Document ID: 20711
Contents
Introduction
Prerequisites
Requirements
Security
VPN Issues
Components Used
Conventions
Parameter Definitions
Configure the Cisco 2600 Router
Enter Configuration Mode
Configure the NAT When Using Private IPs on BBSM Network(s) (Optional)
Route to the Internet
Route to the Internal BBSM Network
Configure the SNMP Engine
Configure the Access List for Security Control
Configure the Serial Interface
Configure the Ethernet Interface
Configure the Telnet Interface
Common Oversights and Mistakes
Configure BBSM
WEBConfig > Routers Tab
Create the DHCP Super Scope
Disable the Client DHCP Scope
Configure Additional DHCP Scope Options
Reactivate the Client DHCP Scope
Run LeaseToReservation.exe
Common Oversights and Mistakes
Configure the 3500 XL Switch - Base Switch Configuration (Optional)
Enter Configuration Mode
Global Configuration
Configure the Access List for Security Control
Configure the FastEthernet0/1 - 0/23 Interface
Configure the FastEthernet0/1 - 0/24 Interface Storm Control (Optional)
Configure the VLAN 1 Interface
Configure the Telnet Interface
Common Oversights and Mistakes
Configure the uBR7100 Cable Modem Termination System
Enter Configuration Mode
Global Configuration
Configure the Access List for Security Control
Configure the FastEthernet0/0 Interface
Configure the FastEthernet0/1 Interface
Configure the Cable1/0 Interface
Configure the Bridgegroup Virtual Interface 1 Interface
Configure the Telnet Interface
Common Oversights and Mistakes
Related Information
Introduction
This document represents best practice methodologies for Cisco MxU Broadband Solution Deployment. The Building Broadband Solution Unit (BBSU) Total Implementation Package (TIP) utilizes Cisco Systems, Inc. Building Broadband Service Manager (BBSM), Ethernet, Long Reach Ethernet (LRE), Aironet, and Cable Product offerings to provide broadband connectivity for the MxU market.
This document is a supplemental tool that is intended for internal use by Cisco partners, resellers, and customers for the deployment of Cisco products. This tool is subject to the terms and conditions of the Cisco TIP License Agreement.
The purpose of this document is to provide baseline configuration guidelines for a Cisco Systems BBSM Network within a COAX cable plant, and is not a replacement for individual Point Product Configuration documentation.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- BBSM network design
- BBSM Internet Protocol (IP) scheme for the property (BBSM to router, BBSM to client)
- External IP scheme from the Internet service provider (ISP) including a Domain Name System (DNS) forwarder and a Simple Mail Transfer Protocol (SMTP) forwarder
- Internal network design, for example, IP addresses of all switches and application processes (APs)
Testing:
After all equipment is configured, perform Acceptance Test Procedure Test Case 2 to verify Ethernet end users.
Security
The configurations contained in this documentation are provided as a sample only and might require further modifications for use in your particular network. Access lists have been provided in the Configuring the Access List for Security Control for the Cisco 2600 Router, Configuring the Access List for Security Control for the 3500 XL Switch, and Configuring the Access List for Security Control for the uBR7100 Cable Modem Termination System sections of the documentation as examples of how to prevent unauthorized access to routers and switches. These security measures are by no means comprehensive and should be modified as required for each individual network. Any additions or modifications to access lists and other configuration items should be fully tested prior to inclusion into a production network environment.
It is the responsibility of the network administrator to analyze all security risks and respond to security issues for the BBSM network. Cisco assumes no responsibility for damage done by unauthorized personnel accessing network equipment.
VPN Issues
BBSM supports all Virtual Private Network (VPN) solutions once a customer has connected to the BBSM service. Problems can occur, however, depending on the IP scheme of the BBSM internal network. Some VPNs do not support Network Address Translation (NAT) or Port Address Translation (PAT). NAT and/or PAT must occur when you use a private or non-routable IP scheme (10.10.0.0, for example). The translation of a private address to a public, routable address occurs on the router, and this translation is what causes some VPN solutions not to work. The Cisco VPN 3000 Concentrator, for example, is a system that can support VPN over NAT.
The entire BBSM solution must use a routable (public) IP scheme to ensure that all VPNs work all of the time. Even when routable IP addresses are used, customers who rely on Plug&Play to connect to BBSM with statically configured IP addresses might not be able to activate a VPN session, because BBSM uses a form of NAT to translate between their static IP address and an IP address from the Foreign Range. If the customer requires a VPN connection and cannot initiate one using a static IP address, then the customer must configure their computer for DHCP.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Parameter Definitions
BBSM_External_IP_Network—The network ID of the BBSM external network.
BBSM_Internal_IP_Network—The network ID of the BBSM internal network.
BBSM_External_NIC—The Internet Protocol (IP) address of the BBSM external Network Interface Card (NIC).
BBSM_I/E_NIC—The IP Address of the Internal and External NIC. Commands with this parameter should be repeated for both the Internal and External NICs.
BBSM_Internal_NIC—The Internet Protocol (IP) address of the BBSM internal Network Interface Card (NIC).
CD_Drive—The drive letter of the computer's CD drive.
CM_End_IP_Address—The last available DHCP IP address for the cable modems.
CM_Net_ID—Cable modem network ID.
CM_Network_IP_Address—IP address for the CMTS as a router for the cable modem network.
CM_Start_IP_Address—The first available DHCP IP address for the cable modems.
DOCSIS_Config_File_Name—Filename of the Data-over-Cable Service Interface Specifications (DOCSIS) cable modem configuration file. This file must be loaded on and accessible from the Trivial File Transfer Protocol (TFTP) server.
DS_Freq—Downstream frequency.
DS_Mod—Downstream signal modulation.
IP_Addr—Destination IP address or IP network for router access-list 100.
IP_Address_1—The IP address of the router Serial0/0 interface.
IP_Address_2—The IP address of the router Ethernet0/0 interface.
ISP_Gateway—The gateway IP address for the router, received from the ISP.
Int_Depth—Interleave depth.
IP_of_tftp_server—IP address of the TFTP server. This may or may not be the BBSM server.
Man_Network—Integrator and/or corporate network for monitoring and administrating the network.
Netmask—Subnet mask.
Offset—Number of seconds offset from Greenwich Mean Time (GMT) in hex (PST = -8 hours = -28800 sec = 0xffff8f80).
password_1—Password required to enter Privileged mode.
password_2—Password required to logon to the switch via Telnet.
Private_IP_(X)—The private IP address to receive a 1:1 NAT mapping to a Real_IP_(X).
Real_IP_(X)—Real IP addresses obtained from the ISP.
RO_String—Read-only SNMP community string.
RW_String—Read-write SNMP community string.
Switch_IP—IP address of the switch.
ToD_Server—IP address of the Time of Day server. This may or may not be the BBSM server.
USx_Freq—Upstream frequency for USx (US0, US1, US2, US3).
USx_Power—Upstream power level from the cable modem for USx.
USx_Ch_Width—Upstream channel width for USx.
Wildcard—Used with IP_Addr to determine the size of the destination network for router access-list 100.
Configure the Cisco 2600 Router
Enter Configuration Mode
Issue these commands to enter Configuration mode.
Router>enable
!--- Enter password if prompted.
Router#config terminal
Router(config)#enable secret <password_1>
Router(config)#hostname SJ1
!--- Use a unique hostname for each router for easy identification.
Configure the NAT When Using Private IPs on BBSM Network(s) (Optional)
Issue these commands to configure the NAT pool for BBSM end users.
SJ1(config)#ip nat pool all_clients <Real_IP_2> <Real_IP_3> netmask <Netmask>
SJ1(config)#ip nat inside source list 1 pool all_clients overload
SJ1(config)#ip nat inside source static <Private_IP_X> <Real_IP_X>
SJ1(config)#access-list 1 permit <BBSM_Internal_IP_Network> <Wildcard>
SJ1(config)#access-list 1 permit <BBSM_External_IP_Network> <Wildcard>
Route to the Internet
Issue this command to route to the Internet.
SJ1(config)#ip route 0.0.0.0 0.0.0.0 <ISP_Gateway>
Route to the Internal BBSM Network
Issue this command to route to the internal BBSM network.
SJ1(config)#ip route <BBSM_Internal_IP_Network> <Netmask> <BBSM_External_NIC>
Configure the SNMP Engine
Issue these commands to configure the SNMP engine.
SJ1(config)#snmp community <RW_String> RW
SJ1(config)#snmp community <RO_String> RO
Configure the Access List for Security Control
Issue these commands to configure the access list for security control.
SJ1(config)#access-list 100 permit icmp <Man_Network> <Wildcard> any echo
SJ1(config)#access-list 100 permit tcp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq 9488
SJ1(config)#access-list 100 permit tcp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq ftp
!--- SNMP runs over UDP, so the snmp entries use udp.
SJ1(config)#access-list 100 permit udp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq snmp
SJ1(config)#access-list 100 permit tcp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq telnet
SJ1(config)#access-list 100 permit tcp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq www
SJ1(config)#access-list 100 permit udp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq tftp
SJ1(config)#access-list 100 permit icmp <Man_Network> <Wildcard> <IP_Addr> <Wildcard> echo
SJ1(config)#access-list 100 permit tcp <Man_Network> <Wildcard> <IP_Addr> <Wildcard> eq telnet
SJ1(config)#access-list 100 permit tcp <Man_Network> <Wildcard> <IP_Addr> <Wildcard> eq www
SJ1(config)#access-list 100 permit udp <Man_Network> <Wildcard> <IP_Addr> <Wildcard> eq snmp
SJ1(config)#access-list 100 permit udp <Man_Network> <Wildcard> <IP_Addr> <Wildcard> eq tftp
SJ1(config)#access-list 100 deny ip any <IP_Addr> <Wildcard>
SJ1(config)#access-list 100 deny icmp any any echo
SJ1(config)#access-list 100 permit ip any any
Note: These access list statements can be repeated for multiple source and destination IP addresses, source and destination port numbers and protocols.
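Added example, not part of the original Cisco document: a small Python model of how the router evaluates access-list 100 (wildcard-mask matching, first match wins, implicit deny at the end), useful for checking rule order before the list is applied to Serial0/0. The addresses are constructed sample values for the page's placeholders, the list is an abridged copy of the one above, and the function names (parse_acl, evaluate) are hypothetical.

```python
import ipaddress

# Constructed values for the page's placeholders (RFC 5737 documentation ranges).
SAMPLE = {"<Man_Network>": "192.0.2.0", "<Wildcard>": "0.0.0.255",
          "<BBSM_I/E_NIC>": "198.51.100.10", "<IP_Addr>": "198.51.100.0"}
PORTS = {"ftp": 21, "telnet": 23, "tftp": 69, "www": 80, "snmp": 161}

# Abridged copy of the router's access-list 100, in the page's order.
ACL_100 = """
permit icmp <Man_Network> <Wildcard> any echo
permit tcp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq 9488
permit tcp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq telnet
permit udp <Man_Network> <Wildcard> host <BBSM_I/E_NIC> eq tftp
permit tcp <Man_Network> <Wildcard> <IP_Addr> <Wildcard> eq telnet
deny ip any <IP_Addr> <Wildcard>
deny icmp any any echo
permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (to_int(tok[1]), 0), tok[2:]
    return (to_int(tok[0]), to_int(tok[1])), tok[2:]

def parse_acl(text, values):
    """Substitute placeholder values and parse each entry into a rule tuple."""
    for name, val in values.items():
        text = text.replace(name, val)
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        port = icmp = None
        if rest[:1] == ["eq"]:          # tcp/udp destination port
            port = PORTS.get(rest[1]) or int(rest[1])
        elif rest:                      # ICMP message type, e.g. "echo"
            icmp = rest[0]
        rules.append((action, proto, src, dst, port, icmp, line))
    return rules

def addr_match(spec, addr):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF           # wildcard 1-bits are "don't care"
    return (to_int(addr) & keep) == (base & keep)

def evaluate(rules, proto, src, dst, port=None, icmp=None):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, r_proto, r_src, r_dst, r_port, r_icmp, line in rules:
        if (r_proto in ("ip", proto)
                and addr_match(r_src, src) and addr_match(r_dst, dst)
                and r_port in (None, port) and r_icmp in (None, icmp)):
            return action, line
    return "deny", "(implicit deny)"

RULES = parse_acl(ACL_100, SAMPLE)

if __name__ == "__main__":
    packets = [("tcp", "192.0.2.25", "198.51.100.10", 23, None),   # management Telnet
               ("tcp", "203.0.113.7", "198.51.100.10", 23, None),  # outside Telnet
               ("icmp", "203.0.113.7", "198.51.101.5", None, "echo"),
               ("tcp", "203.0.113.7", "198.51.101.5", 443, None)]
    for pkt in packets:
        print(pkt, "->", evaluate(RULES, *pkt))
```

The switch and uBR7100 lists later in this document contain only permit entries, so any traffic they do not explicitly permit falls to the implicit deny.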
Configure the Serial Interface
Issue these commands to configure the serial interface.
SJ1(config)#interface serial0/0
SJ1(config-if)#ip address <IP_Address_1> <Netmask>
SJ1(config-if)#ip nat outside
SJ1(config-if)#ip access-group 100 in
Configure the Ethernet Interface
Issue these commands to configure the Ethernet interface.
SJ1(config-if)#interface Ethernet0/0
SJ1(config-if)#ip address <IP_Address_2> <Netmask>
SJ1(config-if)#ip nat inside
Configure the Telnet Interface
Issue these commands to configure the Telnet interface.
SJ1(config-if)#line vty 0 4
SJ1(config-line)#password <password_2>
SJ1(config-line)#login
SJ1(config-line)#line vty 5 15
SJ1(config-line)#login
SJ1(config-line)#^Z
!--- CTRL-Z ends the configuration session.
Common Oversights and Mistakes
These common oversights and mistakes are associated with configuring the Cisco 2600 router:
- Incorrectly configured or missing NAT configurations.
- Missing or incorrect route for the BBSM internal network.
Configure BBSM
Detailed instructions for configuring the BBSM software are included on the BBSM Installation CD at <CD_Drive>:\Documentation\config.pdf.
Note: Adobe Acrobat Reader must be installed to view this file.
WEBConfig > Routers Tab
Open WEBConfig > Routers and enter this information:
- Router Number: 1 (or the next available number)
- Router IP Address: <CM_Network_IP_Address>
- Gateway to Router: <BBSM_Network_IP_Address>
- Client Start: <Client_Start_IP_Address>
- Client End: <Client_End_IP_Address>
- Subnet Mask: <CM_Network_SNM>
- Router Supports SNMP: Yes (checked)
- SNMP password: <RW_String>
- Create DHCP Scope: Yes (checked)
Create the DHCP Super Scope
Complete these steps to create the Dynamic Host Configuration Protocol (DHCP) Super scope.
- Right-click on the computer name.
- Select New Super scope.
- Click Next on the Super scope wizard.
- Input the Super scope name and click Next.
- Select all applicable scopes on the list and click Next.
- Verify that the information is correct in completing the new Super scope wizard.
- Click Finish.
Disable the Client DHCP Scope
Complete these steps to disable the client DHCP scope.
- Expand the tree under the BBSM server name.
- Right-click the client scope.
- Select deactivate.
- When the warning appears, click Yes.
Configure Additional DHCP Scope Options
Enter this information to configure additional DHCP scope options. After you enter each option, click Apply or Add.
- Enter 002 Time Offset: <Offset>
- Verify 003 Router: <CM_Network_IP_Address>
- Enter 004 Time Server: <ToD_Server>
- Verify 006 DNS Server: <BBSM_Internal_NIC>
- Enter 007 Log Server: <BBSM_Internal_NIC>
- Enter 010 Impress Server: <BBSM_Internal_NIC>
- Enter 011 Resource Location Server: <BBSM_Internal_NIC>
- Enter 066 Boot Server Host Name: <IP_of_tftp_server>
- Enter 067 Bootfile Name: <DOCSIS_Config_File_Name>
Reactivate the Client DHCP Scope
When all modems have received an IP address and have come online, right-click the client scope and select activate.
Run LeaseToReservation.exe
Run LeaseToReservation.exe to convert the private DHCP leases into DHCP reservations.
Common Oversights and Mistakes
These oversights and mistakes are common when you configure BBSM.
- If clients are not disconnected from the network before you start, some clients can receive IP addresses from the cable modem pool. Some VPN solutions might also fail to work properly.
- Some clients receive an IP address from the cable modem pool when LeaseToReservation.exe is not executed. Open a case with Cisco Technical Support to obtain a copy of the LeaseToReservation.exe utility.
- If an error is committed during the installation of the BBSM software, stop the installation, reformat the hard drive, and begin the installation with a clean copy of the Windows 2000 Server.
Configure the 3500 XL Switch - Base Switch Configuration (Optional)
Enter Configuration Mode
Issue these commands to enter Configuration mode.
Switch>enable
!--- Enter password if prompted.
Switch#config terminal
Global Configuration
Issue these commands for global configuration.
Switch(config)#enable secret <password_1>
Switch(config)#hostname BaseSwitch1
!--- Use a unique hostname for each switch for easy identification.
BaseSwitch1(config)#ip default-gateway <BBSM_Internal_NIC>
BaseSwitch1(config)#snmp community <RW_String> RW
BaseSwitch1(config)#snmp community <RO_String> RO
Configure the Access List for Security Control
Issue these commands to configure the access list for security control.
BaseSwitch1(config)#access-list 100 permit icmp host <BBSM_Internal_NIC> host <Switch_IP> echo
BaseSwitch1(config)#access-list 100 permit tcp host <BBSM_Internal_NIC> host <Switch_IP> eq telnet
BaseSwitch1(config)#access-list 100 permit tcp host <BBSM_Internal_NIC> host <Switch_IP> eq www
BaseSwitch1(config)#access-list 100 permit udp host <BBSM_Internal_NIC> host <Switch_IP> eq tftp
BaseSwitch1(config)#access-list 100 permit udp host <BBSM_Internal_NIC> host <Switch_IP> eq snmp
Configure the FastEthernet0/1 - 0/23 Interface
Issue these commands to configure the FastEthernet0/1 - 0/23 interface.
BaseSwitch1(config)#interface fastethernet0/x
!--- Where x equals the interface number, for example 0/1, 0/23.
BaseSwitch1(config-if)#port protected
BaseSwitch1(config-if)#spanning-tree rootguard
BaseSwitch1(config-if)#spanning-tree portfast
Configure the FastEthernet0/1 - 0/24 Interface Storm Control (Optional)
Issue these commands to configure the FastEthernet0/1 - 0/24 interface storm control.
BaseSwitch1(config-if)#port block unicast
BaseSwitch1(config-if)#port block multicast
Configure the VLAN 1 Interface
Issue these commands to configure the VLAN 1 interface.
BaseSwitch1(config-if)#interface vlan 1
BaseSwitch1(config-if)#ip address <Switch_IP> <Netmask>
BaseSwitch1(config-if)#ip access-group 100 in
BaseSwitch1(config-if)#no ip directed-broadcast
BaseSwitch1(config-if)#no ip route-cache
Configure the Telnet Interface
Issue these commands to configure the Telnet interface.
BaseSwitch1(config-if)#line vty 0 4
BaseSwitch1(config-line)#password <password_2>
BaseSwitch1(config-line)#login
BaseSwitch1(config-line)#line vty 5 15
BaseSwitch1(config-line)#login
BaseSwitch1(config-line)#^Z
!--- CTRL-Z ends the configuration session.
Common Oversights and Mistakes
These oversights and mistakes are common when you configure the 3500 XL switch for a base switch configuration.
- Base switches should not be included in WEBConfig > Switches.
- Interface FastEthernet0/24, the port pointing towards the BBSM server, cannot be configured with the port protected, spanning-tree rootguard, or spanning-tree portfast commands.
Configure the uBR7100 Cable Modem Termination System
Enter Configuration Mode
Issue these commands to enter Configuration mode.
Router>enable
!--- Enter password if prompted.
Router#config terminal
Global Configuration
Issue these commands for global configuration.
Router(config)#enable secret <password_1>
Router(config)#hostname uBR7100
!--- Use a unique hostname for each CMTS for easy identification.
uBR7100(config)#cable time-server
uBR7100(config)#ip routing
uBR7100(config)#ip subnet-zero
uBR7100(config)#no ip domain-lookup
uBR7100(config)#ip name-server <BBSM_Internal_NIC>
uBR7100(config)#bridge irb
uBR7100(config)#ip classless
uBR7100(config)#no ip http server
uBR7100(config)#ip route 0.0.0.0 0.0.0.0 <BBSM_Internal_NIC>
uBR7100(config)#snmp community <RW_String> RW
uBR7100(config)#snmp community <RO_String> RO
uBR7100(config)#bridge 1 protocol ieee
uBR7100(config)#bridge 1 route ip
Configure the Access List for Security Control
Issue these commands to configure the access list for security control.
uBR7100(config)#access-list 100 permit icmp host <BBSM_Internal_NIC> host <Switch_IP> echo
uBR7100(config)#access-list 100 permit tcp host <BBSM_Internal_NIC> host <Switch_IP> eq telnet
uBR7100(config)#access-list 100 permit tcp host <BBSM_Internal_NIC> host <Switch_IP> eq www
uBR7100(config)#access-list 100 permit udp host <BBSM_Internal_NIC> host <Switch_IP> eq tftp
uBR7100(config)#access-list 100 permit udp host <BBSM_Internal_NIC> host <Switch_IP> eq snmp
uBR7100(config)#access-list 100 permit ip host <BBSM_Internal_NIC> <CM_Net_ID> <Wildcard_Mask_2>
uBR7100(config)#access-list 100 permit ip <CM_Net_ID> <Wildcard_Mask_2> host <BBSM_Internal_NIC>
Configure the FastEthernet0/0 Interface
Issue these commands to configure the FastEthernet0/0 interface.
uBR7100(config)#interface fastethernet0/0
uBR7100(config-if)#no ip address
uBR7100(config-if)#no ip route-cache
uBR7100(config-if)#no ip mroute-cache
uBR7100(config-if)#duplex auto
uBR7100(config-if)#speed auto
uBR7100(config-if)#bridge-group 1
uBR7100(config-if)#no bridge-group 1 subscriber-loop-control
Configure the FastEthernet0/1 Interface
Issue these commands to configure the FastEthernet0/1 interface.
uBR7100(config-if)#interface fastethernet0/1
uBR7100(config-if)#no ip address
uBR7100(config-if)#no ip route-cache
uBR7100(config-if)#no ip mroute-cache
uBR7100(config-if)#shutdown
uBR7100(config-if)#duplex auto
uBR7100(config-if)#speed auto
uBR7100(config-if)#bridge-group 1
uBR7100(config-if)#no bridge-group 1 subscriber-loop-control
Configure the Cable1/0 Interface
Issue these commands to configure the Cable1/0 interface.
uBR7100(config-if)#interface cable1/0
uBR7100(config-if)#no ip address
uBR7100(config-if)#no ip route-cache
uBR7100(config-if)#no ip mroute-cache
uBR7100(config-if)#cable downstream annex B
uBR7100(config-if)#cable downstream modulation <DS_Mod>
uBR7100(config-if)#cable downstream interleave-depth <Int_Depth>
uBR7100(config-if)#cable downstream frequency <DS_Freq>
uBR7100(config-if)#no cable downstream rf-shutdown
uBR7100(config-if)#cable upstream 0 frequency <US0_Freq>
uBR7100(config-if)#cable upstream 0 power-level <US0_Power>
uBR7100(config-if)#cable upstream 0 channel-width <US0_Ch_Width>
uBR7100(config-if)#no cable upstream 0 shutdown
uBR7100(config-if)#cable upstream 1 frequency <US1_Freq>
uBR7100(config-if)#cable upstream 1 power-level <US1_Power>
uBR7100(config-if)#cable upstream 1 channel-width <US1_Ch_Width>
uBR7100(config-if)#no cable upstream 1 shutdown
uBR7100(config-if)#cable upstream 2 frequency <US2_Freq>
uBR7100(config-if)#cable upstream 2 power-level <US2_Power>
uBR7100(config-if)#cable upstream 2 channel-width <US2_Ch_Width>
uBR7100(config-if)#no cable upstream 2 shutdown
uBR7100(config-if)#cable upstream 3 frequency <US3_Freq>
uBR7100(config-if)#cable upstream 3 power-level <US3_Power>
uBR7100(config-if)#cable upstream 3 channel-width <US3_Ch_Width>
uBR7100(config-if)#no cable upstream 3 shutdown
uBR7100(config-if)#bridge-group 1
uBR7100(config-if)#no bridge-group 1 subscriber-loop-control
Configure the Bridgegroup Virtual Interface 1 Interface
Issue these commands to configure the Bridgegroup Virtual Interface 1 interface.
uBR7100(config-if)#interface bvi 1
uBR7100(config-if)#ip address <Switch_IP> <BBSM_Network_SNM> secondary
uBR7100(config-if)#ip address <CM_Network_IP_Address> <CM_Network_SNM>
uBR7100(config-if)#ip access-group 100 in
uBR7100(config-if)#ip helper-address <BBSM_Internal_NIC>
uBR7100(config-if)#no ip route-cache
uBR7100(config-if)#no ip mroute-cache
uBR7100(config-if)#no keepalive
Configure the Telnet Interface
Issue these commands to configure the Telnet interface.
uBR7100(config-if)#line vty 0 4
uBR7100(config-line)#password <password_2>
uBR7100(config-line)#login
uBR7100(config-line)#line vty 5 15
uBR7100(config-line)#login
uBR7100(config-line)#^Z
!--- CTRL-Z ends the configuration session.
Common Oversights and Mistakes
These oversights and mistakes are common when you configure the uBR7100 cable modem termination system.
- The uBR7114 has four upstream (US) ports. The uBR7111 has only one US port, so only US0 can be configured on it. Refer to Configure the Cable1/0 Interface for more information.
- When you use a uBR7114, all of the upstream frequencies must be different and cannot overlap.
- Turn off subscriber-loop-control on all interfaces and save a startup-config that contains the no bridge-group 1 subscriber-loop-control command for Cable1/0. It is normally turned on by default for Cable1/0 and reappears after a reboot if it is not disabled.
- Physical interfaces do not receive IP addresses in Integrated Routing and Bridging (IRB) mode.
Related Information
| Updated: Jun 08, 2006 | Document ID: 20711 |
