Configuring DOCSIS
This section describes the tasks that you must perform when configuring Prime Cable Provisioning to support the DOCSIS technologies.
Note: See Technology Option Support for information on DOCSIS options supported by this Prime Cable Provisioning release.
DOCSIS Workflow
Prime Cable Provisioning supports these versions of the DOCSIS specifications: 1.0, 1.1, 2.0, 3.0, and 3.1.
To successfully configure Prime Cable Provisioning for DOCSIS operations, you must configure the components as described in Configuring Prime Cable Provisioning Components, in addition to those described in this section.
The following table identifies the workflow to follow when configuring Prime Cable Provisioning to support DOCSIS.
| | Task | Refer to... |
|---|---|---|
| Step 1 | Configure the RDU | |
| | a. Configure all provisioned DHCP Criteria. | |
| | b. Configure provisioned Class of Service. | |
| | c. Configure the promiscuous mode of operation. | |
| Step 2 | Configure the DPE | |
| | a. Enable the TFTP service. | The service tftp 1..1 ipv4 \| ipv6 enabled true command described in the Cisco Prime Cable Provisioning 6.1.3 DPE CLI Reference Guide. |
| | b. Optionally, enable the ToD service. | The service tod 1..1 ipv4 \| ipv6 enabled true command described in the Cisco Prime Cable Provisioning 6.1.3 DPE CLI Reference Guide. |
| Step 3 | Configure Cisco Prime Network Registrar | |
| | Configure client classes/selection tags to match those added for the provisioned DOCSIS modem DHCP Criteria. | |
DOCSIS Shared Secret
Prime Cable Provisioning lets you define a different DOCSIS shared secret (DSS) for each cable modem termination system (CMTS). In this way, a compromised shared secret affects only a limited number of CMTS, instead of every CMTS in the deployment.
Although the DSS can be set for each DPE, you should set it on a provisioning-group basis. Also, ensure that it matches what has been configured for the CMTS in that provisioning group.
Caution: Configuring multiple DSS within one provisioning group could, under some conditions, result in degraded CMTS performance. However, this factor has virtually no effect on Prime Cable Provisioning.
You can enter the shared secret as a clear text string or as an IOS-encrypted string. When entered in clear text, the DSS is encrypted to suit IOS version 12.2BC.
You can also set the DSS from the RDU using the Admin UI or the API. In this case, the DSS is entered, stored at the RDU, and passed to all DPEs in clear text. Consequently, before a DSS entered this way is stored on the DPE, it is encrypted.
If you set the DSS directly at the DPE using the dpe docsis shared-secret command from the CLI, this DSS takes precedence over the one set from the RDU.
Resetting the DOCSIS Shared Secret
You can reset the DSS if the security of the DSS is compromised or to simply change the shared secret for administrative purposes.
To reset the DSS, run the show running-config command from the CMTS CLI, then copy and paste the DOCSIS shared secret from the configuration that appears into the DPE configuration. In this way, you can copy the configuration that you enter in a Cisco CMTS into the DPE CLI.
Note: To change the shared secret as described, the CMTS must be running a software version later than version 12.2BC.
Note: For details about the commands mentioned above, and the specific security privileges to run these commands, see the Cisco Prime Cable Provisioning 6.1.3 DPE CLI Reference Guide.
To change the DSS:
Procedure
Step 1: Identify the provisioning group on which you need to reset the DOCSIS shared secret.
Step 2: Examine the list of DPEs and CMTS associated with the provisioning group.
Step 3: Change the primary DSS on the CMTS.
Step 4: Change the compromised DSS on the CMTS to the secondary DSS. This change is required to allow cable modems to continue to register until all the DOCSIS configuration files are successfully changed to use the new DSS.
Step 5: Determine which DPEs were affected and change the DSS on each accordingly.
Step 6: Confirm that the DOCSIS configuration files are using the new DSS and then remove the compromised secondary shared secret from the CMTS configuration.
Extended CMTS MIC Shared Secret
Prime Cable Provisioning lets you define a different Extended CMTS MIC (EMIC) shared secret for each cable modem termination system (CMTS) for EMIC calculation.
The CMTS must support a configuration for the shared secret for EMIC calculation to differ from the shared secret for pre-3.0 DOCSIS CMTS MIC calculation. In the absence of such configuration, the CMTS MUST use the same shared secret for Extended CMTS MIC Digest calculation as for pre-3.0 DOCSIS CMTS MIC digest calculation.
In this way, a compromised shared secret affects only a limited number of CMTS, instead of every CMTS in the deployment.
As with the DSS, although the EMIC DOCSIS shared secret can be set for each DPE, you should set it on a provisioning-group basis. Also, ensure that it matches what has been configured for the CMTS in that provisioning group.
Caution: Configuring multiple EMIC DOCSIS shared secrets within one provisioning group could, under some conditions, result in degraded CMTS performance. However, this factor has virtually no effect on Prime Cable Provisioning.
You can enter the shared secret as a clear text string or as an IOS-encrypted string. When entered in clear text, the EMIC shared secret is encrypted to suit IOS version 12.2BC.
You can also set the EMIC Shared Secret from the RDU using the Admin UI or the API. In this case, the DOCSIS shared secret is entered, stored at the RDU, and passed to all DPEs in clear text. Consequently, before an Extended MIC shared secret entered this way is stored on the DPE, it is encrypted.
If you set the Extended MIC shared secret directly at the DPE using the dpe docsis emic shared-secret command from the CLI, this Extended MIC shared secret takes precedence over the one set from the RDU.
Resetting the Extended EMIC Shared Secret
You can reset the Extended MIC shared secret if the security of the EMIC shared secret is compromised or to simply change the shared secret for administrative purposes.
To reset the EMIC shared secret, run the show running-config command from the CMTS CLI, then copy and paste the EMIC shared secret from the configuration that appears into the DPE configuration. In this way, you can copy the configuration that you enter in a Cisco CMTS into the DPE CLI.
Note: To change the shared secret as described, the CMTS must be running a software version later than version 12.2(11)CX.
Note: For details about the commands mentioned above, and the specific security privileges to run these commands, see the Cisco Prime Cable Provisioning 6.1.3 DPE CLI Reference Guide.
To change the Extended MIC shared secret:
Procedure
Step 1: Identify the provisioning group on which you need to reset the EMIC shared secret.
Step 2: Examine the list of DPEs and CMTS associated with the provisioning group.
Step 3: Change the primary EMIC shared secret on the CMTS.
Step 4: Change the compromised EMIC shared secret on the CMTS to the secondary EMIC shared secret. This change is required to allow cable modems to continue to register until all the DOCSIS configuration files are successfully changed to use the new DSS.
Step 5: Determine which DPEs were affected and change the EMIC shared secret on each accordingly.
Step 6: Confirm that the DOCSIS configuration files are using the new EMIC shared secret and then remove the compromised secondary shared secret from the CMTS configuration.
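The following added example (not Cisco code) models why the secondary secret in Step 4 keeps modems registering and what the Step 6 confirmation amounts to, for both the DSS and EMIC procedures above. It assumes the HMAC-MD5 case, in which the MIC is an HMAC-MD5 keyed with the shared secret; the byte strings standing in for the MIC-covered settings, the file names, the secrets and all function names are constructed or hypothetical.

```python
import hashlib
import hmac

def cmts_mic(secret: bytes, covered: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret. 'covered' is a simplified
    stand-in for the MIC-covered settings of a DOCSIS config file."""
    return hmac.new(secret, covered, hashlib.md5).digest()

def classify(covered, mic, primary, secondaries):
    """How a CMTS holding one primary and some secondary secrets treats a file."""
    if hmac.compare_digest(cmts_mic(primary, covered), mic):
        return "primary"
    if any(hmac.compare_digest(cmts_mic(s, covered), mic) for s in secondaries):
        return "secondary"
    return "reject"

def audit(files, primary, secondaries):
    """Step 6 gate: returns (safe_to_remove_secondary, per-file verdicts).
    Safe only when every served file already verifies under the new primary."""
    verdicts = {name: classify(c, m, primary, secondaries)
                for name, (c, m) in files.items()}
    return all(v == "primary" for v in verdicts.values()), verdicts

# Constructed sample data (not real secrets or real config files).
NEW_SECRET = b"constructed-new-secret"
OLD_SECRET = b"constructed-compromised-secret"
GOLD = b"\x03\x01\x01constructed-gold-settings"
SILVER = b"\x03\x01\x01constructed-silver-settings"

def files_mid_rotation():
    # gold.cm comes from a DPE already updated in Step 5; silver.cm does not.
    return {"gold.cm": (GOLD, cmts_mic(NEW_SECRET, GOLD)),
            "silver.cm": (SILVER, cmts_mic(OLD_SECRET, SILVER))}

def files_after_rotation():
    return {"gold.cm": (GOLD, cmts_mic(NEW_SECRET, GOLD)),
            "silver.cm": (SILVER, cmts_mic(NEW_SECRET, SILVER))}

if __name__ == "__main__":
    # Mid-rotation with the old secret kept as secondary: nothing is rejected.
    print(audit(files_mid_rotation(), NEW_SECRET, [OLD_SECRET]))
    # Secondary removed too early: silver.cm modems would fail to register.
    print(audit(files_mid_rotation(), NEW_SECRET, []))
    # All DPEs updated: the secondary can be removed.
    print(audit(files_after_rotation(), NEW_SECRET, [OLD_SECRET]))
```
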