Cisco SR2016T-NA Reference Manual page 235

Chapter 2
Cisco CMTS Configuration Commands
Release
12.2(15)BC2
12.3(9a)BC
Usage Guidelines
The cable source-verify command helps to prevent the spoofing of IP addresses by CMs or their CPE
devices by verifying that the upstream packets coming from each CM are known to be associated with
the IP address in that packet. Packets with IP addresses that do not match those associated with the CM
are dropped.
In order to protect the Cisco CMTS from denial of service attacks, Cisco IOS Release 12.3(9a)BC adds
the option of using a per SID basis for deriving lease queries from CPE devices. This release also
introduces a global rate limit for lease queries initiated by downstream traffic. These enhancements
reduce the CPU utilization of DHCP Receive and ISR processes when the Cisco CMTS is configured
with the cable source-verify dhcp and no cable arp commands.
Caution
In current Cisco IOS Release 12.1 EC and 12.2 BC software images, the Cisco CMTS can crash with a
"bus error exception" when the cable source-verify command is configured on a cable interface, and the
routing configuration of that interface is being changed while traffic is passing through the interface. To
avoid this problem, temporarily disable this feature (using no cable source-verify) on the interface
before you configure the routing parameters. Then after you have finished the routing configuration,
reenable the feature using the cable source-verify command. Alternatively, you can also change the
routing parameters when the interface is not passing traffic (such as when the interface is shut down).
Caution
In Cisco IOS Release 12.2(15)BC1 and earlier releases, you cannot use the cable source-verify
command on a Cisco uBR-MC16U/X, Cisco uBR-MC28U/X, or Cisco uBR-MC5X20S/U cable
interface line card that is using an MPLS/VPN configuration when you are also using duplicate or
overlapping IP address ranges for CPE devices on different cable interfaces/subinterfaces. To use the
cable source-verify command, you must assign unique IP addresses for each cable interface or
sub-interface. This is being tracked as caveat CSCed53355.
Tip
If you notice that CMs are going offline and their IP addresses later appear as PCs or CPE devices behind
other CMs on other cable interface downstreams, consider using the cable source-verify command.
The Cisco CMTS maintains a database that links the MAC and IP addresses of known CPE devices with
the CMs that are providing network access for those CPE devices. The CMTS typically populates this
database with information obtained by examining the Dynamic Host Configuration Protocol (DHCP)
packets sent between the CPE devices and the DHCP server. Other IP traffic provides information about
which CMs service which CPE devices.
After the cable source-verify command is issued, every IP upstream packet is examined. If the IP and
MAC addresses of the CPE device are already associated with a known, online CM, it is allowed through.
If not, the source IP address is examined to determine if it belongs to the cable network. If so, and if the
dhcp option is not used, the packet is allowed through.
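A small Python model of the check described in this section, added here as an illustration; it is not Cisco code. The database contents, addresses, function name and verdict strings are constructed, and the LEASEQUERY and RPF_CHECK branches are assumptions drawn from the lease-query and Reverse Path Forwarding mentions on this page, because the excerpt ends before describing them.

```python
import ipaddress
from typing import NamedTuple


class Binding(NamedTuple):
    cpe_mac: str  # MAC address of the CPE device
    cm_mac: str   # CM that provides network access for that device


# Constructed sample data. The database is keyed by IP address and, in this
# model, only holds bindings learned for known, online CMs.
CABLE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
DATABASE = {
    "10.10.1.20": Binding("00:00:5e:00:53:20", "00:00:5e:00:53:0a"),
    "10.10.1.30": Binding("00:00:5e:00:53:30", "00:00:5e:00:53:0b"),
}


def source_verify(src_ip, src_mac, via_cm, dhcp_option=False,
                  db=DATABASE, cable_nets=CABLE_NETS):
    """Return the verdict for one upstream packet received through via_cm."""
    entry = db.get(src_ip)
    if entry is not None:
        # Known address: IP and MAC must match the binding for this CM.
        if entry.cpe_mac == src_mac and entry.cm_mac == via_cm:
            return "ALLOW"
        # The IP is associated with a different CM or MAC. This model
        # treats any mismatch with the stored binding as spoofing.
        return "DROP"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in cable_nets):
        # Unknown source inside the cable network: allowed unless the dhcp
        # option is set. Assumption: with dhcp, a lease query is issued
        # before the address is accepted.
        return "LEASEQUERY" if dhcp_option else "ALLOW"
    # Assumption: sources outside the cable interface subnets are left to
    # the Reverse Path Forwarding check named in the release table.
    return "RPF_CHECK"
```

The second case in the Tip above (a known IP address showing up behind a different CM) is the one that returns DROP.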
OL-1581-08
Release        Modification
12.2(15)BC2    Support for verifying CMs and CPE devices that are on a different subnet
               than the cable interface was enhanced to use Reverse Path Forwarding
               (RPF).
12.3(9a)BC     Cisco IOS Release 12.3(9a)BC adds the option of using a per SID basis for
               deriving lease queries from CPE devices. This release also introduces a
               global rate limit for lease queries initiated by downstream traffic.
Cisco Broadband Cable Command Reference Guide
cable source-verify
2-223
