![]() |
SYSTEM ADMINISTRATOR GUIDE 41/1543-CRA 119 1170/1-V1 Uen B | ![]() |
Copyright
© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge | is a registered trademark of Telefonaktiebolaget LM Ericsson. | |
NetOp | is a trademark of Telefonaktiebolaget LM Ericsson. |
This document describes the tasks used to configure SmartEdge
OS Mobile IP wireless services for foreign agent (FA) instances on
the SmartEdge router and their home agent (HA) peers. This document
also provides configuration examples to support Mobile IP wireless
services for FA instances on the router and their FA peer. Operations
tasks for monitoring, administering, and troubleshooting Mobile IP
features are also described in this document.
The terms FA peers and HA peers refer to FAs and HAs that exist on other equipment in the network.
The term Mobile IP binding refers to the association between a mobile node (MN) and its HA instance on the SmartEdge router. The term visitor or visiting MN refers to the association between an MN and an FA instance when that MN is communicating with its HA through the FA instance on the SmartEdge router.
Generic Routing Encapsulation (GRE) and IP-in-IP tunnels can be used with Mobile IP services and nonmobile IP services traffic.
You can configure IP-in-IP tunnels and, optionally, GRE tunnels on the SmartEdge router to support the connections from FA instances to their HA peers and from HA instances to their FA peers. For information about configuring the IP-in-IP and GRE tunnels, see Configuring Single Circuit Tunnels.
For information about configuring Ethernet, 802.3 ad access link group, Fast Ethernet-Gigabit Ethernet, and Gigabit Ethernet ports and circuits to support mobile subscribers, see Configuring ATM, Ethernet, and POS Ports and Configuring Circuits.
Mobile IP allows MNs to retain their IP addresses when they roam across multiple networks. Doing so enables MNs to maintain their existing IP sessions.
Mobile IP consists of the following components:
The MN is an IP device—for example, a laptop computer or personal digital assistant (PDA)—whose point of attachment (POA) to the Internet can frequently change. The MN maintains its connections by using its home IP address.
The HA peer, a router on the MN home network, is the anchor component in Mobile IP network that provides seamless mobility to the MN. When an MN is attached to its home network, it does not use Mobile IP services because it communicates directly using normal IP routing. When an MN is roaming and is not connected to its home network, its HA peer does the following:
MNs listen for FA instance advertisements to determine if they are attached to a home or foreign network. An FA instance is a router on a foreign network that provides routing services to visiting MNs. When the MN visits a foreign network with which its HA peer has service agreements and is authenticated by its HA peer, the MN can obtain Mobile IP services while visiting this network. During the visit, the MN listens for Internet Control Message Protocol (ICMP) router advertisements (RAs) from an FA instance. The RAs allow the MN to learn which FA instances are available and what Mobile IP services they have to provide. The FA instance does the following:
If the MN does not hear RAs from any FAs, the MN sends an ICMP router solicitation requesting that any FA instances on the foreign network reply with an RA.
When the MN discovers a foreign agent (FA) instance with which its HA peer has a service agreement, it sends a Mobile IP registration request to the FA instance. The FA instance validates the request and forwards it to the corresponding HA peer. The registration request does the following:
The MN registration request includes the FA instance CoA and the IP address of its HA peer. It may include the MN assigned home address (HoA) and the MN user identity as described in RFC 2794, Mobile IP Network Access Identifier Extension for IPv4s, or an MN-FA authentication extension as described in RFC 3344 IP Mobility Support for IPv4, or a dynamic home agent extension as described in RFC 4433 Mobile IPv4 Dynamic Home Agent (HA) Assignment. In dynamic HA assignment, the HA IP address in the registration request can be 0.0.0.0 or 255.255.255.255..
The MN sends the registration request to the HA peer so that the HA peer knows where the MN is located. When the MN is successfully authenticated, the HA peer sends a Mobile IP registration reply to the FA instance and the FA instance, in turn, forwards it to the MN.
The HA peer and FA instance also set up forwarding so that all packets destined for the MN home address are forwarded to the MN through the tunnel between the HA peer and the FA instance. The FA instance sets up forwarding so that packets from the MN are reverse tunneled to back over the same tunnel to the HA peer. Packets originating from an MN are always reverse tunneled.
The MN uses its HoA as the source of all packets it sends when it is attached to its home network or visits a foreign network through an FA instance. MN authentication is always performed on the HA peer. The SmartEdge router HA peer employs the user identifier of the MN (included in the registration request) to authenticate mobile IP services that are using AAA protocols with a RADIUS server.
Optionally, the MN can acquire a collocated care-of address (CCoA) on the foreign network and perform Mobile IP services without, or with minimal interaction, with the FA instance. The SmartEdge router does not support this mode of operation.
Mobile IP services enables the SmartEdge router to act as one or more FA instances. Each FA instance communicates with HA peers that support its mobile subscribers, which are referred to as mobile nodes (MNs). Each FA instance has a care-of address (CoA) that the system uses as the termination address for the tunnel to an HA peer.
In a typical deployment, MNs connect wirelessly to base transceiver stations (BTSs), which connect to the SmartEdge router FA instance through Ethernet. In this topology, each MN is represented by a separate Ethernet circuit and MNs can move between BTSs. The FA instance communicates with a SmartEdge HA peer through a tunnel endpoint (a local address of an HA instance). The SmartEdge router routes the MN traffic to the HA peer by using an IP-in-IP tunnel or GRE tunnel. Each HA peer uses a different tunnel. Traffic for the MNs is routed from the FA instance to the HA peer through the same tunnel.
MNs communicate with the SmartEdge router (the FA instance) over Ethernet-based circuits using a context where you configure the FA instance. The system routes the MN traffic to each external HA peer using an IP-in-IP tunnel or a GRE tunnel. Each HA peer uses a different tunnel. Traffic from an HA peer is routed back to the MNs associated with that HA peer using the same tunnel.
Figure 1 illustrates the physical network for MNs, BTS, HA peers, and an FA instance.
A subscriber circuit is associated with each MN attached to an FA. Application of circuit-based services to MNs attached to FA currently is limited to hotlining. For information on hotlining, see Configuring Hotlining for a Foreign Agent.
Each FA subscriber circuit is associated with the Layer 2 access circuit through which the MN connects to the FA. The access circuit may change due to mobility events. The FA subscriber circuit is typically created on the same physical slot as the access circuit. If sufficient capacity is not available on that slot, an alternate slot is chosen. The physical card slot on which the FA subscriber circuit gets created is referred to as the home slot for the subscriber. The home slot does not change as a result of mobility events. If the home slot fails, the FA subscriber circuit is created on an alternate slot.
If an XCRP controller card is switched over or the Mobile IP process is restarted, the MN visitor entries are recovered from shared memory and data forwarding continues uninterrupted.
Subscriber services provided by the SmartEdge FAs attached to MNs are subject to the following requirements and restrictions:
The Mobile IP services implementation can use the multiple context support that the SmartEdge OS provides. The contexts that Mobile IP services can use in different deployment scenarios include:
The CoA interface resides in the CoA context. The CoA interface provides an endpoint for a tunnel to a home-agent peer. The CoA context is typically the local context, but other contexts can be used as well. Each CoA interface can be in a different CoA context independent of other CoA interfaces.
The FA context provides one or more interfaces to the MN and defines the set of HA peers for the FA instance. Each FA instance configured on the SmartEdge router has its own FA context.
The home address (HoA) Virtual Private Network (VPN) context includes the interfaces that terminate the tunnels to the HA peers. Each HA peer that uses private HoAs has its own context. HA peers that use non-overlapping HoAs can share a single context. Each HA peer that has an overlapping HoA must have its own HoA VPN context.
These contexts allow the SmartEdge OS to support various deployment scenarios, which are described in the following sections:
In the most basic deployment, a single FA instance provides connectivity to all MNs while interfacing with all the HA peers. The MN HoAs do not overlap; that is, each MN has a public HoA. In this case, the configuration is simplified to make use of a single context, the FA context.
A few HA peers can allocate HoAs from a private address space while providing Internet connectivity using Network Address Translation (NAT). If so, the IP addresses of the MNs can overlap.
To configure the SmartEdge OS for this deployment, use a single context for the FA instances, HA peers, and CoAs, but exclude the HA peers that use private IP addresses. Use a separate context for each HA peer that uses a private address space.
Each HA peer is independent and can use private IP addresses. For this deployment scenario, each HA peer uses a separate context. The CoA and FA contexts can be the same.
In this scenario, an FA instance provides services to multiple mobile Internet service providers (ISPs). Each ISP owns a set of HA peers and the HoAs that belong to the same ISP do not overlap. Each ISP may use private IP addresses.
To configure this scenario, each ISP uses a separate HoA VPN context; that is, all HA peers belonging to an ISP use the same HoA VPN context. The CoA and FA contexts can be the same for each ISP.
In this scenario, the SmartEdge OS can separate MN, FA, and HA peer networks for each mobile ISP. Each ISP is like an enterprise VPN, ISP contexts are as follows:
If the backbone links are not within a nonlocal context, then the backbone connectivity is through the local context.
Mobile IP services is currently supported only for unicast traffic; broadcast and multicast traffic are not supported.
Mobile IP services is supported only on PPA2 line cards. Do not have any PPA1-based line cards on the chassis when enabling Mobile IP Services.
Mobile IP services comply with the standards found in the following documents:
To configure FA instances on the SmartEdge router and their home-agent (HA) peers, use the configuration guidelines and perform the tasks described in the following sections:
The following configuration guidelines apply when configuring Mobile IP services for an FA instance:
To create the contexts and interfaces for Mobile IP services, perform the tasks described in Table 1. These contexts and interfaces are used in subsequent configuration tasks for the FA instances, HA peers, and Mobile IP tunnels.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Optional. Create the context for the CoA interface and access context configuration mode. |
Enter this command in global configuration mode. You can use the local context instead of performing this step. For information about the context command (in global configuration mode), see Configuring Contexts and Interfaces. | |
2. |
Create the CoA interface and access interface configuration mode. |
Enter this command in context configuration mode. For information about the interface command (in context configuration mode), see Configuring Contexts and Interfaces. | |
3. |
Optional. Create an FA context for an FA instance and access context configuration mode. |
Enter this command in global configuration mode. You can use the local context instead of performing this step. | |
4. |
Create the interface for the Ethernet ports and 802.1Q VLANs that BTS MNs use to access this FA instance and access interface configuration mode. |
Enter this command in context configuration mode.(1) | |
5. |
Optional. Create an interface for an IP-in-IP tunnel and, optionally, an interface for a GRE tunnel to the HA peer, and access interface configuration mode. |
Enter this command in context configuration mode. Consider making this interface a loopback interface.(2) | |
6. |
Create a multibind last-resort interface to which the FA subscriber circuit will be bound and access interface configuration mode. |
Use the interface ifname multibind lastresort syntax. | |
7. |
Enable IP processing on an interface without assigning an explicit IP address to it. |
Use the ip unnumbered if-name syntax. The interface must be configured as an unnumbered interface.(4) | |
8. |
Optional. Create an HoA VPN context for the terminating interfaces for the IP-in IP tunnel and, optionally, a GRE tunnel for one or more HA peers and access context configuration mode. |
Enter this command in global configuration mode. You can use the local context instead of performing this step, but only HA peers that use public IP addresses or non-overlapping private IP addresses can share a single context. | |
9. |
Optional. Create an interface for an IP-in-IP tunnel and, optionally, an interface for a GRE tunnel to the HA peer and access interface configuration mode. |
Enter this command in context configuration mode. Consider making this interface a loopback interface.(5) | |
10. |
Create a multibind last-resort interface to which the FA subscriber circuit will be bound and access interface configuration mode. |
Use the interface ifname multibind lastresort syntax. | |
11. |
Enable IP processing on an interface without assigning an explicit IP address to it. |
Use the ip unnumbered if-name syntax. The interface must be configured as unnumbered.(7) | |
12. |
Exit interface configuration mode and access context configuration mode. |
|
|
13. |
Optional. Disable RADIUS authentication if services such as hotlining or other subscriber-based services are not used. |
Use the aaa authentication subscriber none syntax | |
14. |
Optional. Configure AAA subscriber authentication by Radius servers with IP addresses or host names in the current context. |
Use the aaa authentication subscriber radius syntax |
(1) This interface can be bound to an Ethernet port, an Ethernet dot1q
PVC, or an economical mode access linkgroup.
(2) If you do not complete
this step and configure a static tunnel, the Mobile IP process creates
tunnels dynamically when required.
(3) Typically, the FA subscriber circuit is bound to the last-resort
interface in the FA context. However, if the HoA peer to which the
subscriber connects is configured with a VPN context, the subscriber
circuit is bound to the last-resort interface in the HoA VPN context.
IP-in-IP and GRE tunnels that are dynamically created by the Mobile
IP process must also be bound to this interface.
(4) You need to create the interface referred to in the ip unnumbered
command. We recommend making this interface a loopback interface.
(5) If you do not complete
this step and configure a static tunnel, the Mobile IP process creates
tunnels dynamically when required.
(6) Typically, the FA subscriber circuit is bound to the last-resort
interface in the FA context. However, if the HoA peer to which the
subscriber connects is configured with a VPN context, the subscriber
circuit is bound to the last-resort interface in the HoA VPN context.
IP-in-IP and GRE tunnels that are dynamically created by the Mobile
IP process are also bound to this interface.
(7) You need
to create the interface referred to in the ip unnumbered command.
We recommend making this interface a loopback interface.
(8) Perform this task only if hotlining is not being used.
If hotlining is required, skip this step and perform step 14.
(9) Perform this task only if hotlining is required. If hotlining
is not being used, skip this step and perform step 13 only.
To configure a key chain between a foreign-agent (FA) instance and home-agent (HA) peer, perform the tasks described in Table 2. For more information about configuring key chains, see Configuring Bridging. Enter all commands in key chain configuration mode, unless otherwise noted.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Select the context for the FA instance and access context configuration mode. |
Enter this command in global configuration mode. | |
2. |
Create the key chain and access key chain configuration mode. |
Enter this command in context configuration mode. | |
3. |
Configure a key string. |
||
4. |
Specify the security parameter index (SPI) for this key chain. |
To configure an FA instance, perform the tasks described in Table 3; enter all commands in FA configuration mode, unless otherwise noted.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Select the context for the FA instance and access context configuration mode. |
Enter this command in global configuration mode. | |
2. |
Enable Mobile IP services in this context and access Mobile IP configuration mode. |
Enter this command in context configuration mode. | |
3. |
Optional. Create a dynamic tunnel profile and enter Dynamic Tunnel Profile configuration mode. |
Enter this command in Mobile IP configuration mode. | |
4. |
Optional. Clear the IP header DF flag in all packets that are transmitted on an IP-in-IP or a GRE tunnel. |
Enter this command in Dynamic Tunnel Profile configuration mode. | |
5. |
Optional. Set the MTU for packets sent to GRE tunnels. |
Enter this command in Dynamic Tunnel Profile configuration mode. | |
6. |
Optional. Specify the number of seconds for the router to wait before it brings down a dynamic tunnel that has no active bindings or visitors. |
Enter this command in Dynamic Tunnel Profile configuration mode. | |
7. |
Optional. Set the MTU for packets sent to IP-in-IP tunnels. |
Enter this command in Dynamic Tunnel Profile configuration mode. | |
8. |
Optional. Specify the number of seconds for the router to wait for a dynamic tunnel to be established before bringing the current subscriber or visitor down. |
Enter this command in Dynamic Tunnel Profile configuration mode. | |
9. |
Create or select the FA instance in this context and access FA configuration mode. |
||
10. |
Optional. Reference an existing dynamic tunnel profile. The dynamic tunnel attributes defined in this profile are applied to the dynamic tunnels that are used by this FA instance. |
||
11. |
Specify the interface for the CoA advertised by this FA instance. |
This is the interface that you created for the tunnel for this FA instance. | |
12. |
Optional. Specify the GRE tunnel type to advertise. |
The default is not to advertise optional tunnel types. | |
13. |
Optional. Configure registration revocation. |
The default is to not configure revocation support. | |
14. |
Optional. Configure the default authentication for this FA instance. |
This is the default authentication for all HA peers for this FA instance. | |
15. |
Optional. Enable (the default condition) or disable the forwarding of nonmobile IP traffic for this FA instance. |
||
16. |
Optional. Specifies the means by which the forwarding address for an MN is determined. |
||
17. |
Optional. Enable or disable MN access interface change detection using logical link control (LLC) exchange ID (XID) messages received on a circuit. |
Enable is the default. | |
18. |
Optional. Enable or disable optional or mandatory processing of an MN-FA authentication extension. |
|
Disable is the default. |
To configure an HA peer, perform the tasks described in Table 4; enter all commands in HA peer configuration mode, unless otherwise noted.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Select the context for the FA instance for this HA peer and access context configuration mode. |
Enter this command in global configuration mode. | |
2. |
Enable Mobile IP services in this context and access Mobile IP configuration mode. |
Enter this command in context configuration mode. | |
3. |
Select the FA instance in this context for the HA peer and access FA configuration mode. |
Enter this command in Mobile IP configuration mode. | |
4. |
Create or select the HA peer and access HA peer configuration mode. |
Enter this command in FA configuration mode. | |
5. |
Optional. Apply a dynamic tunnel profile. |
||
6. |
Optional. Specify the maximum number of pending registrations for this HA peer. |
||
7. |
Optional. Specify the HoA VPN context for this HA peer. |
This context contains the multibind last resort interface you configured in Section 2.2. | |
8. |
Optional. Configure the authentication for the HA peer. |
This authentication overrides the default authentication configured for the FA instance. | |
9. |
Exit HA peer configuration mode and access Mobile IP configuration mode. |
||
10. |
Exit Mobile IP configuration mode and access context configuration mode. |
To configure a Mobile IP interface for MN access, perform the tasks described in Table 5; enter all commands in Mobile IP interface configuration mode, unless otherwise noted.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Select the context for the FA instance and access context configuration mode. |
Enter this command in global configuration mode. | |
2. |
Enable Mobile IP services in this context and access Mobile IP configuration mode. |
Enter this command in context configuration mode. | |
3. |
Select an existing interface, enable it for Mobile IP services, and access Mobile IP interface configuration mode. |
This interface is the one you created for the Ethernet circuits in step 4 in Table 1. | |
4. |
Optional. Specify the maximum lifetime registration for an MN on this interface. |
||
5. |
Optional. Specify the maximum interval between advertisement messages. |
||
6. |
Optional. Specify the maximum lifetime of advertisement messages. |
||
7. |
Optional. Specify the minimum interval between advertisement messages. |
To configure the MN access to an FA instance, perform the tasks described in Table 6.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Configure the Ethernet ports and circuits on which the MNs access an FA instance. |
For information about configuring Ethernet circuits, see Configuring ATM, Ethernet, and POS Ports and Configuring Circuits. | |
2. |
Bind the Ethernet ports and circuits to the interfaces created for MN access in the FA context. |
For information about binding circuits to interfaces, see Configuring Bindings. |
You can configure AAA features and RADIUS servers for MN subscribers. For information about configuring AAA features, see Configuring Authentication, Authorization, and Accounting and Configuring RADIUS.
You must configure an IP-in-IP tunnel to each HA peer. You can also configure a GRE tunnel to each HA peer. To configure the Mobile IP tunnels, perform the tasks described in Table 7.
# |
Task |
Root Command |
Notes |
---|---|---|---|
1. |
Configure the IP-in-IP tunnels to the HA peers. |
For information about configuring IP-in-IP tunnels, see Configuring Single Circuit Tunnels. | |
2. |
Optional. Configure the GRE tunnels to the HA peers. |
For information about configuring GRE tunnels, see Configuring Single Circuit Tunnels. |
To enable or disable an FA instance, an HA peer, or MN access to the SmartEdge router, perform the task described in Table 8.
Task |
Root Command |
Notes |
---|---|---|
Optional. Disable or enable an FA instance, an HA peer, or MN access to the SmartEdge router |
Enter this command in FA, HA peer, or Mobile IP interface configuration mode. Use the no form of this command to enable an FA instance, an HA peer, or MN access to the SmartEdge router |
To monitor, administer, and troubleshoot Mobile IP features, perform the appropriate task listed in Table 9. Enter the clear and debug commands in exec mode; enter all show commands in any mode.
Task |
Root Command |
---|---|
Clear Mobile IP counters for an FA instance. |
|
Clear Mobile IP dynamic FA-HA authentication keys corresponding to the specified HA peer, FA peer, or HA local address. |
|
Clear HA peer information or only HA peer counters on an FA instance. |
|
Clear the FA instance access interface, including all Mobile IP visitors associated with the access interface or FA access interface counters. |
|
Clear one or more visitors to an FA instance. |
|
Clear all Mobile IP subscribers in the current context or all contexts. |
|
Enable the generation of debug messages for Mobile IP services on a circuit. |
|
Enable the generation of debug messages for the specified type of Mobile IP events. |
|
Enable the generation of debug messages for an FA instance. |
|
Enable the generation of debug messages for Mobile IP authentication. |
|
Enable the generation of debug messages for an FA instance. |
|
Enable the generation of debug messages for Mobile IP module interaction events, such as Router Configuration Manager (RCM) events and Interface and Circuit State Manager (ISM). |
|
Enable the generation of debug messages for the specified type of Mobile IP packets. This is a filtered debugging feature for specific source, destination, circuit, or packet types. |
|
Enable the generation of debug messages for Mobile IP I/O packet events on a kernel socket interface. |
|
Display the Mobile IP configuration. |
|
Display IP routes for MNs. |
|
Display Mobile IP information for one or more contexts. |
|
Display Mobile IP information for CoA information for an FA instance. |
|
Display Mobile IP debug settings. |
|
Display WiMAX dynamic authentication keys used by an HA or FA instance. |
|
Display information about dynamic tunnel profiles. |
|
Display Mobile IP information for one or all HA peers for an FA instance. |
|
Display information for one or more Mobile IP interfaces. |
|
Display log information for AAA, ISM events, and malformed packets. |
|
Display Mobile IP tunnel statistics. |
|
Display information about static and dynamic tunnels registered with Mobile IP services. |
|
Display a list of Mobile IP visitors to an FA instance. |
|
Display a list of pending Mobile IP visitors to an FA instance. |
The following examples show configurations for a single FA instance and HA peer with IP-in-IP tunnels, a single FA instance with multiple HA peers and IP-in-IP tunnels, and a link aggregation bundle used as an FA access interface.
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and a single HA peer, all in the local context. The interface for the IP-in-IP tunnel is unnumbered; it borrows its IP address from the CoA interface. Traffic to and from the MNs is carried on GE port 2/1:
! Create the interfaces for the CoA, the MN access, and the IP-in-IP tunnel to the HA peer, all in the local context [local]Redback(config)#context local [local]Redback(config-ctx)#interface coa loopback [local]Redback(config-if)#ip address 172.16.1.1/16 [local]Redback(config-if)#exit [local]Redback(config-ctx)#interface mn-access [local]Redback(config-if)#ip address 10.1.1.1/16 [local]Redback(config-if)#exit [local]Redback(config-ctx)# interface loop1 loopback [local]Redback(config-if)# ip address 192.168.1.1/32 [local]Redback(config-if)# exit [local]Redback(config-ctx)#interface toHA-peer [local]Redback(config-if)#ip unnumbered coa [local]Redback(config-if)#exit [local]Redback(config-ctx)# interface fa-last-resort multibind lastresort [local]Redback(config-if)#ip unnumbered loop1 [local]Redback(config-if)# exit !Disable RADIUS authentication if services such as hotlining are not used: [local]Redback(config-ctx)aaa authentication subscriber none [local]Redback(config-ctx)exit !Enable the local context and the mn-access interface for Mobile IP services [local]Redback(config-ctx)#router mobile-ip [local]Redback(config-mip)#interface mn-access [local]Redback(config-mip-if)#exit !Create the foreign agent, specify the CoA interface and create a home agent peer local]Redback(config-mip)#foreign-agent [local]Redback(config-mip-fa)#care-of-address coa [local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1 [local]Redback(config-mip-hapeer)#end ! Configure the GE port for MN traffic and bind it to the MN access interface [local]Redback#config [local]Redback(config)#port ethernet 2/1 [local]Redback(config-port)#no shutdown [local]Redback(config-port)#bind interface mn-access local [local]Redback(config-port)#exit !Configure the IP-in-IP tunnel to the HA peer using the CoA as the local endpoint ! Bind it to the HA peer interface in the local context [local]Redback(config)#tunnel ipip HApeerTnl [local]Redback(config-tunnel)#peer-end-point local 172.16.1.1 remote 172.16.2.1 [local]Redback(config-tunnel)#bind interface toHA-peer local [local]Redback(config-tunnel)#end
The following example creates an IP-in-IP tunnel and the interfaces to support an FA instance and two HA peers with overlapping IP addresses. The FA instance and tunnels are configured in the local context; each HA peer has its own VPN context. Traffic to and from the MNs is carried on the GE port 2/1:
! Create the interfaces for the CoA and the MN access interface in the local context [local]Redback(config)#context local [local]Redback(config-ctx)#interface coa loopback [local]Redback(config-if)#ip address 20.1.1.1/16 [local]Redback(config-if)#exit [local]Redback(config-ctx)#interface mn-access [local]Redback(config-if)#ip address 10.1.1.1/16 [local]Redback(config-if)# exit [local]Redback(config-ctx)# interface loop1 loopback [local]Redback(config-if)# ip address 192.168.1.1/32 [local]Redback(config-if)# exit [local]Redback(config-ctx)# interface fa-last-resort multibind lastresort [local]Redback(config-if)#ip unnumbered loop1 [local]Redback(config-if)# exit !Disable RADIUS authentication if services such as hotlining are not used: [local]Redback(config-ctx)aaa authentication subscriber none [local]Redback(config-ctx)exit ! Create the contexts and tunnel interfaces for the HA peers (HoA-VPN 1 and HoA-VPN 2) [local]Redback(config)#context hoa-vpn1 ! Create the interface for the IP-in-IP tunnel endpoint for the HA peer 1 [local]Redback(config-ctx)#interface toHApeer1 ! Use the CoA IP address for the interface [local]Redback(config-if)#ip 20.1.1.1/24 [local]Redback(config-if)#exit [local]Redback(config-ctx)# interface loop1 loopback [local]Redback(config-if)# ip address 192.168.1.1/32 [local]Redback(config-if)# exit [local]Redback(config-ctx)# interface fa-last-resort multibind lastresort [local]Redback(config-if)#ip unnumbered loop1 [local]Redback(config-if)# exit [local]Redback(config)#context hoa-vpn2 ! Create the interface for the IP-in-IP tunnel endpoint for the HA peer 2 [local]Redback(config-ctx)#interface toHApeer2 ! Use the CoA IP address for the interface [local]Redback(config-if)#ip 20.1.1.1/24 [local]Redback(config-if)#exit [local]Redback(config-ctx)# interface loop1 loopback [local]Redback(config-if)# ip address 192.168.1.1/32 [local]Redback(config-if)# exit [local]Redback(config-ctx)# interface fa-last-resort multibind lastresort [local]Redback(config-if)#ip unnumbered loop1 [local]Redback(config-if)# exit ! Enable the local context and the MN access interface for Mobile IP visitors [local]Redback(config)#context local [local]Redback(config-ctx)#router mobile-ip [local]Redback(config-mip)#interface mn-access [local]Redback(config-mip-if)#exit ! Create the foreign agent and specify the care of interface [local]Redback(config-mip)#foreign-agent [local]Redback(config-mip-fa)#care-of-address coa ! Create the first home-agent peer and specify its context [local]Redback(config-mip-fa)#home-agent-peer 172.16.2.1 [local]Redback(config-mip-hapeer)#vpn-context hoa-vpn1 [local]Redback(config-mip-hapeer)#exit ! Create the second home-agent peer and specify its context [local]Redback(config-mip-fa)#home-agent-peer 172.16.2.2 [local]Redback(config-mip-hapeer)#vpn-context hoa-vpn2 [local]Redback(config-mip-hapeer)#end ! Configure the GE port for MN traffic and bind it to the MN access interface [local]Redback#config [local]Redback(config)#port ethernet 2/1 [local]Redback(config-port)#no shutdown [local]Redback(config-port)#bind interface mn-access local [local]Redback(config-port)#exit [local]Redback(config)#port ethernet 2/2 [local]Redback(config-port)#no shutdown [local]Redback(config-port)#bind interface toHApeer1 hoa-vpn1 [local]Redback(config-port)#exit [local]Redback(config)#port ethernet 2/3 [local]Redback(config-port)#no shutdown [local]Redback(config-port)#bind interface toHApeer2 hoa-vpn2 [local]Redback(config-port)#exit ! Configure the IP-in-IP tunnels to the HA peers ! Bind them to their interfaces in the HA peer VPN contexts ! Create the IP-in-IP tunnel to the HA-1 peer, using the CoA for the local end [local]Redback(config)#tunnel ipip HApeer1Tnl [local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HoA-VPN 1 peer [local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.1 context local [local]Redback(config-tunnel)#bind interface toHApeer1 hoa-vpn1 [local]Redback(config-tunnel)#no shutdown [local]Redback(config-tunnel)#exit ! Create the IP-in-IP tunnel to the HA-2 peer; use the CoA for the local end [local]Redback(config)#tunnel ipip HApeer2Tnl [local]Redback(config-tunnel)#description IP-in-IP tunnel circuit to HoA-VPN 2 peer [local]Redback(config-tunnel)#peer-end-point local 20.1.1.1/24 remote 172.16.2.2 context local [local]Redback(config-tunnel)#bind interface toHApeer2 hoa-vpn2 [local]Redback(config-tunnel)#no shutdown [local]Redback(config-tunnel)#exit
The following example shows how to configure a link aggregation bundle as an FA access circuit and enable the interface for Mobile IP services:
! Create an 802.1Q-encapsulated access-link group [local]Redback(config)#link-group foo access economical [local]Redback(config-link-group)#encapsulation dot1q [local]Redback(config-link-group)#dot1q pvc 100 [local]Redback(config-link-group)#bind interface mip-local local ! Enable the local context and the MN access interface for Mobile IP visitors [local]Redback(config)#context local [local]Redback(config-ctx)#router mobile-ip [local]Redback(config-mip)#interface mip-local [local]Redback(config-mip-if)#exit