Design Guide for Cisco DNCS System Release 2.7 3.7 4.2
Security Recommendations for the DBDS Network in a DOCSIS Environment
4000358 Rev B
DBDS Network Security, Continued
Background: This recommendation reduces the risk of spoofing of IP addresses by
cable modems or their CPE devices. The “cable source-verify” command in the
following recommendation can be configured per cable interface on a Cisco CMTS.
This command allows the CMTS to verify that the upstream packets coming from
each cable modem are associated with that cable modem. Packets with IP addresses
that do not match those associated with the cable modem are dropped. When used
with the dhcp option, the Cisco CMTS sends a DHCP LEASEQUERY message to the
DHCP server to verify the IP address. If a valid response is received from the DHCP
server, the CMTS updates its database with the new CPE device and allows future
traffic through. If the DHCP server does not return a successful response, all traffic
from the CPE is dropped.
Note: This feature requires that the DHCP server support the LEASEQUERY
message. For example, the Cisco Cable Network Registrar (CNR) software supports
LEASEQUERY in version 3.01(T) and later.
Recommendation: Configure the CMTS with the cable source-verify (dhcp) or
vendor-specific equivalent command to verify that upstream packets are associated
with the appropriate cable modem.
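The decision path of the dhcp option described above, as a simplified Python model (an added example, not Cisco IOS code and not part of the original guide). The class and function names, the MAC and IP values, and the assumption that a valid LEASEQUERY response names the cable modem behind which the address was leased are all constructed for illustration.

```python
# Simplified model of "cable source-verify dhcp" as the text describes it.
# Not Cisco IOS code; all MAC/IP values below are constructed sample data.

class SourceVerifyDhcp:
    def __init__(self, leasequery):
        # leasequery: callable(ip) -> MAC of the modem the lease sits behind, or None.
        # Stands in for the DHCP LEASEQUERY exchange (assumed response shape).
        self.leasequery = leasequery
        self.bindings = {}   # source IP -> cable modem MAC it was learned behind
        self.queries = 0     # number of LEASEQUERY messages sent

    def check(self, modem_mac, src_ip):
        """Return 'forward' or 'drop' for one upstream packet."""
        owner = self.bindings.get(src_ip)
        if owner is not None:
            # Known address: forward only when it arrives via its own modem.
            return "forward" if owner == modem_mac else "drop"
        # Unknown address: verify it with the DHCP server before trusting it.
        self.queries += 1
        if self.leasequery(src_ip) == modem_mac:
            self.bindings[src_ip] = modem_mac   # learn the new CPE device
            return "forward"
        return "drop"                           # no successful response


def demo():
    modem_a, modem_b = "0010.aaaa.0001", "0010.aaaa.0002"
    # Constructed DHCP lease table: leased IP -> modem the CPE sits behind.
    leases = {"10.10.0.21": modem_a, "10.10.0.35": modem_b}
    cmts = SourceVerifyDhcp(leases.get)
    packets = [
        (modem_a, "10.10.0.21"),  # new CPE with a valid lease
        (modem_a, "10.10.0.21"),  # same CPE again, answered from the database
        (modem_b, "10.10.0.21"),  # neighbour's address used behind another modem
        (modem_b, "10.10.0.99"),  # address the DHCP server never leased
        (modem_b, "10.10.0.35"),  # legitimate CPE behind modem B
    ]
    return [cmts.check(m, ip) for m, ip in packets], cmts


if __name__ == "__main__":
    decisions, cmts = demo()
    print(decisions, "LEASEQUERY messages sent:", cmts.queries)
```

Only the first packet from an unknown address triggers a LEASEQUERY; later packets are checked against the learned binding, which is why the DHCP server must support the message for new CPE devices to pass traffic at all.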