1) Basics

Our first file will just allow network access and limit download/upload speeds:
    Main
    {
        NetworkAccess 1;                /* enables packet forwarding */
        GlobalPrivacyEnable 0;          /* disables BPI (encryption) */
        UsServiceFlow                   /* creates an upstream service flow */
        {
            UsServiceFlowRef 1;         /* SF number */
            QosParamSetType 7;          /* activates SF */
            TrafficPriority 3;          /* sets medium priority */
            MaxRateSustained 128000;    /* max upstream transfer rate - 128kb/s */
        }
        DsServiceFlow                   /* creates a downstream service flow */
        {
            DsServiceFlowRef 2;         /* SF number */
            QosParamSetType 7;          /* activates SF */
            TrafficPriority 3;          /* sets medium priority */
            MaxRateSustained 1000000;   /* max downstream transfer rate - 1Mb/s */
        }
    }

Reader's comment: Please note that Ds/UsServiceRef numbers must be unique in cable modem config. On Cisco, a CM with the same Ds and Us ServiceFlowRef will end up with reject(c) status.

3) Adding advanced parameters
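
    Main
    {
        /* global parameters as in the Basics file go here */
        DsPacketClass
        {
            ClassifierRef 2;            /* Classifier number */
            ServiceFlowRef 4;           /* forwards packets using SF #4 */
            RulePriority 3;             /* Low priority classifier */
            ActivationState 1;          /* enables classifier */
            IpPacketClassifier
            {
                IpTos 0x0808ff;
            }
        }
        UsServiceFlow
        {
            UsServiceFlowRef 1;         /* SF number */
            QosParamSetType 7;          /* activates SF */
            TrafficPriority 3;          /* sets medium priority */
            MaxRateSustained 128000;    /* max upstream transfer rate */
        }
        DsServiceFlow
        {
            DsServiceFlowRef 2;         /* SF number */
            QosParamSetType 7;          /* activates SF */
            TrafficPriority 3;          /* sets medium priority */
            MaxRateSustained 1000000;   /* max downstream transfer rate */
        }
        DsServiceFlow
        {
            DsServiceFlowRef 4;         /* SF number, used by the classifier above */
            QosParamSetType 7;          /* activates SF */
            TrafficPriority 3;          /* sets medium priority */
            MaxRateSustained 2000000;   /* max downstream transfer rate */
        }
    }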
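
The reference rules used so far (service flow numbers unique across upstream and downstream, classifiers pointing at a service flow that exists, QosParamSetType 7, and the BPI switch) can be checked before a file is handed to modems. The following is an added example, not part of the original article or of any DOCSIS tool; `lint`, `blocks` and the sample text are hypothetical names and constructed data.

```python
import re

# Constructed sample: the section 3 layout with three deliberate problems.
SAMPLE = """
Main {
    NetworkAccess 1;
    GlobalPrivacyEnable 0;  /* BPI off */
    DsPacketClass { ClassifierRef 2; ServiceFlowRef 9; RulePriority 3;
        ActivationState 1; IpPacketClassifier { IpTos 0x0808ff; } }
    UsServiceFlow { UsServiceFlowRef 2; QosParamSetType 7; MaxRateSustained 128000; }
    DsServiceFlow { DsServiceFlowRef 2; QosParamSetType 7; MaxRateSustained 1000000; }
    DsServiceFlow { DsServiceFlowRef 4; QosParamSetType 7; MaxRateSustained 2000000; }
}
"""

def blocks(text, name):
    """Yield {parameter: value} for every 'name { ... }' block (one nested level)."""
    pattern = r"\b%s\s*\{((?:[^{}]|\{[^{}]*\})*)\}" % name
    for m in re.finditer(pattern, text):
        yield dict(re.findall(r"(\w+)\s+([^;{}\s]+)\s*;", m.group(1)))

def lint(config):
    """Return a list of findings; hypothetical helper, not part of any DOCSIS tool."""
    text = re.sub(r"/\*.*?\*/", "", config, flags=re.S)  # drop comments
    findings, flows, classifiers = [], {}, set()
    for kind in ("UsServiceFlow", "DsServiceFlow"):
        for b in blocks(text, kind):
            ref = int(b[kind + "Ref"])
            if ref in flows:
                findings.append("service flow ref %d used by %s and %s" % (ref, flows[ref], kind))
            flows.setdefault(ref, kind)
            if b.get("QosParamSetType") != "7":
                findings.append("service flow %d lacks QosParamSetType 7" % ref)
    for kind in ("UsPacketClass", "DsPacketClass"):
        for b in blocks(text, kind):
            cref, sref = int(b["ClassifierRef"]), int(b["ServiceFlowRef"])
            if cref in classifiers:
                findings.append("ClassifierRef %d is not unique" % cref)
            classifiers.add(cref)
            if sref not in flows:
                findings.append("classifier %d points at missing service flow %d" % (cref, sref))
    if re.search(r"\bGlobalPrivacyEnable\s+0\s*;", text):
        findings.append("GlobalPrivacyEnable 0: BPI encryption is disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
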

4) Global Parameters explained

Name: MaxCPE

Name: CpeMacAddress
Description: Specifies the MAC address of a computer/device. The number of CpeMacAddress commands must be less than or equal to MaxCPE. Useful when you don't want the modem to learn the access point's IP address.
Values: MAC address of one device

Description: Maximum number of admitted and active upstream classifiers that the modem is allowed to have.

Description: Enables DOCSIS 2.0.
Values: 0 - disabled, 1 - enabled

Description: Allows entering TLVs unsupported by the program.
Values: Syntax: TlvCode XXX TlvLength X TlvValue 0xXX

Description: Specifies the firmware filename on the TFTP server.
Values: "filename"

Description: Specifies the TFTP server IP address.
Values: IP address

Description: Specifies an OID to set.
Values: Syntax: OID type value

Name: MtaConfigDelimiter

Note: to create MfgCVCData, take the mfg cert and then:
hexdump -v -e ' 2/1 "%02X" ' -n 254 cert.cer
The complete MfgCVCData option would be MfgCVCData 0xOUTPUT_FROM_ABOVE; To create the next portion just skip the first 254 chars with -s:
hexdump -v -e ' 2/1 "%02X" ' -n 254 -s 254 cert.cer
Increase -s by 254 for the next portions.
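
The repeated hexdump runs above can be done in one pass. This added example (not from the original article) emits every 254-byte portion as an MfgCVCData line and first checks that the file really is a binary DER certificate of the declared size, since a PEM (base64 text) or truncated file would hex-encode without complaint and produce useless CVC data. The function names and the stand-in certificate bytes are constructed for illustration.

```python
def der_total_length(data):
    """Total size (header + body) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; is the file PEM/base64 text?")
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def mfg_cvc_lines(cert, portion=254):
    """Return one 'MfgCVCData 0x...;' line per 254-byte portion of the certificate."""
    if der_total_length(cert) != len(cert):
        raise ValueError("file size does not match the DER length; truncated or padded")
    return ["MfgCVCData 0x%s;" % cert[off:off + portion].hex().upper()
            for off in range(0, len(cert), portion)]

def reassemble(lines):
    """Inverse of mfg_cvc_lines, used to confirm no byte was lost or repeated."""
    return b"".join(bytes.fromhex(l.split("0x", 1)[1].rstrip(";")) for l in lines)

# Constructed stand-in for cert.cer: a DER header declaring 600 body bytes.
SAMPLE_CERT = bytes([0x30, 0x82, 0x02, 0x58]) + bytes(range(256)) * 2 + bytes(88)

if __name__ == "__main__":
    for line in mfg_cvc_lines(SAMPLE_CERT):
        print(line[:40] + "...")
```
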

5) Service flow parameters explained

General SF parameters:

Name: QosParamSetType
Description: Quality of Service Parameter Set Type. Describes whether the service flow is Provisioned, Admitted and Active. Bit 0 - Provisioned flag, Bit 1 - Admitted flag, Bit 2 - Active flag. For a service flow to be working all 3 bits must be set to 1. Binary 111 equals 7 decimal.
Values: 7 - Active, other - disabled

Name: TrafficPriority
Description: Sets priority for packets matching that service flow. The CMTS should serve SFs with higher priority first.
Values: 0 - lowest (default), 7 - highest

Name: DsServiceFlowRef
Description: Number of the downstream service flow - must match ServiceFlowRef in packet classifiers (if they exist). Service flows with the lowest numbers are taken as default - no classifiers needed there.
Values: any number (1-65535)

Name: MaxDsLatency
Description: Specifies the maximal time between reception of a packet and forwarding it to the RF interface on the CMTS.
Values: Value in microseconds

Name: UsServiceFlowRef

Name: MaxConcatenatedBurst
Description: Maximum data in bytes to be transmitted in one concatenation burst.
Values: Size in bytes, default 1522

Name: SchedulingType
Description: Scheduling type to be used in the service flow.
Values: 2 - Best effort, 3 - Non Real Time Polling, 4 - Real Time Polling, 5 - Unsolicited Grant Service with Activity Detection, 6 - Unsolicited Grant Service

Name: RequestOrTxPolicy
Description: Request/Transmission Policy - specifies behaviour of a service flow.
Values: There are 16 bits numbered from 15 to 0. Bit 0 disables all CM opportunities, bit 1 disables Priority Request multicast opportunities, bit 2 disables Request/Data opportunities for Requests, bit 3 - same for data, bit 4 disables piggyback requests with data, bit 5 disables concatenation, bit 6 disables fragmentation, bit 7 disables payload header suppression, bit 8 enables dropping of packets that do not fit in the Unsolicited Grant. Example: 0x000001ff; Size

Name: IpTosOverwrite
Description: Enables overwriting ToS values for matching packets.
Values: New ToS = (Old ToS AND AA) OR OO, example: 0xAAOO

I've purposely omitted information about other scheduling types: UGS, UGS with AD, non real time polling, real time polling. Test revealed that they are only useful with VOIP and/or streaming video. One may use a source IP or destination port based classifier to capture VOIP traffic and limit UP and downstream service flows to no more than 128k. Since it's useless for browsing the internet no one should exploit that SF. With streaming video the destination IP of the video server must be known, because a high speed, low latency connection is VERY likely to be exploited if not protected properly. It might be a good idea for VOIP to create a separate IP address class for VOIP gateways and create best effort service flows with the highest traffic priority. Adding MinReservedRate may give even better results.

6) Classifiers

IP and port based classifier

    UsPacketClass
    {
        ServiceFlowRef 3;
        ClassifierRef 11;
        RulePriority 68;
        ActivationState 1;
        IpPacketClassifier                 /* Matches: */
        {
            IpSrcAddr 192.168.0.0;         /* source IPs from 192.168.0.0 */
            IpSrcMask 255.255.255.0;       /* to 192.168.0.255 */
            SrcPortStart 1024;             /* source ports from 1024 */
            SrcPortEnd 2000;               /* to 2000 */
            IpDstAddr 113.206.95.144;      /* destination IPs from 113.206.95.144 */
            IpDstMask 255.255.255.248;     /* to 113.206.95.151 */
            DstPortStart 80;               /* destination port 80 */
            DstPortEnd 80;
            IpProto 6;                     /* TCP protocol */
        }
    }

MAC address based classifier

    UsPacketClass
    {
        ServiceFlowRef 3;
        ClassifierRef 11;
        RulePriority 68;
        ActivationState 1;
        LLCPacketClassifier
        {
            SrcMacAddress 00:11:22:33:44:55;   /* Matches that MAC address */
        }
    }

General classifier parameters:

Name: DsPacketClass
Description: Creates a downstream classifier.
Values: none

Name: UsPacketClass
Description: Creates an upstream classifier.
Values: none

Name: ClassifierRef
Description: Number of the classifier, must be unique in the config file.
Values: any number (1-255)

Name: ServiceFlowRef
Description: ServiceFlowRef number of the service flow which is used if a packet matches that classifier.
Values: Number of an existing SF

Name: RulePriority
Description: Specifies the priority for the classifier. Higher number - higher priority. Classifiers with higher priority are checked first.
Values: any number (0-255)

Values: 1 - enabled, 0 - disabled?

Description: What to do with the classifier when a Dynamic Service Change Request is received.
Values: 0 - Add classifier, 1 - replace classifier, 2 - delete classifier

IP classifier parameters:

Name: IpPacketClassifier
Description: Creates an IP classifier match.
Values: none

Name: IpTos
Description: Matches ToS values.
Values: 0xLLHHMM, where LL - low tos, HH - high tos, MM - tos mask. Matches packets where LL <= (tos AND MM) <= HH.

Name: IpSrcAddr
Description: Matches source IP.
Values: IP address

Name: IpSrcMask
Description: Specifies source mask. Match = SrcIP AND SrcMask.
Values: IP address

Name: IpDstAddr
Description: Matches destination IP.
Values: IP address

Name: IpDstMask
Description: Specifies destination mask. Match = DstIP AND DstMask.
Values: IP address

Name: SrcPortStart
Description: Matches source ports starting from that value.
Values: 0 (default) - 65535

Name: SrcPortEnd
Description: Matches source ports ending on that value.
Values: 0 - 65535 (default)
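
How these fields combine is easiest to see by running packets through them. The following added example (not from the original article) evaluates the IP and port based classifier shown earlier in this section, taking the ToS range as low <= (tos AND mask) <= high and checking classifiers from the highest RulePriority down. The packet dictionary layout, the `ANY_TCP` rule and the 0-65535 default for destination ports are assumptions made for the example.

```python
import ipaddress

def ip_match(addr, net, mask):
    """Match = address AND mask, compared with the classifier's masked address."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return a & m == n & m

def tos_match(tos, ip_tos):
    """IpTos is 0xLLHHMM; match when LL <= (tos AND MM) <= HH."""
    low, high, mask = (ip_tos >> 16) & 0xFF, (ip_tos >> 8) & 0xFF, ip_tos & 0xFF
    return low <= (tos & mask) <= high

def matches(c, p):
    """True when packet p satisfies every field present in classifier c."""
    if "IpProto" in c and p["proto"] != c["IpProto"]:
        return False
    if "IpTos" in c and not tos_match(p["tos"], c["IpTos"]):
        return False
    if "IpSrcAddr" in c and not ip_match(p["src"], c["IpSrcAddr"], c["IpSrcMask"]):
        return False
    if "IpDstAddr" in c and not ip_match(p["dst"], c["IpDstAddr"], c["IpDstMask"]):
        return False
    if not c.get("SrcPortStart", 0) <= p["sport"] <= c.get("SrcPortEnd", 65535):
        return False
    # Destination port defaults are assumed to mirror the source port defaults.
    return c.get("DstPortStart", 0) <= p["dport"] <= c.get("DstPortEnd", 65535)

def classify(packet, classifiers, default_sf):
    """Check enabled classifiers from highest RulePriority down; first match wins."""
    for c in sorted(classifiers, key=lambda c: c["RulePriority"], reverse=True):
        if c.get("ActivationState", 1) == 1 and matches(c, packet):
            return c["ServiceFlowRef"]
    return default_sf

# The upstream classifier from this section, plus a constructed catch-all TCP rule.
WEB = dict(ServiceFlowRef=3, ClassifierRef=11, RulePriority=68, ActivationState=1,
           IpSrcAddr="192.168.0.0", IpSrcMask="255.255.255.0", SrcPortStart=1024,
           SrcPortEnd=2000, IpDstAddr="113.206.95.144", IpDstMask="255.255.255.248",
           DstPortStart=80, DstPortEnd=80, IpProto=6)
ANY_TCP = dict(ServiceFlowRef=5, ClassifierRef=12, RulePriority=10, IpProto=6)

def pkt(src, sport, dst, dport, proto=6, tos=0):
    """Build a constructed test packet (hypothetical layout)."""
    return dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto, tos=tos)
```
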

LLC classifier parameters:

Name: LLCPacketClassifier
Description: Creates LLC (MAC) classifier match.
Values: none

Name: DstMacAddress
Description: Matches destination MAC.
Values: MAC address

Name: SrcMacAddress
Description: Matches source MAC.
Values: MAC address

Name: EtherType
Description: Matches ethertype.
Values: Ethertype in hex

802.1q classifier parameters:

Name: IEEE802Classifier
Description: Creates 802.1P/Q classifier match.
Values: none

Name: UserPriority
Description: Matches priority field.
Values: 0-7

Values: 0-4095

Nm access entries explained:

Name: docsDevNmAccessStatus
Description: Configures row creation and its activation.
Values: 1 - active, 2 - inactive, 4 - create and activate, 5 - create and deactivate, 6 - delete. Stick with 4.

Name: docsDevNmAccessIp
Description: Specifies the source IP of an SNMP query matching this rule.
Values: IP address

Name: docsDevNmAccessIpMask
Description: Specifies the source IP mask of an SNMP query matching this rule.
Values: mask address

Name: docsDevNmAccessControl
Description: Specifies access privileges.
Values: 2 - RO, 3 - RW, 4 - RO with traps, 5 - RW with traps, 6 - traps

Name: docsDevNmAccessInterfaces
Description: Specifies the matching interface.
Values: 0x40 - cable, 0x80 - ethernet, 0xC0, 0x00 - both

Name: docsDevNmAccessCommunity
Description: Specifies the community string.
Values: "desired_community_string"

Firewall rule:

This firewall rule prevents users from sending mail using port 25 (SMTP). Note that by setting docsDevFilterIpDefault to 2 (drop) one can allow only selected traffic instead of dropping it.

    SnmpMibObject docsDevFilterIpControl.7 Integer 1;           /* discard */
    SnmpMibObject docsDevFilterIpIfIndex.7 Integer 0;
    SnmpMibObject docsDevFilterIpDirection.7 Integer 3;         /* both */
    SnmpMibObject docsDevFilterIpBroadcast.7 Integer 2;         /* false */
    SnmpMibObject docsDevFilterIpSaddr.7 IPAddress 0.0.0.0;
    SnmpMibObject docsDevFilterIpSmask.7 IPAddress 0.0.0.0;
    SnmpMibObject docsDevFilterIpDaddr.7 IPAddress 0.0.0.0;
    SnmpMibObject docsDevFilterIpDmask.7 IPAddress 0.0.0.0;
    SnmpMibObject docsDevFilterIpProtocol.7 Integer 6;
    SnmpMibObject docsDevFilterIpSourcePortLow.7 Integer 0;
    SnmpMibObject docsDevFilterIpSourcePortHigh.7 Integer 65535;
    SnmpMibObject docsDevFilterIpDestPortLow.7 Integer 25;
    SnmpMibObject docsDevFilterIpDestPortHigh.7 Integer 25;
    SnmpMibObject docsDevFilterIpStatus.7 Integer 4;            /* createAndGo */

8) Other configuration parameters

Currently other parameters are only listed. Will write descriptions when there's time.

Baseline Privacy, must be turned on by GlobalPrivacyEnable.

Name: BaselinePrivacy
Description: Specifies BPI options.
Values: none - tree

Names: SAMapWaitTimeout, SAMapMaxRetries, AuthTimeout, ReAuthTimeout, AuthGraceTime, ReKeyTimeout, TEKGraceTime, AuthRejectTimeout

SNMPv3 specific:

Name: SnmpV3Kickstart
Description: Specifies SNMPv3 engine options.
Values: none - tree

Names: SnmpV3SecurityName, SnmpV3MgrPublicNumber

Name: SnmpV3TrapReceiver
Description: Specifies SNMPv3 traps settings.
Values: none - tree

Names: SnmpV3TrapRxIP, SnmpV3TrapRxPort, SnmpV3TrapRxType, SnmpV3TrapRxTimeout, SnmpV3TrapRxRetries, SnmpV3TrapRxFilterOID, SnmpV3TrapRxSecurityName

Values: "security_name"

PHS - Payload header suppression:

Name: PHS
Description: Specifies PHS options.
Values: none - tree

Names: PHSClassifierRef, PHSClassifierId, PHSServiceFlowRef, PHSServiceFlowId, PHSField, PHSIndex, PHSMask, PHSSize, PHSVerify

Vendor specific:

Name: VendorSpecific
Description: Specifies vendor specific options.
Values: none - tree

Name: VendorIdentifier
Description: Specifies the vendor identifier.
Values: vendor id 0xIIIIII

Modem Capabilities:

Everything should be enabled by default, so use it only to disable things.

Name: ModemCapabilities
Description: Starts the tree.
Values: none

Names: ConcatenationSupport, ModemDocsisVersion, FragmentationSupport, PHSSupport, IGMPSupport, BaselinePrivacySupport, DownstreamSAIDSupport, UpstreamSIDSupport, DCCSupport, SubMgmtControl, SubMgmtFilters

Contact:
email: johnx@elwico.pl