The Dualcrypt Encryption feature enables the Session and Resource Manager (SRM) to configure the PowerKey and DVB CAS sessions on the same line card (LC) of the Cisco cBR-8 Converged Broadband Router.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
![]() Note | The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified. |
You can use this feature when you want the PowerKey and DVB sessions on the same QAM channel. This feature is applicable only to GQI-based sessions, as it uses the Generic QAM Interface (GQI) protocol.
To configure the dualcrypt encryption mode, you should set up connections with Event Information Scheduler (EIS) and Entitlement Control Message Generator (ECMG).
Ensure that the following components are available on your system before configuring dualcrypt encryption for sessions.
Service Distribution Group (SDG)
Virtual Carrier Group (VCG) with encrypt
Logical Edge Device (LED) with GQI protocol
Event Information Scheduler (EIS)
Entitlement Control Message Generator (ECMG)
Ensure that the VCG is bound to SDG
Ensure that the VCG is associated to LED
Ensure that the Virtual Edge Input is configured only on LED
Ensure that the following configurations are available on your system:
The encryption algorithm of the line card is set to DVB-CSA.
linecard <slot>/<bay> ca-system dualcrypt scrambler dvb-csa
The virtual port group interface is configured and the same is set for the management interface under cable video, because the DVB requires a management IP address for communicating with external servers.
configure terminal cable video mgmt-intf VirtualPortGroup <id>
The CA interface on the line card and the route for reaching the ECMG server are specified for session-based scrambling.
ca-interface linecard <slot>/<bay> <IP_Address> route-ecmg <ECMG_Server_IP_Address> <Netmask> <Interface> <Forwarding_Router_IP_Address>
ca-interface linecard <slot>/<bay> <IP_Address> vrf <vrf_name>
(Optional) The bind option is used to associate EIS with specific IP address or GQI-based LED
To use a single IP address for GQI (create and delete sessions) and EIS (provision/de-provision SCGs), the operator should bind the EIS with GQI-based LED using the IP option and configure the required IP address. The IP address should be the subnet of the configured virtual port group. By default, the EIS uses the management IP address configured under DVB and the GQI uses the management IP address configured under LED for session control.
configure terminal cable video encryption dvb eis <name of eis> listening-port <1-65535> bind ip <ip address> or listening-port <1-65535> bind led <id | name> <led id | led name>
The following restrictions are applicable for configuring DualCrypt encryption mode:
The DualCrypt Encryption feature is applicable only to GQI-based remapped sessions.
Use this feature only for PowerKey, DVB, and Clear sessions.
Do not use this feature along with tier-based scrambling mode.
![]() Note | To know more about the commands referenced in this module, see the Cisco IOS Master Command List. |
This section explains how to configure the session-based scrambling with DualCrypt encryption mode.
enable configure terminal cable video mgmt-intf VirtualPortGroup <group_id> encryption linecard <lcslot/subslot> ca-system dualcrypt scrambler dvb-csa dvb route-ecmg ECMG_Server_IP_Address Netmask Interface Forwarding_Router_IP_Address mgmt-ip IP_Address eis EIS_Name id EIS_ID listening-port port_number [bind {ip <ip address> | led < id <led id >| name <led name>>}] ca-interface linecard <slot>/<bay> IP_Address ecmg ECMG_Name id ECMG_ID mode vod linecard <slot>/<bay> type <standard/hitachi/irdeto/nagra/pkey> ca-system-id CA_System_ID CA_Subsystem_ID ecm-pid-source <sid/auto/ecm-id> connection id ID priority connection_priority IP_Address Port
Router#show cable video encryption linecard 8/0 Line card: 8/0 CA System Scrambler DVB-Conformance =============================================== dualcrypt dvb-csa Enabled
Router#show cable video encryption scrambler brief Scrambler information Chassis wide scrambler: none –––––––––––––––––––––––––––––––––––––––––––– Linecard Current Configured Scrambler Scrambler =============================================== 1 Not Ready None 2 Not Ready None 3 Not Ready None 4 Not Ready None 5 Not Ready None 6 Not Ready None 7 dvb-csa None 8 dvb-csa dvb-csa 9 des/dvs042 None
Router#show cable video encryption dvb ecmg id <ID> connection ----------------------------------------------------------------------------------------------------------------------- ECMG ECMG ECMG CA Sys CA Subsys PID Lower Upper Streams/ Open Streams/ Auto Chan Slot ECMG ECMG ID Name Type ID ID Source limit limit ECMG ECMG ID Connections Application ----------------------------------------------------------------------------------------------------------------------- 1 test standard 0x950 0x0 sid 0 0 1 1 Enabled 7 1 VOD ECMG Connections for ECMG ID = 1 ----------------------------------------------------------------- Conn Conn IP Port Channel Conn Open -ID Priority Address Number ID Status Streams ----------------------------------------------------------------- 1 1 10.10.1.1 9878 1 Open 1 -----------------------------------------------------------------The Conn Status field shows the status of the connection with the ECMG server and the Open Streams field indicates the number of active ECM streams.
Router#show cable video encryption dvb eis id <ID> ---------------------------------------------------------------------------------------- EIS EIS Peer Management TCP CP CP Overwrite Fail-To-Clear Connection ID Name IP IP Port Overrule Duration SCG Duration Status ---------------------------------------------------------------------------------------- 1 test 10.10.1.1 10.10.1.10 9898 DISABLED 0 DISABLED 0 Connected
Router>show cable video gqi connection LED Management Server Connection Version Event Reset Encryption ID IP IP Status Pending Indication Discovery --------------------------------------------------------------------------- 2 10.10.1.1 10.100.1.1 Connected 2 0 ACKED Sent
Router>show cable video logical-edge-device id <ID> statistics Create Delete Insert Cancel Switch Reset Encryption Event Session Session Packet Packet Source Indication Discovery Notification ------------------------------------------------------------------------------- Success 4 0 0 0 0 3 7 0 Error 0 0 0 0 0 0 0 0 Total 4 0 0 0 0 3 7 0
Router>show cable video session logical-edge-device id <ID> Total Sessions = 4 Session Output Streaming Session Session Source UDP Output Input Output Input Output Encrypt Encrypt Low Session Id Port Type Type Ucast Dest IP/Mcast IP (S,G) Port Program State State Bitrate Bitrate Type Status Latency Name ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 1048580 20 Passthru UDP 10.10.10.11 49152 - ACTIVE-PSI ON 1713128 1698122 CLEAR - N 0x00000000000000000001 1048581 20 Remap UDP 10.10.10.11 49153 2 ACTIVE-PSI ON 1711859 1707422 DVB Encrypted N 0x00000000000000000002 1048582 23 Passthru UDP 10.10.10.11 49154 - ACTIVE-PSI ON 1711962 1699101 CLEAR - N 0x00000000000000000003 1048583 23 Remap UDP 10.10.10.11 49155 4 ACTIVE-PSI ON 1712498 1707834 DVB Encrypted N 0x00000000000000000004
The session's Encrypt Status should be Encrypted. The Output State should be ON to show the proper Encrypt Status for DVB sessions. If the Output State is Pending, the Encrypt Status will be shown as Pending.
Router>show cable video scg allq SCGs: 4 Carriers with SCGs: 3 -------------------------------------------------------------------- SCG ON TS SCG Ref Activation CP Duration SCG Sess LED/ ID ID ID ID Time (msec) Status Id EIS -------------------------------------------------------------------- 900 1 20 65535 Immediate 10000 Active N/A 1 Service IDs : 2 ES PIDs : NA 9001 1 20 65535 Immediate 10000 Active N/A 1 Service IDs : 1 ES PIDs : NA 9006 1 22 65535 Immediate 10000 Active N/A 1 Service IDs : 1 ES PIDs : NA 9002 1 23 65535 Immediate 10000 Active N/A 1 Service IDs : 4 ES PIDs : NA Number of SCGs = 4
Logical Edge Device: led1 Id: 1 Protocol: GQI Service State: Active Discovery State: Disable Management IP: 10.10.10.11 MAC Address: Number of Servers: 1 Server 1: 10.10.10.11 Reset Interval: 5 Keepalive Interval: 5 Retry Count:3 Number of Virtual Carrier Groups: 1 Number of Share Virtual Edge Input: 1 Number of Physical Qams: 39 Number of Sessions: 4 No Reserve PID Range Virtual Edge Input: Input Port VEI Slot/Bay Bundle Gateway ID IP ID IP ----------------------------------------------------------------- 1 10.10.10.11 7/0 - - Virtual Carrier Group: ID Name Total Total Service-Distribution-Group Service-Distribution-Group VEI RF-channel Name ID ---------------------------------------------------------------------------- 1 vcg1 0 39 sdg1 1 QAM Port Physical Admin Operational TSID ONID Output VCG SDG Encryption Controller Type QAM ID State State Port ID ID Capable --------------------------------------------------------------------------------- 7/0/0:0 RF Port 0 ON UP 1 1 1 1 1 dualcrypt 7/0/0:1 RF Port 1 ON UP 2 1 2 1 1 dualcrypt 7/0/0:2 RF Port 2 ON UP 3 1 3 1 1 dualcrypt 7/0/0:3 RF Port 3 ON UP 4 1 4 1 1 dualcrypt 7/0/0:4 RF Port 4 ON UP 5 1 5 1 1 dualcrypt 7/0/0:5 RF Port 5 ON UP 6 1 6 1 1 dualcrypt 7/0/0:6 RF Port 6 ON UP 7 1 7 1 1 dualcrypt 7/0/0:7 RF Port 7 ON UP 8 1 8 1 1 dualcrypt 7/0/0:8 RF Port 8 ON UP 9 1 9 1 1 dualcrypt 7/0/0:9 RF Port 9 ON UP 10 1 10 1 1 dualcrypt 7/0/0:10 RF Port 10 ON UP 11 1 11 1 1 dualcrypt 7/0/0:20 RF Port 20 ON UP 20 1 20 1 1 dualcrypt 7/0/0:21 RF Port 21 ON UP 21 1 21 1 1 dualcrypt 7/0/0:22 RF Port 22 ON UP 22 1 22 1 1 dualcrypt 7/0/0:23 RF Port 23 ON UP 23 1 23 1 1 dualcrypt 7/0/0:24 RF Port 24 ON UP 24 1 24 1 1 dualcrypt 7/0/0:25 RF Port 25 ON UP 25 1 25 1 1 dualcrypt 7/0/0:26 RF Port 26 ON UP 26 1 26 1 1 dualcrypt 7/0/0:27 RF Port 27 ON UP 27 1 27 1 1 dualcrypt 7/0/0:28 RF Port 28 ON UP 28 1 28 1 1 dualcrypt 7/0/0:29 RF Port 29 ON UP 29 1 29 1 1 dualcrypt 7/0/0:30 RF Port 30 ON UP 30 1 30 1 1 dualcrypt 7/0/0:31 RF Port 31 ON UP 31 1 31 1 1 dualcrypt 7/0/0:32 RF Port 32 ON UP 32 1 32 1 1 dualcrypt 7/0/0:33 RF Port 33 ON UP 33 1 33 1 1 dualcrypt 7/0/0:34 RF Port 34 ON UP 34 1 34 1 1 dualcrypt 7/0/0:35 RF Port 35 ON UP 35 1 35 1 1 dualcrypt 7/0/0:36 RF Port 36 ON UP 36 1 36 1 1 dualcrypt 7/0/0:37 RF Port 37 ON UP 37 1 37 1 1 dualcrypt 7/0/0:38 RF Port 38 ON UP 38 1 38 1 1 dualcrypt 7/0/0:39 RF Port 39 ON UP 39 1 39 1 1 dualcrypt 7/0/0:40 RF Port 40 ON UP 40 1 40 1 1 dualcrypt 7/0/0:41 RF Port 41 ON UP 41 1 41 1 1 dualcrypt 7/0/0:42 RF Port 42 ON UP 42 1 42 1 1 dualcrypt 7/0/0:43 RF Port 43 ON UP 43 1 43 1 1 dualcrypt 7/0/0:44 RF Port 44 ON UP 44 1 44 1 1 dualcrypt 7/0/0:45 RF Port 45 ON UP 45 1 45 1 1 dualcrypt 7/0/0:46 RF Port 46 ON UP 46 1 46 1 1 dualcrypt 7/0/0:47 RF Port 47 ON UP 47 1 47 1 1 dualcrypt
If some configuration errors occur, see the following troubleshooting tips:
The Management IP must be unique and in the subnet of virtual port group.
Ensure that the ECMG Server is pingable with source interface as the virtual port group from the Cisco cBR-8 console. This indicates that the ECMG Server is reachable and route is valid.
Ensure that the TCP port number configured for the ECMG Server in the Cisco cBR-8 is the same as that of the ECMG Server listening port.
Ensure that the management IP is pingable from the EIS Server. Otherwise, check the routing between the cBR-8 chassis and the EIS server.
Ensure that the listening port that is configured for the EIS is used for establishing the connection from the EIS Server.
Ensure that the Virtual Port Group interface is active.
Ensure that the TenGigabitEthernet interface using which the management traffic reaches the Cisco cBR-8 and the interface through which the CA interface route is configured are active.
Ensure that the GQI connection is active and sessions are available to be set up.
Ensure that the EIS connection is active and SCG is available in Cisco cBR-8.
Ensure that the CAS configured for ECMG matches the ECM group in SCG.
Ensure that the ONID, TSID, and Program Number are synchronized with the configured sessions and SCG.
This section provides examples for configuring DualCrypt Encryption Mode:
cable video mgmt-intf VirtualPortGroup 0 encryption linecard 8/0 ca-system dualcrypt scrambler dvb-csa dvb route-ecmg 10.10.10.11 255.255.255.224 Port-channel26 2.26.1.2 mgmt-ip 10.10.10.11 eis test id 1 listening-port 9898 ca-interface linecard 8/0 10.10.10.12 ecmg test id 1 mode vod linecard 8/0 type standard ca-system-id 950 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.13 9878 service-distribution-group sdg1 id 1 rf-port integrated-cable 8/0/0 virtual-carrier-group vcg1 id 1 encrypt service-type narrowcast rf-channel 20-47 tsid 20-47 output-port-number 20-47 bind-vcg vcg vcg1 sdg sdg1 logical-edge-device led1 id 1 protocol gqi mgmt-ip 10.10.10.10 server 10.100.10.11 virtual-edge-input-ip 10.10.10.11 input-port-number 1 vcg vcg1 active
cable video mgmt-intf VirtualPortGroup 0 encryption linecard 8/0 ca-system dualcrypt scrambler dvb-csa dvb route-ecmg 10.10.10.11 255.255.255.224 Port-channel26 10.10.10.10 mgmt-ip 10.10.10.13 eis test id 1 listening-port 9898 bind led id 1 ca-interface linecard 8/0 10.10.10.14 ecmg test id 1 mode vod linecard 8/0 type standard ca-system-id 950 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.11 9878 service-distribution-group sdg1 id 1 onid 1 rf-port integrated-cable 8/0/0 virtual-carrier-group vcg1 id 1 encrypt service-type narrowcast rf-channel 20-47 tsid 20-47 output-port-number 20-47 bind-vcg vcg vcg1 sdg sdg1 logical-edge-device led1 id 1 protocol gqi mgmt-ip 10.10.10.11 server 10.10.10.112 virtual-edge-input-ip 10.10.10.11 input-port-number 1 vcg vcg1 active
cable video mgmt-intf VirtualPortGroup 0 encryption linecard 8/0 ca-system dualcrypt scrambler dvb-csa dvb route-ecmg 10.10.10.11 255.255.255.224 Port-channel26 10.10.10.11 mgmt-ip 10.10.10.11 eis test id 1 listening-port 9898 bind led name led1 ca-interface linecard 8/0 10.10.10.11 ecmg test id 1 mode vod linecard 8/0 type standard ca-system-id 950 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.11 9878 service-distribution-group sdg1 id 1 onid 1 rf-port integrated-cable 8/0/0 virtual-carrier-group vcg1 id 1 encrypt service-type narrowcast rf-channel 20-47 tsid 20-47 output-port-number 20-47 bind-vcg vcg vcg1 sdg sdg1 logical-edge-device led1 id 1 protocol gqi mgmt-ip 10.10.10.11 server 10.10.10.112 virtual-edge-input-ip 10.10.10.11 input-port-number 1 vcg vcg1 active
cable video mgmt-intf VirtualPortGroup 0 encryption linecard 8/0 ca-system dualcrypt scrambler dvb-csa dvb route-ecmg 10.10.10.11 255.255.255.224 Port-channel26 10.10.10.11 mgmt-ip 10.10.10.11 eis test id 1 listening-port 9898 bind ip 10.10.10.11 ca-interface linecard 8/0 10.10.10.11 ecmg test id 1 mode vod linecard 8/0 type standard ca-system-id 950 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.11 9878 service-distribution-group sdg1 id 1 onid 1 rf-port integrated-cable 8/0/0 virtual-carrier-group vcg1 id 1 encrypt service-type narrowcast rf-channel 20-47 tsid 20-47 output-port-number 20-47 bind-vcg vcg vcg1 sdg sdg1 logical-edge-device led1 id 1 protocol gqi mgmt-ip 10.10.10.11 server 10.10.10.11 virtual-edge-input-ip 10.10.10.11 input-port-number 1 vcg vcg1 active
cable video multicast-uplink Loopback410 access-list all-multicast vrf vrf_script_red_1 next-hop 10.10.10.11 mgmt-intf VirtualPortGroup 0 encryption linecard 1/0 ca-system dvb scrambler dvb-csa dvb route-ecmg 10.10.10.11 255.255.255.224 Port-channel21 10.10.10.1 route-ecmg 10.10.10.16 255.255.255.224 Port-channel21 10.10.10.1 mgmt-ip 10.10.10.10 eis pytool1 id 1 listening-port 2500 cp-overrule 6 overwrite-scg ca-interface linecard 1/0 10.10.10.0 vrf vrf_script_red_1 ecmg emcg1 id 1 mode vod linecard 1/0 type standard ca-system-id 952 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.11 5678 connection id 2 priority 1 10.10.10.16 8765 ecmg emcg2 id 2 mode vod linecard 1/0 type standard ca-system-id 951 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.14 8765 ecmg emcg3 id 3 mode vod linecard 1/0 type standard ca-system-id 950 0 auto-channel-id ecm-pid-source sid connection id 1 priority 1 10.10.10.11 5678 interface VirtualPortGroup0 vrf forwarding vrf_script_red_1 ip address 10.10.10.11 255.255.224.0 no mop enabled no mop sysid
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
![]() Note | The table below lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
Feature Name |
Releases |
Feature Information |
---|---|---|
DualCrypt Encryption Mode |
Cisco IOS XE Everest 16.6.1 |
This feature was integrated on the Cisco cBR Series Converged Broadband Routers. |