Cisco CMTS Feature Guide
Internal DOCSIS Configurator File Generator for the Cisco CMTS


DOCSIS Internal Configuration File Generator for the Cisco CMTS


Revised: February 5, 2007, OL-1467-08

Feature Specifications for the Internal DOCSIS Configuration File Generator

Feature History

| Release | Modification |
|---|---|
| Release 12.1(2)EC | This feature was supported on the Cisco uBR7200 series routers. |
| Release 12.1(5)EC | This feature was supported on the Cisco uBR7100 series routers. |
| Release 12.2(4)BC1 | This feature was supported on the Release 12.2 BC train for all Cisco CMTS platforms. |

Supported Platforms

Cisco uBR7100 series, Cisco uBR7200 series, Cisco uBR10012 universal broadband routers.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

This document contains the following major sections that describe the Internal DOCSIS Configuration File Generator for the Cisco CMTS routers:

Prerequisites for the Internal DOCSIS Configuration File Generator

Restrictions for the Internal DOCSIS Configuration File Generator

Information About the Internal DOCSIS Configuration File Generator

How to Use the Internal DOCSIS Configuration File Generator

Configuration Examples for the Internal DOCSIS Configuration File Generator

Additional References

Prerequisites for the Internal DOCSIS Configuration File Generator

The Internal DOCSIS Configuration File Generator feature supports the Baseline Privacy Interface (BPI) options only in Cisco IOS software images that support BPI or BPI+ encryption.

To allow CMs to download the configuration files, you must also enable the router's onboard TFTP server, using the tftp-server command. Unless you are running on a small lab network, you should also remove the default limit of 10 TFTP sessions by using the service udp-small-servers max-servers no-limit command.

The following commands are also recommended when using the Internal DOCSIS Configuration File Generator feature:

cable time-server—Enables the Cisco CMTS to function as a time-of-day (ToD) server.

ip dhcp pool—Configures the Cisco CMTS as a DHCP server. Otherwise, you need an external DHCP server.

ip dhcp ping packets 0—Improves the scalability of the Cisco CMTS DHCP server.

Restrictions for the Internal DOCSIS Configuration File Generator

The Internal DOCSIS Configuration File Generator feature supports a shared secret (using the cable shared-secret command) but does not support secondary shared secrets (using the cable shared-secondary-secret command).

The DOCSIS specifications limit the size of MAC-layer management messages to 1522 bytes, which in turn limits the amount of Vendor-Specific Information Fields (VSIF) you can include in the DOCSIS configuration file. This is because DOCSIS requires that when the cable modem sends its Registration Request (REG-REQ) message to the CMTS, it must include the configuration information, including the VSIF fields, found in the DOCSIS configuration file.

In particular, this maximum packet size imposes a limit on the number of Cisco IOS CLI commands you can include as VSIF fields in the DOCSIS configuration file. The exact number of commands that will fit depends on the other information included in the file, as well as the length of each command.

If the REG-REQ message is larger than 1522 bytes, the cable modem will likely report errors similar to the following errors that appear on Cisco uBR900 series cable access routers:

%LINK-4-TOOBIG: Interface cable-modem0, Output packet size of 1545 bytes too big
%LINEPROTO-5-UPDOWN: Line protocol on Interface cable-modem0, changed state to down

In addition, the CMTS also reports that the cable modem timed out during the registration process. If this occurs, you can try the following steps:

Reduce the length of the commands by using the abbreviated form of the command. For example, you can specify int c0 instead of the full command interface cable-modem0.

SNMP MIB objects are not included in the Registration Request message, so wherever possible, replace the CLI commands with the corresponding SNMP MIB object statements in the DOCSIS configuration file.

If a large number of CLI commands must be given, use VSIF option 128 to download a Cisco IOS configuration file to the cable modem.


Tip: For complete details on what is included in the REG-REQ message, see Chapter 6 of the DOCSIS 1.1 specification.


Information About the Internal DOCSIS Configuration File Generator

This section provides the following information about the Internal DOCSIS Configuration File Generator feature:

Feature Overview

DOCSIS Configuration File Commands

Benefits

Feature Overview

The Data-over-Cable Service Interface Specifications (DOCSIS) standard requires that cable modems download a DOCSIS configuration file before being allowed to register on the cable network. This configuration file contains parameters that control the modem's access to the network, such as the maximum upstream and downstream rates, the maximum number of customer premises equipment (CPE) devices supported by the cable modem, and whether the connected CPE is allowed access to the service provider's network.

DOCSIS configuration files are saved in a binary format, as required by the DOCSIS specifications. Typically service providers use a separate DOCSIS configuration file editor on an external server to create the DOCSIS configuration files that are used on their network. Then the providers must save the files to the appropriate Trivial File Transfer Protocol (TFTP) server so that they can be delivered to cable modems as they register on the cable network.

To simplify this process, Cisco CMTS routers offer the option of creating DOCSIS configuration files on the router. These files are stored as text commands that are part of the router's Cisco IOS configuration. When a cable modem requests a DOCSIS configuration file, the Cisco CMTS router dynamically creates the binary version of the file and uses the router's onboard TFTP server to deliver it to the appropriate cable modem.

Service providers thus have the following options as to how DOCSIS configuration files can be created and delivered to cable modems:

The Cisco Internal DOCSIS Configurator File Generator creates DOCSIS configuration files as part of the router's Cisco IOS configuration. When the file is to be transmitted by the TFTP server, the router creates the binary file that is required by the DOCSIS specifications, and the TFTP server transmits that binary file to the cable modem. This allows rapid changes to be made to a DOCSIS configuration file simply by giving the appropriate Cisco IOS command-line interface (CLI) commands.

A standalone DOCSIS configuration file editor can be used to create the binary DOCSIS configuration file, which is then transferred to the router's Flash memory or PCMCIA memory device. The TFTP server can then be instructed to send that file to cable modems as requested. To make a change in this file, the standalone DOCSIS configuration file editor must make those changes and the new file must be transferred back to the router's Flash memory or PCMCIA memory device.

A standalone DOCSIS configuration file editor can be used to create the binary DOCSIS configuration file, which is then stored on a separate TFTP server in the cable headend network. This TFTP server is responsible for transmitting that file to cable modems as requested. To make a change in this file, the standalone DOCSIS configuration file editor must make those changes and the new file must be transferred back to the standalone TFTP server.

DOCSIS Configuration File Commands

To create a DOCSIS configuration file, use the cable config-file command in global configuration mode. This command creates the configuration file in the router's running configuration and then enters cable configuration file mode, at which point you can enter any or all of the subcommands listed in Table 9-1.

Table 9-1 DOCSIS Configuration File Editor Subcommands 

| Command | Description |
|---|---|
| access-denied | Specifies whether CPE devices attached to the cable modem are allowed access to the cable network. Note: This subcommand does NOT disconnect the cable modem from the cable network. It instead prevents the CPE devices connected to the cable modem from accessing the cable network. |
| channel-id | Specifies the upstream channel ID to be used by the cable modem. |
| cpe max | Specifies the maximum number of CPE devices that can use the cable modem to connect to the network. |
| download | Specifies that the cable modem should download a new software image, if necessary, from a TFTP server before beginning operations on the cable network. |
| frequency | Specifies the center frequency for a downstream channel for the cable modem. |
| option | Specifies configuration file options that are not supported by the other cable config-file commands. In particular, this command allows unspecified vendor-specific options that can vary from vendor to vendor and from model to model. |
| privacy | Enables or disables Baseline Privacy Interface (BPI) encryption on the cable modem. Note: To enable BPI operations on a cable modem, you must use both the privacy and service-class privacy commands. |
| service-class | Specifies additional class of service (CoS) profiles to support different types of traffic flows, such as real-time traffic and traffic that has a guaranteed minimum bandwidth. |
| snmp manager | Specifies the IP address for a Simple Network Management Protocol (SNMP) manager that is allowed access to the cable modem. |
| timestamp | Enables the time-stamping of a DOCSIS configuration file when it is sent to a cable modem so that it cannot be captured and replayed at a later time for a cable modem that is not authorized to use that file. Also, the time-stamp feature automatically ensures time synchronization between the DOCSIS configuration file and the CMTS. To ensure time synchronization between an external TFTP server and the CMTS, the TFTP server should use a time synchronization protocol, such as Network Time Protocol (NTP). |


Benefits

Allows multiple service operator provisioners, service providers, and other users to create, edit, and internally store a DOCSIS configuration file on the CMTS to provide operational instructions for DOCSIS cable modems and set-top boxes.

Because this is a built-in tool on the Cisco CMTS, this feature removes the requirement for standalone TFTP servers to create and deliver DOCSIS configuration files.

Changes can be made to DOCSIS configuration files by giving one or more CLI commands. You do not have to use a standalone DOCSIS configuration file editor to make the changes, create a new binary file, and then transfer it to the Cisco CMTS router.

Related Features

The Internal DOCSIS Configuration File Generator feature creates DOCSIS configuration files and saves them as part of the Cisco CMTS router's startup or running configuration file. To create standalone DOCSIS configuration files, you can use the standalone DOCSIS configuration file editor that is available at the following URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cpe-conf


Note: You must have an account on Cisco.com to access this location.


How to Use the Internal DOCSIS Configuration File Generator

To create and use the router's onboard DOCSIS configuration file editor, see the following sections. Each task in the list is identified as either required or optional.

Creating and Configuring a DOCSIS Configuration File (required)

Specifying SNMP MIB Objects (Option 11) (optional)

Specifying Vendor-Specific Information Fields (Option 43) (optional)

Configuring the Router's Onboard TFTP Server (required)

For syntax and usage information on the cable-specific commands shown in this section, see the Cisco Broadband Cable Command Reference Guide on Cisco.com and on the Documentation CD-ROM.

For information about any other commands, see the Cisco IOS Release 12.2 documentation set on Cisco.com.

Creating and Configuring a DOCSIS Configuration File

The following shows how to use the cable config-file command and its subcommands to create a DOCSIS configuration file that is stored as part of the router's running configuration.

SUMMARY STEPS

1. enable

2. configure terminal

3. cable config-file filename

4. access-denied

5. channel-id upstreamchan-id

6. cpe max cpe-num

7. download image filename [oui oui-list]

8. download server ip-address

9. frequency freq

10. option n [instance inst-num] {ascii string | hex hexstring | ip ip-address}

11. privacy grace-time {authorization value | tek value}

12. privacy timeout {authorize value | operational value | re-authorize value | reject value | rekey value}

13. service-class class {guaranteed-upstream us-bandwidth max-burst burst-size max-downstream max-dsbandwidth max-upstream max-usbandwidth priority priority-num privacy}

14. snmp manager ip-address

15. timestamp

16. exit

17. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

cable config-file filename

Example:

Router(config)# cable config-file new.cm

Router(config-file)# 

Creates a DOCSIS configuration file and enters cable config-file configuration mode. The filename can be any arbitrary string that uniquely identifies this configuration file. This is also the filename to be used when sending the configuration file to a cable modem with a TFTP server.

Step 4 

access-denied

Example:

Router(config-file)# access-denied

Router(config-file)# 

(Optional) Instructs the cable modem to prevent CPE devices from accessing the cable network. The default is the no form of this command, which allows CPE devices to access the cable network.

Step 5 

channel-id upstreamchan-id

Example:

Router(config-file)# channel-id 4

Router(config-file)# 

(Optional) Instructs the cable modem to use a specific upstream channel ID. The valid range for upstreamchan-id is 0 to 255, depending on the number of upstream ports on the cable interface card. For telco-return cable modems, this value must either be 0 or left unspecified.

Step 6 

cpe max cpe-num

Example:

Router(config-file)# cpe max 8

Router(config-file)# 

(Optional) Specifies the maximum number of CPE devices that can use the cable modem to connect to the network. The valid range for cpe-num is 1 to 254, with a default of 1.

Step 7 

download image filename [oui oui-list]

Example:

Router(config-file)# download image ubr925-v9y-mz oui 00.00.0C

Router(config-file)# 

(Optional) Specifies that the cable modem should download and execute a new software image before coming online.

filename = Fully qualified path name for the software image as it exists on the TFTP server.

oui-list = (Optional) Specifies up to eight Organizationally Unique Identifiers (OUIs). The cable modem must match one of these OUI values before it can download the software image. This ensures that a cable modem downloads only software images made by the proper vendor.

Step 8 

download server ip-address

Example:

Router(config-file)# download server 10.10.10.13

Router(config-file)# 

(Optional) Specifies the IP address for the TFTP server from which the cable modem should download new software images. If not specified, the cable modem uses the same TFTP server that provided its DOCSIS configuration file.

Step 9 

frequency freq

Example:

Router(config-file)# frequency 453000000

Router(config-file)# 

(Optional) Specifies the center frequency for the downstream channel to be used by the cable modem. The valid range for freq is 88 to 860 MHz. The default is for the modem to scan the downstream for available frequencies.

Step 10 

option n [instance inst-num] {ascii string | hex hexstring | ip ip-address}

Example:

Router(config-file)# option 43 hex 08:03:00:00:0C:80:07:69:6F:73:2E:63:66:67

Router(config-file)# 

(Optional) Specifies a TLV option that is not otherwise available, such as VSIF fields.

n = TLV option code. The valid range is 5 to 254.

instance inst-num = (Optional) Specifies an instance of this option so that you can give the same option multiple times. The valid range is 0 to 255.

ascii string = Specifies the data as a Network Virtual Terminal (NVT) ASCII string. If the string contains white space, you must surround it with quotes.

hex hexstring = Specifies the data as a raw hexadecimal string. Each byte is two hexadecimal digits, and each byte can be separated by a period, colon, or white space. A maximum of 254 bytes can be specified.

ip ip-address = Specifies the data in the form of an IP address.

Step 11 

privacy grace-time {authorization value | tek value}

Example:

Router(config-file)# privacy grace-time authorization 1000

Router(config-file)# privacy grace-time tek 800 
Router(config-file)# 

(Optional) Enables Baseline Privacy Interface (BPI) encryption and configures the grace-time timer values:

authorization value = Specifies the authorization grace time in seconds. The valid range is 1 to 1800 seconds, with a default of 600 seconds.

tek value = Specifies the Traffic Encryption Key (TEK) grace time in seconds. The valid range is 1 to 1800 seconds, with a default of 600 seconds.

Step 12 

privacy timeout {authorize value | operational value | re-authorize value | reject value | rekey value}

Example:

Router(config-file)# privacy timeout authorize 15

Router(config-file)# 

(Optional) Enables Baseline Privacy Interface (BPI) encryption and configures the following timeout values:

authorize value = Specifies the authorize wait timeout in seconds. The valid range is 2 to 30 seconds, with a default of 10 seconds.

operational value = Specifies the operational wait timeout in seconds. The valid range is 1 to 10 seconds, with a default of 1 second.

re-authorize value = Specifies the re-authorize wait timeout in seconds. The valid range is 1 to 20 seconds, with a default of 10 seconds.

reject value = Specifies the authorize reject wait timeout in seconds. The valid range is 1 to 600 seconds, with a default of 60 seconds.

rekey value = Specifies the rekey wait timeout in seconds. The valid range is 1 to 10 seconds, with a default of 1 second.

 

Note: To enable BPI operations on the cable modem, you must use the privacy command to enable BPI operations in general, and then use the service-class privacy command to enable BPI on that specific CoS profile.

Step 13 

service-class class {guaranteed-upstream us-bandwidth max-burst burst-size max-downstream max-dsbandwidth max-upstream max-usbandwidth priority priority-num privacy}

Example:

Router(config-file)# service-class 8 max-downstream 100000 priority 4 privacy

Router(config-file)# 

(Optional) Creates a class of service (CoS) profile that specifies the quality of service (QoS) parameters the cable modem can use for traffic.

class = Specifies service class number. The valid range is 1 to 16, with a default of 1.

guaranteed-upstream us-bandwidth = Specifies the guaranteed upstream bandwidth in kbps. The valid range is 0 to 100000 kbps, with a default of 0, which indicates no guaranteed bandwidth.

max-burst burst-size = Specifies the maximum upstream burst size in bytes. The valid range is 0 to 65535, with a default value of 0, which signifies unlimited burst length. Cisco recommends a value in the range of 1600 to 1800 bytes.

max-downstream max-dsbandwidth = Specifies the maximum downstream data rate in kilobits/sec allowed for traffic associated with this class of service. The valid range is 0 to 100000 kbps, with a default of 0.

max-upstream max-usbandwidth = Specifies the maximum upstream bandwidth in kilobits/sec for traffic associated with this class of service. The valid range is 0 to 100000 kbps, with a default of 0, which is no maximum upstream data rate.

priority priority-num = Specifies the service class priority. The valid range is 0 to 7, where 7 is the highest-priority service-class setting.

privacy = Enables Baseline Privacy Interface (BPI) on this service flow.

Step 14 

snmp manager ip-address

Example:

Router(config-file)# snmp manager 10.10.10.143

Router(config-file)# 

(Optional) Specifies the IP address of an SNMP manager allowed to manage the cable modem. The default is that no SNMP manager is defined.

Step 15 

timestamp

Example:

Router(config-file)# timestamp

Router(config-file)# 

(Optional) Enables time-stamp generation of DOCSIS configuration files. When the router's TFTP server sends the DOCSIS configuration file to the cable modem, it adds a field containing the current date and time, to prevent unauthorized parties from capturing the file and replaying it at a later time.

Step 16 

exit

Example:

Router(config-file)# exit

Router(config)# 

Exits cable configuration file mode.

Step 17 

exit

Example:

Router(config)# exit

Router# 

Exits global configuration mode.


Note: When you have enabled a DOCSIS shared secret using the cable shared-secret command, the shared secret is automatically applied to the DOCSIS configuration files created by the Internal DOCSIS Configuration File Generator feature whenever a file is sent to a requesting cable modem.


Specifying SNMP MIB Objects (Option 11)

The DOCSIS specification allows SNMP objects to be set using option 11 in the DOCSIS configuration file. Most writable SNMP attributes can be set using this option. The cable modem treats the SET requests in the DOCSIS configuration file as fully authorized, so SNMP attributes can be set in the DOCSIS configuration file without specifying an SNMP manager or community string.

This section demonstrates the following common uses of this technique to set attributes in DOCS-CABLE-DEVICE-MIB (defined in RFC 2669 for the SNMP management of DOCSIS cable devices):

Specifying Multiple SNMP Managers and Community Strings

Specifying an LLC Filter

Specifying a Filter to Block Microsoft NetBIOS Networking and File-Sharing Traffic

Specifying Multiple SNMP Managers and Community Strings

The DOCS-CABLE-DEVICE-MIB contains a set of attributes that specify the SNMP managers that are allowed access to the cable modem. This section illustrates how to use SNMP to define the following sets of SNMP managers:

SNMP Manager 1—Allows read-only access to all IP addresses on all interfaces, with a community string of Public.

SNMP Manager 2—Allows read-write access to SNMP managers only on the network 10.0.0.0 on the cable interface, with the community string of Private.

These entries are created as instances of the docsDevNmAccessEntry table in DOCS-CABLE-DEVICE-MIB. Table 9-2 shows the SNMP attributes that must be set to enable these SNMP managers. Following this table are the cable config-file commands that create a DOCSIS configuration file that sets these attributes.


Note: To specify only an IP address for an SNMP manager in the DOCSIS configuration file, use the cable config-file snmp manager command.


Table 9-2 docsDevNmAccessEntry

| Object ID Number / Name | Type | Value | Description |
|---|---|---|---|
| SNMP Manager Entry 1—Allows read-only access to all IP addresses on all interfaces, with a community string of Public | | | |
| 1.3.6.1.2.1.69.1.2.1.7.1 docsDevNmAccessStatus.1 | Integer | 5 | Creates table entry number 1 but does not activate it yet. |
| 1.3.6.1.2.1.69.1.2.1.2.1 docsDevNmAccessIp.1 | IP Address | 255.255.255.255* | Allows SNMP requests from any source IP address. |
| 1.3.6.1.2.1.69.1.2.1.3.1 docsDevNmAccessIpMask.1 | IP Address | 0.0.0.0 | Specifies that any subnet mask is allowed for the source IP address. |
| 1.3.6.1.2.1.69.1.2.1.4.1 docsDevNmAccessCommunity.1 | Octet String | Public | Sets the community string for this group of SNMP managers to Public. |
| 1.3.6.1.2.1.69.1.2.1.5.1 docsDevNmAccessControl.1 | Integer | 2 | Specifies that this group of SNMP Managers has read-only access. |
| 1.3.6.1.2.1.69.1.2.1.6.1 docsDevNmAccessInterfaces.1 | Octet String | 0 | Allows SNMP access from all interfaces on the cable modem. |
| 1.3.6.1.2.1.69.1.2.1.7.1 docsDevNmAccessStatus.1 | Integer | 1 | Enables this entry to allow access by the specified SNMP managers. |
| SNMP Manager Entry 2—Allows read-write access to SNMP managers only on the network 10.0.0.0 on the cable interface, with the community string of Private | | | |
| 1.3.6.1.2.1.69.1.2.1.7.2 docsDevNmAccessStatus.2 | Integer | 5 | Creates table entry number 2 but does not activate it yet. |
| 1.3.6.1.2.1.69.1.2.1.2.2 docsDevNmAccessIp.2 | IP Address | 10.0.0.0 | Allows SNMP requests from hosts only on the network 10.0.0.0. |
| 1.3.6.1.2.1.69.1.2.1.3.2 docsDevNmAccessIpMask.2 | IP Address | 255.0.0.0 | Specifies the subnet mask for the allowable hosts. |
| 1.3.6.1.2.1.69.1.2.1.4.2 docsDevNmAccessCommunity.2 | Octet String | Private | Sets the community string for this group of SNMP managers to Private. |
| 1.3.6.1.2.1.69.1.2.1.5.2 docsDevNmAccessControl.2 | Integer | 3 | Specifies that this group of SNMP Managers has read-write access. |
| 1.3.6.1.2.1.69.1.2.1.6.2 docsDevNmAccessInterfaces.2 | Octet String | 0x40 | Allows SNMP access only from the cable interface. |
| 1.3.6.1.2.1.69.1.2.1.7.2 docsDevNmAccessStatus.2 | Integer | 1 | Enables this entry to allow access by the specified SNMP managers. |


The following commands are the lines in the CMTS Cisco IOS configuration file that would create the DOCSIS configuration file that sets up these SNMP manager entries on the cable modem:

!SNMP Manager Entry 1—Allows read-only access to all IP addresses on all interfaces,
! with a community string of Public
option 11 instance 1 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 07 01 02 01 05
option 11 instance 2 hex 30 82 00 13 06 0B 2B 06 01 02 01 45 01 02 01 02 01 40 04 FF FF FF FF
option 11 instance 3 hex 30 82 00 13 06 0B 2B 06 01 02 01 45 01 02 01 03 01 40 04 00 00 00 00
option 11 instance 4 hex 30 82 00 15 06 0B 2B 06 01 02 01 45 01 02 01 04 01 04 06 70 75 62 6C 69 63 
option 11 instance 5 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 05 01 02 01 02
option 11 instance 6 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 06 01 04 01 C0
option 11 instance 7 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 07 01 02 01 01
! SNMP Manager Entry 2—Allows read-write access to SNMP managers only on the 
! network 10.0.0.0 on the cable interface, with the community string of Private 
option 11 instance 8 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 07 02 02 01 05
option 11 instance 9 hex 30 82 00 13 06 0B 2B 06 01 02 01 45 01 02 01 02 02 40 04 0A 00 00 00
option 11 instance 10 hex 30 82 00 13 06 0B 2B 06 01 02 01 45 01 02 01 03 02 40 04 FF 00 00 00
option 11 instance 11 hex 30 82 00 16 06 0B 2B 06 01 02 01 45 01 02 01 04 02 04 07 70 72 69 76 61 74 65
option 11 instance 12 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 05 02 02 01 03
option 11 instance 13 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 06 02 04 01 40
option 11 instance 14 hex 30 82 00 10 06 0B 2B 06 01 02 01 45 01 02 01 07 02 02 01 01

Specifying an LLC Filter

The DOCS-CABLE-DEVICE-MIB contains a set of attributes that can implement Layer 3 Logical Link Control (LLC) filters. This section illustrates the following LLC filters:

Filter 1 allows IP packets on all interfaces.

Filter 2 allows IP ARP packets on all interfaces.

All other Layer 3 traffic is blocked.

These filters are created by creating instances of the docsDevFilterLLCEntry table in DOCS-CABLE-DEVICE-MIB. Table 9-3 shows the SNMP attributes that must be set to activate these filters. Following this table are the cable config-file commands that create a DOCSIS configuration file that sets these attributes.

Table 9-3 Setting Attributes in docsDevFilterLLCEntry to Allow only IP and IP ARP Traffic 

| Object ID Number / Name | Type | Value | Description |
|---|---|---|---|
| 1.3.6.1.2.1.69.1.6.1.0 docsDevFilterLLCUnmatchedAction.0 | Integer | 1 | Specifies that the default action is to discard all traffic that does not match one of the active LLC filters. |
| Filter 1—Allows IP traffic on all interfaces | | | |
| 1.3.6.1.2.1.69.1.6.2.1.2.1 docsDevFilterLLCStatus.1 | Integer | 5 | Creates LLC filter 1 but doesn't activate it yet. |
| 1.3.6.1.2.1.69.1.6.2.1.3.1 docsDevFilterLLCIfIndex.1 | Integer | 0 | Applies this filter to all interfaces on the cable modem. |
| 1.3.6.1.2.1.69.1.6.2.1.4.1 docsDevFilterLLCProtocolType.1 | Integer | 1 | Specifies that Ethertype frames are being filtered. |
| 1.3.6.1.2.1.69.1.6.2.1.5.1 docsDevFilterLLCProtocol.1 | Integer | 2048 | Allows frames carrying IP traffic to pass. |
| 1.3.6.1.2.1.69.1.6.2.1.2.1 docsDevFilterLLCStatus.1 | Integer | 1 | Activates this filter. |
| Filter 2—Allows IP ARP traffic on all interfaces | | | |
| 1.3.6.1.2.1.69.1.6.2.1.2.2 docsDevFilterLLCStatus.2 | Integer | 5 | Creates LLC filter 2 but doesn't activate it yet. |
| 1.3.6.1.2.1.69.1.6.2.1.3.2 docsDevFilterLLCIfIndex.2 | Integer | 0 | Applies this filter to all interfaces on the cable modem. |
| 1.3.6.1.2.1.69.1.6.2.1.4.2 docsDevFilterLLCProtocolType.2 | Integer | 1 | Specifies that Ethertype frames are being filtered. |
| 1.3.6.1.2.1.69.1.6.2.1.5.2 docsDevFilterLLCProtocol.2 | Integer | 2054 | Allows frames carrying IP ARP traffic to pass. |
| 1.3.6.1.2.1.69.1.6.2.1.2.2 docsDevFilterLLCStatus.2 | Integer | 1 | Activates this filter. |


The following commands are the lines in the CMTS Cisco IOS configuration file that would create the DOCSIS configuration file that sets up these filters on the cable modem:

! Discards all traffic that does not match one of the LLC filters
option 11 instance 101 hex 30 82 00 0F 06 0A 2B 06 01 02 01 45 01 06 01 00 02 01 01
! Defines filter 1 to allow IP traffic to pass on all interfaces
option 11 instance 102 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 02 01 02 01 05
option 11 instance 103 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 03 01 02 01 00
option 11 instance 104 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 04 01 02 01 01
option 11 instance 105 hex 0B 16 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 02 01 05 01 02 02 08 00
option 11 instance 106 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 02 01 02 01 01
! Defines filter 2 to allow IP ARP traffic to pass on all interfaces
option 11 instance 107 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 02 02 02 01 05
option 11 instance 108 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 03 02 02 01 00
option 11 instance 109 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 04 02 02 01 01
option 11 instance 110 hex 0B 16 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 02 01 05 02 02 02 08 06
option 11 instance 111 hex 0B 15 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 02 01 02 02 02 01 01

Specifying a Filter to Block Microsoft NetBIOS Networking and File-Sharing Traffic

This section illustrates the following filters for IP traffic:

Filter 1 blocks all TCP traffic on all interfaces to destination ports 137-139 (Microsoft NetBIOS networking and file-sharing traffic)

Filter 2 blocks all UDP traffic on all interfaces to destination ports 137-139 (Microsoft NetBIOS networking and file-sharing traffic)

Filter 3 blocks all inbound UDP traffic on the Ethernet interface from source ports 67 and 68 (DHCP and bootp servers)

All other IP traffic that does not match one of these filters is allowed to pass.

These filters are created by creating instances of the docsDevFilterIpEntry table in DOCS-CABLE-DEVICE-MIB. Table 9-4 shows the SNMP attributes that must be set to activate these filters. Following this table are the cable config-file commands that create a DOCSIS configuration file that sets these attributes.


Note The values in Table 9-4 that are marked with an asterisk are the default values and do not need to be specified to create the filter.


Table 9-4 Setting Attributes in docsDevFilterIpEntry to Block Microsoft Networking and File Sharing 

| Object ID Number | Name | Type | Value | Description |
|---|---|---|---|---|
| 1.3.6.1.2.1.69.1.6.3.0 | docsDevFilterIpDefault.0 | Integer | 2 | Sets the default behavior for IP packets, which is to allow any IP packet to pass if it does not match an activated filter. |

Filter 1—Blocks TCP traffic to destination ports 137-139 on all interfaces

| Object ID Number | Name | Type | Value | Description |
|---|---|---|---|---|
| 1.3.6.1.2.1.69.1.6.4.1.2.1 | docsDevFilterIpStatus.1 | Integer | 5 | Creates IP filter number 1 but does not activate it yet. |
| 1.3.6.1.2.1.69.1.6.4.1.3.1 | docsDevFilterIpControl.1 | Integer | 1* | Discards all IP packets matching filter number 1. |
| 1.3.6.1.2.1.69.1.6.4.1.4.1 | docsDevFilterIpIfIndex.1 | Integer | 0 | Applies this filter to all interfaces on the cable modem. |
| 1.3.6.1.2.1.69.1.6.4.1.5.1 | docsDevFilterIpDirection.1 | Integer | 3 | Applies this filter to both inbound and outbound traffic. |
| 1.3.6.1.2.1.69.1.6.4.1.6.1 | docsDevFilterIpBroadcast.1 | Integer | 2* | Applies this filter to all traffic (including broadcast and multicast traffic). |
| 1.3.6.1.2.1.69.1.6.4.1.7.1 | docsDevFilterIpSaddr.1 | IP Address | 0.0.0.0* | Matches any source IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.8.1 | docsDevFilterIpSmask.1 | IP Address | 0.0.0.0* | Matches any source IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.9.1 | docsDevFilterIpDaddr.1 | IP Address | 0.0.0.0* | Matches any destination IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.10.1 | docsDevFilterIpDmask.1 | IP Address | 0.0.0.0* | Matches any destination IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.11.1 | docsDevFilterIpProtocol.1 | Integer | 6 | Matches TCP packets. |
| 1.3.6.1.2.1.69.1.6.4.1.12.1 | docsDevFilterIpSourcePortLow.1 | Integer | 0* | Applies this filter to traffic for all source ports (0-65535). |
| 1.3.6.1.2.1.69.1.6.4.1.13.1 | docsDevFilterIpSourcePortHigh.1 | Integer | 65535* | Applies this filter to traffic for all source ports (0-65535). |
| 1.3.6.1.2.1.69.1.6.4.1.14.1 | docsDevFilterIpDestPortLow.1 | Integer | 137 | Applies this filter to traffic for destination ports 137-139. |
| 1.3.6.1.2.1.69.1.6.4.1.15.1 | docsDevFilterIpDestPortHigh.1 | Integer | 139 | Applies this filter to traffic for destination ports 137-139. |
| 1.3.6.1.2.1.69.1.6.4.1.2.1 | docsDevFilterIpStatus.1 | Integer | 1 | Activates this filter. |

Filter 2—Blocks UDP traffic to destination ports 137-139 on all interfaces

| Object ID Number | Name | Type | Value | Description |
|---|---|---|---|---|
| 1.3.6.1.2.1.69.1.6.4.1.2.2 | docsDevFilterIpStatus.2 | Integer | 5 | Creates IP filter number 2 but does not activate it yet. |
| 1.3.6.1.2.1.69.1.6.4.1.3.2 | docsDevFilterIpControl.2 | Integer | 1* | Discards all IP packets matching filter number 2. |
| 1.3.6.1.2.1.69.1.6.4.1.4.2 | docsDevFilterIpIfIndex.2 | Integer | 0 | Applies this filter to all interfaces on the cable modem. |
| 1.3.6.1.2.1.69.1.6.4.1.5.2 | docsDevFilterIpDirection.2 | Integer | 3 | Applies this filter to both inbound and outbound traffic. |
| 1.3.6.1.2.1.69.1.6.4.1.6.2 | docsDevFilterIpBroadcast.2 | Integer | 2* | Applies this filter to all traffic (including broadcast and multicast traffic). |
| 1.3.6.1.2.1.69.1.6.4.1.7.2 | docsDevFilterIpSaddr.2 | IP Address | 0.0.0.0* | Matches any source IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.8.2 | docsDevFilterIpSmask.2 | IP Address | 0.0.0.0* | Matches any source IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.9.2 | docsDevFilterIpDaddr.2 | IP Address | 0.0.0.0* | Matches any destination IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.10.2 | docsDevFilterIpDmask.2 | IP Address | 0.0.0.0* | Matches any destination IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.11.2 | docsDevFilterIpProtocol.2 | Integer | 17 | Matches UDP packets. |
| 1.3.6.1.2.1.69.1.6.4.1.12.2 | docsDevFilterIpSourcePortLow.2 | Integer | 0* | Applies this filter to traffic for all source ports (0-65535). |
| 1.3.6.1.2.1.69.1.6.4.1.13.2 | docsDevFilterIpSourcePortHigh.2 | Integer | 65535* | Applies this filter to traffic for all source ports (0-65535). |
| 1.3.6.1.2.1.69.1.6.4.1.14.2 | docsDevFilterIpDestPortLow.2 | Integer | 137 | Applies this filter to traffic for destination ports 137-139. |
| 1.3.6.1.2.1.69.1.6.4.1.15.2 | docsDevFilterIpDestPortHigh.2 | Integer | 139 | Applies this filter to traffic for destination ports 137-139. |
| 1.3.6.1.2.1.69.1.6.4.1.2.2 | docsDevFilterIpStatus.2 | Integer | 1 | Activates this filter. |

Filter 3—Blocks DHCP servers on the Ethernet network (all inbound UDP traffic on the Ethernet interface from source port 67)

| Object ID Number | Name | Type | Value | Description |
|---|---|---|---|---|
| 1.3.6.1.2.1.69.1.6.4.1.2.3 | docsDevFilterIpStatus.3 | Integer | 5 | Creates IP filter number 3 but does not activate it yet. |
| 1.3.6.1.2.1.69.1.6.4.1.3.3 | docsDevFilterIpControl.3 | Integer | 1 | Discards all IP packets matching filter number 3. |
| 1.3.6.1.2.1.69.1.6.4.1.4.3 | docsDevFilterIpIfIndex.3 | Integer | 1 | Applies this filter to the Ethernet interface on the cable modem. |
| 1.3.6.1.2.1.69.1.6.4.1.5.3 | docsDevFilterIpDirection.3 | Integer | 1 | Applies this filter to inbound traffic only. |
| 1.3.6.1.2.1.69.1.6.4.1.6.3 | docsDevFilterIpBroadcast.3 | Integer | 2* | Applies this filter to all traffic (including broadcast and multicast traffic). |
| 1.3.6.1.2.1.69.1.6.4.1.7.3 | docsDevFilterIpSaddr.3 | IP Address | 0.0.0.0* | Matches any source IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.8.3 | docsDevFilterIpSmask.3 | IP Address | 0.0.0.0* | Matches any source IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.9.3 | docsDevFilterIpDaddr.3 | IP Address | 0.0.0.0* | Matches any destination IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.10.3 | docsDevFilterIpDmask.3 | IP Address | 0.0.0.0* | Matches any destination IP address. |
| 1.3.6.1.2.1.69.1.6.4.1.11.3 | docsDevFilterIpProtocol.3 | Integer | 17 | Matches UDP packets. |
| 1.3.6.1.2.1.69.1.6.4.1.12.3 | docsDevFilterIpSourcePortLow.3 | Integer | 67 | Applies this filter to traffic from source ports 67 and 68. |
| 1.3.6.1.2.1.69.1.6.4.1.13.3 | docsDevFilterIpSourcePortHigh.3 | Integer | 68 | Applies this filter to traffic from source ports 67 and 68. |
| 1.3.6.1.2.1.69.1.6.4.1.14.3 | docsDevFilterIpDestPortLow.3 | Integer32 | 0* | Applies this filter to traffic for all destination ports. |
| 1.3.6.1.2.1.69.1.6.4.1.15.3 | docsDevFilterIpDestPortHigh.3 | Integer32 | 65535* | Applies this filter to traffic for all destination ports. |
| 1.3.6.1.2.1.69.1.6.4.1.2.3 | docsDevFilterIpStatus.3 | Integer | 1 | Activates this filter. |


The following commands appear in the CMTS Cisco IOS configuration file that creates the DOCSIS configuration file that sets up these filters on the cable modem. The option lines that are commented out with an exclamation point (!) set default values and do not need to be specified to create the filters.

cable config-file setsnmp.cm 
! Sets the default behavior for IP traffic, to allow traffic that does not match any filters to pass
 option 11 instance 200 hex 30 82 00 0F 06 0A 2B 06 01 02 01 45 01 06 03 00 02 01 02 
!
! These lines define filter 1 to block TCP traffic to ports 137-139 on all interfaces
 option 11 instance 201 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 01 02 01 05 
 option 11 instance 202 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 03 01 02 01 01 
 option 11 instance 203 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 04 01 02 01 00 
 option 11 instance 204 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 05 01 02 01 03 
!option 11 instance 205 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 06 01 02 01 02 
!option 11 instance 206 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 07 01 40 04 00 00 00 00 
!option 11 instance 207 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 08 01 40 04 00 00 00 00 
!option 11 instance 208 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 09 01 40 04 00 00 00 00 
!option 11 instance 209 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 0A 01 40 04 00 00 00 00 
 option 11 instance 210 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0B 01 02 01 06 
!option 11 instance 211 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0C 01 02 01 00 
!option 11 instance 212 hex 30 82 00 13 06 0C 2B 06 01 02 01 45 01 06 04 01 0D 01 02 03 00 FF FF 
 option 11 instance 213 hex 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 04 01 0E 01 02 02 00 89 
 option 11 instance 214 hex 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 04 01 0F 01 02 02 00 8B 
 option 11 instance 215 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 01 02 01 01 
!
!These lines define filter 2 to block UDP traffic to ports 137-139 on all interfaces
 option 11 instance 216 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 02 02 01 05 
 option 11 instance 217 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 03 02 02 01 01 
 option 11 instance 218 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 04 02 02 01 00 
 option 11 instance 219 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 05 02 02 01 03 
!option 11 instance 220 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 06 02 02 01 02 
!option 11 instance 221 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 07 02 40 04 00 00 00 00 
!option 11 instance 222 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 08 02 40 04 00 00 00 00 
!option 11 instance 223 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 09 02 40 04 00 00 00 00 
!option 11 instance 224 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 0A 02 40 04 00 00 00 00 
 option 11 instance 225 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0B 02 02 01 11 
!option 11 instance 226 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0C 02 02 01 00 
!option 11 instance 227 hex 30 82 00 13 06 0C 2B 06 01 02 01 45 01 06 04 01 0D 02 02 03 00 FF FF 
 option 11 instance 228 hex 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 04 01 0E 02 02 02 00 89 
 option 11 instance 229 hex 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 04 01 0F 02 02 02 00 8B 
 option 11 instance 230 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 02 02 01 01 
!These lines define filter 3 to block DHCP and BOOTP traffic on the Ethernet interface
 option 11 instance 231 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 03 02 01 05 
 option 11 instance 232 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 03 03 02 01 01 
 option 11 instance 233 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 04 03 02 01 01 
 option 11 instance 234 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 05 03 02 01 01 
!option 11 instance 235 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 06 03 02 01 02 
!option 11 instance 236 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 07 03 40 04 00 00 00 00 
!option 11 instance 237 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 08 03 40 04 00 00 00 00 
!option 11 instance 238 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 09 03 40 04 00 00 00 00 
!option 11 instance 239 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 0A 03 40 04 00 00 00 00 
 option 11 instance 240 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0B 03 02 01 11 
 option 11 instance 241 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0C 03 02 01 43 
 option 11 instance 242 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0D 03 02 01 44 
!option 11 instance 243 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0E 03 02 01 00 
!option 11 instance 244 hex 30 82 00 13 06 0C 2B 06 01 02 01 45 01 06 04 01 0F 03 02 03 00 FF FF 
 option 11 instance 245 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 03 02 01 01 
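
Each option 11 hex string above is a BER-encoded SNMP variable binding: a SEQUENCE (30 82 00 LL) that holds the object ID (06) and its value (02 for Integer, 40 for IP Address). The following Python code is an added example, not Cisco code; it decodes lines copied from the filter 1 commands back into the Table 9-4 attributes so that a generated file can be checked against the table. The function names and the SAMPLE variable are assumptions of this example.

```python
import re

IP_ENTRY = "1.3.6.1.2.1.69.1.6.4.1."    # docsDevFilterIpEntry columns, per Table 9-4
COLS = dict(enumerate("Status Control IfIndex Direction Broadcast Saddr Smask Daddr Dmask "
                      "Protocol SourcePortLow SourcePortHigh DestPortLow DestPortHigh".split(), 2))

def ber_len(buf, i):
    """Return (length, index after it) for the BER length field at buf[i]."""
    n = buf[i] & 0x7F if buf[i] & 0x80 else 0      # long form (82 00 11): n length bytes follow
    return (int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i]), i + 1 + n

def decode_varbind(hexstr):
    """Decode the hex data of one option 11 line into (dotted OID, value)."""
    buf = bytes.fromhex(hexstr)
    seq_len, i = ber_len(buf, 1)
    if buf[0] != 0x30 or seq_len != len(buf) - i or buf[i] != 0x06:
        raise ValueError("not a SEQUENCE { OID, value } or wrong SEQUENCE length")
    oid_len, i = ber_len(buf, i + 1)
    arcs, acc = [buf[i] // 40, buf[i] % 40], 0       # first byte 2B -> 1.3
    for b in buf[i + 1:i + oid_len]:
        acc = (acc << 7) | (b & 0x7F)                # base-128 sub-identifier
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    tag = buf[i + oid_len]
    val_len, j = ber_len(buf, i + oid_len + 1)
    if j + val_len != len(buf) or tag not in (0x02, 0x40):
        raise ValueError("wrong value length or unsupported type")
    value = int.from_bytes(buf[j:], "big", signed=True) if tag == 0x02 else ".".join(map(str, buf[j:]))
    return ".".join(map(str, arcs)), value

def ip_filters(config_text):
    """Map filter index -> {column: value} from lines not commented out with '!'."""
    filters = {}
    for m in re.finditer(r"^ *option 11 instance \d+ hex ([0-9A-Fa-f ]+)$", config_text, re.M):
        oid, value = decode_varbind(m.group(1))
        if oid.startswith(IP_ENTRY):
            col, idx = map(int, oid[len(IP_ENTRY):].split("."))
            filters.setdefault(idx, {})[COLS[col]] = value
    return filters

# Lines copied from the filter 1 commands on this page (instance 206 is a commented-out default).
SAMPLE = """\
 option 11 instance 201 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 01 02 01 05
!option 11 instance 206 hex 30 82 00 14 06 0C 2B 06 01 02 01 45 01 06 04 01 07 01 40 04 00 00 00 00
 option 11 instance 210 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 0B 01 02 01 06
 option 11 instance 213 hex 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 04 01 0E 01 02 02 00 89
 option 11 instance 214 hex 30 82 00 12 06 0C 2B 06 01 02 01 45 01 06 04 01 0F 01 02 02 00 8B
 option 11 instance 215 hex 30 82 00 11 06 0C 2B 06 01 02 01 45 01 06 04 01 02 01 02 01 01"""
```

Running ip_filters over a complete cable config-file block returns one dictionary per filter index, which can be compared row by row with Table 9-4.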

Specifying Vendor-Specific Information Fields (Option 43)

The cable config-file option command allows you to specify DOCSIS configuration file parameters that are not supported by other cable config-file commands. The most common use of the cable config-file option command is to specify the vendor-specific information field (option 43), which vendors use to implement features that are unique to their products.

When you use the vendor-specific option, you must specify the data using the hex option. The hexadecimal data must be presented in the DOCSIS Type/Length/Value (TLV) format, where the first byte specifies the suboption type, the second byte specifies the length of the data, and the remaining bytes specify the data itself. The exact meaning of the suboption type and data values is defined by each vendor.

For example, Cisco cable modems support a vendor-specific suboption (128) that instructs the cable modem to download and execute a Cisco IOS configuration file. The data for this suboption is the fully qualified path name of the Cisco IOS configuration file on the TFTP server. Other vendors, however, could define vendor-specific suboption 128 to have a totally different function.

To ensure that a vendor-specific option is executed only by equipment that supports that option, the vendor ID must always be the first part of the data in an option 43 command. The suboption number for the vendor ID function is 08, and the data is the 3-byte organization unique identifier (OUI) for that vendor, as issued by the Institute of Electrical and Electronics Engineers (IEEE).

The vendor could have defined a global OUI for all of their equipment, or they could have requested a separate OUI for different products or families of products. For example, the global OUI for Cisco equipment is 00 00 0C.


Note Each option 43 command must specify one and only one vendor ID, and the vendor ID must be the first TLV in the hex data string.
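
The option 43 rules above (TLV layout, the vendor ID as suboption 08 carrying a 3-byte OUI, and exactly one vendor ID placed first) can be checked before a hex string is entered in a cable config-file command. The following Python code is an added example, not Cisco code; the function names, the file name ios.cfg, and the ASCII encoding of the suboption 128 path are assumptions.

```python
def parse_tlvs(data):
    """Split option 43 data into (type, value) pairs; reject TLVs that overrun the data."""
    tlvs, i = [], 0
    while i < len(data):
        end = i + 2 + (data[i + 1] if i + 1 < len(data) else 0)
        if i + 2 > len(data) or end > len(data):
            raise ValueError(f"TLV at offset {i} runs past the end of the data")
        tlvs.append((data[i], data[i + 2:end]))
        i = end
    return tlvs

def check_option43(hexstr):
    """Return (OUI, [(suboption, value), ...]) or raise ValueError if a rule is broken."""
    tlvs = parse_tlvs(bytes.fromhex(hexstr))
    if not tlvs or tlvs[0][0] != 0x08:
        raise ValueError("the vendor ID (suboption 08) must be the first TLV")
    if len(tlvs[0][1]) != 3:
        raise ValueError("the vendor ID must be a 3-byte OUI")
    if sum(1 for t, _ in tlvs if t == 0x08) != 1:
        raise ValueError("only one vendor ID is allowed per option 43 command")
    return tlvs[0][1].hex(" ").upper(), tlvs[1:]

def build_option43(oui_hex, suboptions):
    """Encode the vendor ID first, then each (suboption, bytes) pair; return spaced hex."""
    data = bytes([0x08, 0x03]) + bytes.fromhex(oui_hex)
    for subopt, value in suboptions:
        if not 0 <= subopt <= 255 or len(value) > 255:
            raise ValueError("type and length must each fit in one byte")
        data += bytes([subopt, len(value)]) + value
    text = data.hex(" ").upper()
    check_option43(text)                 # re-parse so a bad OUI or a second 08 is caught
    return text

# Cisco OUI 00 00 0C and suboption 128 are from the text; the path is a constructed placeholder.
EXAMPLE = build_option43("00 00 0C", [(128, b"ios.cfg")])
```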


This section demonstrates how to use the option 43 command to configure the following Cisco vendor-specific options:

Specifying the Download of a Cisco IOS Configuration File

Typical H.323 VoIP Configuration

Specifying the Download of a Cisco IOS Configuration File