This document discusses the reason why console or Telnet access to a cable modem that has achieved online status is disabled.
Readers of this document should have a basic understanding of the Data-over-Cable Service Interface Specifications (DOCSIS) protocol.
This document is not restricted to specific software and hardware versions.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
When the cable interface on the cable modem is not initialized, console and Telnet access to the cable modem function as they do on any other Cisco router. However, once the modem achieves online status and the cable interface is initialized, console access is disabled automatically after a new configuration is downloaded into the cable modem through the DOCSIS configuration file. This newly downloaded configuration contains a new enable password and new Telnet passwords that are not visible to the end user. These changes are all controlled by the service provider, so no configuration can be done on the cable modem side to override them. Any previously stored configurations are superseded by the newly downloaded configuration file. This prevents tampering with the cable modem configuration once the cable modem is online. The majority of cable providers in the United States requested this security measure.
Moreover, users with active enable sessions are forced out of enable mode before the download occurs, and the console is locked, which prevents users from getting back into enable mode or changing the password. This approach also addresses the concern that security is compromised when users are able to display the running configuration. For example, Simple Network Management Protocol (SNMP) community passwords are not compromised.
Copying a Cisco IOS® Software configuration file to the running configuration each time the interface initializes removes the need to write the configuration to nonvolatile RAM (NVRAM). If Telnet access through the Ethernet interface is restricted by setting filters through the cable device MIB, the running configuration file is never visible to the user.
Note: For detailed information on how to download a Cisco IOS Software configuration file, refer to the Cisco Vendor Specific Fields section in Building DOCSIS 1.0 Configuration Files Using Cisco DOCSIS Configurator (registered customers only). To verify that the configuration is working, make a Telnet connection to the cable modem from the head end router using the passwords that were created in the configuration file. The following should appear in the show version command output on the cable modem:
Host configuration file is "ios.cnf", booted via tftp from ......
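
The verification step above can be run over show version output captured from many modems. The following Python check is an added example, not code from Cisco or from the original document; the function names, the sample captures and the 192.0.2.10 / 198.51.100.7 addresses are constructed, and it assumes the text elided after "from" is the address of the provisioning TFTP server.

```python
import re

# Line format taken from the page. What follows "from" is elided there, so it
# is captured as an opaque token (assumption: the TFTP server address).
HOST_CFG = re.compile(
    r'^Host configuration file is "(?P<name>[^"]+)", booted via (?P<method>\S+)'
    r'(?: from (?P<source>\S+))?\s*$',
    re.MULTILINE,
)

def check_show_version(output, expected_file="ios.cnf", allowed_sources=None):
    """Return (ok, reason) for one modem's captured `show version` output."""
    m = HOST_CFG.search(output)
    if m is None:
        return False, "no host configuration file line: provider config not loaded"
    if m["name"] != expected_file:
        return False, f"unexpected configuration file {m['name']!r}"
    if m["method"].lower() != "tftp":
        return False, f"configuration loaded via {m['method']!r}, not tftp"
    # Optional allow-list of the provider's own provisioning servers.
    if allowed_sources is not None and m["source"] not in allowed_sources:
        return False, f"configuration served from unapproved source {m['source']!r}"
    return True, "provider configuration applied"

def audit(captures, **kwargs):
    """Map modem name -> (ok, reason) for a dict of captured outputs."""
    return {name: check_show_version(text, **kwargs) for name, text in captures.items()}

# Constructed sample captures (not real device output); addresses are
# documentation-range placeholders.
SAMPLES = {
    "cm-ok": 'uptime is 2 hours\nHost configuration file is "ios.cnf", '
             'booted via tftp from 192.0.2.10\n',
    "cm-no-config": "uptime is 5 minutes\n",
    "cm-wrong-file": 'Host configuration file is "test.cnf", '
                     'booted via tftp from 192.0.2.10\n',
    "cm-other-server": 'Host configuration file is "ios.cnf", '
                       'booted via tftp from 198.51.100.7\n',
}

if __name__ == "__main__":
    results = audit(SAMPLES, allowed_sources={"192.0.2.10"})
    for modem, (ok, reason) in results.items():
        print(f"{modem}: {'PASS' if ok else 'FAIL'} - {reason}")
```

A modem that reports no host configuration file line after coming online is the case to investigate first, since it indicates the provider-controlled configuration and its passwords were never applied.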