PowerKEY VOD

PowerKEY Video On Demand refers to video content that is chosen by the subscriber and streamed specifically to the subscriber. The content is encrypted using PowerKEY conditional access through a video session that is created on the Cisco cBR-8 specifically for each request.

Information About PowerKEY VOD

PowerKEY Video On Demand is used in a Cisco cable environment to provide edge-encrypted video-on-demand movies and other content to subscribers. The subscriber selects the content via an on-screen selection and the set-top box (STB) notifies the head-end of the request. The head-end equipment receives the request from the STB and triggers the Session Resource Manager (SRM) to create an encrypted video session on the Cisco cBR-8. At the same time, the video streamer is triggered to begin streaming the content in a UDP stream to the Cisco cBR-8. The Cisco cBR-8 receives the unscrambled video content, encrypts it using PowerKEY, combines the scrambled stream with other content destined for the RF carrier, and transmits the RF signal from the RF port.

Overview of PowerKEY VOD

PowerKEY VOD allows the operator to provide secure, encrypted video streams to a particular subscriber over the RF plant.

How to Configure PowerKEY VOD

Configuring the Encryption Type on the Line Card

Cisco IOS-XE Release 16.5.1 supports the PowerKey and PME encryption CA systems, but allows only one encryption type to be installed on the line card. The CA system has two levels: the lower-level scrambler, which encrypts the actual data streams, and the upper-level conditional access system, which handles how the control words are transferred from the encrypting device to the decrypting device.

To specify the type of encryption used to scramble the data streams, complete the following procedure:

configure terminal 
cable video 
encryption  
linecard slot/bay ca-system [pme | powerkey] scrambler scrambler-type  
exit 

PowerKey currently supports the DES scrambler, and Privacy Mode Encryption (PME) supports the DVS-042 scrambler, as given in the following table:

Table 1. Supported Encryption Types and Scrambler Modes

Encryption Type    Scrambler Mode
---------------------------------
PME                DVS-042
PKEY               DES

Verifying the Encryption Configuration

To verify the encryption type of a line card, use the show cable video encryption linecard command as shown in the example below:

show cable video encryption linecard 7/0  
Line card: 7/0
CA System       Scrambler
================================
powerkey        des

Configuring the Encrypted Virtual Carrier Groups

For the sessions to be encrypted on the Cisco cBR-8, the Virtual Carrier Groups (VCGs) must be specified as encrypt and the line card must be configured as encrypted. In this way, the operator can choose the carriers on the line card that support encryption and other carriers that support only clear or pre-encrypted sessions. Each encrypted carrier consumes an encrypted carrier license.

For the VCG to be used in a Logical Edge Device (LED) that is configured with the GQI protocol, each RF carrier must be assigned with an output port number. The LED must be configured with the Generic QAM Interface (GQI) protocol in order to support session-based operation.


Note

For PowerKEY VOD, you have to specify the session-based operation.


To configure the VCG, complete the following procedure:

configure terminal 
cable video 
virtual-carrier-group vcg-name 
rf-channel channel range tsid tsid range output-port-number port num range 
virtual-edge-input-ip ip-address [vrf] vrf name input-port-number number 
encrypt  
exit 

Verifying the Encrypted Virtual Carrier Groups Configuration

To verify the encrypted VCGs configuration, use the show cable video virtual-carrier-group name command as shown in the example below:

show cable video virtual-carrier-group name vod-grp 


Configuring the Service Distribution Groups and Binding

The Service Distribution Group (SDG) is a collection of one or more RF ports and defines the physical slot/bay/port to be used in a video service. After you configure an SDG, you can bind a VCG to an SDG. The binding connects the carriers defined in the VCG to the physical port listed in the SDG. After binding, a path from the Virtual Edge Input (VEI) is mapped to the RF ports.

To configure the SDGs and binding, complete the following procedure:

configure terminal 
cable video 
service-distribution-group sdg name id sdg number 
onid onid for port 
rf-port integrated-cable slot/bay/port 
exit  
bind-vcg  
vcg vcg-name sdg sdg-name 
end 

Configuring the Logical Edge Device and GQI Protocol

The PowerKEY VOD feature on the Cisco cBR-8 is directed by an external Session Resource Manager (SRM) that creates video sessions in response to a subscriber selecting VOD content to watch on the set-top box. You must configure a Logical Edge Device (LED) supporting the GQI protocol on the Cisco cBR-8 to support PowerKEY VOD.

The LED is configured with the GQI protocol as the LED communicates with an external SRM using the GQI protocol. The GQI protocol supports the creation and deletion of sessions on the carriers owned by this LED.


Tip

Use the following command to get the chassis MAC address:

Router#show diag all eeprom detail | include MAC 
Chassis MAC Address : 54a2.740e.2000
MAC Address block size : 1024

Using the chassis MAC address as a basis, increment the least significant number to give a unique identifier (mac-address) for each LED. This number needs to be unique with respect to the GQI server and does not really relate to a true MAC address. The value itself is therefore irrelevant, as long as it is unique.


To configure the Logical Edge Device and GQI Protocol, complete the following procedure:

configure terminal 
cable video 
logical-edge-device led name id led number 
protocol gqi 
mgmt-ip management ip address 
mac-address mac address from this chassis range 
server ip address of srm 
virtual-edge-input-ip ip addr for content [vrf] vrf name input-port-number num 
vcg virtual edge qam name (may be multiple vcgs in an LED) 
active n 
end 

Verifying the PowerKEY VOD Configuration

The PowerKEY encrypted VOD LED becomes active and communicates with the external SRM device once the encryption type on the line card, the VCGs, the binding of SDGs, and the LED with the GQI protocol have all been configured.

To verify the Logical Edge Device configuration, use the show cable video logical-edge-device name led name command or the show cable video logical-edge-device id led number command, as shown in the example below:


show cable video logical-edge-device name pkvodled  
Logical Edge Device: pkvodled
Id: 1
Protocol: GQI
Service State: Active
Discovery State: Disable
Management IP: 1.23.2.10
MAC Address: 54a2.740d.dc99
Number of Servers: 1
Server 1: 1.200.3.75
Reset Interval: 8
Keepalive Interval: 10    Retry Count:3
Number of Virtual Carrier Groups: 1
Number of Share Virtual Edge Input: 1
Number of Physical Qams: 20
Number of Sessions: 0
No Reserve PID Range

Virtual Edge Input:
Input Port   VEI               Slot/Bay     Bundle       Gateway         
ID           IP                             ID           IP              
-----------------------------------------------------------------
1            174.10.2.1          7/0          -            -     

Verify the following:

  • The service state of the LED should be active and the other fields must be the same as the configured values.

  • The connection to the remote SRM should be displayed to ensure that there is a valid network connection to the SRM.

  • Execute the show cable video gqi connections command. The following is the sample output when the connection is not established to the SRM :

    
    LED Management Server     Connection    Version Event   Reset      Encryption     
    ID  IP         IP         Status                Pending Indication Discovery      
    ---------------------------------------------------------------------------------
    1   1.23.2.10  1.200.3.75 Not Connected  0      0       Not Sent   Not Sent  
    

    The following is the sample output when the connection is established to the SRM:

    
    LED Management Server     Connection    Version Event   Reset      Encryption     
    ID  IP         IP         Status                Pending Indication Discovery      
    ---------------------------------------------------------------------------------
    1   1.23.2.10  1.200.3.75 Not Connected 2       0       ACKED      ACKED          
    

    Once the connection is established, the SRM may create encrypted sessions on the carriers of the LED.

  • To view the encrypted sessions, use the show cable video session logical-edge-device id led number summary command as shown in the example below:

    
    show cable video session logical-edge-device id 1 summary  
    Video Session Summary:
    
    Active    : 1        Init      : 0         Idle      : 0
    Off       : 0        Blocked   : 0         PSI-Ready : 1
    UDP       : 1        ASM       : 0         SSM       : 0
    Remap     : 1        Data      : 0         Passthru  : 0
    Total Sessions: 1
    
    
  • The individual session information can be displayed for the entire LED, for a particular port or line card. The details of a single session may be displayed by specifying a session-id or session-name. To display all the sessions on the LED, use the show cable video session logical-edge-device name led name command as shown in the example below:

    
    show cable video session logical-edge-device name pkvodled 
    Total Sessions = 1
    
    Session Output Streaming Session Destination UDP   Output  Input      Output Input   
    Id      Port   Type      Type                Port  Program State      State  Bitrate 
    -------------------------------------------------------------------------------------
    1048576 1      Remap     UDP    174.101.1.1  4915  1       ACTIVE-PSI ON     732788  
    
    Output  Encrypt  Encrypt    Session
    Bitrate Type     Status     Name
    -----------------------------------
    1715446 PowerKey Encrypted  0x0000000000001
    
    

    If the session is encrypted and transmitted properly, the session is displayed as shown in the above example. The input state is "ACTIVE-PSI". The output state is "ON". For PowerKEY encrypted sessions, the Encrypt Type will be "PowerKey" and the Encrypt Status will be "Encrypted".

    If the session is created as a clear session, then the Encrypt Type will be "CLEAR" and the Encrypt Status will be "-".

    If the GQI connection is not in the connected state, or if the sessions are not in the proper states, troubleshoot the connection. For more information, see Troubleshooting Tips.
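
The state checks above can be run over captured output. The following is an added example, not Cisco code: it parses the wrapped two-table session listing and reports every session whose input state, output state, or encryption fields differ from the healthy values described above. The sample text is constructed, and the parser assumes every column is populated and whitespace-delimited.

```python
import re

# Constructed sample in the wrapped two-table layout shown above; the second
# session (a clear session with its output off) is invented for illustration.
SAMPLE = """\
Total Sessions = 2

Session Output Streaming Session Destination UDP   Output  Input      Output Input
Id      Port   Type      Type                Port  Program State      State  Bitrate
-------------------------------------------------------------------------------------
1048576 1      Remap     UDP    174.101.1.1  4915  1       ACTIVE-PSI ON     732788
1048577 2      Remap     UDP    174.101.1.1  4916  2       ACTIVE-PSI OFF    701223

Output  Encrypt  Encrypt    Session
Bitrate Type     Status     Name
-----------------------------------
1715446 PowerKey Encrypted  0x0000000000001
0       CLEAR    -          0x0000000000002
"""

def parse_sessions(text):
    """Join the two wrapped tables row by row into one dict per session."""
    tables, rows = [], None
    for line in text.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            rows = []              # a dashed rule starts a new table body
            tables.append(rows)
        elif rows is not None:
            if line.strip():
                rows.append(line.split())
            else:
                rows = None        # a blank line ends the table body
    if len(tables) != 2 or len(tables[0]) != len(tables[1]):
        raise ValueError("expected two session tables with matching rows")
    return [{"id": a[0], "input": a[7], "output": a[8],
             "enc_type": b[1], "enc_status": b[2], "name": b[3]}
            for a, b in zip(*tables)]

def audit(sessions):
    """Return (session id, problem) pairs for sessions off the healthy state."""
    findings = []
    for s in sessions:
        if s["input"] != "ACTIVE-PSI":
            findings.append((s["id"], f"input state {s['input']}"))
        if s["output"] != "ON":
            findings.append((s["id"], f"output state {s['output']}"))
        if (s["enc_type"], s["enc_status"]) != ("PowerKey", "Encrypted"):
            findings.append((s["id"], f"not PowerKEY encrypted: "
                             f"{s['enc_type']}/{s['enc_status']}"))
    return findings

if __name__ == "__main__":
    for sid, problem in audit(parse_sessions(SAMPLE)):
        print(sid, problem)
```

A session reported as CLEAR on a carrier that is expected to be encrypted is the finding to follow up first, since that content leaves the RF port unscrambled.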

Troubleshooting Tips

GQI Connection

GQI connection problems can be the result of a problem in the network, such as a problem in the external SRM device, or in the Cisco cBR-8 configuration. The first problem is beyond the scope of this document. To verify the Cisco cBR-8 configuration, check that the management interface port is configured properly and is active (not shutdown).

Session Input State
  • If a session's input state is "OFF" or another state that is not "ACTIVE-PSI", then the problem is related to receiving content on the Cisco cBR-8. This could be a problem elsewhere in the head-end network or with the video streaming device. The Virtual Edge Input address specified in the LED should match the destination IP address used by the streaming device.

    To display the LED, use the following command:

    show cable video logical-edge-device id led number

  • The Virtual Edge Inputs are listed in the output. Check the streaming device to ensure the destination IP address matches the appropriate VEI. Additionally, verify whether the UDP port of the video content from the streamer matches the UDP port shown in the session display on the Cisco cBR-8, using the following command:

    show cable video session logical-edge-device id led number

  • The TenGigabitEthernet port where the VEI address is routed must not be in the shutdown state. To check the appropriate interface, use the following command:

    show interface TenGigabitEthernet slot/bay/port

Session Output State
  • If a session's input state is "ACTIVE-PSI" and the output state is not "OFF", then the problem is related to the physical port channel configuration. The output of the show cable video logical-edge-device command also shows all the carriers and their Admin and Operational states.

    To display the carriers and their state, use the following command:

    show cable video scg logical-edge-device id number

    show cable video logical-edge-device id number
    Integrated Physical Admin Operational TSID ONID Output VCG   SDG  Encryption  
    Cable      QAM ID   State State                 Port   ID    ID   Capable     
    -----------------------------------------------------------------------------
    8/0/0:0    0        ON    UP           1   100   1     1    1     powerkey         
    8/0/0:1    1        ON    UP           2   100   2     1    1     powerkey
    8/0/0:2    2        ON    UP           3   100   3     1    1     powerkey
    8/0/0:3    3        ON    UP           4   100   4     1    1     powerkey
    
  • If the output port corresponding to the session does not show "ON" for Admin State and "UP" for Operational State, then there is a problem with the configuration. To display the output port details, use the following command:

    show cable video output-port output port number

Session Encrypt Status
  • If an encrypted GQI session has an Output State or Encrypt Status of "Pending", either there is a problem with the PowerKEY encryption of the session, or the encryption on the session is just getting ready to start. First, run the session command repeatedly over a few seconds to ensure that the session was not transitioning from Pending to Active. If the state is Pending, then there is a problem with the encryption.

    To troubleshoot this problem, the operator can check the Scrambling Control Group (SCG) that corresponds to this session. Using the session ID from the session display, the SCG ID can be found using the following command:

    show cable video scg logical-edge-device id led number

    
    LED 1 has 8137 SCGs on 128 carriers
     
    SCG ID     Session ID  LED   TSID  ONID
    ------------------------------------------
    68157683   1048819     1     1     100  
    68157684   1048820     1     1     100  
    

    To verify the SCG ID of the session, use the following command:

    show cable video scg logical-edge-device id led number | inc session id

    
    68157684   1048820     1     1     100

    To verify the SCG session information, use the following command:

    show cable video scg id SCG id

    
    SCGid: 68157684
    Status: SUCCESS
    TSID:    1 
    ONID:  100 
    Nominal CP: 550
    

    If the Status does not show SUCCESS, then there must be a problem with the Encrypted Key exchange between the Cisco cBR-8 and SRM.

Configuration Examples

This section provides configuration examples for the PowerKEY VOD feature:

Example: Configuring Encryption Type on the Line Card

The following example shows how to configure the encryption type on the line card:

configure terminal 
cable video 
encryption  
linecard 7/0 ca-system powerkey scrambler des 
exit 

Example: Configuring Encrypted Virtual Carrier Groups

The following example shows how to configure the QAM channels from 64 to 158. These channels are encryption capable once the VCG is successfully bound to a Service Distribution Group. The sessions created on these QAM carriers are encrypted using the scrambler installed on the line card.

configure terminal 
cable video 
virtual-carrier-group vod-group 
rf-channel 64-158 tsid 64-158 output-port-number 64-158 
virtual-edge-input-ip 14.1.1.1 input-port-number 1 
virtual-edge-input-ip 14.2.1.1 vrf Video-VOD-Vrf input-port-number 2 
encrypt  
exit 

Example: Configuring the Logical Edge Device and GQI Protocol

The following example shows how to configure the logical edge device and the GQI protocol:

configure terminal 
cable video 
logical-edge-device pkvodled id 1 
protocol gqi 
mgmt-ip 1.20.2.10 
mac-address 54ab.6409.dc99 
server 1.200.3.75 
virtual-edge-input-ip 174.10.2.1 input-port-number 1 
virtual-edge-input-ip 174.11.2.1 vrf Video-VOD-Vrf input-port-number 2 
vcg vod-grp 
active n 
end 

Feature Information for PowerKEY VOD

Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to the www.cisco.com/go/cfn link. An account on the Cisco.com page is not required.


Note

The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 2. Feature Information for PowerKEY VOD

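Feature Name    Releases                       Feature Information
---------------------------------------------------------------------------------------------------------------------------------
PowerKEY VOD    Cisco IOS XE Everest 16.6.1    This feature was integrated on the Cisco cBR Series Converged Broadband Routers.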