Cisco uBR10012 Software Configuration Manual page 51

Universal broadband router
Chapter 1
Overview of Cisco uBR10012 Universal Broadband Router Software
40-bit and 56-bit Baseline Privacy Data Encryption Standard (DES)
The Cisco uBR10012 router supports 40-bit and 56-bit encryption and decryption. When encryption and
decryption are enabled, 56-bit is the default. If necessary, administrators can force the
Cisco uBR10012 router to generate a 40-bit DES key; the key that is generated and returned has
the first 16 bits of the 56-bit key masked to zero in software.
Note
BPI+ encryption and authentication must be supported and enabled by both the CM and CMTS. In addition,
the CM must contain a digital certificate that conforms to the DOCSIS 1.1 and BPI+ specifications.
Access Lists (Per-Modem and Per-Host)
Per-modem and per-host access lists allow the Cisco uBR10012 router to filter incoming packets from
individual hosts or cable interfaces based on the source MAC or IP address. This allows access lists to
be specified on a per-interface or a per-address basis.
You can preconfigure the filters by using the CLI, following standard Cisco IOS access list and access
group configuration procedures. You can assign these filters to a user or modem by using the CLI or
SNMP. The feature also supports traps to inform the CMTS about the online or offline status of modems.
Access Lists on the Cisco uBR10012 Router
The Parallel eXpress Forwarding (PXF) processors on the Cisco uBR10012 router automatically compile
all access lists when they are configured, which provides the increased performance of Turbo Access
Control Lists (Turbo ACL) by default.
You do not need to use the access-list compiled command to enable the Turbo ACL feature. To display
access lists, use the show access-lists command without specifying the compiled option.
For complete information about access lists, see the "Traffic Filtering and Firewall" volume in the Cisco
IOS Release 12.1 Security Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdacls.html
Authentication
DOCSIS 1.1 offers advanced authentication and security through X.509 digital certificates and Triple
Data Encryption Standard (3DES) key encryption.
Cisco IOS Firewall
The Cisco uBR10012 router supports Network Address Translation (NAT) and firewall functionality.
Additional NAT documentation is available online at http://www.Cisco.com.
CM and Host Subnet Addressing
This feature enables the Cisco uBR10012 router to manipulate the GIADDR field of DHCPDISCOVER
and DHCPREQUEST packets with a Relay IP address before they are forwarded to the DHCP server.
By modifying the GIADDR field based on whether the source is a CM or a host, the
Cisco uBR10012 router provides hints to the DHCP server as to where—on which IP subnet—the server
should allocate addresses to the requesting client.
Upstream Address Verification
This feature prevents the spoofing of IP addresses. Using the CLI, administrators can determine the IP
and MAC address of a given cable interface, and the SID number that shows the IP and MAC addresses
of all devices learned in the cable interface's MAC table.
The CMTS verifies the source IP address against the MAC address for the CM. CM and PC IP addresses
are verified to ensure that SID and MAC addresses are consistent. A PC behind a cable interface is
assigned an IP address from the DHCP server. If a user on a second PC or cable interface statically
assigns the same IP address to a PC, the Cisco uBR10012 router reports this. Using customer databases,
administrators can cross-reference the spoofing CM and PC to prevent further usage.
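A minimal model of the verification described above, as an added example that is not Cisco IOS code and not from this guide. The binding table, class and field names, and the `unknown` verdict are assumptions, and all addresses are constructed documentation values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str  # MAC address the DHCP server leased the IP to
    sid: int  # SID of the cable modem that device sits behind

class UpstreamVerifier:
    """Assumed data model: one DHCP-learned binding per IP address."""

    def __init__(self):
        self.bindings = {}  # ip -> Binding
        self.reports = []   # (ip, mismatched fields, seen, owner)

    def learn_from_dhcp(self, ip, mac, sid):
        self.bindings[ip] = Binding(mac.lower(), sid)

    def check(self, ip, mac, sid):
        """Classify an upstream packet as 'ok', 'unknown' or 'spoof'."""
        owner = self.bindings.get(ip)
        if owner is None:
            return "unknown"  # no lease on record; handling is operator policy
        seen = Binding(mac.lower(), sid)
        mismatched = [f for f in ("mac", "sid")
                      if getattr(seen, f) != getattr(owner, f)]
        if not mismatched:
            return "ok"
        # Keep both sides so the operator can cross-reference customer records.
        self.reports.append((ip, mismatched, seen, owner))
        return "spoof"

def demo():
    v = UpstreamVerifier()
    # Constructed sample data (documentation IP and MAC ranges).
    v.learn_from_dhcp("192.0.2.10", "00:00:5E:00:53:01", sid=5)
    v.learn_from_dhcp("192.0.2.11", "00:00:5E:00:53:02", sid=6)
    packets = [
        ("192.0.2.10", "00:00:5e:00:53:01", 5),  # legitimate lease holder
        ("192.0.2.10", "00:00:5e:00:53:99", 6),  # second PC, static copy of the IP
        ("192.0.2.11", "00:00:5e:00:53:02", 5),  # right MAC, wrong modem (SID)
        ("192.0.2.50", "00:00:5e:00:53:03", 7),  # address never leased
    ]
    return [v.check(*p) for p in packets], v.reports

if __name__ == "__main__":
    verdicts, reports = demo()
    print(verdicts)
    for r in reports:
        print(r)
```

Each report entry carries both the observed and the leased MAC/SID pair, which is what an operator needs to look up the two subscribers involved.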
OL-1520-05
Supported Software Features for the Cisco uBR10012 Router
Cisco uBR10012 Universal Broadband Router Software Configuration Guide
1-31
