Cisco DNCS System Release 2.7 3.7 4.2 Design Guide
4000358 Rev B
Security Recommendations for the DBDS Network in a DOCSIS Environment
Recommendations on IP Address Assignment
Introduction
This section provides recommendations for assigning IP addresses to end-user
devices. This section also describes the data paths that must be made secure in the
DBDS.
IP Addresses for Servers
Depending on your network architecture, you can assign either private or public
addresses to your servers. The interface that terminates end-user traffic may use a
public IP address. Any interfaces connected to a LAN dedicated to inter-server
traffic and administrative traffic may use private IP addresses.
If the cable service provider uses an external Internet Service Provider for high speed
data (HSD) service, then the proxy server needs to communicate with the Internet
service provider server for user authentication purposes. If the cable service provider
is the Internet service provider, then no such server communication is required.
The DHCP server scopes are provisioned with IP address blocks from the private
network space plus any Internet service provider public IP addresses. If the cable
service provider is also the Internet service provider, the DHCP server scopes are
provisioned with the cable service provider’s public IP address block.
IP Addresses for End-User Equipment
For security reasons, Cisco strongly recommends that IP addresses for DHCT CPE be
assigned from subnets that are separate (distinct) from those used for other end-user
devices. In other words, no single subnet should be used to assign IP
addresses for DHCT CPE and any other type of device at the same time. It is
recommended that the cable service provider segregate IP addresses for stand-alone
cable modems from IP addresses for integrated cable modems. For examples of IP
addresses for end-user equipment, refer to Assigning Network Blocks to a CMTS
Cable Interface Card in Chapter 2 of this guide.
Note: Chapter 2 assumes that no unsubscribed PC CPE category exists, but this
chapter considers this category from a security standpoint.
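
One way to audit a DHCP scope plan against the separation rule above, as an added example that is not part of the Cisco guide. The device-class names follow this section; the address blocks, the row format and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample scope plan (assumption, not from the guide):
# one row per DHCP scope, as (device class, CIDR block).
SAMPLE_SCOPES = [
    ("DHCT CPE", "10.10.0.0/20"),
    ("stand-alone cable modem", "10.20.0.0/20"),
    ("integrated cable modem", "10.30.0.0/20"),
    ("PC CPE", "192.0.2.0/25"),
    ("PC CPE", "10.10.8.0/24"),                  # mistake: inside the DHCT CPE block
    ("integrated cable modem", "10.20.0.0/20"),  # mistake: reuses the stand-alone block
]

def parse_scopes(rows):
    """Validate each row and return (device_class, ip_network) pairs."""
    parsed = []
    for device_class, cidr in rows:
        # strict=True raises ValueError for blocks with host bits set,
        # so a typo such as 10.10.8.1/24 is caught instead of silently masked.
        parsed.append((device_class.strip(), ipaddress.ip_network(cidr, strict=True)))
    return parsed

def find_shared_subnets(rows):
    """Return (class_a, net_a, class_b, net_b) for every pair of scopes that
    belong to different device classes but cover common addresses."""
    findings = []
    for (cls_a, net_a), (cls_b, net_b) in combinations(parse_scopes(rows), 2):
        if cls_a == cls_b:
            continue  # several scopes for the same class are allowed
        if net_a.version != net_b.version:
            continue  # an IPv4 block cannot overlap an IPv6 block
        if net_a.overlaps(net_b):
            findings.append((cls_a, str(net_a), cls_b, str(net_b)))
    return findings

if __name__ == "__main__":
    for cls_a, net_a, cls_b, net_b in find_shared_subnets(SAMPLE_SCOPES):
        print(f"VIOLATION: {cls_a} {net_a} shares addresses with {cls_b} {net_b}")
```

The check covers partial overlaps as well as identical blocks, so a small PC CPE scope carved out of a larger DHCT CPE block is reported too.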