Cisco uBR10012 Universal Broadband Router Software Configuration Guide
OL-1520-08
Chapter 1 Overview of Cisco uBR10012 Universal Broadband Router Software Supported Software Features for the Cisco uBR10012 Router
40-bit and 56-bit Baseline Privacy Data Encryption Standard (DES)
The Cisco uBR10012 router supports 40-bit and 56-bit encryption and decryption. When encryption and
decryption are enabled, 56-bit is the default. If necessary, administrators can force the
Cisco uBR10012 router to generate a 40-bit DES key; the DES key that is generated and returned
has the first 16 bits of the 56-bit key masked to zero in software.
Note: BPI+ encryption and authentication must be supported and enabled by both the CM and CMTS. In addition,
the CM must contain a digital certificate that conforms to the DOCSIS 1.1 and BPI+ specifications.
Access Lists (Per-Modem and Per-Host)
Per-modem and per-host access lists allow the Cisco uBR10012 router to filter incoming packets from
individual hosts or cable interfaces based on the source MAC or IP address. This allows access lists to
be specified on a per-interface or a per-address basis.
You can preconfigure the filters by using the CLI, following standard Cisco IOS access list and access
group configuration procedures. You can assign these filters to a user or modem by using the CLI or
SNMP. The feature also supports traps to inform the CMTS about the online or offline status of modems.
Access Lists on the Cisco uBR10012 Router
The Parallel eXpress Forwarding (PXF) processors on the Cisco uBR10012 router provide the increased
performance of Turbo Access Control Lists (Turbo ACL) by default by automatically compiling all
access lists when access lists are configured.
You do not need to use the access-list compiled command to enable the Turbo ACL feature. To display
access lists, use the show access-lists command without specifying the compiled option.
For complete information about access lists, see the "Traffic Filtering and Firewall" volume in the Cisco
IOS Release 12.1 Security Configuration Guide at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/index.htm
Authentication
DOCSIS 1.1 offers advanced authentication and security through X.509 digital certificates and Triple
Data Encryption Standard (3DES) key encryption.
Cisco IOS Firewall
The Cisco uBR10012 router supports Network Address Translation (NAT) and firewall functionality.
Additional NAT documentation is available online at http://www.Cisco.com.
CM and Host Subnet Addressing
This feature enables the Cisco uBR10012 router to manipulate the GIADDR field of DHCPDISCOVER
and DHCPREQUEST packets with a Relay IP address before they are forwarded to the DHCP server.
By modifying the GIADDR field based on whether the source is a CM or a host, the
Cisco uBR10012 router provides hints to the DHCP server as to where (on which IP subnet) the server
should allocate addresses to the requesting client.
Upstream Address Verification
This feature prevents the spoofing of IP addresses. Using the CLI, administrators can determine the IP
and MAC address of a given cable interface, and the SID number that shows the IP and MAC addresses
of all devices learned in the cable interface's MAC table.
The CMTS verifies the source IP address against the MAC address for the CM. CM and PC IP addresses
are verified to ensure that SID and MAC addresses are consistent. A PC behind a cable interface is
assigned an IP address from the DHCP server. If a user on a second PC or cable interface statically
assigns the same IP address to a PC, the Cisco uBR10012 router reports this. Using customer databases,
administrators can cross-reference the spoofing CM and PC to prevent further usage.
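
The consistency check described above can be modelled in a few lines. This is an added example, not Cisco IOS code or part of the original guide: the class, method and verdict names are hypothetical, and the addresses are constructed from documentation ranges. It models only the host (PC) side of the check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    host_mac: str  # device the DHCP server leased the address to
    cm_mac: str    # cable modem (CM) that device sits behind
    sid: int       # SID assigned to that modem

class UpstreamVerifier:
    """Toy model: a source IP must match the MAC and SID it was leased to."""
    def __init__(self):
        self.sid_by_cm = {}  # CM MAC -> SID, learned when the modem comes online
        self.by_ip = {}      # IP -> Binding, learned from DHCP leases

    def modem_online(self, cm_mac, sid):
        self.sid_by_cm[cm_mac.lower()] = sid

    def dhcp_lease(self, ip, host_mac, cm_mac):
        cm = cm_mac.lower()
        self.by_ip[ip] = Binding(ip, host_mac.lower(), cm, self.sid_by_cm[cm])

    def check(self, sid, src_mac, src_ip):
        """Classify one upstream packet (verdict names are this example's own)."""
        b = self.by_ip.get(src_ip)
        if b is None:
            return "unknown-ip"          # address was never leased by DHCP
        if b.sid != sid:
            return "spoof-other-modem"   # leased IP claimed behind a second CM
        if b.host_mac != src_mac.lower():
            return "spoof-same-modem"    # second PC behind the same CM
        return "ok"

    def report(self, packets):
        """Return (verdict, sid, src_mac, src_ip) for each packet that fails."""
        rows = [(self.check(*p), *p) for p in packets]
        return [r for r in rows if r[0] != "ok"]

def demo():
    v = UpstreamVerifier()
    v.modem_online("00:00:5e:00:53:01", sid=5)
    v.modem_online("00:00:5e:00:53:02", sid=6)
    v.dhcp_lease("192.0.2.10", "00:00:5e:00:53:a1", "00:00:5e:00:53:01")
    return v.report([  # constructed upstream packets: (SID, source MAC, source IP)
        (5, "00:00:5E:00:53:A1", "192.0.2.10"),  # leased host, consistent
        (6, "00:00:5e:00:53:b2", "192.0.2.10"),  # static copy behind another CM
        (5, "00:00:5e:00:53:c3", "192.0.2.10"),  # static copy behind the same CM
        (6, "00:00:5e:00:53:b2", "192.0.2.99"),  # address with no lease
    ])
```

Each reported row carries the SID and source MAC, which are the values an administrator would cross-reference against the customer database.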