DOCSIS Set-Top Gateway (DSG) for the Cisco CMTS

This document describes the DOCSIS Set-Top Gateway (DSG) feature with its configuration and monitoring from Issue 0.9 through Issue 1.0 on the Cisco Cable Modem Termination System (CMTS).

DSG is a CableLabsŽ specification that allows cable headends such as the Cisco CMTS to provide a class of cable services known as out-of-band (OOB) messaging to set-top boxes (STBs) over existing Data-over-Cable Service Interface Specifications (DOCSIS) cable networks. DSG 1.0 allows cable Multi-System Operators (MSOs) and other service providers to combine both DOCSIS and STB operations over a single, open and vendor-independent network without requiring any changes to the existing DOCSIS network infrastructure.

At the time of this Cisco publication, the CableLabsŽ DOCSIS DSG specification is in the current status of "Issued" as characterized by stability, rigorous review in industry and cross-vendor interoperability. The latest version of this developing specification is available at the following locations:


Feature History
Release	Modification
Release 12.3(9a)BC	This feature was introduced for the Cisco uBR10012 universal broadband router. The following DSG 1.0 features are supported for each Cisco CMTS platform: •Vendor names are supported to 20 characters per SNMP requirements. •SNMP MIB support introduced for the DSG-IF-MIB. •Multicast MAC addresses are supported for DSG tunnels. DSG tunnel MAC addresses are no longer limited only to unicast addresses. •DSG 1.0 prevents the configuration of any reserved or otherwise inappropriate IP multicast addresses.
Release 12.2(15)BC2	This feature was introduced for the Cisco uBR7100 series and Cisco uBR7246VXR universal broadband routers.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Prerequisites for DOCSIS Set-Top Gateway

General Prerequisites

•

With Cisco uBR7100 series and Cisco uBR7246VXR routers, the Cisco CMTS must be running Cisco IOS Release 12.2(15)BC2 or later Cisco IOS 12.2 BC release.

•

With the Cisco uBR10012 router, the Cisco CMTS must be running Cisco IOS Release 12.3(9a)BC or later Cisco IOS 12.3 BC release.

•

Set-top boxes must support the CableLabs DSG specifications through Version 1.0, available at the following locations:

IP Multicast Prerequisites

•

IP multicast routing must be enabled on the Cisco router for proper DSG operations. To enable IP multicast routing, use the ip multicast-routing command in global configuration mode.

•

Protocol Independent Multicast (PIM) must be enabled on the cable interface and all outgoing WAN interfaces, using the ip pim interface command, before enabling and configuring the DOCSIS Set-Top Gateway feature. The DOCSIS Set-Top Gateway feature supports the following PIM modes:

–

sparse-dense-mode—The interface is treated in either sparse mode or dense mode of operation, depending on the mode in which the multicast group is operating.

•

For best performance, Cisco recommends enabling fast switching of IP multicast on incoming and outgoing interfaces, using the ip mroute-cache command.

•

(Optional) Multicast rate-limiting can be enabled on those cable interfaces that are configured for DSG operations, using the ip multicast rate-limit out group-list command.

•

(Optional) To restrict which multicast groups can be seen by the hosts, use the ip igmp access-group command to selectively disable multicast groups from being seen by the set-top-boxes.

Restrictions for DOCSIS Set-Top Gateway

Restrictions for DSG Issue 0.9

•

Vendor names must be unique and are supported to a maximum of seven characters.

•

Each CA vendor can have one or more DSG tunnels on each cable interface, up to the maximum of eight tunnels per vendor.

•

You may have a maximum of eight DSG tunnels (as identified by the well-known MAC address) per CA vendor, for a maximum possible total of 32 DSG tunnels per router.

•

DSG traffic should be less than 2.048 Mbps per vendor, so as to conform to the DSG specifications.

•

If using bundled interfaces, configure the DSG configurations only on the master interface, not on the slave interfaces. However, when DSG has been properly configured on the master interface, DSG traffic can flow across both the master and slave interfaces.

•

The DOCSIS Set-Top Gateway feature does not support one-to-many mappings (one IP multicast group for multiple DSG tunnels). This means that multiple CA vendors cannot use the same DSG tunnel — two vendors cannot be using a tunnel with the same IP multicast address.

•

Cisco IOS Release 12.2(15)BC2 does not support the DOCSIS-SETTOP-GATEWAY-MIB in this initial implementation of the DOCSIS Set-Top Gateway feature.

•

In Cisco IOS Release 12.2(15)BC2, N+1 HCCP high-availability redundancy does not preserve the DSG traffic and configuration after a switchover. If you configure a cable interface for both N+1 HCCP redundancy and for DSG operations, DSG traffic does not continue after a switchover.

General Restrictions for DSG Issue 1.0

The following general restrictions apply to DSG Issue 1.0 on Cisco uBR7100 series, Cisco uBR7200 series and Cisco uBR10012 routers and the Cisco IOS 12.3(9a)BC release:

•

You may have a maximum of eight DSG tunnels (as identified by the well-known MAC address) per CA vendor, for a maximum possible total of 32 DSG tunnels per router.

•

DSG traffic should be less than 2.048 Mbps per vendor, so as to conform to the DSG specifications.

•

If using bundled interfaces, you must configure the DSG configurations only on the master interface, not on the slave interfaces. Error messages occur if you configure tunnels in the slave interface.

•

If an interface that has DSG tunnels is configured as a slave, the DSG tunnels configured in that interface are removed.

•

In DSG 1.0, you cannot configure DSG tunnels in subinterfaces or main interfaces that have subinterfaces.

Unicast Restrictions for DSG Issues 0.9 and 1.0

•

DSG-related IP unicast traffic is supported only by configuring Network Address Translation (NAT) on the cable and WAN interfaces, as described in the "Configuring NAT to Support Unicast Messaging (optional)" section. If this is not done, the CMTS receives the unicast traffic from the DSG network controllers, but it does not forward that traffic to the set-top boxes.

Multicast Restrictions for DSG Issues 0.9 and 1.0

•

You cannot create use the same IP multicast groups for both DSG traffic and for other IP multicast traffic. If an IP multicast group is being used for DSG traffic, do not use the ip igmp static-group command to manually configure that same IP multicast group for other, non-DSG traffic.

•

Different CA vendors cannot share IP multicast addresses. Each vendor must use a unique set of IP multicast addresses, and after an IP multicast address is assigned to a DSG tunnel, that same address cannot be used for any other purpose. However, all other multicast addresses and groups can still be used on the interface for other multicast applications.

Information About DOCSIS Set-Top Gateway

Feature Overview

The DOCSIS Set-Top Gateway (DSG) feature allows the Cisco CMTS to provide a class of cable services known as out-of-band (OOB) messaging to set-top boxes (STBs) over existing DOCSIS networks. This allows MSOs and other service providers to combine both DOCSIS and STB operations over one, open, vendor-independent network, without any change to the existing network or cable modems.

Out-of-Band Messaging

Out-of-band (OOB) messages allow network control and management messages to be sent to customer premises equipment (CPE) devices, without interfering with the normal data traffic flow. OOB messages also have an advantage over in-band messages in that OOB messages are not dependent on the type of traffic or applications being sent over the network. This allows new OOB messages to be developed and implemented, without requiring any corresponding changes in the network application software.

Previously, OOB messages have been carried over dedicated channels that use proprietary video standards such as SCTE/DVS-167, SCTE/DVS-178, and DVB-RCCL/DAVIC-RCC. These existing systems have the following limitations:

•

Multi-System Operators (MSOs) and other service providers are locked into legacy systems that require proprietary application servers and STBs, which might require additional licensing fees and service charges.

•

Existing OOB messages (DVS167/178) are delivered over legacy transport mechanisms that are not adaptable for future service offerings.

•

Upstream performance limitations (a maximum of 256 kbps) are unsuitable for large-scale deployment of a variety of interactive, real-time services.

To respond to these limitations, the CableLabs consortium developed the DSG specification to provide a multi-vendor solution that works with both legacy STB and DOCSIS transport paths. This allows MSOs and other service providers to use their legacy systems and STBs over their existing DOCSIS cable plants, while still preparing for DSG-capable STBs that support applications such as Video-on-Demand (VoD), online gaming and other interactive services.

DSG systems allow a wide variety of OOB messages, such as the following standard messages, in addition to generic and vendor-defined messages:

•

Conditional Access (CA) messages, to identify which programs and services a user is entitled to receive.

•

System Information (SI) messages for the management of the STB and its channels.

•

Electronic program guide (EPG) to provide up-to-date program information for STB services and programs.

Basic Structure of a DSG Network

The DOCSIS Set-Top Gateway feature implements the DSG specification on the Cisco CMTS platform, allowing a Cisco CMTS to support both STBs and cable modems over the existing DOCSIS cable network. The CMTS creates a one-way IP datagram channel, called a DSG tunnel, to transport OOB messages to the STBs, allowing the consolidation of cable modem and STB traffic over the same DOCSIS downstream channel.

•

Customer Premises Equipment (CPE)—Set-top box or computer that receives the cable signals coming from the cable modem termination system (CMTS).

•

Set-Top Box (STB)—Customer premises equipment (CPE) that can access subscription and pay-per-view broadcast television services and interactive TV services. In a DSG network, each STB is a member of one or more multicast groups, which allows the STB to receive the OOB messages that are needed to receive the programs they are authorized to view.

•

Point of Deployment (POD) module—Removable security card that is plugged into a STB to uniquely identify and authenticate the STB. This allows the CA servers to securely identify the STB and determine which programs and services it is authorized to receive.

•

Network Controller—Network controllers originate out of band (OOB) DSG messages whose destinations are STBs.

•

Conditional Access Server—Server systems that encrypt video programs using conditional access (CA) techniques so that only authorized subscribers are able to decrypt and view the programs. Typically, each vendor providers their own CA servers, which also maintain the other back office support systems that are necessary for billing and network management of the STBs.

•

DSG Gateway—CMTS that forwards the DSG traffic from the network controllers to STBs.

•

DSG Tunnel—This is an IP multicast datagram stream originating at the DOCSIS Set-Top Gateway and carrying out-of-band messages intended for set-top terminals. It is carried over the downstream DOCSIS channel and is identified by a well-known Ethernet MAC address. The well-known Ethernet unicast MAC address is reserved and published by the CA/POD provider. Multiple DSG tunnels may exist on a single downstream DOCSIS channel.

The CA servers transmit OOB messages on the network using multicast IP packets, which are received by STBs that are members of the appropriate multicast groups.

Using Point of Deployment Modules and DSG Tunnels

CA vendors typically provide a Point of Deployment (POD) security module to each set-top box customer. Each POD contains a unique ID and a unique X.509 digital certificate that allows the CA/POD vendor's provisioning systems to securely identify and authenticate each set-top box.

Having securely identified and authenticated a set-top box, the CA/POD vendor transmits the OOB messages to the STB over a DSG tunnel, which is an IP multicast datagram stream carried over the DOCSIS downstream channel. Each DSG tunnel is identified by a well-known Ethernet unicast address that is reserved and published by the CA/POD vendor.

The CA/POD vendors can use the different DSG tunnels to provide different services. For example, one CA/POD vendor could define one tunnel for an Electronic Program Guide (EPG), another tunnel for conditional access (CA) programming, a third tunnel for emergency alerts, and a fourth tunnel for software upgrades. Other vendors can define their tunnels in different ways to provide other services.

DSG Addressing

The DOCSIS Set-Top Gateway feature uses the following types of addressing to ensure that the proper OOB messages are delivered to the appropriate STBs:

•

Well-known MAC address—Defines the DSG tunnel being used. Each CA/POD vendor reserves and publishes one or more well-known MAC addresses that it uses for its particular services. The POD security modules from that vendor instruct the STB examine packets for one or more of the vendor's MAC addresses. If a packet has the correct well-known MAC address, the STB reads that particular packet.

•

IP Multicast address—Each STB is a member of at least one multicast group. The STB itself does not use these IP addresses, but the Cisco CMTS uses these IP multicast addresses to perform the appropriate multicast joins for the appropriate STBs. This ensures that the STB receives the traffic that is appropriate for its multicast group.

The Cisco CMTS router supports an unlimited number of destination multicast addresses, which can be mapped to MAC addresses as follows:

•

Many-to-one mapping—Multiple IP multicast groups per one DSG tunnel (MAC address)

Note

Cisco IOS Release 12.2(15)BC2 does not support one-to-many mappings (one IP multicast group per multiple MAC addresses/DSG tunnels). This means that multiple CA vendors cannot use the same DSG tunnel (that is, two vendors on the same interface cannot be using a tunnel with the same IP multicast address).

DSG Operation

DSG maps traffic based on the incoming multicast address or a well-known unicast address. The Cisco CMTS performs the following functions when the CMTS receives an OOB packet from the CA servers over the IP network:

The CMTS looks at the destination address (either the multicast group address or the well-known unicast address that the network controller and the CMTS agree on).

If the destination IP address matches the multicast group or the unicast address that will be translated via NAT, then MAC addresses for the packet are overwritten.

The CMTS then forwards the new packet on the downstream ports that are mapped to those well-known MAC addresses, using either a unicast or multicast broadcast, as appropriate.

The STBs on those downstreams receive the packet and examine the IP address. If the STB belongs to a multicast group that matches this multicast IP address, the STB examines the packet's MAC address.

If the MAC address is a well-known MAC address for the appropriate CA/POD vendor, the STB reads the packet and operates on the OOB messages that it contains.

Feature List

Cisco IOS Release 12.3(9a)BC introduces support for DOCSIS Set-Top Gateway (DSG) Issue 1.0 on the following Cisco CMTS platforms:

•

Performance enhancements through the Cisco uBR10012 PRE2 route processing engine

In Cisco IOS Release 12.2(15)BC2, the DOCSIS Set-Top Gateway feature provides the following features:

•

Provides transparent transport of OOB messages to DOCSIS STBs over a maximum of eight DSG tunnels per vendor, using the existing DOCSIS 1.0/1.1 cable network.

•

Supports well-known MAC addresses for CA/POD vendor. These can include any or all of the following existing services:

•

Optionally supports mapping to Internet Group Management Protocol (IGMP) multicast tunnels (using RFC 1112 IP to MAC address translation), in addition to mapping to DSG multicast tunnels.

•

One DSG tunnel can receive OOB messages from multiple IP addresses, over any type of IP network connection.

•

Supports existing provisioning systems. STBs do not need to register with the CMTS using a DOCSIS ranging and registration sequence, nor do STBs need to obtain an IP address. The CMTS does not need to know the STB's native Ethernet MAC address.

•

Supports the transmission of OOB messages to multiple STBs using IP multicast.

•

DSG tunnels are transparent to the application data. You do not need to change existing applications or data streams to use the DOCSIS Set-Top Gateway feature.

•

Supports using IP and IGMP access lists to provide a way of determining which IP packets are forwarded to the DSG tunnels and which are dropped. IP access lists can provide packet filtering and rate-limiting, while IGMP access lists can provide filtering on IP multicast groups.

Benefits

The DOCSIS Set-Top Gateway feature provides the following benefits to cable MSOs, service providers, and their partners and customers.

The DOCSIS Set-Top Gateway feature is a CableLabs ( http://www.cablelabs.com) specification allows cable MSOs and service providers to create and deploy new interactive services over existing cable networks. Providers can introduce new services, without impacting their existing customers.

The DOCSIS Set-Top Gateway feature interoperates with existing DOCSIS-capable networks that can support new interactive services, such as VoD and online gaming, that are expected to become available on cable networks in the future. DOCSIS cable operators can deploy innovative interactive services using the best of the available advanced STB products and middleware and applications software, while still preserving their investment in existing headend systems.

The DOCSIS Set-Top Gateway feature allows cable operators to offer Internet access, e-mail, chat services, and other high-bandwidth services, in addition to the existing STB services (such as EPG and CA). Providers can deliver high-speed data services to their cable TV subscribers using the DOCSIS network.

The DOCSIS Set-Top Gateway feature allows cable operators to offer services from many CA/POD vendors, as opposed to existing networks that typically limit the operator to only one vendor per network. This allows greater flexibility in combining or sharing operations between operators or providers.

The DOCSIS Set-Top Gateway feature uses existing DOCSIS 1.0, DOCSIS 1.1, and DOCSIS 2.0 networks. MSOs and other service providers can continue to create open-standard, vendor-independent DOCSIS networks, without having to maintain legacy STB systems that could disrupt DOCSIS operations.

MSOs and other service providers can use one simplified return channel architecture to support both STBs and DOCSIS cable modems, instead of using two separate return channels. This lowers the complexity of managing CPE devices and requires less investment in headend equipment, which in turn lowers the overall operations and support costs.

Depending on the CMTS platform, the higher bandwidth available in DOCSIS networks allows MSOs and other service providers to support a higher maximum number of STBs per headend system.

How to Configure the DOCSIS Set-Top Gateway Feature

See the following sections for how to enable, configure, disable, and monitor the DOCSIS Set-Top Gateway feature:

Note

All procedures begin and end at the privileged EXEC prompt (Router#).

Enabling and Configuring the DOCSIS Set-Top Gateway Feature

This section describes how to enable and configure the DOCSIS Set-Top Gateway on one or more cable interfaces.

SUMMARY STEPS

DETAILED STEPS


	Command or Action	Purpose
Step 1	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 2	interface cable interface Example: Router(config)# interface cable 3/0 Router(config-if)#	Enters interface configuration mode for the specified cable interface. Note You can also specify a cable subinterface. If using subinterfaces, though, you should configure DSG operations only on the subinterfaces (and preferably only one subinterface), and not on the main interface.
Step 3	cable dsg tunnel-MAC-address group-ip-address CA-vendor-name Example: Router(config-if)# cable dsg 0010.0025.0025 224.3.3.105 AAA Router(config-if)# cable dsg 0006.0006.0006 224.4.4.1 BBB Router(config-if)# cable dsg 0010.0001.0001 224.4.4.4 CCC Router(config-if)#	Configures the cable interface for DSG operations, using the following parameters to create the DSG tunnel: •tunnel-MAC-address = Well-known MAC address for the DSG tunnel. If the MAC address is 0.0.0, the DSG tunnel will create a one-way multicast tunnel, using the RFC 1112 algorithm for converting host group addresses to Ethernet MAC addresses. •group-ip-address = The multicast group IP address that is mapped to the specified tunnel for the DSG stream. You can specify only globally-scoped (224.0.1.0 through 238.255.255.255) and administratively-scoped (239.0.0.0 through 239.255.255.255) addresses. You cannot use local scope addresses (224.0.0.0 through 224.0.0.255). •CA-vendor-name = Unique name (up to 20 characters) for the Conditional Access (CA) vendor that owns the DSG tunnel. (You can support up to four vendors per router.)
	Note Repeat Step 2 and Step 3 for each cable interface and DSG tunnel to be configured.
Step 4	exit Example: Router(config-if)# exit Router(config)#	Exits interface configuration mode.
Step 5	cable dsg keepalive Example: Router(config)# cable dsg keepalive Router(config)#	(Optional) Enables keepalive messages over DSG tunnels on all cable interfaces. The default is no cable dsg keepalive, which disables the keepalive messages. Note Do not enable keepalive messages on the DSG tunnels unless you have found that your applications and set-top boxes require these messages.
Step 6	exit Example: Router(config)# exit Router#	Exits global configuration mode and returns to privileged EXEC mode.

Configuring IP Multicast Operations

This section describes how to configure the operation of IP multicast transmissions on the cable and WAN interfaces on the Cisco CMTS. You should perform this configuration on each cable interface being used for DSG traffic and for each WAN interface that is connected to a network controller or Conditional Access (CA) server that is forwarding IP multicast traffic.

SUMMARY STEPS

DETAILED STEPS


	Command or Action	Purpose
Step 1	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 2	ip multicast-routing Example: Router(config)# ip multicast-routing Router(config)#	Enables multicast routing on the router.
Step 3	interface interface Example: Router(config)# interface cable 3/0 Router(config-if)#	Enters interface configuration mode for each cable interface or WAN interface being used for DSG traffic.
Step 4	ip pim {dense-mode \| sparse-dense-mode \| sparse-mode} Example: Router(config-if)# ip pim dense-mode Router(config-if)#	Enables Protocol Independent Multicast (PIM) on the cable interface, which is required to use the DSG feature: •sparse-mode—Enables sparse mode of operation. •sparse-dense-mode—The interface is treated in either sparse mode or dense mode of operation, depending on which mode the multicast group operates in. •dense-mode—Enables dense mode of operation. Note You must configure this command on each interface that forwards multicast traffic.
Step 5	ip multicast rate-limit out group-list access-list rate Example: Router(config-if)# ip multicast rate-limit out group-list 10 2048 Router(config-if)#	(Optional) Enables multicast rate-limiting on the cable interface, using the following parameters: •group-list access-list = Access list number or name that controls which multicast groups are subject to the rate limit. •rate = Maximum transmission rate (in kbps). Any packets sent at greater than this value are silently discarded. The valid range is 0 to 4294967 kbps, but for DSG operations the maximum valid rate is 2048 kbps. The default is 0, which means no traffic is permitted.
Step 6	ip mroute-cache Example: Router(config-if)# ip mroute-cache Router(config-if)#	(Optional) Enables IP multicast fast switching, also known as multicast distributed switching (MDS), on the interface.
	Note Repeat Step 3 through Step 6 for each cable interface that is being used for DSG traffic. Also repeat these steps on each WAN interface that is forwarding IP multicast traffic from the DSG network controllers and Conditional Access (CA) servers.
Step 7	exit Example: Router(config-if)# exit Router#	Exits interface configuration mode and returns to privileged EXEC mode.

Configuring NAT to Support Unicast Messaging (optional)

This section describes how to configure a Cisco CMTS router for Network Address Translation (NAT) so as to enable the use of IP unicast addresses for DSG messaging. This allows the Cisco CMTS router to translate incoming IP unicast addresses into the appropriate IP multicast address for the DSG traffic.

Tip

This procedure should be performed after the cable interface has already been configured for DSG operations, as described in the "DSG Configuration Example" section.

Note

The Cisco CMTS router supports NAT only when it is running an "IP Plus" (-i-) Cisco IOS software image. Refer to the release notes for your Cisco IOS release for complete image availability and requirements.

SUMMARY STEPS

DETAILED STEPS


	Command or Action	Purpose
Step 1	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 2	interface wan-interface Example: Router(config)# interface FastEthernet0/0 Router(config-if)#	Enters interface configuration mode for the specified WAN interface.
Step 3	ip nat outside Example: Router(config-if)# ip nat outside Router(config-if)#	Configures the WAN interface as the "outside" (public) NAT interface.
Step 4	interface cable interface Example: Router(config-if)# interface cable 3/0 Router(config-if)#	Enters interface configuration mode for the specified cable interface. Note This cable interface should have previously been configured for DSG operations, as described in Enabling and Configuring the DOCSIS Set-Top Gateway Feature.
Step 5	ip address ip-address mask secondary Example: Router(config-if)# ip address 192.168.18.1 255.255.255.0 secondary Router(config-if)#	Configures the cable interface with an IP address and subnet that should match the unicast address being used for DSG traffic. This IP address and its subnet must not be used by any other cable interfaces, cable modems, or any other types of traffic in the cable network.
Step 6	ip nat inside Example: Router(config-if)# ip nat inside Router(config-if)#	Configures the cable interface as the "inside" NAT (private) interface.
Step 7	exit Example: Router(config-if)# exit Router(config)#	Exits interface configuration mode and returns to global configuration mode.
Step 8	ip nat inside source static ip-multicast-address cable-ip-address Example: Router(config)# ip nat inside source static 224.3.2.1 192.168.18.2 Router(config)#	Maps the unicast IP address assigned to the cable interface to the multicast address that should be used for the DSG traffic. •ip-multicast-address = This address should match the multicast address that was used when enabling DSG on the cable interface in Enabling and Configuring the DOCSIS Set-Top Gateway Feature. •cable-ip-address = This address should match the IP address of the incoming unicast packet.
	Note Repeat Step 2 and Step 8 for each cable interface to be configured for DSG unicast traffic.
Step 9	exit Example: Router(config)# exit Router#	Exits global configuration mode and returns to privileged EXEC mode.

Disabling the DOCSIS Set-Top Gateway Feature

This section describes how to disable the DOCSIS Set-Top Gateway feature on one or more cable interfaces.

SUMMARY STEPS

DETAILED STEPS


	Command or Action	Purpose
Step 1	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 2	interface cable interface Example: Router(config)# interface cable 3/0 Router(config-if)#	Enters interface configuration mode for the specified cable interface.
Step 3	no cable dsg tunnel-MAC-address group-ip-address CA-vendor-name Example: Router(config-if)# no cable dsg Router(config-if)#	Disables the DSG tunnel and removes its configuration from the cable interface. Note This command also automatically removes the IGMP static multicast group that is associated with this DSG tunnel. You do not need to manually remove the group using the no ip igmp static-group command.
	Note Repeat Step 2 and Step 3 for each cable interface to be configured.
Step 4	exit Example: Router(config)# exit Router#	Exits global configuration mode and returns to privileged EXEC mode.

Configuring a Standard IP Access List for Packet Filtering (Optional)

This section describes how to configure a standard IP access list so that only authorized traffic is allowed on the cable interface.

Tip

This procedure assumes a basic knowledge of how access lists use an IP address and bitmask to determine the range of IP addresses that are allowed access. For full details on configuring access lists, see the documents listed in the "Additional References" section.

SUMMARY STEPS

DETAILED STEPS


	Command or Action	Purpose
Step 1	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 2	access-list access-list permit group-ip-address [mask] Example: Router(config)# access-list 90 permit 228.1.1.1 Router(config)#	Creates an access list specifying that permits access to the specific multicast address that matches the specified group-ip-address and mask. •access-list = Number or name of a standard IP access list. The number can range from 1 to 99 with no default. •group-ip-address = IP address to be used as a base for this access list. It should be based on the group IP address used for the interface's DSG tunnels. •mask = (Optional) Bitmask that determines which addresses in the group-ip-address will be allowed access. The default is 255.255.255.255.
Step 3	access-list access-list deny group-ip-address [mask] Example: Router(config)# access-list 90 deny 224.0.0.0 15.255.255.255 Router(config)#	Configures the access list that denies access to any multicast address that matches the specified group-ip-address and mask. •access-list = Number or name of a standard IP access list. The number can range from 1 to 99 with no default. •group-ip-address = IP address to be used as a base for this access list. It should be based on the group IP address used for the interface's DSG tunnels. •mask = (Optional) Bitmask that determines which addresses in the group-ip-address will be allowed access. The default is 255.255.255.255.
Step 4	access-list access-list deny any Example: Router(config)# access-list 90 deny any Router(config)#	Configures the access list so that it denies access to any IP addresses other than the ones previously configured.
Step 5	interface cable interface Example: Router(config)# interface cable 3/0 Router(config-if)#	Enters interface configuration mode for the specified cable interface.
Step 6	ip access-group access-list Example: Router(config-if)# ip access-group 90 Router(config-if)#	(Optional, but recommended) Configures the interface with the access list, so that packets are filtered by the list before being accepted on the interface. •access-list = Number or name of a standard IP access list. The number can range from 1 to 99 and should be the same list created in Step 3.
Step 7	exit Example: Router(config-if)# exit Router#	Exits interface configuration mode and returns to Privileged EXEC mode.

Configuring a Standard IP Access List for Multicast Group Filtering (Optional)

This section describes how to configure a standard IP access list so that non-DOCSIS devices, such as DSG set-top boxes, can access only the authorized multicast group addresses and DSG tunnels.

Tip

SUMMARY STEPS

DETAILED STEPS


	Command or Action	Purpose
Step 1	configure terminal Example: Router# configure terminal Router(config)#	Enters global configuration mode.
Step 2	access-list access-list permit group-ip-address [mask] Example: Router(config)# access-list 90 permit 228.1.1.1 Router(config)#	Creates an access list specifying that permits access to the specific multicast address that matches the specified group-ip-address and mask. •access-list = Number or name of a standard IP access list. The number can range from 1 to 99 with no default. •group-ip-address = IP address to be used as a base for this access list. It should be based on the group IP address used for the interface's DSG tunnels. •mask = (Optional) Bitmask that determines which addresses in the group-ip-address will be allowed access. The default is 255.255.255.255.
Step 3	access-list access-list deny group-ip-address [mask] Example: Router(config)# access-list 90 deny 224.0.0.0 15.255.255.255 Router(config)#	Configures the access list that denies access to any multicast address that matches the specified group-ip-address and mask. •access-list = Number or name of a standard IP access list. The number can range from 1 to 99 with no default. •group-ip-address = IP address to be used as a base for this access list. It should be based on the group IP address used for the interface's DSG tunnels. •mask = (Optional) Bitmask that determines which addresses in the group-ip-address will be allowed access. The default is 255.255.255.255.
Step 4	access-list access-list deny any Example: Router(config)# access-list 90 deny any Router(config)#	Configures the access list so that it denies access to any IP addresses other than the ones previously configured.
Step 5	interface cable interface Example: Router(config)# interface cable 3/0 Router(config-if)#	Enters interface configuration mode for the specified cable interface.
Step 6	ip igmp access-group access-list [version] Example: Router(config-if)# ip igmp access-group 90 Router(config-if)#	(Optional, but recommended) Configures the interface to accept traffic only from the associated access list, so that only authorized devices are allowed to access the DSG tunnels. •access-list = Number or name of a standard IP access list. The number can range from 1 to 99 and should be the same list created in Step 3. •version = (Optional) Specifies the IGMP version. The default is 2.
Step 7	exit Example: Router(config-if)# exit Router#	Exits interface configuration mode and returns to privileged EXEC mode.

Monitoring the DOCSIS Set-Top Gateway Feature

This section describes the following procedures you can use to monitor and display information about the DOCSIS Set-Top Gateway feature:

Displaying a DOCSIS Set-Top Gateway Tunnel Configuration

To display the mapping table for a specific DSG tunnel, use the show cable dsg command in privileged EXEC mode. You can display information about DSG statistics and about DSG tunnels. The following examples are typical displays of each command:

The following example displays the mapping table for all DSG tunnel MAC addresses in Cisco IOS Release 12.3(9a)BC:

The following example displays the mapping table for the specified DSG tunnel MAC address:

Table Of Contents

DOCSIS Set-Top Gateway for the Cisco CMTS

Contents

Prerequisites for DOCSIS Set-Top Gateway

General Prerequisites

IP Multicast Prerequisites

Restrictions for DOCSIS Set-Top Gateway

Restrictions for DSG Issue 0.9

General Restrictions for DSG Issue 1.0

Unicast Restrictions for DSG Issues 0.9 and 1.0

Multicast Restrictions for DSG Issues 0.9 and 1.0

Information About DOCSIS Set-Top Gateway

Feature Overview

Out-of-Band Messaging

Basic Structure of a DSG Network

Using Point of Deployment Modules and DSG Tunnels

DSG Addressing

DSG Operation

Feature List

Benefits

How to Configure the DOCSIS Set-Top Gateway Feature

Enabling and Configuring the DOCSIS Set-Top Gateway Feature

SUMMARY STEPS

DETAILED STEPS

Configuring IP Multicast Operations

SUMMARY STEPS

DETAILED STEPS

Configuring NAT to Support Unicast Messaging (optional)

SUMMARY STEPS

DETAILED STEPS

Disabling the DOCSIS Set-Top Gateway Feature

SUMMARY STEPS

DETAILED STEPS

Configuring a Standard IP Access List for Packet Filtering (Optional)

SUMMARY STEPS

DETAILED STEPS

Configuring a Standard IP Access List for Multicast Group Filtering (Optional)

SUMMARY STEPS

DETAILED STEPS

Monitoring the DOCSIS Set-Top Gateway Feature

Displaying a DOCSIS Set-Top Gateway Tunnel Configuration