DOC-3007-01
Document Revision 06.04.03
July 2014
© 2014 Casa Systems, Inc.
All rights reserved. Licensed software products are owned by Casa Systems or its suppliers and are protected
by United States copyright laws and international treaty provisions.
The information regarding the product in this manual is subject to change without notice. All statements,
information, and recommendations in this manual are believed to be accurate but are presented without
warranty of any kind, express or implied. Users must take full responsibility for their application of the product.
In no event shall Casa or its suppliers be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this
manual, even if Casa or its suppliers have been advised of the possibility of such damages.
Contents
Preface
About this guide
Revision history
Contacting Casa
Corporate facility
Technical Support
Technical documentation
Conventions used in Casa documentation
Typographical conventions
Acronyms
Adding cable modems to the restricted load balancing group
Solution 2 — Create execution rule to enable dynamic load balancing
Solution 4 — Configure Open Shortest Path First (OSPF) instances
Solution 5 — Configure the multicast group QOS and encryption profiles
casa802tapStreamEntry
pktcESTapStreamEntry
pktcESTapStreamSourceLength
pktcESTapStreamTosByte
pktcESTapStreamTosByteMask
pktcESTapStreamFlowId
pktcESTapStreamProtocol
pktcESTapStreamDestL4PortMin
pktcESTapStreamDestL4PortMax
pktcESTapStreamSourceL4PortMin
pktcESTapStreamSourceL4PortMax
pktcESTapStreamVRF
pktcESTapStreamStatus
Using the CableLabs generic stream table
pktcEScTapMediationContentId
pktcEScTapMediationDestAddressType
pktcEScTapMediationDestAddress
pktcEScTapMediationDestPort
pktcEScTapMediationSrcInterface
pktcEScTapMediationDscp
pktcEScTapMediationTimeout
pktcEScTapMediationTransport
pktcEScTapMediationNotificationEnable
pktcEScTapMediationStatus
L2/L3 Lawful intercept configuration example
Preface
Revision history
• 06.00.03 — Initial release of the Casa Systems – CMTS Network Solutions Guide.
• 06.01.02 — Revised for Casa Release 6.1.2.
• 06.01.02_A — August 2012. Revised Chapter 4, “Monitoring traffic with Lawful
Intercept applications”
• 06.01.03 — December 2012. Added Chapter 1, “CMTS operations overview”
Contacting Casa
Corporate facility
Casa Systems, Inc.
100 Old River Road
Andover, MA 01810
Tel.: 978-688-6706
World Wide Web: www.casa-systems.com
Technical Support
In the United States: Tel: 978-699-3045
E-mail: support@casa-systems.com
Technical documentation
Casa Systems provides the following documentation set in PDF format, viewable
using Adobe Reader 5.0 or later. These PDF files are available from the Casa FTP site
at ftp://support.casa-systems.com.
• Casa Systems – C1G CMTS Hardware Installation Guide
• Casa Systems – C1G CMTS Quick Installation
• Casa Systems – C1N CMTS Hardware Installation Guide
• Casa Systems – C2200 CMTS Hardware Guide
• Casa Systems – C2200 CMTS Quick Installation
• Casa Systems – C3200 CMTS Quick Installation
• Casa Systems – C3200 CMTS Hardware Guide
• Casa Systems – C10G/C10200 CMTS Quick Installation
Note: Casa Systems provides updates to the manuals on a regular basis. Log
on to the Casa Systems Web site at www.casa-systems.com for the latest files
in PDF format. Select customer login and enter your username and
password. If you do not have a Casa-assigned username and password, send
e-mail to support@casa-systems.com.
• Boldface font: Commands and keywords are in boldface. Example: Type abc, then press [ENTER]
• Italic font: Emphasized terminology is in italics. Example: burst profile
Acronyms
Casa Systems manuals contain the following industry-standard and product-specific
acronyms:
AAA Authentication, Authorization, Accounting
Static load balancing takes place when a cable modem sends its initial ranging request
message to the CMTS. For DOCSIS 1.0, 1.1, and 2.0 modems, the CMTS responds
with a ranging response (RNG-RSP) message that includes either a Downstream
Frequency Override or an Upstream Channel ID Override field that instructs the cable
modem which channels it should use. For DOCSIS 3.0 modems, when a cable modem
sends its registration request (REG-REQ) messages, the CMTS responds with a
registration response (REG-RSP) message to instruct the cable modem to select the
channels.
Dynamic load balancing moves cable modems among upstream and downstream
channels within the same service group after their initial difference between two
interfaces exceeds a defined percentage. The CMTS will use downstream and
upstream dynamic channel change messages (DCC) to move CMs with single
Note: For DOCSIS and EuroDOCSIS 3.0 modems, the dynamic load
balancing software generates a downstream channel set with a minimum load
to fit the modem's receive channel profile (RCP). This prevents rejection of the
new channel set so that load balancing is not canceled when the assigned
modem is under load.
The CMTS does not move modems to disconnected (idle) downstream channels
where there are no registered online cable modems.
By default, the upstream channel has precedence in load balancing across MAC
domains, where the lowest loaded (least busy) upstream channel is selected within the
service group. Then, the lowest loaded downstream channel is selected within the
MAC domain of the selected upstream channel. If the downstream precedence is
configured, then the downstream channel is selected first.
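The selection order described above, as an added example (not Casa code). The Channel fields, the tie-break by name, and the mirrored downstream-first rule (the upstream is then chosen within the selected downstream's MAC domain) are assumptions; the sample loads are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str           # e.g. "upstream 4/0.1" or "qam 0/0/0"
    mac_domain: int
    load: int           # modem count or utilization percentage
    online_modems: int  # registered online cable modems on the channel


def least_loaded(channels):
    # Ties are broken by channel name so the result is deterministic (assumption).
    return min(channels, key=lambda c: (c.load, c.name))


def select_channels(upstreams, downstreams, downstream_precedence=False):
    """Return (upstream, downstream) for a modem being load balanced."""
    # Idle downstream channels with no registered online modems are never targets.
    usable_ds = [d for d in downstreams if d.online_modems > 0]
    if not upstreams or not usable_ds:
        raise ValueError("no candidate channels in the service group")

    if downstream_precedence:
        # Downstream first, then an upstream in the same MAC domain (assumption).
        ds = least_loaded(usable_ds)
        same_domain = [u for u in upstreams if u.mac_domain == ds.mac_domain]
        if not same_domain:
            raise ValueError("no upstream in MAC domain %d" % ds.mac_domain)
        return least_loaded(same_domain), ds

    # Default: least busy upstream in the service group, then the least busy
    # downstream within that upstream's MAC domain.
    us = least_loaded(upstreams)
    same_domain = [d for d in usable_ds if d.mac_domain == us.mac_domain]
    if not same_domain:
        raise ValueError("no usable downstream in MAC domain %d" % us.mac_domain)
    return us, least_loaded(same_domain)


# Constructed sample: one service group spanning MAC domains 1 and 2.
UPSTREAMS = [
    Channel("upstream 4/0.1", 1, 40, 40),
    Channel("upstream 4/1.1", 2, 10, 10),
]
DOWNSTREAMS = [
    Channel("qam 0/0/0", 1, 5, 5),
    Channel("qam 0/0/1", 2, 60, 60),
    Channel("qam 0/0/2", 2, 30, 30),
    Channel("qam 0/0/3", 2, 0, 0),   # idle: lowest load but no online modems
]

if __name__ == "__main__":
    for ds_first in (False, True):
        us, ds = select_channels(UPSTREAMS, DOWNSTREAMS, ds_first)
        print("downstream precedence" if ds_first else "upstream precedence",
              "->", us.name, "/", ds.name)
```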
The CMTS uses downstream frequency override and the upstream channel ID
override in the ranging response message to move a modem to a different MAC
domain if needed. This applies to all DOCSIS 1.0, 1.1, 2.0 and 3.0 modems. The SID
in the ranging response message is 0x3fff.
Both channel bonding and non-channel bonding modems can participate in load
balancing. A channel bonding modem counts as one CM for each of its channels.
In the following example, the CMTS generates a general load balance group with
service group FN_A and MAC domain 1. It contains downstream channels qam 0/0/0,
qam 0/0/1, qam 0/0/2, qam 0/0/3 and upstream channels upstream 4/0.1,
upstream 4/1.1, upstream 4/2.1, and upstream 4/3.1. When a general load balance
group is created, it uses load balancing parameters from pre-defined general
load balance group default settings.
The following commands are available under the general load balancing group
default-settings:
• enable
• initial-tech
• policy-id
• direct — This is the initial technique default setting. The cable modem moves
directly to another channel without performing any type of ranging.
• broadcast-ranging — The cable modem broadcasts the full initial ranging
request without going offline and performing re-registration with the CMTS.
• period-ranging — The cable modem moves to a new channel, but performs
periodic ranging requests for an improved channel opportunity.
• reinitialize-mac — The cable modem MAC address is reset, causing the cable
modem to go offline and then re-register with the CMTS on a new channel.
• unicast-ranging — The cable modem performs an initial ranging request for a
dedicated channel from the CMTS where there is no other transmission activity.
Refer to the section, “Configuring policies and rules” for further information.
Specify the group-id parameter in the number range 1 to 4294967296. This number
uniquely identifies the restricted load balancing group among other groups that you
create. The group-id must be unique within the CMTS.
Example: Specify the initial load balance technique for the restricted-group
To specify the initial technique that the CMTS uses to load balance and move cable
modems:
• direct — This is the initial technique default setting. The cable modem moves
directly to another channel without performing any type of ranging.
• broadcast-ranging — The cable modem broadcasts the full initial ranging
request without going offline and performing re-registration with the CMTS.
• period-ranging — The cable modem moves to a new channel, but performs
periodic ranging requests for an improved channel opportunity.
• reinitialize-mac — The cable modem MAC address is reset, causing the cable
modem to go offline and then re-register with the CMTS on a new channel.
• unicast-ranging — The cable modem performs an initial ranging request for a
dedicated channel from the CMTS where there is no other transmission activity.
Note: Make certain that you appropriately bind each upstream slot/
port.channel/logical channel under the interface docsis-mac configuration.
Note: Make certain that you appropriately bind each upstream slot/port/
channel under the interface docsis-mac configuration.
Specify the number parameter in the number range 1 to 4294967296. The number
uniquely identifies the configuration of this modem among other unique modems.
Use this parameter the same way as specified in the restricted load-balance group
where only modems that send a matching service-type-id string to the CMTS during
registration will be load balanced and moved to another channel. Specifying the
service-type-id for known cable modems (by MAC address) allows you to add the
service type to modems that have already registered with the CMTS (with no service-
type-id string) and are to be made available for load balancing to other channels (using
a referenced load-balance restricted-group, covered in the next section).
Use the show cable modem command to display the active cable modems and their
MAC addresses.
There are two configuration options associated with a basic load balance rule:
• enable
• suspend-load-balance
In the above example, load balancing is suspended from 4:00 a.m. to 5:00 a.m.
The threshold load parameter specifies the actual number of cable modems, or the
utilization percentage in the range 0 to 100. Load value specifies the maximum load
difference that can exist between interfaces in a group before the CMTS performs
static load balancing. Setting the load value to 0 disables static load balancing.
To specify modem load balancing with a threshold of 50 modems, enter the following
commands:
To specify the threshold for dynamic load balancing, enter the threshold load
command to specify the actual number of cable modems, or the utilization percentage
in the range 0 to 100.
In the following example, dynamic load balancing is enabled with the CMTS
applying a modem or utilization threshold of 30 before checking other load
balancing interfaces for availability.
To specify the dynamic load balance interval, specify a number in the range 10 to
3600 seconds.
CASA-CMTS(load-bal-exe-rule 1)# interval <10-3600>
The following example sets the dynamic load balancing interval to one modem every
60 seconds.
CASA-CMTS(load-bal-exe-rule 1)# interval 60
To specify upstream modem load balancing with a threshold of 50 modems, enter the
following commands:
To specify the threshold for dynamic load balancing, enter the upstream-threshold
load command to specify the actual number of cable modems, or the utilization
percentage in the range 0 to 100.
The following example sets the dynamic load balancing upstream-interval to one
modem every 60 seconds.
CASA-CMTS(load-bal-exe-rule 1)# upstream-interval 60
The load balance policy can have ONLY ONE execution rule.
Cable modems in the exclusion list are specified by MAC address, as displayed with
the show cable modem command.
Casa recommends that you use the show load balance static and the show load
balance dynamic commands at times when CMTS traffic loads tend to be higher. The
displayed information from the show load balance command will allow you to
further tune the load balancing configuration for better channel utilization so that
moving modems to other channels in the service group occurs less frequently.
4. Specify the initial technique that the CMTS uses to load balance and move
cable modems without performing any type of ranging.
CASA-CMTS(load-bal-general-default)# initial-tech direct
The interval is the minimum elapsed time (in seconds) before cable modems can
be moved to the load balancing interfaces. Only one cable modem can be moved
after each elapsed time interval.
CASA-CMTS(load-bal-exe-rule 1)# interval 60
CASA-CMTS#
(Note that the command output is shown in “list” format and not in the format
displayed by the CLI on a computer screen.)
The output shows the MAC address of the modem and the new upstream and
downstream channels to which the modem was moved. The type field shows one
of the following states:
• BAL — Balancing done by the system.
• MLT — DCC by limit replication multicast.
For older DOCSIS 1.0 modems where load balancing is not supported, run the CMTS
show cable modem command to display the D1.0 modems, and then add them to the
load balance exclusion list.
1. Execute the show cable modem verbose command. Note the MAC Version field.
CASA-CMTS# show cable modem verbose
MAC Address :0013.f79e.0d6a
IP Address :10.213.1.246
CM-ID :5
Prim Sid :10
MAC Domain :3
Upstream :4/0.0/0
Downstream :0/1/0
Unusable channel list :
Timing Offset :2404
Initial Timing Offset :2404
3. Add the cable modem MAC addresses to the exclusion list; specify “both” to
prevent the modems from attempting static and dynamic load balancing.
CASA-CMTS(load-bal-exclusion-list)# mac addr 0013.f79e.0d6a mask 0000.0000.0000 both
[Figure: C10G redundant configuration. Labels shown: CPE “A2”, CPE “B1”, CPE “B2”, cable modem “B”, SMM 6/2; data, voice, and streaming video/video-on-demand servers; distribution over cable access network to home subscribers.]
C10G redundant configuration:
- SMM slot 6, GigE port 0
- SMM slot 7, GigE port 0
- SMM slot 6, GigE port 2
- SMM slot 7, GigE port 2
- Identical static routes to routers and IP bundle interfaces
- RIP, OSPF, RIP, BGP-4 protocols
- Unique router IDs
[Figure: C10G chassis and service provider networks. Labels shown: service provider AS 11200, SMM 7/0, 192.168.7.11, 192.168.7.16, 10.10.10.0.]
IP bundles:
- interface ip-bundle 1; primary and secondary IP, helper address
- interface ip-bundle 2; primary and secondary IP, helper address
Example: Create logical loopback interfaces for static and dynamic route
CASA-CMTS(config)# interface loopback 0
CASA-CMTS(conf-if-lo 0)# ip address 192.168.168.1 255.255.255.252
Example
CASA-CMTS(config)# router rip slot 7
CASA-CMTS(config-router-rip)# network 10.168.1.0/24
CASA-CMTS(config-router-rip)# network 10.168.2.0/24
CASA-CMTS(config-router-rip)# network 10.237.0.0/16
CASA-CMTS(config-router-rip)# network 192.168.6.0/24
CASA-CMTS(config-router-rip)# network 192.168.7.0/24
IPTV overview
Figure 3-1 illustrates a sample IPTV network showing the traffic flow from video
content sources to the end user IP television. The CMTS or CCAP in the headend
network receives television content from one or more origins, such as video servers
and connections to news and other programming sources over direct connections and
over the Internet. The IGMP multicast and QOS configurations distribute the video
streams to end subscribers based on channel selection and video-on-demand requests.
Channel selection requests from a subscriber are processed by the Internet Group
Management Protocol (IGMP). When the cable headend receives a request to change
channels, it checks to ensure that the subscriber is authorized to view the requested
channel. If authorized, the subscriber is then added to the distribution list for that
channel. This limits the number of routes (multicast replication) and preserves
bandwidth for the cable network.
In an IPTV network, QOS must be maintained for reliable video streaming that is free
of delays and packet fragmentation. QOS tags that assign a high priority to streaming
video will maximize the video traffic over the available bandwidth for reliability and
best performance to the IP television. Other traffic over the connection, such as traffic
associated with computer Internet browsing should have lower priority QOS tags
assigned to the traffic as momentary delays are generally acceptable.
Example
CASA-CMTS(config)#interface docsis-mac 1
CASA-CMTS(conf-if-mac 1)# downstream 1 interface qam 0/0/0
CASA-CMTS(conf-if-mac 1)# upstream 1 interface upstream 4/0.1
Example
CASA-CMTS(config)#interface gige 1
CASA-CMTS(config-if-gige 1)#ip igmp
CASA-CMTS(config-if-gige 1)#
• ip igmp — Enables IGMP on the current GigE interface.
Example
CASA-CMTS(config)# cable igmp static-group 224.0.100.1
CASA-CMTS(conf-igmp-static-group 224.0.100.1)#qam 0/0/0
• igmp static-group — Specify the multicast IP address associated with the IGMP
static group. Optionally, specify the source IP address and dsid packet label to
apply to multicast packets in this group.
• qam 0/0/0 — The slot, port, and downstream channel associated with the IGMP
static group.
Example
CASA-CMTS(config)# multicast group config 1
CASA-CMTS(conf-grp-config 1)# source-address 0.0.0.0/0
CASA-CMTS(conf-grp-config 1)# group-address 224.0.100.1/24
CASA-CMTS(conf-grp-config 1)# qos-id 1
CASA-CMTS(conf-grp-config 1)# encryption-id 1
CASA-CMTS(conf-grp-config 1)# priority 100
CASA-CMTS(conf-grp-config 1)#
• source-address — Specifies the IP filtering address and mask associated with a
range of source IPs from which traffic is received by the multicast group. This
parameter operates with IGMP V3 only. Source address filtering is not supported
in the earlier IGMP versions.
• group-address — Specifies the IP address and mask associated with a range of
IPs to which multicast sessions are forwarded. When the CMTS or CCAP
receives traffic from a source IP, the system replicates the session so that all
members of the multicast group receive the transmission. IPv4 multicast addresses
are in the range 224.0.0.0 to 239.255.255.255.
• qos-id — Specifies the quality of service identifier associated with sessions
forwarded to members of this multicast group. See the next section, “Solution 5
— Configure the multicast group QOS and encryption profiles.”
• encryption-id — Specifies the unique identifier associated with securing
multicast sessions to ensure that traffic is only delivered to members of the
multicast group. See the next section, “Solution 5 — Configure the multicast
group QOS and encryption profiles.”
• priority — Specifies the priority (0 to 255) of a newly-replicated multicast
session that matches multiple sessions to members of the multicast group. A
higher number indicates a higher priority.
Example
CASA-CMTS(config)# multicast group qos 1 iptv single app-id 1
Example
CASA-CMTS(config)# multicast group encryption 1 algorithm des56
Example
CASA-CMTS(config)# cable service-class 1
CASA-CMTS(conf-service-class 1)# name iptv
CASA-CMTS(conf-service-class 1)# app-id 1
CASA-CMTS(conf-service-class 1)# upstream
CASA-CMTS(conf-service-class 1)# max-traffic-burst 3044
CASA-CMTS(conf-service-class 1)# min-reserved-rate 4000000
CASA-CMTS(conf-service-class 1)# sched-type bestEffort
• name — Indicates the QOS service-class name associated with a multicast group.
• app-id — Specifies the vendor-specified application identifier that associates the
QOS settings in this service-class association with a multicast group.
• upstream — Applies the QOS settings in this service-class to upstream traffic.
• max-traffic-burst — Specifies the maximum number of bytes transmitted on the
upstream interface in the range 0 to 4294967295.
Example
CASA-CMTS(config)# application policy 1
CASA-CMTS(conf-app-policy 1)# limit replication
CASA-CMTS(conf-app-policy 1)# max iptv channel 0
CASA-CMTS(conf-app-policy 1)#
• limit replication — To conserve bandwidth, one multicast group in the same load
balance general-group is permitted to establish only one replication. For another
modem to join the multicast group, DCC or DBC must take place to move the
modem to this channel (if permitted).
If a multicast group in the general load-balance group has not yet established
multicast replication, and if the bandwidth channel utilization of the current
channel exceeds the value of the maximum channel utilization setting, a DCC or
DBC onto a low bandwidth channel is needed before establishing replication.
Modems that are no longer members of a multicast group will perform DCC or
DBC to an available channel.
• no limit replication — If a modem makes a join request to a multicast group,
then replication is established on the modem’s current channel. The default is no
limit replication.
• limit replication override — If DCC or DBC is not permitted, replication takes
place on the original primary channel, or under the following conditions:
— Replication is established on a secondary channel in the MAC domain. Note
that since D2.0 modems do support DCC or DBC, then replication is
established on the primary channel.
Example
CASA-CMTS(config)# multicast authorization profile 1
CASA-CMTS(conf-auth-file 1)# session-rule 1 deny 0.0.0.0/0 239.255.255.255/24 priority 100
Example
CASA-CMTS(config)# multicast authorization enable
CASA-CMTS(config)# multicast authorization match-profile 1
CASA-CMTS(config)# multicast authorization default-action permit
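How the authorization profile and default action above decide a join request, as an added example (not Casa code). The evaluation order (highest-priority matching rule wins, deny wins a priority tie, the default action applies when nothing matches) and the `permit` keyword inside a session rule are assumptions; the join requests are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionRule:
    rule_id: int
    action: str     # "permit" or "deny"
    source: object  # ipaddress network of permitted/denied sources
    group: object   # ipaddress network of multicast groups
    priority: int


def parse_session_rule(line):
    """Parse 'session-rule <id> <action> <src/len> <group/len> priority <n>'."""
    tok = line.split()
    if len(tok) != 7 or tok[0] != "session-rule" or tok[5] != "priority":
        raise ValueError("unrecognized session-rule: %r" % line)
    if tok[2] not in ("permit", "deny"):
        raise ValueError("unknown action: %r" % tok[2])
    # strict=False masks the host bits, so the page's 239.255.255.255/24
    # is evaluated as the network 239.255.255.0/24.
    return SessionRule(
        rule_id=int(tok[1]),
        action=tok[2],
        source=ipaddress.ip_network(tok[3], strict=False),
        group=ipaddress.ip_network(tok[4], strict=False),
        priority=int(tok[6]),
    )


def authorize_join(rules, default_action, source, group):
    """Return 'permit' or 'deny' for a join to `group` for traffic from `source`."""
    src = ipaddress.ip_address(source)
    grp = ipaddress.ip_address(group)
    if not grp.is_multicast:
        raise ValueError("%s is not a multicast group address" % group)
    matches = [r for r in rules if src in r.source and grp in r.group]
    if not matches:
        return default_action
    # Highest priority wins; on a tie the deny rule is preferred (assumption).
    best = max(matches, key=lambda r: (r.priority, r.action == "deny"))
    return best.action


# The rule from the page, followed by a constructed higher-priority exception.
PAGE_RULE = parse_session_rule(
    "session-rule 1 deny 0.0.0.0/0 239.255.255.255/24 priority 100")
EXCEPTION = parse_session_rule(
    "session-rule 2 permit 10.10.10.0/24 239.255.255.0/24 priority 200")

if __name__ == "__main__":
    joins = [("10.10.10.5", "239.255.255.7"), ("10.10.10.5", "224.0.100.1")]
    for src, grp in joins:
        print(src, grp, authorize_join([PAGE_RULE], "permit", src, grp))
```

With `default-action permit`, every group outside 239.255.255.0/24 is joinable by any modem, so the profile works as a deny list rather than an allow list.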
Example
CASA-CMTS(config)# multicast max channel-util 60
CASA-CMTS(config)# multicast switch over time 15
CASA-CMTS(config)# multicast load-balance initial-tech direct
Law enforcement authorities who are conducting surveillance must be familiar with
the specific CALEA-compliant intercept application in use, as well as have
knowledge of SNMP and Management Information Base (MIB) operations to
successfully monitor CMTS traffic to target cable modems via IP or MAC address.
There are three MIBs that manage and control LI at the CMTS:
• CASA-802-TAP-MIB — The Casa MIB that enables packet intercept filtering
over 802 (Layer 2) streams based on the target cable modem MAC address. The
CASA-802-TAP-MIB is used with the PKTC-ES-TAP-MIB.
• PKTC-ES-TAP-MIB — The CableLabs MIB that defines a generic stream table
that contains fields that are common to all intercept types.
• PKTC-ES-IPTAP-MIB — The CableLabs IP TAP MIB for packet intercept
filtering at routing Layer 3 based on the target cable modem IP address. The
PKTC-ES-IPTAP-MIB is used with the PKTC-ES-TAP-MIB.
In addition to the above MIBs, Casa supports an Ethernet loopback interface
configuration to handle communication with the mediation device. See the section in
this chapter, “Configuring the CMTS LI source interface.”
[Figure: Lawful intercept overview. Labels shown: PC running SNMP LI MIBs from Casa; Internet; Casa CMTS intercept access point; Ethernet loopback interface; target voice/data filtering using MAC or IP address; cable access network to splitter; phone, cable modem, PC.]
Example
C10G-RC220(config)# interface loopback 0
C10G-RC220(config-if-lo 0)#ip address 6.7.8.9
If the device has been set for mediation 100 and stream 1, use the following command
in SNMP to change the source IP address.
Example
snmpset -v 3 -u tapuser -a MD5 -A casa3200 -l authNoPriv %cmtsip% 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.16.100.1 i 2
snmpset -v 3 -u tapuser -a MD5 -A casa3200 -l authNoPriv %cmtsip% 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.5.100.1 x %Saddr%
snmpset -v 3 -u tapuser -a MD5 -A casa3200 -l authNoPriv %cmtsip% 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.16.100.1 i 1
If the device has been set for mediation 100, the following example walks the
loopback interface index 8000000 on loopback 0 and changes the LI packets source
interface IP (previously the LI UDP packets source IP).
Example
snmpwalk -m all -O bsq -v 2c -c private %cmtsip% 1.3.6.1.2.1.2.2.1.2
snmpset -v 3 -u tapuser -a MD5 -A casa3200 -l authNoPriv %cmtsip% 1.3.6.1.4.1.4491.2.2.9.1.1.1.1.2.1.13.100 i 2
snmpset -v 3 -u tapuser -a MD5 -A casa3200 -l authNoPriv %cmtsip% 1.3.6.1.4.1.4491.2.2.9.1.1.1.1.2.1.5.100 i 8000000
Use the CLI show running-config command with the include option to display the
source-interface.
Example
CASA-C10G(config)#show running-config | include law
lawful-intercept source-interface loopback 0
Example
CASA-CMTS(config)# lawful-intercept tid stream-id
Example
C3200(config)# snmp user - SIIUser md5 0 SIITest123 no-priv 0 - non-volatile
C3200(config)# snmp tree-family SIIView 1.3.6.1.2.1.1.5 - include non-volatile
C3200(config)# snmp tree-family SIIView 1.3.6.1.4.1.9.9.252 - include non-volatile
C3200(config)# snmp tree-family SIIView 1.3.6.1.4.1.4491.1.2.2.9 - include non-volatile
C3200(config)# snmp tree-family SIIView 1.3.6 - exclude non-volatile
C3200(config)# snmp security usm SIIUser SIIView non-volatile
C3200(config)# snmp access SIIView - usm auth-no-priv exact SIIView SIIView SIIView non-volatile
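A review aid for the SNMP and multicast encryption examples in this guide, added here and not part of the Casa documentation: it scans CLI and net-snmp command lines for the settings a security review would question when they protect lawful intercept provisioning. The rule names and the line-joining heuristic are this example's own; the sample input is constructed from commands shown in this guide.

```python
import re

# (rule id, pattern, why a reviewer flags it)
RULES = [
    ("snmpv3-no-privacy",
     re.compile(r"-l\s+(?:noAuthNoPriv|authNoPriv)\b|\bauth-no-priv\b|\bno-priv\b"),
     "SNMPv3 without privacy: tap stream objects (target MAC/IP) cross the "
     "network unencrypted."),
    ("snmpv3-md5-auth",
     re.compile(r"-a\s+MD5\b|\bsnmp user\b.*\bmd5\b"),
     "MD5-based USM authentication; prefer SHA-based authentication where "
     "the device supports it."),
    ("snmpv2c-known-community",
     re.compile(r"-v\s*2c\b.*-c\s+(?:public|private)\b"),
     "SNMPv2c with a well-known community string sent in clear text."),
    ("passphrase-on-command-line",
     re.compile(r"^snmp(?:set|get|walk)\b.*\s-A\s+\S+"),
     "Authentication passphrase is exposed in shell history and process "
     "listings."),
    ("des56-multicast-encryption",
     re.compile(r"\balgorithm\s+des56\b"),
     "56-bit DES keys are small enough to brute-force."),
]

# A statement starts at a CLI prompt ("NAME(mode)#") or a net-snmp tool name;
# any other line is treated as the wrapped tail of the previous statement.
START = re.compile(r"^(?:[\w.-]+(?:\([^)]*\))?#|snmp(?:set|get|walk)\b)")


def statements(text):
    """Join wrapped lines so each command is matched as a whole."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def audit(text):
    """Return (statement number, rule id, statement) for every rule hit."""
    findings = []
    for number, stmt in enumerate(statements(text), start=1):
        for rule_id, pattern, _why in RULES:
            if pattern.search(stmt):
                findings.append((number, rule_id, stmt))
    return findings


# Constructed sample, assembled from commands shown in this guide.
SAMPLE = """\
CASA-CMTS(config)# multicast group encryption 1 algorithm des56
snmpwalk -m all -O bsq -v 2c -c private %cmtsip% 1.3.6.1.2.1.2.2.1.2
snmpset -v 3 -u tapuser -a MD5 -A casa3200 -l authNoPriv %cmtsip%
1.3.6.1.4.1.4491.2.2.9.1.1.1.1.2.1.13.100 i 2
C3200(config)# snmp user - SIIUser md5 0 SIITest123 no-priv 0 -
non-volatile
C3200(config)# snmp access SIIView - usm auth-no-priv exact SIIView
SIIView SIIView non-volatile
CASA-C10G(config)#show running-config | include law
"""

if __name__ == "__main__":
    reasons = {rule_id: why for rule_id, _pattern, why in RULES}
    for number, rule_id, stmt in audit(SAMPLE):
        print("statement %d: %s\n  %s\n  %s" % (number, rule_id, stmt, reasons[rule_id]))
```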
For example, to intercept all traffic to or from a given interface, configure an entry
that lists the interface, and use a wild-card for the remaining interfaces.
To intercept all traffic to or from a given MAC address, configure two such entries
that list the MAC address as source and destination respectively, then use a wild-card
for the remainder. To intercept one of the voices on a teleconference, extract the
multicast (destination) IP address, the source IP address, the protocol (UDP), and the
source and destination ports from the call control exchange and list all necessary
information.
The first index defines the mediation device to which the intercepted traffic will be
sent. The second index permits multiple classifiers to be used together, such as having
a MAC address as source or destination. The value of the second index is the same as
the stream's counter entry in the pktcEScTapStreamTable. Entries are added to this
table via pktc802tapStreamStatus in accordance with the RowStatus convention.
casa802tapStreamEntry
A stream entry indicates a single data stream to be intercepted to a mediation device.
Several selected data streams may go to the same application interface; many
application interfaces are supported.
Module: CASA-802-TAP-MIB
Parent: casa802tapStreamTable
First child: casa802tapStreamIndex
casa802tapStreamIndex
casa802tapStreamFields
This object displays which attributes must be tested to identify the traffic to be
intercepted. If all flagged fields match, then the packet matches.
To activate an entry, at least one of the bits must be set. If a bit is not set, the
corresponding MIB object value has no effect and need not be specified when
creating the entry.
Syntax: BITS {
interface(0),
dstMacAddress(1),
srcMacAddress(2),
ethernetPid(3),
dstLlcSap(4),
srcLlcSap(5)
}
Max-access: read-create
Status: current
casa802tapStreamInterface
The ifIndex value indicates the interface over which traffic to be intercepted is
received or transmitted. The interface may be physical or virtual. All traffic on the
selected interface will be selected if this is the only parameter specified and the
specified value is other than -1 or 0.
If the value is zero, matching traffic may be received or transmitted on any interface.
To limit the scope of traffic intercepted, use additional selection parameters. This is
most useful on non-routing platforms or on intercepts placed on other than a
subscriber interface.
It is possible in both of these cases to have the same packet selected for interception on
both its ingress and egress interface. However, only one instance of the packet is sent
to the mediation device.
This value must be set when creating a stream entry, either to select an interface, to
select all interfaces, or to select the interface that bridging learns. Not all platforms
may implement the entire range of options. See RFC1493: Definition of Managed
Objects for Bridges.
casa802tapStreamDestinationAddress
Syntax: MacAddress
Max-access: read-create
Status: current
casa802tapStreamSourceAddress
Syntax: MacAddress
Max-access: read-create
Status: current
casa802tapStreamEthernetPid
Indicates the value of the Ethernet protocol identifier (PID) found on Ethernet traffic
or IEEE 802.2 Subnetwork Access Protocol (SNAP) traffic.
Syntax: Unsigned32
Max-access: read-create
Status: current
casa802tapStreamDestinationLlcSap
Syntax: Unsigned32
Max-access: read-create
Status: current
casa802tapStreamSourceLlcSap
Syntax: Unsigned32
Max-access: read-create
Status: current
casa802tapStreamInterceptEnable
Indicates the up or down value of the table. The table is valid in the UP state.
Syntax: INTEGER {
up(1),
down(2)
}
Max-access: read-create
Status: current
casa802tapStreamStatus
Indicates the status of this conceptual row and manages the creation, modification,
and deletion of rows in the table. The casa802tapStreamStatus must be first set to
notInService when any rows require changing.
Syntax: RowStatus
Max-access: read-create
Status: current
Multiple taps may require the same data stream, and the intercepted stream is often a
small subset of the traffic that it is possible to intercept. This table therefore provides
options for packet selection, only some of which might be used. As an example, to
intercept all the traffic to or from a specific interface, configure an entry that lists the
interface, and use a wild-card for the rest.
To intercept all traffic to or from a specific IP Address, configure two entries listing
the IP Address as source and destination respectively, and use a wild-card for the rest.
To intercept one of the voices on a teleconference, extract the multicast (destination)
IP address, the source IP Address, the protocol (UDP), and the source and destination
ports from the CMTS and list all necessary information.
The first index indicates the mediation device to which the intercepted traffic will be
sent. The second index allows multiple classifiers to be used together, such as having
an IP address as source or destination. The value of the second index is the same as the
stream's counter entry in the pktcEScTapStreamTable. Entries are added to this table
via pktcESTapStreamStatus per the RowStatus convention.
pktcESTapStreamEntry
A stream entry defines a single data stream to be intercepted to a mediation device.
Many selected data streams may go to the same application interface, and many
application interfaces are supported.
Module: PKTC-ES-IPTAP-MIB
Parent: pktcESTapStreamTable
First child: pktcESTapStreamInterface
pktcESTapStreamInterface
Defines the ifIndex value of the interface over which traffic to be intercepted is
received or transmitted. The interface may be physical or virtual. If it is the only
parameter specified, and it is other than -2, -1 or 0, all traffic on the selected interface
will be selected. If the value is zero, matching traffic may be received or transmitted
on any interface. To limit the scope of the traffic intercepted, use additional selection
parameters.
In both of these cases, it is possible to select the same packet for interception on both
its ingress and egress interface. However, only one instance of the packet is sent to the
mediation device. If the value is -2, packets belonging to a Voice over IP (VoIP)
session identified by pktcESTapStreamSourceAddress, pktcESTapStreamSourceLen
and pktcESTapStreamSourceL4PortMin may be intercepted (since a specific voice
session can be identified with source IP address and UDP port number).
Other selection parameters may not be acted on, even if they are set by the mediation
device. This value must be set when creating a stream entry, either to select an
interface, to select all interfaces, or to select the interface chosen by routing. The
entire range of options may not be implemented on all platforms.
pktcESTapStreamAddrType
Syntax: InetAddressType
Max-access: read-create
Status: current
pktcESTapStreamDestinationAddress
This object is the destination address or prefix used in packet selection. This address
type is specified in pktcESTapStreamAddrType.
Syntax: InetAddress
Max-access: read-create
Status: current
pktcESTapStreamDestinationLength
This defines the length of the destination prefix. If the value is zero, all addresses will
match. This prefix length is consistent with the type specified in
pktcESTapStreamAddrType.
Syntax: InetAddressPrefixLength
Max-access: read-create
Status: current
pktcESTapStreamSourceAddress
The source address used for packet selection. This address will be of the type specified
in pktcESTapStreamAddrType.
Syntax: InetAddress
Max-access: read-create
Status: current
pktcESTapStreamSourceLength
Indicates the length of the source prefix. If the value is zero, all addresses will
match. This prefix length will be consistent with the type specified in
pktcESTapStreamAddrType.
Syntax: InetAddressPrefixLength
Max-access: read-create
Status: current
pktcESTapStreamTosByte
pktcESTapStreamTosByteMask
The value of the TOS byte in an IPv4 or IPv6 header is ANDed with
pktcESTapStreamTosByteMask and compared with pktcESTapStreamTosByte. If the
values are equal, the packet matches. If the mask is zero and the TosByte value is
zero, the result will be to always accept.
pktcESTapStreamFlowId
Indicates the flow identifier in an IPv6 header. Specifying -1 means that the flow
identifier is unused.
pktcESTapStreamProtocol
The IP protocol to match against the IPv4 protocol number or the IPv6 Next-Header
number in the packet. Specifying -1 means “any IP protocol.”
pktcESTapStreamDestL4PortMin
Indicates the minimum value that the layer-4 destination port number in the packet
must have in order to match. This value must be equal to or less than the value
specified for this entry in pktcESTapStreamDestL4PortMax. The port number is
effectively unused if both pktcESTapStreamDestL4PortMin and
pktcESTapStreamDestL4PortMax are at their default values.
Syntax: InetPortNumber
Max-access: read-create
Status: current
pktcESTapStreamDestL4PortMax
Indicates the maximum value that the layer-4 destination port number in the packet
must have in order to match this classifier entry. This value must be equal to or greater
than the value specified for this entry in pktcESTapStreamDestL4PortMin. The port
number is effectively unused if both pktcESTapStreamDestL4PortMin and
pktcESTapStreamDestL4PortMax are at their default values.
Syntax: InetPortNumber
Max-access: read-create
Status: current
pktcESTapStreamSourceL4PortMin
Indicates the minimum value that the layer-4 source port number in the packet
must have in order to match. This value must be equal to or less than the value
specified for this entry in pktcESTapStreamSourceL4PortMax. The port number is
effectively unused if both pktcESTapStreamSourceL4PortMin and
pktcESTapStreamSourceL4PortMax are at their default values.
Syntax: InetPortNumber
Max-access: read-create
Status: current
pktcESTapStreamSourceL4PortMax
Indicates the maximum value that the layer-4 source port number in the packet
must have in order to match this classifier entry. This value must be equal to or greater
than the value specified for this entry in pktcESTapStreamSourceL4PortMin. The port
number is effectively unused if both pktcESTapStreamSourceL4PortMin and
pktcESTapStreamSourceL4PortMax are at their default values.
Syntax: InetPortNumber
Max-access: read-create
Status: current
pktcESTapStreamVRF
Indicates the name of a Virtual Routing and Forwarding (VRF) table comprising the
routing context of a Virtual Private Network; it is an ASCII string. The interface or set
of interfaces on which the packet might be found should be selected from the set of
interfaces in the VRF table. A string length of zero implies that the global routing table
is used for selection of interfaces on which the packet might be found.
Syntax: SnmpAdminString
Max-access: read-create
Status: current
pktcESTapStreamStatus
Indicates the status of the conceptual row. It manages creation, modification, and
deletion of rows in this table. pktcESTapStreamStatus must be first set to
“notInService” before any rows can be changed.
Syntax: RowStatus
Max-access: read-create
Status: current
pktcEScTapMediationEntry
Module: PKTC-ES-TAP-MIB
Parent: pktcEScTapMediationTable
First child: pktcEScTapMediationContentId
Numerical syntax: Null
Base syntax: PktcEScTapMediationEntry
Composed syntax: PktcEScTapMediationEntry
Status: current
Max access: not-accessible
Sequences: 1: pktcEScTapMediationContentId - Integer32(2 - int, int32)
2: pktcEScTapMediationDestAddressType - InetAddressType(2 - int, int32)
3: pktcEScTapMediationDestAddress - InetAddress(4 - octets)
4: pktcEScTapMediationDestPort - InetPortNumber(66 - gauge32)
5: pktcEScTapMediationSrcInterface - InterfaceIndexOrZero(2 - int, int32)
6: pktcEScTapMediationDscp - PktcEScTapDscp(2 - int, int32)
7: pktcEScTapMediationTimeout - DateAndTime(4 - octets)
8: pktcEScTapMediationTransport - INTEGER(2 - int, int32)
9: pktcEScTapMediationNotificationEnable - TruthValue(2 - int, int32)
10: pktcEScTapMediationStatus - RowStatus(2 - int, int32)
Indices: 1: pktcEScTapMediationContentId
pktcEScTapMediationContentId
This entry defines a single session with an application on a mediation device. From
the intercept application's perspective, pktcEScTapMediationContentId is a session
identifier; from the mediation device's perspective, it is a content identifier. The
mediation device ensures that these values are unique, and the SNMP RowStatus row
creation process assists by not allowing conflicting entries to be created. To decrease
the probability of a value collision, a value for this variable may be obtained by
reading pktcEScTapMediationNewIndex before creating a new entry.
pktcEScTapMediationDestAddressType
Syntax: InetAddressType
Max-access: read-create
Status: current
pktcEScTapMediationDestAddress
Indicates the IP address of the network interface on the mediation device where the
intercepted traffic is sent.
Syntax: InetAddress
Max-access: read-create
Status: current
pktcEScTapMediationDestPort
This is the port number of the network interface on the mediation device where the
intercepted traffic is sent.
Syntax: InetPortNumber
Max-access: read-create
Status: current
pktcEScTapMediationSrcInterface
Defines the intercepting device interface where intercepted data is transmitted. Zero
means any interface may be used, per normal IP practice.
Syntax: InterfaceIndexOrZero
Max-access: read-create
Status: current
pktcEScTapMediationDscp
Indicates the Differentiated Services Code Point (DSCP) applied by the intercepting
device to the IP packets encapsulating the intercepted traffic.
Syntax: PktcEScTapDscp
Max-access: read-create
Status: current
pktcEScTapMediationTimeout
Indicates the time at which the intercept function should stop and all related stream table
rows should be automatically deleted. This is a fail-safe method for the failure or
removal of the network manager, since the initiating network manager may be the
only device able to manage a specific intercept or be aware it exists. This object is
only effective when the value of pktcEScTapMediationStatus is “active.”
Syntax: DateAndTime
Max-access: read-create
Status: current
pktcEScTapMediationTransport
Syntax: INTEGER {
udp(1)
}
Max-access: read-create
Status: current
pktcEScTapMediationNotificationEnable
Controls the generation of any notifications or information by the MIB agent for this
table entry.
Syntax: TruthValue
Max-access: read-create
Status: current
Default: { true }
pktcEScTapMediationStatus
Defines the status of the conceptual row. It is used to manage creation, modification
and deletion of rows in this table. pktcEScTapMediationTimeout may be modified at
any time (even while the row is active). However, when the row is active, the other
writable objects may not be modified without setting its value to “notInService”.
Syntax: RowStatus
Max-access: read-create
Status: current
2. Configure the server to receive the lawful intercept packets (IP address is
192.168.3.6; receiving port is 5001):
1: pktcEScTapMediationDestAddressType.1 (integer) ipv4(1)
2: pktcEScTapMediationDestAddress.1 (octet string) C0.A8.03.06 (hex)
3: pktcEScTapMediationDestPort.1 (gauge) 5001
4: pktcEScTapMediationSrcInterface.1 (integer) 0 [0]
5: pktcEScTapMediationDscp.1 (integer) 34
6: pktcEScTapMediationTimeout.1 (octet string) 2099-1-1,0:0:0.0,+0:0 [08.33.01.01.00.00.00.00.2B.00.00 (hex)]
7: pktcEScTapMediationTransport.1 (integer) udp(1)
8: pktcEScTapMediationNotificationEnable.1 (integer) true(1)
9: pktcEScTapMediationStatus.1 (integer) active(1)
3. To intercept L3 traffic matching certain IP addresses or UDP/TCP ports,
configure pktcESTapStreamTable to intercept the cable modem
(10.230.1.101) downstream packets:
1: pktcESTapStreamInterface.1.1 (integer) 0
2: pktcESTapStreamAddrType.1.1 (integer) ipv4(1)
3: pktcESTapStreamDestinationAddress.1.1 (octet string) 0A.E6.01.65 (hex)
4: pktcESTapStreamDestinationLength.1.1 (gauge) 32
5: pktcESTapStreamSourceAddress.1.1 (octet string) 00.00.00.00 (hex)
6: pktcESTapStreamSourceLength.1.1 (gauge) 0
7: pktcESTapStreamTosByte.1.1 (integer) 0
8: pktcESTapStreamTosByteMask.1.1 (integer) 0
9: pktcESTapStreamFlowId.1.1 (integer) -1
10: pktcESTapStreamProtocol.1.1 (integer) -1
11: pktcESTapStreamDestL4PortMin.1.1 (gauge) 0
12: pktcESTapStreamDestL4PortMax.1.1 (gauge) 65535
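How the selection fields in the listing above combine, as an added example that is not part of the Casa guide: a Python model of the matching rules described for pktcESTapStreamTable (prefix length 0 matches all addresses, protocol -1 means any protocol, the TOS byte is compared under its mask, port ranges are inclusive). The StreamEntry class, the packet dictionaries and every address other than 10.230.1.101 are constructed for illustration; interface, flow ID and VRF selection are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class StreamEntry:
    """Hypothetical model of one pktcESTapStreamTable row (address/port fields only)."""
    dst_addr: str = "0.0.0.0"
    dst_len: int = 0            # 0 = all destination addresses match
    src_addr: str = "0.0.0.0"
    src_len: int = 0            # 0 = all source addresses match
    tos_byte: int = 0
    tos_mask: int = 0           # mask 0 with byte 0 = always accept
    protocol: int = -1          # -1 = any IP protocol
    dst_ports: tuple = (0, 65535)
    src_ports: tuple = (0, 65535)

    def matches(self, pkt: dict) -> bool:
        dst_net = ip_network(f"{self.dst_addr}/{self.dst_len}", strict=False)
        src_net = ip_network(f"{self.src_addr}/{self.src_len}", strict=False)
        return (ip_address(pkt["dst"]) in dst_net
                and ip_address(pkt["src"]) in src_net
                and (pkt["tos"] & self.tos_mask) == self.tos_byte
                and self.protocol in (-1, pkt["proto"])
                and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1]
                and self.src_ports[0] <= pkt["sport"] <= self.src_ports[1])

def selected(entries, pkt) -> bool:
    """True if any entry in the list selects the packet."""
    return any(e.matches(pkt) for e in entries)

CM = "10.230.1.101"                                        # cable modem from the page
DOWNSTREAM_ONLY = [StreamEntry(dst_addr=CM, dst_len=32)]   # the entry listed above
BOTH_WAYS = DOWNSTREAM_ONLY + [StreamEntry(src_addr=CM, src_len=32)]

# Constructed sample packets (203.0.113.9 is a documentation address).
TO_CM = dict(src="203.0.113.9", dst=CM, tos=0x88, proto=17, sport=5004, dport=40000)
FROM_CM = dict(src=CM, dst="203.0.113.9", tos=0, proto=6, sport=40000, dport=443)
OTHER = dict(src="203.0.113.9", dst="10.230.1.102", tos=0, proto=6, sport=443, dport=40001)

if __name__ == "__main__":
    for name, pkt in (("to CM", TO_CM), ("from CM", FROM_CM), ("other", OTHER)):
        print(name, selected(DOWNSTREAM_ONLY, pkt), selected(BOTH_WAYS, pkt))
```

The destination-only entry selects traffic toward the modem but not traffic it sends, which is why the guide calls for two entries to cover an address in both directions.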
2. Set stream entry with destination and source address (in that order)
10.190.0.0/16. This is the IP address from which the packets are intercepted
and the IP address to which the packets are forwarded. Specify the source
and destination network mask.
07 DB = 2011 (year)
05 = 5 (month: May)
0A = 10 (day)
13 = 19 (hours)
2B = 43 (minutes)
00 = 0 (seconds)
00 = 0 (deci-seconds)
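The octets decoded above, and the 11-octet pktcEScTapMediationTimeout value shown earlier, follow the DateAndTime layout of RFC 2579. The following Python is an added example, not part of the Casa guide, and its function names are hypothetical; it encodes a timeout into the octets to supply as a hex value and decodes both the 8-octet and 11-octet forms.

```python
import struct
from datetime import datetime, timedelta, timezone

def encode_date_and_time(dt: datetime) -> bytes:
    """Encode an aware datetime as the 11-octet DateAndTime form (RFC 2579)."""
    offset = dt.utcoffset()
    if offset is None:
        raise ValueError("need a timezone-aware datetime to emit the UTC offset")
    minutes = int(offset.total_seconds()) // 60
    sign = b"+" if minutes >= 0 else b"-"
    off_h, off_m = divmod(abs(minutes), 60)
    body = struct.pack(">H6B", dt.year, dt.month, dt.day, dt.hour,
                       dt.minute, dt.second, dt.microsecond // 100_000)
    return body + sign + bytes([off_h, off_m])

def decode_date_and_time(raw: bytes) -> datetime:
    """Decode 8 octets (no offset, naive result) or 11 octets (with UTC offset)."""
    if len(raw) not in (8, 11):
        raise ValueError(f"DateAndTime is 8 or 11 octets, got {len(raw)}")
    year, month, day, hour, minute, second, deci = struct.unpack(">H6B", raw[:8])
    tz = None
    if len(raw) == 11:
        # Octet 9 is the ASCII sign; 0x2B elsewhere (e.g. minute 43) is just a number.
        if raw[8:9] not in (b"+", b"-"):
            raise ValueError("octet 9 must be '+' or '-'")
        delta = timedelta(hours=raw[9], minutes=raw[10])
        tz = timezone(delta if raw[8:9] == b"+" else -delta)
    return datetime(year, month, day, hour, minute, second, deci * 100_000, tzinfo=tz)

def dotted_hex(raw: bytes) -> str:
    """Render octets in the dotted form used by the MIB listing on this page."""
    return ".".join(f"{b:02X}" for b in raw)

if __name__ == "__main__":
    timeout = datetime(2099, 1, 1, tzinfo=timezone.utc)
    print(dotted_hex(encode_date_and_time(timeout)))
    print(decode_date_and_time(bytes.fromhex("07DB050A132B0000")))
```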
!!!Filter configured:
C3200-155(diag)#show clock
Tue May 10 19:41:08 UTC 2011
C3200-155(diag)#show timezone
Timezone set to "UTC", offset from UTC is +0000
ds_es_l3_filters:
nx=00000000 pkt=84
FA=00ca0698 id=1 Cid=1 p=1 Proto=-1 dscp=0 tp=2008 dp=0 65535 sp=0 65535
TargAddrlen=32 filterAddrLen=32 192.168.0.170 mask=00000000 mtu=1500
CmtsAddrlen=32 filterAddrLen=32 10.155.1.1 mask=00000000
DAPrefixlen=0 filterAddrLen=32 0.0.0.0 mask=00000000
SAPrefixlen=0 filterAddrLen=32 0.0.0.0 mask=00000000
mtu gige0 1500
mtu gige1 1500
mtu gige2 1500
mtu gige3 1500
mtu gige4 1500
mtu gige5 1500
mtu gige6 1500
mtu gige7 1500
mtu gige8 1500
mtu gige9 1500
mtu gige10 1500
mtu gige11 1500
2. Set stream entry with destination and source address (in that order)
10.155.1.70 (CM IP) and destination and source length 32.
snmpset -v 3 -u SIIUser -a MD5 -A SIITest123 -l authNoPriv -On \
192.168.0.155 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.16.1.1 i 5
snmpset -v 3 -u SIIUser -a MD5 -A SIITest123 -l authNoPriv -On \
192.168.0.155 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.3.1.1 x 0a9b0146
snmpset -v 3 -u SIIUser -a MD5 -A SIITest123 -l authNoPriv -On \
192.168.0.155 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.4.1.1 u 32
snmpset -v 3 -u SIIUser -a MD5 -A SIITest123 -l authNoPriv -On \
192.168.0.155 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.5.1.1 x 0a9b0146
snmpset -v 3 -u SIIUser -a MD5 -A SIITest123 -l authNoPriv -On \
192.168.0.155 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.6.1.1 u 32
snmpset -v 3 -u SIIUser -a MD5 -A SIITest123 -l authNoPriv -On \
192.168.0.155 1.3.6.1.4.1.4491.2.2.9.1.2.1.1.2.1.16.1.1 i 1
CMTS
Network Solutions Guide
DOC-3007-01
For Releases 5.4 to 6.4.3