Filtering Cable DHCP Lease Queries on Cisco CMTS Routers


Cable DHCP Leasequery


First Published: February 14, 2008
Last Updated: September 30, 2011

This document describes the Dynamic Host Configuration Protocol (DHCP) Leasequery feature on the Cisco cable modem termination system (CMTS) router.


Note Cisco IOS Release 12.2(33)SCA integrates support for this feature on the Cisco CMTS routers. This feature is also supported in Cisco IOS Release 12.3BC, and this document contains information that references many legacy documents related to Cisco IOS 12.3BC. In general, any references to Cisco IOS Release 12.3BC also apply to Cisco IOS Release 12.2SC.


Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Cable DHCP Leasequery" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Cable DHCP Leasequery

Restrictions for Cable DHCP Leasequery

Information About Cable DHCP Leasequery

How to Configure Filtering of Cable DHCP Leasequery Requests

Configuration Examples for Filtering of DHCP Leasequery

Additional References

Feature Information for Cable DHCP Leasequery

Prerequisites for Cable DHCP Leasequery

The Cisco CMTS router must be running Cisco IOS Release 12.2(15)BC1d, Cisco IOS Release 12.2(15)BC2b, Cisco IOS Release 12.2(33)SCA, or a later release.

You must configure a cable interface with the cable source-verify dhcp command and the no cable arp command before the Cisco CMTS router can enable DHCP Leasequery. Lease queries are sent to the DHCP server or to a configured alternate server.

To divert DHCP Leasequeries to a specific server, you must use the cable source-verify dhcp server ipaddress command and the no cable arp command before the Cisco CMTS router is enabled for DHCP Leasequery. Only one alternate server may be configured.

You must configure the cable ipv6 pd-route command when IPv6 Customer Premise Equipment (CPE) routers are deployed on the Cisco CMTS router.

Restrictions for Cable DHCP Leasequery

Leasequeries are sent to the DHCP server unless an alternate server is configured.

Only one alternate server can be configured.

Users are responsible for the synchronization of the DHCP server and the configured alternate server.

If the configured alternate server fails, leasequery requests are not returned to the DHCP server.

Only one IA_IADDR is supported per client. If the leasequery returns multiple results, only the IA_ADDR matching the query is added to the Cisco CMTS subscriber database.

The Cisco CMTS will not verify the source of the IPv6 link-local address of a CPE.

Information About Cable DHCP Leasequery

Problems can occur when viruses, denial of service (DoS) attacks, and theft-of-service attacks scan a range of IP addresses in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type of scanning generates a large volume of DHCP leasequeries, which can result in the following problems:

High CPU utilization on the Cisco CMTS router PRE card.

High utilization on the DHCP servers, resulting in a slow response time or no response at all.

Packets can be dropped by the Cisco CMTS router or DHCP server (or configured alternate server).

Lack of available bandwidth for other customers on the cable interface.

To prevent such a large volume of leasequery requests on cable interfaces, you can enable filtering of these requests on upstream interfaces, downstream interfaces, or both. When the Cable DHCP Leasequery feature is enabled, the Cisco CMTS allows only a certain number of DHCP leasequery requests for each service ID (SID) on an interface within the configured interval time period. If a SID generates more Leasequeries than the maximum, the router drops the excess number of requests until the next interval period begins.

You can configure both the number of allowable DHCP leasequery requests and the interval time period, so as to match the capabilities of your DHCP server (or configured alternate server) and cable network.
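The following added example (not Cisco code, and not part of the original document) models the per-SID filter described above as a fixed-window counter, so that candidate threshold and interval values can be tried against expected traffic before they are configured. The class and function names are hypothetical, the traffic is constructed, and the window alignment is an assumption; the value ranges are the ones documented in the configuration steps of this document.

```python
"""Model of a per-SID, fixed-window leasequery filter (added illustration).

Not Cisco's implementation: it only mirrors the behaviour the text describes,
i.e. at most `threshold` leasequeries per SID per `interval` seconds, with
the excess dropped until the next interval period begins.
"""
from collections import defaultdict

# Valid ranges as documented in this guide for each filter direction.
RANGES = {
    "downstream": {"threshold": (0, 255), "interval": (1, 10)},
    "upstream": {"threshold": (0, 20), "interval": (1, 5)},
}


class LeasequeryFilter:
    def __init__(self, direction, threshold, interval):
        limits = RANGES[direction]
        for name, value in (("threshold", threshold), ("interval", interval)):
            low, high = limits[name]
            if not low <= value <= high:
                raise ValueError(f"{direction} {name} {value} outside {low}-{high}")
        self.threshold = threshold
        self.interval = interval
        self._window = {}                 # sid -> index of the current interval
        self._count = defaultdict(int)    # sid -> queries seen in that interval
        self.sent = defaultdict(int)      # sid -> leasequeries forwarded
        self.filtered = defaultdict(int)  # sid -> leasequeries dropped

    def offer(self, sid, now):
        """Return True if a leasequery for `sid` at time `now` (seconds) is sent."""
        window = int(now // self.interval)
        if self._window.get(sid) != window:   # a new interval period began
            self._window[sid] = window
            self._count[sid] = 0
        self._count[sid] += 1
        if self._count[sid] > self.threshold:
            self.filtered[sid] += 1
            return False
        self.sent[sid] += 1
        return True


def simulate(direction, threshold, interval, events):
    """Replay (time, sid) events and return {sid: (sent, filtered)}."""
    flt = LeasequeryFilter(direction, threshold, interval)
    for now, sid in sorted(events):
        flt.offer(sid, now)
    sids = set(flt.sent) | set(flt.filtered)
    return {sid: (flt.sent[sid], flt.filtered[sid]) for sid in sorted(sids)}


# Constructed traffic: SID 1 is a host probing 50 unknown addresses per second
# for 20 s; SID 2 is a subscriber that triggers one leasequery every 4 s.
SCAN = [(t / 50.0, 1) for t in range(1000)]
NORMAL = [(float(t), 2) for t in range(0, 20, 4)]

if __name__ == "__main__":
    for sid, (sent, dropped) in simulate("upstream", 2, 5, SCAN + NORMAL).items():
        print(f"SID {sid}: sent={sent} filtered={dropped}")
```

With the upstream values 2 and 5, the scanning SID reaches the DHCP server with 8 of its 1000 leasequeries, while the normal subscriber is not filtered at all.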

To configure the Cisco CMTS router to send DHCP leasequery requests to the DHCP server, use the cable source-verify dhcp and no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable modems on the cable interface are verified. The DHCP server returns a DHCP ACK message with the DHCP relay information and lease information of the CPE device that has been assigned this IP address, if any.

When cable source-verify dhcp and no cable arp commands are configured, DHCP leasequery is sent for downstream packets to verify unknown IP addresses within the IP address range configured on the cable bundle interface.

For DHCP leasequery to work in the downstream direction, the Cisco Network Registrar (CNR) should be made aware of the DHCP Option 82. This is required to make the CMTS map the CPE IP address to the correct CM. To do this, configure the ip dhcp relay information option command on the bundle interface to insert the service class relay agent option into the DHCP DISCOVER messages. When the configuration is in place, the values of DHCP Option 82 are cached by the CNR during DHCP DISCOVER and are returned to the CMTS on any subsequent DHCP leasequery for that IP address.

To configure the Cisco CMTS router to divert DHCP leasequery requests to a server other than the DHCP server, use the cable source-verify dhcp server ipaddress and no cable arp commands.

The Cisco CMTS supports two types of DHCP leasequery implementation, Cisco standard compliant DHCP leasequery and RFC 4388 standard compliant DHCP leasequery. These two standards differ mostly in the identifiers used to query or respond to the DHCP Server. You can choose between these two implementations depending on which standard is supported on your DHCP Server.

Use the ip dhcp compatibility lease-query client {cisco | standard} command to configure the Cisco CMTS in either Cisco mode or RFC 4388 standard mode. For more information about this command, see the "DHCP Commands" chapters in the Cisco IOS IP Addressing Services Command Reference, Release 12.2 at the following URL:

http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

DHCP MAC Address Exclusion List

The Cisco IOS Release 12.3(13)BC introduces the ability to exclude trusted MAC addresses from the standard DHCP source verification checks, as supported in earlier Cisco IOS releases for the Cisco CMTS. This feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on the Performance Routing Engine 1 (PRE1), PRE2, and PRE4 modules on the Cisco uBR10012 router chassis.

To enable packets from trusted source MAC addresses in DHCP to pass without source verification checks, use the cable trust command in global configuration mode. To remove a trusted MAC address from the MAC exclusion list, use the no form of this command. Removing a MAC address from the exclusion list subjects all packets from that source to standard DHCP source verification.

For more information on the cable trust command, see the Cisco IOS CMTS Cable Command Reference Guide.

Unitary DHCPv6 Leasequery

The Cisco IOS Release 12.2(33)SCF1 introduces support for unitary DHCPv6 leasequery protocol (RFC 5007) on the Cisco CMTS routers for upstream IPv6 source verification. This protocol verifies the authenticity of the IPv6 CPE behind a home or small office cable deployment.

If the IPv6 source verification fails on the router and the cable ipv6 source-verify dhcp and no cable nd commands are configured on the bundle interface or subinterface, the Cisco CMTS triggers a unitary DHCPv6 leasequery to the Cisco Network Registrar (CNR). If a valid leasequery response is received from the CNR, the Cisco CMTS adds the CPE to its subscriber database and allows future traffic for the CPE.

The primary use of the unitary DHCPv6 leasequery protocol on the Cisco CMTS router is to recover lost CPE data including the Prefix Delegation (PD) route. The IPv6 CPE data can be lost from the Cisco CMTS in several ways. For example, PD route loss can occur during a Cisco CMTS reload.

The unitary DHCPv6 leasequery protocol also supports the following:

DHCPv6 leasequery protocol.

Rogue client database for failed source-verify clients.

DHCPv6 leasequery filters.

DHCPv6 leasequeries to a specific DHCPv6 server.

How to Configure Filtering of Cable DHCP Leasequery Requests

Use the following procedures to configure the filtering of DHCP Leasequery requests on the Cisco CMTS downstreams and upstreams:

Enabling DHCP Leasequery Filtering on Downstreams

Enabling DHCP Leasequery Filtering on Upstreams

Configuring Unitary DHCPv6 Leasequery Filtering

Enabling DHCPv6 Leasequery Filtering on Downstreams

Enabling DHCP Leasequery Filtering on Downstreams

Use the following procedure to start filtering DHCP leasequeries on all downstreams of a cable interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. cable source-verify leasequery-filter downstream threshold interval

4. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

cable source-verify leasequery-filter downstream threshold interval

Example:

Router(config)# cable source-verify leasequery-filter downstream 5 10

Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values:

threshold—Maximum number of DHCP Leasequeries allowed per SID for each interval period. The valid range is from 0 to 255 Leasequeries.

interval—Time period, in seconds, over which Leasequeries should be monitored. The valid range is from 1 to 10 seconds.

Step 4 

end

Example:

Router(config)# end

Exits configuration mode and returns to privileged EXEC mode.

Enabling DHCP Leasequery Filtering on Upstreams

Use the following procedure to start filtering DHCP Leasequeries on all upstreams on a bundle interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface bundle bundle-no

4. cable source-verify leasequery-filter upstream threshold interval

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface bundle bundle-no

Example:

Router(config)# interface bundle 1

Enters interface configuration mode for the specified bundle interface.

Step 4 

cable source-verify leasequery-filter upstream threshold interval

Example:

Router(config-if)# cable source-verify leasequery-filter upstream 2 5

Enables leasequery filtering on all upstreams on the specified bundle interface, using the specified threshold and interval values:

Note The cable source-verify leasequery-filter upstream command can only be configured under bundle interface.

threshold—Maximum number of DHCP Leasequeries allowed per SID for each interval period. The valid range is from 0 to 20 Leasequeries.

interval—Time period, in seconds, over which Leasequeries should be monitored. The valid range is from 1 to 5 seconds.

 

Note Repeat Step 3 and Step 4 to enable the filtering of DHCP Leasequeries on the upstreams for other bundle interfaces. Master and slave interfaces in a cable bundle must be configured separately.

Step 5 

end

Example:

Router(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuring Unitary DHCPv6 Leasequery Filtering

Use the following procedure to configure the Cisco CMTS router to send Leasequeries to a DHCP server to verify the authenticity of the IPv6 CPE. You can also enable filtering of these requests to prevent large volumes of Leasequery requests on the bundle interfaces. Similarly, the number of allowable Leasequery requests and the interval time period can also be configured.


Note When the leasequery timer expires, only the IPv4 static CPE is automatically removed from the host database.


Prerequisites

Disable the IPv6 Neighbor Discovery (ND) Gleaning feature using the no form of the cable nd command in bundle interface configuration mode before configuring the unitary DHCPv6 leasequery protocol. For details on IPv6 ND gleaning, see the IPv6 on Cable feature guide.

Configure the cable ipv6 source-verify dhcp command, introduced from Cisco IOS Release 12.2(33)SCF1 onwards, under the Cisco CMTS bundle or bundle subinterface to enable the unitary DHCPv6 leasequery protocol.

Provision the cable ipv6 pd-route {enclosing-route | prefix-length} bundle-interface command on the Cisco CMTS, if any IPv6 CPE router is deployed on the Cisco CMTS.

Use the cable ipv6 source-verify dhcp [server ipv6-address] command for a single DHCP server.

Use the cable ipv6 source-verify dhcp command without any keywords for multiple DHCP servers.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface bundle bundle-no

4. cable ipv6 source-verify
or
cable ipv6 source-verify dhcp [server ipv6-address]

5. cable ipv6 source-verify leasetimer value

6. cable ipv6 source-verify leasequery-filter threshold interval

7. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface bundle bundle-no

Example:

Router(config)# interface bundle 1

Enters interface configuration mode for the specified bundle interface.

Step 4 

cable ipv6 source-verify
or
cable ipv6 source-verify dhcp [server ipv6-address]

Example:

Router(config-if)# cable ipv6 source-verify
or
Router(config-if)# cable ipv6 source-verify dhcp server 2001:DB8:1::1

Enables leasequery filtering on the specified bundle interface and verifies the IP address with multiple DHCPv6 servers.
or
Enables leasequery filtering on the specified bundle interface and verifies the IP address with a specified DHCPv6 server.

server—(Optional) Specifies a default leasequery server to send the DHCPv6 Leasequeries.

ipv6-address—(Optional) IPv6 address of the alternate leasequery server.

Step 5 

cable ipv6 source-verify leasetimer value

Example:

Router(config-if)# cable ipv6 source-verify leasetimer 200

Enables leasequery timer on the specified bundle interface, for the Cisco CMTS to check its internal CPE database for IPv6 addresses whose lease time has expired.

value—Lease time value. The valid range is from 1 to 240 minutes, with a default of 60 minutes.

Step 6 

cable ipv6 source-verify leasequery-filter threshold interval

Example:

Router(config-if)# cable ipv6 source-verify leasequery-filter 5 10

Enables filtering of the IPv6 leasequery requests.

threshold—Maximum number of DHCP Leasequeries allowed per SID for each interval period. The valid range is from 0 to 255.

interval—Time period, in seconds, over which Leasequeries should be monitored. The valid range is from 1 to 10 seconds.

Step 7 

end

Example:

Router(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Enabling DHCPv6 Leasequery Filtering on Downstreams

Use the following procedure to start filtering DHCP Leasequeries on all downstreams of a cable interface.

SUMMARY STEPS

1. enable

2. configure terminal

3. cable ipv6 source-verify leasequery-filter downstream threshold interval

4. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

cable ipv6 source-verify leasequery-filter downstream threshold interval

Example:

Router(config-if)# cable ipv6 source-verify leasequery-filter downstream 5 10

Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values:

threshold—Maximum number of DHCP Leasequeries allowed per SID for each interval period. The valid range is from 0 to 255 Leasequeries.

interval—Time period, in seconds, over which Leasequeries should be monitored. The valid range is from 1 to 10 seconds.

Step 4 

end

Example:

Router(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for Filtering of DHCP Leasequery

This section provides the following examples on how to configure the DHCP leasequery filtering feature:

Example: DHCP Leasequery Filtering

Example: Unitary DHCPv6 Leasequery Filtering

Example: DHCP Leasequery Filtering

The following example shows an excerpt from a typical configuration of a bundle interface that is configured for filtering DHCP leasequery requests on both its upstream and downstream interfaces:


Note If an alternate server has been configured to receive leasequery requests, the cable source-verify dhcp server ipaddress command would display in place of the cable source-verify dhcp command below.


.
.
.
cable source-verify leasequery-filter downstream 5 20 
.
.
.
interface bundle 1
.
.
.
 cable source-verify dhcp 
 cable source-verify leasequery-filter upstream 1 5 
 no cable arp 
.
.

Example: Unitary DHCPv6 Leasequery Filtering

The following example shows how to display the total number of DHCPv6 leasequery requests that have been filtered on the router in Cisco IOS Release 12.2(33)SCF1:

Router# show cable leasequery-filter 
IPv4 Lease Query Filter statistics for Unknown Sid
  Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Unknown Sid
  Requests Sent : 0 total. 0 unfiltered, 0 filtered

The following example shows how to display the total number of DHCP leasequery requests that have been filtered on a particular cable interface in Cisco IOS Release 12.2(33)SCF1:

Router# show cable leasequery-filter cable 7/0/0 
IPv4 Lease Query Filter statistics for Cable7/0/0:
  Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Cable7/0/0:
  Requests Sent : 0 total. 0 unfiltered, 0 filtered

The following example shows how to display a list of cable modems on a cable interface and the number of DHCP leasequery messages filtered per interface in Cisco IOS Release 12.2(33)SCF1:

Router# show cable leasequery-filter cable 7/0/0 requests-filtered 
Sid  MAC Address    IP Address      Req-Filtered
1    0018.6835.2756 0.0.0.0         0           
2    0025.2e2d.7440 0.0.0.0         0           
Sid  MAC Address    IP Address          Req-Filtered
1    0018.6835.2756 2001:DB8:1::1       0           
2    0025.2e2d.7440 2001:DB8:1::2       0 
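The following added example (not part of the original document, and not Cisco code) parses text in the layout of the requests-filtered output shown above and reports the SIDs whose Req-Filtered counter grew between two captures. The function names are hypothetical, both snapshots are constructed sample data, and the example assumes that the counter is cumulative between captures; the alert limit is a value to tune for your network.

```python
"""Flag SIDs whose leasequery-filter drop counter is climbing (added example).

Parses text in the layout of `show cable leasequery-filter cable <if>
requests-filtered`. The two snapshots below are constructed sample data.
"""
import ipaddress
import re

# One data row: SID, dotted MAC address, IP address, Req-Filtered counter.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s+(\S+)\s+(\d+)\s*$"
)


def parse_requests_filtered(text):
    """Return {(sid, mac, ip_version): req_filtered} for every data row."""
    counters = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:                  # header rows, prompts, blank lines
            continue
        sid, mac, addr, count = match.groups()
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError:             # malformed address: skip, do not guess
            continue
        counters[(int(sid), mac.lower(), version)] = int(count)
    return counters


def rising_sids(before, after, limit):
    """Return (sid, mac, ip_version, delta) rows that grew by more than `limit`."""
    old = parse_requests_filtered(before)
    alerts = []
    for key, count in sorted(parse_requests_filtered(after).items()):
        delta = count - old.get(key, 0)
        if delta < 0:                  # counter cleared or the SID re-registered
            delta = count
        if delta > limit:
            alerts.append((*key, delta))
    return alerts


# Constructed snapshots, taken some time apart on the same cable interface.
SNAPSHOT_1 = """\
Router# show cable leasequery-filter cable 7/0/0 requests-filtered
Sid  MAC Address    IP Address      Req-Filtered
1    0018.6835.2756 0.0.0.0         3
2    0025.2e2d.7440 0.0.0.0         40
Sid  MAC Address    IP Address          Req-Filtered
1    0018.6835.2756 2001:DB8:1::1       0
2    0025.2e2d.7440 2001:DB8:1::2       5
"""
SNAPSHOT_2 = """\
Router# show cable leasequery-filter cable 7/0/0 requests-filtered
Sid  MAC Address    IP Address      Req-Filtered
1    0018.6835.2756 0.0.0.0         4
2    0025.2e2d.7440 0.0.0.0         940
Sid  MAC Address    IP Address          Req-Filtered
1    0018.6835.2756 2001:DB8:1::1       0
2    0025.2e2d.7440 2001:DB8:1::2       2
"""

if __name__ == "__main__":
    for sid, mac, version, delta in rising_sids(SNAPSHOT_1, SNAPSHOT_2, limit=100):
        print(f"SID {sid} ({mac}) IPv{version}: +{delta} leasequeries filtered")
```

A SID that keeps appearing in this list is a candidate for closer inspection with the debug commands in the Troubleshooting section.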

Troubleshooting

The following debug commands help you to troubleshoot an improper DHCPv6 leasequery filtering configuration:

debug cable ipv6—Enables debug operation for the IPv6 transactions on a cable interface.

debug cable ipv6 db—Displays debug messages associated with host database transactions.

debug cable ipv6 dhcp—Displays debug messages associated with DHCPv6 transactions.

debug cable ipv6 ha—Displays debug messages associated with High Availability (HA) IPv6 transactions.

debug cable ipv6 lq—Displays debug messages associated with leasequery (LQ) transactions.

debug cable ipv6 nd—Displays debug messages associated with Neighbor Discovery (ND) transactions.

debug cable ipv6 source-verify—Displays debug messages associated with source verification transactions.

For detailed information on these and other debug commands, see the Cisco IOS CMTS Cable Command Reference Guide.

Additional References

The following sections provide references related to the Cable DHCP Leasequery feature.

Related Documents

Related Topic
Document Title

IPv6

IPv6 on Cable

Cisco CMTS Command Reference

Cisco IOS CMTS Cable Command Reference Guide, at the following URL:

http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html

Cisco IOS Release 12.2 Command Reference

Cisco IOS Release 12.2 Configuration Guides and Command References, at the following URL:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html


Standards


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

RFC 826

An Ethernet Address Resolution Protocol (ARP)

RFC 4388

Dynamic Host Configuration Protocol (DHCP) Leasequery

RFC 5007

Unitary DHCPv6 Leasequery


Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for Cable DHCP Leasequery

Table 1 lists the release history for this feature.

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for Cable DHCP Leasequery 

Feature Name
Releases
Feature Information

Cable DHCP Leasequery

12.2(15)BC1d, 12.2(15)BC2b

This feature was introduced for the Cisco uBR7100 series, Cisco uBR7246VXR, and Cisco uBR10012 universal broadband routers.

Cable DHCP Leasequery

12.3(13)BC

Added support for the MAC Address Exclusion List for the cable source-verify dhcp command.

Filtering Cable DHCP Leasequery

12.3(17a)BC

Added support for the configurable leasequery server using the cable source-verify dhcp server ipaddress command.

RFC4388 Compliance Cable Leasequery

12.2(33)SCE1

Added support for RFC 4388 compliant DHCP leasequery. The ip dhcp compatibility lease-query client {cisco | standard} command was integrated into this feature.

Unitary DHCPv6 Leasequery protocol (RFC 5007)

12.2(33)SCF1

Added support for RFC 5007 compliant DHCPv6 leasequery protocol.

The following sections provide information about this feature:

Unitary DHCPv6 Leasequery

Configuring Unitary DHCPv6 Leasequery Filtering

The following commands were introduced or modified: cable ipv6 source-verify, cable ipv6 source-verify leasequery-filter downstream, show cable leasequery-filter, and debug cable ipv6 lq.