

Ascend Tunnel Management Protocol


Introduction to ATMP
Network settings for ATMP
Configuring a Foreign Agent
Configuring Home Agents
Configuring a Home-and-Foreign-Agent
Configuring IPX over ATMP

The MAX TNT supports Ascend Tunnel Management Protocol (ATMP) for Virtual Private Network (VPN) connectivity. For information about using other tunneling protocols for VPN connectivity, see Chapter 7, L2TP, PPTP, and IP-in-IP Tunneling.

Introduction to ATMP

ATMP is a UDP/IP-based protocol for tunneling between two Ascend units across an IP network. Data is transported through the tunnel in Generic Routing Encapsulation (GRE), as described in RFC 1701. (For a complete description of ATMP, see RFC 2107, K. Hamzeh, Ascend Tunnel Management Protocol - ATMP.)

Figure 6-1 shows one use for ATMP tunneling: mobile clients dial into a local ISP to log into a distant LAN across the Internet. ATMP creates and tears down a cross-Internet tunnel between the two Ascend units. In effect, the tunnel collapses the IP cloud and provides what looks like direct access to a home network.

Figure 6-1. ATMP tunnel from an ISP to a corporate home network

A mobile client dials into the Foreign Agent, which authenticates the Connection profile (or RADIUS profile) and initiates an IP connection to the specified Home Agent.

The Foreign Agent then requests a tunnel for the connected mobile client. The Home Agent authenticates the tunnel request (by password), and then registers the tunnel and assigns it an ID. If the Home Agent refuses the tunnel, the Foreign Agent disconnects the mobile client.

If the tunnel is successfully established, the Home Agent forwards or routes tunneled data to the home network. If the mobile client has a multichannel MP+ or MP connection, the tunnel remains active when the connection adds or subtracts channels, and is not torn down until the final channel of the call is disconnected.

The Home Agent must be able to access the home network either as an ATMP gateway or by routing the packets. For a description of how the Home Agent operates as a gateway or router, see Home Agent ATMP profile settings.

Network settings for ATMP

Network settings for ATMP include settings related to the IP connection between Ascend units, settings related to the UDP communication required to establish tunnels, and settings related to packet fragmentation and reassembly.

System reset requirement

When you change the setting of the UDP-Port parameter in the ATMP profile of a Home Agent, a system reset is required for the ATMP subsystem to recognize the new UDP port number.

When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, a system reset is required for the new value to take effect.

All other parameter settings in the ATMP profile take effect as soon as possible after writing the profile.

System IP address recommendation

Ascend recommends that you set the System-IP-Addr parameter in a MAX TNT that is operating as an ATMP agent, particularly if the unit has multiple interfaces into the IP cloud that separates it from other ATMP agents. This recommendation has two aspects:

Figure 6-2 shows a Home Agent and Foreign Agent, with two Ethernet interfaces connecting them. (The principle is the same as if there were two WAN connections between the units.)

Figure 6-2. System IP addresses and routes between ATMP agents

When RIP is enabled on the IP interfaces between the two units, it advertises the system address on both ports. For example, suppose a Foreign Agent has the following system IP address and IP interface configuration:

[in IP-GLOBAL]
system-ip-addr = 10.100.100.100
[in IP-INTERFACE { {shelf-1 slot-1 1} 0 } ]
ip-address = 2.2.2.1/24
rip = both-v2
[in IP-INTERFACE { {shelf-1 slot-1 2} 0 } ]
ip-address = 3.3.3.1/24
rip = both-v2

and a Home Agent has the following system IP address and IP interface configuration:

[in IP-GLOBAL]
system-ip-addr = 10.100.100.101
[in IP-INTERFACE { {shelf-1 slot-7 1} 0 } ]
ip-address = 2.2.2.2/24
rip = both-v2
[in IP-INTERFACE { {shelf-1 slot-7 2} 0 } ]
ip-address = 3.3.3.2/24
rip = both-v2

With this configuration, the Foreign Agent advertises on both of its Ethernet ports a route to its own system address, 10.100.100.100. Similarly, the Home Agent advertises on both of its Ethernet ports a route to its own system address, 10.100.100.101.

When the Home Agent receives the advertisements for 10.100.100.100, it selects one of the ports advertising the route and adds that route to its routing table. The next time the Home Agent establishes a connection with the Foreign Agent, it uses the port indicated in the routing table. If that port becomes unavailable (for example, if the cable is disconnected), the Home Agent soon updates its routing table to use the other port to connect to the Foreign Agent.

Setting the UDP port

By default, ATMP agents use UDP port 5150 to exchange control information while establishing a tunnel. If the Home Agent ATMP profile specifies a different UDP port number, all tunnel requests to that Home Agent must specify the same UDP port.


Note: A system reset is required for the ATMP subsystem to recognize the new UDP port number.

Specifying tunnel retry limits

The Retry-Timeout and Retry-Limit parameters in the ATMP profile work together to limit how many tunnel RegisterRequest messages (to open a tunnel) and DeregisterRequest messages (to close a tunnel) are sent and the number of seconds between each message. If a tunnel request fails, the Foreign Agent times out, logs a message, and disconnects the mobile client. When a tunnel request succeeds, the Home Agent assigns a tunnel ID and the UDP port is no longer used for that tunnel. The actual data transfer uses the IP connection with GRE.

The Retry-Timeout and Retry-Limit parameters have default settings that are appropriate for most sites, but you might want to increase or decrease the values on the basis of what type of link connects the Foreign Agent and Home Agent. For example, if the link is a switched dial-out connection, you might want to increase the values to allow sufficient time to establish the connection. Or, if the Foreign Agent and the Home Agent are on the same Ethernet segment, you might want to reduce the values to provide a quicker response to the mobile client when the Home Agent is unavailable.

If you increase the Retry-Timeout and Retry-Limit values, keep in mind that the values determine response time to mobile clients when the Home Agent is unavailable. If a tunnel request reaches a secondary Home Agent that is also unavailable, the mobile client waits for twice the specified period before being informed that the connection failed.

Setting an MTU limit

The type of link that connects a Foreign Agent and Home Agent determines the Maximum Transmission Unit (MTU). The link may be a switched dial-out connection, a Frame Relay connection, or an Ethernet link, and it may be a local network or routed through multiple hops. If the link between devices is multihop (if it traverses more than one network segment), the path MTU is the minimum MTU of the intervening segments.

Figure 6-3 shows an ATMP setup across a 100-BaseT Ethernet segment, which limits the path MTU to 1500 bytes.

Figure 6-3. Path MTU on an Ethernet segment

If any segment of the link between the agents has an MTU smaller than 1528, some packet fragmentation and reassembly will occur. You can push fragmentation and reassembly tasks to connection end-points (a mobile client and a device on the home network) by setting an MTU limit. Client software then uses MTU discovery mechanisms to determine the maximum packet size, and then fragments packets before sending them.

How link compression affects the MTU

Compression affects which packets must be fragmented, because compressed packets are shorter than their original counterparts. If any kind of compression is on (such as VJ header or link compression), the connection can transfer larger packets without exceeding a link's Maximum Receive Unit (MRU). If compressing a packet makes it smaller than the MRU, it can be sent across the connection, whereas the same packet without compression could not.

How ATMP tunneling causes fragmentation

To transmit packets through an ATMP tunnel, the MAX TNT adds an 8-byte GRE header and a 20-byte IP header to the frames it receives. The addition of these packet headers can make the packet larger than the MTU of the tunneled link, in which case the MAX TNT must either fragment the packet after encapsulating it or reject the packet.

Fragmenting packets after encapsulating them has several disadvantages for the Foreign Agent and Home Agent. For example, it causes a performance degradation because both agents have extra overhead. It also means that the Home Agent device cannot be a GRF switch. (To maintain its very high aggregate throughput, a GRF switch does not perform reassembly.)

Pushing the fragmentation task to connection end-points

To avoid the extra overhead incurred when ATMP agents perform fragmentation, you can either set up a link between the two units that has an MTU greater than 1528 (which means it cannot include Ethernet segments), or you can set the MTU-Limit parameter in the ATMP profile to a value that is 28 bytes less than the path MTU.

If MTU-Limit is set to zero (the default), the MAX TNT might have to fragment encapsulated packets before transmission. The other ATMP agent must then reassemble the packets.

If MTU-Limit is set to a nonzero value, the MAX TNT reports that value to the client software as the path MTU, causing the client to send packets of the specified size. This pushes the task of fragmentation and reassembly out to the connection end-points, lowering the overhead on the ATMP agents.

For example, if the MAX TNT is communicating with another ATMP agent across an Ethernet segment, you can set the MTU-Limit parameter to a value 28 bytes smaller than 1500 bytes, as shown in the following example, to enable the unit to send full-size packets that include the 8-byte GRE header and a 20-byte IP header without fragmenting the packets first:

With this setting, the connection end-point sends packets with a maximum size of 1472 bytes. When the MAX TNT encapsulates them, adding 28 bytes to the size, the packets still do not violate the 1500-byte Ethernet MTU.

Forcing fragmentation for interoperation with outdated clients

To discover the path MTU, some clients normally send packets that are larger than the negotiated Maximum Receive Unit (MRU) and that have the Don't Fragment (DF) bit set. Such packets are returned to the client with an ICMP message informing the client that the host is unreachable without fragmentation. This standard, expected behavior improves end-to-end performance by enabling the connection end-points to perform any required fragmentation and reassembly.

However, some outdated client software does not handle this process correctly and continues to send packets that are larger than the specified MTU-Limit. To enable the MAX TNT to interoperate with these clients, you can configure the MAX TNT to ignore the DF bit and perform the fragmentation that normally should be performed by the client software. This function in the MAX TNT is sometimes referred to as prefragmentation.

When the MTU-Limit parameter is set to a nonzero value, you can set the Force-Fragmentation parameter to Yes to enable the MAX TNT to prefragment packets it receives that are larger than the negotiated MRU with the DF bit set. It prefragments those packets, and then adds the GRE and IP headers.


Note: Setting the Force-Fragmentation parameter to Yes causes the MAX TNT to bypass the standard MTU discovery mechanism and fragment larger packets before encapsulating them in GRE. Because this changes expected behavior, it is not recommended except for interoperation with outdated client software that does not handle fragmentation properly.
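As an added example (not code from the Ascend manual), the following Python models the MTU-Limit arithmetic and the per-packet decisions described in the two sections above: the 28-byte GRE/IP overhead, the ICMP reply to a client that exceeds the advertised limit with DF set, and prefragmentation under Force-Fragmentation. The 20-byte inner IP header and the 8-byte fragment-offset rule are standard IP assumptions, not values the manual gives.

```python
# Added example, not from the Ascend manual: a model of the MTU-Limit and
# Force-Fragmentation decisions the text describes, for one client packet.

GRE_HEADER = 8                                  # GRE header added per tunneled packet (RFC 1701)
OUTER_IP_HEADER = 20                            # outer IP header added per tunneled packet
ENCAP_OVERHEAD = GRE_HEADER + OUTER_IP_HEADER   # the 28 bytes the text refers to
INNER_IP_HEADER = 20                            # assumption: client IP header without options


def path_mtu(segment_mtus):
    """Path MTU of a multihop link is the minimum MTU of the intervening segments."""
    return min(segment_mtus)


def mtu_limit_for(path_mtu_bytes):
    """MTU-Limit to configure so that a full-size client packet plus the 28 bytes
    of GRE/IP encapsulation still fits the path MTU (1500 -> 1472)."""
    if path_mtu_bytes <= ENCAP_OVERHEAD:
        raise ValueError("path MTU too small to carry an ATMP tunnel")
    return path_mtu_bytes - ENCAP_OVERHEAD


def tunnel_action(packet_len, df_bit, path_mtu_bytes, mtu_limit=0,
                  force_fragmentation=False):
    """What the ATMP agent does with a packet received from the client before it
    enters the tunnel. Returns one of:
      'encapsulate'      packet + 28 bytes fits the path MTU and is sent as-is
      'fragment-after'   the agent encapsulates, then fragments; the peer agent reassembles
      'icmp-needs-frag'  packet exceeds the advertised MTU-Limit with DF set; it is returned
                         to the client so the end-point does the fragmentation
      'prefragment'      fragmented before GRE/IP encapsulation (Force-Fragmentation = Yes
                         ignores DF; with DF clear this is ordinary IP fragmentation)
    """
    fits = packet_len + ENCAP_OVERHEAD <= path_mtu_bytes
    if mtu_limit == 0 or packet_len <= mtu_limit:
        # No limit advertised, or the client honoured it. If the encapsulated packet
        # still does not fit (no limit, or a limit set too high), the agent must
        # fragment after encapsulating.
        return 'encapsulate' if fits else 'fragment-after'
    # The packet is larger than the MTU-Limit the agent reported to the client.
    if df_bit and not force_fragmentation:
        return 'icmp-needs-frag'
    return 'prefragment'


def prefragment_sizes(packet_len, mtu_limit, inner_header=INNER_IP_HEADER):
    """Total lengths of the IP fragments produced when a packet is split so that no
    fragment exceeds mtu_limit. Every fragment payload except the last must be a
    multiple of 8 bytes, because the IP fragment offset counts 8-byte units."""
    if packet_len <= mtu_limit:
        return [packet_len]
    per_fragment = ((mtu_limit - inner_header) // 8) * 8
    if per_fragment <= 0:
        raise ValueError("MTU-Limit leaves no room for fragment payload")
    payload, sizes = packet_len - inner_header, []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(chunk + inner_header)   # each fragment carries its own IP header
        payload -= chunk
    return sizes


def all_fragments_fit(packet_len, mtu_limit, path_mtu_bytes):
    """True when every prefragment, once it has the 28-byte GRE/IP overhead added,
    fits the path MTU, i.e. the agents never need to fragment after encapsulating."""
    return all(size + ENCAP_OVERHEAD <= path_mtu_bytes
               for size in prefragment_sizes(packet_len, mtu_limit))


if __name__ == "__main__":
    ethernet = path_mtu([1500, 1500])            # the Figure 6-3 case: one 100-BaseT segment
    limit = mtu_limit_for(ethernet)
    print("MTU-Limit for a 1500-byte path:", limit)
    print(tunnel_action(1500, True, ethernet, mtu_limit=0))
    print(tunnel_action(1500, True, ethernet, mtu_limit=limit))
    print(tunnel_action(1500, True, ethernet, limit, force_fragmentation=True))
    print(prefragment_sizes(1500, limit), all_fragments_fit(1500, limit, ethernet))
```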

Network isolation and duplicate IP addresses

A Foreign Agent will accept multiple ATMP connections using the same IP address as long as they request a different Home Agent or different home network names. This feature allows the use of unregistered IP addresses on multiple independent private networks.

Multiple connections using the same IP address are possible because ATMP provides full network isolation between different home networks. Mobile clients can reach only the home network where they are registered. They are not permitted to reach the IP network between the Foreign Agent and the Home Agent or any other home network. This network isolation is also why a mobile client or a home network router receives no response when it attempts to Ping a Foreign Agent or Home Agent.

For example, Figure 6-1 shows two mobile clients, one registered with Corporation A's home network and one with Corporation B's home network. Neither of the mobile clients is able to access the IP network between the Foreign Agent and the Home Agent or the other home network.

Table 6-1. Foreign Agent supporting duplicate IP addresses

To provide network isolation, the Foreign Agent does not create routes for mobile clients. Similarly, Gateway Home Agents do not create routes for ATMP gateway connections or for registered mobile clients. However, Router Home Agents do create routes for registered mobile clients.

Configuring the agent-to-agent connection

The link between a Foreign Agent and Home Agent can be any kind of connection (switched, nailed, Frame Relay, and so forth) or an Ethernet link. It may be a local network or routed through multiple hops. The only requirement is that the two units can communicate over an IP network.

For example, the following commands on a Home Agent configure an IP connection to a Foreign Agent. The Home Agent uses this profile to authenticate the Foreign Agent dialing in.

For details about IP connections, see Chapter 4, IP Routing.

If the system uses RADIUS for authentication or accounting (or both), see the MAX TNT RADIUS Guide for details about installing and configuring a basic RADIUS setup.


Note: If the Foreign Agent and Home Agent reside on the same Ethernet and use RADIUS authentication, you must use separate RADIUS servers for the tunnel endpoints to avoid session loopbacks.

Configuring a Foreign Agent

To configure a Foreign Agent, you must set parameters in the ATMP profile, configure a Connection or RADIUS profile to the Home Agent, and configure mobile client Connection or RADIUS profiles.

For information about configuring a connection to the Home Agent, see Configuring the agent-to-agent connection.

Foreign Agent ATMP profile settings

The ATMP profile contains the following parameters (shown with sample values) related to a Foreign Agent configuration:

[in ATMP]
agent-mode = foreign-agent
retry-timeout = 3
retry-limit = 10
mtu-limit = 0
force-fragmentation = no

Parameter

Usage for Foreign Agent configuration

Agent-Mode

Must specify Foreign-Agent.

Retry-Timeout
Retry-Limit

Together, these parameters specify how many tunnel RegisterRequest and DeregisterRequest messages are sent and the number of seconds between each message. They have default settings that are appropriate for most sites. (For details, see Specifying tunnel retry limits.)

MTU-Limit

Specifies the Maximum Transmission Unit (MTU) for the path between the Foreign and Home Agents (as described in Setting an MTU limit).

Force-Fragmentation

If outdated client software sends large packets with the DF bit set, you can set this parameter to force the MAX TNT to fragment the packets anyway (as described in Forcing fragmentation for interoperation with outdated clients).


Mobile client profile settings

All mobile client profiles reside on the Foreign Agent side of the ATMP tunnel. A Foreign Agent can authenticate a mobile client locally in a Connection profile or externally in a RADIUS profile.

Settings in Connection profiles

The Tunnel-Options subprofile of a local Connection profile contains the following parameters (shown with sample values) related to a mobile client connection:

[in CONNECTION/mclient-1:tunnel-options]
profile-type = mobile-client
primary-tunnel-server = 2.2.2.2:8877
secondary-tunnel-server = 3.3.3.3:1555
udp-port = 5150
password = tunnel-password
home-network-name = ""

Parameter

Usage for mobile client configuration

Profile-Type

Must specify Mobile-Client.

Primary-Tunnel-Server

Must specify the System-IP-Addr or hostname of a Home Agent.

Secondary-Tunnel-Server

Specifies the System-IP-Addr or hostname of a secondary Home Agent. If a tunnel request to the first Home Agent fails, the Foreign Agent tries again with this host.

UDP-Port

Specifies a UDP port set for one or both of the specified Home Agents. If the Home Agent specification includes a port number, that value overrides this parameter.

Password

Must specify the password set in the ATMP profile of the Home Agent, if any (up to 21 characters).

Home-Network-Name

If the Home Agent is operating in gateway mode, must specify the name of the gateway profile to the home network.


Settings in RADIUS profiles

RADIUS uses the following attribute-value pairs to specify mobile client connections:

Attribute

Value

Tunnel-Type (64)

Type of protocol used for the tunnel. To ensure forward compatibility, the Ascend-specific Tunneling-Protocol (127) attribute is converted into Tunnel-Type (value 4 means ATMP). To maintain backward compatibility, RADIUS accounting still generates the Tunneling-Protocol attribute.

Tunnel-Server-Endpoint (67)

The System-IP-Addr or hostname of a Home Agent. The string may be followed by a colon and the UDP port number used on the ATMP Home Agent. To ensure forward compatibility, the Ascend-specific Ascend-Primary-Home-Agent (129) attribute is converted into Tunnel-Server-Endpoint.

Ascend-Secondary-Home-Agent (130)

The System-IP-Addr or hostname of a secondary Home Agent. If a tunnel request fails with the first Home Agent, the Foreign Agent tries again with this host.

Ascend-Home-Agent-UDP-Port (186)

A UDP port set for one or both of the specified Home Agents. If the Home Agent specification includes a port number, that value overrides this parameter.

Tunnel-Password (69)

The password set in the ATMP profile of the Home Agent, if any (up to 21 characters). To ensure forward compatibility, the Ascend-specific Home-Agent-Password (184) attribute is converted into Tunnel-Password. For more details, see Tunnel authentication.

Tunnel-Private-Group-ID (81)

If the Home Agent is operating in gateway mode, you must specify the name of the gateway profile to the home network using this attribute or the Ascend vendor-specific Ascend-Home-Network-Name (185).

When a standard RADIUS attribute for tunneling is available, you can specify either the standard attribute or the Ascend vendor attribute. For example, the following RADIUS profiles are equivalent:

user1 Password = "pass1"
User-Service = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "atmp-ha1.example.com",
Tunnel-Password = "tunnel-password"

user1 Password = "pass1"
User-Service = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunneling-Protocol = ATMP,
Ascend-Primary-Home-Agent = "atmp-ha1.example.com",
Ascend-Home-Agent-Password = "tunnel-password"

Specifying Home Agent addresses and port numbers

When a mobile client connects to a Foreign Agent, the Foreign Agent sends an ATMP RegisterRequest command to the IP address of the primary Home Agent. (If the Home Agent is specified as a hostname, the Foreign Agent performs a DNS lookup first.) Depending on the network configuration, the Foreign Agent may dial a connection to reach the Home Agent.

If the Foreign Agent does not receive a response to its request, it tries again. The number of retries is controlled by the Retry-Limit setting in the Foreign Agent's ATMP profile.

If the Foreign Agent still does not receive a response or if it receives a negative response (such as Home Network Unreachable), it attempts to repeat the procedure with the secondary Home Agent address. If there is no secondary Home Agent address specified or if the registration with the secondary Home Agent also fails, the mobile client is disconnected.

If the Home Agent ATMP profile specifies a UDP port number other than the default of 5150, you can specify that port number as part of the Home Agent address by appending a colon character (:) followed by the port number. The following commands specify the system IP address followed by a UDP port number for a primary and secondary Home Agent:

Or, in a RADIUS profile:

user1 Password = "pass1"
User-Service = Framed-User,
Framed-Address = 10.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "2.2.2.2:8877",
Ascend-Secondary-Home-Agent = "3.3.3.3",
Ascend-Home-Agent-UDP-Port = 4000

In this case, the Foreign Agent dials the connection to the primary Home Agent and requests a tunnel on port 8877. If that attempt fails, it dials the connection to the secondary Home Agent and requests a tunnel on port 4000. (If the address does not specify a port number, the Foreign Agent uses the value of the UDP-Port parameter in the mobile client Connection profile.) For example, with the following settings:

the Foreign Agent dials the connection to the Primary-Tunnel-Server and requests a tunnel on port 8877. If that attempt fails, it dials the connection to the Secondary-Tunnel-Server and requests a tunnel on port 6789.
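The following Python is an added example, not from the Ascend manual or its RADIUS software. It parses RADIUS user entries in the form shown on this page, applies the Ascend-to-standard attribute conversions from the Settings in RADIUS profiles table, and resolves the primary and secondary Home Agent address and UDP port rules from this section; the wait-time function is a modelling assumption rather than a formula the manual states.

```python
# Added example, not from the Ascend manual: RADIUS tunnel-attribute handling
# and Home Agent endpoint resolution as described on this page.
import re

DEFAULT_ATMP_UDP_PORT = 5150   # default control port (see "Setting the UDP port")

# Ascend vendor attribute -> standard RADIUS tunnel attribute, as listed on this page.
# Both spellings of the password attribute that appear on the page are accepted.
ASCEND_TO_STANDARD = {
    'Tunneling-Protocol': 'Tunnel-Type',
    'Ascend-Primary-Home-Agent': 'Tunnel-Server-Endpoint',
    'Home-Agent-Password': 'Tunnel-Password',
    'Ascend-Home-Agent-Password': 'Tunnel-Password',
    'Ascend-Home-Network-Name': 'Tunnel-Private-Group-ID',
}
TUNNEL_TYPE_VALUES = {'ATMP': 4}   # Tunnel-Type value 4 means ATMP

# "Name = value" pairs; a value is either double-quoted or a bare token.
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_radius_profile(text):
    """Return (user_name, {attribute: value}) for one users-file entry. The first
    token of the first line is the user name; everything else is attribute-value
    pairs, comma-separated on a line or one per line."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    user, _, first_rest = lines[0].partition(' ')
    attrs = {}
    for line in [first_rest] + lines[1:]:
        for match in ATTR_RE.finditer(line):
            attrs[match.group(1)] = match.group(2).strip('"')
    return user, attrs


def normalize_tunnel_attrs(attrs):
    """Map Ascend vendor attributes onto the standard ones and decode Tunnel-Type."""
    out = {ASCEND_TO_STANDARD.get(name, name): value for name, value in attrs.items()}
    if 'Tunnel-Type' in out:
        out['Tunnel-Type'] = TUNNEL_TYPE_VALUES.get(out['Tunnel-Type'], out['Tunnel-Type'])
    return out


def parse_endpoint(spec, default_port):
    """Split 'host:port' into (host, port); a port in the address overrides default_port."""
    host, sep, port = spec.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return spec, default_port


def home_agent_attempts(attrs):
    """Ordered (host, port) list the Foreign Agent tries: the primary Home Agent,
    then the secondary one if configured. Ascend-Home-Agent-UDP-Port (default 5150)
    applies to either agent unless its address carries its own port number."""
    n = normalize_tunnel_attrs(attrs)
    udp_port = int(n.get('Ascend-Home-Agent-UDP-Port', DEFAULT_ATMP_UDP_PORT))
    attempts = [parse_endpoint(n['Tunnel-Server-Endpoint'], udp_port)]
    if 'Ascend-Secondary-Home-Agent' in n:
        attempts.append(parse_endpoint(n['Ascend-Secondary-Home-Agent'], udp_port))
    return attempts


def worst_case_wait_seconds(retry_timeout, retry_limit, attempts):
    """Assumed model, not a formula the page states: each unreachable Home Agent
    costs retry_limit messages spaced retry_timeout seconds apart, and the text
    says an unavailable secondary agent doubles the wait."""
    return retry_timeout * retry_limit * len(attempts)


# The two equivalent profiles shown on this page, and the port-override example.
STANDARD_PROFILE = '''user1 Password = "pass1"
User-Service = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "atmp-ha1.example.com",
Tunnel-Password = "tunnel-password"'''

ASCEND_PROFILE = '''user1 Password = "pass1"
User-Service = Framed-User,
Framed-Protocol = PPP,
Framed-Address = 10.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunneling-Protocol = ATMP,
Ascend-Primary-Home-Agent = "atmp-ha1.example.com",
Ascend-Home-Agent-Password = "tunnel-password"'''

PORT_PROFILE = '''user1 Password = "pass1"
Tunnel-Server-Endpoint = "2.2.2.2:8877",
Ascend-Secondary-Home-Agent = "3.3.3.3",
Ascend-Home-Agent-UDP-Port = 4000'''

if __name__ == "__main__":
    for profile in (STANDARD_PROFILE, ASCEND_PROFILE, PORT_PROFILE):
        user, attrs = parse_radius_profile(profile)
        print(user, home_agent_attempts(attrs), worst_case_wait_seconds(3, 10, home_agent_attempts(attrs)))
```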

Specifying the home network name

For definitions of Gateway and Router Home Agents, see Home Agent ATMP profile settings. For a mobile client tunnel to a Gateway Home Agent, you must specify the name of the gateway profile for connection to the home network. For example, for the following gateway profile on a Home Agent:

The mobile client's profile would specify the following home network name:

Or would include one of the following settings in a RADIUS profile:

    Tunnel-Private-Group-ID = "homenet"
    Ascend-Home-Network-Name = "homenet"

Note: If the mobile client tunnels to a Router Home Agent, you must leave the Home-Network-Name parameter blank, or omit the Tunnel-Private-Group-ID or Ascend-Home-Network-Name attributes, in mobile-client profiles.

Example of a Foreign Agent configuration

Figure 6-4 shows a Foreign Agent that connects to two Home Agents across IP WAN connections. One is a Gateway Home Agent and the other is a Router Home Agent. The illustration also shows two mobile client connections, one to each of the Home Agents.

Figure 6-4. Foreign Agent tunneling to two Home Agents

In this example, the WAN connections are multichannel PPP connections, which typically negotiate a path MTU of 1500 bytes. The agents set the MTU-Limit to 1472, to enable the connection end-points to fragment packets at that size. For background information, see Setting an MTU limit.

Setting the Foreign Agent system address

The following commands set the Foreign Agent's system IP address:

Configuring the Foreign Agent ATMP profile

The following commands configure a minimal ATMP profile:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

Configuring a connection to the Gateway Home Agent

In this example, the Gateway Home Agent has the following System-IP-Addr setting:

[in IP-GLOBAL]
system-ip-addr = 2.2.2.2

The next commands configure a Connection profile to the Gateway Home Agent:

Following are comparable RADIUS profiles:

route-tnt-1 Password = "ascend", User-Service = Dialout-Framed-User
Framed-Route = "2.0.0.0 2.2.2.2 1 n hagateway-out"

hagateway-out Password = "ascend", User-Service = Dialout-Framed-User
User-Name = "hagateway",
Framed-Protocol = MPP,
Ascend-Route-IP = Route-IP-Yes,
Framed-Address = 2.2.2.2,
Ascend-Dial-Number = "9-1-333-555-1212",
Ascend-Send-Auth = Send-Auth-CHAP,
Ascend-Send-Password = "remotepw"

Configuring a connection to the Router Home Agent

In this example, the Router Home Agent has the following System-IP-Addr setting:

[in IP-GLOBAL]
system-ip-addr = 3.3.3.3

The following commands configure a Connection profile to the Router Home Agent:

Following are comparable RADIUS profiles:

route-tnt-1 Password = "ascend", User-Service = Dialout-Framed-User
Framed-Route = "3.0.0.0 3.3.3.3 1 n harouter-out"

harouter-out Password = "ascend", User-Service = Dialout-Framed-User
User-Name = "harouter",
Framed-Protocol = MPP,
Ascend-Route-IP = Route-IP-Yes,
Framed-Address = 3.3.3.3,
Ascend-Dial-Number = "9-1-888-555-1234",
Ascend-Send-Auth = Send-Auth-CHAP,
Ascend-Send-Password = "remotepw"

Configuring a mobile-client connection to the Gateway Home Agent

For the purposes of this example, the Gateway Home Agent has a nailed profile named Home-Router for connection to the home network. It also has the following settings in its ATMP profile:

[in ATMP]
agent-mode = home-agent
agent-type = gateway-home-agent
udp-port = 1555
password = tunnel-password

The next commands configure a mobile client connection on the Foreign Agent to the Gateway Home Agent:

Following is a comparable RADIUS profile:

mobile-client-1 Password = "my-password"
User-Service = Framed-User,
Framed-Protocol = MPP,
Ascend-IP-Route = Route-IP-Yes,
Framed-Address = 10.1.1.1,
Framed-Netmask = 255.255.255.248,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "2.2.2.2:1555",
Tunnel-Password = "tunnel-password",
Tunnel-Private-Group-ID = "home-router"

Configuring a mobile-client connection to the Router Home Agent

For the purposes of this example, the Router Home Agent has the following settings in its ATMP profile:

[in ATMP]
agent-mode = home-agent
agent-type = router-home-agent
udp-port = 8877
password = tunnel-password

The next commands configure a mobile client connection on the Foreign Agent to the Router Home Agent:

Following is a comparable RADIUS profile:

mobile-client-2 Password = "my-password", User-Service = Framed-User
Framed-Protocol = MPP,
Ascend-IP-Route = Route-IP-Yes,
Framed-Address = 11.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "3.3.3.3:8877",
Tunnel-Password = "tunnel-password"

Example of a Foreign Agent that tunnels to a GRF switch

When the MAX TNT is operating as a Foreign Agent tunneling to a GRF switch Home Agent, setting the MTU-Limit becomes a requirement rather than a recommendation. To maintain its very high throughput, the GRF does not perform packet reassembly. If MTU-Limit is not specified and a mobile client sends a large packet, the Foreign Agent may be forced to fragment it before sending it to the Home Agent. The GRF switch Home Agent drops such packets.

Figure 6-5 shows a Foreign Agent tunneling to a GRF Home Agent across a 100-BaseT Ethernet segment:

Figure 6-5. Foreign Agent tunneling to a GRF switch

The following commands configure the Foreign Agent ATMP profile for the MAX TNT in Figure 6-5:


Note: The GRF switch ATMP configuration should specify the same MTU-Limit.

Configuring Home Agents

To configure an ATMP Home Agent, you must set parameters in the ATMP profile, configure an IP connection to the Foreign Agent, and configure the connection to the home network.

For information about configuring a connection to the Foreign Agent, see Configuring the agent-to-agent connection.

Home Agent ATMP profile settings

The ATMP profile contains the following parameters (shown with sample values) related to a Home Agent:

[in ATMP]
agent-mode = home-agent
agent-type = gateway-home-agent
udp-port = 5150
password = tunnel-password
retry-timeout = 3
retry-limit = 10
idle-timer = 30
mtu-limit = 0
force-fragmentation = no

Parameter

Usage for Home Agent configuration

Agent-Mode

Must specify Home-Agent.

Agent-Type

Specify Gateway-Home-Agent (the default) or Router-Home-Agent, depending on how the Home Agent accesses the home network.

UDP-Port

Specifies the UDP port Foreign Agents must use to establish tunnels with the Home Agent, as described in Setting the UDP port.

Password

Specifies the password Foreign Agents must supply to establish a tunnel with this unit. You can specify up to 21 characters.

Retry-Timeout
Retry-Limit

Together, these parameters specify how many tunnel RegisterRequest and DeregisterRequest messages are sent and the number of seconds between each message. The default settings are appropriate for most sites, as described in Specifying tunnel retry limits.

Idle-Timer

Specifies the number of minutes the Home Agent maintains an idle tunnel before disconnecting it.

MTU-Limit

Specifies the Maximum Transmission Unit (MTU) for the path between the Foreign and Home Agents as described in Setting an MTU limit.

Force-Fragmentation

Enables/disables prefragmentation of packets that have the DF bit set, as described in Forcing fragmentation for interoperation with outdated clients.

Specifying a Gateway Home Agent

A Gateway Home Agent delivers tunneled data to the home network without routing. A Gateway Home Agent cannot Ping or otherwise communicate with the home router. (The same restriction applies in the other direction.)

When the Gateway Home Agent receives tunneled data, it removes the GRE header and forwards the packets to the home router, as shown in Figure 6-6:

Figure 6-6. How a Gateway Home Agent works

The link to the home network cannot be a regular switched dial-out connection, because the Home Agent will not dial the connection on receipt of tunneled data. If the gateway connection is down when the Home Agent receives a tunnel request, it rejects the request. For more details about the gateway connection to the home network, see Home network gateway profile settings.

Following is an example of specifying a Gateway Home Agent:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

Specifying a Router Home Agent

A Router Home Agent relies on packet routing to reach the home network.

Figure 6-7. How a Router Home Agent works

When the Router Home Agent receives tunneled data, it removes the GRE encapsulation, passes the packets to its router software, and adds a route to the mobile client. If the mobile client is a PPP client, it adds a host route. If the mobile client is a router, such as a Pipeline unit, it adds a regular route to the subnet addresses assigned to that router.

Following is an example of specifying a Router Home Agent:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

Specifying the tunnel password

The Home Agent typically requests a password before establishing a tunnel. The Foreign Agent returns an encrypted version of the password found in the mobile client profile. For details, see Tunnel authentication.

Setting an idle timer for unused tunnels

When a mobile client disconnects normally, the Foreign Agent sends a request to the Home Agent to close down the tunnel. However, when a Foreign Agent restarts, tunnels that were established to a Home Agent are not normally cleared, because the Home Agent is not informed that the mobile clients are no longer connected. The unused tunnels continue to hold memory on the Home Agent. To enable the Home Agent to reclaim the memory held by unused tunnels, you can set an inactivity timer on a Home Agent by changing the default value of the following parameter:

[in ATMP]
idle-timer = 0

The inactivity timer runs only on the Home Agent side. Its value specifies the number of minutes (1 to 65535) that the Home Agent maintains an idle tunnel before disconnecting it. A value of 0 disables the timer, which means that idle tunnels remain connected forever. The setting affects only tunnels created after the timer was set. Tunnels that existed before the timer was set are not affected by it.

Home network gateway profile settings

When a Gateway Home Agent receives a tunnel RegisterRequest from the Foreign Agent, it checks the status of the connection to the home network. If the connection is down, the Home Agent rejects the tunnel request and does not attempt to dial the connection. If the connection goes down after a tunnel is established, all mobile clients that were using it are disconnected.

The gateway connection to the home network can be a nailed connection or a regular dial-in switched connection. Using an incoming connection from the home router enables the administrator of the home network to regulate when mobile clients can access the network. For example, the administrator of the home network could configure an access router to dial the Home Agent every weekday at 8:00 AM and disconnect at 5:00 PM, limiting mobile client access to those hours. In that case, the gateway connection must be up before mobile clients dial in, or their tunnel requests will fail.

To configure a gateway profile, set up a nailed or dial-in connection and specify the following parameters (shown with sample settings) in the Connection profile:

[in CONNECTION/gwprofile]
station* = gwprofile
[in CONNECTION/gwprofile:tunnel-options]
profile-type = gateway-profile
max-tunnels = 0
atmp-ha-rip = rip-send-v2

Parameter: Usage for gateway profile configuration

Station: Specifies the name of the home router. The Home-Network-Name specified in the mobile client profile on the Foreign Agent must specify the same name.

Profile-Type: Must specify Gateway-Profile.

Max-Tunnels: Specifies the maximum number of mobile clients that can use the connection at the same time to tunnel into the home network. The default value of 0 sets no limit.

ATMP-HA-RIP: Enables or disables construction of mobile-client routes in RIP-v2 responses to the home router. This parameter does not apply unless Profile-Type is Gateway-Profile. It operates independently of the RIP parameter in the IP-Options subprofile; for gateway profiles, the IP-Options RIP parameter should be Off.


Limiting the maximum number of tunnels

If you decide to limit the maximum number of tunnels a gateway will support, you should consider the expected traffic per mobile client connection, the bandwidth of the connection to the home network, and the availability of alternative Home Agents (if any). For example, the lower the amount of traffic generated by each mobile client connection, the more tunnels a gateway connection will be able to handle.

Enabling RIP on the interface to the home router

ATMP-HA-RIP enables the Gateway Home Agent to inform the home router about routes to its mobile clients. This eliminates the requirement for the home router to maintain a static route for each ATMP mobile client. It also provides the basis for a resilient configuration, where a secondary Home Agent can take over for a primary Home Agent when the primary agent becomes unavailable.

Informing the home router about routes to mobile clients
The router at the far end of the gateway profile must be able to route back to mobile clients. The easiest way to accomplish this is by setting the ATMP-HA-RIP parameter to RIP-Send-v2. With this setting, the Gateway Home Agent constructs a RIP-v2 Response(2) packet at every RIP interval and sends it to the home network; the packet covers every tunnel that uses the gateway profile. For each tunnel, the Response packet contains the mobile client IP address, the subnet mask, next hop = 0.0.0.0, and metric = 1. RIP-v2 authentication and route tags are not supported.
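The following Python is an added example, not code from the Ascend documentation or the MAX TNT: it builds the RIP-v2 Response packet described above, one 20-byte entry per tunnel with the mobile client address, its mask, next hop 0.0.0.0 and metric 1, and parses such a packet back. It goes slightly beyond the text by splitting across several messages when there are more than 25 tunnels, the per-message limit from RFC 2453; the entry layout follows that RFC, and the parser rejects an authentication entry because the Home Agent never sends one.

```python
import struct
import ipaddress

RIP_COMMAND_RESPONSE = 2
RIP_VERSION_2 = 2
RIP_AFI_INET = 2
RIP_AFI_AUTH = 0xFFFF
RIP_MAX_ENTRIES = 25                      # RFC 2453: at most 25 RTEs per message

RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, addr, mask, next hop, metric


def mobile_client_entry(address, prefixlen):
    """One RIP-v2 route entry for a tunnel: client address, its mask,
    next hop 0.0.0.0 (meaning the sender, i.e. the Home Agent), metric 1,
    route tag 0 because tags are not supported."""
    net = ipaddress.ip_network("%s/%d" % (address, prefixlen), strict=False)
    return RIP_ENTRY.pack(RIP_AFI_INET, 0,
                          ipaddress.IPv4Address(address).packed,
                          net.netmask.packed,
                          b"\x00\x00\x00\x00",
                          1)


def build_rip2_responses(mobile_clients):
    """Build the RIP-v2 Response packets a Gateway Home Agent would send for
    mobile_clients, a list of (address, prefixlen). Returns a list of byte
    strings, at most 25 entries each."""
    entries = [mobile_client_entry(a, p) for a, p in mobile_clients]
    packets = []
    for i in range(0, len(entries), RIP_MAX_ENTRIES):
        chunk = entries[i:i + RIP_MAX_ENTRIES]
        packets.append(RIP_HEADER.pack(RIP_COMMAND_RESPONSE, RIP_VERSION_2, 0)
                       + b"".join(chunk))
    return packets


def parse_rip2_response(packet):
    """Parse a RIP-v2 Response into a list of route dicts."""
    if len(packet) < RIP_HEADER.size:
        raise ValueError("truncated RIP header")
    cmd, ver, _zero = RIP_HEADER.unpack_from(packet, 0)
    if cmd != RIP_COMMAND_RESPONSE or ver != RIP_VERSION_2:
        raise ValueError("not a RIP-v2 Response")
    body = packet[RIP_HEADER.size:]
    if len(body) % RIP_ENTRY.size:
        raise ValueError("RIP body is not a whole number of entries")
    routes = []
    for off in range(0, len(body), RIP_ENTRY.size):
        afi, tag, addr, mask, next_hop, metric = RIP_ENTRY.unpack_from(body, off)
        if afi == RIP_AFI_AUTH:
            raise ValueError("unexpected RIP-v2 authentication entry")
        if afi != RIP_AFI_INET:
            raise ValueError("unsupported address family %d" % afi)
        routes.append({
            "address": str(ipaddress.IPv4Address(addr)),
            "netmask": str(ipaddress.IPv4Address(mask)),
            "next_hop": str(ipaddress.IPv4Address(next_hop)),
            "metric": metric,
            "tag": tag,
        })
    return routes


if __name__ == "__main__":
    # Constructed sample: one PPP client (host route) and one router client.
    for pkt in build_rip2_responses([("10.1.1.10", 32), ("10.1.1.16", 29)]):
        print(len(pkt), "bytes:", parse_rip2_response(pkt))
```

Because the advertisement carries no authentication, the home router accepts these routes on the strength of the link alone; that is acceptable on a nailed or dial-in gateway connection to the Home Agent, and is one reason the text directs the IP-Options RIP parameter to stay Off on that profile.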

The following commands enable ATMP-HA-RIP in the gateway profile to the home router:


Note: The Home Agent will not inspect RIP updates coming from the home network, regardless of the RIP setting in the IP-Options subprofile. If the Home Agent receives RIP updates from the home network, it forwards the update packets to the mobile clients, like any other type of packet.

The alternative: Maintaining static routes in the home router
If the gateway profile does not set ATMP-HA-RIP to RIP-Send-v2, the administrator of the home network must configure a static route to each mobile client. A static route to a mobile client can be specific to the client, where the route's destination is the mobile client IP address and the next-hop router is the Home Agent address. For example, in the following route the mobile client is a router (this is not a host route), and the Home Agent address is 2.2.2.2:

[in IP-ROUTE/mobile-client]
destination = 10.1.1.10/29
gateway = 2.2.2.2

Or, if the mobile clients have addresses allocated from the same address block (including router mobile client addresses with subnet masks less than 32 bits) and no addresses from that block are assigned to other hosts, the home network administrator can specify a single static route that encompasses all mobile clients that use the same Home Agent. For example, in the following route all mobile clients are allocated addresses from the 10.4.n.n block (and no other hosts are allocated addresses from that block), and the Home Agent address is 2.2.2.2:

[in IP-ROUTE/mobile-clients]
destination = 10.4.0.0/16
gateway = 2.2.2.2
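The following Python is an added helper for the choice just described, not code from the Ascend documentation or the MAX TNT: given the mobile client addresses and the addresses of every other host, it computes the smallest single prefix covering the clients and returns one summary static route to the Home Agent when no other host falls inside that block, or one route per client otherwise. The addresses and the Home Agent 2.2.2.2 are the page's examples; the function names are this example's own.

```python
import ipaddress


def covering_prefix(networks):
    """Smallest single IPv4 prefix that contains every network in the list."""
    summary = networks[0]
    for net in networks[1:]:
        while not net.subnet_of(summary):
            summary = summary.supernet()
    return summary


def static_routes_for_home_router(mobile_clients, other_hosts, home_agent):
    """Static routes the home router needs when ATMP-HA-RIP is not RIP-Send-v2.

    mobile_clients: list of (address, prefixlen); a PPP client uses 32, a
    router client the length of its assigned subnet.
    other_hosts: addresses assigned to anything that is not a mobile client.
    Returns (destination, gateway) pairs: a single summary route when the
    clients' block contains no other host, otherwise one route per client.
    """
    nets = [ipaddress.ip_network("%s/%d" % (a, p), strict=False)
            for a, p in mobile_clients]
    if not nets:
        return []
    summary = covering_prefix(nets)
    # Any other host inside the summary block would be black-holed toward the
    # Home Agent, so fall back to specific routes in that case.
    conflicts = [h for h in other_hosts if ipaddress.ip_address(h) in summary]
    if not conflicts:
        return [(str(summary), home_agent)]
    return [(str(n), home_agent) for n in nets]


if __name__ == "__main__":
    # Constructed sample: two PPP clients and one router client in 10.4.0.0/16.
    clients = [("10.4.1.10", 32), ("10.4.2.0", 29), ("10.4.200.5", 32)]
    print(static_routes_for_home_router(clients, ["10.5.0.1"], "2.2.2.2"))
    print(static_routes_for_home_router(clients, ["10.4.9.9"], "2.2.2.2"))
```

Run it with a host list taken from the home network's address plan; if the second form comes back, the clients' block is shared with other hosts and the summary route would divert their traffic to the Home Agent.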

Routing in a resilient installation
A resilient ATMP installation supports multiple ATMP paths to the same home network, providing resiliency in the event of Home Agent failure or failure of the link between a Home Agent and home router. In some cases, the two Home Agents connect to two home routers, as shown in Figure 6-8, or the Home Agents might connect to the same home router.

Figure 6-8. Resilient ATMP installation

Mobile clients access the home network through one of the Home Agents, but not always the same Home Agent. In this case, a static route maintained by the home router would not allow hosts on the home network to reliably send packets back to mobile clients. ATMP-HA-RIP resolves the routing problems that could occur in a resilient configuration.

The following example shows a gateway profile that could reside in both of the Home Agents shown in Figure 6-8:

Example of a Gateway Home Agent configuration

Figure 6-9 shows a Gateway Home Agent with a fractional T1 connection to the home network. For details about fractional T1, see the MAX TNT Hardware Installation Guide.

Figure 6-9. Gateway Home Agent with leased line to home network


Note: In this example, the ATMP Foreign Agent and Home Agent are on the same Ethernet segment, so no Connection profiles are required for communication.

Setting the Home Agent's system address

The following commands set the Home Agent's system IP address:

Configuring the Home Agent ATMP profile

The following commands configure the Home Agent ATMP profile, with the default setting of Gateway-Home-Agent for the Agent-Type parameter:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

The Foreign Agent has an ATMP profile such as the following:

[in ATMP]
agent-mode = foreign-agent
agent-type = gateway-home-agent
udp-port = 5150
password = ""
retry-timeout = 3
retry-limit = 10
idle-timer = 0
mtu-limit = 1472
force-fragmentation = no

Configuring a gateway profile for connection to the home network

In the next set of commands, which configure the interface to the home network, Call-Type is set to FT1 (nailed) and a group of nailed channels (group number 7) is assigned to the link. ATMP-HA-RIP is enabled on the interface.

Configuring a mobile client connection to the Gateway Home Agent

Mobile client connections on the Foreign Agent will require a tunnel configuration such as the following in a local Connection profile:

[in CONNECTION/mclient:tunnel-options]
profile-type = mobile-client
primary-tunnel-server = 2.2.2.2:1234
password = tunnel-password
home-network-name = home-router

Or comparable settings in a RADIUS profile:

mclient Password = "local-password"
User-Service = Framed-User,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "2.2.2.2:1234",
Tunnel-Password = "tunnel-password",
Tunnel-Private-Group-ID = "home-router"

Example of a Router Home Agent configuration

Figure 6-10 shows a Router Home Agent with an Ethernet connection to the home network. The ATMP Foreign Agent and Home Agent connect across a multichannel PPP link.

Figure 6-10. Router Home Agent on the home network

For information about configuring a connection to the Foreign Agent, see Configuring the agent-to-agent connection.

Setting the Home Agent's system address

The following commands set the Router Home Agent's system IP address:

Configuring the IP-Interface profile to the home network

If you enable RIP on the interface that leads to the home network, other hosts and networks can route to the mobile client. Enabling RIP is particularly useful if the home network is one or more hops away. If RIP is turned off, intervening routers require static routes that specify the Home Agent as the route to mobile clients. You can also turn on proxy ARP to allow local hosts to ARP for mobile clients. For example:

Configuring the Home Agent's ATMP profile

The following commands configure the Home Agent's ATMP profile:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

The Foreign Agent has an ATMP profile such as the following:

[in ATMP]
agent-mode = foreign-agent
agent-type = gateway-home-agent
udp-port = 5150
password = ""
retry-timeout = 3
retry-limit = 10
idle-timer = 0
mtu-limit = 1472
force-fragmentation = no

Configuring a mobile client connection to the Router Home Agent

Mobile client connections on the Foreign Agent will require a tunnel configuration such as the following in a local Connection profile:

[in CONNECTION/mclient:tunnel-options]
profile-type = mobile-client
primary-tunnel-server = 3.3.3.3
password = tunnel-password

Or comparable tunnel settings in a RADIUS profile:

mclient Password = "local-password"
User-Service = Framed-User,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "3.3.3.3",
Tunnel-Password = "tunnel-password"

Configuring a Home-and-Foreign-Agent

In some configurations, the MAX TNT acts as a Home Agent for some mobile clients and as a Foreign Agent for others. The two configurations operate side-by-side without any conflict, provided that all requirements are met for each type of configuration.

Configuring the ATMP profile

The ATMP profile contains the following parameters related to the Home-and-Foreign-Agent configuration, shown with sample values:

[in ATMP]
agent-mode = home-and-foreign-agent
agent-type = gateway-home-agent
udp-port = 5150
password = tunnel-password
retry-timeout = 3
retry-limit = 10
idle-timer = 0
mtu-limit = 1472
force-fragmentation = no

The Agent-Mode parameter must specify Home-and-Foreign-Agent. For details about all of the other settings, see Configuring Home Agents or Configuring a Foreign Agent.

Example of a Home-and-Foreign-Agent configuration

Figure 6-11 shows a MAX TNT operating as Home Agent for home network B and as Foreign Agent for mobile clients tunneling into home network A:

Figure 6-11. MAX TNT acting as both Home Agent and Foreign Agent

For information about configuring connections between Home Agents and Foreign Agents, see Configuring the agent-to-agent connection.

Setting the system address

The following commands set the Home-and-Foreign Agent's system IP address:

Configuring the ATMP profile for Home-and-Foreign Agent

The next commands configure the ATMP profile:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

The Foreign Agent for Network B has an ATMP profile such as the following:

[in ATMP]
agent-mode = foreign-agent
agent-type = gateway-home-agent
udp-port = 5150
password = ""
retry-timeout = 3
retry-limit = 10
idle-timer = 0
mtu-limit = 1472
force-fragmentation = no

The Home Agent for Network A has an ATMP profile such as the following:

[in ATMP]
agent-mode = home-agent
agent-type = router-home-agent
udp-port = 8877
password = tunnel-password
retry-timeout = 3
retry-limit = 10
idle-timer = 0
mtu-limit = 1472
force-fragmentation = no

Configuring a mobile client profile

The next commands configure a Connection profile for Mobile-Client-A in Figure 6-11. For this profile, the MAX TNT is operating as Foreign Agent to enable the mobile client to tunnel to home network A:

Following is a comparable RADIUS profile:

mobile-client-A Password = "local-password"
User-Service = Framed-User,
Framed-Protocol = MPP,
Ascend-IP-Route = Route-IP-Yes,
Framed-Address = 11.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "10.22.33.44",
Ascend-UDP-Port = 8877,
Tunnel-Password = "tunnel-password"

Another example of a Home-and-Foreign-Agent configuration

Figure 6-12 shows another configuration that makes use of the Home-and-Foreign-Agent setup. In this example, all three mobile clients want to tunnel to the home network, using TNT-2 as their Home Agent. The two ATMP units are geographically distant.

Figure 6-12. Enabling a mobile client to bypass the Foreign Agent connection

Mobile-Client-1 and Mobile-Client-2 make local calls to dial into the Foreign Agent (TNT-1) and then tunnel to the Home Agent. However, Mobile-Client-3 is geographically closer to TNT-2, and would prefer to dial directly into TNT-2. In this case, TNT-2 is configured to provide both Home Agent and Foreign Agent functionality to Mobile-Client-3. There is no need to encapsulate data to and from Mobile-Client-3 in GRE. The data comes in on one of TNT-2's interfaces and it is sent to another interface without encapsulation processing, but with all of the network isolation benefits that ATMP provides.

Setting the system IP address

The following commands set the Home-and-Foreign Agent's system IP address:

Configuring the ATMP profile for Home and Foreign Agent

The following commands configure the ATMP profile in TNT-2:


Note: When you change the Agent-Mode parameter from its default Tunnel-Disabled setting to any other setting, you must reset the system for the new value to take effect.

TNT-1 has an ATMP profile such as the following:

[in ATMP]
agent-mode = foreign-agent
agent-type = gateway-home-agent
udp-port = 5150
password = ""
retry-timeout = 3
retry-limit = 10
idle-timer = 0
mtu-limit = 1472
force-fragmentation = no

Configuring a profile for Mobile-Client-3

The next commands configure a Connection profile for Mobile-Client-3 in Figure 6-12. For this profile, the MAX TNT is operating as both Foreign Agent and Home Agent.

Following is a comparable RADIUS profile:

mobile-client-3 Password = "local-password"
User-Service = Framed-User,
Framed-Protocol = MPP,
Ascend-IP-Route = Route-IP-Yes,
Framed-Address = 11.1.1.1,
Framed-Netmask = 255.255.255.255,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "10.100.100.100:6789",
Tunnel-Password = "tunnel-password"

Configuring IPX over ATMP

IPX ATMP enables ATMP mobile clients to tunnel into an IPX home network. IPX packets are GRE-encapsulated through the tunnel, so the connection between the Foreign Agent and Home Agent does not require IPX routing. However, IPX routing is required for the connection between the mobile client and the Foreign Agent, and for the connection between the Home Agent and the home network, as shown in Figure 6-13:

Figure 6-13. IPX routing connections for IPX ATMP

For details about configuring IPX, see Chapter 8, IPX Routing.

For information about configuring connections between Home Agents and Foreign Agents, see Configuring the agent-to-agent connection.

Configuring the agents for IPX routing

For details about configuring the MAX TNT to route IPX, see Chapter 8, IPX Routing. The next commands configure a minimal IPX configuration to enable the MAX TNT to route IPX packets:

In addition to routing IPX, the Foreign Agent should typically define a unique IPX network for use in assigning addresses to NetWare dial-in clients. For example:

Example of IPX ATMP to a Gateway Home Agent

After configuring the IP connection between the two agents (as described in the preceding section), and enabling IPX routing in the Foreign Agent, you must configure the IPX connections between the mobile client and Foreign Agent, and between the Home Agent and home network.

In this example, the mobile client is running Windows 98 with IPX enabled. The mobile client is assigned an address on the virtual IPX network defined in the Foreign Agent's IPX-Global profile (CCCC1234).

Figure 6-14. IPX ATMP with a Gateway Home Agent

The Gateway Home Agent communicates with an Ascend Pipeline unit configured for IPX routing (the home router). After the configurations described in the next sections have been set up, the mobile client can dial into the Foreign Agent and, once connected, click on the Network Neighborhood icon to see the destination NetWare server and its contents.

Configuring a mobile client IPX connection

The next set of commands configures a Connection profile for the mobile client in Figure 6-14:

Following is a comparable RADIUS profile:

mobile-client-1 Password = "mc-password"
User-Service = Framed-User,
Framed-Protocol = PPP,
Ascend-Route-IPX = Route-IPX-Yes,
Ascend-IPX-Peer-Mode = IPX-Peer-Dialin,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "2.2.2.2",
Tunnel-Password = "tunnel-password",
Tunnel-Private-Group-ID = "home-router"

Example of a gateway profile IPX connection

The link between the Gateway Home Agent and the home network can be Frame Relay or nailed, but it cannot be a switched connection. (Data received through a tunnel does not cause the Gateway Home Agent to bring up the link.)

The Gateway Home Agent must be configured for IPX (see Configuring the agents for IPX routing).

The next commands configure a Connection profile to the home router. Note that IPX RIP and SAP are disabled in the profile, to prevent RIP and SAP information from being propagated from the Home Agent to the home network:

IPX home router requirements

The Pipeline unit acting as home router requires an IPX-routing Connection profile to the Gateway Home Agent and a static IPX route to the mobile client. The destination network number of that route is the IPX network number used by the mobile client, and the destination node number must be the Ethernet MAC-Address of the Home Agent's shelf-controller Ethernet port. The MAC-Address is visible in the Ether-Info profile on the Home Agent. For example, the following profile shows the MAC-Address 00:c0:7b:6b:9f:d6.

In the sample static route that follows, the destination network number is CCCC1234 (the virtual network assigned to the client by the Foreign Agent), and the destination node number is the MAC-Address of the Home Agent's shelf-controller Ethernet port. The Connection # field specifies the number of the Pipeline unit's IPX-routing Connection profile to the Gateway Home Agent.

Example of IPX ATMP to a Router Home Agent

After configuring the IP connection between the two agents (as described in Configuring the agent-to-agent connection), you must configure the IPX connections between the mobile client and Foreign Agent, and between the Home Agent and home network.

In this example, the mobile client is running Windows 98 with IPX enabled. The mobile client is assigned an address on the virtual IPX network defined in the Foreign Agent's IPX-Global profile (CCCC1234).

Figure 6-15. IPX ATMP with a Router Home Agent

After the configurations described in the next sections have been set up, the mobile client can dial into the Foreign Agent and, once connected, click on the Network Neighborhood icon to see the destination NetWare server and its contents.

Configuring a mobile client IPX connection

The next set of commands configures a Connection profile for the mobile client in Figure 6-15:

Following is a comparable RADIUS profile:

mobile-client-1 Password = "mc-password"
User-Service = Framed-User,
Framed-Protocol = PPP,
Ascend-Route-IPX = Route-IPX-Yes,
Ascend-IPX-Peer-Mode = IPX-Peer-Dialin,
Tunnel-Type = ATMP,
Tunnel-Server-Endpoint = "2.2.2.2",
Tunnel-Password = "tunnel-password"

Example of an IPX Router Home Agent configuration

In this example, the Router Home Agent resides on the home network, so a Connection profile is not needed. (In other setups, the Router Home Agent could communicate with another IPX router across a nailed connection.) On the Router Home Agent, the next commands configure a local Ethernet interface as the IPX home network:


techpubs@ascend.com

Copyright © 1999, Ascend Communications, Inc. All rights reserved.