Troubleshooting guide
6-2
Cisco Broadband Local Integrated Services Solution Troubleshooting Guide
OL-5169-01
Chapter 6 Troubleshooting MTAs
Troubleshooting EMTA Provisioning
Embedded Media Terminal Adapter
The EMTA is a cable modem (CM) and a Media Terminal Adapter (MTA) in one box, with a common
software image. The CM and MTA each has its own MAC-address and each performs DHCP to get its
own IP address. The EMTA contains, at minimum, 2 certificates. One certificate is a unique MTA
certificate, sent by the MTA to authenticate itself to the key distribution center (KDC). The other is a
telephony root certificate used to verify the certificate sent by the KDC to the MTA. The KDC’s
certificate will be chained from the telephony root, therefore the telephony root must reside on the MTA
to validate the authenticity of the KDC certificate. The MTA portion receives its own configuration file,
which it uses to identify its controlling call agent, among other things.
DHCP Server
The DOCSIS specifications mandate that cable modems negotiate their IP address using the Dynamic
Host Configuration Protocol (DHCP). The MTA, like most CPE on a DOCSIS network, must use DHCP
to obtain its IP address and other crucial information (DNS servers, PacketCable option 122 for Kerberos
realm name of KDC, provisioning server FQDN).
Note The CM portion, in addition to its normally required DHCP options, also requests, and must receive,
Option 122 suboption 1, which it passes to the MTA portion as the IP address of the correct DHCP server
from which to accept offers.
When using BACC with PacketCable support, be aware that BACC will automatically populate the ToD
server, DNS servers, TFTP server, as well as the Option 122 (or 177) fields; these do not need to be
explicitly set in the CNR policy.
DNS Server
The Domain Name System (DNS) server is fundamental in PacketCable provisioning. The PacketCable
provisioning server, the device provisioning engine (DPE) in a BACC architecture, must have an address
(A) record in the appropriate zone, as its fully qualified domain name (FQDN) is provided to the MTA
in Option 122 by the DHCP server. The KDC realm must have a zone of the same name as the realm
name, containing a server (SRV) record that contains the FQDN of the Kerberos server.
The Kerberos server identified in the SRV record must itself have an A record in the appropriate zone.
The call management server (CMS) identified in the MTA config file must also have an A record in the
appropriate zone. Lastly, the MTAs themselves must have A records in the appropriate zone, since the
CMS reaches the MTA by resolving its FQDN. Dynamic DNS (DDNS) is the preferred method of
creating A records for the MTA; refer to configuring and troubleshooting DDNS on CNR.
Key Distribution Center
A key distribution center (KDC) is included in the BACC with PacketCable support. The KDC is
responsible for authenticating MTAs. As such, it must check the MTA’s certificate, and provide its own
certificate so the MTA can authenticate the KDC. It also communicates with the Provisioning Server
(DPE in the BACC architecture) to validate that the MTA is, in fact, provisioned on the network.
PacketCable Provisioning Server
The PacketCable provisioning server is responsible for communicating the location of the MTA
configuration file to the MTA, and/or, provisioning MTA parameters via SNMP. SNMPv3 is used for all
communication between the MTA and the provisioning server. The keys used to initiate SNMPv3
communication are obtained by the MTA during its authentication phase with the KDC. Provisioning
server functionality is provided by the DPE in a BACC architecture.