Problems can occur when viruses, denial of service (DoS) attacks, and theft-of-service attacks begin scanning a range of IP
addresses, in an attempt to find unused addresses. When the Cisco CMTS router is verifying unknown IP addresses, this type
of scanning generates a large volume of DHCP leasequeries, which can result in the following problems:
- High CPU utilization on the Cisco CMTS router PRE card.
- High utilization on the DHCP servers, resulting in a slow response time or no response at all.
- Packets can be dropped by the Cisco CMTS router or DHCP server (or configured alternate server).
- Lack of available bandwidth for other customers on the cable interface.
To prevent such a large volume of leasequery requests on cable interfaces, you can enable filtering of these requests on upstream
interfaces, downstream interfaces, or both. When the Cable DHCP Leasequery feature is enabled, the Cisco CMTS allows only
a certain number of DHCP leasequery requests for each service ID (SID) on an interface within the configured interval time
period. If an SID generates more leasequery requests than the maximum, the router drops the excess requests until the next
interval period begins.
You can configure both the number of allowable DHCP leasequery requests and the interval time period, so as to match the capabilities
of your DHCP server (or configured alternate server) and cable network.
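
The following Python sketch is an added example, not Cisco code or part of the original page: it models the per-SID filter described above as a fixed-window counter and runs it over a constructed trace in which one SID sweeps addresses while two others behave normally. The threshold and interval values, the SID numbers, and the alignment of intervals to time zero are assumptions for illustration.

```python
from collections import defaultdict

def filter_leasequeries(events, threshold, interval):
    """Model of the per-SID leasequery filter described above.

    events: (time_in_seconds, sid) pairs, one per packet with an unknown
    source IP that would trigger a leasequery. Returns (forwarded, dropped),
    each a dict of counts keyed by SID.
    Assumption: intervals are aligned to t=0; the page does not say how the
    router aligns them.
    """
    window_of = {}               # sid -> index of the interval last seen
    used = defaultdict(int)      # sid -> leasequeries sent in that interval
    forwarded = defaultdict(int)
    dropped = defaultdict(int)
    for t, sid in sorted(events):
        window = int(t // interval)
        if window_of.get(sid) != window:   # next interval: count starts over
            window_of[sid] = window
            used[sid] = 0
        if used[sid] < threshold:
            used[sid] += 1
            forwarded[sid] += 1            # leasequery goes to the DHCP server
        else:
            dropped[sid] += 1              # excess request is dropped
    return dict(forwarded), dict(dropped)

def constructed_trace():
    # Constructed sample: SID 101 sweeps addresses at 50 packets/s for 4 s,
    # SIDs 202 and 303 each present a single unknown address.
    scan = [(i / 50.0, 101) for i in range(200)]
    return scan + [(0.3, 202), (2.7, 303)]

def summarize(threshold=5, interval=2):
    trace = constructed_trace()
    forwarded, dropped = filter_leasequeries(trace, threshold, interval)
    return forwarded, dropped, len(trace), sum(forwarded.values())

if __name__ == "__main__":
    forwarded, dropped, before, after = summarize()
    print("leasequeries without filter:", before)
    print("leasequeries with filter:   ", after)
    for sid in sorted(forwarded):
        print(f"SID {sid}: forwarded={forwarded[sid]} dropped={dropped.get(sid, 0)}")
```

In this model the DHCP server receives at most the threshold number of leasequeries per SID per interval, so its worst-case load depends on how many SIDs are sending unknown-address traffic, not on how fast any one of them scans.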
To configure the Cisco CMTS router to send DHCP leasequery requests to the DHCP server, use the cable source-verify dhcp and
no cable arp commands. Unknown IP addresses that are found in packets for customer premises equipment (CPE) devices that use the cable
modems on the cable interface are verified. The DHCP server returns a DHCP ACK message with the DHCP relay information and
lease information of the CPE device that has been assigned this IP address, if any.
When the cable source-verify dhcp and no cable arp commands are configured, a DHCP leasequery is sent for downstream packets
to verify unknown IP addresses within the IP address range configured on the cable bundle interface.
For DHCP leasequery to work in the downstream direction, the Cisco Network Registrar (CNR) should be made aware of the DHCP
Option 82. This is required to make the CMTS map the CPE IP address to the correct CM. To do this, configure the
ip dhcp relay information option command on the bundle interface to insert the service class relay agent option into the DHCP
DISCOVER messages. When the configuration is in place, the values of DHCP Option 82 are cached by the CNR during DHCP DISCOVER
and are returned to the CMTS on any subsequent DHCP leasequery for that IP address.
To configure the Cisco CMTS router to divert DHCP leasequery requests to a server other than the DHCP server, use the
cable source-verify dhcp server ipaddress and no cable arp commands.
The Cisco CMTS supports two types of DHCP leasequery implementation, Cisco standard compliant DHCP leasequery and RFC 4388
standard compliant DHCP leasequery. These two standards differ mostly in the identifiers used to query or respond to the DHCP
Server. You can choose between these two implementations depending on which standard is supported on your DHCP Server.
Use the ip dhcp compatibility lease-query client {cisco | standard} command to configure the Cisco CMTS in either Cisco mode
or RFC 4388 standard mode.