2-225
Cisco Broadband Cable Command Reference Guide
OL-1581-08
Chapter 2 Cisco CMTS Configuration Commands
cable source-verify
Using the leasetimer Option
The leasetimer option adds another level of verification by activating a timer that periodically examines the lease times for the IP addresses for known CPE devices. If the CMTS discovers that the DHCP lease for a CPE device has expired, it removes that IP address from its database, preventing the CPE device from communicating until it makes another DHCP request. This prevents users from treating DHCP-assigned addresses as static addresses, as well as from using IP addresses that were previously assigned to other devices.
Note: The leasetimer option is active only if you have also specified the cable source-verify dhcp command for the cable interface. If the dhcp option is not used, the leasetimer option has no effect. In addition, the leasetimer option can be configured only on an interface, not a subinterface. Applying it to a master interface automatically applies it to all subinterfaces.
The leasetimer option allows you to configure how often the timer checks the lease times, so as to specify the maximum amount of time a CPE device can use an IP address that was previously assigned by the DHCP server but whose lease time has since expired. The time period can range from 1 minute to 240 minutes (4 hours), with a grace period of 2 minutes to allow a PC enough time to make a DHCP request to renew the IP address. To turn off the timer, so that the CMTS no longer checks the lease times, issue the cable source-verify command without the dhcp option, or turn off the feature entirely with the no cable source-verify command.
Tip: In some circumstances, spoofing can still occur even after the cable source-verify command is used, due to the behavior of the ARP protocol. For additional security, consider blocking ARP requests to the CMs using the no cable arp and no cable proxy-arp commands. For more details, see the Cisco Tech Note at the following URL: http://www.cisco.com/warp/public/109/source_verify.html
Using Multiple Subnets
In Cisco IOS Release 12.2(15)BC2 and later releases, the cable source-verify command can verify IP addresses that are on a different subnet than what is being used on the cable interface only if you also enable Reverse Path Forwarding (RPF) checks by configuring the following commands (where interface is the cable interface being configured):
Router(config)# ip cef
Router(config)# interface cable interface
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)#
Examples
The following example shows how to turn on CM upstream verification and configure the Cisco CMTS router to send DHCP LEASEQUERY messages to verify unknown source IP addresses in upstream data packets:
Router# configure terminal
Router(config)# interface c4/0
Router(config-if)# cable source-verify dhcp
Router(config-if)#
The following example shows how to enable the leasetimer feature so that every two hours, the CMTS checks the IP addresses in the CPE database for that particular interface for expired lease times:
Router# configure terminal
Router(config)# interface c1/0
Router(config-if)# cable source-verify dhcp
Router(config-if)# cable source-verify leasetimer 120
Router(config-if)#
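As an added example (not part of the Cisco documentation), the following Python script audits a saved running-config for the two pitfalls described above: a leasetimer configured on a cable interface without the dhcp option (which has no effect) and a leasetimer value outside the supported 1 to 240 minute range. The configuration text is constructed for this example and the interface names are hypothetical.

```python
import re

# Constructed sample running-config fragment (hypothetical interfaces, not from the page)
SAMPLE_CONFIG = """\
ip cef
!
interface Cable4/0
 cable source-verify dhcp
 cable source-verify leasetimer 120
 ip verify unicast source reachable-via rx
!
interface Cable1/0
 cable source-verify leasetimer 30
!
interface Cable5/0
 cable source-verify dhcp
 cable source-verify leasetimer 500
!
interface Cable6/0
 no cable source-verify
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each interface stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ifaces

def audit_source_verify(config):
    """Flag cable interfaces whose source-verify setup is missing or ineffective."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("cable"):
            continue
        has_dhcp = "cable source-verify dhcp" in lines
        timer = None
        for entry in lines:
            m = re.fullmatch(r"cable source-verify leasetimer (\d+)", entry)
            if m:
                timer = int(m.group(1))
        if timer is not None and not has_dhcp:
            findings.append((name, "leasetimer has no effect without 'cable source-verify dhcp'"))
        if timer is not None and not 1 <= timer <= 240:
            findings.append((name, f"leasetimer {timer} is outside the supported 1-240 minutes"))
        if not has_dhcp and "cable source-verify" not in lines:
            findings.append((name, "no cable source-verify configured"))
    return findings
```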