BCC Configuration Quick Start

Version 5.1

Suite 500 - 375 Water Street Vancouver, BC Canada, V6B 5C6

604.688.4332

CONFIDENTIALITY NOTICE

This document contains confidential and proprietary information belonging exclusively to Incognito Software Inc. The information and data embodied in this document are strictly confidential. It is supplied on the understanding that they will be held confidentially and not disclosed to third parties without the prior written consent of Incognito Software Inc.

Copyright © 2005 Incognito Software Inc. All rights reserved. Address Commander, Broadband Command Center, DNS Commander, Enterprise Command Center, IP Commander, IP Registry Commander, Name Commander, Network Resource Commander (NRC), Registrar Commander, TFTP Commander, and the "Incognito Software Inc." logo are trademarks of Incognito Software Incorporated. All other trademarks are the property of their respective owners.

Published by:

Incognito Software Suite 500 - 375 Water Street Vancouver, BC Canada, V6B 5C6

Telephone:

(604) 688-4332

Fax:

(604) 688-4339

Web: www.incognito.com

Printed in Canada

No part of this publication may be reproduced, stored in a retrieval system, in any form or by any means (photocopying, electronic, mechanical, recording, or otherwise), without permission in writing from the publisher, except by a reviewer who may quote brief passages in a review. This guide may contain dated information. Use of these materials is based on the understanding that this guide may not contain all the information, or the most current information relevant to situation or intended application. Support and update services are available from Incognito Software, by separate written agreement.

Document Last Revised: 2004-09-07

Table of Contents

1 Configuration Overview

2 TFTP Configuration
2.1 Introduction
2.2 General Preparation
2.3 Hardware Preparation
2.4 Software Installation
2.5 Starting the Services
2.6 Software Registration
2.7 TFTP Service Configuration
2.7.1 Slave TFTP Service Configuration
2.7.2 Master TFTP Service Configuration
2.7.2.1 TFTP Cluster Synchronization
2.7.2.2 Enable MULTICAST Integration
2.7.2.3 Service Notifications
2.7.2.4 OTF Configuration File Generator
2.7.2.5 Administrator Accounts

3 DHCP Configuration
3.1 Introduction
3.1.1 CMTS Behavior and DHCP Subnet Determination
3.2 General Preparation
3.3 Hardware Preparation
3.4 Software Installation
3.5 Starting the Services
3.6 Software Registration
3.7 DHCP General Service Configuration
3.7.1 Enable DHCP Failover
3.7.2 Enable Multicast Integration
3.7.3 Enable Time of Day Service
3.7.4 Configure System Wide Defaults
3.7.5 Configure CM Blocking
3.7.6 Configure the MTA Voice Service Classes
3.7.7 Configure the Cable Modem Service Classes
3.7.8 Configure the Client Class Groups
3.7.9 Configure the Cable Modem Container Rule
3.7.10 Configure the MTA Container Rule
3.7.11 Configure the CPE Container Rule
3.7.12 Database Backup Scheduling
3.7.13 Service Notifications
3.7.14 SNMP Integration
3.7.15 Audit Scheduling
3.7.16 Administrator Accounts
3.8 CMTS Specific DHCP Service Configuration
3.8.1 CMTS Configuration
3.8.2 Configure the Networks
3.8.3 Adjacent Network Settings

4 MPS Configuration
4.1 Introduction
4.2 General Preparation
4.3 Hardware Preparation
4.4 Software Installation
4.5 Starting the Services
4.6 Software Registration
4.7 MPS Service Configuration
4.7.1 Basic Provisioning Behavior
4.7.2 Enabling PacketCable Security
4.7.3 Enabling Customer Care Center Integration
4.7.4 Enabling Multicast Integration
4.7.5 Client Class Groups
4.7.6 Configure the Packet Cable Service Classes
4.7.7 Database Backup Scheduling
4.7.8 Service Notifications
4.7.9 SNMP Integration
4.7.10 Administrator Accounts

5 DNS Configuration
5.1 Introduction
5.2 General Preparation
5.3 Hardware Preparation
5.4 Software Installation
5.5 Starting the Services
5.6 Software Registration
5.7 DNS Service Configuration
5.7.1 Configure the secondary DNS service
5.7.2 Dynamic DNS (DDNS)
5.7.3 Templates
5.7.4 DNS Lying (for self-provisioning)
5.7.5 Support Zone Transfers with the Secondary DNS Service
5.7.6 Add Primary Domains
5.7.7 Add KDC Support (PacketCable Security)

6 KDC Configuration
6.1 Introduction
6.2 General Preparation
6.3 Hardware Preparation
6.4 Software Installation
6.5 Starting the Services
6.6 Software Registration
6.7 Service Configuration
6.7.1 Configure KDC License
6.7.2 Configure KDC Configuration File
6.7.3 Configure KDC Service Keys and Certificates

7 Appendix A: Installation Directories and Files
7.1 Solaris & Linux
7.1.1 Solaris & Linux Base Directory
7.1.2 Solaris & Linux Directories
7.1.3 Solaris & Linux Files
7.2 Windows
7.2.1 Windows Base Directory
7.2.2 Service Directories
7.2.3 IMC Directory
7.2.4 Files

8 Appendix B – Interoperability Testing (eMTA device list)
8.1 Motorola
8.1.1 SBV4200 VoIP Cable Modem (CG4D firmware)
8.1.2 SBV4200 VoIP Cable Modem
8.1.3 SBV5120 VoIP Cable Modem
8.1.4 SBV5120E VoIP Cable Modem (Euro)
8.2 Terayon
8.2.1 TA-102X
8.3 Scientific Atlanta
8.3.1 WebStar DPX2203
8.4 Arris
8.4.1 How to install new Service Provider Root certificate
8.5 Packet Cable Secure Flow Template File
8.6 Notes

1 Configuration Overview

Broadband Command Center consists of a number of network services that work together to manage and provision DOCSIS cable modems, PacketCable MTAs, and customer premises equipment (CPE) host devices on a broadband network. These network services include:

1. DHCP

2. DNS

3. TFTP

4. Time of Day

5. MPS – Multimedia Provisioning Service, which includes a PacketCable MTA Device Provisioning Service.

The chapters following this one present a quick step-by-step configuration of the available BCC services to enable the operation of a BCC network.

We recommend you follow the chapters in the order they are listed, and follow the contents of each chapter in the order presented.

The following is the order of the service component chapters in the guide, and the order in which configuration should proceed:

1. TFTP Configuration

2. DHCP Configuration

3. MPS Configuration

4. DNS Configuration

5. KDC Configuration

There are also two appendices that deal with specific technical issues:

Appendix A: Installation Directories and Files

Appendix B: Interoperability Testing (eMTA device list)

2 TFTP Configuration

2.1 Introduction

This chapter defines the procedure for the initial configuration of a single BCC TFTP failover cluster.

2.2 General Preparation

Before beginning to install and set up a BCC TFTP failover cluster, you should be sure to gather the following information and have it available:

1. The IP addresses that will be assigned to each TFTP server.

2. The IP addresses of all BCC DHCP servers that will be deployed (even if they are not currently deployed).

3. One server in the TFTP cluster must be designated as the Master TFTP service. This allows you to make configuration changes to the Master service and have them automatically propagated to the secondary services.

4. The TFTP license keys.

2.3 Hardware Preparation

Up to 255 servers can belong to a single TFTP cluster. Each server must be prepared as follows:

1. The server time has been correctly configured with the local time zone and current date and time.

2. One or more network interface cards have been correctly installed and configured with the static IP address that it will use when deployed on the network.

3. The server’s route table has been configured correctly with persistent routes to the CMTS HFC networks for each CMTS the server will service.

Additionally a management station that meets the following criteria must be prepared or available:

1. One of the following Windows operating systems is installed:

a. Win XP

b. Win 2000

c. Win NT SP6

d. Win 98 Second Edition (SE)

2.4 Software Installation

The TFTP service should be installed on each server according to the installation instructions that are provided with the service software.

Additionally the TFTP Incognito Management Console must be installed on the management station according to the installation instructions that are provided with the management software.

2.5 Starting the Services

The TFTP service must be started on each server by running the following command with root permissions:

Solaris and Linux:

>/etc/init.d/tftpcmdrd start

Windows: services are started from the Windows Service Control Manager (SCM).

2.6 Software Registration

The TFTP service on each server must be registered with the license key provided. To register a license key:

1. Start the Incognito Management Console (IMC) on the management workstation.

2. Select the node labeled “TFTP” in the management console tree view.

3. Click the “Service Select” menu item.

4. Enter the IP address of the server.

5. You will be prompted to modify the Administrator super-user account password to a secure password. Be sure you do not lose this password.

6. Click the “Service Register” menu item.

7. Enter the TFTP license key (it can be copied and pasted from other documents using control-c (copy) and control-v (paste)).

8. Click the OK button.

9. Repeat steps 2 - 8 for each server.

2.7 TFTP Service Configuration

In the TFTP cluster, one TFTP server should be designated as the “Master” service, and all other TFTP services are designated as “Slave” services. General configuration changes can then be made on the Master service and automatically propagated to all Slave services. Additionally, static configuration files can be added to the Master service and automatically propagated to all Slave services. This saves time when initially configuring the services.

Note that the “Master – Slave” designation of services in a TFTP cluster has no impact on TFTP failover, load balancing or dynamic file generation.

2.7.1 Slave TFTP Service Configuration

For each slave TFTP service:

1. Select the “Service Configuration Cluster Synchronization” node in the IMC tree view.

2. Check the “Enable Failover” checkbox.

3. Uncheck the “Primary Server” checkbox.

4. Click the “Save Configuration Changes” button.

2.7.2 Master TFTP Service Configuration

2.7.2.1 TFTP CLUSTER SYNCHRONIZATION

For each slave TFTP service:

1. Select the “Service Configuration Cluster Synchronization” node in the IMC tree view.

2. Check the “Enable Failover” checkbox.

3. Check the “Primary Server” checkbox.

4. Under the list view click the “Add” button and specify the IP address of one of the “slave” TFTP servers. Repeat for each slave TFTP server.

5. Click the “Save Configuration Changes” button.

2.7.2.2 ENABLE MULTICAST INTEGRATION

Multicast integration is required to support TFTP failover, load-balancing, dynamic DOCSIS file generation, and MPS integration.

1. Select the “Service Configuration Multicast Integration” node in the IMC tree view.

2. Note down the Multicast IP address and port. You will need to use this same Multicast IP and port in the other services.

3. Enter the full hostname of the server into the “Locally fully qualified domain name” field. For example, “tftp1.incognito.com.”

4. Enter an arbitrary port that is not currently in use on your server into the “DHCP database synchronization port” field. For example, 9091 is likely not in use.

5. Enter an arbitrary port that is not currently in use on your server into the “MPS database synchronization port” field. For example, 9093 is likely not in use.

6. Click the “Add” button and enter the value 1 (one) to define the multicast group the cluster belongs to.

7. Click “OK”.

8. Click the “Save Configuration Changes” button.

2.7.2.3 SERVICE NOTIFICATIONS

1. Select the “Service Configuration Service Notifications” node in the IMC tree view.

2. The Notification Methods page tab will be visible. Click the “Add” button inside the SNMP trap destination list to add the IP address of a NOC SNMP station that will monitor the TFTP cluster. Repeat for each NOC SNMP station that will monitor the TFTP cluster.

3. On this page you may also select “Email Notifications” and “Enable logging to system logs”. Enter the required information.

4. Click the “OK” button.

5. Click the “Notification Events” page tab.

6. On this page you may select which events should trigger SNMP Trap notifications. It is recommended that you select all events.

7. Click the “Save Configuration Changes” button.

2.7.2.4 OTF CONFIGURATION FILE GENERATOR

1. Select the “Service Configuration OTF Config File Generator” node in the IMC tree view.

2. Select the “CM Config File Generator” tab.

3. Check the “Ignore TLV type number of instances error” checkbox. This will allow the file generator to automatically resolve DOCSIS file setting conflicts using client class priorities, rather than logging an error and refusing to return a configuration file to a client.

4. Click the “Save Configuration Changes” button.

2.7.2.5 ADMINISTRATOR ACCOUNTS

1. Select the “Administrator Accounts” node in the IMC tree view.

2. Add an account that will be used by the MPS to upload MTA configuration files to the server. This account will require “Service Manager” access rights.

3. Select the “Add” button; enable the “Service Manager” account attribute; supply a Login name and Password for this account. Record this username and password information – you will need it to configure the MPS server.

4. Select the “OK” button.

5. Repeat these steps to add accounts with appropriate permissions for each administrator that may configure this server.

3 DHCP Configuration

3.1 Introduction

This chapter defines the procedure for the initial configuration of a single BCC MPS/DHCP failover cluster.

This includes all configuration that does not vary from subnet to subnet or from CMTS to CMTS.

3.1.1 CMTS Behavior and DHCP Subnet Determination

There are two distinct “gateway IP address” values associated with a device:

1. The gateway IP address inserted by a DHCP relay agent into the “giaddr” header field of each DHCP packet it forwards

2. The gateway IP address(es) sent to a client in DHCP option 3 (gateways) by the DHCP service.

On an HFC network, the CMTS is the “DHCP relay agent” and it inserts the first type of gateway IP address, the “giaddr”, into all DHCP packets it forwards.

By default, a DHCP service determines which subnet a device should belong to by the value of the giaddr field found in the client DHCP packet. On HFC networks, this is typically not sufficient for determining which subnet a device should belong to. Additionally, different CMTSs behave differently, or can be configured to behave differently, with respect to how they select which giaddr value to insert into a DHCP packet, as follows:

1. A CMTS may insert the “primary interface” gateway address into all DHCP packets. Typically, this is the subnet intended for cable modems, which means the DHCP service must be configured to push devices which are not cable modems onto another subnet.

2. A CMTS may insert the “primary interface” gateway address into all cable modem DHCP packets, and the first “secondary interface” gateway address into all non-cable modem DHCP packets.

3. A CMTS may be able to differentiate many different devices, and, for example, may insert one gateway address for cable modems, a different gateway address for MTAs, and another gateway address for all other devices.

The behavior of your CMTS will affect the configuration requirements for the DHCP service.

3.2 General Preparation

Before beginning to install and set up a DHCP failover cluster, you should be sure to gather the following information and have it available:

1. The IP addresses that will be assigned to each server.

2. A decision on which server will be designated as the primary server and which will be the secondary server.

3. The DHCP license keys.

3.3 Hardware Preparation

Each DHCP failover cluster consists of two servers: a primary DHCP server and a secondary DHCP server. Each server must be prepared as follows:

1. The server time has been correctly configured with the local time zone and current date and time.

2. One or more network interface cards have been correctly installed and configured with the static IP address to be used when deployed on the network.

3. The server’s route table has been configured correctly with persistent routes to the CMTS HFC networks for each CMTS the server will service.

Additionally a management station that meets the following criteria must be prepared or available:

1. One of the following Windows operating systems is installed:

a. Win XP

b. Win 2000

c. Win NT SP6

d. Win 98 Second Edition (SE)

3.4 Software Installation

The DHCP service should be installed on each server according to the installation instructions that are provided with the service software.

Additionally the DHCP Incognito Management Console must be installed on the management station according to the installation instructions that are provided with the management software.

3.5 Starting the Services

The DHCP service must be started on each server by running the following command with root permissions:

Solaris and Linux:

>/etc/init.d/ipcmdrd start

Windows: services are started from the Windows Service Control Manager (SCM).

3.6 Software Registration

The DHCP service on each server must be registered with the license key provided. To register a license key:

1. Start the Incognito Management Console (IMC) on the management workstation.

2. Select the node labeled “DHCP” in the management console tree view.

3. Click the “Service Select” menu item.

4. Enter the IP address of the server.

5. The default login is “administrator” with password “incognito” (no quotes).

6. You will be prompted to modify the Administrator super-user account password to a secure password. Be sure you do not lose this password.

7. Click the “Service Register” menu item.

8. Enter the DHCP license key (it can be copied and pasted from other documents using control-c (copy) and control-v (paste)).

9. Click the OK button.

10. Repeat steps 2 - 8 for each server.

3.7 DHCP General Service Configuration

Only the primary DHCP service needs to be configured. This is because once failover is enabled the secondary DHCP service will be automatically synchronized with the primary DHCP service.

3.7.1 Enable DHCP Failover

1. Connect to the primary DHCP service.

2. Select the “Service Configuration Failover” node in the IMC tree view.

3. Click the “Initiate Failover” button.

4. When prompted in the wizard, enter the “Secondary server IP address” and click Next.

5. You will be prompted to login to the secondary server. Specify the secondary DHCP service login name and password.

6.

7.

Failover will now be initiated and the DHCP services will automatically be synchronized.

3.7.2 Enable Multicast Integration

Multicast integration must be enabled to support communication between the MPS and TFTP services, including the load-balancing features these services offer.

1. Select the “Service Configuration Multicast Integration” node in the IMC tree view.

2. The Multicast IP address and port number must be the same as was earlier specified for the TFTP service.

3. Enter the full hostname of the server the DHCP service is running on. For example, dhcp1.incognito.com.

4. In the TFTP database synchronization port field enter an arbitrary port that meets the following criteria:

a. The port is not currently in use on your server

b. The port is different from the “Database Synchronization Port” configured on the TFTP service.

For example, 9092 is likely valid.

5. Add a multicast group that this DHCP service will belong to. It does not have to be in the same multicast group as the TFTP service.

6. Click the “Save Configuration Changes” button.

3.7.3 Enable Time of Day Service

1. Select the “Service Configuration Time of Day” node in the IMC tree view.

2. Check the “Enable the time of day service” checkbox.

3. Click the “Save Configuration Changes” button.

3.7.4 Configure System Wide Defaults

1. Select the “Rules Global Template” node in the IMC tree view. This node holds system-wide defaults for DHCP options.

2. If dynamic DNS will be supported for all or most devices, ensure that the following fields are completed from the “General” tab:

a. “Enable automatic DNS updates” is checked

b. The “Dynamic DNS” field contains the IP address of the primary DNS server.

Alternatively, DDNS settings can be configured on a per subnet or client class basis by setting the above data in the Template record that you create and link to the relevant subnet rule(s) and/or client class(es).

3. From the DHCP options tab, enter the following:

a. Modify DHCP option 51 to set the CPE lease time.

b. Move DHCP option 6 (Domain (DNS) Servers) from the Available DHCP Options list to the Selected DHCP Options List, with the data set to the primary DNS server IP address. Add any additional DNS servers to this option data.

c. Add any additional DHCP options that apply to all CPE devices e.g. DHCP Option 12: Hostname may be applied here, or on the more specific templates added later.

Note that you may wish to generate a hostname for only those devices that send a hostname to DHCP (“HOST$” mask); or for every device that negotiates a lease (see the list of hostname masks available).

d. Are gateway IP addresses uniform across the network? For example, is the first address in every subnet the gateway IP address? If so, add DHCP Option 3 (Gateways) with the subnet portion of the IP address set to zeros. For example:

0.0.0.1

The zeroed-out portion of the address will be filled in with a client’s subnet when the client is being provisioned. You will not need to configure any more gateway IP addresses.

4. Click the “Apply” button to save your changes.

3.7.5 Configure CM Blocking

If you do not wish to configure the system to be able to easily block cable modems (e.g. for abusive subscribers or subscribers who have not paid their bills), then this step can be skipped.

1. Select the “DOCSIS File Settings” node in the IMC tree view.

2. Specify “Block” as the name for this DOCSIS File Setting.

3. Select (check) the DOCSIS 1.0 – [3] Network Access setting and set the value to “disabled”.

4. Select (check) the DOCSIS 1.0 – [4] Class of Service – [1] Flow Reference ID and set the value to 1.

5. Click the “Add” button.

6. Select the “Templates” node in the IMC tree view.

7. Specify “Block” as the name for this Template.

8. Select the DHCP Options tab.

9. Double-click on DHCP option 67 (Bootfile). Select “DYNFILE$” from dropdown box as the Creation Mask Token, and then choose “Block” from the list of file settings available. Then click OK. Specify the following value for the boot file and click OK.

10. Click the Add button.

11. Select the “Client Classes” node in the IMC tree view.

12. Specify “Block” as the name for this client class.

13. Select “Block” as the template.

14. Click the Add button.

3.7.6 Configure the MTA Voice Service Classes

If you are not deploying PacketCable MTAs for voice service, this step can be skipped. For each voice (MTA) service class:

1. Select the “DOCSIS File Settings” node in the IMC tree view.

2. Specify the desired service class name as the name for this DOCSIS File Setting.

3. Select (check) the DOCSIS 1.0 – [3] Network Access setting and set the value to “enabled”.

4. Configure the upstream and downstream packet classifiers that capture voice related traffic.

5. Configure the upstream and downstream service flows for this MTA service.

6. Click the “Add” button.

7. Select the “Templates” node in the IMC tree view.

8. Specify the service class name as the name for this Template.

9. Select the DHCP Options tab.

10. Double-click on DHCP option 67 (Bootfile). Select “DYNFILE$” from dropdown box as the Creation Mask Token, and then choose the service class name you created above from the list of file settings available. Then click OK.

11. Double-click on DHCP option 122 (CableLabs Client Configuration Option).

a. Specify the IP address of the primary DHCP service (sub-code 1) and click OK.

b. Click on the “Add” button under the Option Value list view, enter the IP address of the secondary DHCP service (sub-code 2) and click OK.

12. Click the Add button.

13. Select the “Client Classes” node in the IMC tree view.

14. Specify the service name as the name for this client class.

15. Select the template with the service name as the “Template link” for this client class.

16. It is recommended that client class priorities be configured in increments of 100 so that new client classes can be inserted easily in the future. As the priority specify <the number of service classes already configured>*100.

17. Click the Add button.

3.7.7 Configure the Cable Modem Service Classes

For each data (cable modem) service class:

1. Select the “DOCSIS File Settings” node in the IMC tree view.

2. Specify the service class name as the name for this DOCSIS File Setting.

3. Select (check) the DOCSIS 1.0 – [3] Network Access setting and set the value to “enabled”.

4. Configure the upstream and downstream service flows for this data service.

5. Click the “Add” button.

6. Select the “Templates” node in the IMC tree view.

7. Specify the service class name as the name for this Template.

8. Select the DHCP Options tab.

9. Double-click on DHCP option 67 (Bootfile). Select “DYNFILE$” from dropdown box as the Creation Mask Token, and then choose the service class name you created above from the list of file settings available. Then click OK.

10. Click the Add button.

11. Select the “Client Classes” node in the IMC tree view.

12. Specify the service class name as the name for this client class.

13. Select the service class name as the “Template link”.

14. It is recommended that client class priorities be configured in increments of 100 so that new client classes can be inserted easily in the future. As the priority specify <the number of service classes already configured>*100.

15. Click the Add button.

3.7.8 Configure the Client Class Groups

1. Select the “Client Class Groups” node in the IMC tree view.

2. Specify “CM Service” as the name.

3. Click on the “Client Classes” tab.

4. Click on the upper-most “Add” button to bring up the dialog box containing a list of available client classes to add.

5. From the dropdown list, select the client class (e.g. gold, silver, etc) you wish to add to the group, and click “Add”. Repeat until you have all the desired client classes added.

6. When you have added the last one, make sure you click on “Add” to add it, then “Finish”.

7. Click on the bottom-most “Add” button to complete the creation of the Client Class Group.

8. Repeat the above steps for every other client class group that you wish to add. For example, if you had multiple brands of cable modems on your network, you might have a Client Class Group called “Vendors” containing Client Classes for each make & model of cable modem.

3.7.9 Configure the Cable Modem Container Rule

This is a rule which all cable modem subnets will be placed under, and which provides default DHCP option data for cable modems.

First we add the DHCP options template:

9. Select the “Templates” node in the IMC tree view.

10. Specify “CM Default Options” as the name.

11. Select the “DHCP Options” tab.

12. Move DHCP option 2 (Time Offset) from the Available DHCP Options list to the Selected DHCP Options List, with the data set to the time offset for the local time zone.

13. Move DHCP option 4 (Time Server) from the Available DHCP Options list to the Selected DHCP Options List, with the data set to the secondary DHCP server IP address. Add the primary DHCP server IP address as a second Time Server in the list. This allows the secondary server, which is otherwise inactive, to handle time requests by default, while the primary server handles DHCP requests.

14. If a log server will be deployed to capture cable modem log messages, then move DHCP option 7 (Log Server) from the Available DHCP Options list to the Selected DHCP Options List, with the data set to the log server IP address.

15. Move DHCP option 51 (Lease Time) from the Available DHCP Options list to the Selected DHCP Options List, with the data set to the lease time for cable modems.

16. Move DHCP option 66 (TFTP Server) from the Available DHCP Options list to the Selected DHCP Options List, with the data: “255.255.255.1” (no quotes). This is the TFTP cluster ID.

17. Click the Add button.

Next we add the Cable Modem container rule:

18. Select the “Rules” node in the IMC tree view.

19. Specify “CM” as the name.

20. Specify an IP address range (lower and upper limit) that will cover all subnets assigned to cable modems.

21. Specify the default subnet mask for cable modems if applicable.

22. The gateway does not need to be set.

23. Click the “Rule Criteria” tab.

24. Note that this step can be skipped if the CMTS assigns a different gateway IP address (giaddr) to cable modem DHCP packets than the one it assigns to non-cable modem DHCP packets. Otherwise, enter the following as the rule criteria:

OPTIONSTRING(60, docsis*)

25. Select “CM Default Options” as the “template link”.

26. Click the Add button.

3.7.10 Configure the MTA Container Rule

If you are not deploying PacketCable MTAs for voice service, this step can be skipped.

This is a rule which all MTA subnets will be placed under, and which provides default DHCP option data for MTAs.

First we add the DHCP options template:

1. Select the “Templates” node in the IMC tree view.

2. Specify “MTA Default Options” as the name.

3. Ensure that “Enable Automatic DNS Updates” is checked.

4. Ensure that “Inherit DNS Settings” is NOT checked.

5. In the “Dynamic DNS” field enter the IP address of the primary DNS server for the MTA domain.

6. Select the “DHCP Options” tab.

7. Move DHCP option 15 (Domain Name) from the Available DHCP Options list to the Selected DHCP Options List, with the data set to the domain that MTAs will be assigned to.

8. Move DHCP option 122 (PacketCable VoIP (RFC 3495)) from the Available DHCP Options list to the Selected DHCP Options List. At the data prompt, enter the following data and click “OK”:

a. Sub-Code: 3 (TSP’s Provisioning Server Address)

b. Enter data as: Fully Qualified Domain Name (FQDN).

c. Data: the FQDN for the MPS servers.

9. Under the far right-hand side option value list for DHCP option 122, click the “Add” button. At the data prompt, enter the following data and click “OK”:

d. Sub-Code: 6 (TSP’s Kerberos Realm Name)

e. Select the Provisioning Flow Type: Secure Provisioning Flow

f. Data: <MSO’s Kerberos realm name>

10. Click the Add button.

Next we add the MTA container rule:

11. Select the “Rules” node in the IMC tree view.

12. Specify “MTA” as the name.

13. Specify an IP address range (lower and upper limit) that will cover all subnets assigned to MTAs.

14. Specify the default subnet mask for MTAs if applicable.

15. The gateway does not need to be set.

16. Click the “Rule Criteria” tab.

17. Note that this step can be skipped if the CMTS assigns a different gateway IP address (giaddr) to MTA DHCP packets than the one it assigns to non-MTA DHCP packets. Enter the following as the rule criteria:

OPTIONSTRING(60, pktc*)

18. Select “MTA Default Options” as the “template link”.

19. Click the Add button.

20. If you are prompted to create a reverse DNS zone for this rule, select “No”. Answering “yes” assumes that the DNS service is already configured – which at this point in this guide it is not.
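What steps 8 and 9 of the template put on the wire, as an added example (not Incognito code): DHCP option 122 carrying sub-option 3 (provisioning server, FQDN form) and sub-option 6 (Kerberos realm), both encoded as RFC 1035 names as RFC 3495 specifies. The function names are hypothetical; mps1.incognito.com and INCOGNITO.COM are the example values used elsewhere in this guide.

```python
OPTION_CCC = 122           # CableLabs Client Configuration option (RFC 3495)
SUB_PROV_SERVER = 3        # TSP's Provisioning Server Address
SUB_KERBEROS_REALM = 6     # TSP's Kerberos Realm Name
ADDR_TYPE_FQDN = 0         # sub-option 3 type byte: 0 = FQDN, 1 = IPv4


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    out.append(0)
    return bytes(out)


def decode_name(data: bytes) -> str:
    """Decode one RFC 1035 name that must fill `data` exactly."""
    labels, i = [], 0
    while True:
        if i >= len(data):
            raise ValueError("name is not terminated")
        n = data[i]
        if n == 0:
            break
        if n > 63:
            raise ValueError("compression pointer not allowed here")
        label = data[i + 1:i + 1 + n]
        if len(label) != n:
            raise ValueError("label truncated")
        labels.append(label.decode("ascii"))
        i += 1 + n
    if i + 1 != len(data):
        raise ValueError("trailing bytes after name")
    return ".".join(labels)


def sub_option(code: int, payload: bytes) -> bytes:
    if len(payload) > 255:
        raise ValueError("sub-option payload too long")
    return bytes([code, len(payload)]) + payload


def build_option_122(prov_fqdn: str, realm: str) -> bytes:
    """Build option 122 with sub-options 3 (FQDN form) and 6."""
    body = sub_option(SUB_PROV_SERVER,
                      bytes([ADDR_TYPE_FQDN]) + encode_name(prov_fqdn))
    body += sub_option(SUB_KERBEROS_REALM, encode_name(realm))
    if len(body) > 255:
        raise ValueError("option 122 body too long")
    return bytes([OPTION_CCC, len(body)]) + body


def parse_option_122(option: bytes) -> dict:
    """Parse option 122 as captured from a DHCP OFFER/ACK sent to an MTA."""
    if len(option) < 2 or option[0] != OPTION_CCC or option[1] != len(option) - 2:
        raise ValueError("not a well-formed option 122")
    body, i, found = option[2:], 0, {}
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("sub-option header truncated")
        code, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"sub-option {code} truncated")
        if code == SUB_PROV_SERVER:
            if not payload or payload[0] != ADDR_TYPE_FQDN:
                raise ValueError("sub-option 3 is not in FQDN form")
            found["provisioning_server"] = decode_name(payload[1:])
        elif code == SUB_KERBEROS_REALM:
            found["kerberos_realm"] = decode_name(payload)
        else:
            found[code] = payload      # other sub-options kept as raw bytes
        i += 2 + length
    return found


if __name__ == "__main__":
    opt = build_option_122("mps1.incognito.com", "INCOGNITO.COM")
    print(opt.hex(" "))
    print(parse_option_122(opt))
```

Comparing the parsed values from a packet capture against what was entered in the template confirms that MTAs are being pointed at the intended MPS and Kerberos realm.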

3.7.11 Configure the CPE Container Rule

This is a rule which all CPE subnets will be placed under.

1. Select the “Rules” node in the IMC tree view.

2. Specify “CPE” as the name.

3. Specify an IP address range (lower and upper limit) that will cover all subnets assigned to CPEs.

4. The gateway does not need to be set.

5. Click the “Rule Criteria” tab.

6. Note that this step can be skipped if the CMTS assigns a different gateway IP address (giaddr) to cable modem and MTA DHCP packets than the one it assigns to CPE (host) packets. Enter the following as the rule criteria:

NOT OPTIONSTRING(60, docsis*) AND NOT OPTIONSTRING(60, pktc*)

7. Click the Add button.
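The three rule criteria from sections 3.7.9 to 3.7.11, evaluated over raw DHCP option data, as an added example (not Incognito code). It assumes that OPTIONSTRING(60, pattern) is a case-sensitive wildcard match against the whole option 60 value; the function names and sample option values are constructed for illustration.

```python
import fnmatch

PAD, END, VENDOR_CLASS_ID = 0, 255, 60


def parse_options(data: bytes) -> dict:
    """Parse the DHCP options field (the bytes after the magic cookie)."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        # RFC 3396: an option that appears more than once is concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def optionstring(options: dict, code: int, pattern: str) -> bool:
    """Assumed semantics of OPTIONSTRING(code, pattern): wildcard match
    against the whole option value; an absent option never matches."""
    value = options.get(code)
    if value is None:
        return False
    return fnmatch.fnmatchcase(value.decode("latin-1"), pattern)


# Rule name -> criteria, exactly as entered on the "Rule Criteria" tabs.
RULES = [
    ("CM", lambda o: optionstring(o, VENDOR_CLASS_ID, "docsis*")),
    ("MTA", lambda o: optionstring(o, VENDOR_CLASS_ID, "pktc*")),
    ("CPE", lambda o: not optionstring(o, VENDOR_CLASS_ID, "docsis*")
                      and not optionstring(o, VENDOR_CLASS_ID, "pktc*")),
]


def classify(raw_options: bytes) -> str:
    """Return the container rule whose criteria match the packet.

    Option 60 is whatever the client sends, so this classifies devices;
    it does not authenticate them.
    """
    options = parse_options(raw_options)
    # The CPE criteria are the negation of the other two, so exactly one
    # rule always matches.
    return next(name for name, criteria in RULES if criteria(options))


def build_options(fields: dict) -> bytes:
    """Build an options field from {code: value}; used for the samples."""
    out = bytearray()
    for code, value in fields.items():
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples: option 53 is the DHCP message type (1 = DISCOVER).
    samples = {
        "cable modem": build_options({53: b"\x01", 60: b"docsis1.0"}),
        "MTA": build_options({53: b"\x01", 60: b"pktc1.0"}),
        "Windows PC": build_options({53: b"\x01", 60: b"MSFT 5.0"}),
        "no option 60": build_options({53: b"\x01"}),
    }
    for label, raw in samples.items():
        print(f"{label:13s} -> {classify(raw)}")
```

A client that sends no option 60 at all falls through to the CPE rule, which is why the CPE criteria are written as two negations rather than as a third pattern.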

3.7.12 Database Backup Scheduling

1. Select the “Service Configuration Database Backup Scheduling” node in the IMC tree view.

2. Select the days and times you would like the service to automatically back up its databases. You should create a cron job or other script that automatically moves service backups to external storage.

3. Click the “Save Configuration Changes” button.

3.7.13 Service Notifications

1. Select the “Service Configuration Service Notifications” node in the IMC tree view.

2. The Notification Methods page tab will be visible. Click the “Add” button inside the SNMP trap destination list to add the IP address of a NOC SNMP station that will monitor the TFTP cluster. Repeat for each NOC SNMP station that will monitor the TFTP cluster.

3. On this page you may also select “Email Notifications” and “Enable logging to system logs”. Enter the required information.

4. Click the “Notification Events” page tab.

5. On this page you may select which events should trigger SNMP Trap (and other) notifications. It is recommended that you select all events.

6. Click the “Save Configuration Changes” button.

3.7.14 SNMP Integration

1. Select the “Service Configuration SNMP Integration” node in the IMC tree view.

2. In the group box that is labeled “Cable modem (DOCSIS) SNMP configuration:” enter the read community and the write community for managing cable modems.

3. Click the “Save Configuration Changes” button.

3.7.15 Audit Scheduling

1. Select the “Service Configuration Audit Scheduling” node in the IMC tree view.

2. Click the “Enable audits” checkbox.

3. Select which events to audit. In order to maintain a complete IP address trail, it is recommended that the following events be audited:

a. IP address allocations

b. DHCP renews

c. DHCP releases

d. DHCP declines

e. Expired leases

f. Deleted leases

4. Click the “Save Configuration Changes” button.

3.7.16 Administrator Accounts

1. Select the “Administrator Accounts” node in the IMC tree view.

2. Add an account with the appropriate permissions for each administrator that may configure this server.

3. You should at least add an account that will be used by the MPS to configure the DHCP service. Record the account login name and password – you will need to configure it on the MPS server. This account will require the following access rights:

a. Rule (read-only)

b. Template Management

c. HW Mapping Management

d. Static Address Management

e. Client Classes Management

f. View Leases

g. DOCSIS File Settings Management

3.8 CMTS Specific DHCP Service Configuration

This section describes how to configure the DHCP service to support a CMTS and the networks on that CMTS.

3.8.1 CMTS Configuration

In order to support dynamic DOCSIS file generation and provisioning of CPE static addresses through the MPS service, you must configure a CMTS Setting record for each CMTS as follows:

1. Click on the “CMTS Settings” node.

2. Assign a name to the CMTS.

3. Specify the “authorization key” configured on the CMTS. This is the shared secret configured on the CMTS and used to generate the cable modem configuration file (CMTS Message Integrity Check (MIC)).

4. Specify the CMTS DOCSIS version. This is required because all cable modems behind a DOCSIS 1.0 CMTS must be put into DOCSIS 1.0 mode, even if those modems support other versions of DOCSIS.

5. In the “gateway” list specify:

a. Each gateway that the CMTS may assign to a cable modem. This is used to determine which CMTS a cable modem is behind when a DHCP packet is received from that cable modem.

b. Each gateway that may be used for provisioning static addresses for subscriber CPE devices.

6. Click the “Add” button.

3.8.2 Configure the Networks

1. For each cable modem subnet belonging to the CMTS, add one sub-rule to the rule named “CM”, created during the DHCP failover cluster configuration (preparation) phase [2]. This can be easily done by right-clicking on the “CM” rule and clicking the “Create new … rule” menu option from the pop-up context menu. Rename the new rule and specify the appropriate subnet IP address range. No other data needs to be configured on the rule.

2. For each MTA subnet belonging to the CMTS, add one sub-rule to the rule named “MTA”, created during the DHCP failover cluster configuration (preparation) phase [2]. This can be easily done by right-clicking on the “MTA” rule and clicking the “Attach new … rule” menu option from the pop-up context menu. Rename the new rule and specify the appropriate subnet IP address range. No other data needs to be configured on the rule.

3. For each CPE (host/PC) subnet belonging to the CMTS, add one sub-rule to the rule named “CPE”, created during the DHCP failover cluster configuration (preparation) phase [2]. This can be easily done by right-clicking on the “CPE” rule and clicking the “Attach new … rule” menu option from the pop-up context menu. Rename the new rule and specify the appropriate subnet IP address range. No other data needs to be configured on the rule.

3.8.3 Adjacent Network Settings

If the CMTS inserts the primary interface gateway IP address into all DHCP packets, then a set of adjacent network settings must be created as follows (and the Rule Criteria must be specified as shown in sections 3.7.9, 3.7.10 and 3.7.11 of this document):

1. For each cable interface on the CMTS:

a. For each secondary interface on the cable interface:

i. Click the “Service Configuration Adjacent Networks” node in the IMC tree view for the DHCP service.

ii. In the “Add Adjacent Network Entry” dialog specify the primary interface gateway and subnet mask as the first network, and the secondary interface gateway and subnet mask as the second network in the adjacent network pair.

iii. Click the “OK” button.

4 MPS Configuration

4.1 Introduction

This chapter defines the procedure for the initial configuration of a single BCC MPS service.

4.2 General Preparation

Before beginning to install and set up an MPS service, you should be sure to gather the following information and have it available:

1. The IP address that will be assigned to each MPS server.

2. The IP addresses of the servers in the DHCP failover cluster that will be associated with the MPS service. Note that an MPS service MUST be associated with a single DHCP failover cluster. The MPS service can be co-hosted on the DHCP servers.

3. The IP addresses of the servers in the TFTP failover cluster that will be associated with the MPS service. Note that an MPS service MUST be associated with a single TFTP failover cluster. The MPS service can be co-hosted on the TFTP servers.

4. The MPS license keys.

4.3 Hardware Preparation

Each server must be prepared as follows:

1. The server time has been correctly configured with the local time zone and current date and time.

2. One or more network interface cards have been correctly installed and configured with the static IP address that it will use when deployed on the network.

3. The server’s route table has been configured correctly with persistent routes to the CMTS HFC networks for each CMTS the server will service.

Additionally a management station that meets the following criteria must be prepared or available:

1. One of the following Windows operating systems is installed:

a. Win XP

b. Win 2000

c. Win NT SP6

d. Win 98 Second Edition (SE)

4.4 Software Installation

The MPS service should be installed on each server according to the installation instructions that are provided with the service software.

Additionally the MPS Incognito Management Console must be installed on the management station according to the installation instructions that are provided with the management software.

4.5 Starting the Services

The MPS service must be started on each server by running the following command with root permissions:

Solaris and Linux:

>/etc/init.d/mpscmdrd start

Windows: services are started from the Windows Service Control Manager (SCM).

4.6 Software Registration

The MPS service on each server must be registered with the license key provided. To register a license key:

1. Start the Incognito Management Console (IMC) on the management workstation.

2. Select the node labeled “MPS” in the management console tree view.

3. Click the “Service Select” menu item.

4. Enter the IP address of the server.

5. Enter the default user “administrator” and password “incognito”. You will be prompted to modify the Administrator super-user account password to a secure password. Be sure you do not lose this password.

6. Click the “Service Register” menu item.

7. Enter the MPS license key (it can be copied and pasted from other documents using control-c (copy) and control-v (paste)).

8. Click the OK button.

9. Repeat steps 2 - 8 for each server.

4.7 MPS Service Configuration

The first time you log in, the “Welcome” Wizard should appear. If it does not, you can stop the MPS service, delete the contents of its data directory, and restart the MPS service in order to start it in a clean state that will force this wizard to appear at login.

The first screen introduces the wizard; click the “Next” button.

4.7.1 Basic Provisioning Behavior

1. Indicate whether MPS should be responsible for provisioning CM and MTA FQDNs. When MPS provisions an FQDN for a device it creates a Hardware Mapping/Template pair for the device that maps a specific FQDN to the device. This is disabled by default because it is generally not recommended: instead it is recommended that the DHCP service be automatically configured to generate an FQDN for the device based on a dynamic creation mask, such as assigning the device its MAC address as its hostname.

2. Indicate whether to provision unknown MTAs and whether to enable PacketCable security. If you are not provisioning MTAs, then both of these options should be disabled.

3. Click the “Next” button.

4.7.2 Enabling PacketCable Security

If you are not deploying PacketCable MTAs for voice service with the SECURE provisioning flow, this step can be skipped.

1. If you are not using the wizard, you can configure the following data from the “Service Configuration PacketCable Security” node in the IMC tree view:

a. Enter the Kerberos realm for the service.

b. Enter the KDC and MTA Kerberos keys as hexadecimal values representing the binary keys.

c. Click “Next”

4.7.3 Enabling Customer Care Center Integration

This setup guide assumes that we are not integrating with a Customer Care Center. Selecting “No” will skip to the end of the wizard.

4.7.4 Enabling Multicast Integration

Multicast integration must be enabled to support communication between the DHCP and TFTP services, including the load-balancing feature offered by TFTP.

1. Select the “Service Configuration Multicast Integration” node in the IMC tree view.

2. The Multicast IP address and port number must be the same as was earlier specified for the TFTP and DHCP services.

3. Enter the full hostname of the server the MPS service is running on. For example, mps1.incognito.com.

4. In the TFTP database synchronization port field enter an arbitrary port that meets the following criteria:

a. The port is not currently in use on your server

b. The port is different than the “Database Synchronization Port” configured on the TFTP service.

For example, 9095 is likely valid.

5. Add a multicast group that this MPS service will belong to. This can be (but does not have to be) in the same multicast group as the TFTP or DHCP services.

6. Click the “Save Configuration Changes” button.

4.7.5 Client Class Groups

1. Select the “Service Configuration Client Class Groups” node in the IMC tree view.

2. Use the “Add” button for the “CM Client Class Groups” to add the client class groups that will be available to choose client classes from when provisioning Cable Modems. For example, this could be “Quality of Service”, “Vendors”, etc. These groups will show up in the “Data Services” tab when provisioning cable modems through the “Unsubscribed Devices Cable Modems” node.

3. Use the “Add” button for the “Host Client Class Groups” to add the client class groups that will be available to choose client classes from when provisioning CPEs. These groups will show up in the “DHCP Services” tab when provisioning hosts through the “Unsubscribed Devices Hosts” node.

4. Click on “Save Configuration Changes”.

4.7.6 Configure the Packet Cable Service Classes

If you are not deploying PacketCable MTAs for voice service, this step can be skipped.

1. Select the “Service Configuration Packet Cable Service Classes” node in the IMC tree view.

2. Under the “General” tab, enter a name for this service class.

3. Select the “Members” tab.

4. The membership for this service class will control which template the MTA devices will be able to download. Membership is based on one of the following:

a. The strings for Vendor, Model, Hardware Version, Software Version and the GIADDR of the CMTS the MTA is connected through.

b. A list of MTA hardware addresses.

5. Select the “Configuration File Settings” tab.

6. Make sure the “configure settings for dynamically generated file” box is checked.

7. Click on the “Basic Packet Cable Settings Wizard” button.

a. Enter the full hostname of the Call Management system at the MSO site. For example: cms.incognito.com.

b. The default UDP port (2427) should be sufficient.

c. Enter the Kerberos realm at the MSO site.

d. Enter the Organization name, which would be the telephony service provider name that the MSO has registered with the PacketCable Service Provider Certificate purchased through Verisign.

8. The “Configuration file contents” area of the wizard should then look similar to below:

TLV11 PKTC-MTA-MIB pktcMtaDevEnabled=true
TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentId-9="CMS.INCOGNITO.COM"
TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort-9=2427
TLV11 PKTC-MTA-MIB pktcMtaDevCmsIpsecCtrl-CMS.INCOGNITO.COM=true
TLV11 PKTC-MTA-MIB pktcMtaDevCmsKerbRealmName-CMS.INCOGNITO.COM="INCOGNITO.COM"
TLV11 PKTC-MTA-MIB pktcMtaDevRealmOrgName-INCOGNITO.COM="Amazing Incognito Telephony System"

9. Click the “OK” button.

10. Enter any additionally required MIB data under the “Mib Modules” tree.

11. Click the “Add” button.

4.7.7 Database Backup Scheduling

1. Select the “Service Configuration Database Backup Scheduling” node in the IMC tree view.

2. Select the days and times you would like the service to automatically back up its databases. You must create a cron job or other script that automatically moves service backups to external storage, to avoid filling the server hard drive.

3. Click the “Save Configuration Changes” button.

4.7.8 Service Notifications

1. Select the “Service Configuration Service Notifications” node in the IMC tree view.

2. The Notification Methods page tab will be visible. Click the “Add” button inside the SNMP trap destination list to add the IP address of a NOC SNMP station that will monitor the TFTP cluster. Repeat for each NOC SNMP station that will monitor the TFTP cluster.

3. On this page you may also select “Email Notifications” and “Enable logging to system logs”. Enter the required information.

4. Click the “Notification Events” page tab.

5. On this page you may select which events should trigger SNMP Trap notifications. It is recommended that you select only the following events:

a. License Exceeded

b. Service Starting

c. Service Stopping

d. Service Paused

e. Service Resumed

f. Low Diskspace

g. DHCP login failed

h. TFTP upload failed

6. Click the “Save Configuration Changes” button.

4.7.9 SNMP Integration

1. Select the “Service Configuration SNMP Integration” node in the IMC tree view.

2. In the group box that is labeled “Specify the community strings used when the service sends SNMPv2 GET and SET messages:” enter the read community name and the write community name for managing cable modems.

3. Click the “Save Configuration Changes” button.

4.7.10 Administrator Accounts

1. Select the “Administrator Accounts” node in the IMC tree view.

2. Add an account with the appropriate permissions for each administrator that may configure this server.

5 DNS Configuration

5.1 Introduction

This chapter defines the procedure for the initial configuration of a single BCC DNS cluster.

5.2 General Preparation

Before beginning to install and set up a DNS cluster, you should be sure to gather the following information and have it available:

1. The IP addresses that will be assigned to each DNS server.

2. The IP addresses of the servers in the DHCP failover cluster, if supporting dynamic DNS.

3. The DNS license keys.

5.3 Hardware Preparation

Each server must be prepared as follows:

1. One or more network interface cards have been correctly installed and configured with the static IP address that it will use when deployed on the network.

2. The server’s route table has been configured correctly with persistent routes to the CMTS HFC networks for each CMTS the server will service.

Additionally a management station that meets the following criteria must be prepared or available:

1. One of the following Windows operating systems is installed:

a. Win XP

b. Win 2000

c. Win NT SP6

d. Win 98 Second Edition (SE)

5.4 Software Installation

The DNS service should be installed on each server according to the installation instructions that are provided with the service software.

Additionally the DNS Incognito Management Console must be installed on the management station according to the installation instructions that are provided with the management software.

5.5 Starting the Services

The DNS service must be started on each server by running the following command with root permissions:

Solaris and Linux:

>/etc/init.d/dnscmdrd start

Windows: services are started from the Windows Service Control Manager (SCM).

5.6 Software Registration

The DNS service on each server must be registered with the license key provided. To register a license key:

1. Start the Incognito Management Console (IMC) on the management workstation.

2. Select the node labeled “DNS” in the management console tree view.

3. Click the “Service Select” menu item.

4. Enter the IP address of the server.

5. Enter the default user “administrator” and password “incognito” (no quotes). You will be prompted to modify the Administrator super-user account password to a secure password. Be sure you do not lose this password.

6. Click the “Service Register” menu item.

7. Enter the DNS license key (it can be copied and pasted from other documents using control-c (copy) and control-v (paste)).

8. Click the OK button.

9. Repeat steps 2 - 8 for each server.

5.7 DNS Service Configuration

5.7.1 Configure the secondary DNS service

1) If you wish to set up a DNS that will be a secondary to your primary DNS:

1. Log in to the secondary DNS service.

2. Select the “Service Configuration Transfer” node in the IMC tree view.

3. Check the “Enable zone transfers” checkbox if it is not already checked.

4. Set the “Incremental zone transfer” drop down list to “Incoming and Outgoing”.

5. Set the “Notify delay” drop down list to “60”

6. Select the “Secondary Domains” node in the IMC tree view.

7. Click on the “Notify” tab.

8. Add the IP address of the primary DNS server to the “Domain Notify Preferences” list.

9. Click the “Apply” button.

10. Save the other configuration changes that are pending with Ctrl+S.

11. Logout from the secondary DNS server.

12. You will now need to stop and restart the secondary DNS service.

The remaining steps in the following sections are all executed on the primary DNS server.

5.7.2 Dynamic DNS (DDNS)

2) Enable dynamic DNS:

1. Select the “Service Configuration Transfer” node in the IMC tree view.

2. Set the “Allow dynamic updating (DDNS)” drop down list to “Incoming only”.

3. Check the “DDNS synchronize reverse zone” checkbox.

4. Check the “DDNS update forwarding” checkbox.

5. If you have a DNS service that you wish to act as a secondary for this DNS:

1. Check the “Enable zone transfers” checkbox if it is not already checked.

2. Set the “Incremental zone transfer” drop down list to “Incoming and Outgoing”.

3. Set the “Notify delay” drop down list to “60”

6. Select the “Primary Domains” node in the IMC tree view.

7. Click on the “DDNS Sources” tab.

8. Add the IP address of the DHCP service(s) to the “Dynamic DNS Sources Preferences” list.

9. Click the “Apply” button.

10. Save the configuration changes.

11. Logout from the primary DNS server.

12. You will now need to stop and restart the primary DNS service.

13. Log back into the primary DNS server through the IMC.

5.7.3 Templates

3) In order to ensure that when domains are created, the correct nameservers are associated with the newly created domain, both the GlobalDomain Template and DefaultInAddr Templates must be configured properly.

1. Select and expand the “Domain Templates” node in the IMC tree view.

2. Select the “GlobalDomain Template”.

3. Check the “Automatically synchronize Pointer (PTR) records” checkbox.

4. Select the “Zone Properties” tab.

5. Change the “Serial Format” to be “Date Format”.

6. Select the “Resource Records” tab.

7. There should already be an NS record for the primary DNS server, which should be fully qualified. (e.g. ns1.incognito.com.). Use the “Add” button to add resource records of Type NS, with the Name left blank, putting in the name(s) of the secondary DNS server(s) in the “Host Name of the Name Server” field. Ensure that the hostname you enter is fully qualified and ends with a period. Perform this step for each secondary DNS server you have.

8. Click “Apply”

9. Select the “Default InAddr Template” node from the IMC tree view, and repeat steps 4. through 7.

5.7.4 DNS Lying (for self-provisioning)

4) If you want to enable DNS Lying (for self provisioning support):

1. Select the “Service Configuration DNS Lying” node in the IMC tree view

2. Click the Add button

3. In the “IP Range to Lie To” field, add the subnet that will be dedicated to unknown CPE (not cable modem) devices that can self-provision.

4. In the “Resource Record Query to Lie to” box, specify an asterisk (*) in the “Name” field. Type should be left at “A Address”.

5. In the “Answer” box, specify the FQDN of the self-provisioning website in the “Name” field, and the IP address of the self-provisioning website in the IP address field.

6. Click the “Add” button at the bottom of the dialog box to close it.

7. Click the “Save Configuration Changes” button.

5.7.5 Support Zone Transfers with the Secondary DNS Service

5) If you have configured a secondary DNS service, you must specify the zone transfer defaults:

1. Select the “Primary Domains” node in the IMC tree view.

2. Click on the “Notify” tab.

3. Add the IP address of the secondary DNS server to the “Domain Notify Preferences” list.

4. Click the “Apply” button.

5. Click on the “Transfer” tab.

6. Add the IP address of the secondary DNS server to the “Hosts which can Request Zone Transfers” list.

7. Click the “Apply” button.

5.7.6 Add Primary Domains

6) To add domains for cable modems, MTAs and/or CPEs:

1. Select the “Primary Domains” node in the IMC tree view.

2. Click on the “Add Primary Domain” tab, if it is not already focused.

3. Enter the “Domain name”, for example:

cablemodems.com mtas.com cpes.com

4. Choose to “Create Domain from Template” and select the “GlobalDomainTemplate.”

5. Click the Add button.

6. Select and right-click on the newly created domain that has appeared below the “Primary Domains” node (you may have to refresh the Primary Domains view to see the new domain).

7. Click on the “Generate In-Addr.Arpa” menu item from the pop-up context menu.

8. Add the subnet addresses for the subnets that devices with FQDNs in this domain may belong to, and click the “OK” button.

5.7.7 Add KDC Support (PacketCable Security)

7) If you will be supporting PacketCable Security, configure the Kerberos realm domain, KDC Server Location record and KDC Address record:

1. Follow step #5 above to add a primary for the Kerberos realm being used (for example, IPFONIX.COM).

2. The Kerberos realm domain (e.g. IPFONIX.COM) node should now be selected in the tree view. Click on the “Configuration” tab.

3. Click the “Add Resource Records” button.

4. From the “Type” drop down list select “SRV Service Location”.

5. In the “Name” field enter “_kerberos._udp.” (no quotes)

6. In the data group box:

1. In the priority and weight fields enter 0.

2. In the Port field enter “88” (no quotes).

3. In the Name field enter the FQDN of the KDC service, for example:

“kdc.testlab.com.” (no quotes)

7. Select the domain that the KDC service belongs to. If the domain does not yet exist, follow step #5 above to create it.

8. Click on the “Configuration” tab.

9. Click the “Add Resource Records” button.

10. In the “Name” field enter the hostname of the KDC service (for example “kdc” (no quotes)).

11. In the IP Address field enter the IP address of the KDC service.

12. Click the “OK” button.

6 KDC Configuration

6.1 Introduction

This chapter defines the procedure for the initial configuration of a BCC KDC service.

6.2 General Preparation

Before beginning to install and set up a KDC service, you should be sure to gather the following information and have it available:

1. The fully qualified domain name for the MPS service(s).

2. The service keys shared with the MPS service(s).

3. The KDC license keys.

6.3 Hardware Preparation

Each server must be prepared as follows:

1. The server time has been correctly configured with the local time zone and current date and time.

2. One or more network interface cards have been correctly installed and configured with the static IP address that it will use when deployed on the network.

3. The server’s route table has been configured correctly with persistent routes to the CMTS HFC networks for each CMTS the server will service.

Additionally a management station that meets the following criteria must be prepared or available:

1. One of the following Windows operating systems is installed:

a. Win XP

b. Win 2000

c. Win NT SP6

d. Win 98 Second Edition (SE)

6.4 Software Installation

The KDC service should be installed on each server according to the installation instructions that are provided with the service software.

Additionally the KDC Incognito Management Console must be installed on the management station according to the installation instructions that are provided with the management software.

6.5 Starting the Services

The KDC service must be started on each server by running the following command with root permissions:

Solaris and Linux:

>/etc/init.d/kdcwrapper start

Windows: services are started from the Windows Service Control Manager (SCM).

6.6 Software Registration

Note that the KDC service has both a “license key” (for the “KDC wrapper service”) and a “license file” (for the core KDC service).

The KDC service on each server must be registered with the license key provided. To register a license key:

1. Start the Incognito Management Console (IMC) on the management workstation.

2. Select the node labeled “MPS” in the management console tree view.

3. Click the “Service Select” menu item.

4. Enter the IP address of the server.

5. You will be prompted to modify the Administrator super-user account password to a secure password. Be sure you do not lose this password.

6. Click the “Service Register” menu item.

7. Enter the KDC license key (it can be copied and pasted from other documents using control-c (copy) and control-v (paste)).

8. Click the OK button.

9. Repeat steps 2 - 8 for each server.

6.7 Service Configuration

6.7.1 Configure KDC License

1. Select the KDC License node in the KDC Wrapper IMC tree view.

2. Click the Set button and point to where the KDC license file resides on disk, then wait until you get a notification about the KDC restart status (pop-up window).

6.7.2 Configure KDC Configuration File

Two configuration parameters are required: interface address and FQDN.

1. Select the KDC Configuration File node in the KDC Wrapper IMC tree view.

2. On the right-hand side, enter the parameter pair: Parameter Name = interface address, Parameter Value = <IP address of KDC server in dotted decimal notation, e.g. 192.168.75.83>

3. Enter the parameter pair: Parameter Name = FQDN, Parameter Value = <fully qualified domain name for KDC, e.g. kdc.incognito.com>

4. Configure any other parameters needed (for information on all configuration parameters, see the IPfonix PacketCable KDC User Guide PDF file).

5. Click the Set button, then wait for the notification about KDC restart status (pop-up window).


Alternatively, if you already have a KDC configuration file, kdc.ini (e.g. from a previous installation of KDC on the same box), you can:

1. Click the Set Config from a File button and point to where the kdc.ini file resides on disk, then wait for the notification about KDC restart status (pop-up window).

6.7.3 Configure KDC Service Keys and Certificates

Testing certificates are installed automatically, as is the private RSA key associated with the KDC certificate. For a production environment, however, a new set of certificates is needed.

To install a new set of certificates and the KDC RSA private key:

1. Select the Keys and Certificates node in the KDC Wrapper IMC tree view.

2. In the Certificates pane on the right-hand side, check all 5 boxes.

3. Click the Set button and point to where the certificates reside on disk, then wait for the notification about KDC restart status (pop-up window).

4. Click the Set button in the Private RSA Key pane and point to where the KDC RSA private key resides on disk, then wait for the notification about KDC restart status (pop-up window).

To install a Service Key:

1. Select the Keys and Certificates node in the KDC Wrapper IMC tree view.

2. From the drop-down list, select the Service Key Name: mtaprovsrvr, mtafqdnmap or cms. mtaprovsrvr designates the provisioning service key, mtafqdnmap designates the MTA MAC to FQDN mapping service key, and cms designates the call management service key. The mtaprovsrvr and mtafqdnmap service keys must have the same value as the keys configured in MPS (see the Enabling PacketCable Security in MPS configuration section).

3. Enter values for all of Server FQDN, Realm, KDC Service Key, and KDC Key Version.

4. Click the Set button, then wait for the notification about KDC restart status (pop-up window).


7 Appendix A: Installation Directories and Files

7.1 Solaris & Linux

7.1.1 Solaris & Linux Base Directory

The install packages will prompt you for the base directory for the installation; by default it is “/usr/local”.

7.1.2 Solaris & Linux Directories

Windows Interface Installs: <basedir>/lib/incognito/

Service stop/start scripts: /etc/init.d/

Service Executable: <basedir>/sbin

CLI: <basedir>/bin

Documentation: <basedir>/doc/incognito/

IMC Windows InstallShield: <basedir>/lib/incognito/

Service data directory: <basedir>/lib/<service>/data

where <service> is one of mpscmdr (MPS), ipcmdr (DHCP), tftpcmdr (TFTP), dnscmdr (DNS) or kdc

7.1.3 Solaris & Linux Files

The following service stop/start scripts are located at /etc/init.d

ipcmdrd (DHCP)

tftpcmdrd (TFTP)

dnscmdrd (DNS)

mpscmdrd (MPS)

kdcwrapper (KDC)

CLIs are located at <basedir>/bin

ipcli (DHCP)

dnsctl (DNS)

mpscli (MPS)

Windows Interface Installs are located at <basedir>/lib/incognito:

DHCPIMC_<version>.exe

TFTPIMC_<version>.exe

DNSCmdrIMC_<version>.exe

MPSCmdrIMC_<version>.exe

KDC_Wrapper_IMC_<version>.exe

Documentation (release notes, guides, etc) is located at <basedir>/doc/incognito/


7.2 Windows

There are no service stop/start scripts, services are stopped and started from the Windows Service Control Manager (SCM), also known as the “Services” applet in the Windows “Control Panel”.

7.2.1 Windows Base Directory

The install packages will prompt you for the base directory for the installation, by default it is c:\Program Files\Incognito Software\NT.

7.2.2 Service Directories

The service directories contain the service executable, as well as the service data sub-directory. The service data directory contains the service databases, configuration file, and log files.

<basedir>/IPCmdr (DHCP)

<basedir>/TFTPCmdr (TFTP)

<basedir>/DNS (DNS)

<basedir>/MPSCmdr (MPS)

c:\kdc (KDC)

7.2.3 IMC Directory

Client executables (Incognito Management Console (IMC), command line interfaces, IMC snap-ins, etc) and documentation are located in the IMC directory at:

<basedir>\IMC\

7.2.4 Files

Service executables are located in the base installation directory as follows:

IPCmdr\dipsvc.exe (DHCP)

TFTPCmdr\tftpsvc.exe (TFTP)

DNS\dnssvc.exe (DNS)

DPCmdr\mpssvc.exe (MPS)

Command line interfaces are located in the IMC directory:

ipcli.exe (DHCP)

dnsctl.exe (DNS)

mpscli.exe (MPS)

Incognito Management Console (IMC) is located in the IMC directory:

IMC.exe

IMC Snap-ins are located in the IMC directory:

ipcmd.dll (DHCP)

tftpcmd.dll (TFTP)

dnscmd.dll (DNS)

mpscmd.dll (MPS)

KDCWrapper.dll (KDC)


8 Appendix B – Interoperability Testing (eMTA device list)

This appendix lists the embedded MTA devices that have undergone successful interoperability testing with Multimedia Provisioning Service. Devices are sorted by vendor, and the hardware, software, and boot revisions are included for each. Only the most recent revision of each device is listed; older revisions are supported as well. For each device model, the corresponding MPS template file used during testing is provided. The provided template files are sufficient for device provisioning; no voice settings (e.g. from SPM) are needed. Where applicable, the procedure for installing a new Service Provider CA Root certificate is detailed for each device.

Service Provider CA Root certificate used during interoperability testing was:

1) in domestic PacketCable Secure mode:

* all devices except Arris eMTAs: IPfonix Service Provider Root

* Arris eMTAs: testing CableLabs Service Provider Root

2) in Euro PacketCable Secure mode: tComLabs Service Provider Root

8.1 Motorola

8.1.1 SBV4200 VoIP Cable Modem (CG4D firmware)

BTI Software Version: CG4D_05.4.01

Provisioning Flow Mode: Quasi-Hybrid (PacketCable w/out KDC and w/out hash setting mode)

Template file contents:

# PacketCable MTA MIB required device attributes

TLV11 PKTC-MTA-MIB pktcMtaDevEnabled[0] = 1

# pktcMtaDevSnmpEntity must be present, and must be a NULL string

TLV11 PKTC-MTA-MIB pktcMtaDevSnmpEntity[0] = ""

# These are the recommended settings for this system config with 10 ms packetization
# period.
TLV11 btiTALineNomJitterBufferSizeVoice[0] = 15
TLV11 btiTALineMaxJitterBufferSizeVoice[0] = 30
TLV11 btiTALineNomJitterBufferSizeNonVoice[0] = 15
TLV11 btiTALineMaxJitterBufferSizeNonVoice[0] = 30

# set btiQosType to 1 for Single-Phase Commit Dynamic Upstream only (5.X with
# DQos-lite Disabled)
TLV11 btiQosType[0] = undefined

# set btiCmtsType
TLV11 btiCmtsType[0] = motorolaRD

# set btiCallAgentMfg
TLV11 btiCallAgentMfg[0] = undefined

# set btiSignallingProtocol
TLV11 btiSignallingProtocol[0] = limitedNCS1dot0

# set btiEndpointNameBase (default: use line numbers 1 - 4)
TLV11 btiEndpointNameBase[0] = 2

# set btiUsePiggybacking true=1 for Safari
TLV11 btiUsePiggybacking[0] = 1

# set No Inband Signaling for Safari
TLV11 btiSignalling[0] = noInbandSignalling

# Change the Max Waiting Delay for sending RSIPs to 10 seconds for all lines
# Do these mibs sets first so the RSIPs are not sent before changing these!
# NOTE: line 1 = [101], line 2 = [102]
REPEAT TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigMWD[101] = 10

# set pktcNcsEndPntConfigCallAgentId for line #1
REPEAT TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentId[101] = "ca@mps.incognito.com"

# set pktcNcsEndPntConfigCallAgentUdpPort for line #1
REPEAT TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort[101] = 2727

#===========================================================
# START: MTA DEBUG MIB Objects
#===========================================================
TLV11 btiDebug[0] = 0x0b 0x05 0x02 0x00 0x00 0x00 0x05
TLV11 btiTALineXgcpAdminStatus[1] = 1
TLV11 btiTALineXgcpAdminStatus[2] = 1

8.1.2 SBV4200 VoIP Cable Modem

Hardware Revision: 1.0

Software Revision: SBV4200-07.2.06-ENG00-FATSH

Boot Revision: 1.0

Provisioning Flow Mode: PacketCable Secure

Template File: see PacketCable Secure Flow Template File

8.1.3 SBV5120 VoIP Cable Modem

Hardware Revision: 1.0

Software Revision: SBV5120-2.9.1.0-SCM27-SHPC

Boot Revision: 8.2

Provisioning Flow Mode: PacketCable Secure & Hybrid 1 and 2

Template File: see PacketCable Secure Flow Template File


8.1.4 SBV5120E VoIP Cable Modem (Euro)

Hardware Revision: 1.0

Software Revision: SBV5120E-2.9.1.0-SCM22-SHPC

Boot Revision: 8.2

Provisioning Flow Mode: Euro PacketCable Secure & Hybrid 1 and 2

Template File Contents:

# IETF MTA MIB required device attributes

TLV11 PKTC-IETF-MTA-MIB pktcMtaDevEnabled[0] = 1

# if this template file is used for devices in PacketCable Hybrid 1 or 2 mode,

# following line can be commented out

TLV11 PKTC-IETF-MTA-MIB pktcMtaDevRealmName[1] = "TCOMLABS.COM"

# if this template file is used for devices in PacketCable Hybrid 1 or 2 mode,

# following line can be commented out

TLV11 PKTC-IETF-MTA-MIB pktcMtaDevRealmOrgName[1] = "cableProvider"

# if this template file is used for devices in PacketCable Hybrid 1 or 2 mode,

# following line can be commented out

TLV11 PKTC-IETF-MTA-MIB pktcMtaDevCmsKerbRealmName[1] = "TCOMLABS.COM"

TLV11 PKTC-IETF-MTA-MIB pktcMtaDevCmsFqdn[1] = "mps.incognito.com"

TLV11 PKTC-IETF-MTA-MIB pktcMtaDevCmsIpsecCtrl[1] = 2

# Change the Max Waiting Delay for sending RSIPs to 10 seconds for all lines
TLV11 PKTC-IETF-SIG-MIB pktcNcsEndPntConfigMWD[9] = 10
TLV11 PKTC-IETF-SIG-MIB pktcNcsEndPntConfigMWD[10] = 10

# Set UDP Port# for NCS Signaling
TLV11 PKTC-IETF-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort[9] = 2727
TLV11 PKTC-IETF-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort[10] = 2727

# Set Call Agent IP address for NCS Signaling
TLV11 PKTC-IETF-SIG-MIB pktcNcsEndPntConfigCallAgentId[9] = "ca@mps.incognito.com"
TLV11 PKTC-IETF-SIG-MIB pktcNcsEndPntConfigCallAgentId[10] = "ca@mps.incognito.com"

How to install new Service Provider Root certificate (SBV5120 and SBV5120E)

Telnet to CM: telnet <CM IP Address> (password is needed, most likely “mtrl”)

Go to MTA CONSOLE: mta_console

MAIN> mta_console
mta_console
MTA DEBUG CONSOLE
mta_console>

Use iptele_dld command to download new root certificate:

mta_console> iptele_dld
iptele_dld
Download IP Telephony Root Certificate from TFTP server
Enter the TFTP Server IP address and File Name in Following format:
<TFTP Server IP> <File Name>
Example: 172.1.1.6 certificate.cer

8.2 Terayon

8.2.1 TA-102X

Hardware Revision: 9.0

Software Revision: 6.5.4.v

Boot Revision: 3.3

Provisioning Flow Mode: PacketCable Secure

Template File: see PacketCable Secure Flow Template File

How to install new Service Provider Root certificate

Access CM CLI by connecting hardware dongle to line port 1 or 2:

Entering CableModem CLI
Starting CLI with security level: MAINTENANCE
L2K ##

Configure unit that on the next reboot it should go to MTA CLI:

L2K ## mta cli set 1
MTA CLI will be operated next reboot
L2K ##

Reboot CM:

reboot 0

In MTA CLI, go to config/sec menu:

$/admin> config
$/admin:config> sec
$/admin:config:sec>

Use kdcRoot command to select which root certificate to use:

$/admin:config:sec> kdcRoot ?
kdcRoot: Select the root X.509 cert to work with
Usage: kdcRoot 0|1|2|3|4
cert : Root cert type
0 : IPFONIX
1 : PacketCable
2 : Alopa
3 : IPCable
4 : CableLabsTest

8.3 Scientific Atlanta

8.3.1 WebStar DPX2203

Hardware Revision: 1.1

Software Revision: v2.0.1r1133-0108

Boot Revision: 2.1.5

Provisioning Flow Mode: PacketCable Secure & PacketCable w/out KDC

Template File: see PacketCable Secure Flow Template File

How to enable telnet and install new Service Provider Root certificate

Telnet

Add the following 3 TLVs to the DOCSIS TLV Definitions database, under DOCSIS 1.0 - TLV 43 (Vendor Specific Information):

add tlvdefinition TelnetEnable parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 106 mandatory no configurable yes maxinstance 1 datatype binary

add tlvdefinition "Telnet Login Name" parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 107 mandatory no configurable yes maxinstance 1 datatype string

add tlvdefinition "Telnet Password" parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 108 mandatory no configurable yes maxinstance 1 datatype string

Create DOCSIS File Setting that contains above TLVs configured as follows:

TLVCODE: 43.106:1 TLVDATA: 01 (01 means enable telnet access, 00 means disable telnet access (default))

TLVCODE: 43.107:1 TLVDATA: <login name>

TLVCODE: 43.108:1 TLVDATA: <login password>


TLVCODE: 43.8:1 TLVDATA: <first 3 bytes of MTA MAC address>

Then create a client class for the Scientific Atlanta MTAs that contains the above DOCSIS File Setting.

SP Root Certificate

Add the following 4 TLVs to the DHCP Service DOCSIS TLV Definitions database, under DOCSIS 1.0 - TLV 43 (Vendor Specific Information):

add tlvdefinition CertDownloadAction parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 16 mandatory no configurable yes maxinstance 1 datatype binary

add tlvdefinition CertificateTFTP parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 17 mandatory no configurable yes maxinstance 1 datatype ipaddress

add tlvdefinition CertificateDate parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 18 mandatory no configurable yes maxinstance 1 datatype binary

add tlvdefinition CertificateName parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 19 mandatory no configurable yes maxinstance 1 datatype string

Create DOCSIS File Setting that contains above TLVs configured as follows:

TLVCODE: 43.16:1 TLVDATA: 16

(note the above 16 is in hex, in decimal this is value 22, and it tells what cert(s) to download, it means "download the service provider root cert")

TLVCODE: 43.17:1 TLVDATA: <IP address of the TFTP service>

TLVCODE: 43.18:1 TLVDATA: 04091d00

(the above is the download date in format YY.MM.DD.HH, 4 bytes in hex; if the cert that the MTA currently has was downloaded after this date, the MTA will not download it again. So we just set it to today's date: 04.09.29.00, meaning 2004 September 29, :00)

TLVCODE: 43.19:1 TLVDATA: <certificate file name, must be less than 31 characters!>

TLVCODE: 43.8:1 TLVDATA: <first 3 bytes of MTA MAC address>

Note: 43.8 only needs to be set once, so if both the telnet and the cert 43 TLVs are to be set, you only need this 43.8 value once.

Then create a client class for the Scientific Atlanta MTAs that contains the above DOCSIS File Setting.

And reboot the CM.
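The sub-TLVs described above for the certificate download and for telnet can be encoded and reviewed programmatically. The following is an added example, not part of the original guide or of Incognito's software: it assumes the standard DOCSIS configuration-file encoding of one type byte, one length byte, then the value, and the function names and sample MAC, TFTP address and file name are constructed for illustration.

```python
import ipaddress

# Sub-TLV codes under DOCSIS TLV 43, as listed in this section.
VENDOR_ID, CERT_ACTION, CERT_TFTP, CERT_DATE, CERT_NAME = 8, 16, 17, 18, 19
TELNET_ENABLE, TELNET_LOGIN, TELNET_PASSWORD = 106, 107, 108


def tlv(code, value):
    """One type-length-value triple (assumed 1-byte code, 1-byte length)."""
    if len(value) > 255:
        raise ValueError(f"TLV {code}: value longer than 255 bytes")
    return bytes([code, len(value)]) + value


def encode_date(yy, mm, dd, hh):
    """YY.MM.DD.HH as 4 raw bytes, e.g. (4, 9, 29, 0) -> 04091d00."""
    if not (0 <= yy <= 99 and 1 <= mm <= 12 and 1 <= dd <= 31 and 0 <= hh <= 23):
        raise ValueError("date field out of range")
    return bytes([yy, mm, dd, hh])


def build_cert_download(mac, tftp_ip, date, cert_name):
    """Full TLV 43 carrying sub-TLVs 8, 16, 17, 18 and 19."""
    name = cert_name.encode("ascii")
    if len(name) >= 31:
        raise ValueError("certificate file name must be less than 31 characters")
    oui = bytes.fromhex(mac.replace(":", ""))[:3]  # first 3 bytes of the MTA MAC
    body = (tlv(VENDOR_ID, oui)
            + tlv(CERT_ACTION, b"\x16")  # "download the service provider root cert"
            + tlv(CERT_TFTP, ipaddress.IPv4Address(tftp_ip).packed)
            + tlv(CERT_DATE, encode_date(*date))
            + tlv(CERT_NAME, name))
    return tlv(43, body)


def parse_tlv43(blob):
    """Return {sub-code: value} from a full TLV 43, rejecting truncated data."""
    if len(blob) < 2 or blob[0] != 43 or blob[1] != len(blob) - 2:
        raise ValueError("not a well-formed TLV 43")
    fields, i = {}, 2
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated sub-TLV")
        code, length = blob[i], blob[i + 1]
        fields[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def audit(blob):
    """List the settings worth reviewing before the file is put in a client class."""
    fields = parse_tlv43(blob)
    findings = []
    if fields.get(TELNET_ENABLE) == b"\x01":
        findings.append("telnet access enabled (43.106 = 01)")
    if TELNET_PASSWORD in fields:
        findings.append("telnet password carried in the config file (43.108)")
    if CERT_ACTION in fields:
        raw = fields.get(CERT_DATE, b"")
        when = "%02d.%02d.%02d.%02d" % tuple(raw) if len(raw) == 4 else "missing"
        findings.append(f"root cert download requested (43.16), date {when}")
    return findings


# Constructed sample values (not from the guide).
SAMPLE = build_cert_download("00:11:22:33:44:55", "192.0.2.10", (4, 9, 29, 0), "sp_root.cer")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(audit(SAMPLE))
```

Running audit() over every DOCSIS File Setting before deployment shows which client classes still enable telnet or request a root certificate download.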

How to switch to PacketCable w/out KDC provisioning mode

Add the following TLVs to the DHCP Service DOCSIS TLV Definitions database, under DOCSIS 1.0 - TLV 43 (Vendor Specific Information):

add tlvdefinition "Provisioning Mode" parenttlvcode 43 DOCSISMAJORVERSION 1 DOCSISMINORVERSION 0 TLVCODE 25 mandatory no configurable yes maxinstance 1 datatype binary

Create DOCSIS File Setting that contains above TLV configured as follows:

TLVCODE: 43.25:1 TLVDATA: 03

(value 3 means "Dual File Provisioning using both DOCSIS and MTA config files without Kerberos Security. MTA config file specified in SNMP set from provisioning server.")

Then create a client class for the Scientific Atlanta MTAs that contains the above DOCSIS File Setting and reboot the CM.

8.4 Arris

Touchstone Telephony Modem TM402P

Hardware Revision: 07

Software Revision: TS.04.01.04.031504

Boot Revision: 4.02

Provisioning Flow Mode: PacketCable Secure & PacketCable w/out KDC

Template File Contents:

TLV11 PKTC-MTA-MIB pktcMtaDevEnabled=1

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentId-9 = "MPS.INCOGNITO.COM"

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentId-10 = "MPS.INCOGNITO.COM"

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort-9 = 2727

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort-10 = 2727

TLV11 PKTC-MTA-MIB pktcMtaDevCmsIpsecCtrl-MPS.INCOGNITO.COM = 1


# if this template file is used for devices in PacketCable w/out KDC provisioning mode,

# following line can be commented out

TLV11 PKTC-MTA-MIB pktcMtaDevCmsKerbRealmName-MPS.INCOGNITO.COM = "IPFONIX.COM"

# if this template file is used for devices in PacketCable w/out KDC provisioning mode,

# following line can be commented out

TLV11 PKTC-MTA-MIB pktcMtaDevRealmOrgName-IPFONIX.COM = "CableLabs, Inc."

TLV11 PKTC-SIG-MIB pktcSigDefNcsReceiveUdpPort = 2427

REPEAT TLV11 ifAdminStatus-9 = 1

8.4.1 How to install new Service Provider Root certificate

The Arris device embeds 2 root certificates: the official CableLabs Service Provider Root certificate and the testing CableLabs Service Provider Root certificate. The default is to use the official root certificate. The testing SP hierarchy is available for download at http://www.cablelabs.com/certqual/security; however, a KDC certificate is not provided, so you must generate one yourself (e.g. using OpenSSL). The private key of either the Service Provider or the Local System certificate can be used to sign the KDC certificate; this key is provided together with the hierarchy.

The realm name in the KDC certificate generated and used during interoperability testing was set to IPFONIX.COM (note the template config line pktcMtaDevRealmOrgName-IPFONIX.COM above). Either to use the testing CableLabs SP hierarchy or to install a new root certificate onto the device, create a DOCSIS File Setting with the following 3 SNMP MIB Object TLVs:

TLV 11

< OID = 1.3.6.1.4.1.4115.10.1.29.1.1 > (ppCfgMtaDevSPTestRootCertServer)

< Value Type = IP Address >

< Object Value = TFTP Server IP address used for downloading root certificate >

TLV 11

< OID = 1.3.6.1.4.1.4115.10.1.29.1.2 > (ppCfgMtaDevSPTestRootCertFilename)

< Value Type = Octet String >

< Display as ASCII Text >

< Object Value = the file name of root certificate to be downloaded >

TLV 11

< OID = 1.3.6.1.4.1.4115.10.1.29.1.3 > (ppCfgMtaDevSPTestRootCertAdminStatus)

< Value Type = Integer >

< Object Value = 1 if want to use embedded test root certificate >, or

< Object Value = 2 if want to download/install new root certificate >

Then create a client class for the Arris MTAs that contains the above DOCSIS File Setting. And reboot the CM.


How to switch to PacketCable w/out KDC provisioning mode

Create DOCSIS File Setting with following SNMP MIB Object TLV:

TLV 11

< OID = 1.3.6.1.4.1.4115.1.3.1.1.2.3.2 > (ArrisCmDevProvMethodIndicator)

< Value Type = Integer >

< Object Value = 2 >

Then create a client class for the Arris MTAs that contains the above DOCSIS File Setting and reboot the CM.

8.5 PacketCable Secure Flow Template File

TLV11 PKTC-MTA-MIB pktcMtaDevEnabled = 1

# if this template file is used for devices in PacketCable Hybrid 1 or 2 or w/out KDC

# provisioning mode, following line can be commented out

TLV11 PKTC-MTA-MIB pktcMtaDevRealmOrgName-IPFONIX.COM = "Really Amazing Telephone Company"

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentId-9 = "CMS.INCOGNITO.COM"

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentId-10 = "CMS.INCOGNITO.COM"

# if this template file is used for devices in PacketCable Hybrid 1 or 2 or w/out KDC

# provisioning mode, following line can be commented out

TLV11 PKTC-MTA-MIB pktcMtaDevCmsKerbRealmName-CMS.INCOGNITO.COM = "IPFONIX.COM"

TLV11 PKTC-MTA-MIB pktcMtaDevCmsIpsecCtrl-CMS.INCOGNITO.COM = 1

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort-9 = 2727

TLV11 PKTC-SIG-MIB pktcNcsEndPntConfigCallAgentUdpPort-10 = 2727

8.6 Notes

1. Some call agents seem to require UDP port for the CMS object (pktcNcsEndPntConfigCallAgentUdpPort) to be set to default value of 2727 (e.g. CedarPoint Safari CMS), whereas others (e.g. Nuera) use 2427.

2. Some CMS (e.g. Nuera) require MTA UDP receive port for NCS (pktcSigDefNcsReceiveUdpPort) to be set, e.g. in template file TLV11 pktcSigDefNcsReceiveUdpPort = 2427

3. Terayon and Arris eMTA devices require Call Management Server Name object (pktcNcsEndPntConfigCallAgentId) to be set in upper case letters and without ‘@’ character in the name. According to PacketCable Provisioning spec, this value must be FQDN, which allows lower case letters.