Setting Up a Device Provisioning Engine
This chapter describes how you set up the Cisco Broadband Access Center (Cisco BAC) Device Provisioning Engine (DPE).
A DPE caches provisioning information and handles all configuration requests, including downloading configuration files to devices. It is integrated with the CNR DHCP server to control the assignment of IP addresses. Multiple DPEs can communicate with a single DHCP server.
To configure the DPE from the CLI, you must have a valid license. If you run the commands described in this chapter on an unlicensed DPE, the following message appears:
This DPE is not licensed. Your request cannot be serviced. Please check with your
system administrator for DPE licenses.
For details on DPE licensing and how to install your license, see Licensing Cisco BAC, page 5-1.
This chapter describes:
• Accessing the DPE CLI
• Logging In
• Configuring a DPE for Data
• Configuring a DPE for Voice Technology
Accessing the DPE CLI
You can access the CLI of a DPE in one of two ways: from a local or remote host.
Accessing from a Local Host
To access the CLI from a local host, use:
or
Accessing from a Remote Host
To access the CLI from a remote host, enter:
# telnet remote-hostname 2323
Note If you cannot establish a Telnet connection to the CLI, the CLI server is probably not running. You may need to start the server. To start the server, enter:
# /etc/init.d/bprAgent start cli
Logging In
To log in to the DPE:
Step 1 At the password prompt, enter the login password. The default user password is changeme.
For example:
Broadband Access Center 4.1.0.1 (SOL_BAC4_1_0_1_00000000_0000)
Device Provisioning Engine local_bac_dpe
For security reasons, we recommend that you change the original password.
Step 2 Enter the enable command to enter privileged mode. You must be working in privileged mode to configure the DPE.
For example:
Step 3 The system prompts you for the password to access the privileged mode. At the prompt, enter the password; the default is changeme.
The system displays the privileged mode prompt.
For example:
Step 4 Change your login and privileged mode passwords.
a. To change the login password:
1. Access the DPE in the privileged mode. See Step 2.
2. At the prompt, enter the password command.
For example:
3. At the password prompt, enter the new password, then re-enter it.
For example:
New password: <password1>
Retype new password: <password1>
Password changed successfully.
b. To change the privileged mode password:
1. Access the DPE in the privileged mode. See Step 2.
2. At the prompt, enter the enable password command.
For example:
3. At the password prompt, enter the new password, then re-enter it.
For example:
New enable password: <password2>
Retype new enable password: <password2>
Password changed successfully.
Configuring a DPE for Data
To configure a DPE, you must know the:
• IP address or fully qualified domain name (FQDN) of the RDU for the DPE.
• Provisioning group or groups to which the DPE belongs.
Tip You can use the show run command to view the running configuration. A complete list of commands is available through the use of the show commands command. For additional information, see the Cisco Broadband Access Center DPE CLI Reference, 4.1.
To configure a DPE:
Step 1 Configure the DPE interface to handle provisioning requests, by specifying the IP address of the interface in the IPv4 or the IPv6 addressing formats.
For example:
Using IPv4 format:
bac_dpe# interface ip 10.10.10.133 provisioning
% OK (Requires DPE restart "> dpe reload")
Using IPv6 format:
bac_dpe# interface ip 2001:0DB8:0:0:203:baff:fe12:d5ea provisioning
% OK (Requires DPE restart "> dpe reload")
Note The values provided here are sample values only. Use values appropriate for your network.
Step 2 Configure the IPv4 ONLY address for communication with CNR.
For example:
bac_dpe# interface ip 10.10.10.133 pg-communication
% OK (Requires DPE restart "> dpe reload")
Step 3 Enter the IP address for the RDU or its domain name if you are implementing DNS. Also, identify the port on which the RDU is listening. The default listening port is 49187.
For example:
bac_dpe# dpe rdu-server 10.10.10.1 49187
% OK (Requires appliance restart "> reload")
Step 4 Specify the provisioning group or groups of which the DPE is part. Where appropriate, specify the secondary provisioning group of which the DPE is a member.
For example:
bac_dpe# dpe provisioning-group primary group1
% OK (Requires appliance restart "> reload")
bac_dpe# dpe provisioning-group secondary group2
% OK (Requires appliance restart "> reload")
Step 5 Set the shared secret password to be the same as that on the RDU.
For example:
bac_dpe# dpe shared-secret secret
% OK (Requires DPE restart "> dpe reload")
Step 6 Enable the TFTP service running on the DPE.
For example:
Using IPv4:
bac_dpe# service tftp 1 ipv4 enabled true
% OK (Requires DPE restart "> dpe reload")
Using IPv6:
bac_dpe# service tftp 1 ipv6 enabled true
% OK (Requires DPE restart "> dpe reload")
Step 7 Enable the Time of Day (ToD) service running on the DPE.
For example:
Using IPv4:
bac_dpe# service tod 1 ipv4 enabled true
% OK (Requires DPE restart "> dpe reload")
Using IPv6:
bac_dpe# service tod 1 ipv6 enabled true
% OK (Requires DPE restart "> dpe reload")
Step 8 For the configuration to take effect, you must reload the DPE.
For example:
After you reload the DPE, you can establish a Telnet session to the DPE using its IP address. Remember to use the new login and enable password that you created in Logging In.
Configuring a DPE for Voice Technology
This section describes the configuration tasks that you must perform to set up a DPE to support voice technology.
The tips provided in this section refer to the dpe.properties file, located in the BPR_HOME/dpe/conf directory. To enable a described feature, change the specified properties as the tips indicate. If you edit the properties, you must restart the DPE.
Caution In the dpe.properties file, there should be only one instance of each property described in these tips.
Setting Up Voice Technology
To set up voice technology on your DPE:
Step 1 To set the FQDN for each enabled DPE interface in the IPv4 or IPv6 format, enter:
interface ip ip_address provisioning fqdn fqdn
Tip dpe.properties: /server/provFQDNs=FQDN[IP address]:port. This could translate, for example, into c3po.pcnet.cisco.com[10.10.10.5]:49186.
The FQDN is sent as the SNMPEntity in DHCP option 177 suboption 3.
For example:
Using the IPv4 format:
bac_dpe# interface ip 10.10.1.2 provisioning fqdn dpe.example.com
% OK (Requires DPE restart "> dpe reload")
Using the IPv6 format:
bac_dpe# interface ip 2001:0DB8:0:0:203:baff:fe12:d5ea provisioning fqdn dpe.example.com
% OK (Requires DPE restart "> dpe reload")
Step 2 Configure the IPv4 ONLY address for communication with CNR.
For example:
bac_dpe# interface ip 10.10.10.133 pg-communication fqdn dpe.example.com
% OK (Requires DPE restart "> dpe reload")
Step 3 To configure voice technology at DPE, enter:
service packetcable 1 registration kdc-service-key password
Note The DPE password that you enter by using this CLI command must match the corresponding password used in the KeyGen utility when generating service keys for the KDC.
Tip dpe.properties: /pktcbl/regsvr/KDCServiceKey=(xx: ... xx)
where (xx: ... xx) represents a 24-byte randomly selected, colon-separated, hexadecimal value; for example: 31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36:37:38:39:30:31:32:33:34.
For example:
bac_dpe# service packetcable 1 registration kdc-service-key password3
% OK (Requires DPE restart "> dpe reload")
Step 4 To control the choice of encryption algorithm for use during SNMPv3, enter:
service packetcable 1 registration policy-privacy value
If you enter a value of zero (which is the default value) for this policy privacy, the MTA will choose a privacy option for SNMPv3. Entering any nonzero value means the Provisioning Server will set its privacy option in SNMPv3 to a specific protocol. Currently, however, DES is the only privacy option supported by voice technology.
Tip dpe.properties: /pktcbl/regsvr/policyPrivacy=1 (enables DES privacy)
For example:
bac_dpe# service packetcable 1 registration policy-privacy 1
% OK (Requires DPE restart "> dpe reload")
Step 5 Enter this command to set the SNMP service key used for SNMPv3 cloning to the RDU.
service packetcable 1 snmp key-material password
The default value for this command is null. Enter this default to disable SNMPv3 cloning on this DPE.
Caution To enable SNMP cloning, set this property to the identical 46 hexadecimal bytes that are used at the RDU (rdu.properties file, which resides in the /BPR_HOME/rdu/conf directory).
Tip dpe.properties: to turn SNMPv3 cloning off, use /pktcbl/snmp/keyMaterial= ; to turn it on, use /pktcbl/snmp/keyMaterial=key. For example, /pktcbl/snmp/keyMaterial=31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36
For example:
bac_dpe# service packetcable 1 snmp key-material password4
% OK (Requires DPE restart "> dpe reload")
Step 6 Enter this command to enable the PacketCable voice technology.
service packetcable 1 enable true
You can disable voice technology by entering service packetcable 1 enable false.
Tip dpe.properties: /pktcbl/enable=enabled
For example:
bac_dpe# service packetcable 1 enable true
% OK (Requires DPE restart "> dpe reload")
Step 7 Run the dpe reload command.
For example:
Controls Available
The commands described in this section provide additional configuration settings.
• service packetcable 1 registration encryption enable: This command optionally enables encryption of the MTA configuration file.
Tip dpe.properties: /pktcbl/regsvr/configEncrypt=1
• no service packetcable 1 registration encryption enable: This command optionally disables encryption of the MTA configuration file.
Tip dpe.properties: /pktcbl/regsvr/configEncrypt=0
• service packetcable 1 snmp timeout timeout: This command dynamically sets the number of seconds that the DPE waits for a response to an SNMPv3 SET operation. The timeout is expressed in seconds and the default value is 10 seconds.
Tip dpe.properties: /pktcbl/snmp/timeout=1 and /pktcbl/snmp/timeout=10
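An added example, not part of the Cisco documentation or of Cisco BAC: a Python check for the dpe.properties tips in this section. It flags duplicate properties, keys that are not 24 (KDCServiceKey) or 46 (keyMaterial) colon-separated hex bytes, and keys left at the sample value printed in the tips. It assumes one name=value pair per line, # comment lines, and no parentheses around the key value; the function names and the sample file are constructed.

```python
import re

# Byte lengths the tips give for the colon-separated hex keys.
KEY_LENGTHS = {"/pktcbl/regsvr/KDCServiceKey": 24, "/pktcbl/snmp/keyMaterial": 46}
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")

def is_documentation_sample(octets):
    """True if the key is the ASCII digit run '1234567890...' shown in the tips."""
    return all(b == ord("1234567890"[i % 10]) for i, b in enumerate(octets))

def lint_dpe_properties(text):
    """Return a list of findings for the voice-technology properties."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # assumed: blank lines and # comments carry no property
        name, value = (part.strip() for part in line.split("=", 1))
        if name in seen:  # the Caution allows only one instance per property
            findings.append(f"line {lineno}: {name} duplicates line {seen[name]}")
        seen[name] = lineno
        if name not in KEY_LENGTHS:
            continue
        if name == "/pktcbl/snmp/keyMaterial" and value == "":
            continue  # an empty value turns SNMPv3 cloning off, per the tip
        if not HEX_KEY.match(value):
            findings.append(f"line {lineno}: {name} is not colon-separated hex")
            continue
        octets = bytes(int(h, 16) for h in value.split(":"))
        if len(octets) != KEY_LENGTHS[name]:
            findings.append(f"line {lineno}: {name} has {len(octets)} bytes, "
                            f"expected {KEY_LENGTHS[name]}")
        elif is_documentation_sample(octets):
            findings.append(f"line {lineno}: {name} is the documentation sample key")
    return findings

# Constructed sample file, not taken from a real DPE.
SAMPLE = """\
/pktcbl/enable=enabled
/pktcbl/regsvr/KDCServiceKey=31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36:37:38:39:30:31:32:33:34
/pktcbl/regsvr/policyPrivacy=1
/pktcbl/snmp/keyMaterial=
/pktcbl/regsvr/policyPrivacy=0
"""

if __name__ == "__main__":
    for finding in lint_dpe_properties(SAMPLE):
        print(finding)
```

Run the same check against rdu.properties on the RDU to confirm that its key material has the expected length before comparing it with the DPE value.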