP 1-1 Benefits 1-7, 1-8
Mobile IP IPSec 1-14 Feature Support 1-7
Mobility Binding Association 1-17 Physical Network Support 1-12
modes Platforms 1-19
See command modes Cisco 7200 1-19
Monitoring and Maintaining the HA 2-9 Cisco MWAM 1-19
Supported Standards, MIBs, and RFCs 1-20

IN-2 OL-7614-01
Index
Tab key, command completion xxii
User Authentication 1-17

user EXEC mode, summary of xxii
virtual private network 1-1
Wireless Application Protocol (WAP) 1-1

OL-7614-01 IN-3
Index

IN-4 OL-7614-01

Cisco IOS Mobile Wireless Home Agent Configuration Guide, Release 12.4

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Cisco IOS Mobile Wireless Home Agent Configuration Guide, Release 12.4

Caricato da

Copyright:

Formati disponibili

Cisco IOS Mobile Wireless

Text Part Number: OL-7614-01

Cisco IOS Mobile Wireless Home Agent Configuration Guide

About Cisco IOS Software Documentation for Release 12.4 vii

Documentation Objectives vii

Documentation Organization for Cisco IOS Release 12.4 vii

Document Conventions xiii

Cisco Product Security Overview xvi

Obtaining Technical Assistance xvii

Using Cisco IOS Software for Release 12.4 xxi

Understanding Command Modes xxi

Getting Help xxii

Using the no and default Forms of Commands xxv

Saving Configuration Changes xxvi

Filtering Output from the show and more Commands xxvi

Finding Additional Feature Support Information xxvii

Cisco IOS Mobile Wireless Home Agent Configuration Guide

CHAPTER 1 Cisco Mobile Wireless Home Agent 1-1

Feature Overview 1-1

CHAPTER 2 Configuring Cisco Mobile Wireless Home Agent 2-1

Configuration Tasks 2-1

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Enabling Mobile IP 2-5

Configuration Examples 2-9

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Documentation Organization for Cisco IOS Release 12.4

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Configuration Guide and

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Configuration Guide and

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Configuration Guide and

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Configuration Guide and

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Configuration Guide and

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources

Document Title Description

Cisco IOS Mobile Wireless Home Agent Configuration Guide

The Cisco IOS documentation set uses the following conventions:

Command syntax descriptions use the following conventions:

Examples use the following conventions:

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Cisco Product Security Overview

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Reporting Security Problems in Cisco Products

In an emergency, you can also reach PSIRT by telephone:

Obtaining Technical Assistance

Cisco Technical Support Website

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Submitting a Service Request

Definitions of Service Request Severity

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Obtaining Additional Publications and Information

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Understanding Command Modes

Cisco IOS Mobile Wireless Home Agent Configuration Guide

Table 3 Accessing and Exiting Command Modes

Cisco IOS Mobile Wireless Home Agent Configuration Guide