Cisco SR2016T-NA Reference Manual page 87

Chapter 2
Cisco CMTS Configuration Commands
Cisco Broadband Cable Command Reference Guide, OL-1581-08, page 2-75
cable dynamic-secret

MAC Address    IP Address      I/F       MAC         Prim RxPwr  Timing Num BPI
                                         State       Sid  (db)   Offset CPE Enb
0010.9507.01db 144.205.151.130 C5/1/0/U5 online(pt)  1     0.25   938    1   N
0080.37b8.e99b 144.205.151.131 C5/1/0/U5 online      2    -0.25  1268    0   N
0002.fdfa.12ef 144.205.151.232 C6/1/0/U0 online(pt)  13   -0.25  1920    1   N
0002.fdfa.137d 144.205.151.160 C6/1/0/U0 !online     16   -0.50  1920    1   N
0003.e38f.e9ab 144.205.151.237 C6/1/0/U0 !online     3    -0.50  1926    1   N
Router#

Tip
You can also manually clear the lock on a CM by using the clear cable modem lock command.

When the reject option is used, the CMTS refuses to allow CMs to come online if they fail the CMTS MIC validity check. These cable modems appear with a MAC state of "reject(m)" in the displays generated by the show cable modem command. After a short timeout period, the CM attempts to reregister with the CMTS. The CM must register with a valid DOCSIS configuration file before being allowed to come online. When the CM does come online, the CMTS prints a warning message on the console and marks the cable modem in the show cable modem command with an exclamation point (!), so that this situation can be investigated.

Tip
Cisco recommends that you initially use the mark option, so that potential problems are identified without immediately interfering with users' ability to come online. After you identify and resolve these initial problems, reconfigure the cable interfaces with the reject or lock option to block problem cable modems that attempt to come online without a valid shared secret.

Note
To account for possible network problems, such as loss of packets and congestion, the Cisco CMTS will allow a cable modem to attempt to register twice before marking it as having failed the Dynamic Shared Secret authentication checks.

Filename Encryption
By default, the cable dynamic-secret command encrypts the original filename for a DOCSIS configuration file when the Cisco CMTS transmits the file to the CM. This filename changes in a semi-random manner, making it difficult for users to predict the filename for the file that should be downloaded to the CM.

This does mean, however, that the filenames specified in the DHCP HELLO and ACK messages are different, and that the filenames on the CM and on the TFTP server are different. This could interfere with custom network management applications and scripts. If this is the case, you can disable the automatic filename encryption by adding the nocrypt option to the command.

The nocrypt option does slightly decrease the security provided by this feature, so this possibility should be weighed against the ability to more conveniently manage the network.

Interaction with the TFTP Enforce Feature
The cable tftp-enforce command provides another layer of protection against theft-of-service attacks by requiring cable modems to download a DOCSIS configuration file through the CMTS cable interface before being allowed to register. When the cable tftp-enforce command is used with the cable dynamic-secret command, the TFTP enforce checks are done before the dynamic shared-secret checks. If a cable modem fails to download a DOCSIS configuration file through the CMTS, it is not allowed to register, regardless of the dynamic shared-secret checks.
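One way to triage the modems that the mark and reject options flag, as an added example that is not part of the Cisco guide: the script reads show cable modem output and lists every modem whose MAC state starts with an exclamation point (!) or is reject(m). The function names are hypothetical, and the reject(m) row is constructed with documentation-range addresses; the other rows are the sample output above.

```python
import re

# Rows 1-5 are the sample output shown on this page; the reject(m) row is
# constructed (documentation-range MAC and IP) to exercise the second case.
SAMPLE = """\
0010.9507.01db 144.205.151.130 C5/1/0/U5 online(pt)
0080.37b8.e99b 144.205.151.131 C5/1/0/U5 online
0002.fdfa.12ef 144.205.151.232 C6/1/0/U0 online(pt)
0002.fdfa.137d 144.205.151.160 C6/1/0/U0 !online
0003.e38f.e9ab 144.205.151.237 C6/1/0/U0 !online
0000.5e00.5301 192.0.2.10 C6/1/0/U0 reject(m)
Router#
"""

# Only the first four columns are needed; trailing columns are ignored.
ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ifc>\S+)\s+"
    r"(?P<state>\S+)",
    re.IGNORECASE,
)

def dss_findings(output):
    """Return (mac, ip, interface, state, reason) for modems to investigate."""
    findings = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line, prompt, or blank line
        state = m["state"]
        if state.startswith("!"):
            reason = "marked (!): failed the dynamic shared-secret check"
        elif state.lower() == "reject(m)":
            reason = "rejected: failed the CMTS MIC validity check"
        else:
            continue
        findings.append((m["mac"], m["ip"], m["ifc"], state, reason))
    return findings

def by_interface(findings):
    """Count flagged modems per upstream interface to spot clusters."""
    counts = {}
    for _, _, ifc, _, _ in findings:
        counts[ifc] = counts.get(ifc, 0) + 1
    return counts

if __name__ == "__main__":
    for f in dss_findings(SAMPLE):
        print("%-15s %-16s %-10s %-10s %s" % f)
```

Running this against periodic captures while the interfaces are still in mark mode gives the list of modems to resolve before switching to reject or lock.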
