Cisco SR2016T-NA Reference Manual page 236


cable source-verify
Using the dhcp Option
If the dhcp option is used, all packets with unknown IP addresses within the cable network are dropped,
but the Cisco CMTS sends a DHCP LEASEQUERY message to the DHCP server to verify the
IP address. If a valid response is received from the DHCP server, the CMTS updates its database with
the new CPE device and allows future traffic through. If the DHCP server does not return a successful
response, all traffic from the CPE is dropped.
In Cisco IOS Release 12.2(15)BC1 and later releases, the dhcp option extends the verification to CPE
devices that had been online using a valid IP address but then were reconfigured by the user with an
unused static IP address. With Cisco IOS Release 12.2(15)BC1 and later, CPE devices are not allowed
online when they are using static IP addresses that have not been allocated by the DHCP server. If you
are using the dhcp option, the CPE device must use an IP address that has been assigned by the DHCP
server.
Tip: You can expect to see a temporary spike in CPU usage after initially enabling the
cable source-verify dhcp command, because the router must send a DHCP LEASEQUERY request
for every unknown CPE IP address. CPU usage drops after the router has verified and learned
all of the CPE IP addresses that are currently online. (This same situation also occurs after
giving the no cable arp command, because of the need to verify CPE IP addresses.)
Note: The dhcp option automatically blocks all statically-assigned IP addresses unless the
DHCP server has been configured to recognize those addresses and respond with the appropriate
LEASEQUERY response.
The cable source-verify command by itself prevents someone from stealing another customer's IP
address. The cable source-verify dhcp command adds another level of security by refusing access to
any CPE device with an IP address that has not been assigned by the DHCP server.
Note: This dhcp option requires that the DHCP server support the LEASEQUERY message. The
Cisco Network Registrar (CNR) supports LEASEQUERY in version 3.01(T) and above. The
LEASEQUERY message is currently defined in an IETF draft, which is dated October, 2003 and
available at the following URL:
http://www.ietf.org/internet-drafts/draft-ietf-dhc-leasequery-06.txt
Caution: Do not enable the local DHCP server on the Cisco CMTS and configure local DHCP
address pools, using the ip dhcp pool command, when you are also enabling the
cable source-verify dhcp command, because the DHCP server on the Cisco CMTS can intercept
the LEASEQUERY messages and prevent them from reaching the external DHCP server. This in turn
prevents address validation from succeeding because the DHCP server on the Cisco CMTS does
not support LEASEQUERY messages.
Tip: The cable source-verify command is similar in function to the ip verify unicast
reverse-path command, which is used on other interfaces, except that the cable source-verify
command is optimized for cable interfaces.
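
The Caution above can be checked mechanically before a change is deployed. The following Python sketch is an added example, not Cisco code: it scans a running-config for cable interfaces that use cable source-verify dhcp while a local ip dhcp pool is defined, and also reports interfaces with the weaker setting or none. The sample config, pool name, interface numbers and finding labels are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
ip dhcp pool LOCAL-CPE
 network 10.10.0.0 255.255.0.0
!
interface Cable3/0
 cable source-verify dhcp
!
interface Cable4/0
 cable source-verify
!
interface Cable5/0
 no cable arp
!
"""

def audit_source_verify(config):
    """Return (interface, finding) pairs; finding labels are hypothetical."""
    findings = []
    # Any local pool means the CMTS's own DHCP server may answer first.
    local_pools = re.findall(r"^ip dhcp pool (\S+)", config, re.M)
    # An interface stanza is its header line plus the indented lines below it.
    stanzas = re.findall(
        r"^interface (Cable\S+)\n((?:[ \t]+.*\n?)*)", config, re.M | re.I
    )
    for name, body in stanzas:
        lines = [line.strip() for line in body.splitlines()]
        if "cable source-verify dhcp" in lines:
            # Caution on this page: the local DHCP server can intercept
            # LEASEQUERY and does not support it, so validation fails.
            for pool in local_pools:
                findings.append((name, "local-pool-conflict:" + pool))
        elif "cable source-verify" in lines:
            # IP theft is blocked, but unassigned static IPs are not checked.
            findings.append((name, "no-leasequery-check"))
        else:
            findings.append((name, "source-verify-disabled"))
    return findings

if __name__ == "__main__":
    for interface, finding in audit_source_verify(SAMPLE_CONFIG):
        print(interface, finding)
```
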
Cisco Broadband Cable Command Reference Guide, OL-1581-08
Chapter 2: Cisco CMTS Configuration Commands
