Filtering Cable DHCP Lease Queries
Document Revision History
Date          Revision      Reason
02/13/2006    OL-2818-06    Added Document Revision History table. Incorporated Cisco IOS Release 12.3(17a)BC enhancements.
This document describes the Dynamic Host Configuration Protocol (DHCP) LEASEQUERY filter feature, which enables the Cisco Cable Modem Termination System (CMTS) router to filter excessive numbers of DHCP LEASEQUERY messages on either the upstream or the downstream cable interface, or both.
Feature History for Filtering Cable DHCP Lease Queries
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Filtering Cable DHCP Lease Queries
• Restrictions for Filtering Cable DHCP Lease Queries
• Information About Filtering Cable DHCP Lease Queries
• How to Configure Filtering Cable DHCP LEASEQUERY Requests
• How to Configure the DHCP MAC Address Exclusion List for the cable-source verify dhcp Command
• Configuration Examples for Filtering Cable DHCP Lease Queries
Prerequisites for Filtering Cable DHCP Lease Queries
• The Cisco uBR7100 series, Cisco uBR7246VXR, or Cisco uBR10012 router must be running Cisco IOS Release 12.2(15)BC1d, 12.2(15)BC2b, or later release.
• You must configure a cable interface with the cable source-verify dhcp command and the no cable arp command before the Cisco CMTS router can begin filtering DHCP lease queries. Lease queries will be sent to the DHCP server (or configured alternate server).
  To divert DHCP lease queries to a server other than the DHCP server, you must use the cable source-verify dhcp server ipaddress command and the no cable arp command before the Cisco CMTS router can begin filtering DHCP lease queries. Only one alternate server may be configured.
Restrictions for Filtering Cable DHCP Lease Queries
• Lease queries are sent to the DHCP server unless an alternate server is configured.
• Only one alternate server may be configured.
• Users are responsible for the synchronization of the DHCP server and configured alternate server.
• If the configured alternate server fails, lease query requests will not be diverted back to the DHCP server.
Information About Filtering Cable DHCP Lease Queries
To configure the Cisco CMTS router to send DHCP LEASEQUERY requests to the DHCP server, use the cable source-verify dhcp and no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable modems on the cable interface will be verified. The DHCP server returns a DHCP ACK message with the MAC address of the CPE device that has been assigned this IP address, if any.
To configure the Cisco CMTS router to divert DHCP LEASEQUERY requests to a server other than the DHCP server, use the cable source-verify dhcp server ipaddress and no cable arp commands.
Regardless of which server is configured, the router can then use this information to verify that this CPE device is authorized to use this IP address. This prevents users from assigning unauthorized IP addresses to their CPE devices, without interfering with valid traffic on the upstream or downstream.
Problems can occur, though, when viruses, denial of service (DoS) attacks, and theft-of-service attacks begin scanning a range of IP addresses, in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type of scanning generates a large volume of DHCP lease queries, which can result in the following problems:
• High CPU utilization on the Cisco CMTS router
• High utilization on the DHCP server (or configured alternate server), resulting in a slow response time or no response at all
• Packets can be dropped by the Cisco CMTS router or DHCP server (or configured alternate server)
• Lack of available bandwidth for other customers on the cable interface
To prevent such a large volume of LEASEQUERY requests on cable interfaces, you can enable filtering of these requests on upstream interfaces, downstream interfaces, or both. When this feature is enabled, the Cisco CMTS allows only a certain number of DHCP LEASEQUERY requests for each service ID (SID) on an interface within the configured interval time period. If a SID generates more lease queries than the maximum, the router drops the excess number of requests until the next interval period begins.
You can configure both the number of allowable DHCP LEASEQUERY requests and the interval time period, so as to match the capabilities of your DHCP server (or configured alternate server) and cable network.
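The filter described above is a fixed-window rate limiter keyed on SID. The following Python model is an added illustration, not code from this document or from Cisco: it replays a constructed stream of lease-query events (a well-behaved CPE on SID 1 and an address scan on SID 6) through a filter configured with the same threshold and interval semantics as the cable source-verify leasequery-filter commands, and reports counters in the shape of the show cable leasequery-filter statistics line. The decision to start a new window on the first query after the previous window expires is an assumption of this model, as is the use of integer milliseconds for time.

```python
"""Simulation of the per-SID DHCP LEASEQUERY filter (added illustration, not Cisco code).

Models the behaviour described in the text: at most `threshold` lease queries per
service ID (SID) are forwarded to the DHCP server within each `interval`; excess
queries are dropped until the next interval begins. Modelling assumptions: a new
window starts on the first query after the old window expired, and time is kept in
integer milliseconds so the arithmetic is exact.
"""
from collections import defaultdict


class LeaseQueryFilter:
    """One filter instance, e.g. `cable source-verify leasequery-filter upstream 5 5`."""

    def __init__(self, threshold: int, interval_ms: int) -> None:
        self.threshold = threshold          # max lease queries per SID per interval
        self.interval_ms = interval_ms      # interval length in milliseconds
        self._window = {}                   # sid -> (window start, queries sent in window)
        self.sent = 0                       # forwarded to the DHCP server
        self.filtered = 0                   # dropped by the filter
        self.filtered_per_sid = defaultdict(int)

    def allow(self, sid: int, now_ms: int) -> bool:
        """Return True if a lease query for `sid` at `now_ms` is forwarded, False if dropped."""
        start, count = self._window.get(sid, (now_ms, 0))
        if now_ms - start >= self.interval_ms:    # previous window expired: start a new one
            start, count = now_ms, 0
        if count < self.threshold:
            self._window[sid] = (start, count + 1)
            self.sent += 1
            return True
        self._window[sid] = (start, count)
        self.filtered += 1
        self.filtered_per_sid[sid] += 1
        return False

    def stats_line(self) -> str:
        """Same shape as the 'Requests Sent' line of `show cable leasequery-filter`."""
        total = self.sent + self.filtered
        return f"Requests Sent : {total} total. {self.sent} unfiltered, {self.filtered} filtered"


def max_server_rate(threshold: int, interval_ms: int, active_sids: int) -> float:
    """Upper bound on lease queries per second the filter can pass to the DHCP server
    when every active SID saturates its window. Useful for sizing threshold/interval
    against what the DHCP server (or alternate server) can absorb."""
    return active_sids * threshold * 1000 / interval_ms


def query_burst(sid: int, start_ms: int, count: int, gap_ms: int):
    """Constructed event stream: `count` lease queries from `sid`, `gap_ms` apart."""
    return [(start_ms + i * gap_ms, sid) for i in range(count)]


def run_simulation(threshold: int = 5, interval_ms: int = 5000) -> LeaseQueryFilter:
    """Constructed scenario: one well-behaved CPE (SID 1) that triggers three
    unknown-IP lookups 7 s apart, and one host (SID 6) that touches 200 unknown
    addresses in 10 s. Returns the filter so its counters can be inspected."""
    flt = LeaseQueryFilter(threshold, interval_ms)
    events = sorted(
        query_burst(sid=1, start_ms=0, count=3, gap_ms=7000)
        + query_burst(sid=6, start_ms=500, count=200, gap_ms=50)
    )
    for now_ms, sid in events:
        flt.allow(sid, now_ms)
    return flt


if __name__ == "__main__":
    result = run_simulation()
    print(result.stats_line())
    for sid, dropped in sorted(result.filtered_per_sid.items()):
        print(f"SID {sid}: {dropped} lease queries filtered")
    print(f"worst case with 1000 active SIDs: {max_server_rate(5, 5000, 1000):.0f} queries/s")
```

With threshold 5 and a 5-second interval, the scanning SID gets 5 queries through per window (10 in total over its 10-second burst) and the other 190 are dropped, while the well-behaved SID is never filtered because its lookups fall in separate windows. The max_server_rate helper shows the other side of the trade-off: the filter caps what one SID can generate, but the aggregate load the DHCP server can still see scales with the number of active SIDs.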
How to Configure Filtering Cable DHCP LEASEQUERY Requests
Use the following procedures to configure the filtering of DHCP LEASEQUERY requests on both the downstreams and upstreams of a cable interface:
• Enabling DHCP LEASEQUERY Filtering on Downstreams
• Enabling DHCP LEASEQUERY Filtering on Upstreams
Enabling DHCP LEASEQUERY Filtering on Downstreams
Use the following procedure to start filtering DHCP lease queries on all downstreams in a Cisco CMTS router.
SUMMARY STEPS
1. enable
2. configure terminal
3. cable source-verify leasequery-filter downstream threshold interval
4. end
DETAILED STEPS
Enabling DHCP LEASEQUERY Filtering on Upstreams
Use the following procedure to start filtering DHCP lease queries on all upstreams on a particular cable interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface cable x/y
   or
   interface cable x/y/z
4. cable source-verify leasequery-filter upstream threshold interval
5. end
DETAILED STEPS
Command or Action / Purpose
Step 1
enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
interface cable x/y
or interface cable x/y/z
Example:
Router(config)# interface cable 5/1
Router(config-if)#
Purpose: Enters interface configuration mode for the specified cable interface.
Step 4
cable source-verify leasequery-filter upstream threshold interval
Example:
Router(config-if)# cable source-verify leasequery-filter upstream 2 5
Router(config-if)#
Purpose: Enables leasequery filtering on all upstreams on the specified cable interface, using the specified threshold and interval values:
• threshold—Maximum number of DHCP lease queries allowed per SID for each interval period. The valid range is 0 to 20 lease queries.
• interval—Time period, in seconds, over which lease queries should be monitored. The valid range is 1 to 5 seconds.
Note
Repeat Step 3 through Step 4 to enable the filtering of DHCP lease queries on the upstreams for other cable interfaces. Master and slave interfaces in a cable bundle must be configured separately.
Step 5
end
Example:
Router(config-if)# end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
How to Configure the DHCP MAC Address Exclusion List for the cable-source verify dhcp Command
Cisco IOS Release 12.3(13)BC introduces the ability to exclude trusted MAC addresses from standard DHCP source verification checks, as supported in previous Cisco IOS releases for the Cisco CMTS. This feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on Performance Routing Engine 1 (PRE1) and PRE2 modules on the Cisco uBR10012 router chassis.
To enable packets from trusted source MAC addresses in DHCP, use the cable trust command in global configuration mode. To remove a trusted MAC address from the MAC exclusion list, use the no form of this command. Removing a MAC address from the exclusion list subjects all packets from that source to standard DHCP source verification.
cable trust mac-address
no cable trust mac-address
Syntax Description
mac-address
The MAC address of a trusted DHCP source, and from which packets will not be subject to standard DHCP source verification.
Usage Guidelines
This command and capability are only supported in circumstances in which the Cable Source Verify feature is first enabled on the Cisco CMTS.
When this feature is enabled in addition to cable source verify, a packet's source must belong to the MAC Exclude list on the Cisco CMTS. If the packet succeeds this exclusionary check, then the source IP address is verified against Address Resolution Protocol (ARP) tables as per normal and previously supported source verification checks. The service ID (SID) and the source IP address of the packet must match those in the ARP host database on the Cisco CMTS. If the packet check succeeds, the packet is allowed to pass. Rejected packets are discarded in either of these two checks.
Any trusted source MAC address in the optional exclusion list may be removed at any time. Removal of a MAC address returns previously trusted packets to non-trusted status, and subjects all packets to standard source verification checks on the Cisco CMTS.
Note
When the cable source-verify dhcp feature is enabled, and a statically-defined IP address has been added to the CMTS for a CM using the cable trust command to override the cable source-verify dhcp checks for this device, packets from this CM will continue to be dropped until an entry for this CM is added to the ARP database of the CMTS. To achieve this, disable the cable source-verify dhcp feature, ping the CMTS from the CM to add an entry to the ARP database, and re-enable the cable source-verify dhcp feature.
For additional information about the enhanced Cable Source Verify DHCP feature, and general guidelines for its use, refer to the following documents on Cisco.com:
• IP Address Verification for the Cisco uBR7200 Series Cable Router
  http://www.cisco.com/en/US/docs/ios/12_0t/12_0t7/feature/guide/sourcver.html
• Filtering Cable DHCP Lease Queries
  http://www.cisco.com/en/US/docs/cable/cmts/feature/cblsrcvy.html
• Cisco IOS CMTS Cable Command Reference Guide
  http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html
• CABLE SECURITY, Cable Source-Verify and IP Address Security, White Paper
  http://www.cisco.com/en/US/tech/tk86/tk803/technologies_tech_note09186a00800a7828.shtml
Configuration Examples for Filtering Cable DHCP Lease Queries
This section provides the following examples of how to configure the DHCP lease query filtering feature:
DHCP Downstream and Upstream DHCP LEASEQUERY Filtering Configuration on an Individual Cable Interface: Example
The following example shows an excerpt from a typical configuration of a cable interface that is configured for filtering DHCP LEASEQUERY requests on both its upstream and downstream interfaces:
Note
If an alternate server has been configured to receive lease query requests, cable source-verify dhcp server ipaddress would display in place of cable source-verify dhcp below.
!
cable source-verify leasequery-filter downstream 5 20
!
interface Cable8/1/0
...
cable source-verify dhcp
cable source-verify leasequery-filter upstream 1 5
no cable arp
...
Additional References
The following sections provide references related to the DHCP LEASEQUERY filtering feature.
Related Documents
Related Topic: CMTS Command Reference
Document Title: Cisco IOS CMTS Cable Command Reference Guide, at the following URL:
http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html
Related Topic: Cisco IOS Release 12.2 Command Reference
Document Title: Cisco IOS Release 12.2 Configuration Guides and Command References, at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Standards
Standard: Data-over-Cable Service Interface Specifications Radio Frequency Interface Specification, version 1.1
Title/URL: http://www.cablelabs.com/cablemodem/
MIBs
RFCs
Technical Assistance
Command Reference
This section documents the following new or modified commands that are needed to configure the DHCP Lease Query filter feature.
• cable source-verify leasequery-filter downstream
• cable source-verify leasequery-filter upstream
Note
Other cable-specific commands are documented in the Cisco IOS CMTS Cable Command Reference Guide, at the following URL:
http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html
All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
cable source-verify leasequery-filter downstream
To control the number of Dynamic Host Configuration Protocol (DHCP) LEASEQUERY request messages that are sent for unknown IP addresses on all cable downstream interfaces on the Cisco Cable Modem Termination System (CMTS) router, use the cable source-verify leasequery-filter downstream command in global configuration mode. To stop the filtering of DHCP lease queries, use the no form of this command.
cable source-verify leasequery-filter downstream threshold interval
no cable source-verify leasequery-filter downstream
Syntax Description
Defaults
Filtering of DHCP lease queries is disabled.
Command Modes
Global configuration
Command History
Release: 12.2(15)BC1d, 12.2(15)BC2b
Modification: This command was introduced for the Cisco uBR7100 series, Cisco uBR7246VXR, and Cisco uBR10012 universal broadband routers.
Usage Guidelines
When the cable source-verify dhcp (or cable source-verify dhcp server ipaddress) and no cable arp commands are configured on a cable interface, the Cisco CMTS router sends a DHCP LEASEQUERY request to the DHCP server (or configured alternate server) to verify unknown IP addresses that are found in packets to and from customer premises equipment (CPE) devices that are using the cable modems on the cable interface. The DHCP server (or configured alternate server) returns a DHCP ACK message with the MAC address of the CPE device that has been assigned this IP address, if any. The router can then verify that this CPE device is authorized to use this IP address, which prevents users from assigning unauthorized IP addresses to their CPE devices.
Problems can occur, though, when viruses, denial of service (DoS) attacks, and theft-of-service attacks scan ranges of IP addresses, in an attempt to find unused addresses. This type of activity can generate a large volume of DHCP LEASEQUERY requests, which can result in high CPU utilization and a lack of available bandwidth for other customers.
To prevent such a large volume of LEASEQUERY requests on all downstreams in the Cisco CMTS router, use the cable source-verify leasequery-filter downstream command. After configuring this command, the Cisco CMTS allows only a certain number of DHCP LEASEQUERY requests in the downstream direction within each interval time period.
For example, the cable source-verify leasequery-filter downstream 5 10 command configures the router so that it allows a maximum of 5 DHCP LEASEQUERY requests every 10 seconds for each SID on the downstream direction. This command applies to all downstream cable interfaces in the router.
Note
The cable source-verify leasequery-filter downstream command enables DHCP lease query filtering on all downstreams, but the actual filtering does not begin until the cable source-verify dhcp (or cable source-verify dhcp server ipaddress) command and the no cable arp command are configured on a particular downstream. You can configure these commands on either the downstream's main interface, or on a subinterface for the downstream. If these commands are configured on a subinterface, however, the lease query filtering occurs only for cable modems using that subinterface.
Tip
Use the cable source-verify leasequery-filter upstream command to filter DHCP LEASEQUERY requests in the upstream direction.
Examples
The following example shows how to configure the Cisco CMTS router so that it allows a maximum of 10 DHCP lease query requests per SID over each five-second interval on all downstream cable interfaces. This example also shows the configuration of cable source-verify dhcp and no cable arp commands on a cable interface, which are required to use this feature.
Note
If an alternate server has been configured to receive lease query requests, the cable source-verify dhcp server ipaddress command would be used in place of the cable source-verify dhcp command below.
Router# configure terminal
Router(config)# cable source-verify leasequery-filter downstream 10 5
Router(config)# interface cable 5/1/0
Router(config-if)# cable source-verify dhcp
Router(config-if)# no cable arp
Router(config-if)#
Related Commands
cable source-verify leasequery-filter upstream
To control the number of Dynamic Host Configuration Protocol (DHCP) LEASEQUERY request messages that are sent for unknown IP addresses per each service ID (SID) on an upstream, use the cable source-verify leasequery-filter upstream command in cable interface configuration mode. To disable the filtering of DHCP lease queries, use the no form of this command.
cable source-verify leasequery-filter upstream threshold interval
no cable source-verify leasequery-filter upstream
Syntax Description
Defaults
Filtering of DHCP lease queries is disabled.
Command Modes
Interface configuration (cable interface only)
Command History
Release: 12.2(15)BC1d, 12.2(15)BC2b
Modification: This command was introduced for the Cisco uBR7100 series, Cisco uBR7246VXR, and Cisco uBR10012 universal broadband routers.
Usage Guidelines
When the cable source-verify dhcp (or cable source-verify dhcp server ipaddress) and no cable arp commands are configured on a cable interface, the Cisco Cable Modem Termination System (CMTS) router sends a DHCP LEASEQUERY request to the DHCP server (or configured alternate server) to verify unknown IP addresses that are found in packets to and from customer premises equipment (CPE) devices that are using the cable modems on the cable interface. The DHCP server (or configured alternate server) returns a DHCP ACK message with the MAC address of the CPE device that has been assigned this IP address, if any. The router can then verify that this CPE device is authorized to use this IP address, which prevents users from assigning unauthorized IP addresses to their CPE devices.
Problems can occur, though, when viruses, denial of service (DoS) attacks, and theft-of-service attacks scan ranges of IP addresses, in an attempt to find unused addresses. This type of activity can generate a large volume of DHCP LEASEQUERY requests, which can result in high CPU utilization and a lack of available bandwidth for other customers.
To prevent such a large volume of LEASEQUERY requests on the upstreams on a cable interface, use the cable source-verify leasequery-filter upstream command. After configuring this command, the Cisco CMTS allows only a certain number of DHCP LEASEQUERY requests in the upstream direction within each interval time period.
For example, the cable source-verify leasequery-filter upstream 5 5 command configures the router so that it allows a maximum of 5 DHCP LEASEQUERY requests every 5 seconds for each SID on the upstream direction. This command applies to all upstreams on the cable interface.
Note
The cable source-verify leasequery-filter upstream command enables DHCP lease query filtering on all upstreams on a cable interface, but the actual filtering does not begin until the cable source-verify dhcp (or cable source-verify dhcp server ipaddress) command and the no cable arp command are configured on the upstream's associated downstream interface. You can configure these commands on either the downstream's main interface, or on a subinterface for the downstream. If these commands are configured on a subinterface, however, the lease query filtering occurs only for cable modems using that subinterface.
Note
If using cable interface bundling, configure the cable source-verify leasequery-filter upstream command on all master and slave interfaces.
Tip
Use the cable source-verify leasequery-filter downstream command to filter DHCP LEASEQUERY requests in the downstream direction.
Examples
The following example shows how to configure the Cisco CMTS router so that it allows a maximum of five DHCP lease query requests per SID over each two-second interval on all upstreams on a particular cable interface. This example also shows the configuration of cable source-verify dhcp and no cable arp commands on the cable interface, which are required to use this feature.
Note
If an alternate server has been configured to receive lease query requests, the cable source-verify dhcp server ipaddress command would be used in place of the cable source-verify dhcp command below.
Router# configure terminal
Router(config)# interface cable 6/0
Router(config-if)# cable source-verify dhcp
Router(config-if)# cable source-verify leasequery-filter upstream 5 2
Router(config-if)# no cable arp
Router(config-if)#
Related Commands
show cable leasequery-filter
To display the number of Dynamic Host Configuration Protocol (DHCP) LEASEQUERY request messages that have been filtered for all cable modems (CMs) or for a particular cable interface, use the show cable leasequery-filter command in privileged EXEC mode.
show cable leasequery-filter [cable slot/port [requests-filtered [minimum-requests] ] ]
show cable leasequery-filter [cable slot/subslot/port [requests-filtered [minimum-requests] ] ]
Syntax Description
Command Modes
Privileged EXEC
Command History
Release: 12.2(15)BC1d, 12.2(15)BC2b
Modification: This command was introduced for the Cisco uBR7100 series, Cisco uBR7246VXR, and Cisco uBR10012 universal broadband routers.
Usage Guidelines
The show cable leasequery-filter command displays the total number of DHCP LEASEQUERY requests that have been filtered on a Cisco Cable Modem Termination System (CMTS) router and on a particular cable interface. This command can also optionally display details for each particular cable modem on an interface that has had DHCP lease queries filtered.
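The requests-filtered form of this command is the most direct way to find the cable modem behind a lease-query flood: the SID whose Req-Filtered counter keeps climbing is the one scanning unknown addresses. When the output has to be reviewed across many interfaces or fed to a monitoring pipeline, the same selection can be done off-box. The following Python parser is an added illustration, not code from this document or from Cisco; it reads a constructed copy of the sample output shown in the Examples section below, reproduces the minimum-requests selection, checks that the statistics line is internally consistent, and attributes the filtered total to individual SIDs.

```python
"""Parse `show cable leasequery-filter` output off-box (added illustration, not Cisco code).

Two formats are handled: the per-interface statistics line
("Requests Sent : N total. X unfiltered, Y filtered") and the per-modem table
produced by the `requests-filtered` keyword. The sample text is a constructed copy
of the output shown in this document's Examples section.
"""
import re
from dataclasses import dataclass

SAMPLE_SUMMARY = """\
Lease Query Filter statistics for Cable8/1/0:
Requests Sent : 35 total. 25 unfiltered, 10 filtered
"""

SAMPLE_TABLE = """\
Sid  MAC Address     IP Address   Req-Filtered
1    0050.7366.1243  92.1.1.20    0
2    0007.0e06.953b  95.1.1.24    0
3    0007.0e06.97b5  93.1.1.24    2
4    00d0.ba45.4bd5  91.1.1.35    0
5    0007.0e06.9773  95.1.1.23    12
6    0001.42aa.737d  94.1.1.23    645
7    0001.42aa.738b  95.1.1.22    0
8    00d0.ba45.4955  92.1.1.23    0
9    0007.0e06.51ef  94.1.1.25    0
10   00d0.ba77.743b  91.1.1.36    3
11   0001.42aa.6e6f  93.1.1.22    2
12   0007.0e06.512f  91.1.1.23    2
13   0007.0e06.5137  92.1.1.25    0
14   0007.0e06.9be7  92.1.1.24    0
15   0002.b970.0027  92.1.1.22    1
16   0001.42aa.738d  91.1.1.21    10
"""

# One table row: SID, MAC in Cisco dotted-hex form, IPv4 address, filtered count.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(\d+)\s*$",
    re.IGNORECASE,
)
SUMMARY_RE = re.compile(
    r"Requests Sent\s*:\s*(\d+)\s+total\.\s*(\d+)\s+unfiltered,\s*(\d+)\s+filtered"
)


@dataclass(frozen=True)
class FilteredEntry:
    sid: int
    mac: str
    ip: str
    req_filtered: int


def parse_requests_filtered(text: str) -> list[FilteredEntry]:
    """Parse the per-modem table; the header line, prompts and blank lines do not match."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sid, mac, ip, count = m.groups()
            entries.append(FilteredEntry(int(sid), mac.lower(), ip, int(count)))
    return entries


def parse_summary(text: str) -> tuple[int, int, int]:
    """Return (total, unfiltered, filtered) from the statistics line.
    Raises ValueError if the line is missing or the counters do not add up."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Requests Sent' line found")
    total, unfiltered, filtered = (int(g) for g in m.groups())
    if total != unfiltered + filtered:
        raise ValueError(f"inconsistent counters: {total} != {unfiltered} + {filtered}")
    return total, unfiltered, filtered


def entries_at_or_above(entries, minimum: int) -> list[FilteredEntry]:
    """Same selection as `requests-filtered <minimum-requests>`, worst offender first."""
    return sorted((e for e in entries if e.req_filtered >= minimum),
                  key=lambda e: e.req_filtered, reverse=True)


def filtered_share(entries) -> dict[int, float]:
    """Fraction of all filtered lease queries in the table attributable to each SID."""
    total = sum(e.req_filtered for e in entries)
    return {e.sid: e.req_filtered / total for e in entries} if total else {}


if __name__ == "__main__":
    print(parse_summary(SAMPLE_SUMMARY))
    rows = parse_requests_filtered(SAMPLE_TABLE)
    for e in entries_at_or_above(rows, 10):
        print(f"SID {e.sid:>3} {e.mac} {e.ip:<12} filtered={e.req_filtered}")
```

On the sample table the minimum of 10 selects SIDs 6, 5 and 16 (the same three modems the router lists for requests-filtered 10), and the share calculation makes the picture obvious: SID 6 accounts for 645 of the 677 filtered queries, which is the modem to look at first.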
Examples
The following example shows how to display the total number of DHCP LEASEQUERY requests that have been filtered on the router and on a particular cable interface:
Router# show cable leasequery-filter
Lease Query Filter statistics for Unknown Sid
Requests Sent : 138 total. 41 unfiltered, 97 filtered
Router# show cable leasequery-filter cable 8/1/0
Lease Query Filter statistics for Cable8/1/0:
Requests Sent : 35 total. 25 unfiltered, 10 filtered
The following example shows how to display a list of cable modems on a cable interface and the number of DHCP LEASEQUERY messages that have been filtered for each:
Router# show cable leasequery-filter cable 8/1/0 requests-filtered
Sid  MAC Address     IP Address   Req-Filtered
1    0050.7366.1243  92.1.1.20    0
2    0007.0e06.953b  95.1.1.24    0
3    0007.0e06.97b5  93.1.1.24    2
4    00d0.ba45.4bd5  91.1.1.35    0
5    0007.0e06.9773  95.1.1.23    12
6    0001.42aa.737d  94.1.1.23    645
7    0001.42aa.738b  95.1.1.22    0
8    00d0.ba45.4955  92.1.1.23    0
9    0007.0e06.51ef  94.1.1.25    0
10   00d0.ba77.743b  91.1.1.36    3
11   0001.42aa.6e6f  93.1.1.22    2
12   0007.0e06.512f  91.1.1.23    2
13   0007.0e06.5137  92.1.1.25    0
14   0007.0e06.9be7  92.1.1.24    0
15   0002.b970.0027  92.1.1.22    1
16   0001.42aa.738d  91.1.1.21    10
Router#
The following example shows how to display a list of cable modems on a cable interface that have had 10 or more DHCP LEASEQUERY messages filtered:
Router# show cable leasequery-filter cable 8/1/0 requests-filtered 10
Sid  MAC Address     IP Address   Req-Filtered
5    0007.0e06.9773  95.1.1.23    12
6    0001.42aa.737d  94.1.1.23    645
16   0001.42aa.738d  91.1.1.21    10
Router#
Related Commands
Copyright © 2004-2009 Cisco Systems, Inc. All rights reserved.