Cisco Systems uBR7200 manual: DOCSIS Baseline Privacy, Upstream Address Verification, MC-529


Configuring Headend Broadband Access Router Features

Security Features

DOCSIS Baseline Privacy

The Cisco uBR7200 series routers support DOCSIS baseline privacy (BPI). When BPI is enabled, the Cisco uBR7200 series generates Traffic Encryption Keys (TEKs) for each applicable SID. The router uses the keys to encrypt downstream data and decrypt upstream traffic from two-way cable modems.

The Cisco uBR7200 series supports both 40-bit and 56-bit encryption/decryption. When BPI is enabled, 56-bit encryption/decryption is the default. A configuration command lets an administrator manually force the Cisco uBR7200 series to generate a 40-bit DES key; in that case the software sets the first 16 bits of the generated 56-bit key to 0 before returning it.

Note: Both the Cisco uBR7200 series universal broadband router and the cable modem must contain software and be configured to support encryption/decryption.

The Cisco uBR7200 series router generates keys for unicast, broadcast, and multicast operation as appropriate. Keys are refreshed periodically and have a default lifetime of 12 hours.

Cable Modem and Multicast Authentication Using RADIUS

As an enhancement to baseline privacy, Cisco uBR7200 series universal broadband routers can be configured for cable modem and multicast authentication using the RADIUS protocol, an access server authentication, authorization, and accounting (AAA) protocol originally developed by Livingston, Inc. The Cisco uBR7200 series also supports additional vendor-proprietary RADIUS attributes.

When a cable modem comes online or when an access request is sent through a multicast data stream, the Cisco uBR7200 series sends relevant information to RADIUS servers for cable modem/host authentication. This feature can be configured on a per-interface basis.

An IETF draft standard, RFC 2138, defines the RADIUS protocol. RFC 2139 defines the corresponding RADIUS accounting protocol. Additional RFC drafts define vendor-proprietary attributes and MIBs that can be used with a Simple Network Management Protocol (SNMP) manager.

Upstream Address Verification

Upstream address verification prevents the spoofing of IP addresses by comparing the source IP address with the MAC address of the cable modem, thus verifying that each upstream data packet comes from the cable modem known to be associated with the source IP address in the packet. The cable source-verify [dhcp] cable interface command specifies that DHCP lease query requests are sent to verify any unknown source IP address found in upstream data packets. This feature requires a DHCP server that supports the LEASEQUERY message type.

Note: Cisco Network Registrar (CNR) supports the LEASEQUERY message type in software release 3.01(T) and later.
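
The per-packet decision that upstream address verification makes with the dhcp option can be sketched as a simplified Python model. This is an example added here, not Cisco IOS code and not part of the manual; the class and function names, the MAC and IP values, and the in-memory lease table standing in for the LEASEQUERY-capable DHCP server are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: leases the (simulated) DHCP server has issued,
# keyed by IP, giving the MAC of the cable modem the lease was issued behind.
SAMPLE_LEASES = {
    "10.10.0.21": "0010.7b00.aa01",
    "10.10.0.22": "0010.7b00.aa02",
}

@dataclass
class SourceVerifier:
    leases: dict                                  # stands in for the DHCP server (assumption)
    bindings: dict = field(default_factory=dict)  # source IP -> cable modem MAC, verified so far
    queries: int = 0                              # number of lease queries sent

    def lease_query(self, ip):
        """Simulated LEASEQUERY: modem MAC for an active lease, or None."""
        self.queries += 1
        return self.leases.get(ip)

    def check(self, modem_mac, src_ip):
        """Return 'forward' or 'drop' for one upstream packet."""
        known = self.bindings.get(src_ip)
        if known is None:
            # Unknown source IP: ask the DHCP server instead of trusting the packet.
            known = self.lease_query(src_ip)
            if known is None:
                return "drop"                     # no lease exists for this address
            self.bindings[src_ip] = known         # cache the server-verified binding
        # The packet must arrive through the modem the address is associated with.
        return "forward" if known == modem_mac else "drop"

def run_demo():
    v = SourceVerifier(leases=dict(SAMPLE_LEASES))
    packets = [  # (modem MAC the packet arrived through, source IP), constructed
        ("0010.7b00.aa01", "10.10.0.21"),   # leased address, first sight: lease query
        ("0010.7b00.aa01", "10.10.0.21"),   # same binding, answered from the cache
        ("0010.7b00.aa02", "10.10.0.21"),   # address bound to a different modem
        ("0010.7b00.aa02", "10.10.0.99"),   # address the server never leased
    ]
    return [v.check(mac, ip) for mac, ip in packets], v.queries

if __name__ == "__main__":
    print(run_demo())
```

Because the binding is taken from the lease query reply rather than from the first packet seen, a spoofed packet that arrives before the legitimate host's traffic cannot claim the address.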

Cisco IOS Multiservice Applications Configuration Guide

MC-529
