cm.cmts interaction

MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2003. Revision 2.0 – Last Update October 2003 CM/CMTS Interaction Module 4


Page 1: CM.cmts Interaction


CM/CMTS Interaction

Module 4

Page 2: CM.cmts Interaction

Module 4, Page 2

Introduction

Introduction: In the last module, we looked at the CMTS configurations necessary to provide data services. We will now look at cable modem/CMTS interactions. Specifically, we will examine the ranging and registration process.

Importance: We need to baseline expected performance before we can isolate issues (the first step in troubleshooting) on the CMTS.

Lesson Overview: We will look at a sample configuration, ranging and registration.

Page 3: CM.cmts Interaction

Objectives

Upon successful completion of this module, you will be able to perform the following tasks:

» Describe the DOCSIS-specified ranging and registration process
» List the necessary OSS services required
» Successfully range and register a cable modem on the BSR64000
» Be able to use the CLI tools to isolate break-points
» Troubleshoot registration problems

Page 4: CM.cmts Interaction

CMTS/CM Interaction

» Scan for downstream channel and sync with the CMTS
» Obtain the transmit parameters (from UCD message)
» Perform ranging
» Establish IP connectivity
» Establish time of day
» Transfer operational parameters
» Perform registration

[Figure: process flow Tuning → Ranging → Connection → Configuration → Registration → Maintenance; this flow is shown in the margin of the following pages]

Page 5: CM.cmts Interaction

Viewing Ranging and Registration

Show cable modem command, from the Privileged EXEC mode:

show cable modem [<mac> | <ip address> hosts]

• Can specify detail | offline | registered | unregistered | summary as arguments

MOT> en
MOT# sh cable modem
cm->mac: 0030.ebff.033
Interface  Upstream  Prim  Connect     Timing  Rec    Ip Address    Mac Address
IfIndex              Sid   State       Offset  Power
Cable 0/0  4         1     online(pk)  1239    109    10.200.220.2  0030.ebff.f03
cm->mac: 0050.f112.2563
Cable 0/0  4         2     online(pt)  1228    116    10.200.220.3  0050.f112.2563
Total cable modems reg: 2
Total cable modems other state: 0

Page 6: CM.cmts Interaction

Cable Modem Tuning

» CM listens for CMTS downstream transmission
» CM searches for a downstream data channel
» Synchronize with QAM
» Synchronize with FEC and MPEG

Page 7: CM.cmts Interaction

Sample Downstream Tuning

[Figure: sample downstream scan over STD/IRC channels 6-134 and HRC channels 6-134; analog channels take about 1 sec each, digital TV channels 2 sec, until the DOCSIS channel is found]

MOT# show cable modem
Total cable modems reg: 0
Total cable modems other state: 0

Page 8: CM.cmts Interaction

SYNC

Monitor for SYNC messages:

» Periodically transmitted by the CMTS
» The SYNC message contains a time stamp that exactly identifies when the CMTS transmitted the SYNC
» The CM uses it to synchronize its time-based reference clock so that its transmissions on the upstream fall into the correct mini-slots

Page 9: CM.cmts Interaction

UCD

Obtain upstream parameters: monitor for the UCD message, periodically transmitted by the CMTS. UCDs define characteristics of the upstream channel:

» mini-slot size
» upstream channel ID
» downstream channel ID
» burst descriptor

Page 10: CM.cmts Interaction

Upstream Channel Descriptors

UCDs: one set per upstream channel. They describe general upstream channel characteristics:

» Center frequency
» Channel width
» Mini-slot size
» Upstream channel ID
» Downstream channel ID
» Burst descriptor
  • Describes each burst type:
    – Initial maintenance
    – Request
    – Request/data
    – Periodic maintenance
    – Short data
    – Long data

Defined at the CMTS in the form of Modulation Profiles

Page 11: CM.cmts Interaction

Modulation Profiles

Viewing Modulation Profiles, from the Privileged EXEC mode:

show cable modulation-profile [<1-16>]

MOT> en
MOT# sh cable modulation-profile 1
Profile 1
Intvl  FEC    FEC   Burst  Guard  MOD    Scrambl  Scrambl  Diff    Preambl  Last
usage  err    len   len    time   type            seed     encode  length   code-
       corre  code  mod                                                     word
reque  0      16    2      8      qpsk   scrambl  0x152    no-dif  64       fixed
initi  5      34    0      48     qpsk   scrambl  0x152    no-dif  128      fixed
stati  5      34    0      48     qpsk   scrambl  0x152    no-dif  128      fixed
short  5      78    8      8      16qam  scrambl  0x152    no-dif  144      short
long   10     235   0      8      16qam  scrambl  0x152    no-dif  160      short

Page 12: CM.cmts Interaction

Downstream Transmission Format

MPEG Packet Format

[Figure: MPEG framing for a large DOCSIS MAC frame. Every packet carries an MPEG header (4 bytes), an optional pointer_field (0-1 byte) and a DOCSIS payload (183-184 bytes). Packet 1: MPEG header, pointer_field (1 byte), DOCSIS MAC Frame #1 (up to 183 bytes). Packet 2: MPEG header, continuation of Frame #1 (184 bytes). Packet 3: MPEG header, pointer_field (1 byte), tail of Frame #1 (n bytes), Frame #2 (m bytes), stuff_bytes (0 or more).]

Page 13: CM.cmts Interaction

DOCSIS MAC

» Minislot = power of two (4, 8, …, 32) multiple of 25 ms (max = 800 ms); 4 ticks/minislot, 64 symbols per minislot in a 3.2 MHz channel
  » 32 bytes/minislot in 16 QAM
  » 16 bytes/minislot in QPSK
» MAP must:
  » be bounded by a limit of 240 information elements (each IE = 4 bytes)
  » not describe more than 4096 minislots into the future (25.6 ms, 51.2 ms, …, 3.276 s)
» Not more than 255 minislots per CM per MAP
» Concatenation of multiple upstream packets is allowed for higher bandwidth efficiency
» Service Flow ID (SFID) and Service ID (SID): identification and class of service management, support for data flows, mapping to CMTS-NSI QoS

Page 14: CM.cmts Interaction

MAPs

» The upstream time is allocated to modems in the MAP message
» MAP is variable length, typically 5-15 ms
» CMTS sends separate MAP messages for each upstream channel
» Set of all MAPs for a channel covers all minislots
» For each BW grant, contains: SID, burst type, grant length
» MAP contains US Channel ID and configuration count; allows dynamic UCD changes

Page 15: CM.cmts Interaction

MAPs (cont.)

» Received from the CMTS on the downstream channel
» The MAP MAC message describes the permitted use of the upstream channel

[Figure: two consecutive MAPs for one upstream channel, each laying out Request/Contention Slots, Reserved Slots and Maintenance slots; a 2nd upstream channel is shown with its own Maintenance slots]

Page 16: CM.cmts Interaction

Upstream and Downstream TDM

» Allocation Maps periodically broadcast on a downstream channel
» Contention Slots (CSs) for CMs sending requests
  » CSs are subject to competition/contention
» Data Slots (DSs) for data frames of individual CMs
  » DSs are dedicated to individual CMs
» ACK, Maintenance messages
» Upstream channels divided into a stream of mini-slots

[Figure: the downstream (D/S) carries MAP, SYNC and UCD messages; the upstream (U/S) is divided into Request/Contention Slots, Reserved Slots (Pr.1 … Pr.4) and Maintenance slots; a 2nd upstream channel has its own Maintenance slots]

Page 17: CM.cmts Interaction

Upstream Burst Transmission

[Figure: variable-length upstream burst occupying an integer number of minislots between the minislot boundary of the previous burst and that of the next burst. PMD overhead: Preamble 0-1024 bits (0-128 bytes), FEC Parity 18-255 bytes, Guard Band with ramp-up and ramp-down, zero-fill if necessary. DOCSIS payload: MAC Header 6 bytes + EHDR (FC 1 byte, MAC_Par 1 byte, Length 2 bytes, Extended MAC Header (EHDR) 0-240 bytes, Header Check Sequence (HCS) 2 bytes) followed by a Data PDU of 18-1518 bytes (Destination 6 bytes, Source 6 bytes, Length 2 bytes, User Data 0-1500 bytes, CRC 4 bytes).]

Page 18: CM.cmts Interaction

Upstream MAC Operation

» Each CM scans the map for available slots
» Sends a request in a contention slot in contention mode
  » Contention resolution algorithm is similar to Ethernet
    • Binary exponential back-off mechanism
» Sends data frames in dedicated DSs
» Piggybacking
  » A request carried in the extended header of the next outgoing data frame
  » Bypassing the request contention process
» Scheduling of requests at the CMTS is vendor-specific

[Figure: CSs and DSs over Interval 1, Interval 2, …, Interval n, with a Null IE and ACK 1 … ACK n (ACKs and pending requests)]

Page 19: CM.cmts Interaction

Delivery of an Upstream Frame

» A CM sends a request in a contention slot of the 1st Map (assuming no contention)
» If data is granted in the 2nd Map, the CM sends a data frame in the granted DSs of the 2nd Map

[Figure: Upstream Frame Delay. Timeline between CM and CMTS against a common timing reference (t1 … t11): Map 1 (Reserved Slots, Initial Maintenance, Request/Contention Slots), Request, Map 2 (Reserved Slots, Initial Maintenance, Request/Contention Slots, Reserved Slots), Data Frame]

Page 20: CM.cmts Interaction

Issues in Upstream Scheduling

» Map frequency/depth
  » Faster: less frame delay, lower efficiency
  » Slower: longer frame delay, more efficient
» Slot Ratio: CSs to DSs in a map
  » Only one request outstanding per Service ID
  » More CSs: less contention, potential waste of bandwidth
  » Fewer CSs: longer request access delay, waste of DSs
  » Ideal case: the number of CSs serves the number of requests
    » Estimate the number of requests during a map interval
» Mini-slot placement

[Figure: one map of minislots laid out as Request/Contention Slots, Reserved Slots, Maintenance, Reserved Slots, Maintenance, Request/Contention Slots, Maintenance]

Page 21: CM.cmts Interaction

Map Frequency

» Map frequency affects mean scheduling delay D and channel utilization
» Upstream Frame Delay = contention delay + scheduling delay
  » Contention Delay: request contention and backoff
  » Scheduling Delay: scheduling requests at the CMTS

Page 22: CM.cmts Interaction

Scheduling Delay and Utilization Approximation Example

» CMTS immediately schedules a map after receiving a request
» D is the delay, C is the sum of all system constants, Bup is the upstream channel bandwidth, L is the frame size
» Assuming that all frames have the same size L: C = 0.3 ms, L = 300 bytes, Bup = 2.5 Mbps
» With maximum MTU: C = 0.3 ms, L = 1500 bytes, Bup = 2.5 Mbps

[Equation residue: the slide's worked formulas for D and the channel utilization in terms of C, L and Bup for the two cases did not survive extraction and are not reproduced here]

Page 23: CM.cmts Interaction

Downstream Signal Profile

» Upstream Bandwidth Allocation Map (MAP) includes: Initial Maintenance Interval (broadcast interval) with start and end of the connection opportunity

Page 24: CM.cmts Interaction

Ranging

» Adjusts for location in the cable plant: power levels, timing offset, frequency offset
» CM uses the Ranging Request (RNG-REQ) message
» Assumes SID of 0

Page 25: CM.cmts Interaction


Range Request Format

Page 26: CM.cmts Interaction


Range Response Format

Page 27: CM.cmts Interaction

Auto Adjustments

» CMTS receives the initial Ranging Request from the CM
» CMTS responds with a unicast Ranging Response (RNG-RSP)
  » Assigns a temporary SID and allocates bandwidth to this SID
  » Adjusts power level, timing offset, and frequency adjustment
  » Sets downstream and upstream channels
» CMTS begins Admission Control

Page 28: CM.cmts Interaction

Admission Control

» CMTS allocates a Temporary SID
» Adds CM to Forwarding Tables
» CMTS sends a MAP with a Station Maintenance opportunity for that SID
» CM ranges with the new settings (RNG-REQ)
» CMTS sends RNG-RSP
  » Indicates success or failure of Admission

Page 29: CM.cmts Interaction

Collisions

» Initial Ranging is a shared opportunity
» Possibility of collisions
» Binary exponential backoff algorithm for when CMs collide
  » CMTS will give them a backoff start and end time to wait until they try again
    • Specified in the MAPs for their upstream channels
    • Ensures that CMs that collide during initial ranging are randomized enough in their wait times before they try initial ranging again
      – Less of a chance of them colliding again

Page 30: CM.cmts Interaction

Tuning & Initial Ranging Summary

[Figure: message sequence UCD, SYNC and MAP from the CMTS, Rng-Req from the CM, Rng-Rsp from the CMTS]

MOT# show cable modem
Total cable modems reg: 0
Total cable modems other state: 0

MOT# show cable modem
cm->mac: 0030.ebff.033
Interface  Upstream  Prim  Connect   Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State     Offset  Power
Cable 0/0  4         1     ranging   1239    109    0.0.0.0     0030.ebff.f03
Total cable modems reg: 0
Total cable modems other state: 1

MOT# show cable modem
cm->mac: 0030.ebff.033
Interface  Upstream  Prim  Connect   Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State     Offset  Power
Cable 0/0  4         1     init(r1)  1239    109    0.0.0.0     0030.ebff.f03
Total cable modems reg: 0
Total cable modems other state: 1

Page 31: CM.cmts Interaction

Using Debugging for Troubleshooting Ranging

From the Privileged EXEC mode:

debug cable x/y <options including range and register>
  » Asynchronously indicates receipt of RNG-REQ and REG-REQ, and sending of RNG-RSP and REG-RSP
no debug cable x/y <options including range and register>
  » Stops ranging/registration debug

MOT> en
MOT# debug cable 3/0 range
Cable range debugging is turned on for slot 3
[01/07-07:46:43- 03:CMTSMAC]-D-0x011648b9 CMAC: Received RNG-REQ From 0004.bdcd.29ba

Page 32: CM.cmts Interaction

Timing Offset

» CMs range by transmitting at a known time in an initial ranging region
» The region is wide enough for the closest and farthest CMs to range
» CMTS measures the difference from the expected time
» CMTS sends the CM an offset to normalize the CM to zero distance from the CMTS

[Figure: during ranging, the closest CM (CM1, assigned time offset t1 from the CMTS) and the farthest CM (CM2, assigned time offset t2) both transmit within the ranging region; each offset moves the CM to zero distance from the CMTS]

Page 33: CM.cmts Interaction

Power Offset

[Figure: downstream and upstream signal levels along the plant (29-8, 20-4, 14-8, 11-8); levels are higher near the CMTS and lower at the far end due to attenuation]

Page 34: CM.cmts Interaction

IP Connectivity

» After the modem has successfully ranged it must register with the CMTS for network connectivity
» DHCP is used to provide the following:
  » IP address
  » Lease time
  » Gateway address
  » File server and file name
  » Time of day server and offset

Page 35: CM.cmts Interaction

IP Address Allocation with DHCP

Client-side view of the IP address allocation process:

» Initialization
» Selection
» Request
» Binding
» Rebinding
» Renewing

Page 36: CM.cmts Interaction

Sample Network Architecture

[Figure: a Regional WAN/MAN connects a Regional Headend (DHCP Server, LDAP Server, Web Cache, VOD/AOD Server, Video Server) and Local Headends (DHCP Server, LDAP Server, Web Cache) over OC-3/OC-12 POS; Distribution Hubs with Legacy CMTS and First-Generation DOCSIS CMTS serve the DOCSIS 1.0/1.1 HFC Networks; 10/100 Ethernet within the headend]

Page 37: CM.cmts Interaction

Sample Network Architectural Overview Detail

[Figure: DHCP on a network that is directly connected to the BSR64000. DHCP Server (Scopes, Policies/Options), ToD Server and TFTP Server (CM Cfg Files) sit on a Layer 2 network behind a switch; the BSR64000 connects it to the WAN and to Layer 3 networks (host functions only)]

Page 38: CM.cmts Interaction

Sample Network Architectural Overview Detail (cont.)

[Figure: DHCP on a network that is not directly connected to the BSR64000. DHCP Server (Scopes, Policies/Options), ToD Server and TFTP Server (CM Cfg Files) sit on a Layer 2 network behind a switch, reached across the WAN through Layer 3 networks (host functions only)]

Page 39: CM.cmts Interaction

Debugging DHCP

Debugging DHCP/TFTP-Related Behaviors, from the Privileged EXEC mode:

debug ip udp [dhcp]
  • Allows for watching source/destination of DHCP/UDP messages
    – Output to console triggered by receipt of a message on port 67 or 68 (DHCP)
no debug ip udp [dhcp]
  » Stops ip udp (dhcp) debug
undebug all
  » Stops all debug

MOT> en
MOT# debug ip udp dhcp
UDP DHCP Debugging is turned on

Page 40: CM.cmts Interaction

Initialization – Simple Network

» Initialization: DHCPDISCOVER message sent as broadcast
  » Contains MAC and hostname
» BSR64000 inserts the CMTS r/f interface IP address in the DHCP GIADDR field
» Reframed and sent unicast to the cable helper specified address

[Figure: (1) DHCPDISCOVER, broadcast MAC address, to 255.255.255.255 on BootP UDP port 67; (2) CMTS inserts its IP address in the GIADDR field and reframes the DHCPDISCOVER as unicast to the cable helper on BootP UDP port 67; DHCP Server (Scopes, Policies/Options) behind a switch]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(d)  1239    109    0.0.0.0     0030.ebff.f03

Page 41: CM.cmts Interaction

Configuring Cable Helper

Configure Helper Parameters: Cable Helper Address
  » Tells BSR64000 where to forward DHCP client messages
  » Best practice to use this on cable interfaces

From the Interface Configuration EXEC mode:

[no] cable helper-address <ip address> [cable modem | host]

MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# cable helper-address 192.168.100.100 cable modem
MOT(config-if)# cable helper-address 192.168.101.100 host

Page 42: CM.cmts Interaction

Configuring IP Helper

Configure Helper Parameters: IP Helper Address
  » Tells BSR64000 where to forward broadcasts received on the configured interface
  » Forwards: Trivial File Transfer Protocol (TFTP) (port 69), Domain Naming System (port 53), Time service (port 37), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
  » Best practice to use on all interfaces other than cable
    • Except to provide more (redundant) DHCP servers for CMTS interfaces
      – Should be used with the ip forward-protocol command to limit to DHCP only

From the Interface Configuration EXEC mode:

[no] ip helper-address <ip address>

MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# ip helper-address 192.168.100.100

Page 43: CM.cmts Interaction

IP Forward Protocol

From the Global Configuration EXEC mode:

[no] ip forward-protocol udp [<0-65535> | bootpc | bootps | domain | netbios-dgm | netbios-ns | tacacs | tftp | time]

  » Remove all protocols other than bootpc and bootps

MOT(config)# ip forward-protocol udp ?
  <0-65535>    Port number
  bootpc       Bootstrap Protocol (BOOTP) client (68)
  bootps       Bootstrap Protocol (BOOTP) server (67)
  domain       Domain Name Service (DNS, 53)
  netbios-dgm  NetBios datagram service (138)
  netbios-ns   NetBios name service (137)
  tacacs       TAC Access Control System (49)
  tftp         Trivial File Transfer Protocol (69)
  time         Time (37)
  <cr>
MOT(config)# no ip forward-protocol udp domain

Page 44: CM.cmts Interaction

Initialization – Complex Network

» If the DHCP server is not on a network directly connected to the BSR64000, ip dhcp relay information option should be set
» BSR64000 inserts the CMTS IP address in the DHCP GIADDR field
  » Sets DHCP option-82
» (3) Forwarded like any other unicast traffic on BootP UDP port 67; the GIADDR field is left untouched by all routers in the path

[Figure: (1) DHCPDISCOVER, broadcast MAC address, to 255.255.255.255 on BootP UDP port 67; (2) CMTS reframes the DHCPDISCOVER as unicast to the cable helper cable modem address on BootP UDP port 67; (3) forwarded across the WAN to the DHCP Server (Scopes, Policies/Options) behind a switch]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address  Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(d)  1239    109    0.0.0.0     0030.ebff.f03

Page 45: CM.cmts Interaction

DHCP Relay Agents

Relay Agents: routers between the CMTS and the DHCP server
  » By design, insert the receiving interface network in the GIADDR field

[no] ip dhcp relay information option
  » Tells relay agents not to alter the GIADDR inserted by the CMTS

MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# ip dhcp relay information option

Page 46: CM.cmts Interaction

Selection

» Selection: DHCPOFFER sent broadcast
  » Server MAC and IP
  » Client IP and subnet mask
  » Lease duration

[Figure: (1) DHCPOFFER with server MAC and IP address and a lease with IP address, subnet mask and duration, sent to GIADDR; (2) CMTS forwards the offer to the CM and creates an entry mapping SID to MAC to IP address in memory (DHCP snooping); DHCP Server (Scopes, Policies/Options) behind a switch]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address   Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(o)  1239    109    192.168.5.5  0030.ebff.f03

Page 47: CM.cmts Interaction

Request

» Request: DHCPREQUEST sent unicast to the server IP address
» Requests options
  » Configuration file, etc.

[Figure: (1) DHCPREQUEST to the server IP address with a request for options; DHCP Server (Scopes, Policies/Options) behind a switch]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address   Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(r)  1239    109    192.168.5.5  0030.ebff.f03

Page 48: CM.cmts Interaction

Requested Information

The following parameters will be requested by the Cable Modem (CM) from the DHCP server:

» IP address of the CM
» IP address of the TFTP Server (for the DOCSIS Configuration file)
» IP address of the DHCP Relay Agent (if the DHCP server resides on a different network than the CM)
» TFTP/DOCSIS Configuration file name
» Subnet Mask to be used by the CM
» Time offset of the CM from Universal Coordinated Time (UTC)
» Default IP Gateway
» Time of Day Server IP address
» SYSLOG Server IP address

Page 49: CM.cmts Interaction

Binding

» Binding: DHCPACK
  » DHCP lease information sent
  » Requested options sent

[Figure: (1) DHCPACK with lease information and the options requested; DHCP Server (Scopes, Policies/Options) behind a switch]

MOT# show cable modem
Interface  Upstream  Prim  Connect  Timing  Rec    Ip Address   Mac Address
IfIndex              Sid   State    Offset  Power
Cable 0/0  4         1     dhcp(a)  1239    109    192.168.5.5  0030.ebff.f03
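Added example, not part of the Motorola course material: a Python parser for the show cable modem listings shown on pages 5, 30 and 40-49. It maps each modem's Connect State to the stage of the Tuning/Ranging/Connection/Registration sequence described in this module and cross-checks the device's own totals, so a modem stuck before online stands out. The sample listing is constructed, and the state-to-stage wording is our assumption based on the states that appear in this module.

```python
import re
from collections import Counter

# Constructed sample (not device output from the slides): a "show cable modem"
# listing in the column layout the BSR64000 uses on pages 5, 30 and 40-49.
SAMPLE_OUTPUT = """\
MOT# sh cable modem
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 online(pk) 1239 109 10.200.220.2 0030.ebff.f03
Cable 0/0 4 2 online(pt) 1228 116 10.200.220.3 0050.f112.2563
Cable 0/0 4 3 dhcp(d) 1301 112 0.0.0.0 0030.ebff.1234
Cable 0/0 4 4 init(r1)1250 108 0.0.0.0 0030.ebff.abcd
Total cable modems reg: 2
Total cable modems other state: 2
"""

# Assumed mapping from the Connect State column to the stage of the
# Tuning -> Ranging -> Connection -> Configuration -> Registration sequence.
# The state names are the ones shown in this module; the stage wording is ours.
STAGE_BY_STATE = {
    "ranging":    "Ranging: initial RNG-REQ seen, admission not yet granted",
    "init(r1)":   "Ranging: temporary SID assigned, station maintenance in progress",
    "dhcp(d)":    "Connection: DHCPDISCOVER sent, waiting for DHCPOFFER",
    "dhcp(o)":    "Connection: DHCPOFFER received, DHCPREQUEST pending",
    "dhcp(r)":    "Connection: DHCPREQUEST sent, waiting for DHCPACK",
    "dhcp(a)":    "Connection: DHCPACK received, ToD/TFTP configuration next",
    "online(pk)": "Registration complete (online)",
    "online(pt)": "Registration complete (online)",
}

# One modem row. The state may run straight into the timing offset
# ("init(r1)1239", as printed on page 30), so no whitespace is required there.
ROW_RE = re.compile(
    r"^(?P<iface>Cable \d+/\d+)\s+(?P<upstream>\d+)\s+(?P<sid>\d+)\s+"
    r"(?P<state>[a-z]+(?:\([a-z0-9]+\))?)\s*(?P<offset>\d+)\s+(?P<power>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{1,4}\.[0-9a-f]{1,4}\.[0-9a-f]{1,4})$"
)
TOTAL_RE = re.compile(r"^Total cable modems (reg|other state):\s*(\d+)$")


def parse_show_cable_modem(text):
    """Return one dict per modem row; prompt, header, cm->mac and total lines are skipped."""
    modems = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("upstream", "sid", "offset", "power"):
                row[key] = int(row[key])
            modems.append(row)
    return modems


def parse_totals(text):
    """Return the device's own counters {'reg': n, 'other state': n} if printed."""
    totals = {}
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            totals[m.group(1)] = int(m.group(2))
    return totals


def is_online(modem):
    return modem["state"].startswith("online")


def describe_stage(modem):
    """Where in the CM/CMTS interaction this modem currently sits."""
    return STAGE_BY_STATE.get(modem["state"], "Unknown state: " + modem["state"])


def summarize(text):
    """Count modems per state, verify the device totals, and list the ones to troubleshoot."""
    modems = parse_show_cable_modem(text)
    totals = parse_totals(text)
    online = [m for m in modems if is_online(m)]
    stuck = [m for m in modems if not is_online(m)]
    # An online modem without an IP address would contradict the DHCP stages
    # above, so it is flagged separately.
    odd = [m for m in online if m["ip"] == "0.0.0.0"]
    return {
        "total": len(modems),
        "online": len(online),
        "by_state": dict(Counter(m["state"] for m in modems)),
        "totals_consistent": (totals.get("reg") == len(online)
                              and totals.get("other state") == len(stuck)),
        "stuck": [(m["mac"], m["sid"], describe_stage(m)) for m in stuck],
        "online_without_ip": [m["mac"] for m in odd],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```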

Page 50: CM.cmts Interaction

DHCP Summary

[Figure: message sequence between CM, CMTS and DHCP Server: Discover, Offer, Request, Response; the DHCP server supplies the IP Address, Gateway, TFTP Server, ToD Server and Config File Name]

Page 51: CM.cmts Interaction

Time-of-Day

» Internet Time Protocol (ITP), RFC 868
» UDP and TCP requests on port 37
» 32-bit value defining the number of seconds since 00:00 (midnight January 1, 1900 GMT)

[Figure: ToD-REQ from the CM through the CMTS over the LAN/WAN to the ToD Server; ToD-RSP returned along the same path]

Page 52: CM.cmts Interaction

Configuration

» After the modem has acquired an IP address, it must be given some basic configuration information
» The configuration file name and location are provided during the DHCP process
  » Server address is specified in the option 66 field of the DHCP response
  » Bootfile name is specified in the option 67 field

[Figure: TFTP-REQ from the CM through the CMTS over the LAN/WAN to the TFTP Server; TFTP-RSP and TFTP-ACK exchanged along the same path]

Page 53: CM.cmts Interaction

Cable Modem Configuration Files

The following settings MUST be included in the configuration file:

» Network Access Configuration Setting
» Class of Service Configuration Setting

The following settings are optional:

» Downstream Frequency
» Upstream Channel ID
» Vendor ID
» Baseline Privacy
» Software Upgrade filename
» SNMP Write-Access Control
» SNMP MIB Object
» Software Server IP Address
» CPE Ethernet MAC Address
» Maximum Number of CPEs (32 max)
» SNMP IP Address (if applicable)
» Telephone Settings (if applicable)
» Vendor-Specific Configuration (if applicable)

Page 54: CM.cmts Interaction

Protection From Theft of Service – Cable Modem Uncapping

» Necessary to keep hackers from obtaining the cable modem configuration file
» With this file, they could uncap their cable modems
  » Raise guaranteed bandwidth
» This is prevented by implementing Access Lists

Page 55: CM.cmts Interaction

What are Access Lists?

» Standard: checks the source address; generally permits or denies the entire protocol suite
» Extended: checks source and destination address; generally permits or denies specific protocols

[Figure: access list processes: an incoming packet on E3/0 and an outgoing packet on C4/0 are tested (Permit?) on the source; lists are applied inbound or outbound]

Page 56: CM.cmts Interaction

Access List Applications

» Permit or deny packets moving through the router
  » Through specific interfaces (transmission of packets on an interface)
» Permit or deny telnet access to or from the router
  » Without access lists, all packets could be transmitted onto all parts of your network
  » We can use access lists to block traffic from CPEs to the OSS network
  » Keep users away from the TFTP server (CM Cfg File)

Page 57: CM.cmts Interaction

Outbound Access Lists

[Figure: flowchart for outbound access lists. A packet arriving on the inbound interface is looked up in the routing table; with no routing table entry it is discarded (packet discard bucket). Otherwise the outbound interface is chosen; if that interface has no access list the packet is transmitted; if it has one, the access list statements are tested: permit transmits the packet on the outbound interface (E 4/0, E 5/0), deny discards the packet and notifies the sender. If no access list statement matches, the packet is discarded.]

Page 58: CM.cmts Interaction

Testing Packets with Standard Access Lists

[Figure: a standard access list (statements 1-99) tests only the source address in the IP header of the data packet (frame header, IP header, segment such as a TCP header) and returns deny or permit]

Page 59: CM.cmts Interaction

A List of Tests: Deny or Permit

[Figure: packets to the interface(s) in the access group are matched against the first test; on a match the action is deny (packet discard bucket) or permit (destination interface(s)); with no match the next test(s) are tried, then the last test; if no test matches, the implicit deny applies: deny all]

Page 60: CM.cmts Interaction

Standard IP Access List Configuration

» Create access-list
  – Global Configuration EXEC
  – Test criteria
  – Permit or deny

access-list <access-list number> [permit | deny] <source> <mask>

MOT (config)# access-list 1 deny 172.16.4.0 0.0.0.255
MOT (config)# access-list 1 permit any any

» Assign access-lists to interfaces
  – Interface EXEC

ip access-group <access-list number> [in | out]

MOT (config-if)# ip access-group 1 out

Standard Access Lists are numbered 1-99

Page 61: CM.cmts Interaction

Standard IP Access List Example

[Figure: ToD Server, TFTP Server (CM Cfg Files), DHCP Server (cm) with Scopes and Policies/Options, and DHCP Server (cpe) on the 172.16.3.1 255.255.255.0 segment behind a switch on E 4/0; router interfaces E 1/0 and E 2/0 addressed 172.16.4.1 255.255.255.0 with 201.55.4.1 255.255.255.0 secondary, and 172.16.4.2 255.255.255.0 with 201.55.4.2 255.255.255.0; WAN uplink]

MOT (config)# access-list 1 permit 172.16.4.0 0.0.0.255
MOT (config)# interface eth 4/0
MOT (config-if)# ip access-group 1 out

(Implicit deny any)

Page 62: CM.cmts Interaction

Standard vs. Extended Access Lists

» Standard
  » Filters based on source
  » Permits or denies the entire TCP/IP protocol suite
  » Valid range is 1 through 99
» Extended
  » Filters based on source and destination
  » Specifies a specific IP protocol and port number
  » Valid range is 100 through 199

Page 63: CM.cmts Interaction

Testing Packets with Extended Access Lists

[Figure: an extended access list (statements 1-99 or 100-199) tests the destination address, source address, protocol and port number taken from the IP header and the segment (for example, TCP header) of the data packet, and returns deny or permit]

Page 64: CM.cmts Interaction

Extended IP Access List Configuration

» Create access-list
  – Global Configuration EXEC
  – Test criteria
  – Permit or deny

access-list <access-list number> [permit | deny] protocol <source> <mask> <destination> <mask> <port>

MOT (config)# access-list 101 deny udp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69
MOT (config)# access-list 1 permit any any

» Assign access-lists to interfaces
  – Interface EXEC

ip access-group <access-list number> [in | out]

MOT (config-if)# ip access-group 101 out

Extended Access Lists are numbered 100-199

Page 65: CM.cmts Interaction

Extended IP Access List Example

[Figure: ToD Server, TFTP Server (CM Cfg Files) and DHCP Server (cm) with Scopes and Policies/Options on the 172.16.3.1 255.255.255.0 segment behind a switch on E 4/0; router interface E 2/0 addressed 172.16.4.1 255.255.255.0 with 201.55.4.1 255.255.255.0 secondary, and 172.16.4.2 255.255.255.0 with 201.55.4.2 255.255.255.0; WAN uplink]

MOT (config)# access-list 101 deny udp 201.55.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69
MOT (config)# access-list 101 permit any any
MOT (config)# interface eth 4/0
MOT (config-if)# ip access-group 1 out
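Added example, not part of the course material: a small Python evaluator for the standard and extended access lists configured on pages 60-65, implementing Cisco-style wildcard masks, first-match semantics and the implicit deny, and run over constructed packets leaving eth 4/0 toward the OSS segment. It generalizes the slide's single TFTP case to any protocol/port statement; the packet set is constructed and the 172.16.3.1 server address is taken from the figure.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" expressed as a network/wildcard pair


def wildcard_match(addr, network, wildcard):
    """Cisco-style wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_address(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl_line(line):
    """Parse one 'access-list N permit|deny ...' statement into an entry dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list statement: " + line)
    number, action = int(t[1]), t[2]
    entry = {"list": number, "action": action, "proto": "ip", "dst": ANY, "dport": None}
    if 1 <= number <= 99:                       # standard: source only
        entry["src"], _ = _take_address(t, 3)
    elif 100 <= number <= 199:                  # extended: proto, src, dst, [eq port]
        entry["proto"] = t[3]
        entry["src"], i = _take_address(t, 4)
        entry["dst"], i = _take_address(t, i)
        if i < len(t) and t[i] == "eq":
            entry["dport"] = int(t[i + 1])
    else:
        raise ValueError("access-list number out of range: %d" % number)
    return entry


def parse_acl(lines, number):
    """Entries of list `number` in the order entered (first match wins)."""
    return [e for e in (parse_acl_line(line) for line in lines) if e["list"] == number]


def matches(entry, pkt):
    return (entry["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *entry["src"])
            and wildcard_match(pkt["dst"], *entry["dst"])
            and (entry["dport"] is None or entry["dport"] == pkt.get("dport")))


def evaluate(entries, pkt):
    """The first matching statement decides; with no match the implicit deny applies."""
    for entry in entries:
        if matches(entry, pkt):
            return entry["action"]
    return "deny"


# The two lists from pages 61 and 65, as typed on the slides.
CONFIG = [
    "access-list 1 permit 172.16.4.0 0.0.0.255",
    "access-list 101 deny udp 201.55.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69",
    "access-list 101 permit ip any any",
]

# Constructed packets heading out of eth 4/0 toward the OSS segment 172.16.3.0/24:
# CPE traffic comes from the 201.55.4.0/24 secondary, CM traffic from 172.16.4.0/24.
PACKETS = {
    "cpe_tftp": {"src": "201.55.4.50", "dst": "172.16.3.1", "proto": "udp", "dport": 69},
    "cm_tftp":  {"src": "172.16.4.20", "dst": "172.16.3.1", "proto": "udp", "dport": 69},
    "cpe_dns":  {"src": "201.55.4.50", "dst": "172.16.3.1", "proto": "udp", "dport": 53},
    "cpe_icmp": {"src": "201.55.4.50", "dst": "172.16.3.1", "proto": "icmp"},
}


def decisions(list_number):
    """Outbound decision for every sample packet under the given list."""
    entries = parse_acl(CONFIG, list_number)
    return {name: evaluate(entries, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("standard list 1 outbound:  ", decisions(1))
    print("extended list 101 outbound:", decisions(101))
```

The standard list blocks every CPE packet by the implicit deny, while the extended list only blocks CPE access to the TFTP port and lets everything else through.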

Page 66: CM.cmts Interaction

Verifying Access Lists

Check which access lists are applied to an interface, ingoing and outgoing:

show ip interface <interface-type> <interface-identifier>

mot#show ip int e 4/0
ethernet 4/0 is up, line protocol is up
  Internet address is 192.168.120.1/24
  Broadcast address is 255.255.255.255
  MTU 1500 bytes
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 101
  Outgoing qos list is not set
  Policy routing is disabled
  Proxy ARP is disabled
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are always sent
  …

Page 67: CM.cmts Interaction

Examining Access Lists

From Privileged EXEC:

show ip access-list <access-list number>
show access-lists <access-list number>

mot#show access-lists
mot#show ip access-lists
Extended IP access list 101
    deny icmp host 192.168.120.2 host 200.20.20.1 echo
    permit ip any any
…

Page 68: CM.cmts Interaction

Examining Access Lists (cont.)

From Privileged EXEC:

show ip filters

mot#sh ip filters
AP = Access List Permit, AD = Access List Deny, II = Ip Ingress, TE = Ip Tunnel Egress, TL = Ip Tunnel Loopback, IR = ICMP Redirect, IU = ICMP Unreachable, TN = Ip Tunnel, PP = Policy Route Permit, PD = Policy Route Deny, QS = Qos, SM = Send To Srm
Dest Ip Address  Src Ip Address   Pro SP    DP    DS In If     Out If    FT QId
---------------  ---------------  --- ----- ----- -- --------- --------- -- ---
200.20.20.1      192.168.120.2    icm -     -     0  eth 4/0   -         SM -
any              any              ip  -     -     0  eth 4/0   -         AP -
any              any              ip  -     -     0  eth 4/0   -         AD -
…

Page 69: CM.cmts Interaction

Examining Access List Usage

From Privileged EXEC:

show ip traffic

mot# show ip traffic
…
IP statistics:
  Rcvd: 3611 total, 2634 local destination
        0 format errors, 0 checksum errors, 0 bad hop count
        0 unknown protocol, 0 not a gateway
        0 security failures, 0 bad options, 0 with options
  Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
        0 timestamp, 0 extended security, 0 record route
        0 streamID, 0 strict source route, 0 alert, 0 cipso
        0 policy-based routing forward, 0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
        0 fragmented, 0 couldn't fragment
  Bcast: 2 received, 0 sent
  Mcast: 2363 control pkt received, 1602 control pkt sent
        0 datat pkt received, 0 data pkt sent
  Sent: 3285 generated, 113 forwarded
  Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
        0 Mcast In Drop, 0 Mcast Out Drop
        0 no route, 0 unicast RPF, 0 forced drop
        5 acces-list inbound, 0 access-list outbound
        0 policy-based routing drop

Module 4, Page 70

Host Authorization Overview

Provides CPE IP address security by implementing an authorized ARP cache on a per CMTS basis

Binds CPEs to a particular cable modem MAC address and PSID and stores entries in the host authorization table on every CMTS

Host authorization table is populated by gleaning DHCP packet information or by operator configured entries via the CLI or SNMP

Implements similar functionality to the Cisco uBR’s “cable source-verify” feature

Module 4, Page 71

Host Authorization Key Features

Prevents IP address spoofing and ARP cache poisoning

Uses a CAM operation on the CMTS FPGA for fast performance in the upstream and downstream data paths

As of release 2.2.1, up to 252 IP addresses can be authorized to the same MAC address

The "cable host auth range" command allows up to 16 ranges of IP addresses to be excluded from host authorization; note that operator-configured entries always override entries in the range

Operator-configured CLI and SNMP entries are persistent across a system reload as of release 1.3.1

Module 4, Page 72

Host Authorization Forwarding Operation

A CAM search of the ARP caches is performed on the source IP address of every non-DHCP packet from a CPE

Based on the result of the search there are three possibilities:

» ARP entry is not found: the packet is dropped, a downstream ARP is sent for the source IP address, and a filter entry is placed in the ARP table to prevent ARP flooding

» ARP entry is found, but the PSID from the packet does not match the entry: drop the packet and send a downstream ARP request, but do not create a filter entry

» ARP entry is found and the source IP and PSID match: forward the packet

Module 4, Page 73

Host Authorization ARP Operation

All ARP packets from a CPE are verified against the host authorization table

The authorization process is as follows:

» If the source IP address is in an excluded range and it is not in the host authorization table, skip the authorization process and continue to process the ARP packet; as a result, CPEs in the excluded range will not have host authorization entries

» Verify the CPE ARP packet is coming from the correct cable modem using the source HW address and SID

» Verify the source IP and source HW addresses against the host authorization table

» If no entry exists in the host authorization table, perform DLQ (DHCP Lease Query)
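The forwarding-path rules on page 72 and the ARP-path rules above share one table, so both are modelled together here. This is an added example written for this module, not Motorola code: the table layout, the method names, the return strings and every address, MAC and SID are constructed assumptions; the 252-IP and 16-range limits and the "operator entries override the excluded range" rule are the figures the slides give.

```python
"""Model of the BSR host-authorization table and its two checks (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

MAX_IPS_PER_MAC = 252       # per the slides, as of release 2.2.1
MAX_EXCLUDED_RANGES = 16    # "cable host auth range" limit per the slides


@dataclass(frozen=True)
class HostAuthEntry:
    cpe_ip: str
    cpe_mac: str
    cm_mac: str       # cable modem the CPE is bound to
    sid: int          # that modem's primary SID (PSID)
    operator: bool    # True for CLI/SNMP entries, False for DHCP-gleaned ones


@dataclass
class HostAuthTable:
    entries: Dict[str, HostAuthEntry] = field(default_factory=dict)
    excluded: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    arp_filters: Set[str] = field(default_factory=set)   # ARP-flood suppression
    unauthorized: Set[str] = field(default_factory=set)  # CPEs with a DLQ pending

    def add_excluded_range(self, start: str, end: str) -> None:
        if len(self.excluded) >= MAX_EXCLUDED_RANGES:
            raise ValueError("at most 16 excluded ranges are allowed")
        self.excluded.append((IPv4Address(start), IPv4Address(end)))

    def is_excluded(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(lo <= addr <= hi for lo, hi in self.excluded)

    def learn(self, entry: HostAuthEntry) -> bool:
        """Store an entry; returns False if a DHCP-gleaned entry would overwrite
        an operator-configured one (operator entries always win)."""
        current = self.entries.get(entry.cpe_ip)
        if current is not None and current.operator and not entry.operator:
            return False
        others = sum(1 for e in self.entries.values()
                     if e.cpe_mac == entry.cpe_mac and e.cpe_ip != entry.cpe_ip)
        if others >= MAX_IPS_PER_MAC:
            raise ValueError("too many IP addresses bound to one CPE MAC")
        self.entries[entry.cpe_ip] = entry
        self.unauthorized.discard(entry.cpe_ip)
        return True

    def forward_decision(self, src_ip: str, sid: int) -> str:
        """Non-DHCP upstream packet: look the source IP up in the table."""
        entry = self.entries.get(src_ip)
        if entry is None:
            # Unknown source: drop, ARP downstream once, then filter repeats.
            if src_ip in self.arp_filters:
                return "drop"
            self.arp_filters.add(src_ip)
            return "drop+arp+filter"
        if entry.sid != sid:
            return "drop+arp"   # known IP, wrong modem: no filter entry is made
        return "forward"

    def arp_decision(self, src_ip: str, src_mac: str, cm_mac: str, sid: int) -> str:
        """ARP packet from a CPE: the authorization process from the slide."""
        if self.is_excluded(src_ip) and src_ip not in self.entries:
            return "process"    # excluded range with no entry: skip authorization
        entry = self.entries.get(src_ip)
        if entry is None:
            self.unauthorized.add(src_ip)
            return "dlq"        # ask the DHCP server who holds this lease
        if (entry.cm_mac, entry.sid) != (cm_mac, sid):
            return "drop"       # ARP did not arrive from the bound cable modem
        if entry.cpe_mac != src_mac:
            return "drop"       # IP/HW binding mismatch: a poisoning attempt
        return "process"
```

The two checks return different things on purpose: the forwarding path only ever drops or forwards (and decides whether to spend a downstream ARP), while the ARP path is where an unknown host turns into a pending lease query, which is why the unauthorized set is updated there and cleared when the answer is learned.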

Module 4, Page 74

DHCP Lease Query Overview

Allows the BSR to obtain DHCP lease information for CPEs directly from the DHCP server

Secure mechanism for getting CPE lease information when it is not in the host authorization table

Host authorization must be enabled for DLQ to work

Similar to host authorization, it is implemented on a per CMTS basis

Module 4, Page 75

DHCP Lease Query Features

Implements a new DHCP message type between the relay agent and the DHCP server

CMTS maintains a new “unauthorized” table that keeps track of pending queries

Resolved queries are inserted into the host authorization table

Module 4, Page 76

DHCP Lease Query Operation

When processing an ARP packet and a host auth entry does not exist:

» Send a DLQ packet to the server

» Add entry to unauthorized table

» Wait for response

» Receive DHCP active packet and add the CPE to the host auth table
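The exchange above, as an added example written for this module and not Motorola code: the CMTS (acting as relay agent) builds a DHCPLEASEQUERY for the CPE address it cannot find, and parses the server's answer into the facts a host-authorization entry needs. Message-type codes follow RFC 4388; the BSR's 2003 implementation predates that RFC, so the codes it actually used are an assumption. Carrying the cable modem MAC in the relay-agent Remote-ID sub-option, the helper names and all addresses below are constructed assumptions for the example.

```python
"""DHCP lease query: build the query, parse the reply (added example)."""
import struct
from typing import Dict, Optional

DHCPLEASEQUERY, DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN, DHCPLEASEACTIVE = 10, 11, 12, 13
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace(".", ""))


def _header(op: int, hlen: int, xid: int, ciaddr: str, giaddr: str, chaddr: bytes) -> bytes:
    return struct.pack(HEADER_FMT, op, 1, hlen, 0, xid, 0, 0,
                       _ip(ciaddr), b"\0" * 4, b"\0" * 4, _ip(giaddr),
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def build_leasequery(xid: int, cpe_ip: str, relay_ip: str) -> bytes:
    """Query by IP address: ciaddr carries the address to look up, giaddr the
    relay (CMTS) address the server must send the reply to."""
    options = (bytes([53, 1, DHCPLEASEQUERY])
               + bytes([55, 3, 51, 61, 82])   # ask for lease time, client-id, relay info
               + b"\xff")
    return _header(BOOTREQUEST, 0, xid, cpe_ip, relay_ip, b"") + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> Dict[int, bytes]:
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                         # 0 = pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def _remote_id(opt82: bytes) -> Optional[bytes]:
    """Return sub-option 2 (Remote-ID) of a relay-agent-information option."""
    i = 0
    while i + 1 < len(opt82):
        sub, length = opt82[i], opt82[i + 1]
        if sub == 2:
            return opt82[i + 2:i + 2 + length]
        i += 2 + length
    return None


def parse_leasequery_reply(packet: bytes, expected_xid: int) -> Optional[dict]:
    """Lease facts from a reply, or None when the reply does not belong to the
    outstanding query (wrong xid or not a BOOTREPLY), so stray packets are ignored."""
    fields = struct.unpack(HEADER_FMT, packet[:236])
    op, hlen, xid, ciaddr, chaddr = fields[0], fields[2], fields[4], fields[7], fields[11]
    if op != BOOTREPLY or xid != expected_xid:
        return None
    opts = parse_options(packet)
    mtype = opts.get(53, b"\0")[0]
    if mtype != DHCPLEASEACTIVE:
        return {"type": mtype}        # unassigned/unknown: nothing to authorize
    remote = _remote_id(opts.get(82, b""))
    return {
        "type": mtype,
        "cpe_ip": ".".join(str(b) for b in ciaddr),
        "cpe_mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
        "cm_mac": ":".join(f"{b:02x}" for b in remote) if remote else None,
    }


def build_sample_reply(xid: int, mtype: int, cpe_ip: str, cpe_mac: str,
                       relay_ip: str, cm_mac: str, lease: int) -> bytes:
    """Constructed server reply used to exercise the parser offline."""
    if mtype != DHCPLEASEACTIVE:
        options = bytes([53, 1, mtype]) + b"\xff"
        return _header(BOOTREPLY, 0, xid, "0.0.0.0", relay_ip, b"") + MAGIC_COOKIE + options
    remote = _mac(cm_mac)
    opt82 = bytes([2, len(remote)]) + remote
    options = (bytes([53, 1, mtype])
               + bytes([51, 4]) + struct.pack("!I", lease)
               + bytes([82, len(opt82)]) + opt82
               + b"\xff")
    return _header(BOOTREPLY, 6, xid, cpe_ip, relay_ip, _mac(cpe_mac)) + MAGIC_COOKIE + options
```

Only a DHCPLEASEACTIVE answer yields an entry; LEASEUNASSIGNED and LEASEUNKNOWN leave the CPE in the unauthorized table, and a reply whose transaction id does not match the pending query is discarded rather than used to populate the host authorization table.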

Module 4, Page 77

Useful CLI Commands

CMTS interface config mode:

host authorization on

dhcpleasequery authorization on

host authorization <cm mac> <cpe | cpr> <cpe mac> <cpe ip>

Global config mode:

cable host authorization range <start ip> <end ip>

Enable mode:

show host authorization [slot num | summary]

show host authorization <cpe> <static | leased>

show host unauthorized cpe

show cable modem <mac> <cpe | host>

show cable host <mac | ip>

Module 4, Page 78

Registration

[Figure: process stages Tuning, Ranging, Connection, Configuration, Registration, Maintenance; this slide covers Registration]

The modem only comes online after it has registered with the CMTS

Reports that all configuration parameters were received and applied

Module 4, Page 79

Registration (cont.)

CM generates a Registration Request (REG-REQ)

Includes configuration parameters received from the TFTP configuration file:

» Downstream frequency, Upstream channel ID

» Network access configuration settings

» Class of Service

» Modem Capabilities

[Figure: the Cable Modem sends REG-REQ across the HFC to the CMTS]

Module 4, Page 80

Registration (cont.)

[Figure: contents of the configuration file the CM carries in REG-REQ: the things the CMTS needs to know about (filters, for example), the CM MIC and the CMTS MIC]

[Figure: process stages Tuning, Ranging, Connection, Configuration, Registration, Maintenance; this slide covers Registration]

Module 4, Page 81

Registration (cont.)

CMTS checks the CM's MAC address and authentication signature

Assigns a permanent SID

Provides bandwidth for the CM's requested Class of Service

Modifies the forwarding table to allow full user data if the modem requested Network Access

Sends REG-RSP to CM

» CM can pass unencrypted data

[Figure: the CMTS sends REG-RSP across the HFC to the Cable Modem]

Module 4, Page 82

Cable Bundling

Network Cable Subnet Bundling

Pooling of Network Resources

Binding of CMTS Modules

» Sharing of IP address

• Saving of costly IP addresses

Increases Manageability

» Saves from having to individually configure CMTS Modules

Forwarding Table grows exponentially

» Need to

• Increase ARP age out timer

• Refrain from clearing ARP-Cache

Module 4, Page 83

Cable Bundling Concept

Master/slave relationship

Referenced by Master CMTS-id

Configurable from local Cable Interface

[Figure: one Master CMTS with several Slave CMTS modules in the bundle]

Module 4, Page 84

Configuring Cable Bundling

Slave CMTS:

cable bundle <bundle-id>

Master CMTS:

cable bundle <bundle-id> [master]

MOT> en

MOT# config

MOT(config)# int cable 3/0

MOT(config-if)# ip address 192.168.69.1 255.255.255.0

MOT(config-if)# cable bundle 100 master

MOT> en

MOT# config

MOT(config)# int cable 11/0

MOT(config-if)# cable bundle 100

Module 4, Page 85

Virtual Cable Bundling

Configured the same way as physical cable bundling

Cable bundle master is set to a Loopback Interface

» Will never go down as long as the chassis is up and running

MOT> en

MOT# config

MOT(config)# int loopback 1

MOT(config-if)# ip address 192.168.69.1 255.255.255.0

MOT(config-if)# cable bundle 100 master

Module 4, Page 86

Checking Cable Bundling

Check running-configuration (Master)

MOT# sh run
interface cable 3/0
 ip address 172.16.110.1 255.255.255.0
 ip address 10.10.39.1 255.255.255.0 secondary
 ip helper-address 10.20.40.12
 no shutdown
 cable bundle 100 master
 no cable downstream 0 shutdown
 cable upstream 0 map-interval 2000
 cable upstream 0 physical-delay 600
 no cable upstream 0 shutdown
 no cable upstream 1 shutdown
 no cable upstream 2 shutdown
 no cable upstream 3 shutdown
 ip dhcp relay information option
…

Module 4, Page 87

Checking Cable Bundling (cont.)

Check running-configuration (Slave)

MOT# sh run
interface cable 12/0
 no shutdown
 cable bundle 100
 no cable downstream 0 shutdown
 no cable upstream 0 shutdown
 no cable upstream 1 shutdown
 cable upstream 2 shutdown
 cable upstream 3 shutdown
 ip dhcp relay information option
…

Module 4, Page 88

Checking Cable Bundling (cont.)

Check ARP Table

show arp

Check Forwarding Tables

» All

show ip forwarding

» For a specific bundle

show cable bundle <bundle-id> forwarding-table

Module 4, Page 89

Baseline Privacy Interface (BPI)

Optionally follows modem registration

Provides user data privacy by encrypting traffic flows, upstream and downstream

Provides cable operators basic protection from theft of service

Mechanisms for:

» authentication: CM to CMTS and CMTS to CM

» key distribution: traffic keys and lifetimes

» data encryption applied to SIDs

56-bit DES Encryption

Module 4, Page 90

Baseline Privacy Plus (BPI+) Interface

Provides stronger crypto mechanisms

Support of future upgrade of crypto capabilities

Strong authentication

Dynamic security associations

Module 4, Page 91

BPI/BPI+ Service Goals

Encrypt the data/voice between the CMTS and the MTA/CM. Goals are:

» Privacy

• From CM/MTA to CMTS only

» Protection from Theft of Service

[Figure: CM and MTA on the HFC, the CMTS, and the ER behind it; BPI/BPI+ covers the HFC segment between the CM/MTA and the CMTS]

Module 4, Page 92

BPI Security Association

If the CM is configured for Baseline Privacy in the modem TFTP configuration file:

CM sends Authorization Request

» Public key, MAC address, and SIDs

CMTS responds with an Authorization Response

» Authorization Key (encrypted KEK)

» Key Sequence number and Lifetimes

» List of SIDs

• For each requested Class of Service

[Figure: after REG-REQ, the Cable Modem sends Auth-REQ across the HFC to the CMTS, which returns Auth-RSP]

Module 4, Page 93

BPI Security Association (cont.)

CM sends a Key Request for each SID

CMTS responds with a DES-encrypted TEK for each SID

CM can now pass encrypted data

[Figure: after REG-RSP, the Cable Modem sends KEY-REQ across the HFC to the CMTS, which returns the TEK]

Module 4, Page 94

BPI/BPI+ Divergence

DOCSIS 1.0 (BPI) does not have a secure mechanism to authenticate the CM

DOCSIS 1.1 (BPI+) adds strong authentication of the CM through the use of X.509 digital certificates

Additional service goal of preventing large-scale theft of service

Each CM is issued a unique digital certificate that is verified through the DOCSIS root certificate authority

Module 4, Page 95

DOCSIS Trust Hierarchy

Digital Certificates are only useful if trustworthy

Assigning of digital certificates must be a secure process

Module 4, Page 96

BPI+ Security Association

If the CM is configured for Baseline Privacy in the modem TFTP configuration file:

CM sends Authorization Request

» CM-ID, CM-Certificate, Security-Capability, Primary SAID

CMTS responds with an Authorization Response

» Auth-key, Key-Lifetime, Key-Sequence-Number, one or more SA-Descriptors

[Figure: after REG-REQ, the Cable Modem sends Auth-REQ across the HFC to the CMTS, which returns Auth-RSP]

Module 4, Page 97

BPI+ Security Association (cont.)

CM sends a Key Request for each SID

CMTS responds with a DES-encrypted TEK for each SID

CM can now pass encrypted data

[Figure: after REG-RSP, the Cable Modem sends KEY-REQ across the HFC to the CMTS, which returns the TEK]

Module 4, Page 98

Dynamic Security Associations

Useful for encrypting traffic flows that are dynamic or temporal

» Multicast Traffic

SA-MAP mechanism allows the CM to learn of encrypted traffic flows and their security association

Currently applied to the multicast downstream flow

Interoperates with the DOCSIS 1.1 IGMP management mechanism, which triggers the establishment of dynamic SAs

Module 4, Page 99

IGMP/SA-MAP Example

[Figure: message sequence between CPE, CM and CMTS, in order]

» CPE sends IGMP MR (Join) to the CM; the CM forwards the IGMP MR (Join) to the CMTS

» CM: Set Multicast MAC Filter

» CM sends SA-MAP Request to the CMTS; CMTS: Determine SAID; CMTS returns SA-MAP Reply

» CM: Start TEK FSM; Key Req/Reply between CM and CMTS

» CMTS: Encrypt Multicast; Encrypted Multicast Data to the CM; CM: Decrypt Multicast; Multicast Data to the CPE

Module 4, Page 100

Periodic Maintenance

[Figure: process stages Tuning, Ranging, Connection, Configuration, Registration, Maintenance; this slide covers Maintenance]

Periodic ranging

Periodic loop delay, power, equalization

At least every 30 seconds

[Figure: the Cable Modem sends RNG-REQ across the HFC to the CMTS, which returns RNG-RSP]

Module 4, Page 101

Resetting Cable Modems

Resetting cable modems from the Privileged EXEC mode

clear cable modem [<mac> | <i.p. address> reset] [all reset]

MOT> en

MOT# sh cable modem
cm->mac: 0030.ebff.033
Interface  Upstream  Prim  Connect     Timing  Rec    Ip Address     Mac Address
           IfIndex   Sid   State       Offset  Power
Cable 0/0  4         1     online(pk)  1239    109    10.200.220.2   0030.ebff.f03
Total cable modems reg: 2
Total cable modems other state: 0
MOT#

MOT# clear cable modem 0030.ebff.f03 reset

MOT#