Table Of Contents
Upgrading Using the Existing Cisco IOS Software Image
Upgrading Using the Existing BootFlash Software Image
Sample DOCSIS 1.0 Configuration File for Certificate and Image Upgrade
Sample DOCSIS 1.1 Configuration File with BPI+ Enabled (Normal Operations)
Sample DOCSIS 1.1 Configuration File for Secure Software Download
Sample Configuration File for Upgrading the Cisco IOS Software Image Using the BootFlash
Sample Configuration File for Upgrading the BPI+ Certificates Using the BootFlash
Upgrading the DOCSIS Certificates in Cisco uBR905/uBR925 Cable Access Routers and CVA122 Cable Voice Adapters
May 17, 2004
78-14971-01 Rev. C0
Feature History
Release       Modification
12.2(15)CZ    This feature was introduced on the Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters.
This document describes how to use the certificate upgrade CD-ROM (p/n UBR/CVA-CERT-UPG) to upgrade the DOCSIS Baseline Privacy Interface Plus (BPI+) certificates in the Cisco uBR905 and Cisco uBR925 cable access routers, and in the Cisco CVA122 Cable Voice Adapters. This document contains the following major sections:
• Overview
Note Before proceeding with the instructions in this document, be sure to read the following documents that describe how to configure cable modems and prepare your cable network for DOCSIS 1.1 operation:
Migrating Simple Data over Cable Services to DOCSIS 1.1 at the following URL:
http://www.cisco.com/warp/public/109/migrating_to_docsis11_22030_1.shtml
DOCSIS 1.1 for Cisco uBR905/uBR925 Cable Access Routers and Cisco CVA122 Cable Voice Adapters at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122cz/index.htm
Overview
The Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters support DOCSIS 1.1 operations when running Cisco IOS Release 12.2(15)CZ. For full DOCSIS 1.1 support, the routers must contain valid DOCSIS certificates in non-volatile memory.
Some routers were produced when the DOCSIS 1.1 specification was still being finalized, and the certificates in these routers do not conform to the requirements in the final specification. Cisco has produced valid certificates for these routers, which can be downloaded to the routers using the procedures given in this document.
The upgrade procedure performs the following steps:
1. A DOCSIS configuration file is created that specifies that the router should load a new software image and upgrade the certificates. The DOCSIS configuration file and certificates are loaded on a TFTP server that is accessible to the router.
2. The router is reloaded and downloads the new DOCSIS configuration file, which forces the router to download the appropriate Cisco IOS Release 12.2(15)CZ software image. The router ignores the commands to upgrade the certificates at this point because the software images previous to Cisco IOS Release 12.2(15)CZ do not support them.
3. The router reloads and boots the Release 12.2(15)CZ image. When the router downloads the new DOCSIS configuration file again, it executes the commands to upgrade the certificates. After the router downloads the new certificates, it reloads a second time.
4. The router reboots with the Release 12.2(15)CZ image and valid DOCSIS 1.1 certificates. At this point, it can download a new configuration file that specifies normal operations.
This procedure can be used to upgrade all Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters for DOCSIS 1.1 operations. If the router already has a valid certificate, it will ignore the commands to upgrade the certificate and will download only the Cisco IOS Release 12.2(15)CZ software image for DOCSIS 1.1 support.
Note This procedure updates only the public BPI+ certificates on the router. It does not change the private keys, which are written in a protected memory area that cannot be read or changed by users.
Restrictions
The Cisco uBR905 and Cisco uBR925 cable access routers and Cisco CVA122 cable voice adapters must be running Cisco IOS Release 12.2(15)CZ (or later) to support DOCSIS 1.1. The CMTS must also support the DOCSIS 1.1 feature set.
Related Documents
The following documents describe the DOCSIS 1.1 feature and how to configure the router for its feature set:
• DOCSIS 1.1 for Cisco uBR905/uBR925 Cable Access Routers and Cisco CVA122 Cable Voice Adapters
• Migrating Simple Data over Cable Services to DOCSIS 1.1
The following documents describe the hardware of the Cisco uBR905 and Cisco uBR925 cable access routers and Cisco CVA122 cable voice adapters, as well as general software configuration:
• Cisco uBR905 Hardware Installation Guide
• Cisco uBR925 Hardware Installation Guide
• Cisco uBR905/uBR925 Software Configuration Guide
• Cisco uBR905 Cable Access Router Subscriber Setup Quick Start Card
• Cisco uBR925 Cable Access Router Subscriber Setup Quick Start Card
• Cisco uBR925 Quick Start User Guide
• Cisco CVA122 Cable Voice Adapter User Guide
• Cisco CVA122 Cable Voice Adapter Hardware Installation Guide
• Cisco CVA122 Cable Voice Adapter Features
• Cisco CVA122 Cable Voice Adapter Subscriber Setup Quick Start Card
• Cisco Broadband Cable Command Reference Guide
• Classifying VoIP Signaling and Media with DSCP for QoS
Supported Platforms
•Cisco uBR905 cable access router
•Cisco uBR925 cable access router
•Cisco CVA122 cable voice adapter
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Prerequisites
You must meet the following prerequisites to be able to upgrade the Cisco IOS software image and DOCSIS certificates on the Cisco uBR905 and Cisco uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters:
•Cisco DOCSIS 1.1 Cable Modem Certificate Upgrade CD-ROM (part number UBR/CVA-CERT-UPG). This one CD-ROM works with the Cisco uBR905 and Cisco uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters.
•Cisco IOS Release 12.2(15)CZ or later release.
•TFTP Server that is accessible to the Cisco uBR905 and Cisco uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters.
•If you are using a Windows PC as the TFTP server, you must also have a utility such as WinZip, which will allow you to extract files from Unix-version TAR archive files.
•DOCSIS 1.0 and 1.1 Configuration File Editor—You can use the Cisco Broadband Configurator tool (release 4.0 or later) for this purpose. A demonstration version of the Cisco Broadband Configurator tool is available on Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/cbc40-demo
Note You must log in as a registered user of CCO to access this link.
•DOCSIS 1.1 Cable Modem Termination System (CMTS).
Configuration Tasks
See the following sections for configuration tasks for upgrading both the Cisco IOS software image and DOCSIS 1.1 certificates (if needed) on the Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters. Each task in the list is identified as either required or optional.
Typical users who need to upgrade a large number of cable modems that are already at customers' sites or are still in a distribution center should use the following set of procedures, which are in the "Upgrading Using the Existing Cisco IOS Software Image" section. These procedures perform the upgrade using the existing Cisco IOS software image that is on the cable access routers and should be used in most cases:
• Upgrading a DOCSIS 1.0 Cable Modem to a DOCSIS 1.1 Image and Certificates (Required)
• Upgrading a DOCSIS 1.1 Cable Modem to a DOCSIS 1.1 Image and Certificates (Required)
• Downgrading the CM to DOCSIS 1.0 After Upgrading the Certificates (Optional)
If you need to upgrade a small number of cable modems or have a few problem cable modems that you could not successfully upgrade using the procedures given above, use the following procedure. This method also performs the upgrade but uses the existing Cisco IOS bootflash software image that is on the routers:
• Upgrading Using the Existing BootFlash Software Image
Caution It is also possible to upgrade the Cisco IOS software by setting the configuration register to 0x00 and booting the router into the ROM monitor (ROMMON). However, this method is not recommended because it requires manually connecting a terminal to the router's console port and downloading the software image using the X-Modem protocol. Also, this MUST NEVER be done on the Cisco CVA122 Cable Voice Adapters because these routers do not have a console port. You will not be able to recover the Cisco CVA122 if you boot it into the ROM monitor, and instead will have to return it to the factory for repair or replacement.
Upgrading Using the Existing Cisco IOS Software Image
Most users who need to upgrade a large number of cable modems that are already at customers' sites or are still in a distribution center should use the following set of procedures. You should typically use these procedures unless otherwise instructed by Cisco TAC or a field engineer.
• Upgrading a DOCSIS 1.0 Cable Modem to a DOCSIS 1.1 Image and Certificates (Required)
• Upgrading a DOCSIS 1.1 Cable Modem to a DOCSIS 1.1 Image and Certificates (Required)
• Downgrading the CM to DOCSIS 1.0 After Upgrading the Certificates (Optional)
Upgrading a DOCSIS 1.0 Cable Modem to a DOCSIS 1.1 Image and Certificates (Required)
To upgrade the Cisco IOS software image and DOCSIS 1.1 certificates on a Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter that is currently running DOCSIS 1.0 or DOCSIS 1.0+ software, use the following procedures:
• Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)
• Create a DOCSIS 1.0 Configuration File for the Certificate and Software Upgrade (Required)
• Upgrade the Cisco IOS Software Image and Certificates (Required)
• Reload the CM for Normal DOCSIS 1.1 Operations (Optional)
Completing these procedures will upgrade the Cisco IOS software image to Cisco IOS Release 12.2(15)CZ and will upgrade the router's DOCSIS certificate if the current certificate is invalid.
Tip If you are not planning to upgrade to DOCSIS 1.1, you do not need to perform this procedure because the DOCSIS 1.0 BPI security procedures do not require a DOCSIS certificate.
Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)
Use the following procedure to copy the Cisco IOS software image and new DOCSIS 1.1 certificates to the TFTP server used by the cable modems.
Step 1 Copy the Cisco IOS Release 12.2(15)CZ software images to the TFTP server for the cable modems. Typically, they should be put into the same directory that contains the other Cisco IOS software images.
For a DOCSIS 1.0 software download, you must use a software image that is not digitally signed.
Note The Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters will not upgrade the software image unless the Cisco IOS Release 12.2(15)CZ software image filename is different than the filename of the software image that the router is currently running. An easy way to ensure this is by adding "12215CZ" to the filename (for example, cva120-k9y5-mz.12215CZ.bin or ubr925-k9y5-mz.12215CZ.bin).
Step 2 Copy the file containing the new certificates to a subdirectory on the TFTP server. For example, if you are using a Solaris workstation as your TFTP server, and the TFTP files are kept in the /tftpboot directory, you could copy the certificates from the distribution CD-ROM with the following shell command:
tftpserver% cp -rf /dev/cdrom/bpicerts.tar /tftpboot
Step 3 Extract the new certificates to the TFTP directory. The exact commands will vary depending on your workstation or PC. For example, if you are using a Solaris workstation as your TFTP server, you could give the following commands:
tftpserver% cd /tftpboot
tftpserver% tar xvf bpicerts.tar
tftpserver%
If using a Windows PC, use a utility such as WinZip to extract the certificates from the TAR file.
Note The files will be automatically extracted to the "bpi-certs" subdirectory. Do not rename the certificates because the upgrade procedure requires the main part of the filename to be the cable modem's MAC address (six hexadecimal digits separated by hyphens) and the extension to be ".cer" (for example, 00-05-89-AB-CD-EF.cer).
Step 4 Make sure the certificate subdirectory and certificates are accessible to all users. For example, on a Solaris workstation, you would give the following shell commands:
tftpserver% chmod a+rx /tftpboot/bpi-certs
tftpserver% chmod a+r /tftpboot/bpi-certs/*
Continue to the next section to create the DOCSIS configuration file that is needed to perform the software image and certificate upgrade.
Create a DOCSIS 1.0 Configuration File for the Certificate and Software Upgrade (Required)
You must create a DOCSIS 1.0 configuration file that instructs the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to download the new Cisco IOS Release 12.2(15)CZ software image and to upgrade the DOCSIS certificates. This information is contained in the following configuration file options:
•Software Upgrade Filename (Option 9)—Specifies the filename and path for the software image on the TFTP server. This must specify a software image that has not been digitally signed because digitally signed images can be loaded only by a cable modem that is already running a DOCSIS 1.1 software image.
•Vendor Cisco Systems Specific Info Block (option 43, suboption 131)—Specifies the Cisco IOS commands that upgrade the DOCSIS certificates in the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter. These commands are the following:
–upgrade-bpkm-cert tftp-server ip-address—Specifies the IP address for the TFTP server to be used for the software and certificate downloads.
–upgrade-bpkm-cert directory-path directory-path—Specifies the directory on the TFTP server that contains the new DOCSIS certificates that should be downloaded. Each certificate in this directory must have a filename that consists of the cable modem's MAC address (six hexadecimal digits separated by hyphens) and an extension of ".cer" (for example, 00-05-89-AB-CD-EF.cer).
–upgrade-bpkm-cert start-upgrade—Begins downloading the new certificate from the specified path on the specified TFTP server.
For a sample DOCSIS 1.0 configuration file, see the "Sample DOCSIS 1.0 Configuration File for Certificate and Image Upgrade" section. This configuration file is also available in binary form as the cfg10upg.cm file on the distribution CD-ROM.
You must modify this configuration file with the following information that is specific to your network:
•Filename for the Cisco IOS Release 12.2(15)CZ software image
•IP address for the TFTP server
•Directory path for the certificate upgrades
•IP address for a SYSLOG event server (optional but strongly recommended)
You can modify this file with your network-specific information using any DOCSIS 1.0 configuration file editor, such as the Cisco Broadband Configurator Tool (release 4.0 or later).
Upgrade the Cisco IOS Software Image and Certificates (Required)
After you have copied the software images and new certificates to the TFTP server, and have created the required DOCSIS configuration files, perform the upgrade using the following procedure:
Step 1 Copy the DOCSIS 1.0 configuration file (for example, the cfg10upg.cm file) to your TFTP server.
Step 2 Configure your DOCSIS cable provisioning software (such as a DHCP server or Cisco Network Registrar) so that it sends the DOCSIS 1.0 configuration file as the DHCP bootfile during the initial provisioning.
Step 3 Restart one or all cable modems. If you are using a Cisco CMTS platform, you can do this by using the clear cable modem mac-address reset command to reset an individual cable modem or by using the clear cable modem all reset command to reset all cable modems. On a Cisco CMTS, you can also restart all cable modems on a particular cable interface by using the shutdown and no shutdown commands on the interface.
When each Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter is restarted, it downloads the DOCSIS 1.0 configuration file, which forces the router to download the Cisco IOS Release 12.2(15)CZ software image. The router then reloads and boots the Release 12.2(15)CZ image.
The router then downloads the DOCSIS 1.0 configuration file again and executes the commands to upgrade the certificates. As it upgrades the certificates, it reports the progress to the SYSLOG event server.
After the router downloads the new certificates, it reloads a second time and reboots with the Release 12.2(15)CZ image and valid DOCSIS 1.1 certificates. The router then downloads the DOCSIS 1.0 configuration file a third time and begins operating as a DOCSIS 1.0 cable modem.
Note When the router reboots this third time, it again tries to execute the certificate upgrade commands that are in the DOCSIS 1.0 configuration file. However, because the router now has a valid certificate, it aborts the process and begins normal operations. (The SYSLOG event server will show that a second certificate upgrade process started but then was aborted.)
Reload the CM for Normal DOCSIS 1.1 Operations (Optional)
To test whether the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter has been successfully upgraded, you can create a DOCSIS 1.1 configuration file that enables BPI+ authentication and encryption. See the "Sample DOCSIS 1.1 Configuration File with BPI+ Enabled (Normal Operations)" section for a sample file that you can use as a template for use and testing. This configuration file is also available in binary form as the cfg11ope.cm file on the distribution CD-ROM.
Replace the DOCSIS 1.0 configuration file with the DOCSIS 1.1 configuration file you have created and reload one or all of the cable modems to begin DOCSIS 1.1 operations.
Upgrading a DOCSIS 1.1 Cable Modem to a DOCSIS 1.1 Image and Certificates (Required)
If you have already upgraded a Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to Cisco IOS Release 12.2(15)CZ, the router must use the DOCSIS 1.1 secure software download feature to upgrade its software image. To upgrade a Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter that is currently running DOCSIS 1.1 software, use the following procedures:
• Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)
• Create a DOCSIS 1.1 Configuration File for the Certificate and Software Upgrade (Required)
• Upgrade the Cisco IOS Software Image and Certificates (Required)
• Reload the CM for Normal DOCSIS 1.1 Operations (Optional)
Completing these procedures will upgrade the Cisco IOS software image to Cisco IOS Release 12.2(15)CZ and will upgrade the router's DOCSIS certificate if the current certificate is invalid.
Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)
Use the following procedure to copy the Cisco IOS software image and new DOCSIS 1.1 certificates to the TFTP server used by the cable modems.
Step 1 Copy the Cisco IOS Release 12.2(15)CZ software images to the TFTP server for the cable modems. Typically, they should be put into the same directory that contains the other Cisco IOS software images.
For a DOCSIS secure software download, you must use a digitally-signed software image, which includes "cvc" as part of the filename.
Note The Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters will not upgrade the software image unless the Cisco IOS Release 12.2(15)CZ software image filename is different than the filename of the software image that the router is currently running. An easy way to ensure this is by adding "12215CZ" to the filename (for example, cva120-k9y5-mz.12215CZ.bin or ubr925cvc-k9y5-mz.12215CZ.bin).
Step 2 Copy the file containing the new certificates to a subdirectory on the TFTP server. For example, if you are using a Solaris workstation as your TFTP server, and the TFTP files are kept in the /tftpboot directory, you could copy the certificates from the distribution CD-ROM with the following shell command:
tftpserver% cp -rf /dev/cdrom/bpicerts.tar /tftpboot
Step 3 Extract the new certificates to the TFTP directory. The exact commands will vary depending on your workstation or PC. For example, if you are using a Solaris workstation as your TFTP server, you could give the following commands:
tftpserver% cd /tftpboot
tftpserver% tar xvf bpicerts.tar
tftpserver%
If using a Windows PC, use a utility such as WinZip to extract the certificates from the TAR file.
Note The files will be automatically extracted to the "bpi-certs" subdirectory. Do not rename the certificates because the upgrade procedure requires the main part of the filename to be the cable modem's MAC address (six hexadecimal digits separated by hyphens) and the extension to be ".cer" (for example, 00-05-89-AB-CD-EF.cer).
Step 4 Make sure the certificate subdirectory and certificates are accessible to all users. For example, on a Solaris workstation, you would give the following shell commands:
tftpserver% chmod a+rx /tftpboot/bpi-certs
tftpserver% chmod a+r /tftpboot/bpi-certs/*
Continue to the next section to create the DOCSIS configuration file that is needed to perform the software image and certificate upgrade.
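The staging rules in this procedure and in the matching DOCSIS 1.0 procedure earlier (certificate filenames, read access on the bpi-certs directory, and signed versus unsigned image filenames) can be checked on the TFTP server before any cable modem is reset. The following Python script is an added example, not part of the Cisco procedure or the CD-ROM; the function names, the constructed sample directory and the group/other-writable check are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Page rule: the modem's MAC address as six hyphen-separated hex pairs plus
# ".cer", for example 00-05-89-AB-CD-EF.cer.
CERT_NAME = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}\.cer$")


def audit_cert_dir(path):
    """Return findings for an extracted bpi-certs directory (empty list = OK)."""
    findings = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    if dmode & 0o555 != 0o555:                     # chmod a+rx on the directory
        findings.append(f"{path}: directory is not a+rx (mode {dmode:o})")
    for name in sorted(os.listdir(path)):
        fmode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if not CERT_NAME.match(name):
            findings.append(f"{name}: filename is not <MAC>.cer")
        if fmode & 0o444 != 0o444:                 # chmod a+r on each certificate
            findings.append(f"{name}: not a+r (mode {fmode:o})")
        if fmode & 0o022:
            # Added hardening check (assumption, not a step in the procedure):
            # only the owner should be able to replace a staged certificate.
            findings.append(f"{name}: writable by group or other (mode {fmode:o})")
    return findings


def check_image_name(new_image, running_image, secure_download):
    """Apply the page's filename rules for the image named in the config file."""
    problems = []
    new_base = os.path.basename(new_image)
    # The page states the filename must differ from the running image's name.
    # Comparing basenames only is a conservative assumption.
    if new_base == os.path.basename(running_image):
        problems.append("same filename as the running image; no upgrade will occur")
    signed = "cvc" in new_base                     # signed images carry "cvc"
    if secure_download and not signed:
        problems.append("secure software download needs a signed (cvc) image")
    if not secure_download and signed:
        problems.append("DOCSIS 1.0 download needs an image that is not signed")
    return problems


def demo():
    """Build a constructed staging directory and audit it."""
    samples = {
        "00-05-89-AB-CD-EF.cer": 0o644,   # correct name, readable by all
        "00-05-89-AB-CD-F1.cer": 0o600,   # correct name, chmod a+r was skipped
        "000589ABCDF0.cer": 0o644,        # renamed: hyphens removed
    }
    with tempfile.TemporaryDirectory() as root:
        certs = os.path.join(root, "bpi-certs")
        os.mkdir(certs)
        os.chmod(certs, 0o755)
        for name, mode in samples.items():
            full = os.path.join(certs, name)
            with open(full, "wb") as fh:
                fh.write(b"constructed placeholder, not a real certificate")
            os.chmod(full, mode)
        return audit_cert_dir(certs)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
    print(check_image_name("ubr925-k9y5-mz.12215CZ.bin",
                           "ubr925-k8v6y5-122-8T-mz", secure_download=True))
```

Point `audit_cert_dir` at the real /tftpboot/bpi-certs directory after Step 4; an empty list means every staged file meets the naming and permission rules above.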
Create a DOCSIS 1.1 Configuration File for the Certificate and Software Upgrade (Required)
You must create a DOCSIS 1.1 configuration file that instructs the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to download the new Cisco IOS Release 12.2(15)CZ software image and to upgrade the DOCSIS certificates. This information is contained in the following configuration file options:
•Software Upgrade Filename (Option 9)—Specifies the filename and path for the software image on the TFTP server. To support a secure software download, you must specify a software image that has been digitally signed (includes "cvc" as part of the software filename).
Note If the router is currently using the desired Cisco IOS Release 12.2(15)CZ software image, you do not need to specify the Software Upgrade Filename. However, it does no harm to specify the software image because the router does not download the software unless the specified software image is named differently than the image the router is currently running.
•Vendor Cisco Systems Specific Info Block (option 43, suboption 131)—Specifies the Cisco IOS commands that upgrade the DOCSIS certificates in the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter. These commands are the following:
–upgrade-bpkm-cert tftp-server ip-address—Specifies the IP address for the TFTP server to be used for the software and certificate downloads.
–upgrade-bpkm-cert directory-path directory-path—Specifies the directory on the TFTP server that contains the new DOCSIS certificates that should be downloaded. Each certificate in this directory must have a filename that consists of the cable modem's MAC address (six hexadecimal digits separated by hyphens) and an extension of ".cer" (for example, 00-05-89-AB-CD-EF.cer).
–upgrade-bpkm-cert start-upgrade—Begins downloading the new certificate from the specified path on the specified TFTP server.
•Privacy Enable (Option 29)—Enables or disables BPI+ authentication and encryption. You must disable BPI+ because the router does not have the digital certificates required for BPI+ authentication and encryption.
•Manufacturer CVC (Option 32)—Specifies the Code Verification Certificate (CVC) that Cisco Systems used to digitally sign the Cisco IOS software image. The router uses this CVC to verify the software image that is downloaded using DOCSIS secure software download.
For a sample DOCSIS 1.1 configuration file, see the "Sample DOCSIS 1.1 Configuration File for Secure Software Download" section.
You must also modify this configuration file with the following information that is specific to your network:
•Filename for the Cisco IOS Release 12.2(15)CZ software image
•IP address for the TFTP server
•Directory path for the certificate upgrades
•IP address for a SYSLOG event server (optional but strongly recommended)
You can modify this file with your network-specific information using any DOCSIS 1.0 configuration file editor, such as the Cisco Broadband Configurator Tool (release 4.0 or later).
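An added example, not taken from the Cisco tools: a small auditor that reads a binary DOCSIS configuration file and checks the options listed above and in the corresponding DOCSIS 1.0 section (options 9, 29, 32 and 43 suboption 131). It assumes the standard DOCSIS encoding of one-byte type, one-byte length and value; the function names, the placeholder CVC bytes, the directory path and the sample configurations are constructed for illustration.

```python
import ipaddress

END_OF_DATA, PAD = 255, 0
SW_UPGRADE_FILENAME, PRIVACY_ENABLE, MFR_CVC, VENDOR_SPECIFIC = 9, 29, 32, 43
CISCO_CLI_SUBOPTION = 131
PREFIX = "upgrade-bpkm-cert "


def parse_tlvs(data, top_level=True):
    """Split bytes into (type, value) pairs; pad/end markers exist only at top level."""
    items, i = [], 0
    while i < len(data):
        t = data[i]
        if top_level and t == END_OF_DATA:
            break
        if top_level and t == PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated TLV at offset {i}")
        length = data[i + 1]
        items.append((t, data[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def cli_commands(tlvs):
    """Collect the IOS commands carried in option 43, suboption 131."""
    cmds = []
    for t, value in tlvs:
        if t == VENDOR_SPECIFIC:
            for st, sv in parse_tlvs(value, top_level=False):
                if st == CISCO_CLI_SUBOPTION:      # other sub-TLVs are skipped
                    cmds.append(sv.decode("ascii", "replace").strip("\x00 "))
    return cmds


def audit_upgrade_config(data, secure_download):
    """Return findings for an upgrade configuration file (empty list = OK)."""
    findings = []
    tlvs = parse_tlvs(data)
    images = [v.decode("ascii", "replace").rstrip("\x00")
              for t, v in tlvs if t == SW_UPGRADE_FILENAME]
    if not images and not secure_download:
        findings.append("no Software Upgrade Filename (option 9)")
    for image in images:
        if secure_download != ("cvc" in image):
            want = "signed (cvc)" if secure_download else "unsigned"
            findings.append(f"option 9 names {image!r}; expected a {want} image")

    seen = {}                                      # keyword -> (position, argument)
    for pos, cmd in enumerate(cli_commands(tlvs)):
        if cmd.startswith(PREFIX):
            keyword, _, arg = cmd[len(PREFIX):].partition(" ")
            seen[keyword] = (pos, arg.strip())
    for keyword in ("tftp-server", "directory-path", "start-upgrade"):
        if keyword not in seen:
            findings.append(f"missing command: {PREFIX}{keyword}")
    if "tftp-server" in seen:
        try:
            ipaddress.ip_address(seen["tftp-server"][1])
        except ValueError:
            findings.append("tftp-server argument is not an IP address")
    if "directory-path" in seen and not seen["directory-path"][1]:
        findings.append("directory-path has no argument")
    if "start-upgrade" in seen:
        # Assumption: the server and path must be set before start-upgrade runs.
        start = seen["start-upgrade"][0]
        if any(seen[k][0] > start for k in ("tftp-server", "directory-path") if k in seen):
            findings.append("start-upgrade appears before the server or path is set")

    if secure_download:
        privacy = [v for t, v in tlvs if t == PRIVACY_ENABLE]
        if not privacy or privacy[-1] != b"\x00":
            findings.append("Privacy Enable (option 29) is not set to 0")
        if not any(t == MFR_CVC for t, _ in tlvs):
            findings.append("no Manufacturer CVC (option 32)")
    return findings


def tlv(t, value):
    return bytes([t, len(value)]) + value


def sample_config(image, privacy, with_cvc, commands):
    """Build a constructed configuration body for the demonstration."""
    body = tlv(SW_UPGRADE_FILENAME, image.encode()) + tlv(PRIVACY_ENABLE, bytes([privacy]))
    if with_cvc:
        body += tlv(MFR_CVC, b"CONSTRUCTED-CVC-PLACEHOLDER")   # not a real CVC
    for cmd in commands:
        body += tlv(VENDOR_SPECIFIC, tlv(CISCO_CLI_SUBOPTION, cmd.encode()))
    return body + bytes([END_OF_DATA])


COMMANDS = [PREFIX + "tftp-server 10.10.172.1",
            PREFIX + "directory-path /bpi-certs",
            PREFIX + "start-upgrade"]
GOOD_11 = sample_config("ubr925cvc-k9y5-mz.12215CZ.bin", 0, True, COMMANDS)
BAD_11 = sample_config("ubr925-k9y5-mz.12215CZ.bin", 1, False, COMMANDS[:2])

if __name__ == "__main__":
    print(audit_upgrade_config(GOOD_11, secure_download=True))
    for finding in audit_upgrade_config(BAD_11, secure_download=True):
        print("FINDING:", finding)
```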
Upgrade the Cisco IOS Software Image and Certificates (Required)
After you have copied the software images and new certificates to the TFTP server, and have created the required DOCSIS configuration files, perform the upgrade using the following procedure:
Step 1 Copy the DOCSIS 1.1 configuration file to your TFTP server.
Step 2 Configure your DOCSIS cable provisioning software (such as a DHCP server or Cisco Network Registrar) so that it sends the DOCSIS 1.1 configuration file as the DHCP bootfile during the initial provisioning.
Step 3 Restart one or all cable modems. If you are using a Cisco CMTS platform, you can do this by using the clear cable modem mac-address reset command to reset an individual cable modem or by using the clear cable modem all reset command to reset all cable modems. On a Cisco CMTS, you can also restart all cable modems on a particular cable interface by using the shutdown and no shutdown commands on the interface.
When each Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter is restarted, it downloads the DOCSIS 1.1 configuration file, which forces the router to download the Cisco IOS Release 12.2(15)CZ software image using the DOCSIS secure software download. The router then reloads and boots the Release 12.2(15)CZ image.
The router then downloads the DOCSIS 1.1 configuration file again and executes the commands to upgrade the certificates. As it upgrades the certificates, it reports the progress to the SYSLOG event server.
After the router downloads the new certificates, it reloads a second time and reboots with the Release 12.2(15)CZ image and valid DOCSIS 1.1 certificates. The router then downloads the DOCSIS 1.1 configuration file a third time and begins operating as a DOCSIS 1.1 cable modem.
Note When the router reboots this third time, it again tries to execute the certificate upgrade commands that are in the DOCSIS 1.0 configuration file. However, because the router now has a valid certificate, it aborts the process and begins normal operations. (The SYSLOG event server will show that a second certificate upgrade process started but then was aborted.)
Reload the CM for Normal DOCSIS 1.1 Operations (Optional)
To test whether the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter has been successfully upgraded, you can create a DOCSIS 1.1 configuration file that enables BPI+ authentication and encryption. See the "Sample DOCSIS 1.1 Configuration File with BPI+ Enabled (Normal Operations)" section for a sample file that you can use as a template for testing. This configuration file is also available in binary form as the cfg11ope.cm file on the distribution CD-ROM.
Replace the DOCSIS 1.1 configuration file you used for the upgrade with the DOCSIS 1.1 configuration file you have created and reload one or all of the cable modems to begin normal DOCSIS 1.1 operations.
Downgrading the CM to DOCSIS 1.0 After Upgrading the Certificates (Optional)
After you have upgraded a Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to Cisco IOS Release 12.2(15)CZ, the router must use the DOCSIS 1.1 secure software download feature to change its software image. However, if the router contains a DOCSIS 1.0 bootflash, you can avoid using the secure software download by manually downloading the older image.
If, for some reason, you would like to downgrade the router to an earlier, DOCSIS 1.0 or 1.0+ software image, use one of the following procedures, depending on the version of bootflash that the router is currently using.
• Downgrading with a DOCSIS 1.0 Bootflash (without Secure Software Download)
• Downgrading with a DOCSIS 1.1 Bootflash (with Secure Software Download)
Downgrading with a DOCSIS 1.0 Bootflash (without Secure Software Download)
If the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter contains a DOCSIS 1.0 version of bootflash, you can avoid using the secure software download feature by erasing the current Cisco IOS image and manually loading the older image. To do so, use the following procedure:
Step 1 Copy the desired Cisco IOS software release to the TFTP server. This must be a software image that has NOT been digitally signed.
Step 2 Use a console connection (if available) or Telnet to log into the router. Enter Privileged Exec mode by using the enable command and entering the enable password:
Router> enable
Password: <password>
Router#
Note If you are still using the cfg10upg.cm file, the default Telnet password is lab.
Step 3 Use the dir command to list the contents of the router's bootflash:
Router# dir bootflash:
Directory of bootflash:/
1 -rw- 2170804 Feb 01 2002 05:32:29 ubr925-k8boot-mz.122-4.T.bin
7471104 bytes total (5300236 bytes free)
Router#
If possible, use the filename to determine the Cisco IOS version of the bootflash code. For example, the above lines show that the bootflash was from Cisco IOS Release 12.2(4)T, which is a DOCSIS 1.0 release.
If the bootflash filename indicates a software release before Cisco IOS Release 12.2(15)CZ, then proceed to the next step. If this is not the case or if you cannot determine the software release, you must use the instructions given in the "Downgrading with a DOCSIS 1.1 Bootflash (with Secure Software Download)" section.
Step 4 Verify that you have connectivity with the TFTP server by using the ping ip-address command, where ip-address is the IP address of the TFTP server:
Router# ping 10.10.172.1
Sending 5, 100-byte ICMP Echos to 10.10.172.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#
Step 5 Use the copy tftp command to erase the current Cisco IOS software image and download the older software version to the router's flash:
Router# copy tftp flash
Address or name of remote host []? 10.10.172.1
Source filename []? ubr925-k8v6y5-122-8T-mz
Destination filename [ubr925-k8v6y5-122-8T-mz]?
Accessing tftp://10.10.172.1/ubr925-k8v6y5-122-8T-mz...
Erase flash: before copying? [confirm] Y
Erasing the flash filesystem will remove all files! Continue? [confirm] Y
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading ubr925-k8v6y5-122-8T-mz from 10.10.172.1 (via cable-modem0): !!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 3755588/7511040 bytes]
Verifying checksum... OK (0xD65F)
3755588 bytes copied in 99.254 secs (37935 bytes/sec)
Router#
Step 6 After the download has completed, use the reload command to restart the router with the new software image:
Router# reload
Proceed with reload? [confirm] Y
133.CABLEMODEM.CISCO: 01:05:23: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 12.2(4)T, RELEASE SOFTWARE (fc1)
Copyright (c) 2001 by cisco Systems, Inc.
Downgrading with a DOCSIS 1.1 Bootflash (with Secure Software Download)
If the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter was shipped with Cisco IOS Release 12.2(15)CZ, then both its bootflash image and Cisco IOS software image support DOCSIS 1.1. In this situation, the router must use the DOCSIS 1.1 secure software download procedure to upgrade the software image. To do so, use the following procedure:
Step 1 Copy the desired Cisco IOS software release to the TFTP server. This must be a software image that has been digitally signed (with "cvc" as part of the software image filename). If your desired software release is not available in a digitally signed version, contact your Cisco representative for assistance.
Step 2 Create a DOCSIS 1.1 configuration file that specifies the older software image filename for the Software Upgrade Filename (Option 9). For a sample DOCSIS 1.1 configuration file, see the "Sample DOCSIS 1.1 Configuration File for Secure Software Download" section.
If you are using this file as a template, make the following changes:
•Change Software Upgrade Filename (Option 9) to specify the filename and path for the software image on the TFTP server. To support a secure software download, you must specify a software image that has been digitally signed (with "cvc" as part of the software image filename).
•Change TFTP Server IP (Option 21) to specify the IP address for the TFTP server that contains the software to be downloaded.
•Remove the four upgrade-bpkm-cert commands that appear as IOS Config Commands (Option 43, suboption 131).
Step 3 Copy the modified DOCSIS 1.1 configuration file to your TFTP server.
Step 4 Configure your DOCSIS cable provisioning software (such as a DHCP server or Cisco Network Registrar) so that it sends the modified DOCSIS 1.1 configuration file as the DHCP bootfile during the initial provisioning.
Step 5 Restart one or all cable modems. If you are using a Cisco CMTS platform, you can do this by using the clear cable modem mac-address reset command to reset an individual cable modem or by using the clear cable modem all reset command to reset all cable modems. On a Cisco CMTS, you can also restart all cable modems on a particular cable interface by using the shutdown and no shutdown commands on the interface.
When each Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter is restarted, it downloads the DOCSIS 1.1 configuration file, which forces the router to download the DOCSIS 1.0 software image using the DOCSIS secure software download. The router then reloads and boots the DOCSIS 1.0 image. For normal DOCSIS 1.0 operations, you will have to reconfigure the DOCSIS cable provisioning software so that it uses the original DOCSIS 1.0 configuration files for each router.
Upgrading Using the Existing BootFlash Software Image
You can upgrade both the Cisco IOS software image and the BPI+ certificates by using the bootflash image that is onboard the router. You typically will need to use this method only in the following situations:
•You have a small number of cable modems that need to be upgraded in a lab or test setting, or that are still in a distribution center. In this situation, using the bootflash software image procedure can be more convenient than changing the production servers.
•You had previously loaded a DOCSIS 1.1 Cisco IOS software image on the router, without also upgrading the BPI+ certificates, or you were able to successfully download the DOCSIS 1.1 software image but not the BPI+ certificates, due to connectivity problems with the TFTP server or network. In these situations, attempting to upgrade using the Cisco IOS software image will require performing a secure software download, which cannot succeed because you do not have a valid CVC certificate in the router.
•You were not able to successfully download the DOCSIS 1.1 software image, and therefore have no valid Cisco IOS software image on the router. In this case, the router will automatically boot into the bootflash software image.
•You attempted to upgrade the router with a secure software download and the procedure failed, typically because you did not use a digitally-signed software image, or because the CVC specified in the DOCSIS configuration file did not match the signature on the software image. Using the bootflash software image can bypass the secure software download procedure.
If none of these situations apply to you, you should first use the procedures given in the "Upgrading Using the Existing Cisco IOS Software Image" section, unless you have been instructed otherwise by a Cisco TAC or field service engineer.
Note This procedure assumes that the router contains the original bootflash software image that was installed on the router at the factory. If you have manually upgraded the bootflash software image to a version that supports DOCSIS 1.1 operations, and if the BPI+ certificates are invalid, then the only way to upgrade the Cisco IOS software image is to log in to the router's console and use the copy tftp: flash: command to copy the DOCSIS 1.1 Cisco IOS software image from a TFTP server to the router.
To upgrade the Cisco IOS software image and BPI+ certificates on the Cisco uBR905 and Cisco uBR925 cable access routers or the Cisco CVA122 Cable Voice Adapter, use the following set of procedures:
• Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)
• Create a DOCSIS 1.0 Configuration File for the Software Upgrade (Required)
• Upgrade the Cisco IOS Software Image (Required)
• Create a DOCSIS 1.0 Configuration File for the BPI+ Certificates (Required)
• Upgrade the BPI+ Certificates (Required)
• Reload the CM for Normal DOCSIS 1.1 Operations (Optional)
Completing these procedures will upgrade the Cisco IOS software image to Cisco IOS Release 12.2(15)CZ and will upgrade the router's DOCSIS certificate if the current certificate is invalid.
Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)
Use the following procedure to copy the Cisco IOS software image and new DOCSIS 1.1 certificates to the TFTP server used by the cable modems.
Step 1 Copy the Cisco IOS Release 12.2(15)CZ software images to the TFTP server for the cable modems. Typically, they should be put into the same directory that contains the other Cisco IOS software images.
For a DOCSIS 1.0 software download, you must use a software image that is not digitally signed.
Note The Cisco uBR905/uBR925 cable access routers and Cisco CVA122 Cable Voice Adapters will not upgrade the software image unless the Cisco IOS Release 12.2(15)CZ software image filename is different than the filename of the software image that the router is currently running. An easy way to ensure this is by adding "12215CZ" to the filename (for example, cva120-k9y5-mz.12215CZ.bin or ubr925-k9y5-mz.12215CZ.bin).
Step 2 Copy the file containing the new certificates to a subdirectory on the TFTP server. For example, if you are using a Solaris workstation as your TFTP server, and the TFTP files are kept in the /tftpboot directory, you could copy the certificates from the distribution CD-ROM with the following shell command:
tftpserver% cp -rf /dev/cdrom/bpicerts.tar /tftpboot
Step 3 Uncompress and extract the new certificates to the TFTP directory. The exact commands will vary depending on your workstation or PC. For example, if you are using a Solaris workstation as your TFTP server, you could give the following commands:
tftpserver% cd /tftpboot
tftpserver% tar xvf bpicerts.tar
tftpserver%
If using a Windows PC, use a utility such as WinZip to extract the certificates from the TAR file.
Note The files will be automatically extracted to the "bpi-certs" subdirectory. Do not rename the certificates because the upgrade procedure requires the main part of the filename to be the cable modem's MAC address (six hexadecimal digits separated by hyphens) and the extension to be ".cer" (for example, 00-05-89-AB-CD-EF.cer).
Step 4 Make sure the certificate subdirectory and certificates are accessible to all users. For example, on a Solaris workstation, you would give the following shell commands:
tftpserver% chmod a+rx /tftpboot/bpi-certs
tftpserver% chmod a+r /tftpboot/bpi-certs/*
Continue to the next section to create the DOCSIS configuration file that is needed to perform the software image upgrade.
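The naming and permission requirements in Steps 3 and 4 can be checked before any cable modem is reset. The following Python script is an added example, not part of the Cisco distribution or procedure. The function names and finding codes are hypothetical, the world-writable checks are an extra hardening test that this document does not require, and letter case is compared loosely because this document does not state which case the router requests.

```python
import os
import re
import stat
import tempfile

# Name form required by the upgrade procedure, for example 00-05-89-AB-CD-EF.cer
CERT_NAME_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}\.cer$")


def cert_filename(mac):
    """Turn a MAC address in any common notation into the hyphenated .cer name."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return "-".join(pairs).upper() + ".cer"


def audit_cert_dir(path, expected_macs=()):
    """Return a sorted list of (code, name) findings for a certificate directory."""
    findings = []
    mode = os.stat(path).st_mode
    if not stat.S_ISDIR(mode):
        return [("NOT_A_DIRECTORY", path)]
    if mode & 0o005 != 0o005:      # document: chmod a+rx on the directory
        findings.append(("DIR_NOT_WORLD_RX", path))
    if mode & 0o002:               # added hardening check, not from the document
        findings.append(("DIR_WORLD_WRITABLE", path))

    present = set()
    for name in os.listdir(path):
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            findings.append(("NOT_A_REGULAR_FILE", name))
            continue
        if not CERT_NAME_RE.match(name):
            findings.append(("BAD_NAME", name))
            continue
        present.add(name.upper())
        if not st.st_mode & 0o004:  # document: chmod a+r on each certificate
            findings.append(("NOT_WORLD_READABLE", name))
        if st.st_mode & 0o002:      # added hardening check, not from the document
            findings.append(("WORLD_WRITABLE", name))
        if st.st_size == 0:
            findings.append(("EMPTY_FILE", name))

    # Every modem that is about to be upgraded needs its own certificate file.
    for mac in expected_macs:
        wanted = cert_filename(mac)
        if wanted.upper() not in present:
            findings.append(("MISSING_CERT", wanted))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed demo directory; on a real server pass /tftpboot/bpi-certs.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o755)
    for name, perm in (("00-05-89-AB-CD-EF.cer", 0o644),
                       ("000589ABCDEF.cer", 0o644),
                       ("00-05-89-AB-CD-F0.cer", 0o600)):
        full = os.path.join(demo, name)
        with open(full, "wb") as handle:
            handle.write(b"constructed placeholder, not a real certificate")
        os.chmod(full, perm)
    for code, name in audit_cert_dir(demo, ["0005.89ab.cdef", "00:05:89:ab:cd:f1"]):
        print(code, name)
```
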
Create a DOCSIS 1.0 Configuration File for the Software Upgrade (Required)
You must create a DOCSIS 1.0 configuration file that instructs the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to download the new Cisco IOS Release 12.2(15)CZ software image. This information is contained in the following configuration file options:
•Software Upgrade Filename (Option 9)—Specifies the filename and path for the software image on the TFTP server. This must specify a software image that has not been digitally signed because digitally signed images can be loaded only by a cable modem that is already running a DOCSIS 1.1 software image.
•Vendor Cisco Systems Specific Info Block (option 43, suboption 131)—Specifies the Cisco IOS command that instructs the router to boot its bootflash software image instead of the Cisco IOS software image:
–config-register 0x0001
For a sample DOCSIS 1.0 configuration file, see the "Sample Configuration File for Upgrading the Cisco IOS Software Image Using the BootFlash" section. You must modify this configuration file with the following information that is specific to your network:
•Filename for the Cisco IOS Release 12.2(15)CZ software image
•IP address for the TFTP server
•IP address for a SYSLOG event server (optional but strongly recommended)
You can modify this file with your network-specific information using any DOCSIS 1.0 configuration file editor, such as the Cisco Broadband Configurator Tool (release 4.0 or later).
Upgrade the Cisco IOS Software Image (Required)
After you have copied the software images and new certificates to the TFTP server, and have created the required DOCSIS configuration files, upgrade the Cisco IOS software using the following procedure:
Step 1 Copy the DOCSIS 1.0 configuration file (for example, the cfg10upg.cm file) to your TFTP server.
Step 2 Configure your DOCSIS cable provisioning software (such as a DHCP server or Cisco Network Registrar) so that it sends the DOCSIS 1.0 configuration file as the DHCP bootfile during the initial provisioning.
Step 3 Restart one or all cable modems. If you are using a Cisco CMTS platform, you can do this by using the clear cable modem mac-address reset command to reset an individual cable modem or by using the clear cable modem all reset command to reset all cable modems. On a Cisco CMTS, you can also restart all cable modems on a particular cable interface by using the shutdown and no shutdown commands on the interface.
When each Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter is restarted, it downloads the DOCSIS 1.0 configuration file, which forces the router to boot into its bootflash software image. The router then downloads the Cisco IOS Release 12.2(15)CZ software image.
Create a DOCSIS 1.0 Configuration File for the BPI+ Certificates (Required)
You must create a second DOCSIS 1.0 configuration file that instructs the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to download the new BPI+ certificates. This information is contained in the following configuration file options:
•Vendor Cisco Systems Specific Info Block (option 43, suboption 131)—Specifies the Cisco IOS commands that upgrade the DOCSIS certificates in the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter. These commands are the following:
–config-register 0x2102—Instructs the router to boot the Cisco IOS software image, which is the normal procedure and is required for upgrading the certificates.
–upgrade-bpkm-cert tftp-server ip-address—Specifies the IP address for the TFTP server to be used for the software and certificate downloads.
–upgrade-bpkm-cert directory-path directory-path—Specifies the directory on the TFTP server that contains the new DOCSIS certificates that should be downloaded. Each certificate in this directory must have a filename that consists of the cable modem's MAC address (six hexadecimal digits separated by hyphens) and an extension of ".cer" (for example, 00-05-89-AB-CD-EF.cer).
–upgrade-bpkm-cert start-upgrade—Begins downloading the new certificate from the specified path on the specified TFTP server.
For a sample DOCSIS 1.0 configuration file, see the "Sample Configuration File for Upgrading the BPI+ Certificates Using the BootFlash" section. You must modify this configuration file with the following information that is specific to your network:
•IP address for the TFTP server
•Directory path for the certificate upgrades
•IP address for a SYSLOG event server (optional but strongly recommended)
You can modify this file with your network-specific information using any DOCSIS 1.0 configuration file editor, such as the Cisco Broadband Configurator Tool (release 4.0 or later).
Upgrade the BPI+ Certificates (Required)
After you have copied the software images and new certificates to the TFTP server, and have created the required DOCSIS configuration files, perform the upgrade using the following procedure:
Step 1 Copy the second DOCSIS 1.0 configuration file (for example, the cfg10upg.cm file) to your TFTP server.
Step 2 Configure your DOCSIS cable provisioning software (such as a DHCP server or Cisco Network Registrar) so that it sends the second DOCSIS 1.0 configuration file as the DHCP bootfile during the initial provisioning.
Step 3 Restart one or all cable modems. If you are using a Cisco CMTS platform, you can do this by using the clear cable modem mac-address reset command to reset an individual cable modem or by using the clear cable modem all reset command to reset all cable modems. On a Cisco CMTS, you can also restart all cable modems on a particular cable interface by using the shutdown and no shutdown commands on the interface.
When each Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter is restarted, it downloads the DOCSIS 1.0 configuration file, which forces the router to boot the Cisco IOS Release 12.2(15)CZ software image. The router then executes the commands to upgrade the certificates. As it upgrades the certificates, it reports the progress to the SYSLOG event server.
After the router downloads the new certificates, it reloads again, and the router reboots with the Release 12.2(15)CZ image and valid DOCSIS 1.1 certificates. The router can then begin normal operations.
Note When the router reboots this last time, it again tries to execute the certificate upgrade commands that are in the DOCSIS 1.0 configuration file. However, because the router now has a valid certificate, it aborts the process and begins normal operations. (The SYSLOG event server will show that a second certificate upgrade process started but then was aborted.)
Reload the CM for Normal DOCSIS 1.1 Operations (Optional)
To test whether the Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter has been successfully upgraded, you can create a DOCSIS 1.1 configuration file that enables BPI+ authentication and encryption. See the "Sample DOCSIS 1.1 Configuration File with BPI+ Enabled (Normal Operations)" section for a sample file that you can use as a template for use and testing. This configuration file is also available in binary form as the cfg11ope.cm file on the distribution CD-ROM.
Replace the DOCSIS 1.0 configuration file with the DOCSIS 1.1 configuration file you have created and reload one or all of the cable modems to begin DOCSIS 1.1 operations.
Configuration Examples
This section provides the following configuration examples that can be used when upgrading the Cisco IOS software image and BPI+ upgrade certificates, using the procedures given in the "Upgrading Using the Existing Cisco IOS Software Image" section:
• Sample DOCSIS 1.0 Configuration File for Certificate and Image Upgrade
• Sample DOCSIS 1.1 Configuration File with BPI+ Enabled (Normal Operations)
• Sample DOCSIS 1.1 Configuration File for Secure Software Download
If you are using the procedure given in the "Upgrading Using the Existing BootFlash Software Image" section, use the following configuration examples instead:
• Sample Configuration File for Upgrading the Cisco IOS Software Image Using the BootFlash
• Sample Configuration File for Upgrading the BPI+ Certificates Using the BootFlash
Tip To use a sample configuration, copy it into a text file and make the indicated changes. Then use a DOCSIS configuration editor, such as the Cisco Broadband Configurator tool (release 4.0 or later), to convert the text into a binary DOCSIS configuration file. Each sample configuration is also available as a binary file on the Distribution CD-ROM, which you can load into the DOCSIS configuration editor, and use the tool's menus to modify the required fields.
Sample DOCSIS 1.0 Configuration File for Certificate and Image Upgrade
The following example shows a sample DOCSIS 1.0 configuration file that will instruct the router to download the Cisco IOS Release 12.2(15)CZ software image and to upgrade its DOCSIS 1.1 certificates. You must change the following parts of this sample configuration to match your local network's configuration:
•Software Upgrade Filename (option 9)—Specify the filename for the Cisco IOS Release 12.2(15)CZ software image, as it exists on the TFTP server. You must specify a filename for a software image that is NOT digitally signed (the filename ends with "mz").
•SNMP docsDevEvSyslog.0 (option 11)—Specify the IP address for your system's Syslog server (optional, but strongly recommended).
•TFTP Server IP (option 21)—Specify the IP address for the TFTP server for the cable modems.
•IOS Config Command (option 43, suboption 131)—Specify the IP address for the TFTP server for the upgrade-bpkm-cert tftp-server command. This typically will be the same IP address as the one you specified for the Software Upgrade Filename (option 9), above.
•IOS Config Command (option 43, suboption 131)—Specify the directory path on the TFTP server for the DOCSIS certificates for the upgrade-bpkm-cert directory-path command. This should be the same directory path that you created in the procedure in the "Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)" section.
You can optionally change the Class of Service Encodings Block (option 4) and Maximum Number of CPE (option 18) values, if desired.
03 (Net Access Control) = 1
04 (Class of Service Encodings Block)
S01 (Class ID) = 5
S02 (Max DS rate) = 10000000
S03 (Max US rate) = 2000000
S06 (Max US transmit rate) = 1522
09 (Software Upgrade Filename) = iosimages/cva120-k8y5-12215cz-mz
##--->Modify the path and filename for an unsigned software image
11 (SNMP MIB Object) = docsDevEvSyslog.0 (IP Address) = 10.0.0.23
##-------------------------------------->Modify Syslog IP address
11 (SNMP MIB Object) = docsDevEvReporting.1 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.2 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.3 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.4 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.5 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.6 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.7 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevSwAdminStatus.0 (Integer) = 2
18 (Maximum Number of CPE) = 4
21 (TFTP Server IP) = 10.0.0.100
##------------>Modify TFTP Server IP address
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = upgrade-bpkm-cert tftp-server 1.0.0.100
##----------------------------------------->Modify TFTP Server IP address
S131 (IOS Config Command) = upgrade-bpkm-cert directory-path bpi-certs
##-------------------------->Modify Subdirectory path for DOCSIS certificates
S131 (IOS Config Command) = upgrade-bpkm-cert start-upgrade
S131 (IOS Config Command) = enable password lab
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password lab
S131 (IOS Config Command) = end
Tip This file is available in binary form as the cfg10upg.cm file on the distribution CD-ROM.
Sample DOCSIS 1.1 Configuration File with BPI+ Enabled (Normal Operations)
The following example shows a sample DOCSIS 1.1 configuration file that can be used to enable normal DOCSIS 1.1 operations after you have upgraded the router to the new software image and DOCSIS certificates. You can change the upstream and downstream service flows as desired to match the design of your network.
Note You can replace this DOCSIS configuration file with any DOCSIS 1.1 configuration file that supports your cable network.
03 (Net Access Control) = 1
17 (Baseline Privacy Block)
S01 (Authorize Wait Timeout) = 10
S02 (Reauthorize Wait Timeout) = 10
S03 (Authorize Grace Timeout) = 300
S04 (Operational Wait Timeout) = 1
S05 (Rekey Wait Timeout) = 1
S06 (TEK Grace Time) = 300
S07 (Authorize Reject Wait Timeout)= 60
18 (Maximum Number of CPE) = 4
24 (Upstream Service Flow Block)
S01 (Flow Reference) = 1
S06 (QoS Parameter Set Type) = 7
S07 (Traffic Priority) = 4
S08 (Max Sustained Traffic Rate) = 250000
S09 (Max Traffic Burst) = 2000
S10 (Max Reserved Traffic Rate) = 0
S11 (Assumed Min Reserved Rate Packet Size) = 0
S15 (Service Flow Scheduling Type) = 2
24 (Upstream Service Flow Block)
S01 (Flow Reference) = 2
S06 (QoS Parameter Set Type) = 7
S07 (Traffic Priority) = 1
S08 (Max Sustained Traffic Rate) = 256000
S09 (Max Traffic Burst) = 2000
S10 (Max Reserved Traffic Rate) = 0
S11 (Assumed Min Reserved Rate Packet Size) = 0
S12 (Timeout for Active QoS Parameters) = 0
S13 (Timeout for Admitted QoS Parameters) = 0
S15 (Service Flow Scheduling Type) = 2
25 (Downstream Service Flow Block)
S01 (Flow Reference) = 3
S06 (QoS Parameter Set Type) = 7
S07 (Traffic Priority) = 1
S08 (Max Sustained Traffic Rate) = 10000000
S09 (Max Traffic Burst) = 2000
S10 (Max Reserved Traffic Rate) = 0
S11 (Assumed Min Reserved Rate Packet Size) = 0
S12 (Timeout for Active QoS Parameters) = 0
S13 (Timeout for Admitted QoS Parameters) = 0
25 (Downstream Service Flow Block)
S01 (Flow Reference) = 4
S06 (QoS Parameter Set Type) = 7
S07 (Traffic Priority) = 3
S08 (Max Sustained Traffic Rate) = 10000000
S09 (Max Traffic Burst) = 2000
S10 (Max Reserved Traffic Rate) = 0
S11 (Assumed Min Reserved Rate Packet Size) = 0
28 (Max Number of Classifiers) = 4
29 (Privacy Enable) = Yes
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = enable password lab
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password lab
S131 (IOS Config Command) = end
Tip This file is available in binary form as the cfg11ope.cm file on the distribution CD-ROM.
Sample DOCSIS 1.1 Configuration File for Secure Software Download
If you have already upgraded a Cisco uBR905/uBR925 cable access router or Cisco CVA122 Cable Voice Adapter to Cisco IOS Release 12.2(15)CZ, or another version of DOCSIS 1.1 software, you must use a DOCSIS 1.1 configuration file when booting. The following example shows a sample DOCSIS 1.1 configuration file that will instruct a DOCSIS 1.1 CM to use DOCSIS secure software download to download the Cisco IOS Release 12.2(15)CZ software image. This configuration file also contains the commands needed to upgrade the DOCSIS 1.1 certificates.
This configuration file is similar to the DOCSIS 1.0 configuration file shown in the "Sample DOCSIS 1.0 Configuration File for Certificate and Image Upgrade" section, except for the following:
•BPI+ encryption is disabled. This is required because the router does not have the digital certificates required for BPI+ authentication and encryption.
•Option 32, Manufacturer CVC, is specified. The router uses this CVC to verify the software image that is downloaded using DOCSIS secure software download.
You must change the following parts of this sample configuration to match your local network's configuration:
•Software Upgrade Filename (option 9)—Specify the filename for the Cisco IOS Release 12.2(15)CZ software image, as it exists on the TFTP server. You must specify a filename for a software image that is digitally signed (the filename includes "cvc" as part of the software image filename).
Note If the router is currently using the desired Cisco IOS Release 12.2(15)CZ software image, you do not need to specify the Software Upgrade Filename. However, it does no harm to specify the software image because the router does not download the software unless the specified software image is named differently than the image the router is currently running.
•SNMP docsDevEvSyslog.0 (option 11)—Specify the IP address for your system's Syslog server (optional, but strongly recommended).
•TFTP Server IP (option 21)—Specify the IP address for the TFTP server for the cable modems.
•IOS Config Command (option 43, suboption 131)—Specify the IP address for the TFTP server for the upgrade-bpkm-cert tftp-server command. This typically is the same IP address as the one you specified for the Software Upgrade Filename (option 9), above.
•IOS Config Command (option 43, suboption 131)—Specify the directory path on the TFTP server for the DOCSIS certificates for the upgrade-bpkm-cert directory-path command. This should be the same directory path that you created in the procedure in the "Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)" section.
You can optionally change the Upstream and Downstream Service Flow Block (options 24 and 25) and Maximum Number of CPE (option 18) values, if desired.
03 (Net Access Control) = 1
09 (Software Upgrade Filename) = iosimages/cva120cvc-k8o3v9y5-mz
##------>Modify the path and filename for a signed software image
11 (SNMP MIB Object) = docsDevEvSyslog.0 (IP Address) = 10.0.0.23
##-------------------------------------->Modify Syslog IP address
11 (SNMP MIB Object) = docsDevEvReporting.1 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.2 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.3 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.4 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.5 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.6 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.7 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevSwAdminStatus.0 (Integer) = 2
18 (Maximum Number of CPE) = 4
21 (TFTP Server IP) = 10.0.0.100
##------------>Modify TFTP Server IP address
24 (Upstream Service Flow Block)
S01 (Flow Reference) = 1
S06 (QoS Parameter Set Type) = 7
S08 (Max Sustained Traffic Rate) = 2500000
25 (Downstream Service Flow Block)
S01 (Flow Reference) = 2
S06 (QoS Parameter Set Type) = 7
S08 (Max Sustained Traffic Rate) = 4000000
29 (Privacy Enable) = No
32 (Manufacturer CVC) = ./ciscoCVC.der
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = upgrade-bpkm-cert tftp-server 1.0.0.100
##----------------------------------------->Modify TFTP Server IP address
S131 (IOS Config Command) = upgrade-bpkm-cert directory-path bpi-certs
##-------------------------->Modify Subdirectory path for DOCSIS certificates
S131 (IOS Config Command) = upgrade-bpkm-cert start-upgrade
S131 (IOS Config Command) = enable password cisco
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password cisco
S131 (IOS Config Command) = end
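The rules stated for these sample files (a signed "cvc" image together with the Manufacturer CVC, matching TFTP server addresses, a complete set of upgrade-bpkm-cert commands, and BPI+ disabled while certificates are being upgraded) can be checked on the text form of a configuration before it is converted to binary. The following Python script is an added example, not a Cisco tool. Its function names, finding codes and both sample inputs are constructed for illustration, and flagging the passwords used in the sample files is this example's own policy.

```python
import re

# One line of the text form: "09 (Name) = value" or "S131 (Name) = value".
LINE_RE = re.compile(r"^(S?\d+)\s*\(([^)]*)\)\s*(?:=\s*(.+))?$")
SAMPLE_PASSWORDS = {"lab", "cisco"}  # passwords that appear in the sample files


def parse_config(text):
    """Return (options, ios_cmds) parsed from the text form of a DOCSIS file."""
    options, ios_cmds, parent = {}, [], None
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:                 # blank lines and "##--->" annotations
            continue
        code, _name, value = match.groups()
        if code.startswith("S"):
            if parent == 43 and code == "S131" and value:
                ios_cmds.append(value.strip())
        else:
            parent = int(code)
            options.setdefault(parent, []).append((value or "").strip())
    return options, ios_cmds


def first(options, number):
    values = options.get(number)
    return values[0] if values else ""


def lint(text):
    """Return a list of (code, detail) findings; an empty list means no finding."""
    options, cmds = parse_config(text)
    findings = []

    image = first(options, 9).rsplit("/", 1)[-1]
    has_cvc = 32 in options
    if image and has_cvc and "cvc" not in image.lower():
        findings.append(("IMAGE_NOT_SIGNED", image))
    if image and not has_cvc and "cvc" in image.lower():
        findings.append(("SIGNED_IMAGE_WITHOUT_CVC", image))

    upgrade = {}
    for cmd in cmds:
        parts = cmd.split()
        if parts[0] == "upgrade-bpkm-cert" and len(parts) > 1:
            upgrade[parts[1]] = parts[2:]
        if "password" in parts[:-1] and parts[-1] in SAMPLE_PASSWORDS:
            findings.append(("SAMPLE_PASSWORD", cmd))

    if "start-upgrade" in upgrade:
        for needed in ("tftp-server", "directory-path"):
            if not upgrade.get(needed):
                findings.append(("CERT_UPGRADE_INCOMPLETE", needed))
    tftp = first(options, 21)
    if upgrade.get("tftp-server") and tftp and upgrade["tftp-server"][0] != tftp:
        findings.append(("TFTP_IP_MISMATCH", upgrade["tftp-server"][0] + " vs " + tftp))
    if upgrade and first(options, 29).lower() == "yes":
        findings.append(("PRIVACY_ENABLED_WITH_CERT_UPGRADE", "option 29"))
    return findings


# Constructed input with three deliberate problems.
FLAWED = """
03 (Net Access Control) = 1
09 (Software Upgrade Filename) = iosimages/example-image-mz
21 (TFTP Server IP) = 10.0.0.100
29 (Privacy Enable) = No
32 (Manufacturer CVC) = ./ciscoCVC.der
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = upgrade-bpkm-cert tftp-server 10.0.0.10
##----------------------------------------->constructed mismatch
S131 (IOS Config Command) = upgrade-bpkm-cert directory-path bpi-certs
S131 (IOS Config Command) = upgrade-bpkm-cert start-upgrade
S131 (IOS Config Command) = enable password lab
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password lab
S131 (IOS Config Command) = end
"""

# Constructed input that satisfies every rule checked above.
CLEAN = """
03 (Net Access Control) = 1
09 (Software Upgrade Filename) = iosimages/example-cvc-image-mz
21 (TFTP Server IP) = 10.0.0.100
29 (Privacy Enable) = No
32 (Manufacturer CVC) = ./ciscoCVC.der
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = upgrade-bpkm-cert tftp-server 10.0.0.100
S131 (IOS Config Command) = upgrade-bpkm-cert directory-path bpi-certs
S131 (IOS Config Command) = upgrade-bpkm-cert start-upgrade
S131 (IOS Config Command) = end
"""

if __name__ == "__main__":
    for code, detail in lint(FLAWED):
        print(code, "-", detail)
```
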
Sample Configuration File for Upgrading the Cisco IOS Software Image Using the BootFlash
The following example shows a sample DOCSIS 1.0 configuration file that will instruct the router to boot into the bootflash software image and then download the Cisco IOS Release 12.2(15)CZ software image. You must change the following parts of this sample configuration to match your local network's configuration:
•Software Upgrade Filename (option 9)—Specify the filename for the Cisco IOS Release 12.2(15)CZ software image, as it exists on the TFTP server. You must specify a filename for a software image that is NOT digitally signed (the filename ends with "mz").
•SNMP docsDevEvSyslog.0 (option 11)—Specify the IP address for your system's Syslog server (optional, but strongly recommended).
•TFTP Server IP (option 21)—Specify the IP address for the TFTP server for the cable modems.
You can optionally change the Class of Service Encodings Block (option 4) and Maximum Number of CPE (option 18) values, if desired.
03 (Net Access Control) = 1
04 (Class of Service Encodings Block)
S01 (Class ID) = 5
S02 (Max DS rate) = 10000000
S03 (Max US rate) = 2000000
S06 (Max US transmit rate) = 1522
09 (Software Upgrade Filename) = iosimages/cva120-k8y5-12215cz-mz
##--->Modify the path and filename for an unsigned software image
11 (SNMP MIB Object) = docsDevEvSyslog.0 (IP Address) = 10.0.0.23
##-------------------------------------->Modify Syslog IP address
11 (SNMP MIB Object) = docsDevEvReporting.1 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.2 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.3 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.4 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.5 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.6 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.7 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevSwAdminStatus.0 (Integer) = 2
18 (Maximum Number of CPE) = 4
21 (TFTP Server IP) = 10.0.0.100
##------------>Modify TFTP Server IP address
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = config-register 0x0001
##----------------------------------------->Boot the Bootflash Software Image
S131 (IOS Config Command) = enable password lab
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password lab
S131 (IOS Config Command) = end
Tip This file is not available on the distribution CD-ROM but can be obtained by using a DOCSIS configuration editor to modify the cfg10upg.cm file that is on the CD-ROM.
Sample Configuration File for Upgrading the BPI+ Certificates Using the BootFlash
The following example shows a sample DOCSIS 1.0 configuration file that will instruct the router to boot the Cisco IOS Release 12.2(15)CZ software image and then download the BPI+ certificates, if needed. You must change the following parts of this sample configuration to match your local network's configuration:
• SNMP docsDevEvSyslog.0 (option 11)—Specify the IP address for your system's Syslog server (optional, but strongly recommended).
• TFTP Server IP (option 21)—Specify the IP address for the TFTP server for the cable modems.
• IOS Config Command (option 43, suboption 131)—Specify the IP address for the TFTP server for the upgrade-bpkm-cert tftp-server command. This typically will be the same IP address as the one you specified for the Software Upgrade Filename (option 9), above.
• IOS Config Command (option 43, suboption 131)—Specify the directory path on the TFTP server for the DOCSIS certificates for the upgrade-bpkm-cert directory-path command. This should be the same directory path that you created in the procedure in the "Copy the Certificates and Cisco IOS Software Image to a TFTP Server (Required)" section.
You can optionally change the Class of Service Encodings Block (option 4) and Maximum Number of CPE (option 18) values, if desired.
03 (Net Access Control) = 1
04 (Class of Service Encodings Block)
S01 (Class ID) = 5
S02 (Max DS rate) = 10000000
S03 (Max US rate) = 2000000
S06 (Max US transmit rate) = 1522
11 (SNMP MIB Object) = docsDevEvSyslog.0 (IP Address) = 10.0.0.23
##-------------------------------------->Modify Syslog IP address
11 (SNMP MIB Object) = docsDevEvReporting.1 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.2 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.3 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.4 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.5 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.6 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevEvReporting.7 (Octet String) = 0xe0
11 (SNMP MIB Object) = docsDevSwAdminStatus.0 (Integer) = 2
18 (Maximum Number of CPE) = 4
21 (TFTP Server IP) = 10.0.0.100
##------------>Modify TFTP Server IP address
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = config-register 0x2102
##----------------------------------------->Boot the Cisco IOS Software Image
S131 (IOS Config Command) = upgrade-bpkm-cert tftp-server 1.0.0.100
##----------------------------------------->Modify TFTP Server IP address
S131 (IOS Config Command) = upgrade-bpkm-cert directory-path bpi-certs
##-------------------------->Modify Subdirectory path for DOCSIS certificates
S131 (IOS Config Command) = upgrade-bpkm-cert start-upgrade
S131 (IOS Config Command) = enable password lab
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password lab
S131 (IOS Config Command) = end
Tip This file is not available on the distribution CD-ROM but can be obtained by using a DOCSIS configuration editor to modify the cfg10upg.cm file that is on the CD-ROM.
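The following added example (not part of the Cisco document or its CD-ROM) checks a decoded configuration listing in the text format shown above before it is compiled and served to modems. It flags a certificate TFTP address that differs from option 21, the sample password lab left in place, a missing Syslog target, and a start-upgrade command placed ahead of its settings. The function names, the comparison against option 21, and the assumption that S131 commands run in listed order are this example's own.

```python
import re

# Constructed input: abridged from the sample listing above, values unchanged.
SAMPLE = """\
11 (SNMP MIB Object) = docsDevEvSyslog.0 (IP Address) = 10.0.0.23
##-------------------------------------->Modify Syslog IP address
21 (TFTP Server IP) = 10.0.0.100
43 (Vendor Cisco Systems Specific Info Block)
S131 (IOS Config Command) = config-register 0x2102
S131 (IOS Config Command) = upgrade-bpkm-cert tftp-server 1.0.0.100
S131 (IOS Config Command) = upgrade-bpkm-cert directory-path bpi-certs
S131 (IOS Config Command) = upgrade-bpkm-cert start-upgrade
S131 (IOS Config Command) = enable password lab
S131 (IOS Config Command) = line vty 0 4
S131 (IOS Config Command) = password lab
S131 (IOS Config Command) = end
"""

# "NN (Name) = value" or "Snn (Name) = value"; '##' annotation lines do not match.
LINE = re.compile(r"^(S?\d+) \(([^)]+)\)(?: = (.*))?$")

def parse(listing):
    """Return (code, name, value) tuples for every option line in the listing."""
    out = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3) or ""))
    return out

def lint(listing, sample_secrets=("lab",)):
    """Return a list of findings for a decoded config listing (empty if clean)."""
    entries = parse(listing)
    findings = []
    tftp = [v for c, _, v in entries if c == "21"]
    cmds = [v for c, _, v in entries if c == "S131"]
    if not any(v.startswith("docsDevEvSyslog.0") for c, _, v in entries if c == "11"):
        findings.append("no docsDevEvSyslog.0: upgrade events are not logged")
    for cmd in cmds:
        words = cmd.split()
        is_cert_tftp = words[:2] == ["upgrade-bpkm-cert", "tftp-server"] and len(words) == 3
        if is_cert_tftp and tftp and words[2] != tftp[0]:
            findings.append(f"cert tftp-server {words[2]} differs from option 21 {tftp[0]}")
        if "password" in words and words[-1] in sample_secrets:
            findings.append(f"sample password left in place: '{cmd}'")
    starts = [i for i, c in enumerate(cmds) if c == "upgrade-bpkm-cert start-upgrade"]
    for needed in ("tftp-server", "directory-path"):
        idx = [i for i, c in enumerate(cmds) if c.startswith(f"upgrade-bpkm-cert {needed} ")]
        if starts and (not idx or idx[0] > starts[0]):
            findings.append(f"start-upgrade issued before {needed} is set")
    return findings
```

Run `lint()` on the text export from your DOCSIS configuration editor; an empty list means none of these four conditions was found.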
Posted: Fri May 28 11:40:09 PDT 2004
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights reserved.