Cable DHCP Leasequery

This document describes the Dynamic Host Configuration Protocol (DHCP) Leasequery feature on the Cisco cable modem termination system (CMTS) router.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​tools.cisco.com/​ITDIT/​CFN/​. An account on http:/​/​www.cisco.com/​ is not required.

Contents

Hardware Compatibility Matrix for Cisco cBR Series Routers


Note

The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.

Table 1 Hardware Compatibility Matrix for the Cisco cBR Series Routers

Cisco CMTS Platform

Processor Engine

Interface Cards

Cisco cBR-8 Converged Broadband Router

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 Supervisor:

  • PID—CBR-CCAP-SUP-160G

  • PID—CBR-CCAP-SUP-60G

  • PID—CBR-SUP-8X10G-PIC

Cisco IOS-XE Release 16.5.1 and Later Releases

Cisco cBR-8 CCAP Line Cards:

  • PID—CBR-LC-8D30-16U30

  • PID—CBR-LC-8D31-16U30

  • PID—CBR-RF-PIC

  • PID—CBR-RF-PROT-PIC

  • PID—CBR-CCAP-LC-40G-R

Cisco cBR-8 Downstream PHY Modules:

  • PID—CBR-D30-DS-MOD

  • PID—CBR-D31-DS-MOD

Cisco cBR-8 Upstream PHY Modules:

  • PID—CBR-D30-US-MOD

Prerequisites for Cable DHCP Leasequery

  • You must configure a cable interface with the cable source-verify dhcp command and the no cable arp command before the Cisco CMTS router can enable DHCP Leasequery. Lease queries are sent to the DHCP server or to a configured alternate server.

To divert DHCP Leasequeries to a specific server, you must use the cable source-verify dhcp server ipaddress command and the no cable arp command before the Cisco CMTS router is enabled for DHCP Leasequery. Only one alternate server may be configured.

  • You must configure the ipv6 route command when IPv6 Customer Premise Equipment (CPE) routers are deployed on the Cisco CMTS router.

Restrictions for Cable DHCP Leasequery

  • Leasequeries are sent to the DHCP server unless an alternate server is configured.
  • Only one alternate server can be configured.
  • Users are responsible for the synchronization of the DHCP server and the configured alternate server.
  • If the configured alternate server fails, leasequery requests are not returned to the DHCP server.
  • Only one IA_IADDR is supported per client. If the leasequery returns multiple results, only the IA_ADDR matching the query is added to the Cisco CMTS subscriber database.
  • The Cisco CMTS will not verify the source of the IPv6 link-local address of a CPE.

Information About Cable DHCP Leasequery

Problems can occur when viruses, denial of service (DoS) attacks, and theft-of-service attacks begin scanning a range of IP addresses, in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type of scanning generates a large volume of DHCP leasequeries, which can result in the following problems:

  • High CPU utilization on the Cisco CMTS router PRE card.

  • High utilization on the DHCP servers, resulting in a slow response time or no response at all.

  • Packets can be dropped by the Cisco CMTS router or DHCP server (or configured alternate server).

  • Lack of available bandwidth for other customers on the cable interface.

To prevent such a large volume of leasequery requests on cable interfaces, you can enable filtering of these requests on upstream interfaces, downstream interfaces, or both. When the Cable DHCP Leasequery feature is enabled, the Cisco CMTS allows only a certain number of DHCP leasequery requests for each service ID (SID) on an interface within the configured interval time period. If an SID generates more Leasequeries than the maximum, the router drops the excess number of requests until the next interval period begins.

You can configure both the number of allowable DHCP leasequery requests and the interval time period, so as to match the capabilities of your DHCP server (or configured alternate server) and cable network.

To configure the Cisco CMTS router to send DHCP leasequery requests to the DHCP server, use the cable source-verify dhcp and no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable modems on the cable interface are verified. The DHCP server returns a DHCP ACK message with the DHCP relay information and lease information of the CPE device that has been assigned this IP address, if any.

When cable source-verify dhcp and no cable arp commands are configured, DHCP leasequery is sent for downstream packets to verify unknown IP addresses within the IP address range configured on the cable bundle interface.

For DHCP leasequery to work in the downstream direction, the Cisco Network Registrar (CNR) should be made aware of the DHCP Option 82. This is required to make the CMTS map the CPE IP address to the correct CM. To do this, configure the ip dhcp relay information option command on the bundle interface to insert service class relay agent option into the DHCP DISCOVER messages. When the configuration is in place, during DHCP DISCOVER the values of DHCP Option 82 is cached by the CNR and is returned to the CMTS on any subsequent DHCP leasequery for that IP address.

To configure the Cisco CMTS router to divert DHCP leasequery requests to a server other than the DHCP server, use the cable source-verify dhcp server ipaddress and no cable arp commands.

The Cisco CMTS supports two types of DHCP leasequery implementation, Cisco standard compliant DHCP leasequery and RFC 4388 standard compliant DHCP leasequery. These two standards differ mostly in the identifiers used to query or respond to the DHCP Server. You can choose between these two implementations depending on which standard is supported on your DHCP Server.

Use the ip dhcp compatibility lease-query client {cisco | standard} command to configure the Cisco CMTS in either Cisco mode or RFC 4388 standard mode.

DHCP MAC Address Exclusion List

This feature enables the ability to exclude trusted MAC addresses from the standard DHCP source verification checks for the Cisco CMTS. The DHCP MAC Address Exclusion List feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on the Performance Routing Engine 1 (PRE1), PRE2, and PRE4 modules on the Cisco cBR router chassis.

To enable packets from trusted source MAC addresses in DHCP to pass without source verification checks, use the cable trust command in global configuration mode. To remove a trusted MAC address from the MAC exclusion list, use the no form of this command. Removing a MAC address from the exclusion list subjects all packets from that source to standard DHCP source verification.

For more information on the cable trust command, see the Cisco IOS CMTS Cable Command Reference Guide .

Unitary DHCPv6 Leasequery

This feature supports unitary DHCPv6 leasequery protocol (RFC 5007) on the Cisco CMTS routers for upstream IPv6 source verification. This protocol verifies the authenticity of the IPv6 CPE behind a home or small office cable deployment.

If the IPv6 source verification fails on the router and the cable ipv6 source-verify dhcp and no cable nd commands are configured on the bundle interface or subinterface, the Cisco CMTS triggers a unitary DHCPv6 leasequery to the Cisco Network Registrar (CNR). If a valid leasequery response is received from the CNR, the Cisco CMTS adds the CPE to its subscriber database and allows future traffic for the CPE.

The primary use of the unitary DHCPv6 leasequery protocol on the Cisco CMTS router is to recover lost CPE data including the Prefix Delegation (PD) route. The IPv6 CPE data can be lost from the Cisco CMTS in several ways. For example, PD route loss can occur during a Cisco CMTS reload.

The unitary DHCPv6 leasequery protocol also supports the following:

  • DHCPv6 leasequery protocol.
  • Rogue client database for failed source-verify clients.
  • DHCPv6 leasequery filters.
  • DHCPv6 leasequeries to a specific DHCPv6 server.

How to Configure Filtering of Cable DHCP Leasequery Requests

Use the following procedures to configure the filtering of DHCP Leasequery requests on the Cisco CMTS downstreams and upstreams:

Enabling DHCP Leasequery Filtering on Downstreams

Use the following procedure to start filtering DHCP leasequeries on all downstreams of a cable interface.

Procedure
     Command or ActionPurpose
    Step 1enable


    Example: 
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2configure terminal


    Example: 
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3cable source-verify leasequery-filter downstream threshold interval


    Example: 
    Router(config)# cable source-verify leasequery-filter downstream 5 10
     

    Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values.

     
    Step 4end


    Example: 
    Router(config)# end
     

    Exits configuration mode and returns to privileged EXEC mode.

     

    Enabling DHCP Leasequery Filtering on Upstreams

    Use the following procedure to start filtering DHCP Leasequeries on all upstreams on a bundle interface.

    Procedure
       Command or ActionPurpose
      Step 1enable


      Example: 
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2configure terminal


      Example: 
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3interface bundle bundle-no


      Example: 
      Router(config)# interface bundle 1
       

      Enters interface configuration mode for the specified bundle interface.

       
      Step 4cable source-verify leasequery-filter upstream threshold interval


      Example: 
      Router(config-if)# cable source-verify leasequery-filter upstream 2 5
       

      Enables leasequery filtering on all upstreams on the specified bundle interface, using the specified threshold and interval values.

      Note    The cable source-verify leasequery-filter upstream command can only be configured under bundle interface.
      Note    Repeat step 3 and step 4 to enable the filtering of DHCP Leasequeries on the upstreams for other bundle interfaces. Master and slave interfaces in a cable bundle must be configured separately.
       
      Step 5end


      Example: 
      Router(config-if)# end
       

      Exits interface configuration mode and returns to privileged EXEC mode.

       

      Configuring Unitary DHCPv6 Leasequery Filtering

      Use the following procedure to configure the Cisco CMTS router to send Leasequeries to a DHCP server to verify the authenticity of the IPv6 CPE. You can also enable filtering of these requests to prevent large volumes of Leasequery requests on the bundle interfaces. Similarly, the number of allowable Leasequery requests and the interval time period can also be configured.


      Note
      When the leasequery timer expires, only the IPv4 static CPE is automatically removed from the host database.
      Before You Begin
      • Disable the IPv6 Neighbor Discovery (ND) Gleaning feature using the no form of the cable nd command in bundle interface configuration mode before configuring the unitary DHCPv6 leasequery protocol. For details on IPv6 ND gleaning, see IPv6 on Cable feature guide.
      • Configure the cable ipv6 source-verify dhcp command under the Cisco CMTS bundle or bundle subinterface to enable the unitary DHCPv6 leasequery protocol.
      • Use the cable ipv6 source-verify dhcp [server ipv6-address] command for a single DHCP server.
      • Use the cable ipv6 source-verify dhcp command without any keywords for multiple DHCP servers.
      Procedure
         Command or ActionPurpose
        Step 1enable


        Example: 
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2configure terminal


        Example: 
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3interface bundle bundle-no


        Example: 
        Router(config)# interface bundle 1
         

        Enters interface configuration mode for the specified bundle interface.

         
        Step 4cable ipv6 source-verify orcable ipv6 source-verify dhcp [server ipv6-address]

        Example: 
        Router(config-if)# cable ipv6 source-verify
or
Router(config-if)# cable ipv6 source-verify dhcp server 2001:DB8:1::1
         

        Enables leasequery filtering on the specified bundle interface and verifies the IP address with multiple DHCPv6 servers. or Enables leasequery filtering on the specified bundle interface and verifies the IP address with a specified DHCPv6 server.

         
        Step 5cable ipv6 source-verify leasetimer value


        Example: 
        Router(config-if)# cable ipv6 source-verify leasetimer 200
         

        Enables leasequery timer on the specified bundle interface, for the Cisco CMTS to check its internal CPE database for IPv6 addresses whose lease time has expired.

         
        Step 6cable ipv6 source-verify leasequery-filter threshold interval


        Example: 
        Router(config-if)# cable ipv6 source-verify leasetimer 5 10
         

        Enables filtering of the IPv6 leasequery requests.

         
        Step 7end


        Example: 
        Router(config-if)# end
         

        Exits interface configuration mode and returns to privileged EXEC mode.

         

        Enabling DHCPv6 Leasequery Filtering on Downstreams

        Use the following procedure to start filtering DHCP Leasequeries on all downstreams of a cable interface.

        Procedure
           Command or ActionPurpose
          Step 1enable


          Example: 
          Router> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2configure terminal


          Example: 
          Router# configure terminal
           

          Enters global configuration mode.

           
          Step 3cable ipv6 source-verify leasequery-filter downstream threshold interval


          Example: 
          Router(config-if)# cable ipv6 source-verify leasetimer 5 10
           

          Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values:

           
          Step 4end


          Example: 
          Router(config-if)# end
           

          Exits interface configuration mode and returns to privileged EXEC mode.

           

          Configuration Examples for Filtering of DHCP Leasequery

          This section provides the following examples on how to configure the DHCP leasequery filtering feature:

          Example: DHCP Leasequery Filtering

          The following example shows an excerpt from a typical configuration of a bundle interface that is configured for filtering DHCP leasequery requests on both its upstream and downstream interfaces:


          Note
          If an alternate server has been configured to receive leasequery requests, the cable source-verify dhcp server ipaddress command would display in place of the cable source-verify dhcp command below. 
          
.
.
.
cable source-verify leasequery-filter downstream 5 20 
.
.
.
interface bundle 1
.
.
.
 cable source-verify dhcp 
 cable source-verify leasequery-filter upstream 1 5 
 no cable arp 
.
.

          Example: Unitary DHCPv6 Leasequery Filtering

          The following example shows how to display the total number of DHCPv6 leasequery requests that have been filtered on the router in Cisco IOS Release 12.2(33)SCF1: 

          Router# show cable leasequery-filter 
IPv4 Lease Query Filter statistics for Unknown Sid
  Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Unknown Sid
  Requests Sent : 0 total. 0 unfiltered, 0 filtered

          Additional References

          Technical Assistance

          Description Link

          The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

          To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

          Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​support

          Feature Information for Cable DHCP Leasequery

          Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.


          Note

          The table below lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Table 2 Feature Information for Cable DHCP Leasequery

          Feature Name

          Releases

          Feature Information

          Cable DHCP leasequery

          Cisco IOS-XE Release 16.5.1

          This feature was integrated into Cisco IOS-XE Release 16.5.1 on the Cisco cBR Series Converged Broadband Routers.