The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
First Published: February 14, 2008
Last Updated: February 9, 2009
Note | Cisco IOS Release 12.2(33)SCA integrates support for this feature on the Cisco CMTS routers. This feature is also supported in Cisco IOS Release 12.3BC, and this document contains information that references many legacy documents related to Cisco IOS 12.3BC. In general, any references to Cisco IOS Release 12.3BC also apply to Cisco IOS Release 12.2SC. |
This document describes how to configure Cisco Cable Modem Termination System (CMTS) platforms so that they support onboard servers that provide Dynamic Host Configuration Protocol (DHCP), Time-of-Day (ToD), and Trivial File Transfer Protocol (TFTP) services for use in Data-over-Cable Service Interface Specifications (DOCSIS) networks. In addition, this document provides information about optional configurations that can be used with external DHCP servers.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
The “all-in-one” configuration should not be used as the only set of servers except for small cable plants (approximately 2,500 cable modems, lab environments, initial testing, small deployments, and troubleshooting. The “all-in-one” configuration can be used in larger networks, however, to supplement other redundant and backup servers.
Note | The CMTS does not support the configuration of both Local DHCP Pools and DHCP Relay at the same time. |
The ToD server must use the UDP protocol to conform to DOCSIS specifications.
For proper operation of the DOCSIS network, especially a DOCSIS 1.1 network using BPI+ encryption and authentication, the system clock on the Cisco CMTS must be set accurately. You can achieve this by manually using the set clock command, or by configuring the CMTS to use either the Network Time Protocol (NTP) or the Simple Network Time Protocol (SNTP).
The internal DHCP server that is onboard the Cisco CMTS router does not support the cable source-verify command.
Cisco cBR series routers do not support internal DHCP servers.
This section provides the following information about the DHCP, ToD, and TFTP Services feature, and its individual components:
All Cisco CMTS platforms support onboard servers that provide DHCP, ToD, and TFTP proxy-services for use in DOCSIS cable networks. These servers provide the registration services needed by DOCSIS 1.0- and 1.1-compliant cable modems:
Although cable modems do not need to successfully complete the ToD request before coming online, this allows them to add accurate timestamps to their event logs so that these logs are coordinated to the clock used on the CMTS. In addition, having the accurate date and time is essential if the cable modem is trying to register with Baseline Privacy Interface Plus (BPI+) encryption and authentication.
You can configure and use each server separately, or you can configure an “all-in-one” configuration so that the CMTS acts as a DHCP, ToD, and TFTP server. With this configuration, you do not need any additional servers, although additional servers provide redundancy, load-balancing, and scalability.
Note | You can add additional servers in a number of ways. For example, most cable operators use Cisco Network Registrar (CNR) to provide the DHCP and TFTP servers. ToD servers are freely available for most workstations and PCs. You can install the additional servers on one workstation or PC or on different workstations and PCs. |
At power-up, DOCSIS cable modems send a broadcast message through the cable interface to find a DHCP server that can provide the information needed for IP connectivity across the network. After the cable modem comes online, the CPE devices connected to the cable modem can also make their own DHCP requests. You can configure all Cisco CMTS platforms to act as DHCP servers that provide the IP addressing and other networking information that is needed by DOCSIS cable modems and their CPE devices.
In its DHCP request message, the cable modem identifies itself by its MAC hardware address. In reply, a DOCSIS-compatible DHCP server should provide, at minimum, the following fields when replying to cable modems that are authorized to access the cable network:
If you decide to also provide IP addresses to the CPE devices connected to the cable modems, the DHCP server must also provide the following information for CPE devices:
The DHCP server on the Cisco CMTS can also provide a number of options beyond the minimum that are required for network operation. A basic configuration is suitable for small installations as well as lab and experimental networks.
You can also configure the CMTS in a more complex configuration that uses the functionality of DHCP pools. DHCP pools are configured in a hierarchical fashion, according to their network numbers. A DHCP pool with a network number that is a subset of another pool’s network number inherits all of the characteristics of the larger pool.
Because the DOCSIS specification requires cable modems to obtain their IP addresses from a DHCP server, cable networks are susceptible to certain types of configuration errors and theft-of-service attacks, including:
To help combat these attacks, the Cisco CMTS dynamically maintains a database that links the MAC and IP addresses of known CPE devices with the cable modems that are providing network access for those CPE devices. The CMTS builds this database using information from both internal and external DHCP servers:
Note | The Cisco CMTS also monitors IP traffic coming from CPE devices to associate their IP and MAC addresses with the cable modem that is providing their Internet connection. |
The CMTS can also use the DHCP Relay Agent Information option (DHCP option 82) to send particular information about a cable modem, such as its MAC address and the cable interface to which it is connected to the DHCP server. If the DHCP server cannot match the information with that belonging to a cable modem in its database, the Cisco CMTS identifies that the device is a CPE device. This allows the Cisco CMTS and DHCP server to retain accurate information about which CPE devices are using which cable modems and whether the devices should be allowed network access.
The DHCP Relay Agent Information option can also be used to identify cloned modems or gather geographical information for E911 and other applications. Using the cable dhcp-insert command, users configure the Cisco CMTS to insert downstream, upstream, service class, or hostname descriptors into DHCP packets. Multiple types of strings can be configured as long as the maximum relay information option size is not exceeded.
You can also configure any number of DHCP pools for the DHCP server to use in assigning IP addresses. A single pool can be used for a basic configuration, or you can optionally create separate pools for cable modems and CPE devices. You can also use DHCP address pools to provide special services, such as static IP addresses, to customers who are paying for those service.
When creating multiple DHCP pools, you can configure them independently, or you can optionally create a hierarchical structure of pools that are organized according to their network numbers. A DHCP pool that has a network number that is a subset of another pool’s network number inherits all of the characteristics of the larger pool. In addition to the inherited characteristics, you can further customize each pool with any number of options.
The advantage of DHCP pools is that you can create a number of different DHCP configurations for particular customers or applications, without having to repeat CLI commands for the parameters that the pools have in common. You can also change the configuration of one pool without affecting customers in other pools.
The Cisco CMTS router provides the following optional configurations that can enhance the operation and security of external DHCP servers that you are using on the DOCSIS cable network:
To combat theft-of-service attacks, you can enable the cable source-verify command on the cable interfaces on the Cisco CMTS router. This feature uses the router’s internal database to verify the validity of the IP packets that the CMTS receives on the cable interfaces, and provides three levels of protection:
The Source Address Verification (SAV) feature verifies the source IP address of an upstream packet to ensure that the SID/MAC and IP are consistent. The DOCSIS 3.0 Security Specification introduces prefix-based SAV where every CM may have static IPv4 or IPv6 prefixes configured. These prefixes are either preconfigured on the CMTS, or are communicated to the CMTS during CM registration. The Cisco CMTS uses these configured prefixes to verify the source IP address of all the incoming packets from that CM.
An SAV group is a collection of prefixes. A prefix is an IPv4 or IPv6 subnet address. You can use the cable source-verify group command in global configuration mode to configure SAV groups. A total of 255 SAV groups are supported on a CMTS, with each SAV group having a maximum of four prefixes. Prefixes can be configured using the prefix command.
During registration, CMs communicate their configured static prefixes to the CMTS using two TLVs, 43.7.1 and 43.7.2. The TLV 43.7.1 specifies the SAV prefix group name that the CM belongs to, and TLV 43.7.2 specifies the actual IPv4 or IPv6 prefix. Each CM can have a maximum of four prefixes configured. When the Cisco CMTS receives these TLVs, it first identifies if the specified SAV group and the prefixes are already configured on the Cisco CMTS. If they are configured, the Cisco CMTS associates them to the registering CM. However if they are not configured, the Cisco CMTS automatically creates the specified SAV group and prefixes before associating them to the registering CM.
The SAV group name and the prefixes that are provided by these TLVs are considered valid by the Cisco CMTS. The packets received (from the CM) with the source IP address belonging to the prefix specified by the TLV are considered authorized. For example, if a given CM has been configured with an SAV prefix of 10.10.10.0/24, then any packet received from this CM (or CPE behind the CM) that is sourced with this address in the subnet 10.10.10.0/24 is considered to be authorized.
For more information on how to configure SAV groups and prefixes see Configuring Prefix-based Source Address Verification.
The Cisco CMTS supports a Smart Relay feature (the ip dhcp smart-relay command), which automatically switches a cable modem or CPE device to secondary DHCP servers or address pools if the primary server runs out of IP addresses or otherwise fails to respond with an IP address. The relay agent attempts to forward DHCP requests to the primary server three times. After three attempts with no successful response from the primary, the relay agent automatically switches to the secondary server.
When you are using the cable dhcp-giaddr policy command to specify that the CPE devices should use the secondary DHCP pools corresponding to the secondary addresses on a cable interface, the smart relay agent automatically rotates through the available secondary in a round robin fashion until an available pool of addresses is found. This ensures that clients are not locked out of the network because a particular pool has been exhausted.
When using separate IP address pools for cable modems and CPE devices, you can use the cable dhcp-giaddr policy command to specify that cable modems should use an address from the primary pool and that CPE devices should use addresses from the secondary pool. The default is for the CMTS to send all DHCP requests to the primary DHCP server, while the secondary servers are used only if the primary server does not respond. The different DHCP servers are specified using the cable helper commands.
Beginning with Cisco IOS Release 12.2(33)SCD5, the GIADDR option simply changes the source IP address of the DHCP request so that the DHCP server can use different subnets to assign the right IP address depending on the types of CPE devices (namely cable modems, media terminal adapters [MTA], portal servers [PS], and set-top boxes [STB]). This enables faster processing of IP addresses; and in case the IP address does not belong to the subnets on the DHCP server, there is minimal usage of CPU resources.
The Cisco IOS Release 12.2(33)SCF2 introduces support for the DHCP Relay Agent Information sub-option (DHCP Option 82, Suboption 9) enhancement to simplify provisioning of the CPE devices. Using this sub-option, the cable operators can relay the service class or QoS information of the CPE to the DHCP server to get an appropriate IP address.
To provision a CPE, the DHCP server should be made aware of the service class or QoS information of the CPE. The DHCP server obtains this information using the DHCP DISCOVER message, which includes the service class or QoS information of the CM behind which the CPE resides.
During the provisioning process, the Cisco CMTS uses the DHCPv4 Relay Agent Information sub-option to advertise information about the service class or QoS profile of the CMs to the DHCP server. Using the same technique, the CPE information is relayed to the DHCP server to get an appropriate IP address.
To enable the service classes option, the service class name specified in the CM configuration file must be configured on the Cisco CMTS. This is done by using the cable dhcp-insert service-class command.
To configure service-class or QoS-profile on the Cisco CMTS, see Configuring DHCP Service.
Note | To insert service class relay agent information option into the DHCP DISCOVER messages, the ip dhcp relay information option-insert command must be configured on the bundle interface. |
The Cisco CMTS can function as a ToD server that provides the current date and time to the cable modems and other customer premises equipment (CPE) devices connected to its cable interfaces. This allows the cable modems and CPE devices to accurately timestamp their Simple Network Management Protocol (SNMP) messages and error log entries, as well as ensure that all of the system clocks on the cable network are synchronized to the same system time.
Tip | The initial ToD server on the Cisco CMTS did not work with some cable modems that used an incompatible packet format. This problem was resolved in Cisco IOS Release 12.1(8)EC1 and later 12.1 EC releases, and in Cisco IOS Release 12.2(4)BC1 and later 12.2 BC releases. |
The DOCSIS 1.0 and 1.1 specifications require that all DOCSIS cable modems request the following time-related fields in the DHCP request they send during their initial power-on provisioning:
After a cable modem successfully acquires a DHCP lease time, it then attempts to contact one of the ToD servers provided in the list provided by the DHCP server. If successful, the cable modem updates its system clock with the time offset and timestamp received from the ToD server.
If a ToD server cannot be reached or if it does not respond, the cable modem eventually times out, logs the failure with the CMTS, and continues on with the initialization process. The cable modem can come online without receiving a reply from a ToD server, but it must periodically continue to reach the ToD server at least once in every five-minute period until it successfully receives a ToD reply. Until it reaches a ToD server, the cable modem must initialize its system clock to midnight on January 1, 1970 GMT.
Note | Initial versions of the DOCSIS 1.0 specification specified that the cable device must obtain a valid response from a ToD server before continuing with the initialization process. This requirement was removed in the released DOCSIS 1.0 specification and in the DOCSIS 1.1 specifications. Cable devices running older firmware that is compliant with the initial DOCSIS 1.0 specification, however, might require receiving a reply from a ToD server before being able to come online. |
Because cable modems will repeatedly retry connecting with a ToD server until they receive a successful reply, you should consider activating the ToD server on the Cisco CMTS, even if you have one or more other ToD servers at the headend. This ensures that an online cable modem will always be able to connect with the ToD server on the Cisco CMTS, even if the other servers go down or are unreachable because of network congestion, and therefore will not send repeated ToD requests.
Tip | To be able to use the Cisco CMTS as the ToD server, either alone or with other, external servers, you must configure the DHCP server to provide the IP address Cisco CMTS as one of the valid ToD servers (DHCP option 4) for cable modems. See Creating and Configuring a DHCP Address Pool for Cable Modems for details on this configuration. |
In addition, although the DOCSIS specifications do not require that a cable modem successfully obtain a response from a ToD server before coming online, not obtaining a timestamp could prevent the cable modem from coming online in the following situations:
Note | DOCSIS cable modems must use RFC 868 -compliant ToD server to obtain the current system time. They cannot use the Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP) service for this purpose. However, the Cisco CMTS can use an NTP or SNTP server to set its own system clock, which can then be used by the ToD server. Otherwise, you must manually set the clock on the CMTS using the clock set command each time that the CMTS boots up. |
Tip | Additional servers can be provided by workstations or PCs installed at the cable headend. UNIX and Solaris systems typically include a ToD server as part of the operating system, which can be enabled by putting the appropriate line in the inetd.conf file. Windows systems can use shareware servers such as Greyware and Tardis. The DOCSIS specifications require that the ToD servers use the User Datagram Protocol (UDP) protocol instead of the TCP protocol for its packets. |
All Cisco CMTS platforms can be configured to provide a TFTP server that can provide the following types of files to DOCSIS cable modems:
Note | Do not confuse the DOCSIS configuration file with the Cisco IOS configuration file. The DOCSIS configuration file is a binary file in the particular format that is specified by the DOCSIS specifications, and each DOCSIS cable modem must download a valid file before coming online. In contrast, the Cisco IOS configuration file is an ASCII text file that contains one or more Cisco IOS CLI configuration commands. Only Cisco cable devices can download a Cisco IOS file. |
All Cisco CMTS platforms can be configured as TFTP servers that can upload these files to the cable modem. The files can reside on any valid device but typically should be copied to the Flash memory device inserted into the Flash disk slot on the Cisco CMTS.
In addition, the Cisco CMTS platform supports an internal DOCSIS configuration file editor in Cisco IOS Release 12.1(2)EC, Cisco IOS Release 12.2(4)BC1, and later releases. When you create a DOCSIS configuration file using the internal configuration file editor, the CMTS stores the configuration file in the form of CLI commands. When a cable modem requests the DOCSIS configuration file, the CMTS then dynamically creates the binary version of the file and uploads it to the cable modem.
Note | The internal DOCSIS configuration file editor supports only DOCSIS 1.0 configuration files. To create DOCSIS 1.1 configuration files, you must use a separate configuration editor, such as the Cisco DOCSIS Configurator tool, which at the time of this document’s publication is available on Cisco.com at the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/cpe-conf |
For enhanced security, current versions of Cisco IOS software for Cisco CMTS platforms include a “TFTP Enforce” feature (cable tftp-enforce command) that allows you to require that all cable modems must attempt a TFTP download through the cable interface before being allowed to come online. This prevents a common theft-of-service attack in which hackers reconfigure their local network so that a local TFTP server downloads an unauthorized DOCSIS configuration file to the cable modem. This ensures that cable modems download only a DOCSIS configuration file that provides the services they are authorized to use.
See the following configuration tasks required to configure DHCP service, time-of-day service, and TFTP service on a Cisco CMTS:
All procedures are required unless marked as optional (depending on the desired network configuration and applications).
To configure the DHCP server on the Cisco CMTS, use the following procedures to create the required address pools for the server to use. You can create one pool for all DHCP requests (cable modems and CPE devices), or separate pools for cable modems and for CPE devices, as desired.
To use the DHCP server on the Cisco CMTS, you must create at least one address pool that defines the IP addresses and other network parameters that are given to cable modems that make DHCP requests. To create an address pool, use the following procedure, beginning in EXEC mode. Repeat this procedure as needed to create additional address pools.
In addition to providing IP addresses for cable modems, the DHCP server on the Cisco CMTS server can optionally provide IP addresses and other network parameters to the customer premises equipment (CPE) devices that are connected to the cable modems on the network. To do so, create a DHCP address pool for those CPE devices, using the following procedure, beginning in EXEC mode. Repeat this procedure as needed to create additional address pools.
Note | You can use the same address pools for cable modems and CPE devices, but it simplifies network management to maintain separate pools. |
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | enable
Example: Router> enable |
Enables privileged EXEC mode. Enter your password if prompted. | ||
Step 2 | configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 | ip
dhcp
pool
name
Example: Router(config)# ip dhcp pool local |
Creates a DHCP address pool and enters DHCP pool configuration file mode. The name can be either an arbitrary string, such as service, or a number, such as 1. | ||
Step 4 | network
network-number
[mask ]
Example: Router(dhcp-config)# network 10.10.10.0 255.255.0.0 |
Configures the address pool with the specified network-number and subnet mask , which are the DHCP yiaddr field and Subnet Mask (DHCP option 1) field. If you do not specify the mask value, it defaults to 255.255.255.255.
| ||
Step 5 | default-router
address [address2
...address8 ]
Example: Router(dhcp-config)# default-router 10.10.10.12 |
Specifies the IP address for the Router Option (DHCP option 3) field, which is the default router for the cable modems and CPE devices in this address pool. You must specify at least one IP address, and can optionally specify up to eight IP addresses, where the default routers are listed in order of preference (address is the most preferred server, address2 is the next most preferred, and so on). | ||
Step 6 | dns-server
address [address2
...address8 ]
Example: Router(dhcp-config)# dns-server 10.10.10.13 |
Specifies one or more IP address for the Domain Name Server Option (DHCP option 6) field, which are the domain name system (DNS) servers that will resolve host names to IP addresses for the CPE devices. You must specify at least one IP address, and can optionally specify up to eight IP addresses, listed in order of preference. | ||
Step 7 | domain-namedomain
Example: Router(dhcp-config)# domain-name cisco.com |
Specifies the Domain Name (DHCP option 15) field, which is the fully-qualified domain name that the CPE devices should add to their hostnames. The domain parameter should be the domain name used by devices on the cable network. | ||
Step 8 | lease {days
[hours ][minutes
]|infinite}
Example: Router(dhcp-config)# lease 0 12 30 |
Specifies the IP Address Lease Time (option 51), which is the duration of the lease for the IP address that is assigned to the CPE device. Before the lease expires, the CPE device must make another DHCP request to remain online. The default is one day. You can specify the lease time as follows:
| ||
Step 9 | client-identifier
unique-identifier
Example: Router(dhcp-config)# client-identifier 0100.0C01.0203.04 |
(Optional) Specifies the MAC address that identifies a particular CPE device that should receive the parameters from this pool. The unique-identifier is created by combining the one-byte Ethernet identifier (“01”) with the six-byte MAC address for the device. For example, so specify a device with the MAC address of 9988.7766.5544, specify a unique-identifier of 0199.8877.6655.44.
| ||
Step 10 | cable
dhcp-insert
{downstream-description |
hostname |
service-class
|
upstream-description}
Example: Router(dhcp-config)# cable dhcp-insert service-class |
(Optional) Specifies which descriptors to append to DHCP packets. The DHCP server can then use these descriptors to identify CPEs and extract geographical information:
| ||
Step 11 | exit
Example: Router(dhcp-config)# exit |
Exits DHCP configuration mode. | ||
Step 12 | exit
Example: Router(config)# exit |
Exits global configuration mode. |
This section provides procedures for enabling and disabling the time-of-day (ToD) server on the Cisco CMTS routers.
To be able to use the Cisco CMTS as the ToD server, either alone or with other, external servers, you must configure the DHCP server to provide the IP address Cisco CMTS as one of the valid ToD servers (DHCP option 4) for cable modems. See "Creating and Configuring a DHCP Address Pool for Cable Modems" section for details on this configuration when using the internal DHCP server.
To enable the ToD server on a Cisco CMTS, use the following procedure, beginning in EXEC mode.
Command or Action | Purpose | |
---|---|---|
Step 1 | enable
Example: Router> enable Router# |
Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure
terminal
Example: Router# configure terminal Router(config)# |
Enters global configuration mode. |
Step 3 | service
udp-small-servers
max-servers
no-limit
Example: Router(config)# service udp-small-servers max-servers no-limit Router(config)# |
Enables use of minor servers that use the UDP protocol (such as ToD, echo, chargen, and discard). The max-servers no-limit option allows a large number of cable modems to obtain the ToD server at one time, in the event that a cable or power failure forces many cable modems offline. When the problem has been resolved, the cable modems can quickly reconnect. |
Step 4 | cable
time-server
Example: Router(config)# cable time-server Router(config)# |
Enables the ToD server on the Cisco CMTS. |
Step 5 | exit
Example: Router(config)# exit Router# |
Exits global configuration mode. |
To disable the ToD server, use the following procedure, beginning in EXEC mode.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | enable
Example: Router> enable Router# |
Enables privileged EXEC mode. Enter your password if prompted. | ||
Step 2 | configure
terminal
Example: Router# configure terminal Router(config)# |
Enters global configuration mode. | ||
Step 3 | no
cable
time-server
Example: Router(config)# cable time-server Router(config)# |
Disables the ToD server on the Cisco CMTS. | ||
Step 4 | no
service
udp-small-servers
Example: Router(config)# no service udp-small-servers Router(config)# |
(Optional) Disables the use of all minor UDP servers.
| ||
Step 5 | exit
Example: Router(config)# exit Router# |
Exits global configuration mode. |
To configure TFTP service on a Cisco CMTS where the CMTS can act as a TFTP server and download a DOCSIS configuration file to cable modems, perform the following steps:
Create the DOCSIS configuration files using the DOCSIS configuration editor of your choice.
You can also use the internal DOCSIS configuration file editor on the Cisco CMTS to create DOCSIS configuration files.
Note | If you are using the internal DOCSIS configuration editor on the Cisco CMTS to create the DOCSIS configuration files, you do not need to copy the files to a Flash memory device because they are already part of the router’s configuration. |
Each configuration task is required unless otherwise listed as optional.
Step 1 | Use the
show
file
systems command to display the Flash memory cards
that are available on your CMTS, along with the free space on each card and the
appropriate device names to use to access each card.
Most configurations of the Cisco CMTS platforms support both linear Flash and Flash disk memory cards. Linear Flash memory is accessed using the slot0 (or flash) and slot1 device names. Flash disk memory is accessed using the disk0 and disk1 device names. For example, the following command shows a Cisco uBR7200 series router that has two linear Flash memory cards installed. The cards can be accessed by the slot0 (or flash) and slot1 device names. Example: Router# show file systems File Systems: Size(b) Free(b) Type Flags Prefixes 48755200 48747008 flash rw slot0: flash: 16384000 14284000 flash rw slot1: 32768000 31232884 flash rw bootflash: * - - disk rw disk0: - - disk rw disk1: - - opaque rw system: - - opaque rw null: - - network rw tftp: 522232 507263 nvram rw nvram: - - network rw rcp: - - network rw ftp: - - network rw scp: Router# The following example shows a Cisco uBR10012 router that has two Flash disk cards installed. These cards can be accessed by the disk0 and sec-disk0 device names. Example: Router# show file systems File Systems: Size(b) Free(b) Type Flags Prefixes - - flash rw slot0: flash: - - flash rw slot1: 32768000 29630876 flash rw bootflash: * 128094208 95346688 disk rw disk0: - - disk rw disk1: - - opaque rw system: - - flash rw sec-slot0: - - flash rw sec-slot1: * 128094208 95346688 disk rw sec-disk0: - - disk rw sec-disk1: 32768000 29630876 flash rw sec-bootflash: - - nvram rw sec-nvram: - - opaque rw null: - - network rw tftp: 522232 505523 nvram rw nvram: - - network rw rcp: - - network rw ftp: - - network rw scp: Router#
| ||
Step 2 | Verify that the desired Flash memory card has sufficient free space for all of the files that you want to copy to the CMTS. | ||
Step 3 | Use the
ping command
to verify that the remote TFTP server that contains the desired files is
reachable. For example, the following shows a
ping command
being given to an external TFTP server with the IP address of 10.10.10.1:
Example: Router# ping 10.10.10.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/6 ms | ||
Step 4 | Use the
copy
tftp
devname
command to copy each file from the external TFTP server to
the appropriate Flash memory card on the CMTS, where
devname is
the device name for the destination Flash memory card. You will then be
prompted for the IP address for the external TFTP server and the filename for
the file to be transferred.
The following example shows the file docsis.cm being transferred from the external TFTP server at IP address 10.10.10.1 to the first Flash memory disk (disk0): Example: Router# copy tftp disk0 Address or name of remote host []? 10.10.10.1 Source filename []? config-files/docsis.cm Destination filename [docsis.cm]? Accessing tftp://10.10.10.1/config-file/docsis.cm...... Loading docsis.cm from 10.10.10.1 (via Ethernet2/0): !!! [OK - 276/4096 bytes] 276 bytes copied in 0.152 secs Router# | ||
Step 5 | Repeat Step 4 as needed to copy all of the files from the external TFTP server to the Flash memory card on the Cisco CMTS. | ||
Step 6 | Use the
dir command
to verify that the Flash memory card contains all of the transferred files.
Example: Router# dir disk0: Directory of disk0:/ 1 -rw- 10705784 May 30 2002 19:12:46 ubr10k-p6-mz.122-2.8.BC 2 -rw- 4772 Jun 20 2002 18:12:56 running.cfg.save 3 -rw- 241 Jul 31 2002 18:25:46 gold.cm 4 -rw- 225 Jul 31 2002 18:25:46 silver.cm 5 -rw- 231 Jul 31 2002 18:25:46 bronze.cm 6 -rw- 74 Oct 11 2002 21:41:14 disable.cm 7 -rw- 2934028 May 30 2002 11:22:12 ubr924-k8y5-mz.bin 8 -rw- 3255196 Jun 28 2002 13:53:14 ubr925-k9v9y5-mz.bin 128094208 bytes total (114346688 bytes free) Router# | ||
Step 7 | Use the
configure
terminal command to enter global configuration
mode:
Example: Router# configure terminal Router(config)# | ||
Step 8 | Use the
tftp-server
command to specify which particular files can be transferred
by the TFTP server that is onboard the Cisco CMTS. You can also use the
alias option
to specify a different filename that the DHCP server can use to refer to the
file. For example, the following commands enable the TFTP transfer of the
configuration files and software upgrade files:
Example: Router(config)# tftp-server disk0:gold.cm alias gold.cm Router(config)# tftp-server disk0:silver.cm alias silver.cm Router(config)# tftp-server disk0:bronze.cm alias bronze.cm Router(config)# tftp-server disk0:ubr924-k8y5-mz.bin alias ubr924-codefile Router(config)# tftp-server disk0:ubr925-k9v9y5-mz.bin alias ubr925-codefile Router(config)#
| ||
Step 9 | (Optional)
Use the following command to enable the use of the UDP small servers, and to
allow an unlimited number of connections at one time. This will allow a large
number of cable modems that have gone offline due to cable or power failure to
rapidly come back online.
Example: Router(config)# service udp-small-servers max-servers no-limit Router(config)# | ||
Step 10 | (Optional)
Use the
cable
tftp-enforce command in interface configuration
mode to require that each cable modem perform a TFTP download of its DOCSIS
configuration file through its cable interface with the CMTS before being
allowed to come online. This can prevent the most common types of
theft-of-service attacks in which users configure their local networks so as to
download an unauthorized configuration file to their cable modems.
Example: Router(config)# interface cable x/y Router(config-if)# cable tftp-enforce Router(config-if)# You can also specify the mark-only option so that cable modems can come online without attempting a TFTP download, but the cable modems are marked in the show cable modems command so that network administrators can investigate the situation further before taking any action. Example: Router(config)# interface cable x/y Router(config-if)# cable tftp-enforce mark-only Router(config-if)# |
The basic all-in-one configuration requires configuring the DHCP, ToD, and TFTP servers, as described in the following sections in this document:
You must also have the necessary DOCSIS configuration files available for the TFTP server. You can do this in two ways:
For an example of a basic all-in-one configuration, see the Basic All-in-One Configuration Example.
The advanced all-in-one configuration sample is identical to the basic configuration except that it uses a hierarchy of DHCP pools. Any DHCP pool with a network number that is a subset of another pool's network number inherits all the characteristics of that other pool. This saves having to repeat identical commands in the multiple DHCP pool configurations.
For information on the required tasks, see the following sections in this guide:
You must also have the necessary DOCSIS configuration files available for the TFTP server. You can do this in two ways:
For an example of an advanced all-in-one configuration, see the Advanced All-in-One Configuration Example.
The Cisco CMTS offers a number of options that can optimize the operation of external DHCP servers on a DOCSIS cable network. See the following sections for details. All procedures are optional, depending on the needs of your network and application servers.
To enhance security when using external DHCP servers, you can optionally configure the Cable Source Verify feature with the following procedure.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | enable
Example: Router> enable Router# |
Enables privileged EXEC mode. Enter your password if prompted. | ||
Step 2 | configure
terminal
Example: Router# configure terminal Router(config)# |
Enters global configuration mode. | ||
Step 3 | interface
cable
x/y
Example: Router(config)# interface cable 4/0 Router(config-if)# |
Enters cable interface configuration mode for the specified cable interface. | ||
Step 4 | cable
source-verify [dhcp |
leasetimer
value ]
Example: Router(config-if)# cable source-verify dhcp Example: Router(config-if)# cable source-verify leasetimer 30 Router(config-if)# |
(Optional) Ensures that the CMTS allows network access only to those IP addresses that DCHP servers issued to devices on this cable interface. The CMTS examines DHCP packets that pass through the cable interfaces to build a database of which IP addresses are valid on which interface.
| ||
Step 5 | no
cable
arp
Example: Router(config-if)# no cable arp Router(config-if)# |
(Optional) Blocks Address Resolution Protocol (ARP) requests originating from devices on the cable network. Use this command, together with the cable source-verify dhcp command, to block certain types of theft-of-service attacks that attempt to hijack or spoof IP addresses.
| ||
Step 6 | exit
Example: Router(config-if)# exit Router(config)# |
Exits interface configuration mode. | ||
Step 7 | ip
dhcp
relay
information
option
Example: Router(config)# ip dhcp relay information option Router(config)# |
(Optional) Enables the CMTS to insert DHCP relay information (DHCP option 82) in relayed DHCP packets. This allows the DHCP server to store accurate information about which CPE devices are using which cable modems. You should use this command if you are also using the cable source-verify dhcp command.
| ||
Step 8 | exit
Example:
Router(config)# exit Router# |
Exits global configuration mode.
|
To enhance security when using external DHCP servers, you can configure a prefix-based SAV with the following procedure, beginning in global configuration (config) mode.
Command or Action | Purpose | |
---|---|---|
Step 1 | enable
Example: Router> enable Router# |
Enables privileged EXEC mode. Enter your password if prompted. |
Step 2 | configure
terminal
Example: Router# configure terminal Router(config)# |
Enters global configuration mode. |
Step 3 | cable source-verify enable-sav-static
Example: Router# cable source-verify enable-sav-static Router(config)# |
Enables SAV prefix processing on the Cisco CMTS. |
Step 4 | cable
source-verify
group
groupname
Example: Router(config)# cable source-verify group sav-1 |
Configures the SAV group name. groupname— Name of the SAV group with a maximum length of 16 characters. |
Step 5 | prefix
[ipv4_prefix/ipv4_prefix_length
|
ipv6_prefix/ipv6_prefix_length ]
Example: Router(config-sav)# prefix 10.10.10.0/24 Router(config-sav)# |
Configures the IPv4 or IPv6 prefix associated with the SAV group.
A maximum of four prefixes can be configured in a single SAV group. These prefixes can be either IPv4s, IPv6s, or a combination of both. |
Step 6 | exit
Example: Router(config-sav)# exit |
Exits SAV configuration mode. |
Step 7 | exit
Example: Router(config)# exit |
Exits global configuration mode. |
When using an external DHCP server, the Cisco CMTS supports a number of options that can enhance operation of the cable network in certain applications. To configure these options, use the following procedure, beginning in EXEC mode.
Command or Action | Purpose | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Step 1 | enable
Example: Router> enable Router# |
Enables privileged EXEC mode. Enter your password if prompted. | ||||||||||
Step 2 | configure
terminal
Example: Router# configure terminal Router(config)# |
Enters global configuration mode. | ||||||||||
Step 3 | ip
dhcp
smart-relay
Example: Router(config)# ip dhcp smart-relay Router(config)# |
(Optional) Enables the DHCP relay agent on the CMTS to automatically switch a cable modem or CPE device to a secondary DHCP server or address pool if the primary DHCP server does not respond to three successive requests. If multiple secondary servers have been defined, the relay agent forwards DHCP requests to the secondary servers in a round robin fashion. | ||||||||||
Step 4 | ip
dhcp
ping
packet
0
Example: Router(config)# ip dhcp ping packet 0 Router(config)# |
(Optional) Instructs the DHCP server to assign an IP address from its pool without first sending an ICMP ping to test whether a client is already currently using that IP address. Disabling the ping option can speed up address assignment when a large number of modems are trying to connect at the same time. However, disabling the ping option can also result in duplicate IP addresses being assigned if users assign unauthorized static IP addresses to their CPE devices.
| ||||||||||
Step 5 | ip
dhcp
relay
information
check
Example: Router(config)# ip dhcp relay information check Router(config)# |
(Optional) Configures the DHCP server to validate the relay agent information option in forwarded BOOTREPLY messages. Invalid messages are dropped.
| ||||||||||
Step 6 | interface
cable
x/y
Example: Router(config)# interface cable 4/0 Router(config-if)# |
Enters cable interface configuration mode for the specified cable interface. | ||||||||||
Step 7 | cable
dhcp-giaddr
policy [host
|
stb
|
mta
|
ps]
giaddr
Example: Router(config-if)# cable dhcp-giaddr policy mta 172.1.1.10 Router(config-if)# |
Sets the DHCP GIADDR field for DHCP request packets to the primary address for cable modems, and the secondary address for CPE devices. This enables the use of separate address pools for different clients.
| ||||||||||
Step 8 | cable
helper-address
address
[cable-modem
|
host
|
mta
|
stb]
Example: Router(config-if)# cable helper-address 10.10.10.13 Router(config-if)# |
(Optional) Enables load-balancing of DHCP requests from cable modems and CPE devices by specifying different DHCP servers according to the cable interface or subinterface. You can also specify separate servers for cable modems and CPE devices.
| ||||||||||
Step 9 | cable
dhcp-parse
option-optnum
Example: Router(config-if)# cable dhcp-parse option-43 Router(config-if)# |
(Optional) Enables the parsing of certain DHCP options.
| ||||||||||
Step 10 | cable
dhcp-giaddr
policy
Example: Router(config-if)# cable dhcp-giaddr policy |
Selects the control policy, so the primary address is used for cable modems and the secondary addresses are used for hosts and other customer premises equipment (CPE) devices. This setting is typically used when the CMs on the interface are configured for routing mode, so that the cabel modems and hosts can use IP addresses on different subnets. | ||||||||||
Step 11 | exit
Example: Router(config-if)# exit Router(config)# |
Exits interface configuration mode. | ||||||||||
Step 12 | exit
Example: Router(config)# exit Router# |
Exits global configuration mode. |
This section provides examples for the following configurations:
The following sections gave sample configurations for configuring DHCP pools for cable modems and CPE devices:
The following examples show three typical DHCP pools for cable modems. Each pool includes the following fields:
! ip dhcp pool cm-platinum network 10.128.4.0 255.255.255.0 bootfile platinum.cm next-server 10.128.4.1 default-router 10.128.4.1 option 2 hex ffff.8f80 option 4 ip 10.1.4.1 option 7 ip 10.1.4.1 lease 7 0 10 ! ip dhcp pool cm-gold network 10.129.4.0 255.255.255.0 bootfile gold.cm next-server 10.129.4.1 default-router 10.129.4.1 option 2 hex ffff.8f80 option 4 ip 10.1.4.1 option 7 ip 10.1.4.1 lease 7 0 10 ! ip dhcp pool cm-silver network 10.130.4.0 255.255.255.0 bootfile silver.cm next-server 10.130.4.1 default-router 10.130.4.1 option 2 hex ffff.8f80 option 4 ip 10.1.4.1 option 7 ip 10.1.4.1 lease 7 0 10
The following examples shows typical DHCP pool configurations for cable modems that disable network access for their attached CPE devices. With this configuration, the cable modem can come online and is able to communicate with the CMTS, but the CPE devices cannot access the cable network. Each pool includes the following fields:
! ip dhcp pool DisabledModem(0010.aaaa.0001) host 10.128.1.9 255.255.255.0 client-identifier 0100.10aa.aa00.01 bootfile disable.cm ! ip dhcp pool DisabledModem(0020.bbbb.0002) host 10.128.1.10 255.255.255.0 client-identifier 0100.20bb.bb00.02 bootfile disable.cm ip dhcp pool DisabledModem(1010.9581.7f66) host 10.128.1.11 255.255.255.0 client-identifier 0100.1095.817f.66 bootfile disable.cm
The following examples show a typical DHCP pool for CPE devices. Each pool includes the following fields:
! ip dhcp pool hosts network 10.254.1.0 255.255.255.0 default-router 10.254.1.1 dns-server 10.254.1.1 10.128.1.1 domain-name ExamplesDomainName.com lease 7 0 10 !
The following example shows a DHCP pool that assigns a permanent, static IP address to a particular CPE device. This example is identical to the previous pool except for the following commands:
! ip dhcp pool staticPC(0001.dddd.0001) host 10.254.1.12 255.255.255.0 client-identifier 0100.01dd.dd00.01 default-router 10.254.1.1 dns-server 10.254.1.1 10.128.1.1 domain-name ExamplesDomainName.com lease 7 0 10
The following example shows a typical ToD server configuration:
service udp-small-servers max-servers no-limit cable time-server
These are the only commands required to enable the ToD server.
The following lines are an excerpt from a configuration that includes a TFTP server. Change the files listed with the tftp-server command to match the specific files that are on your system.
! Enable the user of unlimited small servers service udp-small-servers max-servers no-limit ! ... ! Enable the TFTP server and specify the files that can be ! downloaded along with their aliases tftp-server disk0:gold.cm alias gold.cm tftp-server disk0:silver.cm alias silver.cm tftp-server disk0:bronze.cm alias bronze.cm tftp-server disk0:ubr924-k8y5-mz.bin alias ubr924-codefile tftp-server disk0:ubr925-k9v9y5-mz.bin alias ubr925-codefile
The basic “all-in-one configuration” sample below summarizes all the components described in examples in the Configuration Examples. Five DOCSIS configuration files are available. The internal DOCSIS configuration file editor has been used to create four (platinum.cm, gold.cm, silver.cm, and disable.cm), and the fifth file, bronze.cm, has been loaded on to the slot0 Flash memory device. The disable.cm file disables network access for all CPE devices attached to a cable modem, and the other four files provide different levels of Quality-of-Service (QoS).
The configuration has two DHCP pools with two different address spaces. One pool provides IP addresses and platinum-level service for cable modems, and the other pool provides IP addresses for CPE devices.
! version 12.1 no service pad ! provides nice timestamps on all log messages service timestamps debug datetime msec localtime service timestamps log uptime ! turn service password-encryption on to encrypt passwords no service password-encryption ! provides additional space for longer configuration file service compress-config ! supports a large number of modems / hosts attaching quickly service udp-small-servers max-servers no-limit ! hostname Router ! boot system disk0: ! no cable qos permission create no cable qos permission update cable qos permission modems ! permits cable modems to obtain Time of Day (TOD) from uBR7100 cable time-server ! ! High performance DOCSIS config file, additional options may be added ! 10 Mbit/sec download, 128 Kbit/sec upload speed, 10 Kbit/sec guaranteed upstream ! NOTE: cable upstream 0 admission-control 150 will prevent modems from ! connecting after 150% of guaranteed-bandwidth has been allocated to ! registered modems. This can be used for peek load balancing. ! max-burst 1600 prevents a modem with concatenation turned on from consuming ! too much wire time, and interfering with VoIP traffic. ! cpe max 8 limits the modem to 8 hosts connected before the CMTS refuses ! additional host MAC addresses. ! Timestamp option makes the config file only valid for a short period of time. ! cable config-file platinum.cm service-class 1 max-upstream 128 service-class 1 guaranteed-upstream 10 service-class 1 max-downstream 10000 service-class 1 max-burst 1600 cpe max 8 timestamp ! ! Medium performance DOCSIS config file, additional options may be added ! 5 Mbit/sec download, 128 Kbit/sec upload speed ! cable config-file gold.cm service-class 1 max-upstream 64 service-class 1 max-downstream 5000 service-class 1 max-burst 1600 cpe max 3 timestamp ! ! Low performance DOCSIS config file, additional options may be added ! 1 Mbit/sec download, 64 Kbit/sec upload speed ! cable config-file silver.cm service-class 1 max-upstream 64 service-class 1 max-downstream 1000 service-class 1 max-burst 1600 cpe max 1 timestamp ! ! No Access DOCSIS config file, used to correctly shut down an unused cable modem ! 1 kbit/sec download, 1 Kbit/sec upload speed, with USB/ethernet port shut down. ! cable config-file disable.cm access-denied service-class 1 max-upstream 1 service-class 1 max-downstream 1 service-class 1 max-burst 1600 cpe max 1 timestamp ! ip subnet-zero ! Turn on cef switching / routing, anything but process switching (no ip route-cache) ip cef ip cef accounting per-prefix ! Disables the finger server no ip finger ! Prevents CMTS from looking up domain names / attempting to connect to ! machines when mistyping commands no ip domain-lookup ! Prevents issuance of IP address that is already in use. ip dhcp ping packets 1 ! ! DHCP reply settings for DOCSIS cable modems. ! All settings here are "default response settings" for this DHCP pool. ! DOCSIS bootfile (cable modem config-file) as defined above ! next-server = IP address of server which sends bootfile ! default-router = default gateway for cable modems, necessary to get DOCSIS files ! option 4 = TOD server IP address ! option 2 = Time offset for TOD, in seconds, HEX, from GMT, -28,000 = PST = ffff.8f80 ! option 7 = Optional SYSLOG server ! Lease length, in days, hours, minutes ! ip dhcp pool CableModems-Platinum network 10.128.1.0 255.255.255.0 bootfile platinum.cm next-server 10.128.1.1 default-router 10.128.1.1 option 2 hex ffff.8f80 option 4 ip 10.128.1.1 option 7 ip 10.128.1.1 lease 7 0 10 ! ! DHCP reply settings for IP hosts behind DOCSIS cable modems. ! All settings here are "default response settings" for this DHCP pool. ! default-router = default gateway for cable modems, necessary to get DOCSIS files ! dns-server = IP address for DNS server, place up to 8 addresses on the same ! line as a list ! NOTE: changing the DNS-server on a Windows PC, Mac, or Unix box require ! reloading the OS, but changing it in the DHCP response is quick and easy. ! domain-name = default domain name for the host ! Lease length, in days, hours, minutes ! ip dhcp pool hosts network 10.254.1.0 255.255.255.0 default-router 10.254.1.1 dns-server 10.254.1.1 10.128.1.1 domain-name ExamplesDomainName.com lease 1 0 10 ! ! ! interface FastEthernet0/0 ip address 10.17.123.1 255.255.255.0 no ip mroute-cache no shutdown duplex auto speed auto ! interface FastEthernet0/1 no ip address no ip mroute-cache shutdown duplex auto speed auto ! ! Primary address is for cable modems, use only one, so make it large enough! ! Secondary addresses are for hosts, use as many as necessary ! These addresses must match the remainder of the configuration file, ! or modems won't work. ! cable downstream frequency sets the upconverter frequency ! cable down rf-power 55, sets the upconverter output power in dBmV ! each upstream interface can have a description, use it! ! All four upstreams have been set to the same default frequency, don't ! connect wire them together while on the same frequency! ! cable upstream 0 admission-control 150: limits the number of modems ! which can connect with guaranteed-bandwidth. ! NOTE: will prevent some modems from connecting once this limit is hit. ! ! High security option: ! no cable arp: prevents the uBR7100 from ever arping towards the cable modems ! for any IP-mac address pairing. Forces EVERY host to use DHCP at least ! once every time the uBR7100 is reloaded, or the arp table is cleared out. ! Forces users to use DHCP release/renew cycle on their computers if ! ARP entry is ever lost. ! Makes it impossible for an end user to type in a static IP address, ! or steal somebody else's IP address. ! ! cable-source verify dhcp: -- Forces the CMTS to populate the arp table from ! the DHCP server ! If the DHCP server does not have a valid DHCP lease for that IP / MAC combination, ! the host is unreachable. ! cable dhcp-giaddr policy: use primary IP address for modems, secondary for ! hosts behind modems ! ! interface Cable1/0 description Cable Downstream Interface ip address 10.254.1.1 255.255.255.0 secondary ip address 10.128.1.1 255.255.255.0 no keepalive cable downstream rate-limit token-bucket shaping cable downstream annex B cable downstream modulation 64qam cable downstream interleave-depth 32 cable downstream frequency 851000000 cable down rf-power 55 cable upstream 0 description Cable upstream interface, North cable upstream 0 frequency 37008000 cable upstream 0 power-level 0 cable upstream 0 admission-control 150 no cable upstream 0 shutdown cable upstream 1 description Cable upstream interface, South cable upstream 1 frequency 37008000 cable upstream 1 power-level 0 cable upstream 1 admission-control 150 no cable upstream 1 shutdown cable upstream 2 description Cable upstream interface, East cable upstream 2 frequency 37008000 cable upstream 2 power-level 0 cable upstream 2 admission-control 150 no cable upstream 2 shutdown cable upstream 3 description Cable upstream interface, West cable upstream 3 frequency 37008000 cable upstream 3 power-level 0 cable upstream 3 admission-control 150 no cable upstream 3 shutdown no cable arp cable source-verify dhcp cable dhcp-giaddr policy ! ! ! default route to Fast ethernet 0/0, probably best to set ! this as an IP address so interface flaps don't create route flaps. ! IP http server: enables internal http server ! ip classless no ip forward-protocol udp netbios-ns ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ip http server ! ! ! Enable TFTP downloads of the silver.cm file on the Flash device ! this DOCSIS config file is built using DOCSIS CPE Configurator. tftp-server slot0:bronze.cm alias bronze.cm ! ! Aliases for frequently used commands ! alias exec scm show cable modem alias exec scf show cable flap alias exec scp show cable qos profile ! line con 0 exec-timeout 0 0 transport input none line aux 0 speed 19200 line vty 0 4 session-timeout 60 login ! ntp clock-period 17179977 ntp server 192.168.35.51 end
The advanced all-in-one configuration is identical to the basic configuration, except that it uses a hierarchical structure of DHCP pools to provide unique DHCP options, such as static IP addresses, to individual cable modems and CPE devices. The DHCP pools are given unique and relevant names to simplify administration, and the cable modems and CPE devices that use these pools are specified by the client-identifier commands.
The DHCP pools for the individual cable modems and CPE devices inherit the options from the parent pools, so you do not need to specify all of the required options for those particular pools. Instead, the new pools need to specify only those commands, such as client-identifier, that should be different from the parent pools.
Because the static IP addresses that are given to the cable modems and CPE devices are in the range of 10.1.4.60 and 10.1.4.70, the ip dhcp exclude command is used to instruct the DHCP server that it should not hand out addresses in this range to other cable modems or CPE devices.
! version 12.1 no service pad ! provides nice timestamps on all log messages service timestamps debug datetime msec localtime service timestamps log uptime ! turn service password-encryption on to encrypt passwords no service password-encryption ! provides additional space for longer configuration file service compress-config ! supports a large number of modems / hosts attaching quickly service udp-small-servers max-servers no-limit ! hostname Router ! boot system disk0: ! no cable qos permission create no cable qos permission update cable qos permission modems ! permits cable modems to obtain Time of Day (TOD) from uBR7100 cable time-server ! ! High performance DOCSIS config file, additional options may be added ! 10 Mbit/sec download, 128 Kbit/sec upload speed, 10 Kbit/sec guaranteed upstream ! NOTE: cable upstream 0 admission-control 150 will prevent modems from ! connecting after 150% of guaranteed-bandwidth has been allocated to ! registered modems. This can be used for peek load balancing. ! max-burst 1600 prevents a modem with concatenation turned on from consuming ! too much wire time, and interfering with VoIP traffic. ! cpe max 8 limits the modem to 8 hosts connected before the CMTS refuses ! additional host MAC addresses. ! Timestamp option makes the config file only valid for a short period of time. ! cable config-file platinum.cm service-class 1 max-upstream 128 service-class 1 guaranteed-upstream 10 service-class 1 max-downstream 10000 service-class 1 max-burst 1600 cpe max 8 timestamp ! ! Medium performance DOCSIS config file, additional options may be added ! 5 Mbit/sec download, 128 Kbit/sec upload speed ! cable config-file gold.cm service-class 1 max-upstream 64 service-class 1 max-downstream 5000 service-class 1 max-burst 1600 cpe max 3 timestamp ! ! Low performance DOCSIS config file, additional options may be added ! 1 Mbit/sec download, 64 Kbit/sec upload speed ! cable config-file silver.cm service-class 1 max-upstream 64 service-class 1 max-downstream 1000 service-class 1 max-burst 1600 cpe max 1 timestamp ! ! No Access DOCSIS config file, used to correctly shut down an unused cable modem ! 1 kbit/sec download, 1 Kbit/sec upload speed, with USB/ethernet port shut down. ! cable config-file disable.cm access-denied service-class 1 max-upstream 1 service-class 1 max-downstream 1 service-class 1 max-burst 1600 cpe max 1 timestamp ! ip subnet-zero ! Turn on cef switching / routing, anything but process switching (no ip route-cache) ip cef ip cef accounting per-prefix ! Disables the finger server no ip finger ! Prevents CMTS from looking up domain names / attempting to connect to ! machines when mistyping commands no ip domain-lookup ! Prevents the issuance of IP addresses in this range, allows for use in ! static configurations. ip dhcp excluded-address 10.128.1.60 10.128.1.70 ! Prevents issuance of IP address that is already in use. ip dhcp ping packets 1 ! ! DHCP reply settings for DOCSIS cable modems. ! All settings here are "default response settings" for this DHCP pool. ! DOCSIS bootfile (cable modem config-file) as defined above ! next-server = IP address of server which sends bootfile ! default-router = default gateway for cable modems, necessary to get DOCSIS files ! option 4 = TOD server IP address ! option 2 = Time offset for TOD, in seconds, HEX, from GMT, -28,000 = PST = ffff.8f80 ! option 7 = Optional SYSLOG server ! Lease length, in days, hours, minutes ! ip dhcp pool CableModems-Platinum network 10.128.1.0 255.255.255.0 bootfile platinum.cm next-server 10.128.1.1 default-router 10.128.1.1 option 2 hex ffff.8f80 option 4 ip 10.128.1.1 option 7 ip 10.128.1.1 lease 7 0 10 ! ! DHCP reply settings for IP hosts behind DOCSIS cable modems. ! All settings here are "default response settings" for this DHCP pool. ! default-router = default gateway for cable modems, necessary to get DOCSIS files ! dns-server = IP address for DNS server, place up to 8 addresses on the same ! line as a list ! NOTE: changing the DNS-server on a Windows PC, Mac, or Unix box require ! reloading the OS, but changing it in the DHCP response is quick and easy. ! domain-name = default domain name for the host ! Lease length, in days, hours, minutes ! ip dhcp pool hosts network 10.254.1.0 255.255.255.0 default-router 10.254.1.1 dns-server 10.254.1.1 10.128.1.1 domain-name ExamplesDomainName.com lease 1 0 10 ! ! DHCP reply settings for a static IP address for a PC and cable modems ! All settings here will override "default response settings" for this DHCP pool. ! client-identifier is the ethernet MAC address of the device, preceded by 01 ! Thus, the Host with an mac address of 08.00.09.af.34.e2 will ALWAYS get the ! same IP address ! Lease length, in days, hours, minutes, set to infinite. ! Use a relevant name here, as there will be lots of these entries. ! ip dhcp pool staticPC(0800.09af.34e2) host 10.254.1.12 255.255.255.0 client-identifier 0108.0009.af34.e2 client-name staticPC(0800.09af.34e2) lease infinite ip dhcp pool cm-0050.04f9.efa0cm- host 10.128.1.65 255.255.255.0 client-identifier 0100.107b.ed9b.45 bootfile disable.cm ! ip dhcp pool cm-0030.d002.41f5 host 10.128.1.66 255.255.255.0 client-identifier 0100.107b.ed9b.23 bootfile silver.cm ! ! DHCP reply settings for a cable modem, to change from default provisioning ! All settings here will override "default response settings" for this DHCP pool. ! client-identifier is the ethernet MAC address of the device, preceded by 01 ! Thus, the modem with a mac address of 00.10.95.81.7f.66 will ALWAYS get the ! same IP address ! This cable modem will get the gold.cm config file, and a consistent IP address ! some IP address within the DHCP pool for the cable downstream interface is ! required, or the reference correct config file will NOT be issued. ! Use a relevant name here, as there will be lots of these entries. ! ! WARNING: When changing config files for a modem, it is necessary to clear the ! address with “clear ip dhcp binding <ip-address>” and then reset the modem using ! "clear cable modem <mac-address> | <ip-address> reset" ! ip dhcp pool goldmodem host 10.128.1.67 255.255.255.0 client-identifier 0100.1095.817f.66 bootfile gold.cm ! ! DHCP reply settings for a disabled cable modem. ! This will prevent this cable modem user from accessing the network. ! client-identifier is the ethernet MAC address of the device, preceded by 01 ! This cable modem will get the disable.cm config file, and a consistent IP address ! some IP address within the DHCP pool for the cable downstream interface is ! required, or the reference correct config file will NOT be issued. ! Use a relevant name here, as there will be lots of these entries. ! ! WARNING: When changing config files for a modem, it is necessary to clear the ! address with “clear ip dhcp binding <ip-address>” and then reset the modem using ! "clear cable modem <mac-address> | <ip-address> reset" ! ip dhcp pool DisabledModem(0010.aaaa.0001) host 10.128.1.68 255.255.255.0 client-identifier 0100.1095.817f.66 bootfile disable.cm ! ip dhcp pool DisabledModem(0000.bbbb.0000) client-identifier 0100.00bb.bb00.00 host 10.128.1.69 255.255.255.0 bootfile disable.cm ! ! ! interface FastEthernet0/0 ip address 10.17.123.1 255.255.255.0 no ip mroute-cache no shutdown duplex auto speed auto ! interface FastEthernet0/1 no ip address no ip mroute-cache shutdown duplex auto speed auto ! ! Primary address is for cable modems, use only one, so make it large enough! ! Secondary addresses are for hosts, use as many as necessary ! These addresses must match the remainder of the configuration file, ! or modems won't work. ! cable downstream frequency sets the upconverter frequency ! cable down rf-power 55, sets the upconverter output power in dBmV ! each upstream interface can have a description, use it! ! All four upstreams have been set to the same default frequency, don't ! connect wire them together while on the same frequency! ! cable upstream 0 admission-control 150: limits the number of modems ! which can connect with guaranteed-bandwidth. ! NOTE: will prevent some modems from connecting once this limit is hit. ! ! High security option: ! no cable arp: prevents the uBR7100 from ever arping towards the cable modems ! for any IP-mac address pairing. Forces EVERY host to use DHCP at least ! once every time the uBR7100 is reloaded, or the arp table is cleared out. ! Forces users to use DHCP release/renew cycle on their computers if ! ARP entry is ever lost. ! Makes it impossible for an end user to type in a static IP address, ! or steal somebody else's IP address. ! ! cable-source verify dhcp: -- Forces the CMTS to populate the arp table from ! the DHCP server ! If the DHCP server does not have a valid DHCP lease for that IP / MAC combination, ! the host is unreachable. ! cable dhcp-giaddr policy: use primary IP address for modems, secondary for ! hosts behind modems ! ! interface Cable1/0 description Cable Downstream Interface ip address 10.254.1.1 255.255.255.0 secondary ip address 10.128.1.1 255.255.255.0 no keepalive cable downstream rate-limit token-bucket shaping cable downstream annex B cable downstream modulation 64qam cable downstream interleave-depth 32 cable downstream frequency 851000000 cable down rf-power 55 cable upstream 0 description Cable upstream interface, North cable upstream 0 frequency 37008000 cable upstream 0 power-level 0 cable upstream 0 admission-control 150 no cable upstream 0 shutdown cable upstream 1 description Cable upstream interface, South cable upstream 1 frequency 37008000 cable upstream 1 power-level 0 cable upstream 1 admission-control 150 no cable upstream 1 shutdown cable upstream 2 description Cable upstream interface, East cable upstream 2 frequency 37008000 cable upstream 2 power-level 0 cable upstream 2 admission-control 150 no cable upstream 2 shutdown cable upstream 3 description Cable upstream interface, West cable upstream 3 frequency 37008000 cable upstream 3 power-level 0 cable upstream 3 admission-control 150 no cable upstream 3 shutdown no cable arp cable source-verify dhcp cable dhcp-giaddr policy ! ! ! default route to Fast ethernet 0/0, probably best to set ! this as an IP address so interface flaps don't create route flaps. ! IP http server: enables internal http server on uBR7100 ! ip classless no ip forward-protocol udp netbios-ns ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ip http server ! ! ! Enable TFTP downloads of the silver.cm file on the Flash device ! this DOCSIS config file is built using DOCSIS CPE Configurator. tftp-server slot0:bronze.cm alias bronze.cm ! ! Aliases for frequently used commands ! alias exec scm show cable modem alias exec scf show cable flap alias exec scp show cable qos profile ! line con 0 exec-timeout 0 0 transport input none line aux 0 speed 19200 line vty 0 4 session-timeout 60 login ! ntp clock-period 17179977 ntp server 192.168.35.51
For additional information related to DHCP, ToD, and TFTP Services for the CMTS Routers, refer to the following references:
Related Topic |
Document Title |
---|---|
All-In-One Configuration |
For information on how to configure a Cisco CMTS that acts as a Dynamic Host Configuration Protocol (DHCP), Time-of-Day (ToD), and TFTP server in an “all-in-one configuration,” see the following URL: http://www.cisco.com/en/US/tech/tk86/tk804/technologies_configuration_example09186a0080134b34.shtml |
DHCP Configuration |
To configure the DHCP server beyond the minimum options given in this chapter, see the “Configuring DHCP” chapter in the “IP Addressing and Services” section of the Cisco IOS IP and IP Routing Configuration Guide , Release 12.2 at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/fipr_c.html For information on all DHCP commands, see the “DHCP Commands” chapter in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/fipras_r.html |
TFTP Server Command |
For more information about the tftp-server command, see the “Configuring Basic File-Transfer Services” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf011.html |
NTP or SNTP Configuration |
For information on configuring the Cisco CMTS to use NTP or SNTP to set its system clock, see the “Performing Basic System Management” chapter in the “System Management” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 , at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf012.html |
Cable Source Verify Feature |
For a more detailed description of the cable source-verify command and how it can be used to prevent certain types of denial of service attacks, see the following Tech Note on Cisco.com: |
Calculating the Hexadecimal Value for DHCP Option 2 |
For information on how to calculate the hexadecimal time value that is used to set the DHCP Time Offset option (DHCP option 2), see the following URL: http://www.cisco.com/en/US/customer/tech/tk86/tk804/technologies_tech_note09186a0080093d76.shtml |
Cisco DOCSIS Configurator Tool |
For information on creating DOCSIS 1.1 configuration files, you can use the Cisco DOCSIS Configurator tool, which at the time of this document’s publication is available at the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/cpe-conf |
CMTS Command Reference |
Cisco IOS CMTS Cable Command Reference Guide, at the following URL: http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html |
Cisco IOS Release 12.2 Command Reference |
Cisco IOS Release 12.2 Configuration Guides and Command References, at the following URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/prod_command_reference_list.html |
Cisco uBR7100 Series Universal Broadband Router Documentation |
Cisco uBR7100 Series Universal Broadband Router Hardware Installation Guide , at the following URL: http://www.cisco.com/en/US/docs/cable/cmts/ubr7100/installation/guide/hig7100.html Cisco uBR7100 Series Universal Broadband Router Software Configuration Guide , at the following URL: http://www.cisco.com/en/US/docs/cable/cmts/ubr7100/configuration/guide/scg7100.html |
Cisco uBR7200 Series Universal Broadband Router Documentation |
Cisco uBR7200 Series Universal Broadband Router Hardware Installation Guide , at the following URL: http://www.cisco.com/en/US/docs/cable/cmts/ubr7200/installation/guide/ub72khig.html Cisco uBR7200 Series Universal Broadband Router Software Configuration Guide , at the following URL: http://www.cisco.com/en/US/docs/cable/cmts/ubr7200/configuration/guide/cr72scg.html |
Cisco uBR10012 Universal Broadband Router Documentation |
Cisco uBR10012 Universal Broadband Router Hardware Installation Guide , at the following URL: http://www.cisco.com/en/US/docs/cable/cmts/ubr10012/installation/guide/hig.html Cisco uBR10012 Universal Broadband Router Software Configuration Guide , at the following URL: http://www.cisco.com/en/US/docs/cable/cmts/ubr10012/configuration/guide/scg.html |
Standards1 |
Title |
---|---|
ANSI/SCTE 22-1 2002 (formerly SP-RFI-C01-011119) |
Data-Over-Cable Service Interface Specification DOCSIS 1.0 Radio Frequency Interface (RFI) ( http://www.cablemodem.com ) |
Data-over-Cable Service Interface Specifications Radio Frequency Interface Specification DOCSIS 1.1 ( http://www.cablemodem.com ) |
|
DOCSIS Baseline Privacy Interface Plus Specification ( http://www.cablemodem.com ) |
MIBs2 |
MIBs Link |
---|---|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs3 |
Title |
---|---|
RFC4243 |
Description |
Link |
---|---|
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. |
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Note | The below table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
Feature Name |
Releases |
Feature Information |
---|---|---|
DHCP, ToD, and TFTP Services |
11.3 NA |
The cable source-verify and ip dhcp commands are now supported on the Cisco uBR7200 series routers. |
DHCP, ToD, and TFTP Services |
12.0(4)XI |
The cable time-server command is now supported. |
DHCP, ToD, and TFTP Services |
12.1(2)EC1 |
The following commands are now supported on the Cisco IOS Release 12.1 EC train: The cable source-verify command has been expanded to include the dhcp keyword. |
DHCP, ToD, and TFTP Services |
12.1(5)EC1 |
The Cisco uBR7100 series routers are now supported. |
DHCP, ToD, and TFTP Services |
12.2(4)BC1 |
The Cisco uBR7100 series, Cisco uBR7200 series, and Cisco uBR10012 routers now support the above commands. |
DHCP, ToD, and TFTP Services |
12.1(11b)EC1 12.2(8)BC2 |
The cable tftp-enforce command is now supported. |
DHCP, ToD, and TFTP Services |
12.1(13)EC 12.2(11)BC1 |
The cable source-verify command has been expanded to include the leasetimer keyword. |
DHCP, ToD, and TFTP Services |
12.3(13)BC |
The cable source-verify dhcp command has been expanded to allow exclusion of MAC addresses. |
DHCP, ToD, and TFTP Services |
12.3(21)BC |
The cable helper-address command has been expanded to further specify where to forward DHCP packets based on origin: from a cable modem, MTA, STB, or other cable devices. The cable dhcp-insert command allows users to configure the CMTS to insert descriptors into DHCP packets using option 82. DHCP servers can then detect cable modem clones and extract geographical information. The show cable modem docsis device-class command is now supported. |
DHCP, ToD, and TFTP Services |
12.2(33)SCD5 |
The cable dhcp-giaddr command was modified to support the host, mta, ps, and stb keywords. |
Prefix-based Source Address Verification |
12.2(33)SCC |
The support for the prefix-based Source Address Verification (SAV) feature was added. The following new commands were introduced: |
DHCP Relay Agent Sub-Option |
12.2(33)SCF2 |
Support was added for the DHCP Relay Agent Information Sub-Option enhancement. The following commands was modified:
|
Supported Platforms |
||
Cisco uBR7100 series, Cisco uBR7200 series, Cisco uBR10012 universal broadband routers. |