24.1. Local Area Mobility
Question: Configure Local Area Mobility so that devices can roam across the network
Answer
Home router (HomeRouter)
RouterHome#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome(config)#interface FastEthernet0/0
RouterHome(config-if)#ip address 192.168.10.1 255.255.255.0
RouterHome(config-if)#ip proxy-arp
RouterHome(config-if)#ip mobile arp
RouterHome(config-if)#exit
RouterHome(config)#router eigrp 99
RouterHome(config-router)#network 192.168.10.0
RouterHome(config-router)#default-metric 10000 10 255 1 1500
RouterHome(config-router)#redistribute mobile
RouterHome(config-router)#no auto-summary
RouterHome(config-router)#exit
RouterHome(config)#end
RouterHome#
Foreign router (ForeignRouter)
RouterForeign#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterForeign(config)#interface FastEthernet0/0
RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0
RouterForeign(config-if)#ip proxy-arp
RouterForeign(config-if)#ip mobile arp
RouterForeign(config-if)#exit
RouterForeign(config)#router eigrp 99
RouterForeign(config-router)#network 192.168.100.0
RouterForeign(config-router)#default-metric 10000 10 255 1 1500
RouterForeign(config-router)#redistribute mobile
RouterForeign(config-router)#no auto-summary
RouterForeign(config-router)#exit
RouterForeign(config)#end
RouterForeign#
Note: Local Area Mobility is a simple form of mobile IP that Cisco implements with Proxy ARP; it is only meant as a temporary stopgap where DHCP is unavailable. When the foreign-site router discovers a visiting device through ARP, it installs a host route for that device in its routing table, and the home site then learns this host route through the routing protocol. For example, the foreign site's ARP table and routing table:
RouterForeign#show ip arp FastEthernet0/0
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.110.1 - 000e.d7d6.1060 ARPA FastEthernet0/0
Internet 192.168.10.109 1 00b0.64ab.0580 ARPA FastEthernet0/0
Internet 192.168.110.9 21 0000.0c75.c684 ARPA FastEthernet0/0
RouterForeign#
RouterForeign#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.110.0/24 is directly connected, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
M 192.168.10.109/32 [3/1] via 192.168.10.109, 00:17:59, FastEthernet0/0
D 192.168.10.0/24 [90/2172416] via 192.168.55.11, 00:29:43, Serial0/0
C 192.168.55.0/24 is directly connected, Serial0/0
RouterForeign#
The home site learns the host route through EIGRP:
RouterHome#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D 192.168.110.0/24 [90/2172416] via 192.168.55.12, 00:31:43, Serial0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D EX 192.168.10.109/32 [170/2172416] via 192.168.55.12, 00:18:19, Serial0/0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
C 192.168.55.0/24 is directly connected, Serial0/0
RouterHome#
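As an added example (this script is not part of the original recipe and is not a Cisco tool), the Python below parses the two routing tables shown above and picks out the host route that Local Area Mobility created: on RouterForeign it reports 192.168.10.109 as a visitor from another subnet, and on RouterHome it reports the same host as currently away. The two samples are constructed from the route lines printed above; the regular expression and the classification rules are the example's own assumptions, not IOS behaviour.

```python
"""Spot Local Area Mobility host routes in IOS 'show ip route' output.

Added example for the Local Area Mobility recipe; not part of the original page
and not a Cisco tool. The two samples below are constructed from the route lines
the recipe prints on RouterForeign and RouterHome.
"""
import ipaddress
import re

FOREIGN_ROUTES = """\
C    192.168.110.0/24 is directly connected, FastEthernet0/0
     192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
M       192.168.10.109/32 [3/1] via 192.168.10.109, 00:17:59, FastEthernet0/0
D       192.168.10.0/24 [90/2172416] via 192.168.55.11, 00:29:43, Serial0/0
C    192.168.55.0/24 is directly connected, Serial0/0
"""

HOME_ROUTES = """\
D    192.168.110.0/24 [90/2172416] via 192.168.55.12, 00:31:43, Serial0/0
     192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.10.109/32 [170/2172416] via 192.168.55.12, 00:18:19, Serial0/0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
C    192.168.55.0/24 is directly connected, Serial0/0
"""

# One route line: code column ("C", "M", "D EX", ...), prefix, optional next hop,
# and the outgoing interface after the last comma. Summary lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]{1,2}(?: [A-Za-z0-9]{1,2})?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:.*?via (?P<nexthop>\d+\.\d+\.\d+\.\d+))?"
    r".*?,\s*(?P<intf>\S+)$"
)


def parse_routes(text):
    """Return one dict per route line; summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m["code"],
                           "network": ipaddress.ip_network(m["prefix"]),
                           "nexthop": m["nexthop"],
                           "intf": m["intf"]})
    return routes


def roaming_hosts(routes):
    """/32 routes that are not connected and fall inside a wider prefix of the
    same table. That is the footprint a LAM host route leaves: code M where the
    router learned the host by ARP, code D EX once EIGRP carried it to the home
    site. Returns (host, home_prefix, code, interface) tuples."""
    found = []
    for r in routes:
        if r["network"].prefixlen != 32 or r["code"] == "C":
            continue
        host = r["network"].network_address
        parents = [o["network"] for o in routes
                   if o is not r and o["network"].prefixlen < 32
                   and host in o["network"]]
        if parents:
            home = max(parents, key=lambda n: n.prefixlen)  # most specific parent
            found.append((str(host), str(home), r["code"], r["intf"]))
    return found


def classify(routes):
    """Label each roaming host from this router's point of view."""
    connected = {r["network"] for r in routes if r["code"] == "C"}
    labels = {}
    for host, home, code, intf in roaming_hosts(routes):
        if code == "M":
            labels[host] = "visiting here"    # learned by this router's own ARP
        elif ipaddress.ip_network(home) in connected:
            labels[host] = "away from home"   # its subnet is ours, the host is not
        else:
            labels[host] = "transit"          # neither its home nor its current site
    return labels


if __name__ == "__main__":
    for name, text in (("RouterForeign", FOREIGN_ROUTES), ("RouterHome", HOME_ROUTES)):
        routes = parse_routes(text)
        for host, home, code, intf in roaming_hosts(routes):
            print(f"{name}: {host} (home {home}) code {code} via {intf}: "
                  f"{classify(routes)[host]}")
```

Run it against a real `show ip route` capture by replacing the two sample strings; any host route that shows up as "visiting here" on a router whose segment has no business hosting that address is worth a look, because LAM will happily install it for any device that answers ARP.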
24.2. Home Agent configuration
Question: Configure a router as the home agent for mobile nodes
Answer
RouterHome#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome(config)#interface Loopback0
RouterHome(config-if)#ip address 192.168.9.1 255.255.255.255
RouterHome(config-if)#exit
RouterHome(config)#router mobile
RouterHome(config-router)#exit
RouterHome(config)#router eigrp 99
RouterHome(config-router)#redistribute mobile
RouterHome(config-router)#network 192.168.9.0
RouterHome(config-router)#network 192.168.10.0
RouterHome(config-router)#default-metric 10000 10 255 1 1500
RouterHome(config-router)#no auto-summary
RouterHome(config-router)#exit
RouterHome(config)#ip mobile home-agent address 192.168.9.1
RouterHome(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii neoshi
RouterHome(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii neoshi
RouterHome(config)#end
RouterHome#
Note: Configuring the home agent is the first step of a Mobile IP deployment. First comes the basic Mobile IP configuration, then the home agent's IP address and the address range of the mobile nodes are defined, and finally authentication is configured for each mobile node. AAA can also be used for this authentication to improve scalability:
RouterHome(config)#aaa new-model
RouterHome(config)#aaa authorization ipmobile default group tacacs+
RouterHome(config)#ip mobile secure mn-aaa spi 200 algorithm md5
Note that Mobile IP tunnels use IP protocol number 55.
24.3. Foreign Agent configuration
Question: Configure a router as the foreign agent for mobile nodes
Answer
RouterForeign#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterForeign(config)#router mobile
RouterForeign(config-router)#exit
RouterForeign(config)#router eigrp 99
RouterForeign(config-router)#network 192.168.110.0
RouterForeign(config-router)#no auto-summary
RouterForeign(config-router)#exit
RouterForeign(config)#interface Ethernet0/0
RouterForeign(config-if)#ip address 192.168.110.1 255.255.255.0
RouterForeign(config-if)#ip irdp
RouterForeign(config-if)#ip mobile foreign-service
RouterForeign(config-if)#exit
RouterForeign(config)#ip mobile foreign-agent care-of Ethernet0/0
RouterForeign(config)#end
RouterForeign#
Note: The second step of a Mobile IP deployment is the foreign agent. Its initial configuration is essentially the same as the home agent's; then IRDP is enabled on the interface, which mobile nodes use to discover the foreign agent's address; then foreign-agent service is enabled on that interface; and finally the care-of address is configured, the address used to build the tunnel to the home agent. Interestingly, neither the home-agent nor the foreign-agent configuration defines the peer's address, because the mobile node announces it.
For additional security, authentication between the home agent and the foreign agent can also be configured:
RouterHome(config)#ip mobile secure foreign-agent 192.168.110.1 spi 100 key ascii neoshi
RouterForeign(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi
24.4. Configure a router as a mobile node
Question: Configure a router to act as a mobile node
Answer
RouterMobile#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterMobile(config)#router mobile
RouterMobile(config-router)#exit
RouterMobile(config)#ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi
RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#address 192.168.10.112 255.255.255.0
RouterMobile(mobile-router)#home-agent 192.168.9.1
RouterMobile(mobile-router)#exit
RouterMobile(config)#interface FastEthernet0/0
RouterMobile(config-if)#ip address 192.168.10.112 255.255.255.0
RouterMobile(config-if)#ip irdp
RouterMobile(config-if)#ip mobile router-service roam
RouterMobile(config-if)#ip mobile router-service solicit
RouterMobile(config-if)#exit
RouterMobile(config)#end
RouterMobile#
Note: Routers can be configured as a mobile node (mobile router) from IOS 12.2(4)T onward.
24.5. Reverse-Tunnel Forwarding
Question: Force all packets to be forwarded through the tunnel so that they are not dropped by the access lists the network defines to prevent address spoofing
Answer
RouterMobile#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#reverse-tunnel
RouterMobile(mobile-router)#exit
RouterMobile(config)#end
RouterMobile#
Note: Once return packets from the mobile node reach the foreign agent, they may be routed locally instead of being forwarded back to the home agent through the tunnel, which can violate the foreign agent's security policy. This feature is therefore enabled to force return packets through the tunnel as well; the feature does, however, have to be negotiated. Verification:
RouterForeign#show ip mobile tunnel
Mobile Tunnels:
Tunnel0:
src 192.168.110.1, dest 192.168.9.1
encap IP/IP, mode reverse-allowed, tunnel-users 1
IP MTU 1480 bytes
Path MTU Discovery, mtu: 0, ager: 10 mins, eXPires: never
outbound interface Serial0/0
FA created, fast switching enabled, ICMP unreachable enabled
105 packets input, 8462 bytes, 0 drops
0 packets output, 0 bytes
RouterForeign#
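To show the failure mode the note describes in working code, here is an added example (not from the original page, not Cisco software) that models an anti-spoofing egress rule at the foreign site and runs the mobile node's outbound packet through it twice: once forwarded natively with its home address as source, once reverse-tunnelled so that the outer header carries the care-of address. The filter, the Packet class and the packet contents are constructed for the example; the addresses are the ones used in the recipes above.

```python
"""Model of why the foreign site needs reverse tunneling.

Added example for the reverse-tunnel recipe; not part of the original page. The
anti-spoofing filter is a constructed stand-in for an ingress ACL or strict uRPF
check on the foreign site's upstream link, and the packets are built from the
addresses used in the recipes above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FOREIGN_LAN = ipaddress.ip_network("192.168.110.0/24")   # FA's own segment
CARE_OF = "192.168.110.1"                                 # FA care-of address
HOME_AGENT = "192.168.9.1"


@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set when the packet is encapsulated


def anti_spoofing_filter(pkt, site_prefix=FOREIGN_LAN):
    """Egress rule at the foreign site: only packets sourced from the site's own
    prefix may leave; anything else looks spoofed and is dropped."""
    return ipaddress.ip_address(pkt.src) in site_prefix


def reverse_tunnel(pkt):
    """Encapsulate toward the home agent. The outer header is sourced from the
    care-of address, which does belong to the foreign site's prefix."""
    return Packet(src=CARE_OF, dst=HOME_AGENT, inner=pkt)


def deliver(pkt, use_reverse_tunnel):
    """What happens to a mobile node's outbound packet at the foreign site."""
    on_wire = reverse_tunnel(pkt) if use_reverse_tunnel else pkt
    return "forwarded" if anti_spoofing_filter(on_wire) else "dropped as spoofed"


if __name__ == "__main__":
    # Constructed packet: the mobile node keeps its home address while roaming.
    from_mobile = Packet(src="192.168.10.112", dst="192.168.10.1")
    print("native :", deliver(from_mobile, use_reverse_tunnel=False))
    print("tunnel :", deliver(from_mobile, use_reverse_tunnel=True))
```

The same model explains the recipe's opening sentence from the defender's side: an ingress filter on the foreign site cannot tell a legitimately roaming node from a spoofed source, so the only way to keep the filter strict and still serve visitors is to make the tunnel mandatory.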
24.6. Configure HSRP support on the home agent for redundancy
Question: Add redundancy by configuring multiple home agents
Answer
RouterHome1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome1(config)#interface FastEthernet0/0
RouterHome1(config-if)#ip address 192.168.9.2 255.255.255.0
RouterHome1(config-if)#standby 1 ip 192.168.9.1
RouterHome1(config-if)#standby 1 name HA-GROUP
RouterHome1(config-if)#exit
RouterHome1(config)#router mobile
RouterHome1(config-router)#exit
RouterHome1(config)#router eigrp 99
RouterHome1(config-router)#redistribute mobile
RouterHome1(config-router)#network 192.168.9.0
RouterHome1(config-router)#network 192.168.10.0
RouterHome1(config-router)#default-metric 10000 10 255 1 1500
RouterHome1(config-router)#no auto-summary
RouterHome1(config-router)#exit
RouterHome1(config)#ip mobile home-agent address 192.168.9.1
RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome1(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome1(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome1(config)#ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco
RouterHome1(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome1(config)#end
RouterHome1#
RouterHome2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterHome2(config)#interface FastEthernet0/0
RouterHome2(config-if)#ip address 192.168.9.3 255.255.255.0
RouterHome2(config-if)#standby 1 ip 192.168.9.1
RouterHome2(config-if)#standby 1 name HA-GROUP
RouterHome2(config-if)#exit
RouterHome2(config)#router mobile
RouterHome2(config-router)#exit
RouterHome2(config)#router eigrp 99
RouterHome2(config-router)#redistribute mobile
RouterHome2(config-router)#network 192.168.9.0
RouterHome2(config-router)#network 192.168.10.0
RouterHome2(config-router)#default-metric 10000 10 255 1 1500
RouterHome2(config-router)#no auto-summary
RouterHome2(config-router)#exit
RouterHome2(config)#ip mobile home-agent address 192.168.9.1
RouterHome2(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome2(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome2(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome2(config)#ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco
RouterHome2(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome2(config)#end
RouterHome2#
Note: The HSRP virtual address is used as the home agent address to provide redundancy. The additional command ip mobile home-agent redundancy HA-GROUP virtual-network ties the home agent to the corresponding HSRP group, and authentication between the two home agents must also be configured so that they can synchronize their state: ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco
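The recipes for the home agent, foreign agent and mobile node (24.2 to 24.4) and for the redundant home-agent pair (24.6) all hinge on ip mobile secure entries that have to agree on both ends. As an added example covering all of them (this script is not part of the original page and is not a Cisco tool), the Python below reads the ip mobile secure lines of each device, works out which addresses each device answers for, and checks that every security association has a counterpart at the peer with the same SPI and key. It also compares the host SAs of the two HSRP home agents and lists keys shared by several mobile nodes. The configs are constructed cut-downs of the commands shown above; the SPI of 101 on RouterHome2 is a constructed drift that the recipe does not contain, included so that the checker has something to find.

```python
"""Cross-check Mobile IP security associations across HA, FA, mobile node and a
redundant HA pair.

Added example for recipes 24.2 to 24.4 and 24.6; not part of the original page
and not a Cisco tool. Configs are cut down from the recipes' commands;
RouterHome2's entry for 192.168.10.112 carries a constructed SPI of 101.
"""
import re
from collections import defaultdict

SECURE_RE = re.compile(
    r"ip mobile secure (host|home-agent|foreign-agent) (\S+) spi (\d+) key ascii (\S+)")
# Addresses a device answers for: interface IPs, the HA address it advertises
# (the HSRP virtual IP in the redundant recipe) or a mobile node's home address.
OWN_ADDR_RE = re.compile(
    r"(?:ip address|ip mobile home-agent address|^\s*address) (\d+\.\d+\.\d+\.\d+)", re.M)

SITE = {
    "RouterHome": """
 ip address 192.168.9.1 255.255.255.255
ip mobile home-agent address 192.168.9.1
ip mobile secure foreign-agent 192.168.110.1 spi 100 key ascii neoshi
ip mobile secure host 192.168.10.110 spi 100 key ascii neoshi
ip mobile secure host 192.168.10.112 spi 100 key ascii neoshi
""",
    "RouterForeign": """
 ip address 192.168.110.1 255.255.255.0
ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi
""",
    "RouterMobile": """
ip mobile secure home-agent 192.168.9.1 spi 100 key ascii neoshi
 address 192.168.10.112 255.255.255.0
 home-agent 192.168.9.1
""",
}

REDUNDANT = {
    "RouterHome1": """
 ip address 192.168.9.2 255.255.255.0
ip mobile home-agent address 192.168.9.1
ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco
ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
""",
    "RouterHome2": """
 ip address 192.168.9.3 255.255.255.0
ip mobile home-agent address 192.168.9.1
ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco
ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
ip mobile secure host 192.168.10.112 spi 101 key ascii cookbook
""",  # spi 101 above is the constructed drift
    "RouterMobile": """
ip mobile secure home-agent 192.168.9.1 spi 100 key ascii cookbook
 address 192.168.10.112 255.255.255.0
""",
}


def parse(config):
    """Return (owned_addresses, {peer_ip: (kind, spi, key)}) for one device."""
    owned = set(OWN_ADDR_RE.findall(config))
    sas = {peer: (kind, int(spi), key)
           for kind, peer, spi, key in SECURE_RE.findall(config)}
    return owned, sas


def check_symmetry(devices):
    """For every SA a device holds toward a peer in the inventory, the peer must
    hold an SA back to one of the device's addresses with the same SPI and key.
    Returns (device, peer_ip, peer_device, problem) tuples."""
    parsed = {name: parse(cfg) for name, cfg in devices.items()}
    owners = defaultdict(set)
    for name, (owned, _) in parsed.items():
        for addr in owned:
            owners[addr].add(name)
    findings = []
    for name, (owned, sas) in parsed.items():
        for peer_ip, (_, spi, key) in sas.items():
            for peer in sorted(owners.get(peer_ip, ())):
                back = [parsed[peer][1][a] for a in owned if a in parsed[peer][1]]
                if not back:
                    findings.append((name, peer_ip, peer, "no SA back"))
                elif any((s, k) != (spi, key) for _, s, k in back):
                    findings.append((name, peer_ip, peer, "spi/key mismatch"))
    return findings


def host_sa_diff(cfg_a, cfg_b):
    """Mobile-node SAs that differ between two redundant HAs; after an HSRP
    failover the surviving HA must be able to authenticate every node."""
    a = {p: v for p, v in parse(cfg_a)[1].items() if v[0] == "host"}
    b = {p: v for p, v in parse(cfg_b)[1].items() if v[0] == "host"}
    return {p for p in a.keys() | b.keys() if a.get(p) != b.get(p)}


def shared_host_keys(cfg):
    """Keys configured for more than one mobile node on an HA; with one shared
    key, a leak from any single node affects all of them."""
    by_key = defaultdict(list)
    for peer, (kind, _, key) in parse(cfg)[1].items():
        if kind == "host":
            by_key[key].append(peer)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    print("site     :", check_symmetry(SITE) or "all SAs symmetric")
    print("redundant:", check_symmetry(REDUNDANT))
    print("HA1/HA2 drift:", host_sa_diff(REDUNDANT["RouterHome1"], REDUNDANT["RouterHome2"]))
    print("shared keys  :", shared_host_keys(SITE["RouterHome"]))
```

Feed it the running configs of the real devices and the symmetry check catches the classic failure where a mobile node's registration is rejected because an SPI or key was changed on only one side; the HSRP comparison catches the subtler case where everything works until the first failover.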