cm.cmts interaction
TRANSCRIPT
MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. © Motorola, Inc. 2003.
Revision 2.0 – Last Update October 2003
CM/CMTS Interaction
Module 4
Module 4, Page 2
Introduction In the last module, we looked at the CMTS configurations necessary to provide data services. We will now look at cable modem/CMTS interactions. Specifically, we will examine the ranging and registration process.
Importance We need to baseline expected performance before we can isolate issues (the first step in troubleshooting) on the CMTS.
Lesson Overview We will look at a sample configuration, ranging and registration.
Introduction
Module 4, Page 3
Objectives: Upon successful completion of this module, you will be able to perform the following tasks:
» Describe the DOCSIS-specified ranging and registration process
» List the necessary OSS services required
» Successfully range and register a cable modem on the BSR64000
» Use the CLI tools to isolate break-points
» Troubleshoot registration problems
Objectives
Module 4, Page 4
The CM/CMTS interaction runs through these steps, in order:
» Scan for a downstream channel and sync with the CMTS (tuning)
» Obtain the transmit parameters from the UCD message
» Perform ranging
» Establish IP connectivity (DHCP)
» Establish time of day
» Transfer operational parameters (TFTP configuration file)
» Perform registration
Tuning
Ranging
Connection
Configuration
Registration
Maintenance
CMTS/CM Interaction
Module 4, Page 5
Show cable modem command. From the Privileged EXEC mode:
show cable modem [<mac> | <ip address> hosts]
• Can also specify detail | offline | registered | unregistered | summary as arguments
MOT> en
MOT# sh cable modem
cm->mac: 0030.ebff.033
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 online(pk) 1239 109 10.200.220.2 0030.ebff.f03
cm->mac: 0050.f112.2563
Cable 0/0 4 2 online(pt) 1228 116 10.200.220.3 0050.f112.2563
Total cable modems reg: 2
Total cable modems other state: 0
Viewing Ranging and Registration
Module 4, Page 6
CM Listens for CMTS downstream transmission
CM searches for a downstream data channel
Synchronize with QAM
Synchronize with FEC and MPEG
Cable Modem Tuning
Module 4, Page 7
Sample Downstream Tuning (figure): the CM steps through the STD/IRC channel plan (channels 6-134) and the HRC channel plan (channels 6-134), dwelling roughly 1 sec on an analog channel and 2 sec on a digital TV channel, until it finds the DOCSIS channel.
MOT# show cable modem
Total cable modems reg: 0
Total cable modems other state: 0
Module 4, Page 8
Monitor for SYNC Messages
The SYNC message is periodically transmitted by the CMTS. It contains a time stamp that exactly identifies when the CMTS transmitted the SYNC. The CM uses it to synchronize its time-based reference clock so that its transmissions on the upstream fall into the correct mini-slots.
Module 4, Page 9
Obtain Upstream Parameters
Monitor for the UCD message, periodically transmitted by the CMTS. UCDs define the characteristics of the upstream channel:
» mini-slot size
» upstream channel ID
» downstream channel ID
» burst descriptor
Module 4, Page 10
Upstream Channel Descriptors
One UCD per upstream channel. Each describes the general upstream channel characteristics:
» Center frequency
» Channel width
» Mini-slot size
» Upstream channel ID
» Downstream channel ID
» Burst descriptor, which describes each burst type:
  – Initial maintenance
  – Request
  – Request/data
  – Periodic (station) maintenance
  – Short data
  – Long data
Burst descriptors are defined at the CMTS in the form of Modulation Profiles.
Module 4, Page 11
Modulation Profiles
Viewing Modulation Profiles. From the Privileged EXEC mode:
show cable modulation-profile [<1-16>]
MOT> en
MOT# sh cable modulation-profile 1
Profile 1
Interval  FEC err  FEC code  Burst  Guard  Mod    Scrambler  Scrambler  Diff    Preamble  Last
usage     correct  word len  len    time   type   mode       seed       encode  length    codeword
request   0        16        2      8      qpsk   scrambl    0x152      no-dif  64        fixed
initial   5        34        0      48     qpsk   scrambl    0x152      no-dif  128       fixed
station   5        34        0      48     qpsk   scrambl    0x152      no-dif  128       fixed
short     5        78        8      8      16qam  scrambl    0x152      no-dif  144       short
long      10       235       0      8      16qam  scrambl    0x152      no-dif  160       short
Module 4, Page 12
Downstream Transmission Format (figure)
MPEG packet format: a 4-byte MPEG header, then (when a MAC frame begins in this packet) a 1-byte pointer_field, then 183-184 bytes of DOCSIS payload.
MPEG framing for a large DOCSIS MAC frame: the first packet carries the MPEG header, a pointer_field and up to 183 bytes of DOCSIS MAC Frame #1; the next packet carries the MPEG header and 184 bytes of continuation of Frame #1; the packet in which the frame ends carries the MPEG header, a pointer_field, the tail of Frame #1 (n bytes), 0 or more stuff_bytes, and the start of Frame #2 (m bytes). The pointer_field is 0-1 byte per packet, so the DOCSIS payload is 183-184 bytes.
MPEG Framing for Large DOCSIS MAC Frame
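The framing above, as an added example that is not part of the original training material and not Motorola code: a Python model of both sides, the CMTS packing MAC frames into 188-byte transport packets on the DOCSIS PID with a pointer_field wherever a frame begins, and the CM aligning on the pointer_field and then delimiting frames by their LEN field while discarding stuff bytes. The MAC frames it builds carry a zero HCS (an assumption of the example, not a valid checksum) and the function names are this example's own.

```python
"""Downstream MPEG-2 framing of DOCSIS MAC frames, both directions.
Added example, not Motorola/BSR64000 code.  Assumptions are marked in comments."""

TS_SYNC = 0x47          # MPEG-2 transport packet sync byte
TS_PACKET_LEN = 188
TS_PAYLOAD_LEN = 184    # 188 minus the 4-byte header
DOCSIS_PID = 0x1FFE     # PID reserved for DOCSIS MAC traffic
STUFF_BYTE = 0xFF       # DOCSIS stuff byte between MAC frames


def docsis_frame_len(hdr):
    """Whole-frame length from the generic MAC header FC, MAC_PARM, LEN(2).
    LEN counts the EHDR plus everything after the HCS, so the frame is LEN + 6
    bytes (FC + MAC_PARM + LEN + 2-byte HCS)."""
    return 6 + int.from_bytes(hdr[2:4], "big")


def mac_frame(payload, fc=0x00):
    """Minimal packet-PDU MAC frame with no EHDR (FC=0x00).  The HCS is left as two
    zero bytes: an assumption of this example, not a valid checksum."""
    return bytes([fc, 0x00]) + len(payload).to_bytes(2, "big") + b"\x00\x00" + payload


def ts_header(pusi, cc):
    # sync | TEI=0,PUSI,priority=0,PID[12:8] | PID[7:0] | scrambling=00,AFC=01,CC
    return bytes([TS_SYNC, (0x40 if pusi else 0) | (DOCSIS_PID >> 8),
                  DOCSIS_PID & 0xFF, 0x10 | (cc & 0x0F)])


def frames_to_ts(frames):
    """CMTS side: pack MAC frames into 188-byte packets.  A packet in which a frame
    starts carries payload_unit_start_indicator=1 and a pointer_field giving the
    offset of that first start; other packets carry 184 bytes of continuation."""
    stream = b"".join(frames)
    starts, off = set(), 0
    for f in frames:
        starts.add(off)
        off += len(f)
    packets, pos, cc = [], 0, 0
    while pos < len(stream):
        first = next((s for s in range(pos, min(pos + TS_PAYLOAD_LEN, len(stream)))
                      if s in starts), None)
        if first is None:                       # continuation only
            pusi, payload = False, stream[pos:pos + TS_PAYLOAD_LEN]
            pos += TS_PAYLOAD_LEN
        elif first - pos <= 182:                # a frame starts within the 183 data bytes
            pusi, payload = True, bytes([first - pos]) + stream[pos:pos + 183]
            pos += 183
        else:                                   # frame would start in the very last byte:
            pusi, payload = False, stream[pos:pos + 183] + bytes([STUFF_BYTE])
            pos += 183                          # push it to the next packet with a stuff byte
        payload = payload.ljust(TS_PAYLOAD_LEN, bytes([STUFF_BYTE]))
        packets.append(ts_header(pusi, cc) + payload)
        cc = (cc + 1) & 0x0F
    return packets


def ts_to_frames(packets):
    """CM side: filter on the DOCSIS PID, use pointer_field to acquire frame
    alignment, then delimit frames by their LEN field, discarding stuff bytes."""
    frames, buf, synced = [], bytearray(), False
    for pkt in packets:
        if len(pkt) != TS_PACKET_LEN or pkt[0] != TS_SYNC:
            raise ValueError("not an MPEG-2 transport packet")
        if (((pkt[1] & 0x1F) << 8) | pkt[2]) != DOCSIS_PID:
            continue                            # video or other services share the QAM
        pusi, data = bool(pkt[1] & 0x40), pkt[4:]
        if pusi:
            pointer, data = data[0], data[1:]
            if not synced:                      # first usable packet: skip the tail of
                data, synced = data[pointer:], True   # a frame whose start we missed
        elif not synced:
            continue                            # no frame boundary known yet
        buf += data
        while buf:
            if buf[0] == STUFF_BYTE:            # stuffing between frames
                del buf[0]
                continue
            if len(buf) < 4:
                break
            n = docsis_frame_len(buf)
            if len(buf) < n:
                break                           # frame continues in the next packet
            frames.append(bytes(buf[:n]))
            del buf[:n]
    return frames
```

Dropping the first packet of a stream shows why the pointer_field matters: a receiver joining mid-stream uses it to skip the tail of a frame it never saw the start of, instead of mis-parsing that tail as a MAC header and taking a bogus LEN from it.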
Module 4, Page 13
DOCSIS MAC
Minislot = a power-of-two number of ticks (2^M) of the 6.25 µs timebase, up to 128 ticks = 800 µs. At 4 ticks/minislot (25 µs) there are 64 symbols per minislot in a 3.2 MHz channel (2.56 Msym/s):
» 32 bytes/minislot in 16QAM (4 bits/symbol)
» 16 bytes/minislot in QPSK (2 bits/symbol)
A MAP must:
» be bounded by a limit of 240 information elements (each IE = 4 bytes)
» not describe more than 4096 minislots into the future (25.6 ms for 1-tick minislots, 51.2 ms for 2-tick, ... 3.276 s for 128-tick)
» grant not more than 255 minislots per CM per MAP
Concatenation of multiple upstream packets is allowed for higher bandwidth efficiency.
Service Flow ID (SFID) and Service ID (SID): identification and class-of-service management, support for data flows, mapping to CMTS-NSI QoS.
Module 4, Page 14
MAPs
Upstream time is allocated to modems in the MAP message.
» A MAP is variable length, typically covering 5-15 ms
» The CMTS sends separate MAP messages for each upstream channel; the set of all MAPs for a channel covers all minislots
» For each bandwidth grant the MAP contains: SID, burst type, grant length
» The MAP carries the upstream channel ID and the UCD configuration change count, which allows dynamic UCD changes
Module 4, Page 15
MAPs (cont.)
Received from the CMTS on the downstream channel. The MAP MAC message describes the permitted use of the upstream channel.
Figure: consecutive MAPs for an upstream channel, each laid out as request/contention slots, reserved slots and maintenance slots; a second upstream channel has its own MAP sequence.
Module 4, Page 16
Upstream and Downstream TDM
Allocation MAPs are periodically broadcast on a downstream channel:
» Contention Slots (CSs) for CMs sending requests; CSs are subject to competition/contention
» Data Slots (DSs) for data frames of individual CMs; DSs are dedicated to individual CMs
» ACK and maintenance messages
Upstream channels are divided into a stream of mini-slots.
Figure: the downstream (D/S) carries SYNC, UCD and MAP messages interleaved with data; each upstream (U/S) channel's minislots are laid out per the MAP as request/contention slots, reserved slots (Pr.1 to Pr.4 for individual modems) and maintenance slots; a second upstream channel has its own sequence.
Module 4, Page 17
Upstream Burst Transmission (figure)
A burst occupies an integer number of minislots between the minislot boundary of the previous burst and the minislot boundary of the next burst. PMD overhead wraps the DOCSIS payload: preamble (0-1024 bits, 0-128 bytes), ramp-up, the payload, FEC parity (18-255 bytes), zero-fill if necessary, ramp-down and the guard band.
The DOCSIS payload is a MAC frame of variable packet length: MAC header (6 bytes + EHDR) followed by the Data PDU.
MAC header: FC (1 byte), MAC_PARM (1 byte), Length (2 bytes), Extended MAC Header EHDR (0-240 bytes), Header Check Sequence HCS (2 bytes).
Data PDU (18-1518 bytes): Destination (6 bytes), Source (6 bytes), Length (2 bytes), User Data (0-1500 bytes), CRC (4 bytes).
Module 4, Page 18
Upstream MAC Operation
Each CM scans the MAP for available slots and sends a request in a contention slot, in contention mode:
» The contention resolution algorithm is similar to Ethernet: a binary exponential backoff mechanism
It then sends data frames in its dedicated DS.
Piggybacking:
» A request carried in the extended header of the next outgoing data frame
» Bypasses the request contention process
Scheduling of requests at the CMTS is vendor-specific.
Figure: CSs and DSs laid out as Interval 1 ... Interval n, a Null IE, and ACK 1 ... ACK n (ACKs and pending).
Module 4, Page 19
Delivery of an Upstream Frame
A CM sends a request in a contention slot of the 1st MAP (assuming no contention). If the data grant appears in the 2nd MAP, the CM sends the data frame in the granted DSs of the 2nd MAP.
Figure: timeline against the common timing reference (t1 ... t11). The CMTS sends Map 1 and Map 2; the CM sends its request in Map 1's request/contention slots and its data frame in Map 2's reserved slots; each MAP also carries initial maintenance slots. The time from request to data delivery is the upstream frame delay.
Module 4, Page 20
Issues in Upstream Scheduling
MAP frequency/depth:
» Faster: less frame delay, lower efficiency
» Slower: longer frame delay, more efficient
Slot ratio, CSs to DSs in a MAP (only one request outstanding per Service ID):
» More CSs: less contention, potential waste of bandwidth
» Fewer CSs: longer request access delay, waste of DSs
» Ideal case: the number of CSs serves the number of requests; estimate the number of requests during a MAP interval
Mini-slot placement.
Figure: a MAP's minislots arranged as request/contention slots, reserved slots and maintenance slots.
Module 4, Page 21
Map Frequency
MAP frequency affects the mean scheduling delay D and the channel utilization.
Upstream frame delay = contention delay + scheduling delay
» Contention delay: request contention and backoff
» Scheduling delay: scheduling of requests at the CMTS
Module 4, Page 22
Scheduling Delay and Utilization Approximation Example
The CMTS immediately schedules a MAP after receiving a request. D is the delay, C is the sum of all system constants, L is the frame size and Bup is the upstream channel bandwidth. Assuming that all frames have the same size:

  $D = C + \frac{L}{B_{up}}$

  $U = \frac{L / B_{up}}{D} = \frac{1}{1 + \frac{C \cdot B_{up}}{L}}$

With L = 300, C = 0.3 ms and Bup = 2.5 Mbps:

  $U = \frac{1}{1 + \frac{0.3\,\mathrm{ms} \cdot 2.5\,\mathrm{Mbps}}{300}} = \frac{1}{1 + 2.5} \approx 0.285$

With the maximum MTU, L = 1500, C = 0.3 ms and Bup = 2.5 Mbps:

  $U = \frac{1}{1 + \frac{0.3\,\mathrm{ms} \cdot 2.5\,\mathrm{Mbps}}{1500}} = \frac{1}{1 + 0.5} \approx 0.667$

The slide labels L in bytes, but its results (0.285 and 0.667) only come out if L is taken as 300 and 1500 bits; with L = 2400 and 12000 bits the same formula gives U ≈ 0.76 and U ≈ 0.94. Either way the point stands: the fixed per-request cost C is amortized better by larger frames, which is why concatenation and piggybacking raise efficiency.
Module 4, Page 23
Downstream Signal Profile
The Upstream Bandwidth Allocation Map (MAP) includes an Initial Maintenance interval (broadcast interval) with the start and end of the connection opportunity.
Module 4, Page 24
Ranging
Ranging adjusts for the CM's location in the cable plant: power level, timing offset and frequency offset.
The CM uses the Ranging Request (RNG-REQ) message, initially assuming a SID of 0.
Module 4, Page 25
Range Request Format
Module 4, Page 26
Range Response Format
Module 4, Page 27
Auto Adjustments
The CMTS receives the initial Ranging Request from the CM and responds with a unicast Ranging Response (RNG-RSP), which:
» Assigns a temporary SID and allocates bandwidth to this SID
» Adjusts power level, timing offset and frequency
» Sets the downstream and upstream channels
The CMTS then begins Admission Control.
Module 4, Page 28
Admission Control
The CMTS allocates a temporary SID, adds the CM to its forwarding tables and sends a MAP with a Station Maintenance opportunity for that SID.
The CM ranges again with the new settings (RNG-REQ); the CMTS sends RNG-RSP, which indicates success or failure of admission.
Module 4, Page 29
Collisions
Initial ranging is a shared opportunity, so collisions are possible. A binary exponential backoff algorithm is used when CMs collide:
» The CMTS gives them a backoff start and end window to wait before they try again, specified in the MAPs for their upstream channels
» This ensures that CMs that collide during initial ranging are randomized enough in their wait times before they retry initial ranging, so there is less of a chance of them colliding again
Module 4, Page 30
MOT# show cable modem
Total cable modems reg: 0
Total cable modems other state: 0
(the same output repeats while the CM is still tuning; no entry exists until the first RNG-REQ is received)
MOT# show cable modem
cm->mac: 0030.ebff.033
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 ranging 1239 109 0.0.0.0 0030.ebff.f03
Total cable modems reg: 0
Total cable modems other state: 1
MOT# show cable modem
cm->mac: 0030.ebff.033
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 init(r1) 1239 109 0.0.0.0 0030.ebff.f03
Total cable modems reg: 0
Total cable modems other state: 1
Tuning & Initial Ranging Summary
Figure: message sequence UCD, SYNC and MAP from the CMTS, then Rng-Req from the CM and Rng-Rsp from the CMTS.
Module 4, Page 31
Using Debugging for Troubleshooting Ranging
From the Privileged EXEC mode:
debug cable x/y <options including range and register>
» Asynchronously indicates receipt of RNG-REQ and REG-REQ, and sending of RNG-RSP and REG-RSP
no debug cable x/y <options including range and register>
» Stops ranging/registration debug
MOT> en
MOT# debug cable 3/0 range
Cable range debugging is turned on for slot 3
[01/07-07:46:43- 03:CMTSMAC]-D-0x011648b9 CMAC: Received RNG-REQ From 0004.bdcd.29ba
…
Module 4, Page 32
Timing Offset
CMs range by transmitting at a known time in an initial ranging region. The region is wide enough for the closest and the farthest CM to range. The CMTS measures the difference from the expected arrival time and sends the CM an offset that normalizes the CM to zero distance from the CMTS.
Figure: during ranging, CM1 is assigned time offset t1 and CM2 time offset t2 from the CMTS; the ranging region spans from the closest CM to the farthest CM, and each offset moves that CM to zero distance from the CMTS.
Module 4, Page 33
Power Offset
Figure: upstream transmit levels must be higher and downstream levels are lower, due to attenuation along the plant; the slide shows level pairs 29-8, 20-4, 14-8 and 11-8 at successive points.
Module 4, Page 34
IP Connectivity
After the modem has successfully ranged, it must register with the CMTS for network connectivity. First it establishes IP connectivity. DHCP is used to provide the following:
» IP address
» Lease time
» Gateway address
» File server and file name
» Time of day server and offset
Module 4, Page 35
IP Address Allocation with DHCP
Client-side view of the IP address allocation process: Initialization, Selection, Request, Binding, then Rebinding and Renewing over the life of the lease.
Module 4, Page 36
Sample Network Architecture (figure)
A regional WAN/MAN connects the regional headend (DHCP server, LDAP server, web cache, VOD/AOD server and video server) over OC-3/OC-12 POS to local headends, each with its own DHCP server, LDAP server and web cache. Distribution hubs hang off the local headends over 10/100 Ethernet and front the DOCSIS 1.0/1.1 HFC networks. Legend: legacy CMTS and first-generation DOCSIS CMTS.
Module 4, Page 37
Sample Network Architectural Overview Detail (figure)
DHCP on a network that is directly connected to the BSR64000: the DHCP server (WAN scopes, policies/options), the ToD server and the TFTP server (CM configuration files) sit on a layer 2 network behind a switch on the same layer 3 network as the BSR64000's interface; the cable side is a separate layer 3 network carrying host functions only, with further layer 3 networks beyond.
Module 4, Page 38
Sample Network Architectural Overview Detail (cont.) (figure)
DHCP on a network that is not directly connected to the BSR64000: the DHCP server (scopes, policies/options), the ToD server and the TFTP server (CM configuration files) sit on a layer 2 network behind a switch on a layer 3 network reached across the WAN; the BSR64000's cable-side layer 3 network (host functions only) is separated from the servers by intervening routers.
Module 4, Page 39
Debugging DHCP
Debugging DHCP/TFTP-related behaviors. From the Privileged EXEC mode:
debug ip udp [dhcp]
• Allows watching the source/destination of DHCP/UDP messages
– Output to the console is triggered by receipt of a message on port 67 or 68 (DHCP)
no debug ip udp [dhcp]
» Stops ip udp (dhcp) debug
undebug all
» Stops all debug
MOT> en
MOT# debug ip udp dhcp
UDP DHCP Debugging is turned on
…
Module 4, Page 40
Initialization – Simple Network
Figure: DHCP server (scopes, policies/options) behind a switch, directly connected to the BSR64000.
Initialization: the DHCPDISCOVER message is sent as a broadcast and contains the CM MAC and hostname. The BSR64000 inserts its CMTS RF interface IP address in the DHCP GIADDR field and reframes the message as a unicast to the configured cable helper address.
(1) DHCPDISCOVER: broadcast MAC address, to 255.255.255.255, BootP UDP port 67
(2) The CMTS inserts its IP address in the GIADDR field and reframes the DHCPDISCOVER as unicast to the cable helper, BootP UDP port 67
MOT# show cable modem
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 dhcp(d) 1239 109 0.0.0.0 0030.ebff.f03
…
Module 4, Page 41
Configuring Cable Helper
Configure helper parameters, cable helper address:
» Tells the BSR64000 where to forward DHCP client messages
» Best practice is to use this on cable interfaces
From the Interface Configuration mode:
[no] cable helper-address <ip address> [cable modem | host]
MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# cable helper-address 192.168.100.100 cable modem
MOT(config-if)# cable helper-address 192.168.101.100 host
Module 4, Page 42
Configuring IP Helper
Configure helper parameters, IP helper address:
» Tells the BSR64000 where to forward broadcasts received on the configured interface
» Forwards: Trivial File Transfer Protocol (TFTP, port 69), Domain Name System (port 53), Time service (port 37), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), Bootstrap Protocol (BOOTP) client and server datagrams (ports 67 and 68)
» Best practice is to use it on all interfaces other than cable, except to provide more (redundant) DHCP servers for CMTS interfaces
– Should be used with the ip forward-protocol command to limit forwarding to DHCP only; every other forwarded port is an extra path from the cable side into the OSS network
From the Interface Configuration mode:
[no] ip helper-address <ip address>
MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# ip helper-address 192.168.100.100
Module 4, Page 43
IP Forward Protocol
From the Global Configuration mode:
[no] ip forward-protocol udp [<0-65535> | bootpc | bootps | domain | netbios-dgm | netbios-ns | tacacs | tftp | time]
» Remove all protocols other than bootpc and bootps
MOT(config)# ip forward-protocol udp ?
<0-65535> Port number
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
domain Domain Name Service (DNS, 53)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
tacacs TAC Access Control System (49)
tftp Trivial File Transfer Protocol (69)
time Time (37)
<cr>
MOT(config)# no ip forward-protocol udp domain
Module 4, Page 44
Initialization – Complex Network
Figure: DHCP server (scopes, policies/options) behind a switch, reached across the WAN from the BSR64000.
(1) DHCPDISCOVER: broadcast MAC address, to 255.255.255.255, BootP UDP port 67
(2) The CMTS reframes the DHCPDISCOVER as unicast to the cable helper (cable modem), BootP UDP port 67
MOT# show cable modem
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 dhcp(d) 1239 109 0.0.0.0 0030.ebff.f03
…
If the DHCP server is not on a network directly connected to the BSR64000, ip dhcp relay information option should be set. The BSR64000 inserts its CMTS IP address in the DHCP GIADDR field and sets DHCP option 82.
(3) Forwarded like any other unicast traffic on BootP UDP port 67; the GIADDR field is left untouched by all routers in the path
Module 4, Page 45
DHCP Relay Agents
Relay agents are the routers between the CMTS and the DHCP server.
» By design, a relay inserts its receiving interface address in the GIADDR field when GIADDR is still zero
[no] ip dhcp relay information option
» Tells relay agents not to alter the GIADDR inserted by the CMTS
MOT> en
MOT# config
MOT(config)# int cable 5/0
MOT(config-if)# ip dhcp relay information option
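The relay behaviour of the last three slides, as an added example that is not part of the original training material and not Motorola/BSR64000 code: a Python model of a CM's DHCPDISCOVER passing through the CMTS (which fills GIADDR and adds option 82 with the CM's SID and MAC) and then through a core router (which increments hops but leaves GIADDR and option 82 alone), ending with what the DHCP server sees. The message layout follows RFC 2131 and the relay-agent option RFC 3046; the addresses, the SID, the CM MAC and the function names are this example's own.

```python
"""DHCP relay handling between a CM and a DHCP server that is not on the CMTS's own
network.  Added example, not Motorola/BSR64000 code: it models the GIADDR and
option 82 behaviour described on the slides using the RFC 2131 message layout and
the RFC 3046 relay-agent option.  Addresses, SID and CM MAC are constructed."""
import ipaddress
import struct

BOOTREQUEST = 1
MAGIC = b"\x63\x82\x53\x63"       # DHCP magic cookie after the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
DHCPDISCOVER = 1
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
ZERO4 = b"\0" * 4


def build_discover(cm_mac, xid=0x1234):
    """DHCPDISCOVER as the CM broadcasts it: op=BOOTREQUEST, htype=1 (Ethernet),
    hlen=6, hops=0, broadcast flag set, giaddr=0, chaddr=CM MAC."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      ZERO4, ZERO4, ZERO4, ZERO4,
                      cm_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def giaddr(pkt):
    return str(ipaddress.IPv4Address(bytes(pkt[24:28])))


def parse_options(pkt):
    """Options after the magic cookie (option overloading not handled).
    Returns ({code: value}, offset of the END option)."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    i, opts = 240, {}
    while pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = bytes(pkt[i + 2:i + 2 + ln])
        i += 2 + ln
    return opts, i


def relay(pkt, iface_ip, cm_sid=None, insert_option_82=False):
    """One relay hop.  hops is incremented by every relay; GIADDR is filled only if
    it is still zero, so the CMTS (first relay) wins and routers nearer the server
    leave it alone.  Option 82 is added only by the relay that set GIADDR: a relay
    that sees a non-zero GIADDR must not add it (RFC 3046 sec. 2.1)."""
    p = bytearray(pkt)
    if p[3] >= 16:
        raise ValueError("hops exceeded, discard")
    p[3] += 1
    if giaddr(p) == "0.0.0.0":
        p[24:28] = ipaddress.IPv4Address(iface_ip).packed
        if insert_option_82:
            remote_id = bytes(p[28:34])                   # CM MAC from chaddr
            circuit_id = struct.pack("!H", cm_sid)        # the CM's primary SID
            sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
                   + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
            _, end = parse_options(p)
            p[end:end] = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return bytes(p)


def server_view(pkt):
    """What the DHCP server sees: GIADDR selects the scope and is where the reply is
    unicast; option 82 identifies the modem the request came through."""
    opts, _ = parse_options(pkt)
    view = {"giaddr": giaddr(pkt), "hops": pkt[3], "msg_type": opts[OPT_MSG_TYPE][0]}
    sub, i = opts.get(OPT_RELAY_AGENT, b""), 0
    while i < len(sub):
        code, ln = sub[i], sub[i + 1]
        val = sub[i + 2:i + 2 + ln]
        if code == SUBOPT_CIRCUIT_ID:
            view["circuit_id"] = struct.unpack("!H", val)[0]
        elif code == SUBOPT_REMOTE_ID:
            view["remote_id"] = val
        i += 2 + ln
    return view
```

The server answers to GIADDR, so if a router in the path overwrote it the OFFER would go to that router's scope and interface instead of back to the CMTS, which is the failure the ip dhcp relay information option setting guards against. Option 82 is also what lets the server tie a CPE lease to the modem it came through, which host authorization and DHCP lease query rely on later in this module.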
Module 4, Page 46
Selection
Selection: the DHCPOFFER is sent to the GIADDR (the CMTS) and relayed to the CM. It carries the server MAC and IP, the client IP and subnet mask, and the lease duration.
Figure: DHCP server (scopes, policies/options) behind a switch.
(1) DHCPOFFER: server MAC and IP address; lease with IP address, subnet mask and duration; sent to GIADDR
MOT# show cable modem
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 dhcp(o) 1239 109 192.168.5.5 0030.ebff.f03
…
(2) The CMTS forwards the offer to the CM and creates an entry in memory mapping SID to MAC to IP address (DHCP snooping)
Module 4, Page 47
Request
Request: the DHCPREQUEST is sent unicast to the server IP address and requests options (configuration file, etc.).
Figure: DHCP server (scopes, policies/options) behind a switch.
(1) DHCPREQUEST: to the server IP address, with the request for options
MOT# show cable modem
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 dhcp(r) 1239 109 192.168.5.5 0030.ebff.f03
…
Module 4, Page 48
Requested Information
The following parameters are requested by the Cable Modem (CM) from the DHCP server:
» IP address of the CM
» IP address of the TFTP server (for the DOCSIS configuration file)
» IP address of the DHCP relay agent (if the DHCP server resides on a different network than the CM)
» TFTP/DOCSIS configuration file name
» Subnet mask to be used by the CM
» Time offset of the CM from Universal Coordinated Time (UTC)
» Default IP gateway
» Time of Day server IP address
» SYSLOG server IP address
Module 4, Page 49
Binding
Binding: the DHCPACK carries the DHCP lease information and the requested options.
Figure: DHCP server (scopes, policies/options) behind a switch.
(1) DHCPACK: lease information and the options requested
MOT# show cable modem
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 dhcp(a) 1239 109 192.168.5.5 0030.ebff.f03
…
Module 4, Page 50
DHCP Summary
Figure: the CM, the CMTS and the DHCP server exchange Discover, Offer, Request and Acknowledge; the result gives the CM its IP address, gateway, TFTP server, ToD server and configuration file name.
Module 4, Page 51
Time-of-Day
Time Protocol, RFC 868 (the slide calls it the Internet Time Protocol, ITP). UDP and TCP requests on port 37 return a 32-bit value defining the number of seconds since 00:00 (midnight) January 1, 1900 GMT.
Figure: ToD-REQ from the CM through the CMTS across the LAN/WAN to the ToD server, and ToD-RSP back.
Module 4, Page 52
Configuration
After the modem has acquired an IP address, it must be given some basic configuration information. The configuration file name and location are provided during the DHCP process: the server address is specified in the option 66 field of the DHCP response and the bootfile name in the option 67 field (a DOCSIS CM also reads the siaddr and file header fields, which carry the same information).
Figure: TFTP-REQ from the CM through the CMTS across the LAN/WAN to the TFTP server, with TFTP-RSP and TFTP-ACK exchanges back.
Module 4, Page 53
Cable Modem Configuration Files
The following settings MUST be included in the configuration file:
» Network Access Configuration Setting
» Class of Service Configuration Setting
The following settings are optional:
» Downstream Frequency
» Upstream Channel ID
» Vendor ID
» Baseline Privacy
» Software Upgrade filename
» SNMP Write-Access Control
» SNMP MIB Object
» Software Server IP Address
» CPE Ethernet MAC Address
» Maximum Number of CPEs (32 max)
» SNMP IP Address (if applicable)
» Telephone Settings (if applicable)
» Vendor-Specific Configuration (if applicable)
Module 4, Page 54
Protection From Theft of Service – Cable Modem Uncapping
It is necessary to keep hackers from obtaining the cable modem configuration file. With this file, they could uncap their cable modems:
» Raise the guaranteed bandwidth by editing the Class of Service settings and serving the altered file to their own modem
This is prevented by implementing access lists that keep CPE traffic away from the TFTP server.
Module 4, Page 55
What are Access Lists?
Standard: checks the source address; generally permits or denies an entire protocol suite.
Extended: checks the source and destination address; generally permits or denies specific protocols.
Figure: an incoming packet on E3/0 and an outgoing packet on C4/0 are each tested (permit?) by the access list processes, inbound or outbound, based on source.
Module 4, Page 56
Access List Applications
Permit or deny packets moving through the router:
» Through specific interfaces (transmission of packets on an interface)
Permit or deny telnet access to or from the router.
» Without access lists, all packets could be transmitted onto all parts of your network
» We can use access lists to block traffic from CPEs to the OSS network
» Keep users away from the TFTP server (CM configuration files)
Module 4, Page 57
Outbound Access Lists (figure)
A packet arriving on the inbound interface is looked up in the routing table; if there is no routing table entry it is discarded (packet discard bucket) and the sender is notified. Otherwise the outbound interface is chosen (E 4/0 or E 5/0); if that interface has an outbound access list, the packet is tested against the access list statements: a permit sends the packet, a deny discards it.
• If no access list statement matches, then discard the packet
• Notify sender
Module 4, Page 58
Testing Packets with Standard Access Lists (figure)
Only the source address in the IP header of the data packet is tested (the frame header and the segment, for example the TCP header, are not examined), using access list statements 1-99, to reach deny or permit.
Module 4, Page 59
A List of Tests: Deny or Permit (figure)
Packets to the interface(s) in the access group are compared with the first test; on a match the packet is either denied (packet discard bucket) or permitted (sent to the destination interface). If it does not match, the next test(s) are tried in order down to the last test. If no test matches, the implicit deny applies: deny all.
Module 4, Page 60
Standard IP Access List Configuration
Create the access list (Global Configuration mode), with the test criteria and permit or deny:
access-list <access-list number> [permit | deny] <source> <wildcard mask>
MOT (config)# access-list 1 deny 172.16.4.0 0.0.0.255
MOT (config)# access-list 1 permit any
…
(A standard list takes a source only; "permit any any" is extended-list syntax.)
Assign access lists to interfaces (Interface Configuration mode):
ip access-group <access-list number> [in | out]
MOT (config-if)# ip access-group 1 out
…
Standard access lists are numbered 1-99.
Module 4, Page 61
Standard IP Access List Example
Figure: the BSR64000's cable interface has 172.16.4.1 255.255.255.0 (CM scope) and 201.55.4.1 255.255.255.0 secondary (CPE scope); a sample CM is 172.16.4.2 255.255.255.0 with a CPE at 201.55.4.2 255.255.255.0. E 4/0 leads to the server segment 172.16.3.1 255.255.255.0 with the ToD server, the TFTP server (CM configuration files), the DHCP server (cm) with its scopes and policies/options, and the DHCP server (cpe); E 1/0 and E 2/0 lead toward the WAN.
MOT (config)# access-list 1 permit 172.16.4.0 0.0.0.255
MOT (config)# interface eth 4/0
MOT (config-if)# ip access-group 1 out
(Implicit deny any: only the cable modem subnet 172.16.4.0/24 can reach the servers behind E 4/0; CPE addresses in 201.55.4.0/24 are dropped.)
Module 4, Page 62
Standard vs. Extended Access Lists
Standard: filters based on source; permits or denies the entire TCP/IP protocol suite; valid range is 1 through 99.
Extended: filters based on source and destination; specifies a specific IP protocol and port number; valid range is 100 through 199.
Module 4, Page 63
Testing Packets with Extended Access Lists (figure)
The source address, destination address and protocol from the IP header, and the port number from the segment (for example the TCP header), are tested using access list statements 1-99 or 100-199 to reach deny or permit.
Module 4, Page 64
Extended IP Access List Configuration
Create the access list (Global Configuration mode), with the test criteria and permit or deny:
access-list <access-list number> [permit | deny] <protocol> <source> <wildcard mask> <destination> <wildcard mask> [eq <port>]
MOT (config)# access-list 101 deny udp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69
MOT (config)# access-list 101 permit ip any any
…
Assign access lists to interfaces (Interface Configuration mode):
ip access-group <access-list number> [in | out]
MOT (config-if)# ip access-group 101 out
…
Extended access lists are numbered 100-199.
Module 4, Page 65
Extended IP Access List Example
Figure: the same topology as the standard example (cable interface 172.16.4.1 255.255.255.0 and 201.55.4.1 255.255.255.0 secondary; sample CM 172.16.4.2 and CPE 201.55.4.2; server segment 172.16.3.1 255.255.255.0 behind E 4/0 with the ToD server, the TFTP server (CM configuration files) and the DHCP servers with their scopes and policies/options; E 2/0 toward the WAN).
MOT (config)# access-list 101 deny udp 201.55.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69
MOT (config)# access-list 101 permit ip any any
MOT (config)# interface eth 4/0
MOT (config-if)# ip access-group 101 out
(CPE addresses can still reach the server segment for DHCP and ToD, but not TFTP port 69, so they cannot fetch the CM configuration files.)
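The two examples above, standard list 1 and extended list 101, worked through in an added example that is not part of the original training material and not BSR64000 code: a Python model of first-match evaluation with wildcard masks and the implicit deny, run over constructed packets from the CM and the CPE of the figures. It parses the CLI lines as shown on the slides; the packet set and the function names are this example's own.

```python
"""First-match evaluation of the numbered access lists from the slides, with
wildcard masks and the implicit deny.  Added example, not BSR64000 code: it models
the semantics of the CLI lines shown (standard 1-99, extended 100-199); the sample
packets and addresses are constructed."""
import ipaddress


def _take_spec(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' (1 bits are ignored)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl_line(line):
    """access-list N permit|deny <source> [wildcard]              (standard)
       access-list N permit|deny PROTO <src> <dst> [eq PORT]      (extended)"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    num, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= num <= 99:
        src, _ = _take_spec(rest)
        return num, (action, "ip", src, "any", None)
    if 100 <= num <= 199:
        proto, rest = rest[0], rest[1:]
        src, rest = _take_spec(rest)
        dst, rest = _take_spec(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        return num, (action, proto, src, dst, port)
    raise ValueError("unsupported list number")


def build_acls(lines):
    acls = {}
    for line in lines:
        num, entry = parse_acl_line(line)
        acls.setdefault(num, []).append(entry)
    return acls


def _match(addr, spec):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)            # bits set in the wildcard are don't-care


def evaluate(acl, pkt):
    """The first matching entry decides; no match means the implicit deny.
    pkt: dict with src, dst, proto and (for tcp/udp) dport."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_match(pkt["src"], src) and _match(pkt["dst"], dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"


# The lists from the slides, applied outbound on eth 4/0 toward the server segment.
ACLS = build_acls([
    "access-list 1 permit 172.16.4.0 0.0.0.255",
    "access-list 101 deny udp 201.55.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 69",
    "access-list 101 permit ip any any",
])

# Constructed traffic: the CM and the CPE behind it talking to the 172.16.3.0/24 servers.
PACKETS = {
    "cm_tftp":  {"src": "172.16.4.2", "dst": "172.16.3.1", "proto": "udp", "dport": 69},
    "cpe_tftp": {"src": "201.55.4.2", "dst": "172.16.3.1", "proto": "udp", "dport": 69},
    "cpe_tod":  {"src": "201.55.4.2", "dst": "172.16.3.1", "proto": "udp", "dport": 37},
    "cpe_dhcp": {"src": "201.55.4.2", "dst": "172.16.3.1", "proto": "udp", "dport": 67},
}


def decisions(list_number):
    """Verdict for every sample packet under one list."""
    return {name: evaluate(ACLS[list_number], pkt) for name, pkt in PACKETS.items()}
```

The two lists protect the TFTP server differently: list 1 admits only the CM subnet to the whole server segment, so a CPE loses ToD and DHCP reachability too, while list 101 blocks only UDP/69 from the CPE range and leaves the rest alone. Which one is right depends on whether CPEs are meant to reach anything on that segment at all.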
Module 4, Page 66
Verifying Access Lists
Check which access lists are applied to an interface, inbound and outbound:
show ip interface <interface-type> <interface-identifier>
mot# show ip int e 4/0
ethernet 4/0 is up, line protocol is up
  Internet address is 192.168.120.1/24
  Broadcast address is 255.255.255.255
  MTU 1500 bytes
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 101
  Outgoing qos list is not set
  Policy routing is disabled
  Proxy ARP is disabled
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are always sent
  …
Module 4, Page 67
Examining Access Lists
From Privileged EXEC:
show ip access-list <access-list number>
show access-lists <access-list number>
mot# show access-lists
mot# show ip access-lists
Extended IP access list 101
  deny icmp host 192.168.120.2 host 200.20.20.1 echo
  permit ip any any
  …
Module 4, Page 68
Examining Access Lists (cont.)
From Privileged EXEC:
show ip filters
mot# sh ip filters
AP = Access List Permit, AD = Access List Deny, II = Ip Ingress, TE = Ip Tunnel Egress, TL = Ip Tunnel Loopback, IR = ICMP Redirect, IU = ICMP Unreachable, TN = Ip Tunnel, PP = Policy Route Permit, PD = Policy Route Deny, QS = Qos, SM = Send To Srm
Dest Ip Address Src Ip Address Pro SP DP DS In If Out If FT QId
--------------- --------------- --- ----- ----- -- --------- --------- -- ---
200.20.20.1 192.168.120.2 icm - - 0 eth 4/0 - - SM -
any any ip - - 0 eth 4/0 - - AP -
any any ip - - 0 eth 4/0 - - AD -
…
Module 4, Page 69
Examining Access List Usage
From Privileged EXEC:
show ip traffic
mot# show ip traffic
…
IP statistics:
  Rcvd: 3611 total, 2634 local destination
        0 format errors, 0 checksum errors, 0 bad hop count
        0 unknown protocol, 0 not a gateway
        0 security failures, 0 bad options, 0 with options
  Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
        0 timestamp, 0 extended security, 0 record route
        0 streamID, 0 strict source route, 0 alert, 0 cipso
        0 policy-based routing forward, 0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
        0 fragmented, 0 couldn't fragment
  Bcast: 2 received, 0 sent
  Mcast: 2363 control pkt received, 1602 control pkt sent
        0 data pkt received, 0 data pkt sent
  Sent: 3285 generated, 113 forwarded
  Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
        0 Mcast In Drop, 0 Mcast Out Drop
        0 no route, 0 unicast RPF, 0 forced drop
        5 access-list inbound, 0 access-list outbound
        0 policy-based routing drop
…
The access-list inbound/outbound drop counters are the quickest check that a list is actually matching traffic.
Module 4, Page 70
Host Authorization Overview
Provides CPE IP address security by implementing an authorized ARP cache on a per CMTS basis
Binds CPEs to a particular cable modem MAC address and PSID and stores entries in the host authorization table on every CMTS
Host authorization table is populated by gleaning DHCP packet information or by operator configured entries via the CLI or SNMP
Implements similar functionality to the Cisco uBR’s “cable source-verify” feature
Module 4, Page 71
Host Authorization Key Features
» Prevents IP address spoofing and ARP cache poisoning
» Uses a CAM operation on the CMTS FPGA for fast performance in the upstream and downstream data paths
» As of release 2.2.1, up to 252 IP addresses can be authorized to the same MAC address
» The "cable host auth range" command allows up to 16 ranges of IP addresses to be excluded from host authorization; note that operator-configured entries always override entries in the range
» Operator-configured CLI and SNMP entries are persistent across a system reload as of release 1.3.1
Module 4, Page 72
Host Authorization Forwarding Operation
A CAM search of the ARP caches is performed on the source IP address of every non-DHCP packet from a CPE. Based on the result of the search there are three possibilities:
» ARP entry is not found: the packet is dropped, a downstream ARP is sent for the source IP address, and a filter entry is placed in the ARP table to prevent ARP flooding
» ARP entry is found, but the PSID from the packet does not match the entry: drop the packet and send a downstream ARP request, but do not create a filter entry
» ARP entry is found and the source IP and PSID match: forward the packet
Module 4, Page 73
Host Authorization ARP Operation
All ARP packets from a CPE are verified against the host authorization table. The authorization process is as follows:
» If the source IP address is in an excluded range and it is not in the host authorization table, skip the authorization process and continue to process the ARP packet; as a result, CPEs in the excluded range will not have host authorization entries
» Verify the CPE ARP packet is coming from the correct cable modem, using the source HW address and SID
» Verify the source IP and source HW addresses against the host authorization table
» If no entry exists in the host authorization table, perform DLQ
Module 4, Page 74
DHCP Lease Query Overview
» Allows the BSR to obtain DHCP lease information for CPEs directly from the DHCP server
» A secure mechanism for getting CPE lease information when it is not in the host authorization table
» Host authorization must be enabled for DLQ to work
» Like host authorization, it is implemented on a per-CMTS basis
Module 4, Page 75
DHCP Lease Query Features
Implements a new DHCP message type between the relay agent and the DHCP server
CMTS maintains a new “unauthorized” table that keeps track of pending queries
Resolved queries are inserted into the host authorization table
Module 4, Page 76
DHCP Lease Query Operation
When processing an ARP packet and a host authorization entry does not exist:
» Send a DLQ packet to the server
» Add an entry to the unauthorized table
» Wait for the response
» Receive the DHCP active packet and add the CPE to the host authorization table
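The forwarding, ARP and lease-query steps of the last slides, as an added example that is not part of the original training material and not BSR64000 firmware: a Python model of the per-CMTS host authorization table, the three forwarding outcomes for a non-DHCP packet, the ARP check against the bound modem, the excluded ranges, the operator-entry override, and the unauthorized table that holds pending lease queries. The class, the method names, the return values and the sample modems, MACs and addresses are this example's own; it also checks that the modem the DHCP server reports for a lease actually owns the SID the ARP arrived on, which is how a lease query refuses a CPE spoofing from behind the wrong modem.

```python
"""Host authorization and DHCP lease query as a per-CMTS table that binds a CPE IP
address to the cable modem (MAC and primary SID) it was learned behind.  Added
example, not BSR64000 firmware; names, sample modems and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Binding:
    cm_mac: str
    psid: int
    cpe_mac: str
    source: str                     # "dhcp" (gleaned), "operator" (CLI/SNMP) or "dlq"


@dataclass
class HostAuth:
    cm_sids: dict = field(default_factory=dict)     # registered CM MAC -> primary SID
    table: dict = field(default_factory=dict)       # CPE IP -> Binding
    excluded: list = field(default_factory=list)    # (first, last) as ints, max 16 ranges
    pending: dict = field(default_factory=dict)     # "unauthorized" table: CPE IP -> SID
    arp_filter: set = field(default_factory=set)    # IPs already ARPed for (anti-flood)

    def exclude_range(self, first, last):
        if len(self.excluded) >= 16:
            raise ValueError("at most 16 excluded ranges")
        self.excluded.append((int(ipaddress.IPv4Address(first)),
                              int(ipaddress.IPv4Address(last))))

    def _excluded(self, ip):
        n = int(ipaddress.IPv4Address(ip))
        return ip not in self.table and any(a <= n <= b for a, b in self.excluded)

    def learn(self, cpe_ip, cm_mac, psid, cpe_mac, source="dhcp"):
        """Add or replace a binding.  Operator entries always override and are never
        replaced by gleaned or DLQ entries."""
        cur = self.table.get(cpe_ip)
        if cur is not None and cur.source == "operator" and source != "operator":
            return False
        self.table[cpe_ip] = Binding(cm_mac, psid, cpe_mac, source)
        self.pending.pop(cpe_ip, None)
        self.arp_filter.discard(cpe_ip)
        return True

    def upstream_ip(self, src_ip, psid):
        """Non-DHCP IP packet from a CPE, keyed by source IP and the SID it arrived
        on.  Returns (action, reason) for the three outcomes on the slide."""
        if self._excluded(src_ip):
            return "forward", "excluded range"
        b = self.table.get(src_ip)
        if b is None:
            if src_ip in self.arp_filter:
                return "drop", "no entry, filtered"
            self.arp_filter.add(src_ip)          # one downstream ARP, then no more
            return "drop", "no entry, ARP sent downstream, filter installed"
        if b.psid != psid:
            return "drop", "SID mismatch, ARP sent downstream, no filter"
        return "forward", "IP and SID match"

    def upstream_arp(self, sender_ip, sender_mac, psid):
        """ARP from a CPE: verify the bound modem and MAC, else start a lease query."""
        if self._excluded(sender_ip):
            return "process", "excluded range"
        b = self.table.get(sender_ip)
        if b is None:
            self.pending[sender_ip] = psid       # DHCPLEASEQUERY goes to the server
            return "query", "no entry, DLQ sent, added to unauthorized table"
        if b.psid != psid or b.cpe_mac.lower() != sender_mac.lower():
            return "drop", "bound to another modem or MAC"
        return "process", "verified"

    def dlq_active(self, cpe_ip, lease_cm_mac, cpe_mac):
        """DHCPLEASEACTIVE answer: the server says which modem the lease was issued
        through.  Promote to the table only if that modem owns the SID the ARP used."""
        psid = self.pending.pop(cpe_ip, None)
        if psid is None or self.cm_sids.get(lease_cm_mac) != psid:
            return False
        return self.learn(cpe_ip, lease_cm_mac, psid, cpe_mac, source="dlq")
```

The asymmetry between the first two drop cases is deliberate and worth keeping in any re-implementation: an unknown source installs a filter so a spoofer cycling through addresses cannot make the CMTS flood ARPs downstream, while a known address seen on the wrong SID does not, because the legitimate host may simply have moved to another modem and must be re-learned.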
Module 4, Page 77
Useful CLI Commands
CMTS interface config mode:
host authorization on
dhcpleasequery authorization on
host authorization <cm mac> <cpe | cpr> <cpe mac> <cpe ip>
Global config mode:
cable host authorization range <start ip> <end ip>
Enable mode:
show host authorization [slot num | summary]
show host authorization <cpe> <static | leased>
show host unauthorized cpe
show cable modem <mac> <cpe | host>
show cable host <mac | ip>
Module 4, Page 78
Registration
(Figure: CM initialization stages: Tuning, Ranging, Connection, Configuration, Registration, Maintenance)
The modem only comes online after it has registered with the CMTS
Reports that all configuration parameters were received and applied
Module 4, Page 79
Registration (cont.)
CM generates a Registration Request (REG-REQ)
Includes configuration parameters received from the TFTP configuration file:
» Downstream frequency, Upstream channel ID
» Network access configuration settings
» Class of Service
» Modem Capabilities
(Figure: the Cable Modem sends REG-REQ to the CMTS across the HFC network)
Module 4, Page 80
Registration (cont.)
(Figure: registration request contents: the things the CMTS needs to know about, e.g. filters, plus the CM MIC and the CMTS MIC)
(Figure: CM initialization stages: Tuning, Ranging, Connection, Configuration, Registration, Maintenance)
Module 4, Page 81
Registration (cont.)
CMTS:
Checks the CM's MAC address and authentication signature
Assigns a permanent SID
Provides bandwidth for the CM's requested Class of Service
Modifies the forwarding table to allow full user data if the modem requested Network Access
Sends REG-RSP to the CM
» CM can pass unencrypted data
(Figure: the CMTS sends REG-RSP to the Cable Modem across the HFC network)
Module 4, Page 82
Cable Bundling
Network Cable Subnet Bundling
Pooling of Network Resources
Binding of CMTS Modules
» Sharing of I.P. address
• Saving of costly I.P. addresses
Increases Manageability
» Saves from having to individually configure CMTS Modules
Forwarding Table grows exponentially
» Need to
• Increase ARP age out timer
• Refrain from clearing ARP-Cache
Module 4, Page 83
Cable Bundling Concept
Master/slave Relationship
Referenced by Master CMTS-id
Configurable from local Cable Interface
(Figure: one Master CMTS bound to two Slave CMTSs)
Module 4, Page 84
Configuring Cable Bundling
Slave CMTS: cable bundle <bundle-id>
Master CMTS: cable bundle <bundle-id> [master]
MOT> en
MOT# config
MOT(config)# int cable 3/0
MOT(config-if)# ip address 192.168.69.1 255.255.255.0
MOT(config-if)# cable bundle 100 master
MOT> en
MOT# config
MOT(config)# int cable 11/0
MOT(config-if)# cable bundle 100
Module 4, Page 85
Virtual Cable Bundling
Configured the same way as physical cable bundling
Cable bundle master is set to a Loopback Interface
» Will never go down as long as chassis is up and running
MOT> en
MOT# config
MOT(config)# int loopback 1
MOT(config-if)# ip address 192.168.69.1 255.255.255.0
MOT(config-if)# cable bundle 100 master
Module 4, Page 86
Checking Cable Bundling
Check running-configuration Master
MOT# sh run
interface cable 3/0
 ip address 172.16.110.1 255.255.255.0
 ip address 10.10.39.1 255.255.255.0 secondary
 ip helper-address 10.20.40.12
 no shutdown
 cable bundle 100 master
 no cable downstream 0 shutdown
 cable upstream 0 map-interval 2000
 cable upstream 0 physical-delay 600
 no cable upstream 0 shutdown
 no cable upstream 1 shutdown
 no cable upstream 2 shutdown
 no cable upstream 3 shutdown
 ip dhcp relay information option…
Module 4, Page 87
Checking Cable Bundling (cont.)
Check running-configuration Slave
MOT# sh run
interface cable 12/0
 no shutdown
 cable bundle 100
 no cable downstream 0 shutdown
 no cable upstream 0 shutdown
 no cable upstream 1 shutdown
 cable upstream 2 shutdown
 cable upstream 3 shutdown
 ip dhcp relay information option …
Module 4, Page 88
Checking Cable Bundling (cont.)
Check ARP Table
show arp
Check Forwarding Tables
» All
show ip forwarding
» For a specific bundle
show cable bundle <bundle-id> forwarding-table
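A consistency check over the running-configuration output, added here as an example and not a BSR tool: it parses the interface blocks and verifies the bundling layout the slides show (exactly one master per bundle-id, the master carrying the IP configuration, slaves carrying none). The running-config text is constructed after the slide output.

```python
"""Added consistency check (not a BSR tool) for the cable-bundle layout the slides
show: one master per bundle-id, the master carries the IP configuration, slaves do not."""
import re
from collections import defaultdict

SAMPLE_RUN = """\
interface cable 3/0
 ip address 172.16.110.1 255.255.255.0
 cable bundle 100 master
interface cable 12/0
 cable bundle 100
interface cable 11/0
 ip address 10.10.40.1 255.255.255.0
 cable bundle 100
interface cable 4/0
 cable bundle 200
"""

def parse_interfaces(text):
    """Map 'cable 3/0' -> {'bundle': id or None, 'master': bool, 'has_ip': bool}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+ \S+)\s*$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"bundle": None, "master": False, "has_ip": False})
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("ip address "):
            cur["has_ip"] = True
        m = re.match(r"cable bundle (\d+)( master)?$", s)
        if m:
            cur["bundle"], cur["master"] = int(m.group(1)), bool(m.group(2))
    return ifaces

def check_bundles(ifaces):
    """Return problem descriptions, ordered by bundle-id; empty means consistent."""
    by_bundle, problems = defaultdict(list), []
    for name, cfg in ifaces.items():
        if cfg["bundle"] is not None:
            by_bundle[cfg["bundle"]].append((name, cfg))
    for bid, members in sorted(by_bundle.items()):
        masters = [n for n, c in members if c["master"]]
        if len(masters) != 1:
            problems.append(f"bundle {bid}: {len(masters)} masters (want exactly 1)")
        for n, c in members:
            if c["master"] and not c["has_ip"]:
                problems.append(f"bundle {bid}: master {n} has no ip address")
            elif not c["master"] and c["has_ip"]:
                problems.append(f"bundle {bid}: slave {n} carries an ip address")
    return problems
```

A virtual bundle whose master is a loopback interface passes the same check, since the interface name is parsed generically.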
Module 4, Page 89
Baseline Privacy Interface (BPI)
Optionally follows modem registration
Provides user data privacy by encrypting traffic flows, upstream and downstream
Provides cable operators basic protection from theft of service
Mechanisms for:
» authentication: CM to CMTS and CMTS to CM
» key distribution: traffic keys and lifetimes
» data encryption applied to SIDs
56-bit DES encryption
Module 4, Page 90
Baseline Privacy Plus (BPI+) Interface
Provides stronger crypto mechanisms
Support of future upgrade of crypto capabilities
Strong authentication
Dynamic security associations
Module 4, Page 91
BPI/BPI+ Service Goals
Encrypt the data/voice between the CMTS and the MTA/CM. Goals are
» Privacy
• From CM/MTA to CMTS only
» Protection from Theft of Service
(Figure: BPI/BPI+ covers the HFC link between the CMTS/ER and the MTAs and CMs)
Module 4, Page 92
BPI Security Association
If CM is configured for Baseline Privacy in the modem TFTP configuration file:
CM sends Authorization Request
» Public key, MAC address, and SIDs
CMTS responds with an Authorization Response
» Authorization Key (encrypted KEK)
» Key Sequence number and Lifetimes
» List of SIDs
• For each requested Class of Service
(Figure: after REG-REQ, the Cable Modem sends Auth-REQ and the CMTS answers with Auth-RSP across the HFC)
Module 4, Page 93
BPI Security Association (cont.)
CM sends a Key Request for each SID
CMTS responds with a DES-encrypted TEK for each SID
CM can now pass encrypted data
(Figure: after REG-RSP, the Cable Modem sends KEY-REQ and the CMTS returns the TEK across the HFC)
Module 4, Page 94
BPI/BPI+ Divergence
DOCSIS 1.0 (BPI) does not have a secure mechanism to authenticate the CM
DOCSIS 1.1 (BPI+) adds strong authentication of the CM through the use of X.509 digital certificates
Additional service goal of preventing large-scale theft of service
Each CM issued a unique digital certificate that is verified through the DOCSIS root certificate authority
Module 4, Page 95
DOCSIS Trust Hierarchy
Digital Certificates are only useful if trustworthy
Assigning of digital certificates must be a secure process
Module 4, Page 96
BPI+ Security Association
If CM is configured for Baseline Privacy in the modem TFTP configuration file:
CM sends Authorization Request
» CM-ID, CM-Certificate, Security-Capability, Primary SAID
CMTS responds with an Authorization Response
» Auth-key, Key-Lifetime, Key-Sequence_Number, one or more SA-Descriptors
(Figure: after REG-REQ, the Cable Modem sends Auth-REQ and the CMTS answers with Auth-RSP across the HFC)
Module 4, Page 97
BPI+ Security Association (cont.)
CM sends a Key Request for each SID
CMTS responds with a DES-encrypted TEK for each SID
CM can now pass encrypted data
(Figure: after REG-RSP, the Cable Modem sends KEY-REQ and the CMTS returns the TEK across the HFC)
Module 4, Page 98
Dynamic Security Associations
Useful for encrypting traffic flows that are dynamic or temporal
» Multicast Traffic
SA-MAP mechanism allows the CM to learn of encrypted traffic flows and their security association
Currently applied to multicast downstream flow
Interoperates with the DOCSIS 1.1 IGMP management mechanism, which triggers the establishment of dynamic SAs
Module 4, Page 99
IGMP/SA-MAP Example
(Figure: message sequence between CPE, CM and CMTS)
CPE -> CM -> CMTS: IGMP MR (Join); the CM sets its Multicast MAC Filter
CM -> CMTS: SA-MAP Request; the CMTS determines the SAID
CMTS -> CM: SA-MAP Reply; the CM starts the TEK FSM
CM <-> CMTS: Key Req/Reply
Multicast Data reaches the CMTS, which encrypts it; Encrypted Multicast Data goes to the CM, which decrypts it; Multicast Data is delivered to the CPE
Module 4, Page 100
Periodic Maintenance
Periodic ranging
Periodic loop delay, power, equalization
At least every 30 seconds
(Figure: CM initialization stages: Tuning, Ranging, Connection, Configuration, Registration, Maintenance)
(Figure: the Cable Modem sends RNG-REQ and the CMTS answers with RNG-RSP across the HFC)
Module 4, Page 101
Resetting Cable Modems
Resetting cable modems: from the Privileged EXEC mode
clear cable modem [<mac> | <i.p. address> reset] [all reset]
MOT> en
MOT# sh cable modem
cm->mac: 0030.ebff.033
Interface Upstream Prim Connect Timing Rec Ip Address Mac Address
IfIndex Sid State Offset Power
Cable 0/0 4 1 online(pk) 1239 109 10.200.220.2 0030.ebff.f03
Total cable modems reg: 2
Total cable modems other state: 0
MOT#
MOT# clear cable modem 0030.ebff.f03 reset
MOT#