Cisco IOS Mobile Wireless Home Agent Command Reference

lower [upper]

One or a range of mobile host or mobile node group IP addresses. The upper end of the range is optional.

nai string

Network access identifier. The NAI can be a unique identifier (username@realm) or a group identifier (@realm).

static-address

(Optional) Indicates that a static IP address is to be assigned to the flows on this NAI. This parameter is not valid if the NAI is a realm.

addr1, addr2, ...

(Optional) One to a maximum of five IP addresses to be assigned using the static-address keyword.

local-pool name

(Optional) Name of the local pool of addresses to use for assigning a static IP address to this NAI.

address

(Optional) Indicates that a dynamic IP address is to be assigned to the flows on this NAI.

addr

(Optional) IP address to be assigned using the address keyword.

pool

(Optional) Indicates that a pool of addresses is to be used in assigning a dynamic IP address.

local name

(Optional) The name of the local pool to use in assigning addresses.

dhcp-proxy-client

(Optional) Indicates that the DHCP request should be sent to a DHCP server on behalf of the mobile node.

dhcp-server addr

(Optional) IP address of the DHCP server.

interface name

When used with DHCP, specifies the gateway address from which the DHCP server should select the address.

virtual-network network-address mask

Indicates that the mobile station resides in the specified virtual network, which was created using the ip mobile virtual-network command.

aaa

(Optional) Retrieves security associations from a AAA (TACACS+ or RADIUS) server. Allows the home agent to download address configuration details from the AAA server.

load-sa

(Optional) Caches security associations after retrieval by loading the security association into RAM. See Table 8 for details on how security associations are cached for NAI hosts and non-NAI hosts.

permanent

(Optional) Caches security associations in memory after retrieval permanently. Use this optional keyword only for NAI hosts.

authorized-pool name

(Optional) Verifies the IP address assigned to the mobile node if it is within the pool specified by the name argument.

skip-aaa-reauthentication

(Optional) When configured, the home agent does not send an access request for authentication for mobile IP re-registration requests. When disabled, the home agent sends an access request for all Mobile IP registration requests.

care-of-access access-list

(Optional) Access list. This can be a named access list or standard access list. The range is from 1 to 99. Controls where mobile nodes roam—the acceptable care-of addresses.

lifetime seconds

(Optional) Lifetime (in seconds). The lifetime for each mobile node (group) can be set to override the global value. The range is from 3 to 65535 (infinite).

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword and associated parameters were added.

12.2(13)T

The permanent keyword was added and the command was integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The authorized-pool and skip-aaa-reauthentication keywords were added.

On the router

•Security association is in router memory, resulting in fast lookup.

•For home agents supporting fewer than 1500 mobile nodes, this provides optimum authentication performance and security (keys never leave router).

•NVRAM of router is limited, cannot store many security associations. Each security association configuration takes about 80 bytes. For 125 KB NVRAM, you can store about 1500 security associations on a home agent.

On the AAA server, retrieve security association each time registration comes in

•Central administration and storage of security association on AAA server.

•If keys change constantly, administration is simplified to one server, latest keys always retrieved during registration.

•Router memory (DRAM) is conserved. Router will need memory only to load in a security association, and then release the memory when done.

•Requires network to retrieve security association, slower than other storage methods, and dependent on network and server performance.

•Multiple home agents that use one AAA server, which can become the bottleneck, can get slow response.

•Key can be snooped if packets used to retrieve from AAA are not encrypted (for example, using RADIUS or unencrypted TACACS+ mode).

On the AAA server, retrieve and store security association

•AAA acts as an offload configuration server, security associations are loaded into router DRAM, which is more abundant (for example, 16 MB, 32 MB, 64 MB) when the first registration comes in. Each security association takes only about 50 bytes of DRAM, so 10,000 mobile nodes will use up 0.5 MB.

•If keys remain fairly constant, once security associations are loaded, home agent authenticates as fast as when stored on the router.

•Only security associations that are needed are loaded into router memory. Mobile nodes that never register will not waste memory.

•If keys change on the AAA server after the mobile node registered, then you need to use clear ip mobile secure command to clear and load in new security association from AAA, otherwise the security association of the router is stale.

aaa

Security associations are deleted after authentication and are not cached.

Security associations are deleted after authentication and are not cached.

aaa load-sa

The security association is cached while the mobile node is registered. If the mobile node's registration is deleted, the security association is removed.

Security associations are cached permanently.

aaa load-sa permanent

Security associations are cached permanently after being retrieved from the AAA server.

—

aaa authorization ipmobile

Authorizes Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS.

clear ip mobile secure

Clears and retrieves remote security associations.

ip mobile proxy-host

Locally configures the proxy Mobile IP attributes

ip mobile secure

Specifies the mobility security associations for mobile host, visitor, home agent, and foreign agent.

show ip mobile host

Displays mobile node counters and information.

12.3(7)XJ

This command was introduced.

12.4(11)T

This command was integrated into Cisco IOS Release 12.4(11)T.

realm

Name of the specified realm.

vrf vrf name

Enables VRF support for a specific group.

ha-addr ip-address

IP address of the Home Agent.

aaa-group

(Optional) Denotes a AAA group.

accounting aaa-acct-group

(Optional) Specifies a AAA accounting group.

authentication aaa-auth-group

(Optional) Specifies a AAA authentication group.

dns dynamic-update method word

(Optional) Enables the DNS Update procedure for the specified realm. word is the dynamic DNS update method name.

dns server primary dns server address secondary dns server address

(Optional) Enables you to locally configure the DNS Server address.

assign

(Optional) Enables this feature for the specified realm.

hotline

(Optional) Enables Hotlining of the mobile hosts.

12.3(7)XJ.

This command was introduced.

12.3(14)YX

The dns server assign, and dns dynamic-update method variables were introduced.

12.4(11)T

This command was integrated into Cisco IOS Release 12.4(11)T.

aaa-download

Downloads security association from AAA at every timer interval.

host

Security association of the mobile host on the home agent.

visitor

Security association of the mobile host on the foreign agent.

home-agent

Security association of the remote home agent on the foreign agent.

foreign-agent

Security association of the remote foreign agent on the home agent.

proxy-host

Security association of the proxy Mobile IP users. This keyword is only available on Packet Data Serving Node (PDSN) platforms.

lower-address

IP address of a host or lower range of IP address pool.

upper-address

(Optional) Upper range of an IP address pool. If specified, security associations for multiple hosts are configured. The value used in the upper-address argument must be greater than that used in the lower-address argument.

nai string

Network access identifier of the mobile node. The nai string is valid only for a host, visitor, and proxy host.

inbound-spi spi-in

Security parameter index used for authenticating inbound registration packets. Range is from 0x100 to 0xffffffff.

outbound-spi spi-out

Security parameter index used for calculating the authenticator in outbound registration packets. Range is from 0x100 to 0xffffffff.

spi spi

Bidirectional SPI. Range is from 0x100 to 0xffffffff.

key hex string

ASCII string of hexadecimal values. No spaces are allowed.

replay

(Optional) Specifies replay protection used on registration packets.

timestamp

(Optional) Validates incoming packets to ensure that they are not being "replayed" by a spoofer using the timestamp method.

number

(Optional) Number of seconds. Registration is valid if received within the router's clock +/- 7 seconds. This means the sender and receiver are in time synchronization (NTP can be used).

algorithm

(Optional) Algorithm used to authenticate messages during registration.

md5

(Optional) Message Digest 5.

hmac-md5

(Optional) Hash-based message authentication code (HMAC) message digest 5.

mode

(Optional) Mode used to authenticate during registration.

prefix-suffix

(Optional) The key is used to wrap the registration information for authentication (for example, key registration information key) to calculate the message digest.

12.0(1)T

This command was introduced.

12.2

The lower-address and upper-address arguments were added.

12.2(2)XC

The nai keyword was added.

12.2(13)T

The hmac-md5 keyword was added and this command was integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The proxy-host keyword was added for PDSN platforms.

ip mobile host

Configures the mobile host or mobile node group.

ip mobile proxy-host

Configures the proxy Mobile IP attributes.

ntp server

Allows the system clock to be synchronized by a time server.

show ip mobile secure

Displays the mobility security associations for mobile host, mobile visitor, foreign agent, or home agent.

crypto map

Enables encryption or decryption on new tunnels. This keyword is only available on platforms running specific Packet Data Serving Node (PDSN) code images.

map-name

The name of the crypto map. This argument is available only on platforms running specific PDSN code images.

route-cache

Sets tunnels to fast-switching mode.

cef

Sets tunnels to Cisco Express Forwarding (CEF) switching mode if CEF is enabled on the router.

path-mtu-discovery

Specifies when the tunnel MTU should expire if set by Path MTU Discovery.

age-timer minutes

(Optional) Time interval in minutes after which the tunnel reestimates the path MTU.

infinite

(Optional) Turns off the age timer.

nat

Applies Network Address Translation (NAT) on the tunnel interface.

inside

Sets the dynamic tunnel as the inside interface for NAT.

outside

Sets the dynamic tunnel as the outside interface for NAT.

route-map map-tag

Defines a meaningful name for the route map.

12.0(1)T

This command was introduced.

12.1(1)T

The nat, inside, and outside keywords were added.

12.2T

The cef keyword was added.

12.2(13)T

The route-map keyword and map-tag argument were added.

12.3(4)T

The crpto map keyword and map-name argument were added for PDSN platforms.

ip cef

Enables CEF on the RP card.

show ip mobile tunnel

Displays active tunnels.

net

Network associated with the IP address of the virtual network.

mask

Mask associated with the IP address of the virtual network.

address address

(Optional) IP address of a home agent on a virtual network.

12.0(1)T

This command was introduced.

12.0(2)T

The address keyword and address argument were added.

ip mobile host

Configures the mobile host or mobile node group.

redistribute mobile

Redistributes routes from one routing domain into another routing domain.

format

(Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).

12.1 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

hostname

Domain Name System (DNS) name of the RADIUS server host.

ip-address

IP address of the RADIUS server host.

test username

(Optional) Turns on the automated testing feature for RADIUS server load balancing.

user-name

(Optional) Test user ID username.

•Must be used if the test username keyword is used.

---

Caution It is recommended that a test user, one that is not defined on the RADIUS server, be used for RADIUS server automated testing to protect against security issues that may arise if the test user is not correctly configured.

---

auth-port

(Optional) Specifies the UDP destination port for authentication requests.

port-number

(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1645.

ignore-auth-port

(Optional) Turns off the automated testing feature for RADIUS server load balancing on the authentication port.

acct-port

(Optional) Specifies the UDP destination port for accounting requests.

port-number

(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.

ignore-acct-port

(Optional) Turns off the automated testing feature for RADIUS server load balancing on the accounting port.

timeout

(Optional) The time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used. Enter a value in the range 1 to 1000.

seconds

(Optional) Specifies the timeout value. Enter a value in the range 1 to 1000. If no timeout value is specified, the global value is used.

retransmit

(Optional) The number of times a RADIUS request is re-sent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.

retries

(Optional) Specifies the retransmit value. Enter a value in the range 1 to 100. If no retransmit value is specified, the global value is used.

key

(Optional) Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.

The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command syntax. This is because the leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

string

(Optional) Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

alias

(Optional) Allows up to eight aliases per line for any given RADIUS server.

idle-time

(Optional) Specifies the time the server remains idle before it is quarantined and test packets are sent out.

seconds

(Optional) Length of idle time.

•Default is 3600 seconds (1 hour).

The valid range is 1-35791 seconds.

11.1

This command was introduced.

12.0(5)T

This command was modified to add options for configuring timeout, retransmission, and key values per RADIUS server.

12.1(3)T

The alias keyword was added on the Cisco AS5300 and AS5800 universal access servers.

12.2(28)SB

The following keywords and arguments were added for configuring RADIUS server load balancing automated testing functionality: test username user-name, ignore-auth-port, ignore-acct-port, and idle-time seconds.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

This command was integrated into Cisco IOS Release 12.4(11)T.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication ppp

Specifies one or more AAA authentication method for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict network access to a user.

debug aaa test

Shows when the idle-timer or dead-timer has expired for RADIUS server load balancing.

load-balance

Enables RADIUS server load balancing for named RADIUS server groups.

ppp

Starts an asynchronous connection using PPP.

ppp authentication

Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.

radius-server key

Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.

radius-server load-balance

Enables RADIUS server load balancing for the global RADIUS server group.

radius-server retransmit

Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval a router waits for a server host to reply.

test aaa group

Tests RADIUS load balancing server response manually.

username

Establishes a username-based authentication system, such as PPP CHAP and PAP.

12.0(1)T

This command was introduced.

show ip mobile globals

Displays global information for mobile agents.

show ip protocols

Displays the parameters and current state of the active routing protocol process.

show processes

Displays information about the active processes.

home-agent

(Optional) Mobility bindings for a specific home agent (HA).

ip-address

(Optional) IP address for the HA.

nai string

(Optional) Mobile node (MN) identified by the network access identifier (NAI).

session-id string

(Optional) Session identifier. The string argument must be fewer than 25 characters in length.

summary

(Optional) Total number of bindings in the table.

12.0(1)T

This command was introduced.

12.0(2)T

The home-agent keyword and ip-address argument were added.

12.1(2)T

The summary keyword was added.

12.2(2)XC

The nai keyword was added.

12.2(13)T

This command was enhanced to display the service options field and to include information about the mobile networks registered on the home agent.

12.3(4)T

The session-id keyword was added.

12.3(8)T

The output was enhanced to display UDP tunneling information.

12.4(9)T

The output was enhanced to display multipath support.

Total

Total number of mobility bindings.

<IP Address>

Home IP address of the mobile node. The NAI is displayed if configured.

Care-of Addr

Care-of address of the mobile node.

Src Addr

IP source address of the registration request as received by the home agent. Will be either the colocated care-of address of a mobile node or an address on the foreign agent or the active HA address. If it is the active HA address, then this is a binding update from the active HA to the standby HA and not a registration directly received from the MN or FA.

Lifetime granted

The lifetime (in hh:mm:ss) granted to the mobile node for this registration. Number of seconds appears in parentheses.

remaining

The time (in hh:mm:ss) remaining until the registration expires. It has the same initial value as lifetime granted and is counted down by the home agent.

Flags

Services requested by the mobile node. The mobile node requests these services by setting bits in the registration request. Uppercase characters denote bit set.

Identification

Identification used in that binding by the mobile node. This field has two purposes: unique identifier for each request and replay protection.

Tunnel

The tunnel used by the mobile node is characterized by the source and destination addresses and reverse-allowed or reverse-off for reverse tunnel. The default encapsulation is IP-in-IP. The mobile node can request GRE.

Routing Options

Routing options identify the services that the home agent is currently providing. The mobile node must request these services in its registration request by setting the services flag (see Flags field description). For example, the V bit may have been requested by the mobile node (shown in the Flags field), but the home agent will not provide such service. Possible options are B (broadcast), D (direct-to-mobile node), G (GRE), and T (reverse-tunnel).

Service Options

Service options configured.

NAT detect

Indicates that the mobile node is registering from behind a NAT-enabled router.

Mobile Networks

Mobile networks configured or registered on the home agent. D denotes dynamic (registered) mobile networks, and S denotes static (configured) mobile networks.

Session identifier

The ID used to uniquely identify a Mobile IP flow.

SPI

The security parameter index (SPI) is the 4-byte opaque index within the mobility security association that selects the specific security parameters to be used to authenticate the peer.

MD5

Message Digest 5 authentication algorithm. HMAC-MD5 is displayed if configured.

Prefix-suffix

Authentication mode.

Timestamp

Replay protection method.

root key

Dynamic key based on the Microsoft Windows password shared between the mobile node and AAA or Windows domain controller or active directory. Once a mobile node registers, this key is established until the binding persists on the home agent. Subsequent registration requests can be authenticated using the root key.

session key

Dynamic key that is derived using the root key. This key can be refreshed, and the refreshed keys are based off the root key. Subsequent registration renewal messages can be authenticated using the session key. The period or frequency for the session key refresh is determined by the mobile node. Registration requests that also request session key refresh are authenticated using the root key.

Roaming IF Attributes

Attributes associated with the roaming interface. BW denotes the bandwidth of the roaming interface.

Description

Description of the roaming interface on the mobile router.

Multi-path Metric bandwidth

Metric that the mobile router uses for multipath support.

debug ip mobile

Displays IP mobility activities.

ip mobile foreign-agent nat traversal

Enables NAT UDP traversal support for Mobile IP foreign agents.

ip mobile home-agent nat traversal

Enables NAT UDP traversal support for Mobile IP HAs.

show ip mobile globals

Displays global information about Mobile IP home agents, foreign agents, and mobile nodes.

show ip mobile tunnel

Displays information about UDP tunneling.

show ip mobile visitor

Displays the table that contains a visitor list of foreign agents.

ip address

IP address of the Home agent

home-agent address

(Optional) IP address of mobile node.

nai string

(Optional) Network access identifier.

summary

(Optional) Displays the total number of bindings that are VRF-enabled.

vrf

(Optional) VRF of the user.

realm

(Optional) Displays the vrf realm.

12.0(1)T

This command was introduced.

12.0(2)T

The following keyword and argument were added:

•home-agent address

12.1(2)T

The summary keyword was added.

12.2(2)XC

The nai keyword was added.

12.3(7)XJ

This command was modified to display VRF related info if the realm of the NAI is under a VRF.

12.4(15)T

This command was integrated into Cisco IOS Release 12.4(15)T.

Total

Total number of mobility bindings.

IP address

Home IP address of the mobile node.

Care-of Addr

Care-of address of the mobile node.

Src Addr

IP source address of the Registration Request as received by the Home Agent. Will be either the collocated care-of address of a mobile node or an address of the Foreign Agent.

Lifetime granted

The lifetime granted to the mobile node for this registration. Number of seconds in parentheses.

Lifetime remaining

The time remaining until the registration is expired. It has the same initial value as lifetime granted, and is counted down by the Home Agent.

Flags

Registration flags sent by mobile node. Uppercase characters denote bit set.

Identification

Identification used in that binding by the mobile node. This field has two purposes: unique identifier for each request, and replay protection.

Tunnel

The tunnel used by the mobile node is characterized by the source and destination addresses, and reverse-allowed or reverse-off for reverse tunnel. The default is IPIP encapsulation, otherwise GRE will be displayed in the Routing Options field.

Routing Options

Routing options list all Home Agent-accepted services. For example, the V bit may have been requested by the mobile node (shown in the Flags field), but the Home Agent will not provide such service. Possible options are B (broadcast), D (direct-to-mobile node), G (GRE), and T (reverse-tunnel).

ip address

IP address of the Home agent

home-agent address

(Optional) IP address of mobile node.

nai string

(Optional) Network access identifier.

summary

(Optional) Displays the total number of bindings that are VRF-enabled.

vrf

(Optional) VRF of the user.

realm

(Optional) Displays the vrf realm.

12.0(1)T

This command was introduced.

12.0(2)T

The following keyword and argument were added:

•home-agent address

12.1(2)T

The summary keyword was added.

12.2(2)XC

The nai keyword was added.

12.3(7)XJ

This command was modified to display VRF related info if the realm of the NAI is under a VRF.

12.4(15)T

This command was integrated into Cisco IOS Release 12.4(15)T.

Total

Total number of mobility bindings.

IP address

Home IP address of the mobile node.

Care-of Addr

Care-of address of the mobile node.

Src Addr

IP source address of the Registration Request as received by the Home Agent. Will be either the collocated care-of address of a mobile node or an address of the Foreign Agent.

Lifetime granted

The lifetime granted to the mobile node for this registration. Number of seconds in parentheses.

Lifetime remaining

The time remaining until the registration is expired. It has the same initial value as lifetime granted, and is counted down by the Home Agent.

Flags

Registration flags sent by mobile node. Uppercase characters denote bit set.

Identification

Identification used in that binding by the mobile node. This field has two purposes: unique identifier for each request, and replay protection.

Tunnel

The tunnel used by the mobile node is characterized by the source and destination addresses, and reverse-allowed or reverse-off for reverse tunnel. The default is IPIP encapsulation, otherwise GRE will be displayed in the Routing Options field.

Routing Options

Routing options list all Home Agent-accepted services. For example, the V bit may have been requested by the mobile node (shown in the Flags field), but the Home Agent will not provide such service. Possible options are B (broadcast), D (direct-to-mobile node), G (GRE), and T (reverse-tunnel).

12.0(1)T

This command was introduced.

12.2(13)T

This command was enhanced to display the NAT detect field and the Strip realm domain field.

12.2(15)T

This command was enhanced to display the HA Accounting field.

12.3(7)T

This command was enhanced to display information about foreign agent route optimization.

12.3(8)T

This command was enhanced to display information about UDP tunneling.

12.4(9)T

This command was enhanced to display information about multipath support.

Registration lifetime

Default lifetime (in hh:mm:ss) for all mobile nodes. Number of seconds given in parentheses.

Roaming access list

Determines which mobile nodes are allowed to roam. Displayed if defined.

Care-of access list

Determines which care-of addresses are allowed to be accepted. Displayed if defined.

Broadcast

Whether broadcast is enabled or disabled.

Replay protection time

Time, in seconds, that the time stamp on a registration request (RRQ) from a mobile node may differ from the router's internal clock.

Reverse tunnel

Whether reverse tunnel is enabled or disabled.

ICMP Unreachable

Sends ICMP unreachable messages, which are enabled or disabled for the virtual network.

Strip realm

Whether strip realm is enabled or disabled.

NAT detect

Whether NAT detect is enabled or disabled. If NAT detect is enabled, the home agent can detect a registration request that has traversed a NAT-enabled device and can apply a tunnel to reach the Mobile IP client.

HA Accounting

Whether home agent accounting is enabled or disabled.

NAT UDP Tunneling support

Whether NAT UDP tunneling is enabled or disabled on the home agent.

UDP Tunnel Keepalive

Keepalive interval, in seconds, configured on the home agent that avoids a NAT translation entry on a NAT device from expiring when there is no active Mobile IP data traffic going through the UDP tunnel.

Forced UDP Tunneling

Whether the home agent is configured to accept forced UDP tunneling.

Address

Home agent address.

Virtual networks

Lists virtual networks serviced by the home agent. Displayed if defined.

Multiple Path Support

Whether multiple path support is enabled or disabled.

Pending registrations expire after

The amount of time, in seconds, before a pending registration will time out.

Care-of addresses advertised

Displayed if care-of addresses are defined.

Mobile network route injection

Mobile network route injection can be enabled or disabled.

Mobile network route redistribution

Mobile network route redistribution can be enabled or disabled.

Mobile network route injection access list

The name of the access list used if mobile network route injection is enabled.

NAT UDP Tunneling support

Whether NAT UDP tunneling is enabled or disabled on the foreign agent

UDP Tunnel Keepalive

Keepalive interval, in seconds, configured on the foreign agent that avoids a NAT translation entry on a NAT device from expiring when there is no active Mobile IP data traffic going through the UDP tunnel.

Forced UDP Tunneling

Whether the foreign agent is configured to force UDP tunneling.

up, interface-only, transmit-only

Up status is displayed if the foreign agent is configured to function in an asymmetric link environment. Interface-only status is displayed if the foreign agent is configured to advertise only its own address as the care-of address in an asymmetric link environment. Transmit-only status is displayed if the foreign agent is configured to transmit only from the interface in an asymmetric link environment.

Number of interfaces providing service

See the show ip mobile interface command for more information on the interfaces providing service. Agent advertisements are sent when ICMP Router Discovery Protocol (IRDP) is enabled.

Encapsulations supported

The encapsulation types that are supported. Possible encapsulation types are IPIP and GRE.

Tunnel fast switching

Whether tunnel fast switching is enabled or disabled.

cef switching

Whether CEF switching is enabled or disabled.

Discovered tunnel MTU

Aged out after amount of time (in hh:mm:ss).

show ip mobile interface

Displays advertisement information for interfaces that are providing foreign agent service or that are home links for mobile nodes.

address

(Optional) IP address of specific mobile node. If not specified, information for all mobile nodes is displayed.

interface interface

(Optional) Displays all mobile nodes whose home network is on this interface.

network address

(Optional) Displays all mobile nodes residing on this network or virtual network.

nai string

(Optional) Network access identifier.

group

(Optional) Displays all mobile node groups configured using the ip mobile host command.

summary

(Optional) Displays all values in the table.

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword was added.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

IP address

Home IP address of the mobile node. The network access identifier (NAI) is displayed if configured.

Allowed lifetime

Allowed lifetime (in hh:mm:ss) of the mobile node. By default, it is set to the global lifetime (ip mobile home-agent lifetime command). Setting this lifetime will override global value.

Roaming status

When the mobile node is registered, the roaming status is - Registered - ; otherwise, it is - Unregistered -. Use the show ip mobile binding command for more information when the user is registered.

Home link

Interface or virtual network.

Accepted

Total number of service requests for the mobile node accepted by the home agent.

Last time

The time at which the most recent registration request was accepted by the home agent for this mobile node.

Overall service time

Overall service time that has accumulated for the mobile node since the router has booted or cleared.

Denied

Total number of service requests for the mobile node denied by the home agent (sum of all registrations denied with Code 128 through Code 159).

Last time

The time at which the most recent registration request was denied by the home agent for this mobile node.

Last code

The code indicating the reason why the most recent registration request for this mobile node was rejected by the home agent.

Total violations

Total number of security violations.

Tunnel to mobile node

Number of packets and bytes tunneled to mobile node.

Reverse tunnel from mobile node

Number of packets and bytes reverse tunneled from mobile node.

NAI string

NAI associated with the mobile node.

Bindings

Addresses currently assigned to the NAI.

IP address

Mobile host IP address or grouping of addresses.

Home link

Interface or virtual network.

Care-of ACL

Care-of address access list.

Security association

Router or AAA server.

Allowed lifetime

Allowed lifetime for mobile host or group.

clear ip mobile host-counters

Clears the mobile node counters.

show ip mobile binding

Displays the mobility binding table.

host

Displays security association of the mobile host on the home agent.

visitor

Displays security association of the mobile visitor on the foreign agent.

foreign-agent

Displays security association of the remote foreign agents on the home agent.

home-agent

Displays security association of the remote home agent on the foreign agent.

proxy-host

Displays security association of the proxy mobile user. This keyword is only available on Packet Data Serving Node (PDSN) platforms running specific PDSN code images.

summary

Displays number of security associations in table.

ip-address

IP address.

nai string

Network access identifier (NAI).

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword was added.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The proxy-host keyword was added for PDSN platforms.

10.0.0.6

IP address. The NAI is displayed if configured.

In/Out SPI

The SPI is the 4-byte opaque index within the mobility security association that selects the specific security parameters to be used to authenticate the peer. Allows either "SPI" or "In/Out SPI." The latter specifies an inbound and outbound SPI pair. If an inbound SPI is received, then outbound SPI will be used when a response is sent.

MD5

Message Digest 5 authentication algorithm. HMAC-MD5 id displayed if configured.

Prefix-suffix

Authentication mode.

Timestamp

Replay protection method.

Key

The shared secret key for the security associations, in hexadecimal format.

12.0(1)T

This command was introduced.

12.2(13)T

This command was enhanced to display successful registration requests with NAT detect and to display information about foreign agent reverse tunnels and foreign agent challenge and response extensions.

12.3(14)T

The command output was enhanced to display the count of UDP Port 434 input packets that were dropped by UDP.

Port: 434 (Mobile IP) input drops

Total number of UDP Port 434 (Mobile IP) packets dropped by UDP processing due to a full input queue. These packets are not processed by the home agent or foreign agent and so are not otherwise counted or displayed by Mobile IP. This count is the same count displayed by using the show ip socket detail command.

Solicitations received

Total number of solicitations received by the mobility agent.

Advertisements sent

Total number of advertisements sent by the mobility agent.

response to solicitation

Total number of advertisements sent by the mobility agent in response to mobile node solicitations.

Register requests

Total number of registration requests received by the home agent.

Deregister requests

Total number of registration requests received by the home agent with a lifetime of zero (requests to deregister).

Register replied

Total number of registration replies sent by the home agent.

Deregister replied

Total number of registration replies sent by the home agent in response to requests to deregister.

Accepted

Total number of registration requests accepted by the home agent (Code 0).

No simultaneous bindings

Total number of registration requests accepted by the home agent—simultaneous mobility bindings unsupported (Code 1).

Denied

Total number of registration requests denied by the home agent.

Ignored

Total number of registration requests ignored by the home agent.

Unspecified

Total number of registration requests denied by the home agent—reason unspecified (Code 128).

Unknown HA

Total number of registration requests denied by the home agent—unknown home agent address (Code 136).

Administrative prohibited

Total number of registration requests denied by the home agent—administratively prohibited (Code 129).

No resource

Total number of registration requests denied by the home agent—insufficient resources (Code 130).

Authentication failed MN

Total number of registration requests denied by the home agent—mobile node failed authentication (Code 131).

Authentication failed FA

Total number of registration requests denied by the home agent—foreign agent failed authentication (Code 132).

Bad identification

Total number of registration requests denied by the home agent—identification mismatch (Code 133).

Bad request form

Total number of registration requests denied by the home agent—poorly formed request (Code 134).

Unavailable encap

Total number of registration requests denied by the home agent—unavailable encapsulation (Code 139).

Reverse tunnel mandatory

Total number of registration requests denied by the home agent—reverse tunnel is mandatory and the "T" bit is not set (Code 138).

Unavailable reverse tunnel

Total number of registration requests denied by the home agent—reverse tunnel unavailable (Code 137).

Binding updates

A Mobile IP standby message sent from the active router to the standby router when a registration request comes into the active router.

Binding update acks

A Mobile IP standby message sent from the standby router to the active router to acknowledge the reception of a binding update.

Binding info request

A Mobile IP standby message sent from a router coming up from reboot/or a down interface. The message is a request to the current active router to send the entire Mobile IP binding table.

Binding info reply

A reply from the active router to the standby router that has part or all of the binding table (depending on size).

Binding info reply acks

An acknowledge message from the standby router to the active router that it has received the binding info reply.

Gratuitous ARP

Total number of gratuitous ARPs sent by the home agent on behalf of mobile nodes.

Proxy ARPs sent

Total number of proxy ARPs sent by the home agent on behalf of mobile nodes.

Total incoming registration requests...

Total number incoming registration requests using NAT detect.

Request in

Total number of registration requests received by the foreign agent.

Forwarded

Total number of registration requests relayed to the home agent by the foreign agent.

Denied

Total number of registration requests denied by the foreign agent.

Ignored

Total number of registration requests ignored by the foreign agent.

Unspecified

Total number of registration requests denied by the foreign agent—reason unspecified (Code 64).

HA unreachable

Total number of registration requests denied by the foreign agent—home agent unreachable (Codes 80-95).

Administrative prohibited

Total number of registration requests denied by the foreign agent— administratively prohibited (Code 65).

No resource

Total number of registration requests denied by the home agent—insufficient resources (Code 66).

Bad lifetime

Total number of registration requests denied by the foreign agent—requested lifetime too long (Code 69).

Bad request form

Total number of registration requests denied by the home agent—poorly formed request (Code 70).

Unavailable encapsulation

Total number of registration requests denied by the home agent—unavailable encapsulation (Code 72).

Unavailable compression

Total number of registration requests denied by the foreign agent—requested Van Jacobson header compression unavailable (Code 73).

Unavailable reverse tunnel

Total number of registration requests denied by the home agent—reverse tunnel unavailable (Code 74).

Reverse tunnel mandatory

Total number of registration requests denied by the foreign agent—reverse tunnel is mandatory and the "T" bit is not set (Code 75).

Replies in

Total number of well-formed registration replies received by the foreign agent.

Forwarded

Total number of valid registration replies relayed to the mobile node by the foreign agent.

Bad

Total number of registration replies denied by the foreign agent—poorly formed reply (Code 71).

Ignored

Total number of registration replies ignored by the foreign agent.

Authentication failed MN

Total number of registration requests denied by the home agent—mobile node failed authentication (Code 67).

Authentication failed HA

Total number of registration replies denied by the foreign agent—home agent failed authentication (Code 68).

Received challenge/gen. authentication extension, feature not enabled

Total number of registration requests dropped by the foreign agent—received challenge/generalized-authentication extension in registration request but Mobile IP foreign agent challenge/response extension is not enabled.

Unknown challenge

Total number of registration requests denied by the foreign agent—unknown challenge (Code 104).

Missing Challenge

Total number of registration requests denied by the foreign agent—missing challenge (Code 105).

Stale Challenge

Total number of registration requests denied by the foreign agent—stale challenge (Code 106).

interface

(Optional) Displays a particular tunnel interface. The interface argument is tunnel x.

12.0(1)T

This command was introduced.

12.2(13)T

The output was enhanced to display route maps configured on the home agent.

12.2(15)T

The output was enhanced to display tunnel templates for multicast configured on the home agent or mobile router.

12.3(8)T

The output was enhanced to display UDP tunneling.

12.4(9)T

The command was enhanced to display information about multipath support.

src

Tunnel source IP address.

dest

Tunnel destination IP address.

Key

Identifies the tunnel when there are multiple tunnels between the same end points (source address and destination address) for multipath support. This situation can occur if a mobile router registers through foreign agents on different interfaces. All of the HA-MR tunnels would have the same end points.

encap

Tunnel encapsulation type.

mode

Either reverse-allowed or reverse-off for reverse tunnel mode.

tunnel-users

Number of users on the tunnel.

HA created

Entity that created the tunnel. This field can be one of three values: HA created, FA created, or MR created.

fast switching

Enabled or disabled.

ICMP unreachable

Enabled or disabled.

packets input

Number of packets in.

bytes

Number of bytes in.

drops

Number of packets dropped. Packets are dropped when there are no visitors to send to after the foreign agent deencapsulates incoming packets. This prevents loops because the foreign agent will otherwise route the de-encapsulated packets back to the home agent.

packets output

Number of packets output.

bytes

Number of bytes output.

Route Map is

Name of the route map.

Running template configuration

If tunnel templates for multicast are enabled or disabled, this information is displayed or absent, respectively.

show ip mobile binding

Displays the mobility binding table.

show ip mobile host

Displays mobile node information.

show ip mobile visitor

Displays the table that contains a visitor list of foreign agents.

address

(Optional) Displays violations from a specific IP address.

nai string

(Optional) Network access identifier.

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword and associated parameters were added.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

IP address

IP address of the violator. The network access identifier (NAI) is displayed if configured.

Violations

Total number of security violations for this peer.

Last time

Time of the most recent security violation for this peer.

SPI

SPI of the most recent security violation for this peer. If the security violation is due to an identification mismatch, then this is the SPI from the mobile-home authentication extension. If the security violation is due to an invalid authenticator, then this is the SPI from the offending authentication extension. In all other cases, it should be set to zero.

Identification

Identification used in request or reply of the most recent security violation for this peer.

Error Code

Error code in request or reply.

Reason Codes

Reason for the most recent security violation for this peer. Possible reasons are:

•(1) No mobility security association

•(2) Bad authenticator

•(3) Bad identifier

•(4) Bad SPI

•(5) Missing security extension

•(6) Other

vrf-name

Name assigned to the VRF.

connected

(Optional) Displays all connected routes in a VRF.

protocol

(Optional) To specify a routing protocol, use one of the following keywords: bgp, egp, eigrp, hello, igrp, isis, ospf, or rip.

as-number

(Optional) Autonomous system number.

tag

(Optional) Cisco IOS routing area label.

output-modifiers

(Optional) For a list of associated keywords and arguments, use context-sensitive help.

ip-prefix

(Optional) Specifies a network to display.

list number

(Optional) Specifies the IP access list to display.

profile

(Optional) Displays the IP routing table profile.

static

(Optional) Displays static routes.

summary

(Optional) Displays a summary of routes.

supernets-only

(Optional) Displays supernet entries only.

12.0(5)T

This command was introduced.

12.2(2)T

The ip-prefix argument was added. The output from the show ip route vrf vrf-name ip-prefix command was enhanced to display information on the multipaths to the specified network.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.0(22)S

Enhanced Interior Gateway Routing Protocol (EIGRP) VRF support was added.

12.2(15)T

EIGRP VRF support was integrated into Cisco IOS Release 12.2(15)T.

12.2(18)S

EIGRP VRF support was integrated into Cisco IOS Release 12.2(18)S.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

The output was enhanced to display remote label information and corresponding MPLS flags for prefixes that have remote labels stored in the Routing Information Base (RIB).

Routing entry for 10.22.22.0/24

Network number.

Known via ...

Indicates how the route was derived.

distance

Administrative distance of the information source.

metric

The metric to reach the destination network.

Tag

Integer that is used to implement the route.

type

Indicates that the route is an L1 type or L2 type route.

Last update from 10.22.5.10

Indicates the IP address of a router that is the next hop to the remote network and the router interface on which the last update arrived.

00:01:07 ago

Specifies the last time the route was updated (in hours:minutes:seconds).

Routing Descriptor Blocks:

Displays the next hop IP address followed by the information source.

10.22.6.10, from 10.11.6.7, 00:01:07 ago

Indicates the next hop address, the address of the gateway that sent the update, and the time that has elapsed since this update was received (in hours:minutes:seconds).

Route metric

This value is the best metric for this routing descriptor block.

traffic share count

Number of uses for this routing descriptor block.

AS Hops

Number of hops to the destination or to the router where the route first enters internal BGP (iBGP).