uBR7200 Series Access List Support Enhancements
Feature Overview
This feature adds support for access lists on a per-modem and per-host basis. This allows devices receiving packets from cable modems or individual hosts to filter these packets based on the sending modem or host.
You can pre-configure the filters by using the Command Line Interface (CLI) following standard IOS access list and access group configuration. You can assign these filters to a user or modem by using the CLI or Simple Network Management Protocol (SNMP).
This feature also supports traps to inform the user management system about the status of modems (that is, going offline or coming online).
Benefits
The filtering capability of this feature allows users to control the type of traffic, on a device-by-device or user-by-user basis, that each user can send upstream.
Restrictions
• Filter definitions are not saved across system reboots.
• Filters are set by the user management system whenever a user logs in or whenever a modem registers.
• Filters only apply to the upstream traffic.
Supported Platforms
The uBR7200 series routers are the only platforms supported by this feature.
Prerequisites
You must configure the uBR7200 series router with either an MC11 or MC16 line card.
Supported MIBs and RFCs
This feature supports the Cisco DOCSIS Extensions MIB. For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
No RFCs are supported by this feature.
Configuration Tasks
Perform the following tasks to configure access lists:
• Verifying Access Group Assignments
Configuring Access Lists
Step  Command                                             Purpose
1     Router# access-list acl deny macaddr | ipaddr log   Sets up the access list 1 for a specific address.
2     Router# access-list acl permit any log              Sets up the access list 2.
Assigning Access Lists
Verifying Access Group Assignments
Monitoring and Maintaining Access Lists
Command                      Purpose
Router# show cable command   Displays information on access group assignments for the selected cable modem or host.
Configuration Examples
The following example configures a standard IP access list.
Configuring Access Lists
router# access-list 1 deny 171.69.30.22 log
router# access-list 2 permit any log
! End of config terminal
Assigning Access Lists
! In exec mode assign access-list 1 to the MAC of the cable modem.
router# cable modem 0000.0000.0001 access-group 1
! In exec mode assign access-list 2 to MAC address of PC.
router# cable modem 0080.c76b.9ac2 access-group 2
Verifying Access List Assignments
router# show cable modem access-group
MAC address     Type   Access-group
0000.0000.0001  modem  1
router# show cable device access-group
MAC address     Type   Access-group
0000.0000.0001  modem  1
0080.c76b.9ac2  host   2
! Ping from PC to host 171.69.30.22 passes.
Creating Extended Access Lists
! Set up extended access-list to allow pings to a specific host and deny others.
router# access-list 101 permit icmp host 171.69.225.108 host 171.69.30.22 log
Setting Up Filters
! Set up host filter based on the IP address of the PC.
router# cab host 171.69.225.108 acc 101
router# sh cab host acc
MAC address     Type   Access-group
0000.2427.33ba  host
0080.c76b.9ac2  host   101
0080.c7bb.eb3d  host
router# ping 171.69.30.22
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Nov 19 18:41:15.091: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 171.69.225.108 -> 171.69.30.22 (8/0), 4 packets
! Set up modem filter based on the IP address of the modem.
router# cable modem 10.128.100.101 acc 1
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
cable access-group
To attach an access list to a host or modem, use the cable EXEC command. Use the no form of this command to remove the access group.
cable {modem | host | device} {macaddr | ip-addr} access-group acl
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Usage Guidelines
• Filter definitions are not saved across system reboots.
• Filters are set by the user management system whenever a user logs in or whenever a modem registers.
• Filters only apply to the upstream traffic.
Example
The following example assigns access-list 1 to the MAC of the cable modem:
router# cable modem 0000.0000.0001 access-group 1
Related Commands
show cable access-group
To display the access group assigned to a cable modem or host, use the show cable EXEC command.
show cable {modem | host | device} {macaddr | ip-addr} access-group
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Release     Modification
11.3 XA     This command was first introduced.
11.3(8)NA   The host, device, and access-group keywords were added.
Usage Guidelines
This command displays information for the specified modem or CPE system or all systems (modem or CPE) if you do not specify an address.
Examples
The following example is output from the show cable access-group command for the cable modem at MAC address 0000.0000.0001 assigned to access group 1:
router# show cable modem 0000.0000.0001 access-group 1
MAC address     Type   Access-group
0000.0000.0001  modem  1
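Because filter definitions are not saved across reboots, it is useful to check the show cable device access-group output against the assignments the user management system is supposed to enforce. The following Python script is an added example, not Cisco code: it parses output in the layout shown on this page, reports devices with no filter or the wrong one, and builds the cable ... access-group commands to restore them. The INTENDED table, the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample, laid out like the show cable ... access-group output on this page.
SAMPLE_OUTPUT = """\
router# show cable device access-group
MAC address     Type   Access-group
0000.0000.0001  modem  1
0000.2427.33ba  host
0080.c76b.9ac2  host   101
0080.c7bb.eb3d  host
"""

# Hypothetical record of the filters the user management system intends to enforce.
INTENDED = {"0000.0000.0001": 1, "0080.c76b.9ac2": 2,
            "0080.c7bb.eb3d": 2, "0010.aaaa.bbbb": 1}

# One table row: MAC, device type, and an access group that may be blank.
ROW = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(modem|host)(?:\s+(\d+))?\s*$", re.I)

def parse_access_groups(text):
    """Return {mac: (type, acl or None)}; prompts and header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, kind, acl = m.groups()
            table[mac.lower()] = (kind.lower(), int(acl) if acl else None)
    return table

def audit(text, intended):
    """Return (unfiltered, mismatched, absent) relative to the intended table."""
    seen = parse_access_groups(text)
    unfiltered = sorted(mac for mac, (_, acl) in seen.items() if acl is None)
    mismatched = sorted((mac, want, seen[mac][1]) for mac, want in intended.items()
                        if mac in seen and seen[mac][1] not in (None, want))
    absent = sorted(mac for mac in intended if mac not in seen)  # not registered
    return unfiltered, mismatched, absent

def reapply_commands(text, intended):
    """EXEC commands (syntax from this page) for registered devices that need a fix."""
    seen = parse_access_groups(text)
    return [f"cable {seen[mac][0]} {mac} access-group {want}"
            for mac, want in sorted(intended.items())
            if mac in seen and seen[mac][1] != want]

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT, INTENDED))
    print(*reapply_commands(SAMPLE_OUTPUT, INTENDED), sep="\n")
```

Devices listed as absent are skipped by reapply_commands, since filters are set when a modem registers or a user logs in.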
Related Commands
