Cisco IOS CMTS Cable Command Reference
Cable Commands: cable p through cable r

Table Of Contents

cable power

cable pre-equalization exclude

cable primary-sflow-qos11 keep

cable privacy

cable privacy add-certificate

cable privacy bpi-plus-enforce

cable privacy hotlist

cable privacy kek

cable privacy tek

cable proxy-arp

cable qos enforce-rule

cable qos permission

cable qos pro max-ds-burst

cable qos profile

cable redundancy hashfilter

cable redundancy myid

cable redundancy node

cable redundancy node frequency

cable redundancy target

cable redundancy threshold

cable registration-timeout

cable relay-agent-option

cable rf-bandwidth-percent

cable rf-channel


Cable Commands: cable p through cable r


Revised: October 27, 2008, OL-15510-05

New Commands

Command
Cisco IOS Software Release

cable rf-bandwidth-percent

12.3(23)BC


Modified Commands

Command
Cisco IOS Software Release

cable rf-bandwidth-percent

12.3(23)BC1

cable rf-channel

12.3(23)BC, 12.3(23)BC1


cable power

To manually power a cable interface line card on or off on a Cisco uBR10012 router, use the cable power command in privileged EXEC mode.

cable power [on | off] slot/card

Syntax Description

on

Turns on power to the specified cable interface line card.

off

Turns off power to the specified cable interface line card. Power to that particular card slot remains off until power is turned back on using the cable power on version of this command.

slot/card

Specifies the slot and card number for the desired cable interface card number. The valid range for slot is 5 to 8 and for card is 0 or 1.


Defaults

Cable interface line cards are powered on by default when the card is inserted into the chassis slot.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(4)BC1b

This command was introduced for the Cisco uBR10012 router.

12.2(8)BC1

This command is disabled if a working TCC+ card is not present in the Cisco uBR10012 router.

12.3BC

This command was integrated into Cisco IOS Release 12.3BC.

12.2(33)SCA

This command was integrated into Cisco IOS Release 12.2(33)SCA. Support for the Cisco uBR7225VXR router was added.


Usage Guidelines

This command is typically not used during normal operations, but it can be used for lab, diagnostic, and troubleshooting purposes. For example, using this command to first power off and then power on a card is functionally equivalent to performing an online insertion and removal (OIR) of the card.

Be aware of the following points when using this command:

Using the cable power off command is functionally equivalent to disconnecting the cables from the card's upstream and downstream connectors and then removing the card from the chassis. When you use this command to turn off power to a card, the output for the show interface cable command for that card will display the message "Hardware is not present."


Note You can also use the LC Power off Status Reg and Line Card Presence Status Reg fields in the show controllers clock-reference command to determine whether a cable interface line card is actually present in the chassis and whether it has been powered on or off.


Powering off a cable interface line card automatically drops all sessions with the cable modems that are using that card's upstreams and downstreams. Do not use this command on a live network unless this is what you intend.

All cards are powered on when you upgrade to a new software image for the Cisco uBR10012 router, even if a card had previously been powered off using the cable power off command.

You can turn power both on and off to a cable interface line card slot, even if a card is not physically present in the slot.

This is the only CLI command that actually powers off a card. The hw module reset command appears to perform a similar function, but it performs only the equivalent of issuing the shutdown and no shutdown commands on the card.

When power is turned off for a cable interface line card, the power to that card slot remains off until the cable power on command is used to turn the power back on. If you insert a cable interface card into a slot that had previously been powered down, you must use the cable power on command to turn on power before you can use the card.

This command requires that a working TCC+ card be present because the TCC+ card controls and monitors the operation of the cable interface line cards. In Cisco IOS Release 12.2(8)BC1 and later, this command is disabled if a working TCC+ card is not present in the router.


Note The Cisco uBR10012 router requires a working TCC+ card for normal operations. Using the router without a working TCC+ card is not a supported configuration.


Examples

The following example shows how to power off the first cable interface card in a Cisco uBR10012 chassis (slot 5, card 0). It also shows the output from the show interface cable command, with a line that indicates that the hardware is not present.

router# cable power off 5/0 
Line Card 5/0 is POWERED OFF
router#  show int c5/0/0 
Cable5/0/0 is down, line protocol is down
  Hardware is not present
  Hardware is UBR10012 CLC, address is 0005.00e0.2f14 (bia 0005.00e0.2f14)
  Internet address is 10.20.42.1/24
  MTU 1500 bytes, BW 27000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
...
router#

Note The show interface cable command will not display output for a card that is not physically present, so if you can use the show interface cable command but it indicates that the hardware is not present, this usually means that power to the card has been turned off using the cable power off command.


The following example shows the error message that results when you attempt to power on or off a cable interface card that is not physically present in the chassis:

router# cable power off 6/1 
Line Card 6/1 is not present
router# 

Note Power is still turned on or off to a cable interface line card slot, even when the card is not physically present in that slot.


Related Commands

Command
Description

hw module reset

Resets a line card, performing the equivalent of the shutdown, no shutdown commands.

show controllers clock-reference

Displays status information from the TCC+ card, including whether a line card is physically present and whether power has been turned off to its slot.

show interface cable

Displays configuration and status information for a cable interface line card.

show version

Displays the basic configuration of the router, including whether an active TCC+ card is present.

shutdown

Disables or enables the interface on a line card.


cable pre-equalization exclude

To exclude a cable modem (CM) from pre-equalization during registration with the Cisco CMTS router, use the cable pre-equalization exclude command in global configuration mode. To remove exclusion for the specified cable modem or interface, use the no form of this command.

cable pre-equalization exclude {modem mac-addr | oui id}

no cable pre-equalization exclude {modem mac-addr | oui id}

Syntax Description

modem mac-addr

Excludes the cable modem with the specified MAC address from pre-equalization during cable modem registration.

oui id

Excludes the specified Organizational Unique Identifier (OUI) from pre-equalization during cable modem registration.


Command Default

Pre-equalization is disabled by default on a Cisco CMTS router, and for cable modems that have a valid and operational DOCSIS configuration file.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.3(17a)BC

This command was introduced to the Cisco uBR10012 router and the Cisco uBR7246VXR router.

12.2(33)SCA

This command was integrated into Cisco IOS Release 12.2(33)SCA. Support for the Cisco uBR7225VXR router was added.


Usage Guidelines

Use the cable pre-equalization exclude command to disable pre-equalization for DOCSIS 1.1 CMs that claim pre-equalization support but do not properly implement pre-equalization functions.

To enable pre-equalization, use the cable upstream equalization-coefficient interface configuration command. Pre-equalization starts when a cable modem that supports DOCSIS 1.1 or above sends the CMTS router a ranging request message indicating that pre-equalization is possible.

The following example of output from the show cable modem verbose command shows which modems are indicating pre-equalizer support during the DOCSIS registration process. In this example, the first two modems are capable of pre-equalization support, and the last two modems support DOCSIS 1.0, which does not support pre-equalization. You do not need to use the cable pre-equalization exclude command for DOCSIS 1.0 CMs.

Router# show cable modem verbose | include MAC Address|Equalizer
MAC Address                         : 0019.474a.c4b0
Transmit Equalizer Support          : {Taps/Symbol= 1, Num of Taps= 24}
MAC Address                         : 0019.474a.c498
Transmit Equalizer Support          : {Taps/Symbol= 1, Num of Taps= 24}
MAC Address                         : 0020.40dc.4ce4
Transmit Equalizer Support          : {Taps/Symbol= 0, Num of Taps= 0}
MAC Address                         : 0020.4077.21a0
Transmit Equalizer Support          : {Taps/Symbol= 0, Num of Taps= 0}

Exclusion is supported for a specified DOCSIS 1.1 cable modem, or for a specified OUI value for the entire interface. Removing the cable pre-equalization exclude configuration returns the cable modem or interface to normal pre-equalization processes during cable modem registration.

Examples

The following example configures pre-equalization to be excluded for the specified cable modem. Pre-equalization data is not sent for the corresponding cable modem:

Router(config)# cable pre-equalization exclude modem 1111.2222.3333

The following example configures pre-equalization to be excluded for the specified OUI value of the entire interface. Pre-equalization data is not sent for the corresponding OUI value of the entire interface:

Router(config)# cable pre-equalization exclude oui 00.09.04

The following series of commands configures pre-equalization on the Cisco uBR10012 router with MC5X20U BPEs. On the PRE Console, configure the following commands.

Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# cable pre-equalization exclude oui 00.09.04
Router(config)# end
Router# show run
Router# show running-config | inc oui
cable pre-equalization exclude oui 00.09.04
Router#

On the line card console for the same Cisco uBR10012 router, verify the configuration with the following command:

Linecard# show running-config | inc oui
cable pre-equalization exclude oui 00.09.04

The following series of commands configures pre-equalization on the Cisco uBR7246VXR router with MC28U cable interface line cards. On the Network Processing Engine (NPE) console, configure and verify with the following commands.

Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# cable pre-equalization exclude oui 00.09.24
Router(config)# end
Router# show run
02:58:10: %SYS-5-CONFIG_I: Configured from console by consolen
Router# show running-config | inc oui
cable pre-equalization exclude oui 00.09.24

On the line card console for the same Cisco uBR7246VXR router, verify the configuration with the following command:

Linecard# show running-config | inc oui
cable pre-equalization exclude oui 00.09.24

After either of these exclusion methods for pre-equalization is configured, you can verify that all ranging messages do not include pre-equalization data. Use the following debug commands in global configuration mode:

debug cable range

debug cable interface cx/x/x mac-addr

Verify that the ranging messages for the non-excluded cable modems include pre-equalization data, and that the ranging messages for the excluded cable modems do not include such data.

The following example removes pre-equalization exclusion for the specified OUI and interface. This returns the cable modem or OUI to normal pre-equalization functions. Ranging messages resume sending pre-equalization data.

Router(config)# no cable pre-equalization exclude {modem mac-addr | oui id}

You can verify removal of this feature using the debug cable interface command.

Related Commands

Command
Description

debug cable interface

Verifies pre-equalization data and configurations.

debug cable range

Verifies ranging messages for pre-equalization.


cable primary-sflow-qos11 keep

To preserve the traffic counters for primary service flows after a CM that was provisioned for DOCSIS 1.1 quality of service (QoS) goes offline, use the cable primary-sflow-qos11 keep command in global configuration mode. To return to the default configuration and reset the counters to zero when a DOCSIS 1.1-provisioned CM goes offline, use the no form of this command.

cable primary-sflow-qos11 keep {all | snmp-only}

no cable primary-sflow-qos11 keep

Syntax Description

all

Preserves all primary service flow traffic counters when a DOCSIS 1.1-provisioned CM goes offline. This includes the counters displayed by CLI commands and counters that are obtained through SNMP requests.

snmp-only

Preserves only the primary service flow traffic counters that are obtained through SNMP requests. The counters displayed by CLI commands are reset to zero when a DOCSIS 1.1-provisioned CM goes offline.


Command Default

Primary service flow traffic counters are not preserved after a DOCSIS 1.1-provisioned CM goes offline (no cable primary-sflow-qos11 keep). Service-flow information is always preserved for DOCSIS 1.0-provisioned CMs, regardless of the configuration of this command.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)CX, 12.2(15)BC2

This command was introduced.


Usage Guidelines

By default, when a CM that is provisioned for DOCSIS 1.1 quality of service (QoS) service flows goes offline, the CMTS deletes all service flow information, including traffic counters, that correspond to that CM. The cable primary-sflow-qos11 keep command preserves the service flow traffic counters after a DOCSIS 1.1-provisioned CM goes offline and then comes back online. This allows service providers to track the total usage of CMs over a period of time, regardless of the number of times the CMs go offline and reboot.


Note This command affects only CMs that are provisioned for DOCSIS 1.1 operations and that are currently online on all cable interfaces on the Cisco CMTS. Information is not preserved for DOCSIS 1.1-provisioned CMs that went offline before this command was given. The service-flow information for CMs that are provisioned for DOCSIS 1.0 operations is always preserved, regardless of how this command is configured.


Examples

The following example shows how to preserve both the CLI and SNMP service flow counters when a DOCSIS 1.1-provisioned CM goes offline:

Router(config)# cable primary-sflow-qos11 keep all 
Router(config)# 

The following example shows how to preserve only the SNMP-based service flow counters when a DOCSIS 1.1-provisioned CM goes offline. The CLI-based counters are still reset to zero when this CM goes offline.

Router(config)# cable primary-sflow-qos11 keep snmp-only 
Router(config)# 

The following example shows how to disable this command and return to the default behavior, which is to reset all CLI-based and SNMP-based counters when a DOCSIS 1.1-provisioned CM goes offline.

Router(config)# no cable primary-sflow-qos11 keep 
Router(config)# 

Related Commands

Command
Description

cable sflog

Enables service flow logging and configures the number and duration of entries in the log.

show cable modem counters

Displays downstream and upstream traffic counters for one or more CMs.


cable privacy

To enable and configure BPI/BPI+ encryption, use the cable privacy command in cable interface configuration mode. To disable privacy or to remove a particular configuration, use the no form of this command.

cable privacy [40-bit-des | accept-self-signed-certificate | authenticate-modem | authorize-multicast | mandatory | oaep-support | dsx-support]

no cable privacy [40-bit-des | accept-self-signed-certificate | authenticate-modem | authorize-multicast | mandatory | oaep-support | dsx-support]

Syntax Description

40-bit-des

(Optional) Uses 40-bit DES encryption.

Note Cisco discourages the use of 40-bit DES encryption because it is not as secure as the other available methods of encryption.

accept-self-signed-certificate

(Optional) Allows cable modems to register using self-signed manufacturer certificates, as opposed to a manufacturer certificate that is chained to the DOCSIS root certificate.

authenticate-modem

(Optional) Uses AAA protocols in conjunction with BPI to authenticate all CMs.

authorize-multicast

(Optional) Uses AAA protocols with BPI to authorize all multicast stream (IGMP) join requests.

dsx-support

(Optional) Enables encryption for dynamic services SIDs.

mandatory

(Optional) Requires baseline privacy for all CMs.

oaep-support

(Optional) Enables Optimal Asymmetric Encryption Padding (OAEP) BPI+ encryption.


Command Default

BPI is disabled. When enabled, 56-bit DES encryption is enabled by default, and self-signed manufacturer certificates are not allowed.

Command Modes

Interface configuration (cable interface only)

Command History

Release
Modification

12.1 T

This command was introduced.

12.1(4)CX, 12.2(1)XF1, 12.2(4)BC1

Added the dsx-support and oaep-support keywords as part of support for BPI+ encryption.

12.2(11)BC1

Changed the accept-self-signed-certificate option from a global configuration option to a cable interface option.


Usage Guidelines

This command is applicable only on images that support BPI or BPI+ encryption.

Examples

The following example shows how to force baseline privacy to be used for all CMs on a particular cable interface:

Router(config)# interface cable 3/1 
Router(config-if)# cable privacy mandatory

The following example shows how to turn on the baseline privacy interface (BPI) modem authentication for an interface:

Router(config)# interface cable 5/1/1 
Router(config-if)# cable privacy authenticate-modem

The following example shows how to turn on BPI multicast authorization on a particular cable interface:

Router(config)# interface cable 1/0 
Router(config-if)# cable privacy authorize-multicast

The following example shows how to allow CMs to register with self-signed certificates on a particular cable interface:

Router(config)# interface cable 7/1/0 
Router(config-if)# cable privacy accept-self-signed-certificate


Note The cable privacy accept-self-signed-certificate command affects only those CMs that register after you give the command. For example, if you give the no cable privacy accept-self-signed-certificate command so that CMs cannot register using self-signed certificates, you must then issue the clear cable modem all reset command to force all CMs to reregister using certificates that are chained to the DOCSIS root certificate.
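
The following is an added example, not Cisco code: a Python check that reads a running-config and flags cable interfaces that use the weaker cable privacy keywords described above. The configuration text is constructed, and both the running-config layout and the policy (require mandatory, and require the global cable privacy bpi-plus-enforce command covered later on this page) are assumptions of the example.

```python
import re

# Constructed running-config fragment (not taken from a real router).
# Assumption: each keyword appears as " cable privacy <keyword>" under its
# "interface Cable..." block, and global commands start in column 0.
SAMPLE_CONFIG = """\
interface Cable3/1
 cable privacy mandatory
!
interface Cable5/1/1
 cable privacy 40-bit-des
 cable privacy authenticate-modem
!
interface Cable7/1/0
 cable privacy accept-self-signed-certificate
 cable privacy mandatory
!
interface GigabitEthernet0/1
 ip address 10.20.42.1 255.255.255.0
"""

IFACE = re.compile(r"^interface\s+(Cable\s?[\d/]+)", re.IGNORECASE)
PRIVACY = re.compile(r"^\s+cable privacy(?:\s+(\S+))?")

# Keywords that weaken BPI/BPI+ according to the syntax description above.
WEAK_KEYWORDS = {
    "40-bit-des": "40-bit DES is discouraged; the default is 56-bit DES",
    "accept-self-signed-certificate":
        "accepts manufacturer certificates not chained to the DOCSIS root",
}


def collect(config):
    """Return ({cable interface: set of privacy keywords}, bpi_plus_enforce)."""
    keywords = {}
    enforce = False
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if not line[0].isspace():
            # A top-level command ends the previous interface block.
            match = IFACE.match(line)
            current = match.group(1) if match else None
            if current is not None:
                keywords[current] = set()
            if line == "cable privacy bpi-plus-enforce":
                enforce = True
            continue
        match = PRIVACY.match(line)
        if current is not None and match:
            # A bare "cable privacy" line is recorded as "enabled".
            keywords[current].add(match.group(1) or "enabled")
    return keywords, enforce


def audit(config):
    """Return a list of (scope, keyword, reason) findings."""
    keywords, enforce = collect(config)
    findings = []
    for iface, present in keywords.items():
        for keyword, reason in WEAK_KEYWORDS.items():
            if keyword in present:
                findings.append((iface, keyword, reason))
        if "mandatory" not in present:
            findings.append((iface, "mandatory",
                             "baseline privacy is not required for all CMs"))
    if not enforce:
        findings.append(("global", "bpi-plus-enforce",
                         "DOCSIS 1.1 CMs are not forced to register with BPI+"))
    return findings


if __name__ == "__main__":
    for scope, keyword, reason in audit(SAMPLE_CONFIG):
        print(f"{scope}: {keyword}: {reason}")
```
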


Related Commands

Command
Description

cable privacy add-certificate

Adds CM certificates for BPI+ encryption.

cable privacy hotlist

Adds a CM certificate to the DOCSIS hotlist so that it is no longer accepted.

cable privacy kek

Sets key encryption keys and timeout periods.

cable privacy tek

Sets traffic encryption keys and timeout periods.

option

Determines whether a specific CM is online.

show cable privacy

Displays information about BPI status and operation.

debug cable privacy

Displays debug messages for BPI operation.


cable privacy add-certificate

To add a manufacturer or root CA certificate to the list of trusted certificates, use the cable privacy add-certificate command in global configuration mode. To remove a particular certificate, use the no form of this command.

cable privacy add-certificate {manufacturer hex-data | root hex-data}

no cable privacy add-certificate {manufacturer hex-data | root hex-data}

Syntax Description

manufacturer hex-data

Specifies the hexadecimal data for the manufacturer CA certificate. Enter multiple lines as needed, and use a blank line to terminate the string.

root hex-data

Specifies the hexadecimal data for the root CA certificate. Enter multiple lines as needed, and use a blank line to terminate the string.


Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(7)CX, 12.2(1)XF1, 12.2(4)BC1

This command was introduced.

12.2(11)BC1

The accept-self-signed-certificate option was moved to be part of the cable privacy cable interface command.


Usage Guidelines

This command is applicable only on images that support BPI or BPI+ encryption.

Examples

The following example adds a manufacturer CA certificate to the CMTS list of trusted certificates:

Router(config)# cable privacy add-certificate manufacturer 
35c146353431a541463b41337343938333373142 
FEF03A8BC7A441313134749A0A592C9C66831412 

Router(config)# 

The following example adds a root CA certificate to the CMTS list of trusted certificates:

Router(config)# cable privacy add-certificate root 00908300 00300501 
308202A1 3082020A A0030201 02020800 90830000 00000130 0D06092A 864886F7 
0D010105 05003081 92310B30 09060355 04061302 4A503110 300E0603 55040A13 
07546F73 68696261 310F300D 06035504 0B130644 4F435349 53312730 25060355 
040B131E 312D312D 31205368 69626175 7261204D 696E6174 6F2D6B75 20546F6B 
796F3137 30350603 55040313 2E546F73 68696261 20436162 6C65204D 6F64656D 
20526F6F 74204365 72746966 69636174 65204175 74686F72 69747930 1E170D30 
30303331 38303830 3030305A 170D3230 30333138 30383030 30305A30 8192310B 
30090603 55040613 024A5031 10300E06 0355040A 1307546F 73686962 61310F30 
0D060355 040B1306 444F4353 49533127 30250603 55040B13 1E312D31 2D312053 
68696261 75726120 4D696E61 746F2D6B 7520546F 6B796F31 37303506 03550403 

Router(config)# 

Related Commands

Command
Description

cable privacy

Enables and configures BPI+ encryption on a cable interface.

cable privacy hotlist

Adds a CM certificate to the DOCSIS hotlist so that it is no longer accepted.

cable privacy kek

Sets key encryption keys and timeout periods.

cable privacy tek

Sets traffic encryption keys and timeout periods.

option

Determines whether a specific CM is online.

show cable privacy

Displays information about BPI status and operation.

debug cable privacy

Displays debug messages for BPI operation.


cable privacy bpi-plus-enforce

To mandate that a cable modem provisioned in DOCSIS 1.1 or higher must register with DOCSIS Baseline Privacy Interface Plus (BPI+), and not use the earlier DOCSIS BPI, use the cable privacy bpi-plus-enforce command in global configuration mode. To remove this configuration, use the no form of this command.

cable privacy bpi-plus-enforce

no cable privacy bpi-plus-enforce


Note Non-DOCSIS-compliant cable modems that are commonly available contain an option to force registration in DOCSIS BPI as opposed to DOCSIS BPI+ mode even in DOCSIS 1.1-provisioned networks.


Syntax Description

No additional keywords or arguments

Defaults

The cable privacy bpi-plus-enforce command is not enabled by default, but must be configured for optimal DOCSIS BPI+ security. There is no legitimate reason for a cable modem provisioned with DOCSIS 1.1 QOS to register with DOCSIS 1.0 BPI. Such behavior is not compliant with the DOCSIS 1.1 specification.

Command Modes

Global configuration mode

Command History

Release
Modification

12.3(21)BC

This command was introduced to support Cloned Cable Modem Detection for DOCSIS BPI+ on the Cisco uBR10012 and Cisco uBR7246VXR routers.


Usage Guidelines

If the cable modem is not provisioned to use DOCSIS BPI or BPI+ security certificates, as characterized by not coming online with the above initialization states, then the existing behavior of the Cisco CMTS remains unchanged. The Cisco CMTS does not attempt to distinguish between two cable modems if neither is provisioned for BPI+ security.

Because this feature is enabled by default on the Cisco CMTS, the Cisco CMTS issues a security breach notice in a log message in the generic system log or syslog if cable logging layer2events is not configured on the Cisco CMTS.

For additional information about the Cable Duplicate MAC Address Reject feature on the Cisco CMTS, or enforced DOCSIS 1.1 security, refer to the following document on Cisco.com:

Cable Duplicate MAC Address Reject for the Cisco CMTS

http://www.cisco.com/en/US/products/hw/cable/ps2217/products_feature_guide_chapter09186a008019b57f.html

Examples

The following brief example shows the log messages that are generated when cloned cable modems are detected with the configuration in the above procedure in place.

SLOT 7/0: Nov 14 12:07:26: %UBR10000-6-CMMOVED: Cable modem 0007.0e03.3e71 has been moved 
from interface Cable7/0/1 to interface Cable7/0/0.

Nov 14 12:07:57: %UBR10000-5-CLONED_CM_DETECTED: Cloned CM with MAC address 0013.7116.e726 
access detected at Cable7/0/0 interface
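
The following is an added example, not Cisco code: a Python parser for the two message types shown above that rejoins wrapped records and groups cloned-CM detections by MAC address. The first two records in the sample are the ones printed on this page; the remaining records, and the function names, are constructed for the example.

```python
import re

# First two records: as printed on this page (wrapped across lines).
# Last two records: constructed for this example.
SAMPLE_LOG = """\
SLOT 7/0: Nov 14 12:07:26: %UBR10000-6-CMMOVED: Cable modem 0007.0e03.3e71 has been moved
from interface Cable7/0/1 to interface Cable7/0/0.

Nov 14 12:07:57: %UBR10000-5-CLONED_CM_DETECTED: Cloned CM with MAC address 0013.7116.e726
access detected at Cable7/0/0 interface
Nov 14 12:09:02: %UBR10000-5-CLONED_CM_DETECTED: Cloned CM with MAC address 0013.7116.e726 access detected at Cable7/0/1 interface
Nov 14 12:11:40: %UBR10000-5-CLONED_CM_DETECTED: Cloned CM with MAC address 0050.56aa.0001 access detected at Cable7/0/0 interface
"""

# A record starts with an optional "SLOT x/y: " prefix, a timestamp, and
# a %FACILITY-SEVERITY-MNEMONIC tag.
RECORD_START = re.compile(
    r"^(?:SLOT \S+: )?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
CLONED = re.compile(
    rf"Cloned CM with MAC address (?P<mac>{MAC}) "
    r"access detected at (?P<ifc>\S+) interface"
)
MOVED = re.compile(
    rf"Cable modem (?P<mac>{MAC}) has been moved "
    r"from interface (?P<src>\S+) to interface (?P<dst>\S+?)\.?$"
)


def unwrap(raw):
    """Yield one string per record, rejoining lines wrapped mid-message."""
    current = None
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += " " + line  # continuation of the previous record
    if current is not None:
        yield current


def parse(raw):
    """Return (cloned, moved): lists of tuples extracted from raw log text."""
    cloned, moved = [], []
    for record in unwrap(raw):
        head = RECORD_START.match(record)
        ts, text = head.group("ts"), head.group("text")
        if head.group("mnemonic") == "CLONED_CM_DETECTED":
            m = CLONED.search(text)
            if m:
                cloned.append((ts, m.group("mac").lower(), m.group("ifc")))
        elif head.group("mnemonic") == "CMMOVED":
            m = MOVED.search(text)
            if m:
                moved.append((ts, m.group("mac").lower(),
                              m.group("src"), m.group("dst")))
    return cloned, moved


def summarize(cloned):
    """Group clone detections by MAC. Timestamps carry no year, so first
    and last follow the order of the records in the log."""
    report = {}
    for ts, mac, ifc in cloned:
        entry = report.setdefault(
            mac, {"count": 0, "interfaces": [], "first": ts, "last": ts})
        entry["count"] += 1
        if ifc not in entry["interfaces"]:
            entry["interfaces"].append(ifc)
        entry["last"] = ts
    return report


if __name__ == "__main__":
    cloned_events, moved_events = parse(SAMPLE_LOG)
    for mac, info in summarize(cloned_events).items():
        print(mac, info["count"], ",".join(info["interfaces"]),
              info["first"], "->", info["last"])
    for event in moved_events:
        print("moved:", *event)
```
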

Related Commands

Command
Description

cable logging layer2events

Saves selected (low priority) DOCSIS events that are specified in the Cisco CMTS MIB Registry to the cable logging buffer (instead of to the general logging buffer).

show cable logging

Displays the log of messages about bad IP source addresses or DOCSIS-layer events on the cable interfaces.

show cable modem

Displays information for registered and non-registered cable modems on the Cisco CMTS.


cable privacy hotlist

To mark a manufacturer's or CM certificate as untrusted and add it to the CMTS hotlist of invalid certificates, thereby preventing those CMs from registering, use the cable privacy hotlist command in global configuration mode. To remove a particular CM or manufacturer's certificate from the hotlist, use the no form of this command.

cable privacy hotlist {cm mac-address | manufacturer cert-serial-number}

no cable privacy hotlist {cm mac-address | manufacturer cert-serial-number}

Syntax Description

cm mac-address

Specifies the MAC address for the CM certificate to be added to the hotlist. The mac-address should be specified as a hexadecimal string, without periods or other separators. In Cisco IOS Release 12.2(15)BC2 and later releases, you can also specify it as three sets of hexadecimal digits, separated by periods.

manufacturer cert-serial-number

Specifies the serial number for the particular manufacturer CA certificate. The cert-serial-number should be specified as a hexadecimal string up to 32 bytes in length. Enter multiple lines as needed, and use a blank line to terminate the string.


Command Default

The CMTS hotlist does not contain any certificates.

Command Modes

Global configuration

Command History

Release
Modification

12.1(7)CX, 12.2(1)XF1, 12.2(4)BC1

This command was introduced for the Cisco uBR7100 series and Cisco uBR7200 series routers.

12.2(11)BC1

The accept-self-signed-certificate option was moved to the cable privacy cable interface command.

12.2(15)BC2

The mac-address can be specified in the canonical form of three sets of hexadecimal digits, separated by periods (for example, 0000.0001.0002).


Usage Guidelines

This command is applicable only on images that support BPI or BPI+ encryption.


Note The cable privacy hotlist command is not supported on the Cisco uBR10012 router. To add a manufacturer's or CM certificate to the hotlist on the Cisco uBR10012 router, use SNMP commands to set the appropriate attributes in DOCS-BPI-PLUS-MIB. For more information see the Configuring DOCSIS 1.1 on the Cisco CMTS chapter in the CMTS Feature Guide.


Examples

The following command adds the CM certificate with the MAC address of 00C0.8345.de51 to the hotlist, so that this particular CM cannot register with the CMTS:

Router# config t 
Router(config)# cable privacy hotlist cm 00C08345de51  

Router(config)# 

The following example adds a manufacturer CA certificate into the BPI+ hotlist, so that the CMTS will reject any CM attempting to register with a certificate from that particular manufacturer:

Router# config t 
Router(config)# cable privacy hotlist manufacturer 
3435414631413439383335453731423733333643 

Router(config)# 

Related Commands

Command
Description

cable privacy

Enables and configures BPI+ encryption on a cable interface.

cable privacy add-certificate

Adds CM certificates for BPI+ encryption.

cable privacy kek

Sets key encryption keys and timeout periods.

cable privacy tek

Sets traffic encryption keys and timeout periods.

option

Determines whether a specific CM is online.

show cable privacy

Displays information about BPI status and operation.

debug cable privacy

Displays debug messages for BPI operation.


cable privacy kek

To set the grace-time and life-time values for key encryption keys (KEKs) for baseline privacy on an HFC network, use the cable privacy kek command in cable interface configuration mode. To restore the default values, use the no form of this command.

cable privacy kek {grace-time [seconds] | life-time [seconds]}

no cable privacy kek {grace-time | life-time}


Note This command is applicable only on images that support BPI or BPI+ encryption.


Syntax Description

grace-time seconds

(Optional) Length of key encryption grace-time in seconds. Valid range is 60 to 1800 seconds. The default is 600 seconds (10 minutes).

life-time seconds

(Optional) Length of the key encryption life-time in seconds. Valid range is 300 to 604,8000. The default is 604,800 seconds (7 days).


Command Default

The grace-time option is set to 600 seconds (10 minutes), and the life-time option to 604,800 seconds (7 days).

Command Modes

Interface configuration (cable interface only)

Command History

Release
Modification

11.3 XA

This command was introduced.

12.1(4)CX, 12.2(1)XF1, 12.2(4)BC1

The valid range for both options was changed to support DOCSIS 1.1 and BPI+ encryption.


Usage Guidelines

Baseline privacy on an HFC network is configured with key encryption keys (KEKs) and traffic encryption keys (TEKs). The encryption is based on 40-bit or 56-bit data encryption standard (DES) encryption algorithms.

A KEK is assigned to a CM based on the CM service identifier (SID) and permits the CM to connect to the Cisco CMTS when baseline privacy is activated. KEKs can be set to expire based on a grace-time or a life-time value.

The grace-time keyword is used to assign a temporary key to a CM to access the network. The life-time keyword is used to assign a more permanent key to a CM.

A CM that has a grace-time or life-time key assigned by the Cisco CMTS requests a new key before the current one expires.


Note The cable privacy kek grace-time command is primarily intended for lab and testing use, and typically should not be used for normal operations because it changes the grace time for all CMs on the cable interface. To change the grace time for a particular cable modem, include the new value as part of the Baseline Privacy Configuration Settings in the DOCSIS configuration file that is downloaded to the CM.


Examples

The following example shows how to set the KEK privacy grace-time to 800 seconds:

Router(config)# interface cable c5/1/0 
Router(config-if)# cable privacy kek grace-time 800 
Router(config-if)# 

The following example shows how to set the KEK privacy life-time to 750,000 seconds:

Router(config)# interface cable c3/0 
Router(config-if)# cable privacy kek life-time 750000 
Router(config-if)# 

Related Commands

Command
Description

cable privacy add-certificate

Configures certificates for BPI+ encryption.

cable privacy

Enables and configures BPI+ encryption on a cable interface.

cable privacy tek

Sets traffic encryption keys and timeout periods.

option

Determines whether a specific CM is online.

privacy

Configures the BPI or BPI+ configuration parameters in a DOCSIS configuration file.

show cable privacy

Displays information about BPI status and operation.

show interface cable privacy

Displays the current values of the KEK and TEK timers for an interface.

debug cable privacy

Displays debug messages for BPI operation.


cable privacy tek

To set the traffic encryption key (TEK) grace-time and life-time values for baseline privacy on an HFC network, use the cable privacy tek command in cable interface configuration mode. To restore the default value, use the no form of this command.

cable privacy tek {grace-time [seconds] | life-time [seconds]}

no cable privacy tek {grace-time | life-time}


Note: This command is applicable only on images that support BPI or BPI+ encryption.


Syntax Description

grace-time seconds

(Optional) Length of traffic encryption grace-time in seconds. Valid range is 60 to 1800 seconds. Default is 600 seconds (10 minutes).

life-time seconds

(Optional) Length of the traffic encryption life-time in seconds. Valid range is 180 to 6,048,000 seconds. Default is 43,200 seconds (12 hours).


Command Default

The grace-time option is set to 600 seconds (10 minutes), and the life-time option to 43200 seconds (12 hours).

Command Modes

Interface configuration (cable interface only)

Command History

Release
Modification

11.3 XA

This command was introduced.

12.1(4)CX, 12.2(1)XF1, 12.2(4)BC1

The valid range for both options was changed to support DOCSIS 1.1 and BPI+ encryption.


Usage Guidelines

Baseline privacy on an HFC network is configured with key encryption keys (KEKs) and traffic encryption keys (TEKs). The encryption is based on 40-bit or 56-bit Data Encryption Standard (DES) encryption algorithms.

The TEK is assigned to a CM when its KEK has been established. The TEK is used to encrypt data traffic between the CM and the Cisco CMTS. TEKs can be set to expire based on a grace-time or a life-time value.

The grace-time keyword is used to assign a temporary key to a CM to access the network. The life-time keyword is used to assign a more permanent key to a CM.

A CM that has a grace-time or life-time key assigned by the Cisco CMTS requests a new key before the current one expires.


Note: The cable privacy tek grace-time command is primarily intended for lab and testing use, and typically should not be used for normal operations because it changes the grace time for all CMs on the cable interface. To change the grace time for a particular cable modem, include the new value as part of the Baseline Privacy Configuration Settings in the DOCSIS configuration file that is downloaded to the CM.


Examples

The following example shows how to set the traffic encryption key grace-time to 800 seconds:

Router(config)# interface cable c5/1/0 
Router(config-if)# cable privacy tek grace-time 800
Router(config-if)# 

The following example shows how to set the traffic encryption key life-time to 800000 seconds:

Router(config)# interface cable c3/0 
Router(config-if)# cable privacy tek life-time 800000 
Router(config-if)# 
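
The TEK ranges, defaults and the grace-time note above can be checked offline against a saved or templated configuration before it is applied. The following Python script is an added example, not part of the Cisco documentation: the sample configuration is constructed, and the check that grace-time is shorter than life-time is an added sanity check (an assumption), not a documented Cisco rule.

```python
import re

# TEK limits and defaults as stated in the syntax description above (seconds).
TEK_LIMITS = {"grace-time": (60, 1800), "life-time": (180, 6048000)}
TEK_DEFAULTS = {"grace-time": 600, "life-time": 43200}

# Constructed sample configuration, not taken from a real router.
SAMPLE_CONFIG = """\
interface Cable3/0
 cable privacy tek life-time 800000
interface Cable5/1/0
 cable privacy tek grace-time 800
 cable privacy tek life-time 700
interface Cable6/0
 cable privacy tek life-time 100
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
TEK_RE = re.compile(r"^\s+cable privacy tek (grace-time|life-time)\s+(\d+)\s*$")


def audit_tek_timers(config_text):
    """Return (interface, finding) tuples for TEK timer lines in config_text."""
    timers, iface = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            timers[iface] = {}
            continue
        m = TEK_RE.match(line)
        if m and iface:
            timers[iface][m.group(1)] = int(m.group(2))
    findings = []
    for iface, cfg in timers.items():
        for key, value in cfg.items():
            low, high = TEK_LIMITS[key]
            if not low <= value <= high:
                findings.append((iface, f"{key} {value} outside {low}-{high}"))
        # Per the note above, an interface-level grace-time affects every CM on it.
        if "grace-time" in cfg:
            findings.append((iface, "grace-time override applies to all CMs on the interface"))
        eff = {**TEK_DEFAULTS, **cfg}  # unset timers fall back to the defaults
        if eff["grace-time"] >= eff["life-time"]:  # added sanity check (assumption)
            findings.append((iface, "grace-time is not shorter than life-time"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_tek_timers(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```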

Related Commands

Command
Description

cable privacy add-certificate

Configures certificates for BPI+ encryption.

cable privacy

Enables and configures BPI+ encryption on a cable interface.

cable privacy kek

Sets key encryption keys and timeout periods.

option

Determines whether a specific CM is online.

privacy

Configures the BPI or BPI+ configuration parameters in a DOCSIS configuration file.

show cable privacy

Displays information about BPI status and operation.

show interface cable privacy

Displays the current values of the KEK and TEK timers for an interface.

debug cable privacy

Displays debug messages for BPI operation.


cable proxy-arp

To activate cable proxy Address Resolution Protocol (ARP) on the cable interface or subinterface, use the cable proxy-arp command in cable interface or subinterface configuration mode. To disable this feature, use the no form of this command.

cable proxy-arp

no cable proxy-arp

Syntax Description

This command has no arguments or keywords.

Command Default

Proxy ARP service is enabled.

Command Modes

Cable interface and subinterface configuration

Command History

Release
Modification

11.3 XA

This command was introduced.

12.1(3a)EC

The subinterface support was added.


Usage Guidelines

This command enables or disables direct host-to-host communications over the same cable subnet. Because the downstream and upstream are separate interfaces, CMs cannot directly perform address resolution with other CMs on the cable plant. This means that the CMs must send all traffic through the CMTS, even if the destination CM is on the same subnet.

The cable proxy-arp command enables the Cisco CMTS to act as a proxy for ARP requests generated by the CMs, which allows CMs on the same cable subnet to communicate directly with each other, without the traffic having to be routed first through the CMTS. The no cable proxy-arp command disables this feature, preventing CMs on the same subnet from communicating with each other without routing the traffic through the CMTS.


Note: Using the no cable arp and no cable proxy-arp commands shifts all responsibility for the management of the IP addresses used by CMs and CPE devices to the DHCP server and provisioning system.


Examples

The following example shows how to activate proxy ARP for host-to-host communications:

Router(config-subif)# cable proxy-arp

The following example shows how to activate proxy ARP for host-to-host communications, on the cable subinterface:

Router(config)# interface cable 6/0.1 
Router(config-subif)# cable proxy-arp

Related Commands

Command
Description

cable arp

Activates cable Address Resolution Protocol (ARP).


cable qos enforce-rule

To create an enforce-rule to enforce a particular quality of service (QoS) profile for subscriber traffic management, and to enter enforce-rule configuration mode, use the cable qos enforce-rule command in global configuration mode. To delete an enforce-rule and to remove it from the CMTS configuration, use the no form of this command.

cable qos enforce-rule rule-name

no cable qos enforce-rule rule-name

Syntax Description

rule-name

Name of the enforce-rule to be created and configured. This name can be any arbitrary and unique string from 1 to 15 characters in length.


Command Default

No enforce-rules are created.

Command Modes

Global configuration (config)

Command History

Release
Modification

12.2(15)BC1

This command was introduced.

12.3(9a)BC

This command was integrated into Cisco IOS Release 12.3(9a)BC. This command replaces the cable qos monitoring command.

12.2(33)SCA

This command was integrated into Cisco IOS Release 12.2(33)SCA. Support for the Cisco uBR7225VXR router was added.


Usage Guidelines

The cable qos enforce-rule command creates an enforce-rule with the specified name and then enters enforce-rule configuration mode. After entering enforce-rule configuration mode, use the following commands to configure the enforce-rule:

activate-rule at-byte-count

enabled (enforce-rule)

enforced qos-profile

monitoring-duration

penalty-period

registered qos-profile

At the very minimum, you must use the activate-rule at-byte-count and registered qos-profile commands to configure an enforce-rule, and the enabled command to activate it, before it takes effect.


Note: Effective with Cisco IOS Release 12.3(9a)BC, the activate-rule at-byte-count command is not available in Cisco IOS software.


Maximum Number of Rules

The Cisco CMTS routers support a certain maximum number of enforce-rules depending on your Cisco IOS software release. If you have created the maximum number of enforce-rules and want to create another rule, you must first delete one of the existing rules.

Cisco IOS Release 12.2(15)BC1 and later—Supports a maximum of 20 enforce-rules.

Beginning in Cisco IOS Release 12.3(23)BC2—Supports a maximum of 40 enforce-rules.


Note: The maximum number of enforce-rules is counted as the total number of rules created on both the upstreams and downstreams combined.


Examples

The following example shows the creation of an enforce-rule named "residential." The system then enters the enforce-rule configuration mode.

Router# configure terminal 
Router(config)# cable qos enforce-rule residential 
Router(enforce-rule)# ? 

Configuration commands for QoS enforce rules:
  activate-rule        Activate rule parameters
  enabled              Enable the enforce-rule 
  enforced             Enforced qos-profile
  exit                 Exit from QoS enforce rule editing mode
  monitoring-duration  Monitoring duration parameters
  no                   Negate a command or set its defaults
  penalty-period       Penalty-period
  registered           Registered qos-profile

Router(enforce-rule)# activate-rule at-byte-count 50000000 downstream enforced 
Router(enforce-rule)# registered qos-profile 5 
Router(enforce-rule)# enforced qos-profile 99 
Router(enforce-rule)# monitoring-duration 120 sample-rate 20 
Router(enforce-rule)# penalty-period 1440 
Router(enforce-rule)# enabled 
Router(enforce-rule)# exit 
Router(config)# exit 

The following example shows the deletion of an enforce-rule named "test":

Router# configure terminal 
Router(config)# no cable qos enforce-rule test 

The following example shows the error message that is displayed if you try to create more than 20 enforce-rules in Cisco IOS Release 12.3(23)BC1 and earlier:

Router# configure terminal 
Router(config)#