This document describes the Dynamic Host Configuration Protocol (DHCP) Leasequery feature on the Cisco cable modem termination system (CMTS) router.
Your software release may not support all the features that are documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this document provides information about the documented features and lists the releases in which each feature is supported.
 Note |
The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified. |
To divert DHCP Leasequeries to a specific server, you must use the cable source-verify dhcp server ipaddress command and the no cable arp command before the Cisco CMTS router is enabled for DHCP Leasequery. Only one alternate server may be configured.
Problems can occur when viruses, denial of service (DoS) attacks, and theft-of-service attacks begin scanning a range of IP addresses, in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type of scanning generates a large volume of DHCP leasequeries, which can result in the following problems:
High CPU utilization on the Cisco CMTS router PRE card.
High utilization on the DHCP servers, resulting in a slow response time or no response at all.
Packets can be dropped by the Cisco CMTS router or DHCP server (or configured alternate server).
Lack of available bandwidth for other customers on the cable interface.
To prevent such a large volume of leasequery requests on cable interfaces, you can enable filtering of these requests on upstream interfaces, downstream interfaces, or both. When the Cable DHCP Leasequery feature is enabled, the Cisco CMTS allows only a certain number of DHCP leasequery requests for each service ID (SID) on an interface within the configured interval time period. If an SID generates more Leasequeries than the maximum, the router drops the excess number of requests until the next interval period begins.
You can configure both the number of allowable DHCP leasequery requests and the interval time period, so as to match the capabilities of your DHCP server (or configured alternate server) and cable network.
To configure the Cisco CMTS router to send DHCP leasequery requests to the DHCP server, use the cable source-verify dhcp and no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable modems on the cable interface are verified. The DHCP server returns a DHCP ACK message with the DHCP relay information and lease information of the CPE device that has been assigned this IP address, if any.
When cable source-verify dhcp and no cable arp commands are configured, DHCP leasequery is sent for downstream packets to verify unknown IP addresses within the IP address range configured on the cable bundle interface.
For DHCP leasequery to work in the downstream direction, the Cisco Network Registrar (CNR) should be made aware of the DHCP Option 82. This is required to make the CMTS map the CPE IP address to the correct CM. To do this, configure the ip dhcp relay information option command on the bundle interface to insert service class relay agent option into the DHCP DISCOVER messages. When the configuration is in place, during DHCP DISCOVER the values of DHCP Option 82 is cached by the CNR and is returned to the CMTS on any subsequent DHCP leasequery for that IP address.
To configure the Cisco CMTS router to divert DHCP leasequery requests to a server other than the DHCP server, use the cable source-verify dhcp server ipaddress and no cable arp commands.
The Cisco CMTS supports two types of DHCP leasequery implementation, Cisco standard compliant DHCP leasequery and RFC 4388 standard compliant DHCP leasequery. These two standards differ mostly in the identifiers used to query or respond to the DHCP Server. You can choose between these two implementations depending on which standard is supported on your DHCP Server.
Use the ip dhcp compatibility lease-query client {cisco | standard } command to configure the Cisco CMTS in either Cisco mode or RFC 4388 standard mode.
For more information about this command, see the “DHCP Commands” chapters in the Cisco IOS IP Addressing Services Command Reference , Release 12.2 at the following URL: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html.
The Cisco IOS Release 12.3(13)BC introduces the ability to exclude trusted MAC addresses from the standard DHCP source verification checks, as supported in earlier Cisco IOS releases for the Cisco CMTS. This feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on the Performance Routing Engine 1 (PRE1), PRE2, and PRE4 modules on the Cisco uBR10012 router chassis.
This feature enables the ability to exclude trusted MAC addresses from the standard DHCP source verification checks for the Cisco CMTS. The DHCP MAC Address Exclusion List feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on the Performance Routing Engine 1 (PRE1), PRE2, and PRE4 modules on the Cisco cBR router chassis.
To enable packets from trusted source MAC addresses in DHCP to pass without source verification checks, use the cable trust command in global configuration mode. To remove a trusted MAC address from the MAC exclusion list, use the no form of this command. Removing a MAC address from the exclusion list subjects all packets from that source to standard DHCP source verification.
For more information on the cable trust command, see the Cisco IOS CMTS Cable Command Reference Guide .
The Cisco IOS Release 12.2(33)SCF1 introduces support for unitary DHCPv6 leasequery protocol (RFC 5007) on the Cisco CMTS routers for upstream IPv6 source verification. This protocol verifies the authenticity of the IPv6 CPE behind a home or small office cable deployment.
This feature supports unitary DHCPv6 leasequery protocol (RFC 5007) on the Cisco CMTS routers for upstream IPv6 source verification. This protocol verifies the authenticity of the IPv6 CPE behind a home or small office cable deployment.
If the IPv6 source verification fails on the router and the cable ipv6 source-verify dhcp and no cable nd commands are configured on the bundle interface or subinterface, the Cisco CMTS triggers a unitary DHCPv6 leasequery to the Cisco Network Registrar (CNR). If a valid leasequery response is received from the CNR, the Cisco CMTS adds the CPE to its subscriber database and allows future traffic for the CPE.
The primary use of the unitary DHCPv6 leasequery protocol on the Cisco CMTS router is to recover lost CPE data including the Prefix Delegation (PD) route. The IPv6 CPE data can be lost from the Cisco CMTS in several ways. For example, PD route loss can occur during a Cisco CMTS reload.
The unitary DHCPv6 leasequery protocol also supports the following:
Use the following procedures to configure the filtering of DHCP Leasequery requests on the Cisco CMTS downstreams and upstreams:
Use the following procedure to start filtering DHCP leasequeries on all downstreams of a cable interface.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
cable source-verify leasequery-filter downstream threshold interval Example: |
Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values. |
| Step 4 |
end Example: |
Exits configuration mode and returns to privileged EXEC mode. |
Use the following procedure to start filtering DHCP Leasequeries on all upstreams on a bundle interface.
| Command or Action | Purpose | |||||
|---|---|---|---|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||||
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||||
| Step 3 |
interface bundle bundle-no Example: |
Enters interface configuration mode for the specified bundle interface. |
||||
| Step 4 |
cable source-verify leasequery-filter upstream threshold interval Example: |
Enables leasequery filtering on all upstreams on the specified bundle interface, using the specified threshold and interval values.
|
||||
| Step 5 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
Use the following procedure to configure the Cisco CMTS router to send Leasequeries to a DHCP server to verify the authenticity of the IPv6 CPE. You can also enable filtering of these requests to prevent large volumes of Leasequery requests on the bundle interfaces. Similarly, the number of allowable Leasequery requests and the interval time period can also be configured.
Note |
When the leasequery timer expires, only the IPv4 static CPE is automatically removed from the host database. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
interface bundle bundle-no Example: |
Enters interface configuration mode for the specified bundle interface. |
| Step 4 |
cable ipv6 source-verify orcable ipv6 source-verify dhcp [server ipv6-address] Example: |
Enables leasequery filtering on the specified bundle interface and verifies the IP address with multiple DHCPv6 servers. or Enables leasequery filtering on the specified bundle interface and verifies the IP address with a specified DHCPv6 server. |
| Step 5 |
cable ipv6 source-verify leasetimer value Example: |
Enables leasequery timer on the specified bundle interface, for the Cisco CMTS to check its internal CPE database for IPv6 addresses whose lease time has expired. |
| Step 6 |
cable ipv6 source-verify leasequery-filter threshold interval Example: |
Enables filtering of the IPv6 leasequery requests. |
| Step 7 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
Use the following procedure to start filtering DHCP Leasequeries on all downstreams of a cable interface.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
| Step 2 |
configure terminal Example: |
Enters global configuration mode. |
| Step 3 |
cable ipv6 source-verify leasequery-filter downstream threshold interval Example: |
Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values: |
| Step 4 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
This section provides the following examples on how to configure the DHCP leasequery filtering feature:
The following example shows an excerpt from a typical configuration of a bundle interface that is configured for filtering DHCP leasequery requests on both its upstream and downstream interfaces:
Note |
If an alternate server has been configured to receive leasequery requests, the cable source-verify dhcp server ipaddress command would display in place of the cable source-verify dhcp command below. |
.
.
.
cable source-verify leasequery-filter downstream 5 20
.
.
.
interface bundle 1
.
.
.
cable source-verify dhcp
cable source-verify leasequery-filter upstream 1 5
no cable arp
.
.The following example shows how to display the total number of DHCPv6 leasequery requests that have been filtered on the router in Cisco IOS Release 12.2(33)SCF1:
Router# show cable leasequery-filter
IPv4 Lease Query Filter statistics for Unknown Sid
Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Unknown Sid
Requests Sent : 0 total. 0 unfiltered, 0 filtered
The following example shows how to display the total number of DHCP leasequery requests that have been filtered on a particular cable interface in Cisco IOS Release 12.2(33)SCF1:
Router# show cable leasequery-filter cable 7/0/0
IPv4 Lease Query Filter statistics for Cable7/0/0:
Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Cable7/0/0:
Requests Sent : 0 total. 0 unfiltered, 0 filtered
The following example shows how to display a list of cable modems on a cable interface and the number of DHCP leasequery messages filtered per interface in Cisco IOS Release 12.2(33)SCF1:
Router# show cable leasequery-filter cable 7/0/0 requests-filtered
Sid MAC Address IP Address Req-Filtered
1 0018.6835.2756 0.0.0.0 0
2 0025.2e2d.7440 0.0.0.0 0
Sid MAC Address IP Address Req-Filtered
1 0018.6835.2756 2001:DB8:1::1 0
2 0025.2e2d.7440 2001:DB8:1::2 0
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to the www.cisco.com/go/cfn link. An account on the Cisco.com page is not required.
Note |
The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Cable DHCP leasequery |
Cisco IOS XE Fuji 16.7.1 |
This feature was integrated into Cisco IOS XE Fuji 16.7.1 on the Cisco cBR Series Converged Broadband Routers. |
Feedback