This document discusses the reason why console or Telnet access to a
cable modem that has achieved online status is disabled.
Readers of this document should have a basic understanding of the
Data-over-Cable Service Interface Specifications (DOCSIS) protocol.
This document is not restricted to specific software and hardware
For more information on document conventions, refer to the
Cisco Technical Tips
When the cable interface on the cable modem is not initialized, console
and Telnet access to the cable modem function as on any other Cisco router.
However, once the modem achieves online status and the cable interface is
initialized, console access is disabled automatically following a new
configuration that is downloaded into the cable modem through the DOCSIS
configuration file. This newly downloaded configuration contains a new enable
password and new Telnet passwords that are not visible to the end user. These
changes are all controlled by the service provider, so no configuration can be
done on the cable modem side to override them. Any previously stored
configurations are superseded by the newly downloaded configuration file. This
is done so that tampering with cable modem configurations is prevented once the
cable modem is online. This security measure was a request by the majority of
cable providers in the United States.
Moreover, users with active enable sessions are forced out of enable
mode before the download occurs, and the console is locked, preventing users
from getting back into enable mode or changing the password. This approach also
addresses concerns that security is compromised by users being able to display
the running configuration. For example, Simple Network Management Protocol
(SNMP) community passwords are not compromised.
Copying a Cisco IOS® Software configuration file to a running
configuration file each time the interface initializes prevents the need to
write the configuration to nonvolatile RAM (NVRAM). If Telnet access through
the Ethernet interface is restricted by setting filters through the cable
device MIB, the running configuration file is never visible to the user.
Note: For detailed information on how to download a Cisco IOS Software
configuration file, refer to the Cisco Vendor Specific Fields section in
Building DOCSIS 1.0 Configuration Files Using Cisco DOCSIS
(registered customers only)
. To verify that the configuration is working, make a Telnet
connection to the cable modem from the head end router using the passwords that
were created in the configuration file. The following should appear in the
show version command output on the cable
Host configuration file is "ios.cnf", booted via tftp from ......