Access lists for modems | docsis.org

Access lists for modems

omadon
Access lists for modems

Is it possible to define an access list in the modem config that would restrict traffic to certain IP addresses and ports?

Example: a cable customer has a virus or worm and I give him a config so that he can only use www for virus/Windows updates.

If not, what is the best way to achieve this?

Thanks

Anonymous (not verified)
Access lists for modems

Hmm, there are at least three ways to complete your task:
1. Using Access-Lists on your CMTS. (see CMTS Docs)
2. Using Filter Groups on your CMTS. It is something like an ACL but more flexible and less popular. (see CMTS Docs)
3. (This is what you asked for.) You can use IP & LLC filters. For example, I've created a simple IP filter for blocking any traffic from client ports 135-139 (NetBIOS traffic):

11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.2.1 %integer = 4 //Status;4=Create and Go
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.3.1 %integer = 1 //Control;1=discard
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.5.1 %integer = 3 //Direction;3=both
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.6.1 %integer = 2 //is broadcast;2=false
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.7.1 %ipaddr = 192.168.50.0 //source address
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.8.1 %ipaddr = 255.255.255.0 //source mask
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.11.1 %integer = 256 //protocol type; 256=any
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.12.1 %integer = 135 //source port low
11 (SNMP IP FILTER) = 1.3.6.1.2.1.69.1.6.4.1.13.1 %integer = 139 // source port high

omadon
Access lists for modems

I created filter groups but I can't find the option to add in the modem configuration to tell the modem which filter group to use.

One more thing: options 1 and 2 will block packets when they reach the CMTS and option 3 will block packets on the modem. Is this correct or not?

omadon
Access lists for modems
Anonymous (not verified)
Access lists for modems

Quote:
I created filter groups but I can't find the option to add in the modem configuration to tell the modem which filter group to use.

37 (Sub Mgmt Filter Groups) = 00 00 00 00 00 00 00 00

Quotation from the DOCSIS specification:
bytes 1,2: docsSubMgtSubFilterDownstream group
bytes 3,4: docsSubMgtSubFilterUpstream group
bytes 5,6: docsSubMgtCmFilterDownstream group
bytes 7,8: docsSubMgtCmFilterUpstream group

The Subscriber Management MIB allows filter groups to be assigned to a CM and CPE attached to that CM. These include two CM filter groups, upstream and downstream, and two CPE filter groups, upstream and downstream. These four filter groups are encoded in the configuration file in a single TLV as follows:
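
Added example, not part of the original post or of any DOCSIS tool: a small Python helper that builds and parses the "37 (Sub Mgmt Filter Groups)" line using the byte layout quoted above. The function names are hypothetical, and it assumes each two-byte group number is an unsigned big-endian value.

```python
import struct

# Field order taken from the byte layout quoted in the thread (bytes 1-8).
FIELDS = (
    "docsSubMgtSubFilterDownstream",
    "docsSubMgtSubFilterUpstream",
    "docsSubMgtCmFilterDownstream",
    "docsSubMgtCmFilterUpstream",
)
LINE_PREFIX = "37 (Sub Mgmt Filter Groups) = "


def encode_filter_groups(sub_down=0, sub_up=0, cm_down=0, cm_up=0):
    """Return the config line that assigns the four filter groups."""
    groups = (sub_down, sub_up, cm_down, cm_up)
    for name, value in zip(FIELDS, groups):
        if not isinstance(value, int) or not 0 <= value <= 0xFFFF:
            raise ValueError(f"{name} must fit in two bytes, got {value!r}")
    # Assumption: each group number is packed as a big-endian 16-bit integer.
    payload = struct.pack(">4H", *groups)
    return LINE_PREFIX + " ".join(f"{b:02X}" for b in payload)


def decode_filter_groups(line):
    """Parse a TLV 37 config line into a dict of named group numbers."""
    line = line.strip()
    if not line.startswith(LINE_PREFIX):
        raise ValueError("not a Sub Mgmt Filter Groups line")
    # Drop a trailing // comment, as used in the filter lines in this thread.
    hex_part = line[len(LINE_PREFIX):].split("//")[0]
    try:
        payload = bytes.fromhex(hex_part)
    except ValueError as exc:
        raise ValueError(f"bad hex in TLV 37 value: {hex_part!r}") from exc
    if len(payload) != 8:
        raise ValueError(f"TLV 37 needs exactly 8 bytes, got {len(payload)}")
    return dict(zip(FIELDS, struct.unpack(">4H", payload)))


if __name__ == "__main__":
    # Constructed sample: CPE downstream group 1, CPE upstream group 2.
    line = encode_filter_groups(sub_down=1, sub_up=2)
    print(line)
    for name, group in decode_filter_groups(line).items():
        print(f"{name} = {group}")
```

The group numbers passed in must match filter groups that already exist on the CMTS; the helper only checks that each value fits the two-byte field.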