Cisco SR2016T-NA Reference Manual page 86


cable dynamic-secret
configuration file fails to pass the original or secondary shared secret verification checks, the cable
modem is not allowed to register, and the Dynamic Shared Secret feature is not invoked for that
particular cable modem.
Note
The Cisco uBR7100 series router does not support the Dynamic Shared Secret feature when running in
MxU bridging mode.
The original filename for the DOCSIS configuration file is automatically encrypted by default to prevent
unauthorized parties from obtaining any useful information from the filename, or from attempting to
replace the original file with their own. This encryption can be disabled, using the nocrypt option, so
that DOCSIS configuration files are sent using their original filenames.
Note
Do not use the cable dynamic-secret command along with the ip tftp-source command in Cisco IOS
Release 12.2(15)BC1, because this could result in certain models of CMs not being able to come online
but instead be stuck in the init(o) state. This restriction is removed in Cisco IOS Release 12.2(15)BC2
and later releases.
Modes of Operation
The cable dynamic-secret command offers three different possible responses to cable modems that fail
the CMTS MIC verification check:
When the mark option is used, the CMTS allows CMs to come online even if they fail the CMTS
MIC validity check. However, the CMTS also prints a warning message on the console and marks
the cable modem in the show cable modem command with an exclamation point (!), so that this
situation can be investigated. The following message is displayed on the console when such a CM
registers with the Cisco CMTS:
06:53:57: %UBR7200-4-CMMARKED: Cable Modem 00ff.ffee.ddcc in C3/0 attempted theft of service
When the lock option is used, the CMTS assigns a restrictive QoS configuration to CMs that fail the
CMTS MIC validity check. If an optional lock-qos profile is specified, the CMTS assigns this profile
to the CM while it is locked.
If the lock-qos profile is not specified, the CMTS uses a special QoS configuration that limits the
network access for these CMs by restricting their downstream and upstream service flows to a
maximum rate of 10 kbps. (If you do not specify the lock-qos profile, you must also allow cable
modems to create QoS profiles, using the cable qos permission command. If you do not do this and
use the lock option without specifying a particular QoS profile, locked cable modems will not be
allowed to register until the lock clears or expires.)
If a customer resets their CM, the CM reregisters but still uses the restricted QoS profile. A
locked CM continues with the restricted QoS profile until it goes offline and remains offline for at
least 24 hours, at which point it is allowed to reregister with a valid DOCSIS configuration file. This
option frustrates users who are repeatedly registering with the CMTS in an attempt to guess the
shared secret, or to determine the details of the Dynamic Shared Secret security system.
In addition, the following message is displayed on the console when a CM is locked.
06:53:57: %UBR7200-4-CMLOCKED: Cable Modem 00ff.ffee.ddcc in C3/0 attempted theft of service
Locked cable modems are shown with an exclamation point (!) in the show cable modem displays:
Router# show cable modem
Cisco Broadband Cable Command Reference Guide, Chapter 2: Cisco CMTS Configuration Commands, OL-1581-08, page 2-74
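As an added example (not part of the Cisco manual), the following Python code tallies the CMMARKED and CMLOCKED console messages per cable modem, so that modems that repeatedly fail the CMTS MIC check stand out in collected syslog. It assumes the message layout and the UBR7200 facility prefix quoted above; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Message layout taken from the two console messages quoted on this page.
# \s+ between words lets a message that was wrapped across lines still match.
EVENT_RE = re.compile(
    r"%UBR7200-4-(CMMARKED|CMLOCKED):\s+Cable\s+Modem\s+"
    r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+in\s+(\S+)\s+"
    r"attempted\s+theft\s+of\s+service",
    re.IGNORECASE,
)

def summarize(log_text):
    """Return {mac: {"marked": n, "locked": n, "interfaces": set}}."""
    modems = defaultdict(lambda: {"marked": 0, "locked": 0, "interfaces": set()})
    for mnemonic, mac, interface in EVENT_RE.findall(log_text):
        entry = modems[mac.lower()]  # normalise case so one modem is one key
        entry["locked" if mnemonic.upper() == "CMLOCKED" else "marked"] += 1
        entry["interfaces"].add(interface)
    return dict(modems)

def repeat_failures(log_text, threshold=2):
    """MACs with at least `threshold` failures, most frequent first."""
    totals = {m: e["marked"] + e["locked"] for m, e in summarize(log_text).items()}
    return sorted((m for m, n in totals.items() if n >= threshold),
                  key=lambda m: (-totals[m], m))

# Constructed sample log (the second MAC, the interfaces and the timestamps are made up).
SAMPLE_LOG = """\
06:53:57: %UBR7200-4-CMMARKED: Cable Modem 00ff.ffee.ddcc in C3/0 attempted theft of
service
06:54:10: %SYS-5-CONFIG_I: Configured from console by console
07:02:31: %UBR7200-4-CMLOCKED: Cable Modem 00FF.FFEE.DDCC in C3/0 attempted theft of service
07:15:02: %UBR7200-4-CMLOCKED: Cable Modem 0011.2233.4455 in C4/0 attempted theft of service
"""

if __name__ == "__main__":
    for mac, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(mac, entry["marked"], entry["locked"], sorted(entry["interfaces"]))
    print("repeat:", repeat_failures(SAMPLE_LOG))
```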
