Document ID: 12200
Updated: Jan 12, 2006
Contents
Introduction
This document discusses the reason why console or Telnet access to a cable modem that has achieved online status is disabled.
Prerequisites
Requirements
Readers of this document should have a basic understanding of the Data-over-Cable Service Interface Specifications (DOCSIS) protocol.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Why Console Access Is Disabled
When the cable interface on the cable modem is not initialized, console and Telnet access to the cable modem function as on any other Cisco router. However, once the modem achieves online status and the cable interface is initialized, console access is disabled automatically following a new configuration that is downloaded into the cable modem through the DOCSIS configuration file. This newly downloaded configuration contains a new enable password and new Telnet passwords that are not visible to the end user. These changes are all controlled by the service provider, so no configuration can be done on the cable modem side to override them. Any previously stored configurations are superseded by the newly downloaded configuration file. This is done so that tampering with cable modem configurations is prevented once the cable modem is online. This security measure was a request by the majority of cable providers in the United States.
Moreover, users with active enable sessions are forced out of enable mode before the download occurs, and the console is locked, preventing users from getting back into enable mode or changing the password. This approach also addresses concerns that security is compromised by users being able to display the running configuration. For example, Simple Network Management Protocol (SNMP) community passwords are not compromised.
Copying a Cisco IOSĀ® Software configuration file to a running configuration file each time the interface initializes prevents the need to write the configuration to nonvolatile RAM (NVRAM). If Telnet access through the Ethernet interface is restricted by setting filters through the cable device MIB, the running configuration file is never visible to the user.
Note: For detailed information on how to download a Cisco IOS Software configuration file, refer to the Cisco Vendor Specific Fields section in Building DOCSIS 1.0 Configuration Files Using Cisco DOCSIS Configurator (registered customers only) . To verify that the configuration is working, make a Telnet connection to the cable modem from the head end router using the passwords that were created in the configuration file. The following should appear in the show version command output on the cable modem:
Host configuration file is "ios.cnf", booted via tftp from ......
Related Information
Open a Support Case 
(Requires a Cisco Service Contract.)
Related Cisco Support Community Discussions
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.