This feature adds support for access lists on a per-modem and per-host basis. This allows devices that receive packets from cable modems or individual hosts to filter those packets based on the sending modem or host.
You can pre-configure the filters by using the Command Line Interface (CLI) following standard IOS access list and access group configuration. You can assign these filters to a user or modem by using the CLI or Simple Network Management Protocol (SNMP).
This feature also supports traps to inform the user management system about the status of modems (that is, going offline or coming online).
The filtering capability of this feature allows users to control, on a device-by-device or user-by-user basis, the type of traffic that each user can send upstream.
The uBR7200 series routers are the only platforms supported by this feature.
You must configure the uBR7200 series router with either an MC11 or MC16 line card.
This feature supports the Cisco DOCSIS Extensions MIB. For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
No RFCs are supported by this feature.
Perform the following tasks to configure access lists:
| Step | Command | Purpose |
|---|---|---|
| 1 | Router# access-list acl deny macaddr \| ipaddr log | Sets up the access list 1 for a specific address. |
| 2 | Router# access-list acl permit any log | Sets up the access list 2. |
| Step | Command | Purpose |
|---|---|---|
| 1 | Router# cable {modem \| host \| device} access-group acl | Assigns the specified access group number to the specified device. |
| 2 | Router# cable {modem \| host \| device} access-group acl | Repeat access group assignment for all other devices. |
| Step | Command | Purpose |
|---|---|---|
| 1 | Router# show cable {modem \| host \| device} access-group | Displays the address, device type and access-group number for the specified device. |
| 2 | Router# show cable {modem \| host \| device} access-group | Repeat show cable command for all other devices. |
| Command | Purpose |
|---|---|
| Router# show cable command | Displays information on access group assignments for the selected cable modem or host. |
The following example configures a standard IP access list.
```
router# access-list 1 deny 171.69.30.22 log
router# access-list 2 permit any log
! End of config terminal

! In exec mode assign access-list 1 to the MAC of the cable modem.
router# cable modem 0000.0000.0001 access-group 1
! In exec mode assign access-list 2 to MAC address of PC.
router# cable modem 0080.c76b.9ac2 access-group 2

router# show cable modem access-group
MAC address     Type   Access-group
0000.0000.0001  modem  1
router# show cable device access-group
MAC address     Type   Access-group
0000.0000.0001  modem  1
0080.c76b.9ac2  host   2
! Ping from PC to host 171.69.30.22 passes.

! Setup extended access-list to allow pings to a specific host and deny others.
router# access-list 101 permit icmp host 171.69.225.108 host 171.69.30.22 log

! Setup host filter based on the IP address of the PC.
router# cab host 171.69.225.108 acc 101
router# sh cab host acc
MAC address     Type   Access-group
0000.2427.33ba  host
0080.c76b.9ac2  host   101
0080.c7bb.eb3d  host
router# ping 171.69.30.22
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Reply from 171.69.30.22: bytes=32 time=10ms TTL=247
Nov 19 18:41:15.091: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 171.69.225.108 -> 171.69.30.22 (8/0), 4 packets
! Setup modem filter based on the IP address of the modem.
router# cable modem 10.128.100.101 acc 1
```
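The `%SEC-6-IPACCESSLOGDP` message in the session above is what the `log` keyword on access list 101 produces. The following Python is an added example, not Cisco's code: it parses such lines and totals denied packets per source address. The first sample line is the one shown on this page; the other lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the message shown on this page; the rest are constructed samples.
SAMPLE_LOG = """\
Nov 19 18:41:15.091: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 171.69.225.108 -> 171.69.30.22 (8/0), 4 packets
Nov 19 18:42:02.310: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 171.69.225.108 -> 171.69.30.40 (8/0), 12 packets
Nov 19 18:42:09.554: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 171.69.225.108 -> 171.69.30.41 (8/0), 1 packet
Nov 19 18:43:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# list <acl> <action> <proto> <src> -> <dst> (<icmp type>/<icmp code>), <n> packet(s)
LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\), (?P<packets>\d+) packets?\b"
)

def parse_acl_log(text):
    """Return one dict per IPACCESSLOGDP line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGDP.search(line)
        if m:
            ev = m.groupdict()
            for key in ("icmp_type", "icmp_code", "packets"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events

def denied_by_source(events):
    """Map source IP -> (total denied packets, sorted destinations it was denied to)."""
    totals, dests = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["action"] == "denied":
            totals[ev["src"]] += ev["packets"]
            dests[ev["src"]].add(ev["dst"])
    return {src: (totals[src], sorted(dests[src])) for src in totals}

if __name__ == "__main__":
    for src, (count, targets) in denied_by_source(parse_acl_log(SAMPLE_LOG)).items():
        print(f"{src}: {count} denied packets to {len(targets)} destinations {targets}")
```

Denied lines appear only when the access list contains an explicit deny entry with the `log` keyword; packets dropped by the implicit deny at the end of a list are not logged.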
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
To attach an access list to a host or modem, use the cable EXEC command. Use the no form of this command to remove the access group.
cable {modem | host | device} {macaddr | ip-addr} access-group acl
| Syntax | Description |
|---|---|
| modem | Specifies that the type of device is a cable modem. |
| host | Specifies that the type of device is a customer premises equipment (CPE) system that is connected to the cable modem. |
| device | Specifies that the filter is to be attached to the device at the specified address, regardless of its type (modem or CPE). |
| macaddr | Specifies the unique MAC address of the device. |
| ipaddr | Specifies the current IP address of the device. |
| acl | Specifies the name or number of the access list assigned to the specified modem or CPE. The access list defines the per-cable or per-CPE filter requirements implemented in the cable modem termination system (CMTS) rather than at the cable modem. |
No default behavior or values.
EXEC
| Release | Modification |
|---|---|
| 11.3(8)NA | This command was first introduced. |
The following example assigns access-list 1 to the MAC of the cable modem:
```
router# cable modem 0000.0000.0001 access-group 1
```
| Command | Description |
|---|---|
| | Displays the access group assigned to a cable modem or host. |
To display the access group assigned to a cable modem or host, use the show cable EXEC command.
show cable {modem | host | device} {macaddr | ip-addr} access-group
| Syntax | Description |
|---|---|
| modem | Specifies that the type of device is a cable modem. |
| host | Specifies that the type of device is a customer premises equipment (CPE) system that is connected to the cable modem. |
| device | Specifies that the filter is to be attached to the device at the specified address, regardless of its type (modem or CPE). If you do not specify an address, output is for all modems and CPEs. |
| macaddr | (Optional) Specifies the unique MAC address of the device. |
| ipaddr | (Optional) Specifies the current IP address of the device. |
No default behavior or values.
EXEC
| Release | Modification |
|---|---|
| 11.3 XA | This command was first introduced. |
| 11.3(8)NA | The host, device, and access-group keywords were added. |
This command displays information for the specified modem or CPE system or all systems (modem or CPE) if you do not specify an address.
The following example is output from the show cable access-group command for the cable modem at MAC address 0000.0000.0001 assigned to access group 1:
```
router# show cable modem 0000.0000.0001 access-group 1
MAC address     Type   Access-group
0000.0000.0001  modem  1
```
| Field | Description |
|---|---|
| MAC address | The MAC address of the device. |
| Type | Identifies the device as a cable modem or host (CPE system) that is connected to the cable modem. |
| Access-group | Identifies the access-group number or name. |
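The three fields described above are enough to audit filter coverage on a CMTS. The following Python is an added example, not part of the Cisco documentation: it parses captured `show cable device access-group` output and reports devices with no access group, devices whose group differs from an expected policy, and expected devices that are absent. The sample output is constructed from the values shown on this page, and the `expected` policy mapping and function names are hypothetical.

```python
import re

# Constructed sample in the column layout of the page's show cable output.
SAMPLE_OUTPUT = """\
MAC address     Type   Access-group
0000.0000.0001  modem  1
0000.2427.33ba  host
0080.c76b.9ac2  host   101
0080.c7bb.eb3d  host
"""

# MAC in dotted-hex form, device type, then an optional access-group name or number.
ROW = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(modem|host)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

def parse_access_groups(text):
    """Return {mac: (device_type, acl_or_None)}; header and blank lines are skipped."""
    devices = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            devices[m.group(1).lower()] = (m.group(2).lower(), m.group(3))
    return devices

def audit(devices, expected):
    """Compare parsed assignments with an expected {mac: acl} policy (hypothetical).

    Returns (unfiltered, mismatched, missing) as sorted lists of MAC addresses.
    """
    unfiltered = sorted(mac for mac, (_, acl) in devices.items() if acl is None)
    mismatched = sorted(
        mac for mac, (_, acl) in devices.items()
        if acl is not None and mac in expected and acl != expected[mac]
    )
    missing = sorted(mac for mac in expected if mac not in devices)
    return unfiltered, mismatched, missing

if __name__ == "__main__":
    policy = {"0000.0000.0001": "1", "0080.c76b.9ac2": "2"}  # constructed policy
    print(audit(parse_access_groups(SAMPLE_OUTPUT), policy))
```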
| Command | Description |
|---|---|
| | Attaches an access list to a host or modem. |
Posted: Fri Feb 26 18:13:17 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.