This document describes the Dynamic Host Configuration Protocol (DHCP) Leasequery feature on the Cisco cable modem termination
system (CMTS) router.
Finding Feature Information
Your software release may not support all the features that are documented in this module. For the latest feature information
and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this
document provides information about the documented features and lists the releases in which each feature is supported.
Hardware Compatibility Matrix for the Cisco cBR Series Routers
Note
The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless
otherwise specified.
Prerequisites for Cable DHCP Leasequery
The Cisco CMTS router must be running Cisco IOS Release 12.2(15)BC1d or Cisco IOS Release 12.2(15)BC2b or Cisco IOS Release 12.2(33)SCA or a later release.
You must configure a cable interface with the cable source-verify dhcp command and the no cable arp command before the Cisco CMTS router can enable DHCP Leasequery. Lease queries are sent to the DHCP server or to a configured alternate server.
To divert DHCP Leasequeries to a specific server, you must use the cable source-verify dhcp server ipaddress command and the no cable arp command before the Cisco CMTS router is enabled for DHCP Leasequery. Only one alternate server may be configured.
You must configure the cable ipv6 pd-route command when IPv6 Customer Premise Equipment (CPE) routers are deployed on the Cisco CMTS router.
You must configure the ipv6 route command when IPv6 Customer Premise Equipment (CPE) routers are deployed on the Cisco CMTS router.
Restrictions for Cable DHCP Leasequery
Leasequeries are sent to the DHCP server unless an alternate server is configured.
Only one alternate server can be configured.
Users are responsible for the synchronization of the DHCP server and the configured alternate server.
If the configured alternate server fails, leasequery requests are not returned to the DHCP server.
Only one IA_IADDR is supported per client. If the leasequery returns multiple results, only the IA_ADDR matching the query
is added to the Cisco CMTS subscriber database.
The Cisco CMTS will not verify the source of the IPv6 link-local address of a CPE.
Information About Cable DHCP Leasequery
Problems can occur when viruses, denial of service (DoS) attacks, and theft-of-service attacks begin scanning a range of IP
addresses, in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type
of scanning generates a large volume of DHCP leasequeries, which can result in the following problems:
High CPU utilization on the Cisco CMTS router PRE card.
High utilization on the DHCP servers, resulting in a slow response time or no response at all.
Packets can be dropped by the Cisco CMTS router or DHCP server (or configured alternate server).
Lack of available bandwidth for other customers on the cable interface.
To prevent such a large volume of leasequery requests on cable interfaces, you can enable filtering of these requests on upstream
interfaces, downstream interfaces, or both. When the Cable DHCP Leasequery feature is enabled, the Cisco CMTS allows only
a certain number of DHCP leasequery requests for each service ID (SID) on an interface within the configured interval time
period. If an SID generates more Leasequeries than the maximum, the router drops the excess number of requests until the next
interval period begins.
You can configure both the number of allowable DHCP leasequery requests and the interval time period, so as to match the capabilities
of your DHCP server (or configured alternate server) and cable network.
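The per-SID limit described above, modelled as an added example (not Cisco code): a fixed-window counter that drops requests over the threshold until the next interval begins. The class and function names, the alignment of intervals to time zero, and the constructed traffic are assumptions for illustration.

```python
# Added illustration, not Cisco's implementation: a fixed-window, per-SID
# leasequery filter. Names and window alignment are assumptions.
from collections import defaultdict

class LeasequeryFilter:
    """Allow at most `threshold` leasequeries per SID in each `interval`."""

    def __init__(self, threshold, interval):
        self.threshold = threshold         # allowed requests per SID per interval
        self.interval = interval           # interval length, same unit as timestamps
        self.window = {}                   # sid -> index of the interval last seen
        self.used = defaultdict(int)       # sid -> requests sent in that interval
        self.sent = defaultdict(int)       # sid -> total requests forwarded
        self.filtered = defaultdict(int)   # sid -> total requests dropped

    def allow(self, sid, now):
        """Return True if a leasequery triggered by `sid` at `now` is sent."""
        idx = int(now // self.interval)
        if self.window.get(sid) != idx:    # next interval began: reset the count
            self.window[sid] = idx
            self.used[sid] = 0
        if self.used[sid] < self.threshold:
            self.used[sid] += 1
            self.sent[sid] += 1
            return True
        self.filtered[sid] += 1            # excess request is dropped
        return False

def simulate(events, threshold, interval):
    """events: (timestamp, sid) pairs. Returns per-SID unfiltered/filtered counts."""
    f = LeasequeryFilter(threshold, interval)
    for now, sid in events:
        f.allow(sid, now)
    return {sid: {"unfiltered": f.sent[sid], "filtered": f.filtered[sid]}
            for sid in sorted(set(f.sent) | set(f.filtered))}

def sample_events():
    """Constructed traffic: SID 1 sources 20 unknown addresses per time unit
    for 4 units (an address sweep); SID 2 triggers one leasequery every 2 units."""
    sweep = [(t / 20.0, 1) for t in range(80)]
    normal = [(float(t), 2) for t in (0, 2)]
    return sorted(sweep + normal)

if __name__ == "__main__":
    for sid, stats in simulate(sample_events(), threshold=5, interval=2).items():
        print(f"SID {sid}: {stats}")
```

With a threshold of 5 per interval of 2, the sweeping SID has most of its requests dropped while the other SID is unaffected, which is the isolation the per-SID counter is meant to give.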
To configure the Cisco CMTS router to send DHCP leasequery requests to the DHCP server, use the cable source-verify dhcp and no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable modems on the cable interface are verified. The DHCP server returns a DHCP ACK message with the DHCP relay information and lease information of the CPE device that has been assigned this IP address, if any.
When the cable source-verify dhcp and no cable arp commands are configured, DHCP leasequery is sent for downstream packets to verify unknown IP addresses within the IP address range configured on the cable bundle interface.
For DHCP leasequery to work in the downstream direction, the Cisco Network Registrar (CNR) should be made aware of the DHCP Option 82. This is required to make the CMTS map the CPE IP address to the correct CM. To do this, configure the ip dhcp relay information option command on the bundle interface to insert service class relay agent option into the DHCP DISCOVER messages. When the configuration is in place, during DHCP DISCOVER the values of DHCP Option 82 are cached by the CNR and are returned to the CMTS on any subsequent DHCP leasequery for that IP address.
To configure the Cisco CMTS router to divert DHCP leasequery requests to a server other than the DHCP server, use the cable source-verify dhcp server ipaddress and no cable arp commands.
The Cisco CMTS supports two types of DHCP leasequery implementation, Cisco standard compliant DHCP leasequery and RFC 4388
standard compliant DHCP leasequery. These two standards differ mostly in the identifiers used to query or respond to the DHCP
Server. You can choose between these two implementations depending on which standard is supported on your DHCP Server.
Use the ip dhcp compatibility lease-query client {cisco | standard} command to configure the Cisco CMTS in either Cisco mode or RFC 4388 standard mode.
The Cisco IOS Release 12.3(13)BC introduces the ability to exclude trusted MAC addresses from the standard DHCP source verification checks, as supported in earlier Cisco IOS releases for the Cisco CMTS. This feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on the Performance Routing Engine 1 (PRE1), PRE2, and PRE4 modules on the Cisco uBR10012 router chassis.
This feature enables the ability to exclude trusted MAC addresses from the standard DHCP source verification checks for the
Cisco CMTS. The DHCP MAC Address Exclusion List feature enables packets from trusted MAC addresses to pass when otherwise
packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on
the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification
processes. This feature is supported on the Performance Routing Engine 1 (PRE1), PRE2, and PRE4 modules on the Cisco cBR router
chassis.
To enable packets from trusted source MAC addresses in DHCP to pass without source verification checks, use the cable trust
command in global configuration mode. To remove a trusted MAC address from the MAC exclusion list, use the no form of this
command. Removing a MAC address from the exclusion list subjects all packets from that source to standard DHCP source verification.
The Cisco IOS Release 12.2(33)SCF1 introduces support for unitary DHCPv6 leasequery protocol (RFC 5007) on the Cisco CMTS routers for upstream IPv6 source verification. This protocol verifies the authenticity of the IPv6 CPE behind a home or small office cable deployment.
If the IPv6 source verification fails on the router and the cable ipv6 source-verify dhcp and no cable nd commands are configured on the bundle interface or subinterface, the Cisco CMTS triggers a unitary DHCPv6 leasequery to the Cisco Network Registrar (CNR). If a valid leasequery response is received from the CNR, the Cisco CMTS adds the CPE to its subscriber database and allows future traffic for the CPE.
The primary use of the unitary DHCPv6 leasequery protocol on the Cisco CMTS router is to recover lost CPE data including the Prefix Delegation (PD) route. The IPv6 CPE data can be lost from the Cisco CMTS in several ways. For example, PD route loss can occur during a Cisco CMTS reload.
The unitary DHCPv6 leasequery protocol also supports the following:
DHCPv6 leasequery protocol.
Rogue client database for failed source-verify clients.
DHCPv6 leasequery filters.
DHCPv6 leasequeries to a specific DHCPv6 server.
How to Configure Filtering of Cable DHCP Leasequery Requests
Use the following procedures to configure the filtering of DHCP Leasequery requests on the Cisco CMTS downstreams and upstreams:
Enabling DHCP Leasequery Filtering on Downstreams
Use the following procedure to start filtering DHCP leasequeries on all downstreams of a cable interface.
Enables leasequery filtering on all upstreams on the specified bundle interface, using the specified threshold and interval values.
Note
The cable source-verify leasequery-filter upstream command can only be configured under bundle interface.
Note
Repeat step 3 and step 4 to enable the filtering of DHCP Leasequeries on the upstreams for other bundle interfaces. Master and slave interfaces in a cable bundle must be configured separately.
Step 5
end
Example:
Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Configuring Unitary DHCPv6 Leasequery Filtering
Use the following procedure to configure the Cisco CMTS router to send Leasequeries to a DHCP server to verify the authenticity of the IPv6 CPE. You can also enable filtering of these requests to prevent large volumes of Leasequery requests on the bundle interfaces. Similarly, the number of allowable Leasequery requests and the interval time period can also be configured.
Note
When the leasequery timer expires, only the IPv4 static CPE is automatically removed from the host database.
Before you begin
Disable the IPv6 Neighbor Discovery (ND) Gleaning feature using the no form of the cable nd command in bundle interface configuration mode before configuring the unitary DHCPv6 leasequery protocol. For details on IPv6 ND gleaning, see IPv6 on Cable feature guide.
Configure the cable ipv6 source-verify dhcp command, introduced from Cisco IOS Release 12.2(33)SCF1 onwards, under the Cisco CMTS bundle or bundle subinterface to enable the unitary DHCPv6 leasequery protocol.
In the cable ipv6 pd-route {enclosing-route | prefix-length} bundle-interface command, the enclosing-route | prefix-length parameters should not be the same as the IA_PD request and should be configured as a large prefix that includes all the pd-route prefixes for the downstream lease query.
Use the cable ipv6 source-verify dhcp [server ipv6-address] command for a single DHCP server.
Router(config-if)# cable ipv6 source-verify
or
Router(config-if)# cable ipv6 source-verify dhcp server 2001:DB8:1::1
Enables leasequery filtering on the specified bundle interface and verifies the IP address with multiple DHCPv6 servers.
or
Enables leasequery filtering on the specified bundle interface and verifies the IP address with a specified DHCPv6 server.
Enables leasequery timer on the specified bundle interface, for the Cisco CMTS to check its internal CPE database for IPv6 addresses whose lease time has expired.
Enables leasequery filtering on all downstreams on the specified bundle interface, using the specified threshold and interval values:
Step 4
end
Example:
Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
Configuration Examples for Filtering of DHCP Leasequery
This section provides the following examples on how to configure the DHCP leasequery filtering feature:
Example: DHCP Leasequery Filtering
The following example shows an excerpt from a typical configuration of a bundle interface that is configured for filtering DHCP leasequery requests on both its upstream and downstream interfaces:
Note
If an alternate server has been configured to receive leasequery requests, the cable source-verify dhcp server ipaddress command would display in place of the cable source-verify dhcp command below.
The following example shows how to display the total number of DHCPv6 leasequery requests that have been filtered on the router in Cisco IOS Release 12.2(33)SCF1:
Router# show cable leasequery-filter
IPv4 Lease Query Filter statistics for Unknown Sid
Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Unknown Sid
Requests Sent : 0 total. 0 unfiltered, 0 filtered
The following example shows how to display the total number of DHCP leasequery requests that have been filtered on a particular
cable interface in Cisco IOS Release 12.2(33)SCF1:
Router# show cable leasequery-filter cable 7/0/0
IPv4 Lease Query Filter statistics for Cable7/0/0:
Requests Sent : 0 total. 0 unfiltered, 0 filtered
IPv6 Lease Query Filter statistics for Cable7/0/0:
Requests Sent : 0 total. 0 unfiltered, 0 filtered
The following example shows how to display a list of cable modems on a cable interface and the number of DHCP leasequery
messages filtered per interface in Cisco IOS Release 12.2(33)SCF1:
Router# show cable leasequery-filter cable 7/0/0 requests-filtered
Sid  MAC Address     IP Address      Req-Filtered
1    0018.6835.2756  0.0.0.0         0
2    0025.2e2d.7440  0.0.0.0         0
Sid  MAC Address     IP Address      Req-Filtered
1    0018.6835.2756  2001:DB8:1::1   0
2    0025.2e2d.7440  2001:DB8:1::2   0
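An added example (not from the Cisco documentation): a parser for the requests-filtered table layout shown above that sums the IPv4 and IPv6 counters per modem and lists the SIDs whose leasequeries are being filtered. The function names and the non-zero counters in the sample are constructed for illustration.

```python
# Added illustration: parse `show cable leasequery-filter ... requests-filtered`
# output and rank modems by filtered leasequeries. Function names are hypothetical.
import re

# One data row: Sid, MAC (Cisco dotted-hex), IPv4 or IPv6 address, Req-Filtered.
ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+(\S+)\s+(\d+)\s*$"
)

def parse_requests_filtered(text):
    """Return one dict per table row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sid, mac, ip, count = m.groups()
            rows.append({"sid": int(sid), "mac": mac.lower(),
                         "family": "ipv6" if ":" in ip else "ipv4",
                         "ip": ip, "filtered": int(count)})
    return rows

def noisy_modems(rows, min_filtered=1):
    """Sum IPv4 and IPv6 counters per (SID, MAC); return those at or above
    min_filtered, highest first."""
    totals = {}
    for r in rows:
        key = (r["sid"], r["mac"])
        totals[key] = totals.get(key, 0) + r["filtered"]
    hits = [(sid, mac, n) for (sid, mac), n in totals.items() if n >= min_filtered]
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed sample in the layout shown above; the counters are invented.
SAMPLE = """\
Router# show cable leasequery-filter cable 7/0/0 requests-filtered
Sid  MAC Address     IP Address      Req-Filtered
1    0018.6835.2756  0.0.0.0         0
2    0025.2e2d.7440  0.0.0.0         37
Sid  MAC Address     IP Address      Req-Filtered
1    0018.6835.2756  2001:DB8:1::1   0
2    0025.2e2d.7440  2001:DB8:1::2   12
"""

if __name__ == "__main__":
    for sid, mac, n in noisy_modems(parse_requests_filtered(SAMPLE)):
        print(f"SID {sid} ({mac}): {n} leasequeries filtered")
```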
Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator
enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature
Navigator, go to the www.cisco.com/go/cfn link. An account on the Cisco.com page is not required.
Note
The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent
releases of that software release train also support that feature.
Table 1. Feature Information for Cable DHCP Leasequery
Feature Name | Releases | Feature Information
Cable DHCP leasequery | Cisco IOS XE Fuji 16.7.1 | This feature was integrated into Cisco IOS XE Fuji 16.7.1 on the Cisco cBR Series Converged Broadband Routers.