Slimjim100 DOCSIS Engineer Blog...
(Disclaimer: No information or writing on this site should be used as a basis of buying, investing, or anything else to do with any of the equipment discussed on this site. The information on this site is just the opinion of "Slimjim100" and other DOCSIS Engineers.)
March 24th 2009 (12:00PM By Slimjim100)
We have a new domain and site to support the DOCSIS Community: go to www.docsishelp.com. All info and blog entries from this site are being migrated over to the new site. Our new forums are also on the DOCSIS Help domain now.
Thanks for your support!
-Slimjim100-
February 28th 2009 (12:30PM By Slimjim100)
Another DOCSIS Blog you need to follow
I recommend all the readers here start visiting Brady's Tech Blog. Brady Volpe is currently the Director of System Engineering and Design Verification and Test for JDS Uniphase, where he is responsible for product conception to verification of design. In his blog he covers many details of DOCSIS and how the DOCSIS specification works in the real world.
Brady's recent Blog posts are:
And many more, so head over to his Blog and get your fill of all your DOCSIS knowledge.
http://bradyvolpe.com
-Slimjim100-
February 16th 2009 (11:30AM By Slimjim100)
(Update 2-16-09)
When the 10K meets an older Acterna DSAM….
Recently during an IOS upgrade I found (well, a fellow engineer I work with found) that the older Acterna (now JDSU) DSAM meters failed BPI registration. It was interesting because all the modems on the CMTS worked fine and other meters did not have this issue. Well, after a lot of troubleshooting by myself and other engineers it was found that the newer JDSU meters did not have the same issue. In the end it was that the older meters did not have a valid self-signed certificate and they had to be upgraded via JDSU TAC. Now the prior IOS was 12.3(17b)BC and we upgraded to 12.3(21a)BC and noticed the issue. So just as a warning to other Engineers, you may want to test your older Acterna meters if you upgrade your IOS. If they do not pass BPI/BPI+, just call JDSU and have them add valid certs to the meters. This can be done by hooking the DSAM up to an Ethernet connection with a public IP for the JDSU TAC to access the meter. Basically your meter is fine, and even if you have the BPI fail issue your meter can still work fine with all your normal RF testing, and you could just use a modem to test DOCSIS with till you upgrade the meter.
(Update below)
JDSU has CableLabs BPI+ certs for the DSAM. Contact your JDSU support team if you think you have seen this issue on your DSAM meter.
JDSU is in my opinion the best vendor for DOCSIS/RF test equipment, and I have used JDSU meters/PathTrak and other products for some time, and the quality and support is the best you will find. The reason for the update here in the blog is that JDSU is committed to quality and contacted me to let me know of the fix and continued support to their customers.
-Slimjim100-
December 19th 2008 (1:00AM By Slimjim100)
Daemon
By Daniel Suarez
I wanted to promote a very awesome book I read last year. The author Daniel Suarez wrote the book and self-published it himself. I was lucky to have been an early supporter of his book and reviewed it when I saw the review over on Ethical Hacker Network. After chatting with Daniel online I ended up meeting him in person at Defcon 15 and we have stayed in touch since then. Daemon was such a hit Dutton Press bought the rights to his book and republished it in hardback with added content. This is one of the best novels I have read in a long, long time. It is a work of fiction but all the technology is based on real stuff. I would fully recommend this book to anyone technical (& non-technical) as you will enjoy all the references to real technology from a writer that is also a technical person. One reason I decided to post this here is that I am out of town working for a client in Orange County and ended up calling Daniel and getting dinner with him. During dinner we chatted about the book and its concepts and I found out that the sequel will be published soon and it will pick up where Daemon left off and is guaranteed to be even better. The next book is rumored to be named "Freedom". Anyway I strongly suggest you order this book now. Its release date is January 8th 2009 but you can pre-order it at your favorite online book retailer. As a side note Ethical Hacker Network recently hosted a hacking challenge that was giving away copies of the original Daemon book as prizes for their contest.
Slimjim100
October 1st 2008 (3:00PM By docsisdude)
I've had a few questions thrown at me from people asking about the NPE-G2 processing engine for the VXR chassis. One engineer had been asking for new MC-28U blades but his boss overrode him and got a NPE-G2 instead. The CMTS was loaded with four MC-16S blades and a NPE-G1. The NPE-G2 would have bought them the increased horsepower of the G2, as well as switched them from GBIC to SFP ports, but other than that nothing else really. They loaded the box up and booted it into IOS; the only problem was the linecards weren't being recognized. When they tried to load the old IOS, it simply refused to load it. So they were stuck and had to back out and go back to the NPE-G1. He asked me about that and after some searching I saw the NPE-G2 is only compatible with the 12.2.S code train. The "Monet" adds plenty of new features and is a big departure from the BC code train. Unfortunately one of the caveats of the Monet, aka the S code train, is that it drops support for anything besides the newer MC-16U/X, MC-28U/X and the brand new blade for the 7225VXR, the E-28U. So be aware of this if you want to upgrade your VXR, and if you do… you're probably better off getting a U/X based blade! Remember, the U/X blades have NPE-G1's onboard, and when replacing C/S blades you should notice a 10+% drop in CPU utilization on your NPE.
Document link on the G2
docsisdude
July 28th 2008 (2:30PM By DOCSIS-Paul)
The forum is now active but understand it is a work in progress at this time. Please feel free to go and join up. Registration is free and will allow you to post to the forums.
Forum link: http://docsishelp.do.funpic.de/board
Regards,
DOCSIS-Paul
July 28th 2008 (1:00PM By DOCSIS-Paul)
We are now working on adding a forum to this blog to allow for more real-time DOCSIS support, and we hope to build a community of DOCSIS Engineers to help each other out. At this time we are building the forums on a free hosting site in Germany (sorry, ad supported) but if the idea takes off we may buy hosting somewhere. Once it goes live please stop by and post a quick hello so we get an idea of the number of people interested in this idea.
Thanks,
DOCSIS-Paul
June 27th 2008 (5:00PM By docsisdude)
This post was made after docsisdude spent some time doing a password recovery on a BSR and could not find any documentation for the BSR online.... Sound familiar???
One of the best things about Cisco is how well they document things. I don't know how many times I've gone to www.cisco.com and found exactly what I was looking for. Sometimes it can take a little longer than I had hoped, but that's only because they have so much documentation to sift through. You often have to be pretty specific when doing the search, and when you find something good…. bookmark it. Stuff like load balancing configs, RFSW setup, CWDM SFPs, the list is endless. Like all websites Cisco moves things around, so don't get angry when you get dead-linked to the apologetic Cisco "page not found" error. This brings up an interesting point. On one hand Cisco has gone to the infinite degree to document EVERYTHING. This has pros and cons, as having all that info often makes finding things difficult. The other side of the coin is that the other vendors often have very little as far as public documentation. I know you can't really expect that from everyone, but it can slow you down when you don't have that PDF you need or are learning on a new box. Either way it would be helpful if the other vendors could put more info up. It also wouldn't hurt if Cisco trimmed some of the documentation, or removed that eight-year-old doc about DOCSIS 1.0 ;)
docsisdude
June 11th 2008 (4:00PM By docsisdude)
So you're a DOCSIS Engineer and you compete with AT&T's U-verse VDSL service. They're taking some of your single play subs and turning them into triple play subs, but hey, you've been turning their single play subs into triple play subs for years. The problem begins after they take the subs, but before those subs disconnect (or if those subs keep your service). What is the problem? HPNA. On the HPNA wiki they brush over the topic and state, among the disadvantages of HPNA 3.x, "Doesn't coexist with DOCSIS". Well, I'll expand on that a little further. This has gotten some news as Comcast outside Chicago has been battling with AT&T and complained to them. This has for the most part been ignored, but I'm sure AT&T is burning the midnight oil trying to come up with a solution to allow HPNA to work without disrupting DOCSIS. (Right.) HPNA works in the frequencies above DSL and voice, but below broadcast television. Sound familiar? Well it should, because that's your DOCSIS return path. When somebody hooks up a 2Wire HPNA router/gateway to a coax line still connected to active cable plant, that HPNA signal leaves the house and gets into our return plant. I saw this first hand, and it forced me at my previous job to vacate my preferred frequency of 35MHz. I had to use 25MHz, which isn't a bad frequency, but again this is a competitor's product that actively interferes with your product. The HPNA signal looks like a static "haystack"; it's not bursty like a TDMA-based DOCSIS carrier. It can and will destroy your return path and make large swathes of said spectrum completely unusable. Is the solution for us to high-pass filter subs that switch to U-verse? Or should U-verse use the 43-50MHz range we can't use? This is barring strange mid-split systems and assuming standard diplex filters of 5-45 which roll off at ~43MHz. Everything past ~40MHz has pretty hardcore group delay issues anyway, so I'd be happy to give them 40-50MHz. If that was the case they could work, we could work, and we could go back to competing fairly...... Or I could just drive around with an unlicensed AM transmitter, or go pee on a VRAD.... something makes me think Harry Potter... err, Kevin Martin wouldn't like that, let alone Ma Bell (or the Engineers at AT&T that would have to fix it).
Till next time
docsisdude
(this post was made by "DOCSIS_Dude")
April 14th 2008 (10:00PM By Slimjim100)
Well, now I am in a new job but still in the DOCSIS CMTS work area. Due to my new position I will not be able to continue posting to this BLOG. Now this is not the end of this BLOG, as I will have a few other DOCSIS Engineers take over with posts and updates. Sorry to have to leave this way, but I have taken a very good job and feel in my new position I do not want to risk any kind of perceived conflicts. So from this point on any post to this BLOG will be made by other DOCSIS Engineers. When a post is made it will state the poster's online name. Thanks for all your support and feel free to e-mail me any questions at slimjim100(at)gmail.com.
Thanks,
Slimjim100
March 4 2008 (11:00AM By Slimjim100)
DOCSIS Engineer Must Read Book
PacketCable Implementation
Jeff Riddel CCIE#12798
Since I recently talked with Jeff and I own this book, I figured I would share my thoughts on the book with you. I highly recommend this book for any DOCSIS Engineer working in a PacketCable voice network. Even if you plan on deploying a SIP or third-party voice service this book will be your new bible. With over 1100 pages of true technical information with many charts, graphs, & diagrams to help explain the flow of data, this book will help bring all the complexity to an understandable level. Let's face it, there is not a good single source of information out there to support DOCSIS engineers in their jobs, but I think with this book you get the full view. Anyway I highly recommend it, and make sure to jet over to Cisco Press or Amazon and read the description. This is also a Safari book, so online access for 45 days comes with the book too.
Links for the book:
Cisco Press
Amazon
February 27 2008 (10:00AM By Slimjim100)
BlackHat 2008 DC
Last week I was in DC for BlackHat 2008. I had a great time and saw some interesting talks on security, hacking, pen-testing, networking, and much more. I have to say my favorite talk was from Felix "FX" Lindner titled "Developments in Cisco IOS Forensics". I would highly recommend you visit his site and read the white paper he released (found here) on his company's site "Recurity Labs". Slides and presentations from BlackHat should be on their site soon for download. In other news I have heard of routers getting hijacked due to poor ACLs and SNMP traffic being sent over public networks in plain text. It is important to keep your router locked down and protected. If your router got accessed and changed by an unauthorized person, the first thing they might do is lock you out. I have heard of reports where this has happened to a large multi-site company and they were blackmailed for money to get access back to their routers. With networks expanding over many miles, cities, and countries it's important to keep your network safe. In the case of this reported company, the cost of sending people out to password-recover the routers was a lot more than the blackmailer's offer, so the company paid them and then locked down the devices after they regained access. This could have been avoided, and the skills needed to lock down a router are not CCIE-level stuff! Just using ACLs and an understanding of how the network is designed can prevent this kind of attack. Another issue with "unauthorized access" is that even if you can regain access it's best to reload the IOS and review your configs. I say this since I have learned from Felix's presentation at BlackHat that some attackers load non-Cisco patches to the IOS. If an unauthorized IOS patch was made to your devices it is very difficult to identify the malicious code. With infected IOS code on your routers you risk them becoming members of bot-nets, resetting unexpectedly, or relaying/hiding unwanted traffic or tunnels. My recommendation is to only trust IOS code you get directly from Cisco. At the end of the day it does pay to keep your Cisco contracts up to date, so when you need that clean IOS fix your CCO login can save the day.
References in this post:
http://www.blackhat.com/html/bh-dc-08/bh-dc-08-speakers.html#FX
www.recurity-labs.com
www.cisco.com
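The lockdown points in the post above (ACLs on SNMP communities, restricted management access, no plain-text management over public networks) are the kind of thing worth checking on every saved config rather than from memory. Here is an added example, not from the blog or from Cisco, of a small audit over a saved IOS running-config. The sample config, hostname, ACL number and community strings are constructed for this example; the checks it performs are assumptions about what a sensible baseline looks like, not a vendor checklist.

```python
"""Added example (not from the blog post): audit a saved Cisco IOS
running-config for the lockdown gaps the post talks about -- SNMP
communities not tied to an ACL, vty lines without an access-class, and
vty lines still accepting plain-text telnet. Everything in SAMPLE_CONFIG
is constructed; no real device is described."""

import re

# Constructed sample config (assumption: saved output of `show running-config`).
SAMPLE_CONFIG = """\
hostname cmts-edge-1
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
snmp-server community public RO
snmp-server community n0c-r0 RO 10
snmp-server community n0c-rw RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
!
end
"""

# "snmp-server community <name> RO|RW [acl]" -- the ACL is the optional 3rd group.
SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?", re.M)
# A "line vty a b" header followed by its indented body lines.
VTY_RE = re.compile(r"^line vty (\d+) (\d+)\n((?: .*\n)*)", re.M)


def audit_snmp(config):
    """One finding per SNMP community with no ACL; RW is 'high', RO 'medium'."""
    findings = []
    for name, mode, acl in SNMP_RE.findall(config):
        if not acl:
            sev = "high" if mode == "RW" else "medium"
            findings.append((sev, f"snmp community '{name}' ({mode}) has no ACL"))
    return findings


def audit_vty(config):
    """Findings for vty blocks lacking 'access-class ... in' or allowing telnet."""
    findings = []
    for first, last, body in VTY_RE.findall(config):
        block = f"line vty {first} {last}"
        if not re.search(r"^ access-class \S+ in", body, re.M):
            findings.append(("high", f"{block}: no access-class restricting sources"))
        m = re.search(r"^ transport input (.+)$", body, re.M)
        if m and "telnet" in m.group(1).split():
            findings.append(("medium", f"{block}: telnet allowed (plain text)"))
    return findings


def audit(config):
    """Combined audit with 'high' findings first (stable sort keeps file order)."""
    order = {"high": 0, "medium": 1}
    return sorted(audit_snmp(config) + audit_vty(config), key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the constructed config it reports the RW community with no ACL and the first vty range with no access-class as high, and the unrestricted read-only community and the telnet transport as medium; the second vty range passes. Pointing it at a real saved config only needs the file contents passed to `audit()`.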
February 11 2008 (10:00AM By Slimjim100)
Motorola DOCSIS 3.0 Ultra-Broadband Site Online
http://business.motorola.com/ultrabroadbandsolutions/home.html
It's good to see Motorola releasing technical information to the web without the forced login. It looks like they still have plans for both I-CMTS & M-CMTS to support the MSOs with their DOCSIS 3.0 rollout. It would be nice to see more whitepapers listed and maybe some CLI guides too. One of the issues I have had in the past with Motorola's Broadband Products is that there is no real public documentation available (just marketing stuff), whereas Cisco has way too much available and can cause an informational overload or confuse an engineer because features in one version of IOS might not work in another. Anyway check out Moto's site and let me know what you think. DOCSIS 3.0 is coming and the big boys are getting ready to test the waters (some already are now); are you ready to jump in?
February 7 2008 (10:00AM By Slimjim100)
When the 10K meets an older Acterna DSAM….
Recently during an IOS upgrade I found (well, a fellow engineer I work with found) that the older Acterna (now JDSU) DSAM meters failed BPI registration. It was interesting because all the modems on the CMTS worked fine and other meters did not have this issue. Well, after a lot of troubleshooting by myself and other engineers it was found that the newer JDSU meters did not have the same issue. In the end it was that the older meters did not have a valid self-signed certificate and they had to be upgraded via JDSU TAC. Now the prior IOS was 12.3(17b)BC and we upgraded to 12.3(21a)BC and noticed the issue. So just as a warning to other Engineers, you may want to test your older Acterna meters if you upgrade your IOS. If they do not pass BPI/BPI+, just call JDSU and have them add valid certs to the meters. This can be done by hooking the DSAM up to an Ethernet connection with a public IP for the JDSU TAC to access the meter. Basically your meter is fine, and even if you have the BPI fail issue your meter can still work fine with all your normal RF testing, and you could just use a modem to test DOCSIS with till you upgrade the meter.
February 7 2008 (9:00AM By Slimjim100)
Cisco 10012uBR CMTS: Wiring the Beast…
Installing a new Cisco 10k can be a pain on its own, but with the micro (MCX) RF cabling and the DIY cable kits your frustration can peak out. I wanted to make a post with links and info on wiring the Cisco 10K for those that may not have had the fun of this special experience.
What cable set did I order or do I need? Here are some of the choices:
- Dual-shielded cables
- Quad-shielded cables
Now when you order your cable you will hopefully get the 10 color kit, but sometimes you will end up with the 5 color kit, which is harder to get used to.
[Picture from Cisco's site of the 10 color cable]
[Picture of the back of the 10K with line cards]
[Picture of how the cable connects to the 10K]
Now for the recommended wiring of the cable kits:
10 color cable kits
| Universal Cable Holder (1) | | | Universal Cable Holder (2) | | | Universal Cable Holder (3) | | |
| Line Card Port | Cable Color | RF Switch User Defined | Line Card Port | Cable Color | RF Switch User Defined | Line Card Port | Cable Color | RF Switch User Defined |
| US0 | Red | | US10 | Grey | | DS0 | Red | |
| US1 | White | | US11 | Brown | | DS1 | White | |
| US2 | Blue | | US12 | Red | | DS2 | Blue | |
| US3 | Green | | US13 | White | | DS3 | Green | |
| US4 | Yellow | | US14 | Blue | | DS4 | Yellow | |
| US5 | Violet | | US15 | Green | | — | — | |
| US6 | Orange | | US16 | Yellow | | — | — | |
| US7 | Black | | US17 | Violet | | — | — | |
| US8 | Gray | | US18 | Orange | | — | — | |
| US9 | Brown | | US19 | Black | | — | — | |
5 color cable kits
| Universal Cable Holder (1) | | | Universal Cable Holder (2) | | | Universal Cable Holder (3) | | |
| Line Card Port | Cable Color | RF Switch User Defined | Line Card Port | Cable Color | RF Switch User Defined | Line Card Port | Cable Color | RF Switch User Defined |
| US0 | Red | | US10 | Red | | DS0 | Red | |
| US1 | White | | US11 | White | | DS1 | White | |
| US2 | Blue | | US12 | Blue | | DS2 | Blue | |
| US3 | Green | | US13 | Green | | DS3 | Green | |
| US4 | Yellow | | US14 | Yellow | | DS4 | Yellow | |
| US5 | Red | | US15 | Red | | — | — | |
| US6 | White | | US16 | White | | — | — | |
| US7 | Blue | | US17 | Blue | | — | — | |
| US8 | Green | | US18 | Green | | — | — | |
| US9 | Yellow | | US19 | Yellow | | — | — | |
All information in this post is from Cisco's website and the full document can be found here:
http://www.cisco.com/univercd/cc/td/doc/product/cable/ubr10k/ubr10012/frus/ubrmc520.htm
January 28 2008 (10:00AM By Slimjim100)
(Note: this article was written 3 months ago and since then there has been rumor that some vendors have a sub-$100 [in bulk] DOCSIS 3.0 modem)
Is DOCSIS 3.0 Really Here?
Author: Brian Wilson
CISSP, CCNA, CCSE, CCAI, MCP, JNCIA, Network+, Security+
Slimjim100@slimjim100.com
Co-Author: Owen Parsons
CCNA, CCCS, A+, Network+, NCTI Senior Master Technician
docsisdude@gmail.com
So you're an MSO with a DOCSIS network and want to know when you can start moving to DOCSIS 3.0 to gain all the new bells and whistles, including bandwidth, IPv6, & advanced security. DOCSIS 3.0 has the ability to give you 100+Mbps to the customer, new security features, and support for IPv6 so you can save the internet's IP resources. A rather important question remains: are there any vendors already selling DOCSIS 3.0 networks and devices? The answer is not the quick "yes" a vendor's PowerPoint presentation may lead you to believe.
The most profound issue with DOCSIS 3.0 revolves around the modems themselves. There are no true DOCSIS 3.0 modems on the market at this time. All of the vendors have 3.0 (D)ownstream-only modems. This just gives you the downstream channel bonding, but does not have the upstream channel bonding, IPv6, or the security features that make DOCSIS 3.0 so enticing. The other issue that arises is "do the modems they're selling today have the ability to be upgraded to full DOCSIS 3.0?" Well, in short the answer is "no", they will not. The reason for this lack of upgradability is that the Broadcom chipset supporting the 256-bit AES encryption and the additional upstream tuners is not available today. This chipset is needed to implement the security functions required in the DOCSIS 3.0 specification. At this point the chips are not 100% ready, or at least not in mass production. So no matter how bad you want to get your network to DOCSIS 3.0, you are faced with the lack of true DOCSIS 3.0 modems. If you do decide on using pre-DOCSIS 3.0 downstream-only modems you need to make sure the modems you buy are not proprietary and bound to a specific brand of CMTS. If that is the case you would be in a predicament if you ever choose to switch CMTS vendors. Not only would this cause a headache for your customers, but it would create an unnecessary capital investment, as you would have to forklift all the proprietary modems and replace them with newer 100% DOCSIS 3.0 modems.
With these new DOCSIS 3.0 modems slated to cost multiple hundreds of dollars each, this would be an unwelcome PO in your accounting department. So choose your modem carefully and make sure they can be upgraded, or you may be regretting your decision to arrive early at the DOCSIS 3.0 party. Another large obstacle will be the price of the modem. Currently you can buy DOCSIS 2.0 modems in bulk for roughly $40.00USD. These newer DOCSIS 3.0 modems are rumored to initially cost anywhere from $100-$250 each. With a DOCSIS 3.0 modem costing that much it is prohibitively expensive to put one in every home. It's very likely that these modems won't make it to the residential customer anytime soon. The DOCSIS model is built around standards, so nothing is going to stop a power user from going to their local WalMart or BestBuy and paying $250.00USD for a new DOCSIS 3.0 modem. On the other hand, not many users have that kind of money to spend on a modem and there is little justification for stores to even carry them. Why as a consumer would you pay hundreds of dollars more for a modem when the old modem works and is basically free in comparison?
So the question is, how do you transition from your current DOCSIS 1.x/DOCSIS 2.0 network to a full 3.0 network? I don't see the move to DOCSIS 3.0 happening nearly as fast as the industry is buzzing, and it will most likely start with business customers first. These business customers have a more attractive ROI and can justify the capital being spent on them. Once the efficiency of manufacturing gets in place these modems will cost less, but the raw cost of multiple tuners and brand new chips will always make them more expensive than a DOCSIS 2.0 modem. The true cost breakthroughs will come when the raw materials come down in cost: single chips that can replace multiple tuners, more chips being produced, thus further lowering the initial cost to the manufacturer. This is years away, but once it happens the cost per modem will drop; also an MSO's ability to negotiate pricing and buy in bulk will further expedite this process.
I think once the modems are around $60.00 wholesale you will see the MSOs stocking up on them and installing them in residential "power user" homes. The cable industry is in a period of growth with many new technologies providing never-before-seen opportunities. If they want to party it's going to cost them billions to get to the next level, but when they do get there the customer experience will be amazing. Hopefully we will catch up with many of the Asian MSOs and be able to make 100+Mbps just a simple mouse click away.
The 3 Major Players
DOCSIS 3.0
Pros:
- IPv6
- Bandwidth (Downstream 100mbps+ & Upstream 50+mbps)
- 256 bit AES encryption
- SNMP v3
- Channel Bonding (Upstream & Downstream)
- IPDR
- Support IGMPv3
- Multicast QoS
- Improved ability to monitor DOCSIS devices
Cons:
- Availability
- Complexity
- Cost
- Number of vendors
- Having to replace parts of network
- RF bandwidth needed
- RF plant conditions to support higher QAMs
- 2-4 DS carriers have to be adjacent to each other
- Only one of the bonded channels has the MAC/scheduling info inside it
- VoIP Protection currently only on one downstream (not in the edge QAM)
References:
Many vendor presentations (Cisco, Motorola, Bigband, Arris)
Cablelabs listed public specs (www.cablelabs.com)
Google (www.google.com)
January 24 2008 (1:00PM By Slimjim100)
Review: uCertify Network+ PrepKit
By Brian Wilson
CISSP, CCAI, CCNA, CCSE, JNCIA, Security+, Network+, MCP
Slimjim100@slimjim100.com
This is a review of uCertify's Network+ PrepKit available over at www.ucertify.com. The uCertify PrepKit is a quick download from their site. Once you install it on your computer, you have access to the demo version, which gives you some practice questions and limited use of the PrepKit. Upon buying the full PrepKit, you will be sent a license key that will unlock all the questions and features. Now you can get started learning. One of the major advantages of the Network+ PrepKit is the fact that it is more than just a simple study guide. Inside the PrepKit you will find:
- Diagnostic test
- 7 large Practice tests
- Final exam, an Adaptive test
- Ability to create custom tests
- Interactive quiz with 154 questions
- Study notes
- Flash cards
- Articles
- Ability to track your Progress
I recently reviewed the Security+ PrepKit from uCertify and was asked to review the Network+ Guide also. I decided this time I would put it to the test by getting 2 free copies of the PrepKit and having some associates try their hands at the actual CompTIA Network+ Exam. I figured the only real way to test the quality of the PrepKit was to put it to use with 2 people that I knew wanted to study for the CompTIA exam. I recruited the 2 subjects and asked that they only use the uCertify PrepKit to study for their exams. Now I already felt impressed about uCertify's guides (based on my recent review of the Security+ guide), but it was now time to see how it would fare in a live test.
The 2 subjects sat for the exam and both passed with decent scores. I do want to add that both of the test subjects had over 3 years of networking experience. With their experience and the uCertify Network+ PrepKit, they were able to pass the exam and attain the CompTIA Network+ certification. I would also like to note that this was the first IT certification that either of the two candidates had ever attempted. With the proof on the table, I have to endorse the uCertify Network+ PrepKit, as it has proven itself to be the right study guide to pass the Network+ Exam.
BTW, if you would like to buy any of the PrepKits from uCertify use this discount code "BRISON" for 10% off! Thanks for reading my review, and look forward as I plan on reviewing uCertify's Network+ PrepKit very soon.
January 3 2008 (10:00PM By Slimjim100)
Update (4 January 2008 By Slimjim100)
Time to stop the attack of the MAC Clones
First… Happy New Year!!! I have been busy lately chatting with other DOCSIS engineers and assisting/brainstorming with them on newer ways to ID and prevent modem cloning (theft of service). I am sure all DOCSIS Engineers out there know about the different cable modem hacking sites and have their own little ways of minimizing the impact of these criminal services. Now, not to get on a soap box, since I think hacking in its real form is a good thing, but using advanced knowledge to assist others to break the law and steal is not cool at all. Anyway, to the point. While talking with one Engineer friend in particular I found his method to work around flaws in the CMTSs he has to deal with a great idea. Now if you're in a Cisco, Motorola, or an Arris CMTS world you are good to go because they actually enforce BPI+, but some of the other bastard CMTSs (no longer made or supported models) might not implicitly apply DOCSIS 1.1 standards and this can lead to crackers abusing flaws in DOCSIS 1.0's BPI. I will explain in a later post the neat trick my friend did to reduce cloning and theft, but I would like to cover some of the basics to reduce theft of service.
DOCSIS 1.0
- Configure the network to only allow TFTP from the authorized server to avoid rogue config files.
- Set the modem filter to only allow the HFC interface to pull TFTP from your servers.
- Set your SNMP access to only respond to your management network from source IPs on the HFC interface of the modem (not the CPE address space).
- Monitor your devices via SNMP and make sure you track the config file names to the correct MAC addresses.
- Test all DOCSIS devices to make sure they respond to SNMP (if they fail to respond, block the MAC via an ACL).
DOCSIS 1.1
- Do all of the above steps listed.
- If possible, and all devices are DOCSIS 1.1 or above (no DOCSIS 1.0 modems), use the CMTS vendor's command to "Enforce BPI+" and "TFTP Source Verify" (this will not let hacked firmware force the modem to DOCSIS 1.0 BPI).
- Make sure to upgrade all modem firmware to an ECN RFI 02030 load and maintain few version loads to make rogue modem identification easier.
- Enable and set up "Cable Shared Secret" on the DOCSIS interfaces of the CMTS (change your shared secret often, if not monthly).
- If using a Cisco CMTS, enable "Dynamic Shared Secret" so that a dynamic secret key is established at the time the config file is requested.
There are many other methods of preventing hacked, cracked, modified, & cloned modems from stealing service on your network. It is important to try to force BPI+ (DOCSIS 1.1) if possible on your network. With BPI+ the modem's certificates and keys are linked to its MAC address, so a clone cannot match the key value. When the keys fail you will see the cloned modems in a state of Reject(pk), Reject(kek) or Reject(tek). Keep in mind that there are other reasons for a failed BPI+ modem to not come online, and if you have a large number of modems in Reject(pk) first check to make sure the CA root-cert is installed (on Cisco the cert should be a 996-sized cert; if the root-cert is 958 you have a corrupted or incorrect root-cert) and a working NTP server is configured, as the encryption for BPI+, like any encryption, is time sensitive. Another benefit of BPI+ is the fact that the data transmitted from the modems is encrypted, so RF sniffing will be unable to recompile your customers' data, which helps protect their privacy and reduces your liability for their privacy getting breached.
Last but not least you should have scripts available to detect cloned modems and ACLs to block devices not running BPI+. This will eliminate most if not all theft of service on your network and also improve your paying customers' experience.
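The checklist above asks for two things that a script can do on a schedule: track which config file each MAC is really running against what provisioning assigned, and watch for the BPI+ reject states that clones land in. The following is an added example of such a detection pass, not the author's friend's trick and not any vendor's tool. The modem-table snapshot is constructed in a simplified `show cable modem` column order (MAC, IP, interface, MAC state, SID, BPI flag), the MACs, IPs and config file names are made up, and the "observed config file" values stand in for an SNMP poll of docsDevServerConfigFile on the HFC side; the reject(pk) threshold is an assumption that encodes the caveat in the paragraph above (many reject(pk) at once usually means a CMTS root-cert or NTP problem, not a wave of clones).

```python
"""Added example (not from the blog post): clone-detection pass over a saved
CMTS modem-table snapshot plus the provisioning system's MAC -> config-file
mapping. All data below is constructed; the column layout is a simplified
'show cable modem' style and no real network is described."""

from collections import defaultdict

# Constructed snapshot: MAC, IP, interface, MAC state, SID, BPI enabled (Y/N).
SNAPSHOT = """\
0010.9500.4d1e 10.1.0.21  C5/0/U0  online(pt)  1  Y
0010.9500.4d1e 10.1.2.77  C6/0/U1  online(pt)  9  Y
0010.9500.a001 10.1.0.22  C5/0/U0  online      2  N
0010.9500.a002 10.1.0.23  C5/0/U0  reject(pk)  3  Y
0010.9500.a003 10.1.0.24  C5/0/U1  reject(tek) 4  Y
0010.9500.a004 10.1.0.25  C5/0/U1  online(pt)  5  Y
"""

# Constructed provisioning records: MAC -> config file the billing system assigned.
PROVISIONED = {
    "0010.9500.4d1e": "gold.cm",
    "0010.9500.a001": "silver.cm",
    "0010.9500.a002": "silver.cm",
    "0010.9500.a003": "gold.cm",
    "0010.9500.a004": "silver.cm",
}

# Constructed stand-in for polling docsDevServerConfigFile over SNMP (HFC side).
OBSERVED_CONFIG = {
    "0010.9500.4d1e": "gold.cm",
    "0010.9500.a001": "gold.cm",     # silver customer running the gold file
    "0010.9500.a004": "silver.cm",
}

REJECT_STATES = ("reject(pk)", "reject(kek)", "reject(tek)")


def parse_snapshot(text):
    """Parse the whitespace-separated snapshot into one dict per row."""
    rows = []
    for line in text.splitlines():
        mac, ip, iface, state, sid, bpi = line.split()
        rows.append({"mac": mac, "ip": ip, "iface": iface,
                     "state": state, "sid": int(sid), "bpi": bpi == "Y"})
    return rows


def find_clones(rows, provisioned, observed, pk_threshold=10):
    """Return (mac, reason) pairs worth an operator's attention."""
    findings = []
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["mac"]].append(r)

    # 1. The same MAC registered more than once in the same snapshot.
    for mac, regs in by_mac.items():
        if len(regs) > 1:
            where = ", ".join(f"{r['iface']} sid {r['sid']}" for r in regs)
            findings.append((mac, f"registered {len(regs)} times: {where}"))

    # 2. BPI+ key failures. Many reject(pk) at once points at the CMTS
    #    (CA root-cert / NTP) rather than at clones, so that case is one finding.
    pk = [r for r in rows if r["state"] == "reject(pk)"]
    if len(pk) >= pk_threshold:
        findings.append(("*", f"{len(pk)} modems in reject(pk): check CA root-cert and NTP first"))
    else:
        for r in rows:
            if r["state"] in REJECT_STATES:
                findings.append((r["mac"], f"BPI+ failure {r['state']} on {r['iface']}"))

    # 3. Online without BPI on a network that should be enforcing BPI+.
    for r in rows:
        if r["state"].startswith("online") and not r["bpi"]:
            findings.append((r["mac"], "online without BPI"))

    # 4. Config file actually loaded differs from what provisioning assigned.
    for mac, seen in observed.items():
        expected = provisioned.get(mac)
        if expected and seen != expected:
            findings.append((mac, f"config file {seen} but provisioned {expected}"))

    # 5. Modems in the table that provisioning has never heard of.
    for mac in by_mac:
        if mac not in provisioned:
            findings.append((mac, "not in provisioning"))
    return findings


if __name__ == "__main__":
    for mac, reason in find_clones(parse_snapshot(SNAPSHOT), PROVISIONED, OBSERVED_CONFIG):
        print(mac, reason)
```

On the constructed data it reports the MAC registered on two interfaces at once, the two BPI+ reject states, the modem online without BPI, and the silver customer running the gold config file. Feeding it a real snapshot means replacing the three constructed inputs with the CMTS output, the provisioning export and the SNMP poll results; the output is a review list for an operator, not an automatic block.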
Other non-MSO-direct ways to prevent theft of service are to push the vendors to remove all diagnostic ports and access from the modems' internal motherboards and to sign the boot code of the modem to a chipset SN number, so if the boot code was changed the modem would no longer work. This is a very good idea, and with the cost of DOCSIS 2.0 modems so cheap it would be worth the modem costing a few dollars more if it prevented the chances of hacked modems on the plant.
I would say the very last step is to go down hard on cable theft of service and make sure to prosecute, as this will make an example and be a deterrent for others not to try to modify their DOCSIS devices to steal service.
If you have any other ideas on how to prevent and stop theft of service please feel free to e-mail; also feel free to contact me for questions and comments you may have.
slimjim100(at)slimjim100.com
Update (4 January 2008)
Cisco IOS Release 12.3(21)BC introduces a DOCSIS 1.1-compliant and above security enhancement that helps to eliminate denial-of-service (DoS) attacks that are caused by cloned cable modems.
Commands:
Router# cable privacy bpi-plus-enforce
More info linked below:
http://