To require that all CMs on a cable interface attempt to download a DOCSIS
configuration file using the Trivial File Transfer Protocol (TFTP) through the
cable interface before being allowed to register and come online, use the
cable tftp-enforce command in cable interface configuration mode. To disable
this feature, use the no form of this command.
cable tftp-enforce [mark-only]
no cable tftp-enforce [mark-only]
Syntax Description
mark-only | (Optional) Allows CMs to come online without attempting to download a DOCSIS configuration file through the Cisco CMTS cable interface, but prints a warning message and marks those CMs with a pound sign (#) in the show cable modem command.
Command Default
TFTP downloads through the Cisco CMTS are not required (no cable tftp-enforce).
Command Modes
Interface configuration—cable interface only (config-if)
Command History
Release | Modification
12.1(11b)EC1 | This command was introduced for the Cisco uBR7100 series and Cisco uBR7200 series universal broadband routers.
12.1(19)EC | CMs that fail the TFTP check are now marked with a reject(c) error in the show cable modem command, instead of the original reject(m) error, so as to be consistent with the behavior in the Release 12.2 BC train.
12.2(8)BC2 | Support for this command was added to the 12.2 BC release train for the Cisco uBR7100 series, Cisco uBR7200 series, and Cisco uBR10012 universal broadband routers.
12.2(15)BC1 | The command was enhanced on the Cisco uBR10012 router to prevent the router from rejecting cable modems that did properly download a DOCSIS configuration file.
IOS-XE 3.15.OS | This command is not supported on the Cisco cBR Series Converged Broadband Routers.
Usage Guidelines
The cable tftp-enforce cable interface configuration command requires all
cable modems on a cable interface to attempt a TFTP request for the DOCSIS
configuration file through the cable interface with the Cisco CMTS router
before being allowed to register and come online. This can help prevent the
following situations from occurring:
- Users who attempt
theft-of-service by reconfiguring their local networks to allow the downloading
of an unauthorized DOCSIS configuration file from a local TFTP server.
Typically, some users do this to obtain services that they have not paid for,
such as higher guaranteed bandwidths or a higher priority Quality of Service
(QoS) profile.
- Some brands or models of
cable modems might be running older software releases that cache the DOCSIS
configuration file and use the cached version instead of downloading the actual
file from a TFTP server during the registration process. Although this can
marginally speed up the registration process, it also violates the DOCSIS
requirements and could create a situation in which the cable modem is not using
the proper DOCSIS configuration file. A user might then be mistakenly accused
of theft-of-service, when in reality the problem is the non-DOCSIS-compliant
cable modem.
The cable tftp-enforce command identifies these situations and can block these
cable modems from registering and coming online. This command also has a
mark-only option that allows these cable modems to come online, but it also
identifies the cable modems so that the network administrators can investigate
the situation further before taking any action.
When the command is used without the mark-only option, cable modems that do
not download a TFTP file through the cable interface are blocked from
registering and coming online. The following message is displayed on the
console when such a cable modem attempts to register:
06:53:57: %UBR7200-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Registration Rejected. CM Mac Addr <00ff.ff66.12fb>
The mark-only option allows cable modems that do not download the TFTP file to
come online, but it also prints a warning message on the console and marks the
cable modem in the show cable modem command with a pound sign (#). The
following message is displayed on the console when such a cable modem
registers with the Cisco CMTS:
06:53:57: %UBR7200-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Modem marked with #. CM Mac Addr <00ff.ff66.12fb>
Tip | Cisco recommends that you initially configure cable interfaces with the mark-only option, so that potential problems are identified without immediately interfering with users’ ability to come online. After you identify and resolve these initial problems, reconfigure the cable interfaces without the mark-only option to block problem cable modems that attempt to come online without downloading a valid DOCSIS configuration file.
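As an added example (not Cisco code), the following Python sketch tallies the REGISTRATION_BEFORE_TFTP console messages shown above per cable modem, so that the modems seen during a mark-only phase can be investigated before enforcement is turned on. The function names and the sample log are constructed for illustration; the sample reuses MAC addresses from this page, and the %UBR10000 message body is assumed to match the %UBR7200 one.

```python
import re
from collections import defaultdict

# Console message from this page. It wraps onto a second line in captures, so
# every gap is matched with \s+. The UBR10000 facility is named on the page;
# that its message body is identical to the UBR7200 one is an assumption.
VIOLATION_RE = re.compile(
    r"%(?P<platform>UBR\d+)-4-REGISTRATION_BEFORE_TFTP:\s+"
    r"Registration request unexpected:\s+"
    r"Cable Modem did not attempt TFTP\.\s+"
    r"(?P<action>Registration Rejected|Modem marked with #)\.\s+"
    r"CM Mac Addr <(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})>",
    re.IGNORECASE,
)

def tftp_violations(log_text):
    """Return {mac: {"rejected": n, "marked": n}} for each logged violation."""
    tally = defaultdict(lambda: {"rejected": 0, "marked": 0})
    for m in VIOLATION_RE.finditer(log_text):
        rejected = m.group("action").lower() == "registration rejected"
        tally[m.group("mac").lower()]["rejected" if rejected else "marked"] += 1
    return dict(tally)

def investigation_order(tally):
    """MACs sorted by total violations, most frequent first."""
    return sorted(tally, key=lambda mac: (-sum(tally[mac].values()), mac))

# Constructed sample log in the page's message format (not a real capture).
SAMPLE_LOG = """\
06:53:57: %UBR7200-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Modem marked with #. CM Mac Addr <00ff.ff66.12fb>
06:58:12: %UBR7200-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Modem marked with #. CM Mac Addr <00ff.ff66.12fb>
07:02:40: %UBR10000-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Registration Rejected. CM Mac Addr <00ff.ff03.307d>
07:03:01: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    tally = tftp_violations(SAMPLE_LOG)
    for mac in investigation_order(tally):
        print(mac, tally[mac])
```

A modem that appears repeatedly may be a non-compliant model caching its configuration file rather than a theft-of-service attempt, which is the distinction the mark-only phase is meant to surface.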
The default
behavior is not to require the TFTP download through the cable interface with
the Cisco CMTS router. Each cable interface must be configured with this
command to require the TFTP download.
Note | The cable tftp-enforce command cannot be used on subinterfaces or on non-cable interfaces.
Operation on the Cisco uBR10012 Router
In Cisco IOS
Release 12.2(15)BC1 and later releases, the Cisco uBR10012 router can
occasionally allow a cable modem to temporarily come online before the system
has received confirmation that the cable modem has downloaded the proper DOCSIS
configuration file. This situation can occur when the cable interface line card
receives a registration request (REG-REQ) message from a cable modem before the
PRE1 module has notified the line card whether the modem did download the
proper file from the TFTP server.
In previous
Cisco IOS releases, these cable modems were not allowed to come online (or
marked as TFTP violators) even if they had successfully downloaded the
appropriate DOCSIS configuration file. In Cisco IOS Release 12.2(15)BC1 and
later releases, however, the Cisco uBR10012 router allows these cable modems to
temporarily come online until the PRE1 module has finished determining the
modem’s TFTP status. If the system determines that the modem did not download
the appropriate DOCSIS configuration file, it is then taken offline (or marked
as a TFTP violator).
Note | In the above situation, cable modems that do not download a DOCSIS configuration file are marked as “offline” instead of “reject(c)” by the show cable modem command. The console still displays the %UBR10000-4-REGISTRATION_BEFORE_TFTP error message, however, to allow you to identify these cable modems as TFTP violators.
Examples
The following example shows how to enforce TFTP downloads for all of the cable
modems on cable interface 3/0. These cable modems must attempt a TFTP download
of the DOCSIS configuration file through the cable interface with the Cisco
CMTS. If they do not, they are not allowed to register or come online, and
they are marked as having a registration error, reject(c), in the show cable
modem command.
Note | The initial version of this feature marked CMs that failed the TFTP check as having a Message Integrity Check (MIC) failure—reject(m). The command was changed to show reject(c) in Cisco IOS Release 12.2(8)BC2 and Release 12.1(19)EC.
Router# configure terminal
Router(config)# interface cable 3/0
Router(config-if)# cable tftp-enforce
Router(config-if)# exit
Router(config)#
Router# show cable modems
Interface   Prim Online     Timing Rec   QoS CPE IP address      MAC address
            Sid  State      Offset Power
Cable3/0/U1 1    online(pt) 2734   0.50  5   0   10.1.1.38       00ff.fffa.0a35
Cable3/0/U0 2    online(pt) 2729   0.25  5   0   10.1.1.50       00ff.ff07.382f
Cable3/0/U0 3    init(i)    2732   0.25  2   0   10.1.1.48       00ff.ff03.307d
Cable3/0/U1 4    online(pt) 2737   0.75  5   0   10.1.1.34       00ff.ff59.4477
Cable3/0/U1 5    reject(m)  2215   0.25  2   0   10.1.1.47       00ff.ff66.12fb
Router#
Note | DOCSIS-compliant cable modems that are rejected with a MIC failure go into the offline state for a short period of time and then retry the registration process.
The debug cable registration command can be used to display additional
information:
Router# debug cable interface c3/0 verbose
Router# debug cable registration
CMTS registration debugging is on
Jun 6 23:27:15.859: Registration request from 00ff.ff66.12fb, SID 7 on Cable3/0/U1
Jun 6 23:27:15.859: Found a network access control parameter: Ok
Jun 6 23:27:15.859: Found a class of service block: Ok
Jun 6 23:27:15.859: Found Baseline Privacy config: Ok
Jun 6 23:27:15.859: Found Max CPE: Ok
Jun 6 23:27:15.859: Found CM MIC: Ok
Jun 6 23:27:15.859: Found CMTS MIC: Ok
Jun 6 23:27:15.859: Found modem ip: Ok
Jun 6 23:27:15.859: Found modem capabilities: Ok
Jun 6 23:27:15.859: Finished parsing REG Request
Jun 6 23:27:15.859: Cable Modem sent Registration Request without attempting required TFTP
22:33:21 %UBR7200-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Registration Rejected. CM Mac Addr <00ff.ff66.12fb>
Registration failed for Cable Modem 00ff.ff66.12fb on interface Cable3/0/U0:
CoS/Sflow/Cfr/PHS failed in REG-REQ
Jun 6 23:27:15.859: REG-RSP Status : failure (2)
Jun 6 23:27:15.859: Registration Response:
Jun 6 23:27:15.859: 0x0000: C2 00 00 1B 00 00 00 50 73 4E B4 19 00 05 00 E0
Jun 6 23:27:15.859: 0x0010: 56 AC 00 09 00 00 03 01 07 00 00 02 02
Jun 6 23:27:15.859: Registration Response Transmitted
The following example of the mark-only option shows that cable modems that do
not attempt a TFTP download through the Cisco CMTS are allowed to register and
come online, but they are marked with a pound sign (#) when using the show
cable modem command.
Router# configure terminal
Router(config)# interface cable 3/0
Router(config-if)# cable tftp-enforce mark-only
Router(config-if)# exit
Router(config)#
Router# show cable modems
Interface   Prim Online     Timing Rec   QoS CPE IP address      MAC address
            Sid  State      Offset Power
Cable3/0/U1 1    online(pt) 2734   0.50  5   0   10.1.1.38       00ff.fffa.0a35
Cable3/0/U0 2    online(pt) 2729   0.25  5   0   10.1.1.50       00ff.ff07.382f
Cable3/0/U0 3    init(i)    2732   0.25  2   0   10.1.1.48       00ff.ff03.307d
Cable3/0/U1 4    online(pt) 2737   0.75  5   0   10.1.1.34       00ff.ff59.4477
Cable3/0/U1 5    #online    2213   0.25  6   0   10.1.1.47       00ff.ff66.12fb
Router#
The debug cable registration command can be used to display additional
information:
Jun 6 23:27:15.859: Registration request from 00ff.ff66.12fb, SID 7 on Cable3/0/U1
Jun 6 23:27:15.859: Found a network access control parameter: Ok
Jun 6 23:27:15.859: Found a class of service block: Ok
Jun 6 23:27:15.859: Found Baseline Privacy config: Ok
Jun 6 23:27:15.859: Found Max CPE: Ok
Jun 6 23:27:15.859: Found CM MIC: Ok
Jun 6 23:27:15.859: Found CMTS MIC: Ok
Jun 6 23:27:15.859: Found modem ip: Ok
Jun 6 23:27:15.859: Found modem capabilities: Ok
Jun 6 23:27:15.859: Finished parsing REG Request
Jun 6 23:27:15.859: Cable Modem sent Registration Request without attempting required TFTP
23:27:15: %UBR7200-4-REGISTRATION_BEFORE_TFTP: Registration request unexpected:
Cable Modem did not attempt TFTP. Modem marked with #. CM Mac Addr <00ff.ff66.12fb>
Jun 6 23:27:15.859: Sec sids obtained for all requested classes of service
Jun 6 23:27:15.859: Performing connection admission control (CAC) for each Sid
Jun 6 23:27:15.859: CAC Status for ClassID:1 is CAC_SUCCESS
Jun 6 23:27:15.859: Registration Status: ok (0)
Jun 6 23:27:15.859: Registration Response Transmitted
Tip | You can also use the show interface cable sid and show cable qos profile commands to examine the SID and service classes in use, to determine whether a CM has registered using unauthorized QoS parameters.
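As an added example (not Cisco code), the following Python sketch reads show cable modem output in the nine-column layout shown on this page and lists the modems whose state is prefixed with # or is a reject(...) state, together with the QoS profile index to look up with show cable qos profile. The function name is hypothetical, and the sample is constructed from this page's rows plus one invented reject(c) row.

```python
import re

# One data row of "show cable modem" as printed on this page: interface, SID,
# state, timing offset, receive power, QoS profile, CPE count, IP, MAC.
# Header lines and prompts do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<intf>Cable\S+)\s+(?P<sid>\d+)\s+(?P<state>\S+)\s+\S+\s+\S+\s+"
    r"(?P<qos>\d+)\s+(?P<cpe>\d+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})$",
    re.IGNORECASE,
)

def flag_modems(show_output):
    """Return the rows that are marked with # or rejected, in input order."""
    flagged = []
    for line in show_output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        state = m.group("state")
        if state.startswith("#"):
            reason = "marked"      # online under mark-only, no TFTP via CMTS
        elif state.lower().startswith("reject("):
            reason = "rejected"    # reject(c), or reject(m) on older releases
        else:
            continue
        flagged.append({
            "mac": m.group("mac").lower(),
            "interface": m.group("intf"),
            "state": state,
            "qos": int(m.group("qos")),  # profile index to inspect next
            "reason": reason,
        })
    return flagged

# Constructed sample: rows from this page plus one invented reject(c) row.
SAMPLE_SHOW = """\
Interface Prim Online Timing Rec QoS CPE IP address MAC address
Sid State Offset Power
Cable3/0/U1 1 online(pt) 2734 0.50 5 0 10.1.1.38 00ff.fffa.0a35
Cable3/0/U0 3 init(i) 2732 0.25 2 0 10.1.1.48 00ff.ff03.307d
Cable3/0/U1 5 #online 2213 0.25 6 0 10.1.1.47 00ff.ff66.12fb
Cable3/0/U0 6 reject(c) 2215 0.25 2 0 10.1.1.52 00ff.ff12.34ab
"""

if __name__ == "__main__":
    for row in flag_modems(SAMPLE_SHOW):
        print(row)
```

On the Cisco uBR10012, violators taken offline after the temporary online period show as offline rather than reject(c), so this check does not replace watching for the console message there.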