Bad CoS driving me crazy

gasparmenendez
Bad CoS driving me crazy

Hi folks,
I'm trying to set up a new Policy in my CNR. I already created the file for the policy (10 Mbps) but the CM doesn't register with that policy. Here's the file for 10 Mbps:

Network Access Control:on
SNMP MIB Object(docsDevFilterLLCStatus.1):1.3.6.1.2.1.69.1.6.2.1.2.1, Integer, 4
SNMP MIB Object(docsDevFilterLLCIfIndex.1):1.3.6.1.2.1.69.1.6.2.1.3.1, Integer, 0
SNMP MIB Object(docsDevFilterLLCProtocolType.1):1.3.6.1.2.1.69.1.6.2.1.4.1, Integer, 1
SNMP MIB Object(docsDevFilterLLCProtocol.1):1.3.6.1.2.1.69.1.6.2.1.5.1, Integer, 2048
SNMP MIB Object(docsDevFilterLLCStatus.2):1.3.6.1.2.1.69.1.6.2.1.2.2, Integer, 4
SNMP MIB Object(docsDevFilterLLCIfIndex.2):1.3.6.1.2.1.69.1.6.2.1.3.2, Integer, 0
SNMP MIB Object(docsDevFilterLLCProtocolType.2):1.3.6.1.2.1.69.1.6.2.1.4.2, Integer, 1
SNMP MIB Object(docsDevFilterLLCProtocol.2):1.3.6.1.2.1.69.1.6.2.1.5.2, Integer, 2054
SNMP MIB Object(docsDevFilterIpStatus.1):1.3.6.1.2.1.69.1.6.4.1.2.1, Integer, 4
SNMP MIB Object(docsDevFilterIpControl.1):1.3.6.1.2.1.69.1.6.4.1.3.1, Integer, 1
SNMP MIB Object(docsDevFilterIpIfIndex.1):1.3.6.1.2.1.69.1.6.4.1.4.1, Integer, 0
SNMP MIB Object(docsDevFilterIpDirection.1):1.3.6.1.2.1.69.1.6.4.1.5.1, Integer, 3
SNMP MIB Object(docsDevFilterIpBroadcast.1):1.3.6.1.2.1.69.1.6.4.1.6.1, Integer, 2
SNMP MIB Object(docsDevFilterIpProtocol.1):1.3.6.1.2.1.69.1.6.4.1.11.1, Integer, 17
SNMP MIB Object(docsDevFilterIpSourcePortLow.1):1.3.6.1.2.1.69.1.6.4.1.12.1, Integer, 0
SNMP MIB Object(docsDevFilterIpSourcePortHigh.1):1.3.6.1.2.1.69.1.6.4.1.13.1, Integer, 65535
SNMP MIB Object(docsDevFilterIpDestPortLow.1):1.3.6.1.2.1.69.1.6.4.1.14.1, Integer, 137
SNMP MIB Object(docsDevFilterIpDestPortHigh.1):1.3.6.1.2.1.69.1.6.4.1.15.1, Integer, 139
SNMP MIB Object(docsDevFilterIpStatus.2):1.3.6.1.2.1.69.1.6.4.1.2.2, Integer, 4
SNMP MIB Object(docsDevFilterIpControl.2):1.3.6.1.2.1.69.1.6.4.1.3.2, Integer, 1
SNMP MIB Object(docsDevFilterIpIfIndex.2):1.3.6.1.2.1.69.1.6.4.1.4.2, Integer, 0
SNMP MIB Object(docsDevFilterIpDirection.2):1.3.6.1.2.1.69.1.6.4.1.5.2, Integer, 3
SNMP MIB Object(docsDevFilterIpBroadcast.2):1.3.6.1.2.1.69.1.6.4.1.6.2, Integer, 2
SNMP MIB Object(docsDevFilterIpProtocol.2):1.3.6.1.2.1.69.1.6.4.1.11.2, Integer, 6
SNMP MIB Object(docsDevFilterIpSourcePortLow.2):1.3.6.1.2.1.69.1.6.4.1.12.2, Integer, 0
SNMP MIB Object(docsDevFilterIpSourcePortHigh.2):1.3.6.1.2.1.69.1.6.4.1.13.2, Integer, 65535
SNMP MIB Object(docsDevFilterIpDestPortLow.2):1.3.6.1.2.1.69.1.6.4.1.14.2, Integer, 137
SNMP MIB Object(docsDevFilterIpDestPortHigh.2):1.3.6.1.2.1.69.1.6.4.1.15.2, Integer, 139
SNMP MIB Object(docsDevFilterIpStatus.3):1.3.6.1.2.1.69.1.6.4.1.2.3, Integer, 4
SNMP MIB Object(docsDevFilterIpControl.3):1.3.6.1.2.1.69.1.6.4.1.3.3, Integer, 1
SNMP MIB Object(docsDevFilterIpIfIndex.3):1.3.6.1.2.1.69.1.6.4.1.4.3, Integer, 0
SNMP MIB Object(docsDevFilterIpDirection.3):1.3.6.1.2.1.69.1.6.4.1.5.3, Integer, 3
SNMP MIB Object(docsDevFilterIpBroadcast.3):1.3.6.1.2.1.69.1.6.4.1.6.3, Integer, 2
SNMP MIB Object(docsDevFilterIpProtocol.3):1.3.6.1.2.1.69.1.6.4.1.11.3, Integer, 17
SNMP MIB Object(docsDevFilterIpSourcePortLow.3):1.3.6.1.2.1.69.1.6.4.1.12.3, Integer, 2301
SNMP MIB Object(docsDevFilterIpSourcePortHigh.3):1.3.6.1.2.1.69.1.6.4.1.13.3, Integer, 2301
SNMP MIB Object(docsDevFilterIpDestPortLow.3):1.3.6.1.2.1.69.1.6.4.1.14.3, Integer, 2301
SNMP MIB Object(docsDevFilterIpDestPortHigh.3):1.3.6.1.2.1.69.1.6.4.1.15.3, Integer, 2301
SNMP MIB Object(docsDevFilterIpStatus.4):1.3.6.1.2.1.69.1.6.4.1.2.4, Integer, 4
SNMP MIB Object(docsDevFilterIpControl.4):1.3.6.1.2.1.69.1.6.4.1.3.4, Integer, 1
SNMP MIB Object(docsDevFilterIpIfIndex.4):1.3.6.1.2.1.69.1.6.4.1.4.4, Integer, 1
SNMP MIB Object(docsDevFilterIpDirection.4):1.3.6.1.2.1.69.1.6.4.1.5.4, Integer, 2
SNMP MIB Object(docsDevFilterIpBroadcast.4):1.3.6.1.2.1.69.1.6.4.1.6.4, Integer, 2
SNMP MIB Object(docsDevFilterIpProtocol.4):1.3.6.1.2.1.69.1.6.4.1.11.4, Integer, 17
SNMP MIB Object(docsDevFilterIpSourcePortLow.4):1.3.6.1.2.1.69.1.6.4.1.12.4, Integer, 0
SNMP MIB Object(docsDevFilterIpSourcePortHigh.4):1.3.6.1.2.1.69.1.6.4.1.13.4, Integer, 65535
SNMP MIB Object(docsDevFilterIpDestPortLow.4):1.3.6.1.2.1.69.1.6.4.1.14.4, Integer, 69
SNMP MIB Object(docsDevFilterIpDestPortHigh.4):1.3.6.1.2.1.69.1.6.4.1.15.4, Integer, 69
SNMP MIB Object(docsDevFilterLLCUnmatchedAction.0):1.3.6.1.2.1.69.1.6.1.0, Integer, 1
SNMP MIB Object(docsDevFilterIpDefault.0):1.3.6.1.2.1.69.1.6.3.0, Integer, 2
Baseline Privacy Configuration Settings
Authorize Wait Timeout:10
Reauthorize Wait Timeout:10
Authorization Grace Time:600
Operational Wait Timeout:10
Rekey Wait Timeout:10
TEK Grace Time:600
Authorize Reject Wait Timeout:60
SA Map Wait Timeout:1
SA Map Max Retries:4
Maximum Number of CPEs:5
Upstream Service Flow Encodings
Service Flow Reference:1
Quality of Service Parameter Set:provisioned admitted active
Traffic Priority:4
Upstream Maximum Sustained Traffic Rate:256000
Maximum Traffic Burst:3400
Maximum Concatenated Burst:7500
Downstream Service Flow Encodings
Service Flow Reference:101
Quality of Service Parameter Set:provisioned admitted active
Traffic Priority:4
Downstream Maximum Sustained Traffic Rate:10240000
Maximum Traffic Burst:3400
Maximum Number of Classifiers:20
Privacy Enable:on

I just opened a working policy's file (1 Mbps) and changed the values to 10 Mbps. The CM stays at rejected (C)....

What am I doing wrong?? Can anybody help me please?
Thanks in advance. BR.

Killa200
BPI

Did you re-apply the BPI key to the config before saving it? I use Excentis for writing configs, and if I do not apply the BPI key before saving the config, it writes it without the key, and the modems will come online in reject due to that.

One of the reasons behind reject (C) is: The CM has been disabled because of a security violation.

gasparmenendez
Thanks for your reply

Thanks for your reply Killa200...
Sorry for the question, but what is the BPI key??? I'm new to DOCSIS and I'm barely starting.... I used Excentis to create the policy file too, and once I have it created I just save it. I don't know anything about BPI, can you tell me please??
Thanks in advance.
BR.

Killa200
BPI

Your config shows that you have a Baseline Privacy setup (BPI). BPI provides encryption of user data over DOCSIS, and at this point is really something you should never consider NOT running.

In your CMTS there is going to be a cable shared secret line that is present on all your cable interfaces where BPI is enabled.

You either:
A) Need to know the unencrypted version of this password (you can't just copy and paste what you see in the config, as it is pre-encrypted)
B) If it is a type 7 password, run it through a simple password cracker and get the unencrypted version (tons of them online, search for them on google)
C) Abandon that password if you don't know it or can't get it. Make a new password, write it into the CMTS config on all interfaces, and add it to your modem config files under Edit-> Shared Secret in Excentis.

wittmann
BPI and Shared Secret are independent

@Killa200: To my knowledge the Shared Secret and the BPI settings have nothing to do with each other? These settings are independent of each other!

Btw. on Cisco CMTS a wrong or missing Shared Secret is indicated by reject(m).

Killa200
The shared secret attached to

The shared secret attached to the cable interface must match the shared secret that is included in the cable config, so that the modem can come online in BPI enabled mode.

I was trying to make sure that if he had made new configs as suggested, that the bpi key made it into the config.

wittmann
That's not correct

Killa200: That's not correct. The shared secret, which on a Cisco CMTS is configured on each MAC Domain (interface cable x/x/x) and on other vendors as a global configuration, is for validating the content of particular TLVs which the cable modem receives via the configuration boot file. The cable modem receives the configuration boot file and generates the Registration Request (REG-REQ or REG-REQ-MP) message to the CMTS. This REG-REQ message includes these TLVs and the shared secret (TLV6 - CM Message Integrity Check and TLV7 - CMTS Message Integrity Check), and the CMTS can check whether the creator of the configuration boot file is the right source, because he knows the shared secret as well as the CMTS does. This process has NOTHING to do with the BPI or BPI+ process, which is done via the BPKM handshake!

So there is no "BPI Key" in the configuration boot file at all. The only thing which could match at least with a "BPI key" is the Manufacturer CVC for a Secure Software Download (SSD) of a new cable modem firmware.

The BPI settings which you saw in the example were the settings for some BPI timeouts and so on. Those settings are necessary to overwrite some standard settings from the CMTS side if you want.

Killa200
Then what is the purpose of

Then what is the purpose of the shared secret menu setting on Excentis? And why is it that if you do not input your BPI key into this menu when making a config, your modems using the config will come up in the reject stage on the CMTS?

wittmann
Shared Secret != BPI Key

First: Shared Secret is not a BPI Key. Don't use the wording BPI Key for the Shared Secret.

Second: I recommend this site (one of many): https://apps.cablelabs.com/specification/CM-SP-MULPIv3.0
Download the latest version: CM-SP-MULPIv3.0-I30-170111

This chapter will explain in detail the purpose of the Shared Secret:

Annex D.2 Configuration Verification
Annex D.2.1 CMTS MIC Calculation

The Shared Secret under the Menu Edit from the Excentis DOCSIS Config File Editor is for the Shared Secret which MUST be identical with the Shared Secret which is configured at the CMTS.
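
The configuration verification described in the post above, as an added example that is not part of the original thread: a Python sketch of a config editor appending the CM MIC (TLV 6) and CMTS MIC (TLV 7), and of the CMTS re-checking TLV 7 with its own shared secret. The covered-TLV subset, the sample settings and the secret are assumptions for illustration; Annex D.2.1 defines the authoritative ordered field list.

```python
import hashlib
import hmac
import struct

# TLV types from the DOCSIS config file encoding used in this sketch.
NET_ACCESS, CM_MIC, CMTS_MIC, MAX_CPE, DS_FLOW, PRIVACY = 3, 6, 7, 18, 25, 29
# Assumption: simplified subset; Annex D.2.1 gives the real ordered list.
CMTS_MIC_COVERED = (NET_ACCESS, CM_MIC, MAX_CPE, DS_FLOW, PRIVACY)


def tlv(t, value):
    """Encode one type/length/value setting (value shorter than 256 bytes)."""
    return bytes([t, len(value)]) + value


def ds_flow(ref, rate_bps):
    # Sub-TLV 1 = Service Flow Reference, 8 = Maximum Sustained Traffic Rate.
    sub = tlv(1, struct.pack(">H", ref)) + tlv(8, struct.pack(">I", rate_bps))
    return tlv(DS_FLOW, sub)


def cmts_mic(tlvs, shared_secret):
    """HMAC-MD5, keyed with the shared secret, over the covered TLVs in list order."""
    covered = b"".join(s for t in CMTS_MIC_COVERED for s in tlvs if s[0] == t)
    return hmac.new(shared_secret, covered, hashlib.md5).digest()


def build_config(settings, shared_secret):
    """Editor side: CM MIC is a plain MD5 digest, CMTS MIC is the keyed one."""
    cm_mic = tlv(CM_MIC, hashlib.md5(b"".join(settings)).digest())
    tlvs = settings + [cm_mic]
    return tlvs + [tlv(CMTS_MIC, cmts_mic(tlvs, shared_secret))]


def cmts_accepts(reg_req_tlvs, shared_secret):
    """CMTS side: recompute the HMAC over the TLVs from REG-REQ and compare."""
    received = [s[2:] for s in reg_req_tlvs if s[0] == CMTS_MIC]
    rest = [s for s in reg_req_tlvs if s[0] != CMTS_MIC]
    return len(received) == 1 and hmac.compare_digest(
        received[0], cmts_mic(rest, shared_secret))


# Constructed sample values; the secret is a placeholder.
SECRET = b"example-secret"
SETTINGS = [tlv(NET_ACCESS, b"\x01"), ds_flow(101, 10240000),
            tlv(MAX_CPE, b"\x05"), tlv(PRIVACY, b"\x01")]
good = build_config(SETTINGS, SECRET)
saved_without_secret = build_config(SETTINGS, b"")
rate_edited = [ds_flow(101, 100000000) if s[0] == DS_FLOW else s for s in good]
```

Only the file built with the matching secret passes `cmts_accepts`; a file saved without the secret, or one whose rate was edited after the MIC was computed, fails the comparison.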

wittmann
Remove Maximum Number of Classifiers:20

Remove the Entry for "Maximum Number of Classifiers:20".
This TLV doesn't belong in the cable modem configuration boot file.

gasparmenendez
sorry wittmann, your solution

sorry wittmann, your solution didn't work...Any more ideas please??

wittmann
CMTS Vendor?

Hi, which CMTS vendor did you use?

wittmann
Just for testing...

Just for testing, remove the "Maximum Concatenated Burst:7500" on the upstream service flow and use 3044 for the "Maximum Traffic Burst" for US and DS service flow.

gasparmenendez
ok I'll try that and get back

ok I'll try that and get back to you...

but just a comment: I have 4 policies working (1, 2, 3 and 4 Mbps) and the files are exactly the same as the 10 Mbps one, I just changed the value of Downstream Maximum Sustained Traffic Rate...

wittmann
That's weird.

Hi, that's weird.

If you use a Cisco CMTS you can also debug the registration with these commands:

debug cable mac-address hhhh.hhhh.hhhh verbose
debug cable registration
debug cable tlv
terminal monitor

To deactivate the debug and output use:

terminal no monitor
undebug all

gasparmenendez
sorry I forgot to tell you

sorry I forgot to tell you that I'm using Cisco ubr7246vxr with UBR-MC28U cards...

gasparmenendez
it worked my friend!!! thank

it worked my friend!!! thank you very much....

and thanks to Killa200 too.

BR.

wittmann
Fine

nice to read. Have fun with DOCSIS! ;)