-
Cisco IOS CMTS Cable Software Configuration Guide, Release 12.2SC
- Part 1: Cisco CMTS Router Basics
- Part 2: Advanced Mode DOCSIS Set-Top Gateway
-
Part 3: Cable Interface: Downstream and Upstream Features
-
Configuring Downstream Cable Interface Features on the Cisco CMTS Routers
-
Configuring Upstream Cable Interface Features on the Cisco CMTS Routers
-
CM Steering on the Cisco CMTS Routers
-
DOCSIS 2.0 A-TDMA Modulation Profiles for the Cisco CMTS Routers
-
DOCSIS 3.0 Downstream Bonding for Bronze Certification
-
Dynamic Bandwidth Sharing on the Cisco CMTS Router
-
IGMP-Triggered VDOC Broadcast Support on the Cisco CMTS Routers
-
Load Balancing and Dynamic Channel Change on the Cisco CMTS Routers
-
RSVP-Based Video on Demand Support Over DOCSIS
-
M-CMTS DEPI Control Plane
-
S-CDMA and Logical Channel Support on the Cisco CMTS Routers
-
Spectrum Management and Advanced Spectrum Management for the Cisco CMTS Routers
-
Support for Extended Frequency Ranges
-
Upstream Channel Bonding
-
Upstream Scheduler Mode for the Cisco CMTS Routers
-
Wideband Modem Resiliency
-
- Part 4: Cable Interface: Security Features
- Part 5: Cable Monitoring Features
- Part 6: Cisco CMTS Router Services
- Part 7: High Availability Features
-
Part 8: Layer 2 and VPN Features
-
Cisco uBR7200 Series MPLS VPN Cable Enhancements
-
EtherChannel on the Cisco CMTS Routers
-
Generic Routing Encapsulation on the Cisco CMTS Routers
-
L2VPN Support Over Cable
-
MPLS Pseudowire for Cable L2VPN
-
Point-to-Point Protocol over Ethernet Support on the Cisco CMTS Routers
-
Service Flow Mapping to MPLS-VPN on the Cisco CMTS Routers
-
Transparent LAN Service over Cable
-
- Part 9: Layer 3 and Interface Bundle Features
- Part 10: PacketCable and PacketCable Multimedia Features
- Part 11: QoS Features
-
Part 12: Traffic Management and Other Management Features
-
Control Point Discovery for the Cisco CMTS Routers
-
IPDR Streaming Protocol on the Cisco CMTS Routers
-
Managing Cable Modems on the Hybrid Fiber-Coaxial Network
-
Maximum CPE or Host Parameters for the Cisco CMTS Routers
-
PXF Divert Rate Limit Enhancement on the Cisco CMTS Routers
-
Subscriber Management Packet Filtering for DOCSIS 2.0
-
Subscriber Traffic Management for the Cisco CMTS Routers
-
Usage Based Billing for the Cisco CMTS Routers
-
-
Part 13: Troubleshooting on the Cisco CMTS Routers
-
Cable IPC Statistics Collection Tool
-
Cisco CMTS Static CPE Override
-
Flap List Troubleshooting for the Cisco CMTS Routers
-
GOLD Health Monitoring for the Cisco UBR10012 Universal Broadband Router
-
Resolving Common Image Installation Problems
-
SEA Health Monitoring for the Cisco UBR10012 Routers
-
Troubleshooting the System
-
- Part 14: Appendix A
- Part 15: Appendix B
-
Glossary
Table Of Contents
Filtering Cable DHCP Lease Queries
Prerequisites for Filtering Cable DHCP Lease Queries
Restrictions for Filtering Cable DHCP Lease Queries
Information About Filtering Cable DHCP Lease Queries
How to Configure Filtering Cable DHCP LEASEQUERY Requests
Enabling DHCP LEASEQUERY Filtering on Downstreams
Enabling DHCP LEASEQUERY Filtering on Upstreams
How to Configure the DHCP MAC Address Exclusion List for the cable-source verify dhcp Command
Configuration Examples for Filtering Cable DHCP Lease Queries
Filtering Cable DHCP Lease Queries
Document Revision History
02/13/2006
OL-2818-06
Added Document Revision History table. Incorporated Cisco IOS Release 12.3(17a)BC enhancements.
This document describes the Dynamic Host Configuration Protocol (DHCP) LEASEQUERY filter feature, which enables the Cisco Cable Modem Termination System (CMTS) router to filter excessive numbers of DHCP LEASEQUERY messages on either the upstream or the downstream cable interface, or both.
Feature History for Filtering Cable DHCP Lease Queries
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Filtering Cable DHCP Lease Queries
•
•
•
•
•
Prerequisites for Filtering Cable DHCP Lease Queries
•
•
To divert DHCP lease queries to a server other than the DHCP server, you must use the cable source-verify dhcp server ipaddress command and the no cable arp command before the Cisco CMTS router can begin filtering DHCP lease queries. Only one alternate server may be configured.
Restrictions for Filtering Cable DHCP Lease Queries
•
•
•
•
Information About Filtering Cable DHCP Lease Queries
To configure the Cisco CMTS router to send DHCP LEASEQUERY requests to the DHCP server, use the cable source-verify dhcp and no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable modems on the cable interface will be verified. The DHCP server returns a DHCP ACK message with the MAC address of the CPE device that has been assigned this IP address, if any.
To configure the Cisco CMTS router to divert DHCP LEASEQUERY requests to a server other than the DHCP server, use the cable source-verify dhcp server ipaddress and no cable arp commands.
Regardless of which server is configured, the router can then use this information to verify that this CPE device is authorized to use this IP address. This prevents users from assigning unauthorized IP addresses to their CPE devices, without interfering with valid traffic on the upstream or downstream.
Problems can occur, though, when viruses, denial of service (DoS) attacks, and theft-of-service attacks begin scanning a range of IP addresses, in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type of scanning generates a large volume of DHCP lease queries, which can result in the following problems:
•
•
•
•
To prevent such a large volume of LEASEQUERY requests on cable interfaces, you can enable filtering of these requests on upstream interfaces, downstream interfaces, or both. When this feature is enabled, the Cisco CMTS allows only a certain number of DHCP LEASEQUERY requests for each service ID (SID) on an interface within the configured interval time period. If a SID generates more lease queries than the maximum, the router drops the excess number of requests until the next interval period begins.
You can configure both the number of allowable DHCP LEASEQUERY requests and the interval time period, so as to match the capabilities of your DHCP server (or configured alternate server) and cable network.
How to Configure Filtering Cable DHCP LEASEQUERY Requests
Use the following procedures to configure the filtering of DHCP LEASEQUERY requests on both the downstreams and upstreams of a cable interface:
•
•
Enabling DHCP LEASEQUERY Filtering on Downstreams
Use the following procedure to start filtering DHCP lease queries on all downstreams in a Cisco CMTS router.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Enabling DHCP LEASEQUERY Filtering on Upstreams
Use the following procedure to start filtering DHCP lease queries on all upstreams on a particular cable interface.
SUMMARY STEPS
1.
2.
3.
or
interface cable x/y/z4.
5.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode. Enter your password if prompted.
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
interface cable x/y
orinterface cable x/y/z
Example:Router(config)# interface cable 5/1
Router(config-if)#
Enters interface configuration mode for the specified cable interface.
Step 4
cable source-verify leasequery-filter upstream threshold interval
Example:Router(config-if)# cable source-verify leasequery-filter upstream 2 5
Router(config-if)#
Enables leasequery filtering on all upstreams on the specified cable interface, using the specified threshold and interval values:
•
•
Note
Step 5
end
Example:Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode.
How to Configure the DHCP MAC Address Exclusion List for the cable-source verify dhcp Command
Cisco IOS Release 12.3(13)BC introduces the ability to exclude trusted MAC addresses from standard DHCP source verification checks, as supported in previous Cisco IOS releases for the Cisco CMTS. This feature enables packets from trusted MAC addresses to pass when otherwise packets would be rejected with standard DHCP source verification. This feature overrides the cable source-verify command on the Cisco CMTS for the specified MAC address, yet maintains overall support for standard and enabled DHCP source verification processes. This feature is supported on Performance Routing Engine 1 (PRE1) and PRE2 modules on the Cisco uBR10012 router chassis.
To enable packets from trusted source MAC addresses in DHCP, use the cable trust command in global configuration mode. To remove a trusted MAC address from the MAC exclusion list, use the no form of this command. Removing a MAC address from the exclusion list subjects all packets from that source to standard DHCP source verification.
cable trust mac-address
no cable trust mac-address
Syntax Description
mac-address
The MAC address of a trusted DHCP source, and from which packets will not be subject to standard DHCP source verification.
Usage Guidelines
This command and capability are only supported in circumstances in which the Cable Source Verify feature is first enabled on the Cisco CMTS.
When this feature is enabled in addition to cable source verify, a packet's source must belong to the MAC Exclude list on the Cisco CMTS. If the packet succeeds this exclusionary check, then the source IP address is verified against Address Resolution Protocol (ARP) tables as per normal and previously supported source verification checks. The service ID (SID) and the source IP address of the packet must match those in the ARP host database on the Cisco CMTS. If the packet check succeeds, the packet is allowed to pass. Rejected packets are discarded in either of these two checks.
Any trusted source MAC address in the optional exclusion list may be removed at any time. Removal of a MAC address returns previously trusted packets to non-trusted status, and subjects all packets to standard source verification checks on the Cisco CMTS.
Note
For additional information about the enhanced Cable Source Verify DHCP feature, and general guidelines for its use, refer to the following documents on Cisco.com:
•
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t7/feature/guide/sourcver.html
•
http://www.cisco.com/en/US/docs/cable/cmts/feature/cblsrcvy.html
•
http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html
•
http://www.cisco.com/en/US/tech/tk86/tk803/technologies_tech_note09186a00800a7828.shtml
Configuration Examples for Filtering Cable DHCP Lease Queries
This section provides the following examples of how to configure the DHCP lease query filtering feature:
DHCP Downstream and Upstream DHCP LEASEQUERY Filtering Configuration on an Individual Cable Interface: Example
The following example shows an excerpt from a typical configuration of a cable interface that is configured for filtering DHCP LEASEQUERY requests on both its upstream and downstream interfaces:
Note
!cable source-verify leasequery-filter downstream 5 20!interface Cable8/1/0...cable source-verify dhcpcable source-verify leasequery-filter upstream 1 5no cable arp...Additional References
The following sections provide references related to the DHCP LEASEQUERY filtering feature.
Related Documents
CMTS Command Reference
Cisco IOS CMTS Cable Command Reference Guide, at the following URL:
http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.htmlCisco IOS Release 12.2 Command Reference
Cisco IOS Release 12.2 Configuration Guides and Command References, at the following URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
Standards
Data-over-Cable Service Interface Specifications Radio Frequency Interface Specification, version 1.1 (http://www.cablemodem.com)
MIBs
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Cable Command Reference at http://www.cisco.com/en/US/docs/ios/cable/command/reference/cbl_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)
© 2009 Cisco Systems, Inc. All rights reserved.
