Cisco SR2016T-NA Reference Manual page 237

Reference guide
Chapter 2
Cisco CMTS Configuration Commands
cable source-verify
Using the leasetimer Option
The leasetimer option adds another level of verification by activating a timer that periodically examines the lease times for the IP addresses of known CPE devices. If the CMTS discovers that the DHCP lease for a CPE device has expired, it removes that IP address from its database, preventing the CPE device from communicating until it makes another DHCP request. This prevents users from treating DHCP-assigned addresses as static addresses, and from using IP addresses that were previously assigned to other devices.
Note
The leasetimer option is active only if you have also specified the cable source-verify dhcp command
for the cable interface. If the dhcp option is not used, the leasetimer option has no effect. In addition,
the leasetimer option can be configured only on an interface, not a subinterface. Applying it to a master
interface automatically applies it to all subinterfaces.
The leasetimer option sets how often the timer checks the lease times, which in effect bounds the maximum amount of time a CPE device can keep using an IP address that was previously assigned by the DHCP server but whose lease has since expired. The interval can range from 1 minute to 240 minutes (4 hours), and a grace period of 2 minutes is added to give a PC enough time to make a DHCP request to renew the IP address. To turn off the timer, so that the CMTS no longer checks the lease times, issue the cable source-verify command without the dhcp option, or turn off the feature entirely with the no cable source-verify command.
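The following model, added here as an illustration and not code from Cisco or from this guide, simulates the per-interface CPE database, the DHCP LEASEQUERY used for unknown sources, and the periodic lease sweep that the leasetimer option activates. The stand-in DHCP server, the fixed sweep schedule, the way the 2-minute grace period combines with the interval, and all addresses and MACs are constructed assumptions; the point it shows is that a CPE with an expired lease can keep sending for up to one timer interval (plus the grace period) before the CMTS cuts it off, and that a source using another device's address is dropped.

```python
"""Model of CMTS 'cable source-verify dhcp' with the leasetimer option.

Added example, not Cisco code. Times are in minutes. The DHCP server,
the sweep schedule and the grace-period handling are modelling assumptions.
"""
from dataclasses import dataclass
from typing import Optional

GRACE_MINUTES = 2            # grace period stated in the guide
LEASETIMER_RANGE = (1, 240)  # valid leasetimer values (minutes)


@dataclass
class Lease:
    mac: str
    expires: int             # minute at which the DHCP lease ends


class CableInterface:
    def __init__(self, dhcp_server: dict, dhcp: bool, leasetimer: Optional[int] = None):
        lo, hi = LEASETIMER_RANGE
        if leasetimer is not None and not lo <= leasetimer <= hi:
            raise ValueError("leasetimer must be 1-240 minutes")
        self.dhcp_server = dhcp_server               # ip -> Lease; stands in for the real server
        self.dhcp = dhcp
        self.leasetimer = leasetimer if dhcp else None   # leasetimer has no effect without dhcp
        self.cpe_db: dict[str, Lease] = {}           # IP addresses the CMTS currently trusts
        self.last_sweep = 0
        self.log: list[str] = []

    def snoop_dhcp_ack(self, ip: str, lease: Lease) -> None:
        """CMTS learns a binding by watching the DHCP exchange on the cable interface."""
        self.cpe_db[ip] = lease

    def leasequery(self, ip: str, now: int) -> Optional[Lease]:
        """Ask the DHCP server about an unknown source (only with the dhcp option)."""
        lease = self.dhcp_server.get(ip)
        return lease if lease and lease.expires > now else None

    def sweep(self, at: int) -> list[str]:
        """Remove CPE entries whose lease expired more than GRACE_MINUTES ago."""
        stale = [ip for ip, l in self.cpe_db.items() if at > l.expires + GRACE_MINUTES]
        for ip in stale:
            del self.cpe_db[ip]
            self.log.append(f"t={at}: lease for {ip} expired, entry removed")
        return stale

    def _run_timer(self, now: int) -> None:
        if self.leasetimer is None:
            return
        while now - self.last_sweep >= self.leasetimer:   # run every sweep that is due
            self.last_sweep += self.leasetimer
            self.sweep(self.last_sweep)

    def upstream(self, now: int, src_ip: str, src_mac: str) -> bool:
        """Return True if an upstream packet is forwarded, False if it is dropped."""
        self._run_timer(now)
        lease = self.cpe_db.get(src_ip)
        if lease is None and self.dhcp:                 # unknown source: LEASEQUERY
            lease = self.leasequery(src_ip, now)
            if lease:
                self.cpe_db[src_ip] = lease
        ok = lease is not None and lease.mac == src_mac
        if not ok:
            self.log.append(f"t={now}: dropped {src_ip}/{src_mac}")
        return ok


def first_drop_minute(leasetimer: Optional[int], lease_expires: int = 60,
                      horizon: int = 400) -> Optional[int]:
    """Minute at which a CPE that keeps using an expired lease is first cut off."""
    server = {"10.1.1.50": Lease("0011.2233.4455", lease_expires)}   # constructed
    cable = CableInterface(server, dhcp=True, leasetimer=leasetimer)
    cable.snoop_dhcp_ack("10.1.1.50", server["10.1.1.50"])
    for t in range(1, horizon):
        if not cable.upstream(t, "10.1.1.50", "0011.2233.4455"):
            return t
    return None        # timer off: the stale entry is never removed


def spoofed_neighbour_dropped() -> bool:
    """A host using another CPE's DHCP-assigned address with its own MAC is dropped."""
    server = {"10.1.1.51": Lease("aaaa.bbbb.cccc", 600)}             # constructed
    cable = CableInterface(server, dhcp=True, leasetimer=10)
    return not cable.upstream(5, "10.1.1.51", "dead.beef.0001")


if __name__ == "__main__":
    for interval in (1, 30, 120, None):
        print(f"leasetimer={interval}: first drop at minute {first_drop_minute(interval)}")
```

With a lease that ends at minute 60, leasetimer 1 cuts the device off at minute 63 (expiry plus the grace period), leasetimer 30 at minute 90 and leasetimer 120 at minute 120; with the timer off the stale entry stays until the device itself renews. This is why the interval is the knob to tune against how long a stale or reused address may remain usable.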
Tip
In some circumstances, spoofing can still occur even after the cable source-verify command is used, due to the behavior of the ARP protocol. For additional security, consider blocking ARP requests to the CMs using the no cable arp and no cable proxy-arp commands. For more details, see the Cisco Tech Note at the following URL:
http://www.cisco.com/warp/public/109/source_verify.html
Using Multiple Subnets
In Cisco IOS Release 12.2(15)BC2 and later releases, the cable source-verify command can verify IP
addresses that are on a different subnet than what is being used on the cable interface only if you also
enable Reverse Path Forwarding (RPF) checks by configuring the following commands:
Router(config)# ip cef
Router(config)# interface cable interface
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)#
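The check that ip verify unicast source reachable-via rx adds is strict unicast RPF: a packet is accepted only if the longest-prefix route back to its source address points at the interface the packet arrived on. The model below, an added illustration and not Cisco code, shows why this lets source verification cover a second subnet on the cable interface while still rejecting off-net sources. The routing table, interface names and addresses are constructed for the example.

```python
"""Strict unicast RPF as a longest-prefix lookup. Added example, not Cisco code."""
import ipaddress
from typing import Optional

# Constructed routing table: prefix -> egress interface. Both 10.1.1.0/24
# and the secondary subnet 10.1.2.0/24 are routed via the cable interface.
ROUTES = {
    "10.1.1.0/24": "Cable4/0",
    "10.1.2.0/24": "Cable4/0",
    "172.16.0.0/16": "GigabitEthernet0/1",
}


def route_interface(table: dict, ip: str) -> Optional[str]:
    """Longest-prefix match; None when no route covers the address."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_strict_passes(table: dict, src_ip: str, ingress: str) -> bool:
    """Strict RPF: the return path to src_ip must be the ingress interface."""
    return route_interface(table, src_ip) == ingress


def filter_upstream(table: dict, packets: list, ingress: str) -> dict:
    """Split (src_ip, payload) packets arriving on `ingress` into passed and dropped."""
    passed = [p for p in packets if rpf_strict_passes(table, p[0], ingress)]
    dropped = [p for p in packets if not rpf_strict_passes(table, p[0], ingress)]
    return {"passed": passed, "dropped": dropped}


if __name__ == "__main__":
    sample = [("10.1.1.20", "ok"), ("10.1.2.7", "secondary subnet"),
              ("172.16.5.5", "spoofed WAN address"), ("192.0.2.9", "unrouted")]
    print(filter_upstream(ROUTES, sample, "Cable4/0"))
```

Only the two sources whose routes point back at Cable4/0 pass; the address belonging to the WAN side and the unrouted address are dropped before cable source-verify ever consults its CPE database.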
Examples
The following example turns on CM upstream verification and configures the Cisco CMTS
router to send DHCP LEASEQUERYs to verify unknown source IP addresses in upstream data packets:
Router# configure terminal
Router(config)# interface c4/0
Router(config-if)# cable source-verify dhcp
Router(config-if)#
The following example shows how to enable the leasetimer feature so that every two hours, the CMTS
checks the IP addresses in the CPE database for that particular interface for expired lease times:
Router# configure terminal
Router(config)# interface c1/0
Router(config-if)# cable source-verify dhcp
Router(config-if)# cable source-verify leasetimer 120
Router(config-if)#
Cisco Broadband Cable Command Reference Guide
2-225
OL-1581-08