Foreign Agent Configuration
Problem
You want to configure a Foreign Agent router for IP Mobility to support one or more roaming Mobile Nodes.
Solution
Here is a minimal configuration for a Foreign Agent to support Mobile Nodes:
RouterForeign#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterForeign(config)#router mobile
RouterForeign(config-router)#exit
RouterForeign(config)#router eigrp 99
RouterForeign(config-router)#network 192.168.110.0
RouterForeign(config-router)#no auto-summary
RouterForeign(config-router)#exit
RouterForeign(config)#interface Ethernet0/0
RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0
RouterForeign(config-if)#ip irdp
RouterForeign(config-if)#ip mobile foreign-service
RouterForeign(config-if)#exit
RouterForeign(config)#ip mobile foreign-agent care-of Ethernet0/0
RouterForeign(config)#end
RouterForeign#
Discussion
Throughout this recipe, when we refer to the Home Agent, we mean the configuration shown in the previous recipe. The Discussion in this recipe follows directly from Recipe 24.2.
The configuration for a Foreign Agent router is considerably simpler than what we saw in Recipe 24.2 for a Home Agent, but there are several points that you have to make sure to cover. The first thing that we have done in the configuration in the Solution section is enable IP Mobility support and configure this router to take part in the same routing protocol as the Home Agent:
RouterForeign(config)#router mobile
RouterForeign(config-router)#exit
RouterForeign(config)#router eigrp 99
RouterForeign(config-router)#network 192.168.110.0
RouterForeign(config-router)#no auto-summary
RouterForeign(config-router)#exit
Naturally, you could run IP Mobility across a large network, or even across the public Internet, as long as you were able to exchange routing information between the Home and Foreign Agent routers. We show them here as belonging to the same IGP Autonomous System for simplicity.
The one thing that you should note from the EIGRP configuration section is that we have not included a command to redistribute mobile routes into EIGRP. This is because the Home Agent will do all of the redistribution.
Next we configure the interface that will support the Mobile Nodes:
RouterForeign(config)#interface Ethernet0/0
RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0
RouterForeign(config-if)#ip irdp
RouterForeign(config-if)#ip mobile foreign-service
The ip irdp command enables ICMP Router Discovery Protocol, which is defined in RFC 1256. This is a very simple protocol that just sends out ICMP packets onto the network, allowing routers to advertise their services and end nodes to learn about available routers on the network segment. There are two types of IRDP messages. Routers will periodically advertise themselves using Advertisement packets, and other nodes can send IRDP Solicitation packets to try to find an available router. IP Mobility uses IRDP to allow Mobile Nodes to find the address of the Foreign Agent.
Then the ip mobile foreign-service command simply allows this interface to act as a Foreign Agent.
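To make the IRDP Advertisement described above concrete, the following added example (not part of the original recipe) parses an RFC 1256 Router Advertisement. It goes beyond the text by also decoding the Mobility Agent Advertisement Extension that Mobile IP (RFC 5944) appends to carry the care-of address; the function name and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

def parse_irdp_advertisement(icmp: bytes) -> dict:
    """Parse an ICMP Router Advertisement (type 9) plus any Mobility Agent
    Advertisement Extension (type 16). The ICMP checksum is not verified."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _cksum, num_addrs, entry_words, lifetime = struct.unpack(
        "!BBHBBH", icmp[:8])
    if icmp_type != 9:
        raise ValueError("not a Router Advertisement")
    if entry_words < 2:
        raise ValueError("address entry size must be at least 2 words")
    end = 8 + num_addrs * entry_words * 4
    if end > len(icmp):
        raise ValueError("address list runs past end of packet")
    routers = []
    for off in range(8, end, entry_words * 4):
        addr, preference = struct.unpack("!4si", icmp[off:off + 8])
        routers.append((str(ipaddress.IPv4Address(addr)), preference))
    info = {"lifetime": lifetime, "routers": routers,
            "foreign_agent": False, "care_of": []}
    off = end
    while off < len(icmp):
        if icmp[off] == 0:              # one-byte padding extension, no length
            off += 1
            continue
        if off + 2 > len(icmp):
            raise ValueError("truncated extension header")
        ext_type, ext_len = icmp[off], icmp[off + 1]
        body = icmp[off + 2:off + 2 + ext_len]
        if len(body) < ext_len:
            raise ValueError("extension runs past end of packet")
        if ext_type == 16 and ext_len >= 6:
            _seq, reg_lifetime, flags = struct.unpack("!HHB", body[:5])
            info["registration_lifetime"] = reg_lifetime
            info["foreign_agent"] = bool(flags & 0x10)   # F bit: offers FA service
            info["care_of"] = [str(ipaddress.IPv4Address(body[i:i + 4]))
                               for i in range(6, ext_len - 3, 4)]
        off += 2 + ext_len
    return info

# Constructed sample (checksum left as zero): router 192.168.110.1, preference 0,
# lifetime 1800 s, extension with F bit set and care-of address 192.168.110.1.
SAMPLE = bytes.fromhex(
    "09000000" "01020708" "c0a86e01" "00000000"
    "100a0001" "02581000" "c0a86e01")
```

A Mobile Node, or a monitoring script watching the segment, can use the parsed F bit and care-of list to confirm that the only agent advertising on the LAN is the expected Foreign Agent.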
Finally, we must configure a care-of address for the Foreign Agent. The care-of address is the address on the Foreign end of the tunnel. The other end of this tunnel will be the Home Agent's advertised address:
RouterForeign(config)#ip mobile foreign-agent care-of Ethernet0/0
In this case, we use the address of the Ethernet interface that will be supporting the Mobile Nodes. A physical failure of this interface will bring down the tunnel, but it will also make the Foreign Agent router lose contact with the Mobile Node. In this case, losing the tunnel is a good thing.
We note in passing that we didn't configure either a Home Agent address in the Foreign Agent router or a Foreign Agent Care-of address in the Home Agent router. This is because the Foreign Agent is, in principle, capable of accommodating a Mobile Node from any home network. The Mobile Node knows its Home Agent and requests that the Foreign Agent make the connection on its behalf. When it does so, it tells the Home Agent about its own Care-of address. So the Mobile Node must initiate this exchange of information.
Authenticating the Foreign Agent
The configurations shown in this recipe and Recipe 24.2 will in principle allow any Foreign Agent router to connect to any Home Agent router. This is usually acceptable, since the Mobile Node must authenticate anyway. However, you can improve the overall security of the exchange and decrease the likelihood of man-in-the-middle attacks by forcing the Foreign Agent to authenticate with the Home Agent.
To enable this additional level of authentication, you simply configure a security association and a key on the Foreign and Home Agent routers. On the Home Agent router, you do this with the ip mobile secure foreign-agent command, and specify the Care-of address on the Foreign Agent router:
RouterHome(config)#ip mobile secure foreign-agent 192.168.110.1 spi 100 key ascii xenophobia
On the Foreign Agent router, you configure the same key and SPI, but you use the Home Agent IP address with the ip mobile secure home-agent command:
RouterForeign(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii xenophobia
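Because the two ip mobile secure commands must mirror each other (same SPI and key, each pointing at the other router's address), a mismatch is an easy mistake to make. The following added example, which is not part of the original recipe, checks a pair of configuration excerpts for that consistency; the function names and sample configurations are constructed, and the patterns assume the command forms shown in this recipe.

```python
import re

SECURE = re.compile(r"^ip mobile secure (foreign-agent|home-agent) (\S+) "
                    r"spi (\S+) key (?:ascii|hex) (\S+)", re.M)

def interface_addresses(cfg: str) -> dict:
    """Map interface name -> primary IP address from a config excerpt."""
    addrs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m[1]
            continue
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m and current:
            addrs[current] = m[1]
    return addrs

def secure_peers(cfg: str, role: str) -> dict:
    """Map peer address -> (spi, key) for 'foreign-agent' or 'home-agent'."""
    return {m[2]: (m[3], m[4]) for m in SECURE.finditer(cfg) if m[1] == role}

def audit(fa_cfg: str, ha_cfg: str, ha_addr: str) -> list:
    """Return findings; an empty list means both ends agree. Keys are never echoed."""
    m = re.search(r"^ip mobile foreign-agent care-of (\S+)", fa_cfg, re.M)
    care_of = interface_addresses(fa_cfg).get(m[1]) if m else None
    if care_of is None:
        return ["FA: care-of interface missing or has no address"]
    findings = []
    fa_sa = secure_peers(fa_cfg, "home-agent").get(ha_addr)
    ha_sa = secure_peers(ha_cfg, "foreign-agent").get(care_of)
    if fa_sa is None:
        findings.append(f"FA: no security association for Home Agent {ha_addr}")
    if ha_sa is None:
        findings.append(f"HA: no security association for care-of {care_of}")
    if fa_sa and ha_sa:
        if fa_sa[0] != ha_sa[0]:
            findings.append(f"SPI mismatch: FA {fa_sa[0]} vs HA {ha_sa[0]}")
        if fa_sa[1] != ha_sa[1]:
            findings.append("key mismatch between FA and HA")
    return findings

# Constructed excerpts based on the commands in this recipe.
FA_CFG = """interface Ethernet0/0
 ip address 192.168.110.1 255.255.255.0
!
ip mobile foreign-agent care-of Ethernet0/0
ip mobile secure home-agent 192.168.9.1 spi 100 key ascii xenophobia
"""
HA_OK = "ip mobile secure foreign-agent 192.168.110.1 spi 100 key ascii xenophobia\n"
HA_BAD = "ip mobile secure foreign-agent 192.168.110.1 spi 101 key ascii xenophobia\n"
```

Calling audit(FA_CFG, HA_OK, "192.168.9.1") returns an empty list, while the HA_BAD excerpt yields a single SPI mismatch finding.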
See Also
Recipe 24.2; RFC 1256