Cisco SR2016T-NA Reference Manual page 239

Chapter 2 Cisco CMTS Configuration Commands
cable source-verify leasequery-filter downstream
To control the number of Dynamic Host Configuration Protocol (DHCP) LEASEQUERY request
messages that are sent for unknown IP addresses on all cable downstream interfaces on the Cisco Cable
Modem Termination System (CMTS) router, use the cable source-verify leasequery-filter
downstream command in global configuration mode. To stop the filtering of DHCP lease queries, use
the no form of this command.
Syntax Description
threshold
interval
Defaults Filtering of DHCP lease queries is disabled.
Command Modes
Global configuration
Command History Release
12.2(15)BC1d,
12.2(15)BC2b
Usage Guidelines When the cable source-verify dhcp and no cable arp commands are configured on a cable interface,
the Cisco CMTS router sends a DHCP LEASEQUERY request to the DHCP server to verify unknown
IP addresses that are found in packets to and from customer premises equipment (CPE) devices that are
using the cable modems on the cable interface. The DHCP server returns a DHCP ACK message with
the MAC address of the CPE device that has been assigned this IP address, if any. The router can then
verify that this CPE device is authorized to use this IP address, which prevents users from assigning
unauthorized IP addresses to their CPE devices.
Problems can occur, though, when viruses, denial of service (DoS) attacks, and theft-of-service attacks
scan ranges of IP addresses, in an attempt to find unused addresses. This type of activity can generate a
large volume of DHCP LEASEQUERY requests, which can result in high CPU utilization and a lack of
available bandwidth for other customers.
To prevent such a large volume of LEASEQUERY requests on all downstreams in the Cisco CMTS
router, use the cable source-verify leasequery-filter downstream command. After configuring this
command, the Cisco CMTS allows only a certain number of DHCP LEASEQUERY requests in the
downstream direction within each interval time period.
For example, the cable source-verify leasequery-filter downstream 5 10 command configures the
router so that it allows a maximum of 5 DHCP LEASEQUERY requests every 10 seconds for each SID
on the downstream direction. This command applies to all downstream cable interfaces in the router.
OL-1581-08
cable source-verify leasequery-filter downstream threshold interval
no cable source-verify leasequery-filter downstream
Maximum number of DHCP lease queries allowed per SID for each interval
period. The valid range is 0 to 255 lease queries.
Time period, in seconds, over which lease queries should be monitored. The
valid range is 1 to 10 seconds.
Modification
This command was introduced for the Cisco uBR7100 series,
Cisco uBR7246VXR, and Cisco uBR10012 universal broadband routers.
cable source-verify leasequery-filter downstream
Cisco Broadband Cable Command Reference Guide
2-227