Step 1
| Verify the following configuration settings on the DPE:
- Ensure that PacketCable services are enabled, by using the show run command.
To enable the PacketCable service, use the service packetcable 1..1 enable command.
For example:
dpe# show run
aaa authentication radius
dpe port 49186
dpe provisioning-group primary default
service packetcable 1 enable
snmp-server location equipmentrack5D
snmp-server udp-port 8001
tacacs-server retries 2
tacacs-server timeout 5
For details on the commands, see the Cisco Prime Cable Provisioning 5.3 DPE CLI Reference Guide.
- Ensure that the security key used for communication between the KDC and a DPE is set, by using the show run command.
To generate and set the security key, use the service packetcable 1..1 registration kdc-service-key command.
For example:
dpe# show run
aaa authentication radius
debug dpe events
dpe port 49186
service packetcable 1 enable
service packetcable 1 registration kdc-service-key <value is set>
snmp-server contact AceDuffy-ext1234
For details on the commands, see the Cisco Prime Cable Provisioning 5.3 DPE CLI Reference Guide.
- Ensure that the security key that permits secure communication between the DPE and the RDU for PacketCable SNMPv3 cloning is set. Again, use the show run command. To generate and set the security key, use the service packetcable 1..1 snmp key-material command.
For example:
dpe# show run
aaa authentication radius
debug dpe events
dpe port 49186
service packetcable 1 enable
service packetcable 1 registration kdc-service-key <value is set>
service packetcable 1 snmp key-material <value is set>
For details about the commands, and the specific security privileges to run these commands, see the Cisco Prime Cable Provisioning 5.3 DPE CLI Reference Guide.
Note
|
When you configure PacketCable settings on the DPE, ensure that you run the dpe reload command so that the changes take effect.
|
|
Step 2
| In the configuration file for Network Registrar extension points (cnr_ep.properties), verify that the /ccc/kerb/realm parameter is set to the primary realm; in this case, CISCO.COM. To do this, run the more cnr_ep.properties command from the BPR_HOME/cnr_ep/conf directory.
For example:
/opt/CSCObac/cnr_ep/conf# more cnr_ep.properties
#DO NOT MODIFY THIS FILE.
#Tue Aug 13 23:24:00 PDT 2013
/ccc/tgt=01
/cccv6/dssid/primary=ff\:ff\:ff\:ff
/secure/keystore/file=/opt/CSCObac/lib/security/.keystore
/ccc/dhcp/primary=10.81.90.90
/secure/keystore/password=f2c2060fdbca0e60ae1864adb73155b9
/lib/cpcp/ssllib=/opt/nwreg2/local/lib/libssl.so.1.0.1
/rdu/fqdn=bactst-lnx-4
/server/rdu/secure/enabled=true
/rdu/port=49188
/cnr/sharedSecret=fgL7egT9zcYHs
/ccc/kerb/realm=CISCO.COM
/provgroup/capability/both/packetcable/ipv6=enabled
/provgroup/capability/both/packetcable/ipv4=enabled
/lib/cpcp/cryptolib=/opt/nwreg2/local/lib/libcrypto.so.1.0.1
/ccc/dns/primary=10.81.90.90
/cccv6/dssid/secondary=ff\:ff\:ff\:ff
/cnr/sharedSecret/digest=a3\:1f\:32\:6e\:57\:ed\:83\:b7\:68\:42\:f3\:31\:2b\:47\:d3\:36\:eb\:85\:93\:98
/cache/provGroupList=default
[root@bactst-lnx-7 ~]#
|
Step 3
| Enable static routes appropriately to ensure Prime Cable Provisioning connectivity with devices behind the CMTS.
|
Step 4
| Create DNS realm zones for the DNS server that is listed in the cnr_ep.properties file. You can add zones using the Network Registrar Admin UI via the DNS > Forward Zones > List/Add Zones pages.
Note
|
Ensure that the zones you add contain the SRV record and the DNS 'A' record for the KDC server, and that the SRV record for each zone (in this example, CISCO.COM, CISCO1.COM, and CISCO2.COM) points to one KDC.
|
For information on configuring zones from the Admin UI, see the Cisco Prime Network Registrar 8.1 User Guide.
|
Step 5
| Configure certificates using the PKCert.sh tool.
- Create directories for the secondary realms (for example, CISCO1.COM and CISCO2.COM) under BPR_HOME/kdc/<Operating System>/packetcable/certificates.
For example:
/opt/CSCObac/kdc/<Operating System>/packetcable/certificates# mkdir CISCO1.COM
/opt/CSCObac/kdc/<Operating System>/packetcable/certificates# mkdir CISCO2.COM
For more information on creating directories, see Solaris documentation.
- Create a directory in which you can copy the following certificates:
For example:
# cd /var
# mkdir certsInput
Note
|
The /certsInput directory created under the /var directory is only an example. You can choose to create any directory under any other directory. For more information on creating directories, see the specific Operating System documentation.
|
- Copy the certificates mentioned in the previous step into the directory that you created.
- Copy the following certificates to the BPR_HOME/kdc/<Operating System>/packetcable/certificates directory:
For information on copying files, see Solaris documentation on the cp command.
- Create the KDC certificate and its associated private key for the primary realm.
For example:
# ./opt/CSCObac/kdc/PKCert.sh -c "-s /var/certsInput -d /var/certsOutput
-k /var/certsInput/Local_System.der -c /var/certsInput/Local_System.cer
-r CISCO.COM -n 100 -a bactest.cisco.com -o"
Pkcert Version 1.0
Logging to pkcert.log
Source Directory: /var/certsInput
Destination Directory: /var/certsOutput
Private Key File: /var/certsInput/Local_System.der
Certificate File: /var/certsInput/Local_System.cer
Realm: CISCO.COM
Serial Number: 100
DNS Name of KDC: bactest.cisco.com
WARNING - Certificate File will be overwritten
SP Cert subject name: C=US,O=CableLabs\, Inc.,OU=ABC Cable Company,CN=Shared-01 CableLabs Local System CA
File written: /var/certsOutput/KDC_private_key.pkcs8
File written: /var/certsOutput/KDC_private_key_proprietary.
File written: /var/certsOutput/KDC_PublicKey.der
File written: /var/certsOutput/KDC.cer
KDC Certificate Successfully Created at /var/certsOutput/KDC.cer
Copy KDC.cer to the KDC certificate directory (i.e. /opt/CSCObac/kdc/<Operating System>/
packetcable/certificates)
Copy KDC_private_key.pkcs8 to the KDC platform directory (i.e. /opt/CSCObac/
kdc/solaris)
Copy KDC_private_key_proprietary. to the KDC platform directory (i.e. /opt/CSCObac/
kdc/solaris)
For more information on the tool, see Using PKCert.sh.
- Copy the KDC.cer file to the KDC certificate directory (BPR_HOME/kdc/<Operating System>/packetcable/certificates). For information on copying files, see Solaris documentation on the cp command.
- Copy the private key KDC_private_key.pkcs8 to the KDC platform directory (BPR_HOME/kdc/<Operating System>). For information on copying files, see Solaris documentation on the cp command.
- Copy the private key KDC_private_key_proprietary. to the KDC platform directory (BPR_HOME/kdc/solaris). For information on copying files, see Solaris documentation on the cp command.
- Create the KDC certificate and its associated private key for the secondary realm; in this case, CISCO1.COM.
For example:
# ./opt/CSCObac/kdc/PKCert.sh -c "-s /var/certsInput -d /var/certsOutput
-k /var/certsInput/Local_System.der -c /var/certsInput/Local_System.cer
-r CISCO1.COM -n 100 -a bactest.cisco.com -o"
Pkcert Version 1.0
Logging to pkcert.log
Source Directory: /var/certsInput
Destination Directory: /var/certsOutput
Private Key File: /var/certsInput/Local_System.der
Certificate File: /var/certsInput/Local_System.cer
Realm: CISCO.COM
Serial Number: 100
DNS Name of KDC: bactest.cisco.com
WARNING - Certificate File will be overwritten
SP Cert subject name: C=US,O=CableLabs\, Inc.,OU=ABC Cable Company,CN=Shared-01 CableLabs Local System CA
File written: /var/certsOutput/KDC_private_key.pkcs8
File written: /var/certsOutput/KDC_private_key_proprietary.
File written: /var/certsOutput/KDC_PublicKey.der
File written: /var/certsOutput/KDC.cer
KDC Certificate Successfully Created at /var/certsOutput/KDC.cer
Copy KDC.cer to the KDC certificate directory (i.e. /opt/CSCObac/kdc/<Operating System>/
packetcable/certificates)
Copy KDC_private_key.pkcs8 to the KDC platform directory (i.e. /opt/CSCObac/
kdc/solaris)
Copy KDC_private_key_proprietary. to the KDC platform directory (i.e. /opt/CSCObac/
kdc/solaris)
For more information on the tool, see Using PKCert.sh.
- Copy KDC.cer to the secondary realm directory; for example, the /CISCO1.COM directory under BPR_HOME/kdc/<Operating System>/packetcable/certificates. For information on copying files, see Solaris documentation on the cp command.
- Copy the private key KDC_private_key.pkcs8 to the secondary realm directory; for example, the /CISCO1.COM directory under BPR_HOME/kdc/<Operating System>/packetcable/certificates. For information on copying files, see Solaris documentation on the cp command.
- Copy the private key KDC_private_key_proprietary. to the secondary realm directory; for example, the /CISCO1.COM directory under BPR_HOME/kdc/<Operating System>/packetcable/certificates. For information on copying files, see Solaris documentation on the cp command.
- Create the KDC certificate and its associated private key for the secondary CISCO2.COM realm.
For example:
# ./opt/CSCObac/kdc/PKCert.sh -c "-s /var/certsInput -d /var/certsOutput
-k /var/certsInput/Local_System.der -c /var/certsInput/Local_System.cer
-r CISCO2.COM -n 100 -a bactest.cisco.com -o"
Pkcert Version 1.0
Logging to pkcert.log
Source Directory: /var/certsInput
Destination Directory: /var/certsOutput
Private Key File: /var/certsInput/Local_System.der
Certificate File: /var/certsInput/Local_System.cer
Realm: CISCO.COM
Serial Number: 100
DNS Name of KDC: bactest.cisco.com
WARNING - Certificate File will be overwritten
SP Cert subject name: C=US,O=CableLabs\, Inc.,OU=ABC Cable Company,CN=Shared-01 CableLabs Local System CA
File written: /var/certsOutput/KDC_private_key.pkcs8
File written: /var/certsOutput/KDC_private_key_proprietary.
File written: /var/certsOutput/KDC_PublicKey.der
File written: /var/certsOutput/KDC.cer
KDC Certificate Successfully Created at /var/certsOutput/KDC.cer
Copy KDC.cer to the KDC certificate directory (i.e. /opt/CSCObac/kdc/<Operating System>/
packetcable/certificates)
Copy KDC_private_key.pkcs8 to the KDC platform directory (i.e. /opt/CSCObac/
kdc/solaris)
Copy KDC_private_key_proprietary. to the KDC platform directory (i.e. /opt/CSCObac/
kdc/solaris)
For information on the tool, see Using PKCert.sh.
- Copy KDC.cer to the secondary realm directory; for example, the /CISCO2.COM directory under BPR_HOME/kdc/<Operating System>/packetcable/certificates. For information on copying files, see Solaris documentation on the cp command.
- Copy the private key KDC_private_key.pkcs8 to the secondary realm directory; for example, the /CISCO2.COM directory under BPR_HOME/kdc/<Operating System>/packetcable/certificates. For information on copying files, see Solaris documentation on the cp command.
- Copy the private key KDC_private_key_proprietary. to the secondary realm directory; for example, the /CISCO2.COM directory under BPR_HOME/kdc/<Operating System>/packetcable/certificates. For information on copying files, see Solaris or Linux documentation on the cp command.
|
Step 6
| Generate PacketCable service keys by using the KeyGen tool.
Note
|
Ensure that the password that you use to generate a service key matches the password that you set on the DPE by using the packetcable registration kdc service-key command.
For example:
# /opt/CSCObac/kdc/keygen bactest.cisco.com CISCO.COM changeme
# /opt/CSCObac/kdc/keygen bactest.cisco.com CISCO1.COM changeme
# /opt/CSCObac/kdc/keygen bactest.cisco.com CISCO2.COM changeme
For details, see Using PKCert.sh.
|
|
Step 7
| Ensure that the service keys you generated in Step 6 exist in the BPR_HOME/kdc/<Operating System>/keys directory.
For example:
/opt/CSCObac/kdc/<Operating System>/keys# ls -l
total 18
-rw-r--r-- 1 root other 2 Nov 4 09:44 krbtgt,CISCO1.COM@CISCO1.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 krbtgt,CISCO2.COM@CISCO2.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 krbtgt,CISCO.COM@CISCO.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 mtafqdnmap,bactest.cisco.com@CISCO1.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 mtafqdnmap,bactest.cisco.com@CISCO2.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 mtafqdnmap,bactest.cisco.com@CISCO.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 mtaprovsrvr,bactest.cisco.com@CISCO1.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 mtaprovsrvr,bactest.cisco.com@CISCO2.COM
-rw-r--r-- 1 root other 2 Nov 4 09:44 mtaprovsrvr,bactest.cisco.com@CISCO.COM
For more information, see Solaris documentation.
|
Step 8
| Ensure that the various certificates and service keys exist in the BPR_HOME/kdc directory.
For example:
/opt/CSCObac/kdc# ls
PKCert.sh internal keygen lib pkcert.log solaris bacckdc.license
/opt/CSCObac/kdc# cd /internal/bin
/internal/bin# ls
kdc runKDC.sh shutdownKDC.sh
# cd /opt/CSCObac/kdc/lib
# ls
libgcc_s.so.1 libstdc++.so.5 libstlport_gcc.so
# cd /opt/CSCObac/<Operating System>/logs
# ls
kdc.log kdc.log.1
# cd /opt/CSCObac/solaris
# ls
logs kdc.ini packetcable KDC_private_key_proprietary.
# cd keys
# ls
krbtgt,CISCO1.COM@CISCO1.COM
krbtgt,CISCO2.COM@CISCO2.COM
krbtgt,CISCO.COM@CISCO.COM
mtafqdnmap,bactest.cisco.com@CISCO1.COM
mtafqdnmap,bactest.cisco.com@CISCO2.COM
mtafqdnmap,bactest.cisco.com@CISCO.COM
mtaprovsrvr,bactest.cisco.com@CISCO1.COM
mtaprovsrvr,bactest.cisco.com@CISCO2.COM
mtaprovsrvr,bactest.cisco.com@CISCO.COM
# cd ./<Operating System>/packetcable/certificates
# ls
KDC.cer
Local_System.cer
CableLabs_Service_Provider_Root.cer MTA_Root.cer
CISCO1.COM Service_Provider.cer
CISCO2.COM
# cd ./<Operating System>/packetcable/certificates/CISCO1.COM
# ls
KDC.cer
KDC_private_key_proprietary.
# cd ./<Operating System>/packetcable/certificates/CISCO2.COM:
# ls
KDC.cer
KDC_private_key_proprietary.
For more information, see Solaris/Linux documentation.
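The checks in Step 7 and Step 8 can be scripted. The following shell functions are an added example, not part of Prime Cable Provisioning: they report any file from the Step 7 and Step 8 listings that is missing for a given set of realms, and any service key that group or other users can read. The function names and the temporary fixture tree are constructed for illustration; PLATFORM_DIR stands for BPR_HOME/kdc/<Operating System>.

```sh
#!/bin/sh
# Added example (not Cisco code): audit the files that Steps 5-8 produce.
# Usage: script PLATFORM_DIR KDC_FQDN PRIMARY_REALM [SECONDARY_REALM ...]

# Print every expected path that does not exist; print nothing if all exist.
kdc_missing_files() {
    plat=$1 fqdn=$2 primary=$3
    shift 3
    certs="$plat/packetcable/certificates"
    {
        # Primary realm: certificate in the certificates directory,
        # proprietary private key in the platform directory.
        echo "$certs/KDC.cer"
        echo "$plat/KDC_private_key_proprietary."
        # Secondary realms: both files in a per-realm subdirectory.
        for realm in "$@"; do
            echo "$certs/$realm/KDC.cer"
            echo "$certs/$realm/KDC_private_key_proprietary."
        done
        # Three service keys per realm, named as in the Step 7 listing.
        for realm in "$primary" "$@"; do
            echo "$plat/keys/krbtgt,$realm@$realm"
            echo "$plat/keys/mtafqdnmap,$fqdn@$realm"
            echo "$plat/keys/mtaprovsrvr,$fqdn@$realm"
        done
    } | while IFS= read -r path; do
        [ -f "$path" ] || echo "$path"
    done
}

# Print service-key files that group or other users can read.
kdc_loose_keys() {
    find "$1/keys" -type f \( -perm -040 -o -perm -004 \) | sort
}

# Constructed fixture: the Step 8 tree under a temporary directory, with one
# CISCO2.COM service key removed and one key left at mode 644.
kdc_demo_tree() {
    root=$(mktemp -d) || return 1
    c="$root/packetcable/certificates"
    mkdir -p "$root/keys" "$c/CISCO1.COM" "$c/CISCO2.COM"
    touch "$c/KDC.cer" "$root/KDC_private_key_proprietary."
    for r in CISCO1.COM CISCO2.COM; do
        touch "$c/$r/KDC.cer" "$c/$r/KDC_private_key_proprietary."
    done
    for r in CISCO.COM CISCO1.COM CISCO2.COM; do
        touch "$root/keys/krbtgt,$r@$r" \
              "$root/keys/mtafqdnmap,bactest.cisco.com@$r" \
              "$root/keys/mtaprovsrvr,bactest.cisco.com@$r"
    done
    chmod 600 "$root"/keys/*
    chmod 644 "$root/keys/krbtgt,CISCO1.COM@CISCO1.COM"
    rm "$root/keys/mtaprovsrvr,bactest.cisco.com@CISCO2.COM"
    echo "$root"
}

# Run against a real installation when arguments are given.
if [ "$#" -ge 3 ]; then
    kdc_missing_files "$@"
    kdc_loose_keys "$1"
fi
```

An empty result from both functions means every listed file is present and no service key is readable beyond its owner.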
|
Step 9
| Restart the KDC.
For example:
# /etc/init.d/bprAgent restart kdc
For more information, see Using Prime Cable Provisioning Process Watchdog from CLI.
|
Step 10
| Configure the Prime Cable Provisioning Admin UI for multiple realms.
- Add DHCP Criteria for the secondary realm; in this case, CISCO1.COM.
For example:
  - From Configuration > DHCP Criteria > Manage DHCP Criteria, click the Add button.
  - The Add DHCP Criteria page appears.
  - Enter cisco1 in the DHCP Name field.
  - Click Submit.
  - Return to the Manage DHCP Criteria page, and click the cisco1 DHCP criteria. The Modify DHCP Criteria page appears.
  - Under Property Name, select /ccc/kerb/realm and enter CISCO1.COM in the Property Value field.
  - Click Add and Submit.
For more information, see Configuring DHCP Criteria.
- Add DHCP Criteria for the secondary realm; in this case, CISCO2.COM.
For example:
  - From Configuration > DHCP Criteria > Manage DHCP Criteria, click the Add button.
  - The Add DHCP Criteria page appears.
  - Enter cisco2 in the DHCP Name field.
  - Click Submit.
  - Return to the Manage DHCP Criteria page, and click the cisco2 DHCP criteria. The Modify DHCP Criteria page appears.
  - Under Property Name, select /ccc/kerb/realm and enter CISCO2.COM in the Property Value field.
  - Click Add and Submit.
For more information, see Configuring DHCP Criteria.
- Add templates as files to Prime Cable Provisioning for each of the devices being provisioned; in this step, for the Motorola MTA.
For example:
  - Choose Configuration > Files. The Manage Files page appears.
  - Click Add, and the Add Files page appears.
  - Select the CableLabs Configuration Template option from the File Type drop-down list.
  - Add the mot-mta.tmpl file. This file is the template used to provision a Motorola MTA. For template syntax, see the example, Template Used to Provision a Motorola MTA.
  - Click Submit.
For more information, see Managing Files.
- Add templates as files to Prime Cable Provisioning for each of the devices being provisioned; in this step, for the Linksys MTA.
For example:
  - Choose Configuration > Files. The Manage Files page appears.
  - Click Add, and the Add Files page appears.
  - Select the CableLabs Configuration Template option from the File Type drop-down list.
  - Add the linksys-mta.tmpl file. This file is the template used to provision a Linksys MTA. For template syntax, see the example, Template Used to Provision a Linksys MTA.
  - Click Submit.
For more information, see Managing Files.
- Add templates as files to Prime Cable Provisioning for each of the devices being provisioned; in this step, for the SA MTA.
For example:
  - Choose Configuration > Files. The Manage Files page appears.
  - Click Add, and the Add Files page appears.
  - Select the CableLabs Configuration Template option from the File Type drop-down list.
  - Add the sa-mta.tmpl file. This file is the template used to provision an SA MTA. For template syntax, see the example, Template Used to Provision an SA MTA.
  - Click Submit.
For more information, see Managing Files.
- Add a Class of Service for the primary realm; in this case, CISCO.COM.
For example:
  - Choose Configuration > Class of Service.
  - Click Add. The Add Class of Service page appears.
  - Enter mot-mta as the name of the new Class of Service for the CISCO.COM realm.
  - Choose the Class of Service Type as PacketCableMTA.
  - Select /cos/packetCableMTA/file from the Property Name drop-down list and associate it to the mot-mta.tmpl template file (which is used to provision the Motorola MTA in the primary CISCO.COM realm).
  - Click Add and Submit.
For more information, see Configuring Class of Service.
- Add a Class of Service for the secondary realm; in this case, CISCO1.COM.
For example:
  - Choose Configuration > Class of Service.
  - Click Add. The Add Class of Service page appears.
  - Enter linksys-mta as the name of the new Class of Service for the CISCO1.COM realm.
  - Choose the Class of Service Type as PacketCableMTA.
  - Select /cos/packetCableMTA/file from the Property Name drop-down list and associate it to the linksys-mta.tmpl template file (which is used to provision the Linksys MTA in the secondary CISCO1.COM realm).
  - Click Add and Submit.
For more information, see Configuring Class of Service.
- Add a Class of Service for the secondary realm; in this case, CISCO2.COM.
For example:
  - Choose Configuration > Class of Service.
  - Click Add. The Add Class of Service page appears.
  - Enter sa-mta as the name of the new Class of Service for the CISCO2.COM realm.
  - Choose the Class of Service Type as PacketCableMTA.
  - Select /cos/packetCableMTA/file from the Property Name drop-down list and associate it to the sa-mta.tmpl template file (which is used to provision the SA MTA in the secondary CISCO2.COM realm).
  - Click Add and Submit.
For more information, see Configuring Class of Service.
|
Step 11
| Bring the devices online and provision them. See the following examples that describe the provisioning process.
Example 1
The following example describes how you can provision the Motorola SBV5120.
- Provision the cable modem part of the device by setting it to use the sample-bronze-docsis Class of Service.
- To provision the MTA part, go to the Devices > Manage Devices page. Search and select the PacketCable device you want to provision. The Modify Device page appears.
- Set the domain name. This example uses bacclab.cisco.com.
- From the drop-down list corresponding to Registered Class of Service, select mot-mta. This is the Class of Service that you added in Step 10-f.
- From the drop-down list corresponding to Registered DHCP Criteria, select the default option.
- Click Submit.
Example 2
The following example illustrates how you can provision the Linksys CM2P2.
- Provision the cable modem part of the device by setting it to use the sample-bronze-docsis Class of Service.
- To provision the MTA part, go to the Devices > Manage Devices page. Search and select the PacketCable device you want to provision. The Modify Device page appears.
- Set the domain name. This example uses bacclab.cisco.com.
- From the drop-down list corresponding to Registered Class of Service, select linksys-mta. This is the Class of Service that you added in Step 10-g.
- From the drop-down list corresponding to Registered DHCP Criteria, select the cisco1 option. This is the DHCP Criteria that you added for the secondary CISCO1.COM realm in Step 10-a.
- Click Submit.
Example 3
The following example illustrates how you can provision the SA WebStar DPX 2203.
- Provision the cable modem part of the device by setting it to use the sample-bronze-docsis Class of Service.
- To provision the MTA part, go to the Devices > Manage Devices page. Search and select the PacketCable device you want to provision. The Modify Device page appears.
- Set the domain name. This example uses bacclab.cisco.com.
- From the drop-down list corresponding to Registered Class of Service, select sa-mta. This is the Class of Service that you added in Step 10-h.
- From the drop-down list corresponding to Registered DHCP Criteria, select the cisco2 option. This is the DHCP Criteria that you added for the secondary CISCO2.COM realm in Step 10-b.
- Click Submit.
|
Step 12
| Verify whether multiple realm support is operational by using an Ethereal trace. See the sample output from the KDC and DPE log files shown here from the sample setup used in this procedure.
Example 1
The following example features excerpts from the KDC and DPE log files for the Motorola SBV 5120 MTA provisioned in the primary CISCO.COM realm:
KDC Log Sample Output–Motorola MTA
INFO [Thread-4] 2007-02-07 07:56:21,133 (DHHelper.java:114) - Time to create DH key pair(ms): 48
INFO [Thread-4] 2007-02-07 07:56:21,229 (DHHelper.java:114) - Time to create DH key pair(ms): 49
INFO [Thread-4] 2007-02-07 07:56:21,287 (DHHelper.java:150) - Time to create shared secret: 57 ms.
INFO [Thread-4] 2007-02-07 07:56:21,289 (PKAsReqMsg.java:104) - ##MTA-9a Unconfirmed AS Request: 1133717956 Received from /10.10.1.2
INFO [Thread-4] 2007-02-07 07:56:21,298 (KRBProperties.java:612) - Replacing property: 'minimum ps backoff' Old Value:'150' New Value: '150'
INFO [Thread-4] 2007-02-07 07:56:21,324 (KDCMessageHandler.java:257) - AS-REQ contains PKINIT - QA Tag.
INFO [Thread-4] 2007-02-07 07:56:21,325 (KDCMessageHandler.java:279) - PK Request from MTA received. Client is MTA - QA Tag
INFO [Thread-4] 2007-02-07 07:56:21,365 (KDCMessageHandler.java:208) - ##MTA-9b KDC Reply AS-REP Sent to /10.10.1.2:1039 Time(ms): 290
WARN [main] 2005-11-07 07:56:23,193 (KDC.java:113) - Statistics Report ASREP's: 1
INFO [main] 2005-11-07 07:56:23,195 (KDC.java:121) - /pktcbl/mtaAsRepSent: 10
INFO [main] 2005-11-07 07:56:23,195 (KDC.java:121) - /pktcbl/DHKeygenTotalTime: 1043
INFO [main] 2005-11-07 07:56:23,196 (KDC.java:121) - /pktcbl/mtaAsReqRecvd: 10
INFO [main] 2005-11-07 07:56:23,197 (KDC.java:121) - /pktcbl/DHKeygenNumOps: 20
INFO [main] 2005-11-07 07:56:23,197 (KDC.java:121) - /pktcbl/total: 60
DPE Log Sample Output–Motorola MTA
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-DPE-6-4178: Adding Replay Packet: []
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-PKTSNMP-6-0764: [System Description for MTA: <<HW_REV: 1.0, VENDOR: Motorola Corporation, BOOTR: 8.1, SW_REV: SBV5120-2.9.0.1-SCM21-SHPC, MODEL: SBV5120>>]
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-PKTSNMP-6-0764: [##MTA-15 SNMPv3 INFORM Received From 10.10.1.2.]
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-DPE-6-0688: Received key material update for device [1,6,01:11:82:61:5e:30]
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-PKTSNMP-6-0764: [##MTA-19 SNMPv3 SET Sent to 10.10.1.2]
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-TFTP-6-0310: Finished handling [read] request from [10.10.1.2:1190] for [bpr0106001182615e300001]
dpe.cisco.com: 2007 02 07 07:56:25 EST: %BAC-PKTSNMP-6-0764: [##MTA-25 SNMP Provisioning State INFORM Received from 10.10.1.2. Value: 1]
Example 2
The following example features excerpts from the KDC and DPE log files for the Linksys CM2P2 MTA provisioned in the secondary CISCO1.COM realm:
KDC Log Sample Output–Linksys MTA
INFO [Thread-8] 2007-02-07 08:00:10,664 (DHHelper.java:114) - Time to create DH key pair(ms): 49
INFO [Thread-8] 2007-02-07 08:00:10,759 (DHHelper.java:114) - Time to create DH key pair(ms): 49
INFO [Thread-8] 2007-02-07 08:00:10,817 (DHHelper.java:150) - Time to create shared secret: 57 ms.
INFO [Thread-8] 2007-02-07 08:00:10,819 (PKAsReqMsg.java:104) - ##MTA-9a Unconfirmed AS Request: 1391094112 Received from /10.10.1.5
INFO [Thread-8] 2007-02-07 08:00:10,828 (KRBProperties.java:612) - Replacing property: 'minimum ps backoff' Old Value:'150' New Value: '150'
INFO [Thread-8] 2007-02-07 08:00:10,860 (KDCMessageHandler.java:257) - AS-REQ contains PKINIT - QA Tag.
INFO [Thread-8] 2007-02-07 08:00:10,862 (KDCMessageHandler.java:279) - PK Request from MTA received. Client is MTA - QA Tag
INFO [Thread-8] 2007-02-07 08:00:10,901 (KDCMessageHandler.java:208) - ##MTA-9b KDC Reply AS-REP Sent to /10.10.1.5:3679 Time(ms): 296
WARN [main] 2007-02-07 08:00:13,383 (KDC.java:113) - Statistics Report ASREP's: 1
INFO [main] 2007-02-07 08:00:13,384 (KDC.java:121) - /pktcbl/mtaAsRepSent: 11
INFO [main] 2007-02-07 08:00:13,384 (KDC.java:121) - /pktcbl/DHKeygenTotalTime: 1141
DPE Log Sample Output–Linksys MTA
dpe.cisco.com: 2007 02 07 08:00:10 EST: %BAC-DPE-6-4112: Adding Replay Packet: []
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-DPE-6-4178: Adding Replay Packet: []
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-PKTSNMP-6-0764: [System Description for MTA: Linksys Cable Modem with 2 Phone Ports (CM2P2) <<HW_REV: 2.0, VENDOR: Linksys, BOOTR: 2.1.6V, SW_REV: 2.0.3.3.11-1102, MODEL: CM2P2>>]
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-PKTSNMP-6-0764: [##MTA-15 SNMPv3 INFORM Received From 10.10.1.5.]
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-DPE-6-0688: Received key material update for device [1,6,00:0f:68:f9:42:f6]
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-PKTSNMP-6-0764: [##MTA-19 SNMPv3 SET Sent to 10.10.1.5]
dpe.cisco.com: 2007 02 07 08:00:18 EST: %BAC-TFTP-6-0310: Finished handling [read] request from [10.10.1.5:1032] for [bpr0106000f68f942f60001]
dpe.cisco.com: 2007 02 07 08:00:18 EST: %BAC-PKTSNMP-6-0764: [##MTA-25 SNMP Provisioning State INFORM Received from 10.10.1.5. Value: 1]
Example 3
The following example features excerpts from the KDC and DPE log files for the SA WebStar DPX 2203 MTA provisioned in the secondary CISCO2.COM realm:
KDC Log Sample Output–SA MTA
INFO [Thread-6] 2007-02-07 08:01:31,556 (DHHelper.java:114) - Time to create DH key pair(ms): 49
INFO [Thread-6] 2007-02-07 08:01:31,652 (DHHelper.java:114) - Time to create DH key pair(ms): 50
INFO [Thread-6] 2007-02-07 08:01:31,711 (DHHelper.java:150) - Time to create shared secret: 57 ms.
INFO [Thread-6] 2007-02-07 08:01:31,715 (PKAsReqMsg.java:104) - ##MTA-9a Unconfirmed AS Request: 575634000 Received from /10.10.1.50
INFO [Thread-6] 2007-02-07 08:01:31,727 (KRBProperties.java:612) - Replacing property: 'minimum ps backoff' Old Value:'150' New Value: '150'
INFO [Thread-6] 2007-02-07 08:01:31,752 (KDCMessageHandler.java:257) - AS-REQ contains PKINIT - QA Tag.
INFO [Thread-6] 2007-02-07 08:01:31,753 (KDCMessageHandler.java:279) - PK Request from MTA received. Client is MTA - QA Tag
INFO [Thread-6] 2007-02-07 08:01:31,792 (KDCMessageHandler.java:208) - ##MTA-9b KDC Reply AS-REP Sent to /10.10.1.50:3679 Time(ms): 292
WARN [main] 2007-02-07 08:01:33,423 (KDC.java:113) - Statistics Report ASREP's: 1
INFO [main] 2007-02-07 08:01:33,424 (KDC.java:121) - /pktcbl/mtaAsRepSent: 12
INFO [main] 2007-02-07 08:01:33,425 (KDC.java:121) - /pktcbl/DHKeygenTotalTime: 1240
INFO [main] 2007-02-07 08:01:33,425 (KDC.java:121) - /pktcbl/mtaAsReqRecvd: 12
INFO [main] 2007-02-07 08:01:33,426 (KDC.java:121) - /pktcbl/DHKeygenNumOps: 24
INFO [main] 2007-02-07 08:01:33,426 (KDC.java:121) - /pktcbl/total: 72
DPE Log Sample Output–SA MTA
dpe.cisco.com: 2007 02 07 08:01:31 EST: %BAC-DPE-6-4112: Adding Replay Packet: []
dpe.cisco.com: 2007 02 07 08:01:33 EST: %BAC-DPE-6-4178: Adding Replay Packet: []
dpe.cisco.com: 2007 02 07 08:01:33 EST: %BAC-PKTSNMP-6-0764: [System Description for MTA: S-A WebSTAR DPX2200 Series DOCSIS E-MTA Ethernet+USB (2)Lines VOIP <<HW_REV: 2.0, VENDOR: S-A, BOOTR: 2.1.6b, SW_REV: v1.0.1r1133-0324, MODEL: DPX2203>>]
dpe.cisco.com: 2007 02 07 08:01:33 EST: %BAC-PKTSNMP-6-0764: [##MTA-15 SNMPv3 INFORM Received From 10.10.1.50.]
dpe.cisco.com: 2007 02 07 08:01:33 EST: %BAC-DPE-6-0688: Received key material update for device [1,6,00:0f:24:d8:6e:f5]
dpe.cisco.com: 2007 02 07 08:01:33 EST: %BAC-PKTSNMP-6-0764: [##MTA-19 SNMPv3 SET Sent to 10.10.1.50]
dpe.cisco.com: 2007 02 07 08:01:38 EST: %BAC-TFTP-6-0310: Finished handling [read] request from [10.10.1.50:1037] for [bpr0106000f24d86ef50001]
dpe.cisco.com: 2007 02 07 08:01:39 EST: %BAC-PKTSNMP-6-0764: [##MTA-25 SNMP Provisioning State INFORM Received from 10.10.1.50. Value: 1]
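The log excerpts above can be checked mechanically. The following shell function is an added example, not part of Prime Cable Provisioning: it reads a KDC log and a DPE log and reports, for each MTA address, whether the markers that appear in the samples (MTA-9a, MTA-9b, MTA-15, MTA-19, and MTA-25 with Value: 1) are all present. The function names are hypothetical, and the embedded log lines are constructed in the format of the excerpts, with a constructed non-1 provisioning state for 10.10.1.5.

```sh
#!/bin/sh
# Added example (not Cisco code): per-MTA check of the flow markers that
# appear in the KDC and DPE log samples.

# mta_flow_report KDC_LOG DPE_LOG
# Prints "<ip> complete" or "<ip> missing:<markers>" in first-seen order.
mta_flow_report() {
    awk '
    # Remember that this address reached this marker.
    function mark(ip, step) {
        if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
        got[ip, step] = 1
    }
    match($0, /##MTA-[0-9]+[a-z]?/) {
        step = substr($0, RSTART + 2, RLENGTH - 2)
        rest = substr($0, RSTART + RLENGTH)
        # The MTA address is the first dotted quad after the marker.
        if (!match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
        ip = substr(rest, RSTART, RLENGTH)
        # MTA-25 counts only with "Value: 1", as in the samples.
        if (step == "MTA-25" && rest !~ /Value: 1[^0-9]*$/) next
        mark(ip, step)
    }
    END {
        want_n = split("MTA-9a MTA-9b MTA-15 MTA-19 MTA-25", want, " ")
        for (i = 1; i <= n; i++) {
            ip = order[i]; miss = ""
            for (j = 1; j <= want_n; j++)
                if (!((ip, want[j]) in got))
                    miss = miss (miss == "" ? "" : ",") want[j]
            print ip, (miss == "" ? "complete" : "missing:" miss)
        }
    }' "$1" "$2"
}

# Constructed sample input in the format of the excerpts above.
sample_kdc_log() {
    cat <<'EOF'
INFO [Thread-4] 2007-02-07 07:56:21,289 (PKAsReqMsg.java:104) - ##MTA-9a Unconfirmed AS Request: 1133717956 Received from /10.10.1.2
INFO [Thread-4] 2007-02-07 07:56:21,365 (KDCMessageHandler.java:208) - ##MTA-9b KDC Reply AS-REP Sent to /10.10.1.2:1039 Time(ms): 290
INFO [Thread-8] 2007-02-07 08:00:10,819 (PKAsReqMsg.java:104) - ##MTA-9a Unconfirmed AS Request: 1391094112 Received from /10.10.1.5
INFO [Thread-8] 2007-02-07 08:00:10,901 (KDCMessageHandler.java:208) - ##MTA-9b KDC Reply AS-REP Sent to /10.10.1.5:3679 Time(ms): 296
EOF
}

# Constructed: 10.10.1.5 reports a provisioning state other than 1.
sample_dpe_log() {
    cat <<'EOF'
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-PKTSNMP-6-0764: [##MTA-15 SNMPv3 INFORM Received From 10.10.1.2.]
dpe.cisco.com: 2007 02 07 07:56:24 EST: %BAC-PKTSNMP-6-0764: [##MTA-19 SNMPv3 SET Sent to 10.10.1.2]
dpe.cisco.com: 2007 02 07 07:56:25 EST: %BAC-PKTSNMP-6-0764: [##MTA-25 SNMP Provisioning State INFORM Received from 10.10.1.2. Value: 1]
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-PKTSNMP-6-0764: [##MTA-15 SNMPv3 INFORM Received From 10.10.1.5.]
dpe.cisco.com: 2007 02 07 08:00:12 EST: %BAC-PKTSNMP-6-0764: [##MTA-19 SNMPv3 SET Sent to 10.10.1.5]
dpe.cisco.com: 2007 02 07 08:00:18 EST: %BAC-PKTSNMP-6-0764: [##MTA-25 SNMP Provisioning State INFORM Received from 10.10.1.5. Value: 3]
EOF
}

# Run against real log files when two paths are given.
if [ "$#" -eq 2 ]; then
    mta_flow_report "$1" "$2"
fi
```

An address listed as missing MTA-9a or MTA-9b did not complete the Kerberos AS exchange with the KDC, which is the part of the flow that depends on the realm configuration in this procedure.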
|