Modem Filters | docsis.org


Modem Filters

psmit
Modem Filters

Gang,

Still looking for some guidance on the best practice for filtering
rogue dhcp, netbios, and snmp activity from the CPE side of a
modem.
Saw this general approach in a config example posted by kwesibrunee
on another subject, and it sorta looks like a place to start? Mebbe? Perhaps?
Thanks for any assistance or direction.

Poge

kwesibrunee
Can't say what the best

Can't say what the best practices are, but the way I do things is block port 135-137 and 445 at the modem outbound to prevent customers from talking/infecting one another, and filter everything else at the CMTS inbound, i.e. snmp, dhcp, ports 135-137 and 445 and other known virus ports. I block netbios and 445 at both ends to prevent that traffic from utilizing network resources, i.e. upstream.

One thing to note about the IP filters in docsis config files, in order for a modem to make use of a new IP filter in a config file it must be rebooted, so lots of changes to your modem config for IP filter changes is going to necessitate rebooting all the modems to take advantage of the rules. Whereas ACLs on the CMTS are instantaneous.

psmit
ACL Examples?

Thanks for the response. I forgot to include your example from the other thread for reference.

SnmpMib = docsDevFilterIpStatus.1 createAndGo
SnmpMib = docsDevFilterIpControl.1 discard
SnmpMib = docsDevFilterIpIfIndex.1 0
SnmpMib = docsDevFilterIpDirection.1 both
SnmpMib = docsDevFilterIpBroadcast.1 false
SnmpMib = docsDevFilterIpSaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpSmask.1 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpDmask.1 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.1 6
SnmpMib = docsDevFilterIpSourcePortLow.1 0
SnmpMib = docsDevFilterIpSourcePortHigh.1 65535
SnmpMib = docsDevFilterIpDestPortLow.1 137
SnmpMib = docsDevFilterIpDestPortHigh.1 139
SnmpMib = docsDevFilterIpStatus.2 createAndGo
SnmpMib = docsDevFilterIpControl.2 discard
SnmpMib = docsDevFilterIpIfIndex.2 0
SnmpMib = docsDevFilterIpDirection.2 both
SnmpMib = docsDevFilterIpBroadcast.2 false
SnmpMib = docsDevFilterIpSaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpSmask.2 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpDmask.2 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.2 6
SnmpMib = docsDevFilterIpSourcePortLow.2 0
SnmpMib = docsDevFilterIpSourcePortHigh.2 65535
SnmpMib = docsDevFilterIpDestPortLow.2 445
SnmpMib = docsDevFilterIpDestPortHigh.2 445
SnmpMib = docsDevFilterIpDefault.0 accept

I presume additional filters are simply added in ascending numerical sequence
based upon the above pattern? (in the modem config file, that is)
And is there a generic 'IP Only' filter as well, or is that somehow accomplished
by the example above? Don't see where it would be.

I currently filter the nuisance ports on my LANcity modems in both directions
on both the ethernet and RF ports. And since my addressing scheme is static,
I also block 67-69 and 161-162 at the modem, but on the ethernet port only.
Kinda clunky, but serves the purpose. So which method would be simpler to
use for the latter in DOCSIS world? Going interface specific in the modem config,
or ACL in the CMTS?

And would you mind posting an ACL example for that particular approach?

BTW, I only have a handful of modems up and running at present, so now is
the time to try getting my config files straightened out.

Thanks for any info as always.

Poge
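As an added example that is not part of the thread and not any vendor's config tool, the Python below models the cable-modem filter table those SnmpMib lines populate (docsDevFilterIpTable, RFC 2669). It parses lines in the posted format, evaluates constructed sample packets against the table, and renders further entries at the next free index so the "ascending numerical sequence" pattern can be checked rather than presumed. Assumptions: entries are applied in ascending index order with the first match deciding, ifIndex 1 is the CPE side and ifIndex 2 the RF side, and the packets are constructed for the example.

```python
"""Cable-modem IP filter table model (docsDevFilterIpTable, RFC 2669).

Added example, not code from the thread or any vendor config tool. It parses
"SnmpMib = docsDevFilterIp..." lines in the posted format, evaluates constructed
packets against the table, and renders further entries at the next free index.
Assumption: entries apply in ascending index order, first match decides, and
unmatched traffic gets docsDevFilterIpDefault.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

DIRECTION = {"inbound": 1, "outbound": 2, "both": 3}   # docsDevFilterIpDirection
ANY_PROTOCOL = 256                                       # docsDevFilterIpProtocol wildcard
LINE = re.compile(r"SnmpMib\s*=\s*docsDevFilterIp(\w+)\.(\d+)\s+(\S+)")
FIELDS = ["Status", "Control", "IfIndex", "Direction", "Broadcast", "Saddr", "Smask",
          "Daddr", "Dmask", "Protocol", "SourcePortLow", "SourcePortHigh",
          "DestPortLow", "DestPortHigh"]
# Entry 1 of the posted config (TCP to 137-139) plus the table default.
SAMPLE_CONFIG = """
SnmpMib = docsDevFilterIpStatus.1 createAndGo
SnmpMib = docsDevFilterIpControl.1 discard
SnmpMib = docsDevFilterIpIfIndex.1 0
SnmpMib = docsDevFilterIpDirection.1 both
SnmpMib = docsDevFilterIpBroadcast.1 false
SnmpMib = docsDevFilterIpSaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpSmask.1 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpDmask.1 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.1 6
SnmpMib = docsDevFilterIpSourcePortLow.1 0
SnmpMib = docsDevFilterIpSourcePortHigh.1 65535
SnmpMib = docsDevFilterIpDestPortLow.1 137
SnmpMib = docsDevFilterIpDestPortHigh.1 139
SnmpMib = docsDevFilterIpDefault.0 accept
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    ifindex: int    # 1 = CPE side as the thread describes it; 2 = RF side (assumed)
    direction: str  # "inbound" or "outbound" on that interface

def parse_filters(text):
    """Return ({index: {field: value}}, default_action)."""
    table, default = {}, "accept"
    for name, idx, val in LINE.findall(text):
        if name == "Default":
            default = val
        else:
            table.setdefault(int(idx), {})[name] = val
    return table, default

def in_subnet(addr, net, mask):
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m           # mask 0.0.0.0 matches everything

def matches(rule, pkt):
    if int(rule["IfIndex"]) not in (0, pkt.ifindex):      # 0 = all interfaces
        return False
    want = DIRECTION[rule["Direction"]]
    if want != 3 and want != DIRECTION[pkt.direction]:
        return False
    if rule["Broadcast"] == "true" and not (
            pkt.dst == "255.255.255.255" or IPv4Address(pkt.dst).is_multicast):
        return False
    if not (in_subnet(pkt.src, rule["Saddr"], rule["Smask"])
            and in_subnet(pkt.dst, rule["Daddr"], rule["Dmask"])):
        return False
    if int(rule["Protocol"]) not in (ANY_PROTOCOL, pkt.proto):
        return False
    if pkt.proto in (6, 17):        # port ranges only apply to TCP/UDP
        return (int(rule["SourcePortLow"]) <= pkt.sport <= int(rule["SourcePortHigh"])
                and int(rule["DestPortLow"]) <= pkt.dport <= int(rule["DestPortHigh"]))
    return True

def decide(table, default, pkt):
    """Walk entries in ascending index order; the first match decides."""
    for idx in sorted(table):
        if matches(table[idx], pkt):
            return table[idx]["Control"]
    return default

def emit_entry(idx, control, ifindex, direction, protocol, dport_low, dport_high,
               saddr="0.0.0.0", smask="0.0.0.0", daddr="0.0.0.0", dmask="0.0.0.0",
               sport_low=0, sport_high=65535, broadcast="false"):
    """Render one entry in the posted line format, fields in the posted order."""
    vals = dict(Status="createAndGo", Control=control, IfIndex=ifindex,
                Direction=direction, Broadcast=broadcast, Saddr=saddr, Smask=smask,
                Daddr=daddr, Dmask=dmask, Protocol=protocol, SourcePortLow=sport_low,
                SourcePortHigh=sport_high, DestPortLow=dport_low, DestPortHigh=dport_high)
    return "\n".join(f"SnmpMib = docsDevFilterIp{f}.{idx} {vals[f]}" for f in FIELDS)

def next_index(table):
    return max(table, default=0) + 1
```

Running `emit_entry(2, "discard", 0, "both", 6, 445, 445)` reproduces the second entry of the posted config line for line, and `emit_entry(3, "discard", 1, "both", 17, 67, 69)` is the CPE-side-only DHCP/TFTP block asked about. One thing the model makes visible: the two posted entries are protocol 6 only, so UDP NetBIOS name service (137) is still accepted by the table default until a UDP entry is added.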

kwesibrunee
some comments on ip filters

some comments on ip filters on CMs

most of the line items are self explanatory however:

docsDevFilterIpIfIndex: setting this to 0 applies to all interfaces, 1 applies to all CPE interfaces, i.e. USB, Ethernet.

docsDevFilterIpDirection: 1 is inbound, 2 is outbound only, 3 is both.

docsDevFilterIpDefault sets what to do when traffic does not match the defined rules: you can either drop all packets that don't match or allow all packets that don't match.

adding the 67-69 and 161-162 would be trivial in the config

an example of an inbound acl on a cisco bundle would be
(they are processed from top to bottom; deny means drop packet, permit means pass packet)

! block udp traffic from anyip/port to any ip/port 137
access-list 112 deny udp any any eq netbios-ns
! block udp traffic from any ip/port 137 to any ip/any port
access-list 112 deny udp any eq netbios-ns any
! deny tcp traffic from any ip / any port to any ip/port 445
access-list 112 deny tcp any any eq 445
! deny udp traffic from any ip /any port to any ip /port 161
access-list 112 deny udp any any eq snmp
! deny udp traffic from any ip /any port to any ip /port 162
access-list 112 deny udp any any eq snmptrap
! deny udp traffic from cpe subnet on port 68 to cpe subnet on port 67 (rogue dhcp server on the cpe side)
access-list 112 deny udp 192.168.112.0 0.0.7.255 eq bootpc 192.168.112.0 0.0.7.255 eq bootps
! permit traffic from your cpe subnet to anywhere if it is not specifically blocked above
access-list 112 permit ip 192.168.112.0 0.0.7.255 any
! permit traffic from your modem subnet to anywhere if it is not specifically blocked above
access-list 112 permit ip 10.1.0.0 0.0.255.255 any
! finally drop all traffic that does not match any rule above
access-list 112 deny ip any any

Then you would apply it to your bundle interface
interface bundle 1
ip access-group 112 in

in on the cable/bundle interface == upstream traffic

you can also put an outbound acl on the bundle interface but this really belongs on your edge so that bandwidth is not wasted on transmitting between edge and cmts.

The advantage to putting the same info into the modem config file ip filters, is that the traffic is never transmitted from CM to CMTS, however CM config file maintenance becomes the issue as well as processing power of the CM (most modems only have the processing power to process 20 or so of these rules before a performance penalty)
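To make the "top to bottom, first match, then the implicit deny" behaviour of that ACL concrete, here is an added example (not from the thread and not Cisco software) that parses the posted access-list 112 lines and runs constructed upstream packets through them. It handles only the numbered-ACL subset the post uses: permit/deny, ip/tcp/udp, `any` or address plus wildcard mask, and an optional `eq <port>` on either side; the port keywords carry their IOS values. The bootp line is transcribed with its second subnet address as 192.168.112.0, and the CPE and modem subnets are the ones in the post.

```python
"""Evaluator for the inbound Cisco IOS extended ACL posted above.

Added example, not code from the thread and not Cisco software. It parses the
numbered-ACL subset used in the post (permit/deny, ip/tcp/udp, "any" or
address + wildcard mask, optional "eq <port>") and runs constructed upstream
packets through the list top to bottom, first match wins, with the implicit
deny that IOS appends to every ACL. Port keywords carry their IOS values.
"""
from ipaddress import IPv4Address

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
              "snmp": 161, "snmptrap": 162, "bootps": 67, "bootpc": 68}
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17}     # None = any protocol
ANY = (0, 0xFFFFFFFF)                              # (network, wildcard) matching everything

# The posted ACL (bootp line's second subnet address written as 192.168.112.0).
ACL_112 = """
! comment lines like this one are ignored by the parser
access-list 112 deny udp any any eq netbios-ns
access-list 112 deny udp any eq netbios-ns any
access-list 112 deny tcp any any eq 445
access-list 112 deny udp any any eq snmp
access-list 112 deny udp any any eq snmptrap
access-list 112 deny udp 192.168.112.0 0.0.7.255 eq bootpc 192.168.112.0 0.0.7.255 eq bootps
access-list 112 permit ip 192.168.112.0 0.0.7.255 any
access-list 112 permit ip 10.1.0.0 0.0.255.255 any
access-list 112 deny ip any any
"""

def parse_endpoint(tok, pos):
    """'any' or '<addr> <wildcard>' -> ((net, wildcard), next position)."""
    if tok[pos] == "any":
        return ANY, pos + 1
    return (int(IPv4Address(tok[pos])), int(IPv4Address(tok[pos + 1]))), pos + 2

def parse_port(tok, pos):
    """Optional 'eq <number|keyword>' -> (port or None, next position)."""
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), pos + 2
    return None, pos

def parse_acl(text):
    """Return the access-list entries in order; '!' comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto, pos = tok[2], PROTO_NUM[tok[3]], 4
        src, pos = parse_endpoint(tok, pos)
        sport, pos = parse_port(tok, pos)
        dst, pos = parse_endpoint(tok, pos)
        dport, pos = parse_port(tok, pos)
        rules.append((action, proto, src, sport, dst, dport, line.strip()))
    return rules

def addr_match(addr, endpoint):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    net, wild = endpoint
    return (int(IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF == 0

def evaluate(rules, src, dst, proto, sport=None, dport=None):
    """Return (action, matching line); unmatched traffic hits the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport, line in rules:
        if rproto is not None and rproto != proto:
            continue
        if not (addr_match(src, rsrc) and addr_match(dst, rdst)):
            continue
        if (rsport is not None and rsport != sport) or (rdport is not None and rdport != dport):
            continue
        return action, line
    return "deny", "implicit deny"

RULES = parse_acl(ACL_112)

if __name__ == "__main__":
    # Constructed upstream packets: CPE subnet 192.168.112.0/21, modem subnet 10.1.0.0/16.
    for pkt in (("192.168.112.5", "192.168.113.9", 17, 137, 137),    # NetBIOS name service
                ("192.168.112.5", "192.168.112.200", 17, 68, 67),    # DHCP to a CPE-side server
                ("192.168.112.5", "255.255.255.255", 17, 68, 67),    # DHCP broadcast to the relay
                ("172.16.0.1", "203.0.113.10", 6, 1234, 80)):        # outside both subnets
        print(pkt, "->", evaluate(RULES, *pkt))
```

Two things worth seeing in the output: the bootp line only catches client-to-server DHCP where both ends sit inside the CPE subnet (a DHCP server answering from the CPE side), while a client's broadcast DISCOVER to 255.255.255.255 still reaches the relay through the permit line; and the wildcard 0.0.7.255 covers 192.168.112.0 through 192.168.119.255, so a source of 192.168.120.1 falls through to the final deny.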

psmit
> docsDevFilterIpIfIndex

> docsDevFilterIpIfIndex setting this to 0 applies to all interfaces, 1 applies to all cpe interfaces i.e. usb ethernet

So does 2 apply to the RF interface only?

> docsDevFilterIpDefault sets what to do when traffic does not match the defined rules

Ack.

> an example of an inbound acl on a cisco bundle would be....
> they are processed from top to bottom deny means drop packet permit means pass packet
> Then you would apply it to your bundle interface

Aside from applying to the cable bundle, I thought there was some mysterious DOCSIS ACL voodoo required for this.
Standard Cisco ACL stuff. Silly me.
Already have the nuisance stuff covered at the edge, but presume it won't hurt to replicate at the cable bundle just to keep
any peripheral chatter to a minimum. Not sure I want to filter my snmp anywhere but on the customer side of the modems
as a general rule, tho. Hafta think about the dhcp since we may go generally dhcp for most CPE assignments and remain
static on others. More config file management there, huh? Hey, now's the time when I only have some basic field trial stuff
going on with less than a dozen modems.

> The advantage to putting the same info into the modem config file ip filters, is that the traffic is never transmitted from CM
> to CMTS, however CM config file maintenance becomes the issue as well as processing power of the CM

I'll only have the minimal rules defined in the modem config files. Nothing fancy there. Frankly, I'm more concerned with the
processing power of the CMTS as I move forward with the transition from legacy to DOCSIS modems. Right now our LANcity
modems are blowing the doors off the DOCSIS modems at the same basic qos levels. Gotta find out why, but hope to start a
new thread on that subject if folks are still willing to help.

Always appreciate the assistance. Thanks to all so far. I'm getting there!

Poge
