Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1
Book-level PDFs are generated periodically and therefore may not reflect the latest updates to documentation as contained in the chapter-level HTML or PDF documents below. This book-level PDF was last generated on August 29, 2012.

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Cisco ONS 15454 Reference Manual
Product and Documentation Releases 9.1, 9.2 and 9.2.1
August 2012
Text Part Number: 78-19870-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco ONS 15454 Reference Manual, Release 9.1, 9.2 and 9.2.1
© 2007–2012 Cisco Systems, Inc.
All rights reserved.

Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01

CONTENTS

About this Manual xliii
  Revision History xliii
  Document Objectives xlv
  Audience xlv
  Related Documentation xlv
  Document Conventions xlvi
  Obtaining Optical Networking Information lii
  Where to Find Safety and Warning Information lii
  Cisco Optical Networking Product Documentation CD-ROM lii
  Obtaining Documentation and Submitting a Service Request liii
  Cisco ONS Documentation Roadmap for Release 9.2.1 lv

CHAPTER 1 Shelf and Backplane Hardware 1-1
  1.1 Overview 1-2
  1.2 Rack Installation 1-3
    1.2.1 Reversible Mounting Bracket 1-5
    1.2.2 Mounting a Single Node 1-5
    1.2.3 Mounting Multiple Nodes 1-6
    1.2.4 ONS 15454 Bay Assembly 1-6
  1.3 Front Door 1-6
  1.4 Backplane Covers 1-11
    1.4.1 Lower Backplane Cover 1-12
    1.4.2 Rear Cover 1-13
    1.4.3 Alarm Interface Panel 1-14
    1.4.4 Alarm Interface Panel Replacement 1-15
  1.5 Electrical Interface Assemblies 1-15
    1.5.1 EIA Installation 1-16
    1.5.2 EIA Configurations 1-16
    1.5.3 BNC EIA 1-18
      1.5.3.1 BNC Connectors 1-19
      1.5.3.2 BNC Insertion and Removal Tool 1-20
    1.5.4 High-Density BNC EIA 1-20
    1.5.5 MiniBNC EIA 1-21
      1.5.5.1 MiniBNC Connectors 1-22
      1.5.5.2 MiniBNC Insertion and Removal Tool 1-27
    1.5.6 SMB EIA 1-28
    1.5.7 AMP Champ EIA 1-29
    1.5.8 UBIC-V EIA 1-33
    1.5.9 UBIC-H EIA 1-34
    1.5.10 EIA Replacement 1-38
  1.6 Coaxial Cable 1-38
  1.7 DS-1 Cable 1-38
    1.7.1 Twisted Pair Wire-Wrap Cables 1-38
    1.7.2 Electrical Interface Adapters 1-39
  1.8 UBIC-V Cables 1-40
  1.9 UBIC-H Cables 1-45
  1.10 Ethernet Cables 1-51
  1.11 Cable Routing and Management 1-53
    1.11.1 Fiber Management 1-54
    1.11.2 Fiber Management Using the Tie-Down Bar 1-55
    1.11.3 Coaxial Cable Management 1-56
    1.11.4 DS-1 Twisted-Pair Cable Management 1-56
    1.11.5 AMP Champ Cable Management 1-56
  1.12 Alarm Expansion Panel 1-56
    1.12.1 Wire-Wrap and Pin Connections 1-57
  1.13 Filler Card 1-61
  1.14 Filler Plus Cards 1-62
  1.15 Fan-Tray Assembly 1-64
    1.15.1 Fan Tray Units for ONS 15454 Cards 1-65
    1.15.2 Fan Speed 1-67
    1.15.3 Fan Failure 1-67
    1.15.4 Air Filter 1-67
    1.15.5 Pilot Fuse 1-68
  1.16 Power and Ground Description 1-68
  1.17 Shelf Voltage and Temperature 1-69
  1.18 Alarm, Timing, LAN, and Craft Pin Connections 1-70
    1.18.1 Alarm Contact Connections 1-72
    1.18.2 Timing Connections 1-73
    1.18.3 LAN Connections 1-73
    1.18.4 TL1 Craft Interface Installation 1-74
  1.19 Cards and Slots 1-74
    1.19.1 Card Slot Requirements 1-75
    1.19.2 Card Replacement 1-79
  1.20 Software and Hardware Compatibility 1-79

CHAPTER 2 Common Control Cards 2-1
  2.1 Common Control Card Overview 2-1
    2.1.1 Cards Summary 2-1
    2.1.2 Card Compatibility 2-3
    2.1.3 Cross-Connect Card Compatibility 2-3
  2.2 TCC2 Card 2-7
    2.2.1 TCC2 Card Functionality 2-8
    2.2.2 TCC2 Card-Level Indicators 2-9
    2.2.3 Network-Level Indicators 2-10
    2.2.4 Power-Level Indicators 2-11
  2.3 TCC2P Card 2-11
    2.3.1 TCC2P Functionality 2-12
      2.3.1.1 System Timing Functions 2-13
    2.3.2 TCC2P Card-Level Indicators 2-14
    2.3.3 Network-Level Indicators 2-15
    2.3.4 Power-Level Indicators 2-16
  2.4 TCC3 Card 2-16
  2.5 XCVT Card 2-16
    2.5.1 XCVT Functionality 2-17
    2.5.2 VT Mapping 2-18
    2.5.3 XCVT Hosting DS3XM-6 or DS3XM-12 2-19
    2.5.4 XCVT Card-Level Indicators 2-19
  2.6 XC10G Card 2-20
    2.6.1 XC10G Functionality 2-21
    2.6.2 VT Mapping 2-22
    2.6.3 XC10G Hosting DS3XM-6 or DS3XM-12 2-23
    2.6.4 XC10G Card-Level Indicators 2-23
    2.6.5 XCVT/XC10G/XC-VXC-10G Compatibility 2-24
  2.7 XC-VXC-10G Card 2-24
    2.7.1 XC-VXC-10G Functionality 2-25
    2.7.2 VT Mapping 2-27
    2.7.3 XC-VXC-10G Hosting DS3XM-6 or DS3XM-12 2-28
    2.7.4 XC-VXC-10G Card-Level Indicators 2-28
    2.7.5 XC-VXC-10G Compatibility 2-29
  2.8 AIC-I Card 2-29
    2.8.1 AIC-I Card-Level Indicators 2-30
    2.8.2 External Alarms and Controls 2-31
    2.8.3 Orderwire 2-32
    2.8.4 Power Monitoring 2-33
    2.8.5 User Data Channel 2-33
    2.8.6 Data Communications Channel 2-34

CHAPTER 3 Electrical Cards 3-1
  3.1 Electrical Card Overview 3-1
    3.1.1 Card Summary 3-1
    3.1.2 Card Compatibility 3-3
  3.2 Bit Error Rate Testing 3-4
  3.3 EC1-12 Card 3-5
    3.3.1 EC1-12 Slots and Connectors 3-6
    3.3.2 EC1-12 Faceplate and Block Diagram 3-6
    3.3.3 EC1-12 Hosted by XCVT, XC10G, or XC-VXC-10G 3-7
    3.3.4 EC1-12 Card-Level Indicators 3-7
    3.3.5 EC1-12 Port-Level Indicators 3-7
  3.4 DS1-14 and DS1N-14 Cards 3-7
    3.4.1 DS1N-14 Features and Functions 3-8
    3.4.2 DS1-14 and DS1N-14 Slot Compatibility 3-8
    3.4.3 DS1-14 and DS1N-14 Faceplate and Block Diagram 3-8
    3.4.4 DS1-14 and DS1N-14 Hosted by XCVT, XC10G, or XC-VXC-10G 3-10
    3.4.5 DS1-14 and DS1N-14 Card-Level Indicators 3-10
    3.4.6 DS1-14 and DS1N-14 Port-Level Indicators 3-11
  3.5 DS1/E1-56 Card 3-11
    3.5.1 DS1/E1-56 Slots and Connectors 3-11
    3.5.2 DS1/E1-56 Faceplate and Block Diagram 3-12
    3.5.3 DS1/E1-56 Card-Level Indicators 3-13
    3.5.4 DS1/E1-56 Port-Level Indicators 3-14
  3.6 DS3-12 and DS3N-12 Cards 3-14
    3.6.1 DS3-12 and DS3N-12 Slots and Connectors 3-15
    3.6.2 DS3-12 and DS3N-12 Faceplate and Block Diagram 3-15
    3.6.3 DS3-12 and DS3N-12 Card-Level Indicators 3-16
    3.6.4 DS3-12 and DS3N-12 Port-Level Indicators 3-17
  3.7 DS3/EC1-48 Card 3-17
    3.7.1 DS3/EC1-48 Slots and Connectors 3-17
    3.7.2 DS3/EC1-48 Faceplate and Block Diagram 3-18
    3.7.3 DS3/EC1-48 Card-Level Indicators 3-19
    3.7.4 DS3/EC1-48 Port-Level Indicators 3-20
  3.8 DS3i-N-12 Card 3-20
    3.8.1 DS3i-N-12 Slots and Connectors 3-20
    3.8.2 DS3i-N-12 Card-Level Indicators 3-22
    3.8.3 DS3i-N-12 Port-Level Indicators 3-22
  3.9 DS3-12E and DS3N-12E Cards 3-22
    3.9.1 DS3-12E and DS3N-12E Slots and Connectors 3-23
    3.9.2 DS3-12E Faceplate and Block Diagram 3-23
    3.9.3 DS3-12E and DS3N-12E Card-Level Indicators 3-25
    3.9.4 DS3-12E and DS3N-12E Port-Level Indicators 3-26
  3.10 DS3XM-6 Card 3-26
    3.10.1 DS3XM-6 Slots and Connectors 3-26
    3.10.2 DS3XM-6 Faceplate and Block Diagram 3-26
    3.10.3 DS3XM-6 Hosted By XCVT, XC10G, or XC-VXC-10G 3-27
    3.10.4 DS3XM-6 Card-Level Indicators 3-27
    3.10.5 DS3XM-6 Port-Level Indicators 3-28
  3.11 DS3XM-12 Card 3-28
    3.11.1 Backplane Configurations 3-28
    3.11.2 Ported Mode 3-29
    3.11.3 Portless Mode 3-29
    3.11.4 Shelf Configurations 3-29
    3.11.5 Protection Modes 3-30
    3.11.6 Card Features 3-30
    3.11.7 DS3XM-12 Slots and Connectors 3-31
    3.11.8 DS3XM-12 Faceplate and Block Diagram 3-31
    3.11.9 DS3XM-12 Card-Level Indicators 3-32
    3.11.10 DS3XM-12 Port-Level Indicators 3-33
  3.12 Interoperability Rules for Electrical Cards 3-33
    3.12.1 Half Shelf Compatibility 3-33
    3.12.2 Slot Compatibility 3-34

CHAPTER 4 Optical Cards 4-1
  4.1 Optical Card Overview 4-2
    4.1.1 Card Summary 4-2
    4.1.2 Card Compatibility 4-4
  4.2 OC3 IR 4/STM1 SH 1310 Card 4-6
    4.2.1 OC3 IR 4/STM1 SH 1310 Card-Level Indicators 4-7
    4.2.2 OC3 IR 4/STM1 SH 1310 Port-Level Indicators 4-8
  4.3 OC3 IR/STM1 SH 1310-8 Card 4-8
    4.3.1 OC3 IR/STM1 SH 1310-8 Card-Level Indicators 4-10
    4.3.2 OC3 IR/STM1 SH 1310-8 Port-Level Indicators 4-10
  4.4 OC12 IR/STM4 SH 1310 Card 4-10
    4.4.1 OC12 IR/STM4 SH 1310 Card-Level Indicators 4-11
    4.4.2 OC12 IR/STM4 SH 1310 Port-Level Indicators 4-12
  4.5 OC12 LR/STM4 LH 1310 Card 4-12
    4.5.1 OC12 LR/STM4 LH 1310 Card-Level Indicators 4-13
    4.5.2 OC12 LR/STM4 LH 1310 Port-Level Indicators 4-14
  4.6 OC12 LR/STM4 LH 1550 Card 4-14
    4.6.1 OC12 LR/STM4 LH 1550 Card-Level Indicators 4-15
    4.6.2 OC12 LR/STM4 LH 1550 Port-Level Indicators 4-16
  4.7 OC12 IR/STM4 SH 1310-4 Card 4-16
    4.7.1 OC12 IR/STM4 SH 1310-4 Card-Level Indicators 4-18
    4.7.2 OC12 IR/STM4 SH 1310-4 Port-Level Indicators 4-18
  4.8 OC48 IR 1310 Card 4-18
    4.8.1 OC48 IR 1310 Card-Level Indicators 4-19
    4.8.2 OC48 IR 1310 Port-Level Indicators 4-20
  4.9 OC48 LR 1550 Card 4-20
    4.9.1 OC48 LR 1550 Card-Level Indicators 4-21
    4.9.2 OC48 LR 1550 Port-Level Indicators 4-22
  4.10 OC48 IR/STM16 SH AS 1310 Card 4-22
    4.10.1 OC48 IR/STM16 SH AS 1310 Card-Level Indicators 4-23
    4.10.2 OC48 IR/STM16 SH AS 1310 Port-Level Indicators 4-24
  4.11 OC48 LR/STM16 LH AS 1550 Card 4-24
    4.11.1 OC48 LR/STM16 LH AS 1550 Card-Level Indicators 4-25
    4.11.2 OC48 LR/STM16 LH AS 1550 Port-Level Indicators 4-26
  4.12 OC48 ELR/STM16 EH 100 GHz Cards 4-26
    4.12.1 OC48 ELR 100 GHz Card-Level Indicators 4-28
    4.12.2 OC48 ELR 100 GHz Port-Level Indicators 4-28
  4.13 OC48 ELR 200 GHz Cards 4-28
    4.13.1 OC48 ELR 200 GHz Card-Level Indicators 4-30
    4.13.2 OC48 ELR 200 GHz Port-Level Indicators 4-30
  4.14 OC192 SR/STM64 IO 1310 Card 4-30
    4.14.1 OC192 SR/STM64 IO 1310 Card-Level Indicators 4-31
    4.14.2 OC192 SR/STM64 IO 1310 Port-Level Indicators 4-32
  4.15 OC192 IR/STM64 SH 1550 Card 4-32
    4.15.1 OC192 IR/STM64 SH 1550 Card-Level Indicators 4-33
    4.15.2 OC192 IR/STM64 SH 1550 Port-Level Indicators 4-34
  4.16 OC192 LR/STM64 LH 1550 Card 4-34
    4.16.1 OC192 LR/STM64 LH 1550 Card-Level Indicators 4-39
    4.16.2 OC192 LR/STM64 LH 1550 Port-Level Indicators 4-39
  4.17 OC192 LR/STM64 LH ITU 15xx.xx Card 4-39
    4.17.1 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators 4-41
    4.17.2 OC192 LR/STM64 LH ITU 15xx.xx Port-Level Indicators 4-42
  4.18 15454_MRC-12 Multirate Card 4-42
    4.18.1 Slot Compatibility by Cross-Connect Card 4-43
    4.18.2 Ports and Line Rates 4-44
    4.18.3 15454_MRC-12 Card-Level Indicators 4-46
    4.18.4 15454_MRC-12 Port-Level Indicators 4-47
  4.19 MRC-2.5G-4 Multirate Card 4-47
    4.19.1 Slot Compatibility by Cross-Connect Card 4-49
    4.19.2 Ports and Line Rates 4-49
    4.19.3 MRC-2.5G-4 Card-Level Indicators 4-50
    4.19.4 MRC-2.5G-4 Port-Level Indicators 4-50
  4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards 4-51
    4.20.1 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators 4-53
    4.20.2 OC192SR1/STM64IO Short Reach and OC-192/STM-64 Any Reach Port-Level Indicators 4-53
  4.21 Optical Card SFPs and XFPs 4-53
    4.21.1 Compatibility by Card 4-53
    4.21.2 SFP Description 4-55
    4.21.3 XFP Description 4-56
    4.21.4 PPM Provisioning 4-57

CHAPTER 5 Ethernet Cards 5-1
  5.1 Ethernet Card Overview 5-2
    5.1.1 Ethernet Cards 5-2
    5.1.2 Card Compatibility 5-3
  5.2 E100T-12 Card 5-4
    5.2.1 Slot Compatibility 5-5
    5.2.2 E100T-12 Card-Level Indicators 5-6
    5.2.3 E100T-12 Port-Level Indicators 5-6
    5.2.4 Cross-Connect Compatibility 5-6
  5.3 E100T-G Card 5-6
    5.3.1 Slot Compatibility 5-8
    5.3.2 E100T-G Card-Level Indicators 5-8
    5.3.3 E100T-G Port-Level Indicators 5-8
    5.3.4 Cross-Connect Compatibility 5-8
  5.4 E1000-2 Card 5-9
    5.4.1 Slot Compatibility 5-10
    5.4.2 E1000-2 Card-Level Indicators 5-10
    5.4.3 E1000-2 Port-Level Indicators 5-10
    5.4.4 Cross-Connect Compatibility 5-11
  5.5 E1000-2-G Card 5-11
    5.5.1 E1000-2-G Card-Level Indicators 5-13
    5.5.2 E1000-2-G Port-Level Indicators 5-13
    5.5.3 Cross-Connect Compatibility 5-13
  5.6 G1K-4 Card 5-14
    5.6.1 STS-24c Restriction 5-15
    5.6.2 G1K-4 Compatibility 5-15
    5.6.3 G1K-4 Card-Level Indicators 5-15
    5.6.4 G1K-4 Port-Level Indicators 5-16
  5.7 ML100T-12 Card 5-16
    5.7.1 ML100T-12 Card-Level Indicators 5-17
    5.7.2 ML100T-12 Port-Level Indicators 5-18
    5.7.3 Cross-Connect and Slot Compatibility 5-18
  5.8 ML100X-8 Card 5-18
    5.8.1 ML100X-8 Card-Level Indicators 5-20
    5.8.2 ML100X-8 Port-Level Indicators 5-20
    5.8.3 Cross-Connect and Slot Compatibility 5-20
  5.9 ML1000-2 Card 5-20
    5.9.1 ML1000-2 Card-Level Indicators 5-22
    5.9.2 ML1000-2 Port-Level Indicators 5-22
    5.9.3 Cross-Connect and Slot Compatibility 5-22
  5.10 ML-MR-10 Card 5-22
    5.10.1 ML-MR-10 Card-Level Indicators 5-24
    5.10.2 ML-MR-10 Port-Level Indicators 5-24
    5.10.3 Cross-Connect and Slot Compatibility 5-25
    5.10.4 ML-MR-10 Card-Differential Delay 5-25
  5.11 CE-100T-8 Card 5-25
    5.11.1 CE-100T-8 Card-Level Indicators 5-27
    5.11.2 CE-100T-8 Port-Level Indicators 5-27
    5.11.3 Cross-Connect and Slot Compatibility 5-27
  5.12 CE-1000-4 Card 5-27
    5.12.1 CE-1000-4 Card-Level Indicators 5-29
    5.12.2 CE-1000-4 Port-Level Indicators 5-30
    5.12.3 Cross-Connect and Slot Compatibility 5-30
  5.13 CE-MR-10 Card 5-30
    5.13.1 CE-MR-10 Card-Level Indicators 5-32
    5.13.2 CE-MR-10 Port-Level Indicators 5-33
    5.13.3 Cross-Connect and Slot Compatibility 5-33
    5.13.4 CE-MR-10 Card-Differential Delay 5-33
  5.14 Ethernet Card GBICs and SFPs 5-34
    5.14.1 Compatibility by Card 5-34
    5.14.2 Speed-Duplex Combinations on SFPs 5-35
    5.14.3 GBIC Description 5-37
    5.14.4 G1K-4 DWDM and CWDM GBICs 5-38
    5.14.5 SFP Description 5-39

CHAPTER 6 Storage Access Networking Cards 6-1
  6.1 FC_MR-4 Card Overview 6-1
    6.1.1 FC_MR-4 Card-Level Indicators 6-3
    6.1.2 FC_MR-4 Port-Level Indicators 6-4
    6.1.3 FC_MR-4 Compatibility 6-4
  6.2 FC_MR-4 Card Modes 6-4
    6.2.1 Line-Rate Card Mode 6-4
    6.2.2 Enhanced Card Mode 6-5
      6.2.2.1 Mapping 6-5
      6.2.2.2 SW-LCAS 6-5
      6.2.2.3 Distance Extension 6-5
      6.2.2.4 Differential Delay Features 6-6
      6.2.2.5 Interoperability Features 6-6
    6.2.3 Link Integrity 6-7
    6.2.4 Link Recovery 6-7
  6.3 FC_MR-4 Card Application 6-7
  6.4 FC_MR-4 Card GBICs and SFPs 6-8

CHAPTER 7 Card Protection 7-1
  7.1 Electrical Card Protection 7-1
    7.1.1 1:1 Protection 7-2
    7.1.2 1:N Protection 7-3
      7.1.2.1 Revertive Switching 7-4
      7.1.2.2 1:N Protection Guidelines 7-4
  7.2 Electrical Card Protection and the Backplane 7-5
    7.2.1 Standard BNC Protection 7-11
    7.2.2 High-Density BNC Protection 7-11
    7.2.3 MiniBNC Protection 7-12
    7.2.4 SMB Protection 7-12
    7.2.5 AMP Champ Protection 7-12
    7.2.6 UBIC Protection 7-12
  7.3 OC-N Card Protection 7-13
    7.3.1 1+1 Protection 7-13
    7.3.2 Optimized 1+1 Protection 7-13
  7.4 Unprotected Cards 7-14
  7.5 External Switching Commands 7-14

CHAPTER 8 Cisco Transport Controller Operation 8-1
  8.1 CTC Software Delivery Methods 8-1
    8.1.1 CTC Software Installed on the TCC2/TCC2P Card 8-1
    8.1.2 CTC Software Installed on the PC or UNIX Workstation 8-3
  8.2 CTC Installation Overview 8-4
  8.3 PC and UNIX Workstation Requirements 8-4
  8.4 ONS 15454 Connection 8-7
  8.5 CTC Login 8-8
    8.5.1 Legal Disclaimer 8-9
    8.5.2 Login Node Group 8-9
  8.6 CTC Window 8-9
    8.6.1 Node View 8-10
      8.6.1.1 CTC Card Colors 8-10
      8.6.1.2 Node View Card Shortcuts 8-12
      8.6.1.3 Node View Tabs 8-12
    8.6.2 Network View 8-13
      8.6.2.1 Network View Tabs 8-14
      8.6.2.2 CTC Node Colors 8-15
      8.6.2.3 DCC Links 8-15
      8.6.2.4 Link Consolidation 8-16
    8.6.3 Card View 8-16
    8.6.4 Print or Export CTC Data 8-18
  8.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes 8-19
  8.8 TCC2/TCC2P Card Reset 8-22
  8.9 TCC2/TCC2P Card Database 8-22
  8.10 Software Revert 8-23

CHAPTER 9 Security 9-1
  9.1 User IDs and Security Levels 9-1
  9.2 User Privileges and Policies 9-1
    9.2.1 User Privileges by CTC Action 9-2
    9.2.2 Security Policies 9-7
      9.2.2.1 Superuser Privileges for Provisioning Users 9-7
      9.2.2.2 Idle User Timeout 9-8
      9.2.2.3 User Password, Login, and Access Policies 9-8
      9.2.2.4 Secure Access 9-8
  9.3 Audit Trail 9-9
    9.3.1 Audit Trail Log Entries 9-9
    9.3.2 Audit Trail Capacities 9-10
  9.4 RADIUS Security 9-10
    9.4.1 RADIUS Authentication 9-10
    9.4.2 Shared Secrets 9-10

CHAPTER 10 Timing 10-1
  10.1 Timing Parameters 10-1
  10.2 Network Timing 10-2
  10.3 Synchronization Status Messaging 10-3
    10.3.1 SONET SSM Messages 10-3
    10.3.2 SDH SSM Messages 10-4

CHAPTER 11 SONET Topologies and Upgrades 11-1
  11.1 SONET Rings and TCC2/TCC2P Cards 11-1
  11.2 Bidirectional Line Switched Rings 11-2
    11.2.1 Two-Fiber BLSRs 11-2
    11.2.2 Four-Fiber BLSRs 11-5
    11.2.3 BLSR Bandwidth 11-8
    11.2.4 BLSR Application Example 11-9
    11.2.5 BLSR Fiber Connections 11-12
  11.3 Path Protection 11-13
  11.4 Dual-Ring Interconnect 11-18
    11.4.1 BLSR DRI 11-18
    11.4.2 Path Protection DRI 11-22
    11.4.3 Path Protection/BLSR DRI Handoff Configurations 11-25
  11.5 Comparison of the Protection Schemes 11-27
  11.6 Subtending Rings 11-28
  11.7 Linear ADM Configurations 11-30
  11.8 Path-Protected Mesh Networks 11-30
  11.9 Four-Shelf Node Configurations 11-32
  11.10 STS around the Ring 11-33
  11.11 OC-N Speed Upgrades 11-34
    11.11.1 Span Upgrade Wizard 11-37
    11.11.2 Manual Span Upgrades 11-37
    11.11.3 In-Service MRC Card Upgrades 11-37
      11.11.3.1 MRC-12 Multirate Card 11-38
      11.11.3.2 MRC-2.5G-4 Multirate Card 11-39
  11.12 In-Service Topology Upgrades 11-40
    11.12.1 Unprotected Point-to-Point or Linear ADM to Path Protection 11-41
    11.12.2 Point-to-Point or Linear ADM to Two-Fiber BLSR 11-42
    11.12.3 Path Protection to Two-Fiber BLSR 11-42
    11.12.4 Two-Fiber BLSR to Four-Fiber BLSR 11-43
    11.12.5 Add or Remove a Node from a Topology 11-43
  11.13 Overlay Ring Circuits 11-43

CHAPTER 12 Circuits and Tunnels 12-1
  12.1 Overview 12-2
  12.2 Circuit Properties 12-2
    12.2.1 Concatenated STS Time Slot Assignments 12-4
    12.2.2 Circuit Status 12-6
    12.2.3 Circuit States 12-7
    12.2.4 Circuit Protection Types 12-9
    12.2.5 Circuit Information in the Edit Circuit Window 12-10
  12.3 Cross-Connect Card Bandwidth 12-12
  12.4 Portless Transmux 12-15
  12.5 DCC Tunnels 12-16
    12.5.1 Traditional DCC Tunnels 12-17
    12.5.2 IP-Encapsulated Tunnels 12-18
  12.6 SDH Tunneling 12-18
  12.7 Multiple Destinations for Unidirectional Circuits 12-18
  12.8 Monitor Circuits 12-18
    12.8.1 Monitor Circuits Using Portless Ports as a Source on DS3XM-12 12-19
  12.9 Path Protection Circuits 12-19
    12.9.1 Open-Ended Path Protection Circuits 12-20
    12.9.2 Go-and-Return Path Protection Routing 12-21
  12.10 BLSR Protection Channel Access Circuits 12-21
  12.11 BLSR STS and VT Squelch Tables 12-22
    12.11.1 BLSR STS Squelch Table 12-22
    12.11.2 BLSR VT Squelch Table 12-23
  12.12 IEEE 802.17 Resilient Packet Ring Circuit Display 12-23
  12.13 Section and Path Trace 12-24
  12.14 Path Signal Label, C2 Byte 12-25
  12.15 Automatic Circuit Routing 12-27
    12.15.1 Bandwidth Allocation and Routing 12-28
    12.15.2 Secondary Sources and Destinations 12-28
  12.16 Manual Circuit Routing 12-29
  12.17 Constraint-Based Circuit Routing 12-33
  12.18 Virtual Concatenated Circuits 12-34
    12.18.1 VCAT Circuit States 12-34
    12.18.2 VCAT Member Routing 12-34
    12.18.3 Link Capacity Adjustment 12-36
    12.18.4 VCAT Circuit Size 12-37
    12.18.5 Open-Ended VCAT 12-38
  12.19 Bridge and Roll 12-39
    12.19.1 Rolls Window 12-39
    12.19.2 Roll Status 12-41
    12.19.3 Single and Dual Rolls 12-42
    12.19.4 Two Circuit Bridge and Roll 12-44
    12.19.5 Protected Circuits 12-45
  12.20 Merged Circuits 12-45
  12.21 Reconfigured Circuits 12-46
  12.22 VLAN Management 12-46
  12.23 Server Trails 12-46
    12.23.1 Server Trail Protection Types 12-47
    12.23.2 VCAT Circuit Routing over Server Trails 12-47
      12.23.2.1 Shared Resource Link Group 12-48

CHAPTER 13 Alarm Monitoring and Management 13-1
  13.1 Overview 13-1
  13.2 LCD Alarm Counts 13-1
  13.3 Alarm Information 13-2
    13.3.1 Viewing Alarms With Each Node’s Time Zone 13-4
    13.3.2 Controlling Alarm Display 13-4
    13.3.3 Filtering Alarms 13-4
    13.3.4 Viewing Alarm-Affected Circuits 13-5
    13.3.5 Conditions Tab 13-5
    13.3.6 Controlling the Conditions Display 13-6
      13.3.6.1 Retrieving and Displaying Conditions 13-6
      13.3.6.2 Conditions Column Descriptions 13-6
      13.3.6.3 Filtering Conditions 13-7
    13.3.7 Viewing History 13-7
      13.3.7.1 History Column Descriptions 13-8
      13.3.7.2 Retrieving and Displaying Alarm and Condition History 13-8
    13.3.8 Alarm History and Log Buffer Capacities 13-9
  13.4 Alarm Severities 13-9
  13.5 Alarm Profiles 13-9
    13.5.1 Creating and Modifying Alarm Profiles 13-10
    13.5.2 Alarm Profile Buttons 13-11
    13.5.3 Alarm Profile Editing 13-12
    13.5.4 Alarm Severity Options 13-12
    13.5.5 Row Display Options 13-12
    13.5.6 Applying Alarm Profiles 13-13
  13.6 Alarm Suppression 13-13
    13.6.1 Alarms Suppressed for Maintenance 13-13
    13.6.2 Alarms Suppressed by User Command 13-14
  13.7 External Alarms and Controls 13-14
    13.7.1 External Alarms 13-14
    13.7.2 User Defined Alarm Types 13-15
    13.7.3 External Controls 13-15

CHAPTER 14 Management Network Connectivity 14-1
  14.1 IP Networking Overview 14-2
  14.2 IP Addressing Scenarios 14-2
    14.2.1 IP Scenario 1: CTC and ONS 15454s on Same Subnet 14-3
    14.2.2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router 14-3
    14.2.3 IP Scenario 3: Using Proxy ARP to Enable an ONS 15454 Gateway 14-4
    14.2.4 IP Scenario 4: Default Gateway on a CTC Computer 14-6
    14.2.5 IP Scenario 5: Using Static Routes to Connect to LANs 14-7
    14.2.6 IP Scenario 6: Using OSPF 14-10
    14.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server 14-12
    14.2.8 IP Scenario 8: Dual GNEs on a Subnet 14-18
    14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled 14-20
      14.2.9.1 Secure Mode Behavior 14-20
      14.2.9.2 Secure Node Locked and Unlocked Behavior 14-23
  14.3 Routing Table 14-24
  14.4 External Firewalls 14-25
  14.5 Open GNE 14-27
  14.6 TCP/IP and OSI Networking 14-29
    14.6.1 Point-to-Point Protocol 14-30
    14.6.2 Link Access Protocol on the D Channel 14-31
    14.6.3 OSI Connectionless Network Service 14-31
    14.6.4 OSI Routing 14-34
      14.6.4.1 End System-to-Intermediate System Protocol 14-36
      14.6.4.2 Intermediate System-to-Intermediate System Protocol 14-36
    14.6.5 TARP 14-37
      14.6.5.1 TARP Processing 14-38
      14.6.5.2 TARP Loop Detection Buffer 14-39
      14.6.5.3 Manual TARP Adjacencies 14-39
      14.6.5.4 Manual TID to NSAP Provisioning 14-40
    14.6.6 TCP/IP and OSI Mediation 14-40
    14.6.7 OSI Virtual Routers 14-41
    14.6.8 IP-over-CLNS Tunnels 14-43
      14.6.8.1 Provisioning IP-over-CLNS Tunnels 14-44
      14.6.8.2 IP-over-CLNS Tunnel Scenario 1: ONS Node to Other Vendor GNE 14-45
      14.6.8.3 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router 14-46
      14.6.8.4 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN 14-47
    14.6.9 OSI/IP Networking Scenarios 14-49
      14.6.9.1 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE 14-50
      14.6.9.2 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-50
      14.6.9.3 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE 14-52
      14.6.9.4 OSI/IP Scenario 4: Multiple ONS DCC Areas 14-54
      14.6.9.5 OSI/IP Scenario 5: GNE Without an OSI DCC Connection 14-55
      14.6.9.6 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-56
      14.6.9.7 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs 14-57
      14.6.9.8 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs 14-59
    14.6.10 Provisioning OSI in CTC 14-61
  14.7 IPv6 Network Compatibility 14-62
  14.8 IPv6 Native Support 14-62
    14.8.1 IPv6 Enabled Mode 14-63
    14.8.2 IPv6 Disabled Mode 14-63
    14.8.3 IPv6 in Non-secure Mode 14-63
    14.8.4 IPv6 in Secure Mode 14-64
    14.8.5 IPv6 Limitations 14-64
  14.9 FTP Support for ENE Database Backup 14-64

CHAPTER 15 Performance Monitoring 15-1
  15.1 Threshold Performance Monitoring 15-2
  15.2 Intermediate Path Performance Monitoring 15-3
  15.3 Pointer Justification Count Performance Monitoring 15-4
  15.4 Performance Monitoring Parameter Definitions 15-5
  15.5 Performance Monitoring for Electrical Cards 15-12
    15.5.1 EC1-12 Card Performance Monitoring Parameters 15-12
    15.5.2 DS1/E1-56 Card Performance Monitoring Parameters 15-14
    15.5.3 DS1-14 and DS1N-14 Card Performance Monitoring Parameters 15-16
      15.5.3.1 DS-1 Facility Data Link Performance Monitoring 15-18
    15.5.4 DS3-12 and DS3N-12 Card Performance Monitoring Parameters 15-18
    15.5.5 DS3-12E and DS3N-12E Card Performance Monitoring Parameters 15-19
    15.5.6 DS3i-N-12 Card Performance Monitoring Parameters 15-21
    15.5.7 DS3XM-6 Card Performance Monitoring Parameters 15-23
    15.5.8 DS3XM-12 Card Performance Monitoring Parameters 15-25
    15.5.9 DS3/EC1-48 Card Performance Monitoring Parameters 15-27
  15.6 Performance Monitoring for Ethernet Cards 15-29
    15.6.1 E-Series Ethernet Card Performance Monitoring Parameters 15-29
      15.6.1.1 E-Series Ethernet Statistics Window 15-29
      15.6.1.2 E-Series Ethernet Utilization Window 15-31
      15.6.1.3 E-Series Ethernet History Window 15-31
    15.6.2 G-Series Ethernet Card Performance Monitoring Parameters 15-32
      15.6.2.1 G-Series Ethernet Statistics Window 15-32
      15.6.2.2 G-Series Ethernet Utilization Window 15-33
      15.6.2.3 G-Series Ethernet History Window 15-34
    15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters 15-34
      15.6.3.1 ML-Series Ether Ports Statistics Window 15-34
      15.6.3.2 ML-Series Card Ether Ports Utilization Window 15-36
      15.6.3.3 ML-Series Card Ether Ports History Window 15-37
      15.6.3.4 ML-Series POS Ports Window 15-37
      15.6.3.5 ML-Series RPR Span Window 15-38
    15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters 15-43
      15.6.4.1 CE-Series Card Ether Port Statistics Window 15-44
      15.6.4.2 CE-Series Card Ether Ports Utilization Window 15-47
      15.6.4.3 CE-Series Card Ether Ports History Window 15-47
      15.6.4.4 CE-Series Card POS Ports Statistics Parameters 15-47
      15.6.4.5 CE-Series Card POS Ports Utilization Window 15-48
      15.6.4.6 CE-Series Card POS Ports History Window 15-49
  15.7 Performance Monitoring for Optical Cards 15-49
  15.8 Performance Monitoring for Optical Multirate Cards 15-52
  15.9 Performance Monitoring for Storage Access Networking Cards 15-53
    15.9.1 FC_MR-4 Statistics Window 15-53
    15.9.2 FC_MR-4 Utilization Window 15-55
    15.9.3 FC_MR-4 History Window 15-56

CHAPTER 16 SNMP 16-1
  16.1 SNMP Overview 16-1
  16.2 Basic SNMP Components 16-2
  16.3 SNMP External Interface Requirement 16-4
  16.4 SNMP Version Support 16-4
    16.4.1 SNMPv3 Support 16-4
  16.5 SNMP Message Types 16-5
  16.6 SNMP Management Information Bases 16-5
    16.6.1 IETF-Standard MIBs for the ONS 15454 16-6
    16.6.2 Proprietary ONS 15454 MIBs 16-7
    16.6.3 Generic Threshold and Performance Monitoring MIBs 16-11
  16.7 SNMP Trap Content 16-13
    16.7.1 Generic and IETF Traps 16-14
    16.7.2 Variable Trap Bindings 16-14
  16.8 SNMPv1/v2 Community Names 16-21
  16.9 SNMPv1/v2 Proxy Over Firewalls 16-21
  16.10 SNMPv3 Proxy Configuration 16-21
  16.11 Remote Monitoring 16-22
    16.11.1 64-Bit RMON Monitoring over DCC 16-23
      16.11.1.1 Row Creation in MediaIndependentTable 16-23
      16.11.1.2 Row Creation in cMediaIndependentHistoryControlTable 16-23
    16.11.2 HC-RMON-MIB Support 16-24
    16.11.3 Ethernet Statistics RMON Group 16-24
      16.11.3.1 Row Creation in etherStatsTable 16-24
      16.11.3.2 Get Requests and GetNext Requests 16-24
      16.11.3.3 Row Deletion in etherStatsTable 16-24
      16.11.3.4 64-Bit etherStatsHighCapacityTable 16-25
    16.11.4 History Control RMON Group 16-25
      16.11.4.1 History Control Table 16-25
      16.11.4.2 Row Creation in historyControlTable 16-25
      16.11.4.3 Get Requests and GetNext Requests 16-26
      16.11.4.4 Row Deletion in historyControlTable 16-26
    16.11.5 Ethernet History RMON Group 16-26
      16.11.5.1 64-Bit etherHistoryHighCapacityTable 16-26
    16.11.6 Alarm RMON Group 16-26
      16.11.6.1 Alarm Table 16-26
      16.11.6.2 Row Creation in alarmTable 16-26
      16.11.6.3 Get Requests and GetNext Requests 16-28
      16.11.6.4 Row Deletion in alarmTable 16-28
    16.11.7 Event RMON Group 16-28
      16.11.7.1 Event Table 16-28
      16.11.7.2 Log Table 16-29

APPENDIX A Hardware Specifications A-1
  A.1 Shelf Specifications A-1
    A.1.1 Bandwidth A-1
    A.1.2 Configurations A-2
    A.1.3 Cisco Transport Controller A-2
    A.1.4 External LAN Interface A-2
    A.1.5 TL1 Craft Interface A-2
    A.1.6 Modem Interface A-2
    A.1.7 Alarm Interface A-3
    A.1.8 EIA Interface A-3
    A.1.9 BITS Interface A-3
    A.1.10 System Timing A-3
    A.1.11 System Power A-3
    A.1.12 Fan Tray A-4
    A.1.13 System Environmental Specifications A-4
    A.1.14 Dimensions A-4
  A.2 SFP, XFP, and GBIC Specifications A-5
  A.3 General Card Specifications A-7
    A.3.1 Power A-7
    A.3.2 Temperature A-10
  A.4 Common Control Card Specifications A-12
    A.4.1 TCC2 Card Specifications A-12
    A.4.2 TCC2P Card Specifications A-13
    A.4.3 XCVT Card Specifications A-14
    A.4.4 XC10G Card Specifications A-14
    A.4.5 XC-VXC-10G Card Specifications A-15
    A.4.6 AIC-I Card Specifications A-15
    A.4.7 AEP Specifications A-16
  A.5 Electrical Card Specifications A-17
    A.5.1 EC1-12 Card Specifications A-17
    A.5.2 DS1-14 and DS1N-14 Card Specifications A-18
    A.5.3 DS1/E1-56 Card Specifications A-19
    A.5.4 DS3/EC1-48 Card Specifications A-21
    A.5.5 DS3-12 and DS3N-12 Card Specifications A-22
    A.5.6 DS3i-N-12 Card Specifications A-23
    A.5.7 DS3-12E and DS3N-12E Card Specifications A-24
    A.5.8 DS3XM-12 Card Specifications A-25
    A.5.9 DS3XM-6 Card Specifications A-26
    A.5.10 FILLER Card Specifications A-27
  A.6 Optical Card Specifications A-28
    A.6.1 OC3 IR 4/STM1 SH 1310 Card Specifications A-28
    A.6.2 OC3 IR/STM1 SH 1310-8 Card Specifications A-29
    A.6.3 OC12 IR/STM4 SH 1310 Card Specifications A-30
    A.6.4 OC12 LR/STM4 LH 1310 Card Specifications A-31
    A.6.5 OC12 LR/STM4 LH 1550 Card Specifications A-32
    A.6.6 OC12 IR/STM4 SH 1310-4 Specifications A-33
    A.6.7 OC48 IR 1310 Card Specifications A-34
    A.6.8 OC48 LR 1550 Card Specifications A-35
    A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications A-36
    A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications A-37
    A.6.11 OC48 ELR/STM16 EH 100 GHz Card Specifications A-38
    A.6.12 OC48 ELR 200 GHz Card Specifications A-38
    A.6.13 OC192 SR/STM64 IO 1310 Card Specifications A-39
    A.6.14 OC192 IR/STM64 SH 1550 Card Specifications A-40
    A.6.15 OC192 LR/STM64 LH 1550 Card Specifications A-41
    A.6.16 OC192 LR/STM64 LH ITU 15xx.xx Card Specifications A-43
    A.6.17 15454_MRC-12 Card Specifications A-44
    A.6.18 MRC-2.5G-4 Card Specifications A-46
    A.6.19
OC192SR1/STM64IO Short Reach Card Specifications A-47 A.6.20 OC192/STM64 Any Reach Card Specifications A-48 A.7 Ethernet Card Specifications A-49Contents xxii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 A.7.1 E100T-12 Card Specifications A-49 A.7.2 E100T-G Card Specifications A-49 A.7.3 E1000-2 Card Specifications A-49 A.7.4 E1000-2-G Card Specifications A-50 A.7.5 CE-1000-4 Card Specifications A-50 A.7.6 CE-100T-8 Card Specifications A-51 A.7.7 CE-MR-10 Card Specifications A-51 A.7.8 G1K-4 Card Specifications A-51 A.7.9 ML100T-12 Card Specifications A-52 A.7.10 ML1000-2 Card Specifications A-52 A.7.11 ML100X-8 Card Specifications A-53 A.7.12 ML-MR-10 Card Specifications A-53 A.8 Storage Access Networking Card Specifications A-53 APPENDIX B Administrative and Service States B-1 B.1 Service States B-1 B.2 Administrative States B-2 B.3 Service State Transitions B-3 B.3.1 Card Service State Transitions B-3 B.3.2 Port and Cross-Connect Service State Transitions B-5 B.3.3 Pluggable Equipment Service State Transitions B-10 APPENDIX C Network Element Defaults C-1 C.1 Network Element Defaults Description C-1 C.2 Card Default Settings C-2 C.2.1 Configuration Defaults C-2 C.2.2 Threshold Defaults C-3 C.2.3 Defaults by Card C-4 C.2.3.1 DS-1 Card Default Settings C-4 C.2.3.2 DS1/E1-56 Card Default Settings C-7 C.2.3.3 DS-3 Card Default Settings C-13 C.2.3.4 DS3/EC1-48 Card Default Settings C-14 C.2.3.5 DS3E Card Default Settings C-19 C.2.3.6 DS3I Card Default Settings C-21 C.2.3.7 DS3XM-6 Card Default Settings C-23 C.2.3.8 DS3XM-12 Card Default Settings C-26 C.2.3.9 EC1-12 Card Default Settings C-30 C.2.3.10 FC_MR-4 Card Default Settings C-32 C.2.3.11 Ethernet Card Default Settings C-33Contents xxiii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 C.2.3.12 OC-3 Card Default Settings C-35 C.2.3.13 OC3-8 Card Default Settings C-38 C.2.3.14 OC-12 Card Default Settings C-42 C.2.3.15 OC12-4 Card Default Settings C-45 
C.2.3.16 OC-48 Card Default Settings C-49 C.2.3.17 OC-192 Card Default Settings C-54 C.2.3.18 OC192-XFP Default Settings C-59 C.2.3.19 MRC-12 Card Default Settings C-65 C.2.3.20 MRC-2.5G-4 Card Default Settings C-82 C.3 Node Default Settings C-99 C.3.1 Time Zones C-116 C.4 CTC Default Settings C-119 INDEXContents xxiv Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01FIGURES xxv Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 1-1 Optical Fiber With Exposed Ferrule 1-3 Figure 1-2 Optical Fiber Without Exposed Ferrule 1-3 Figure 1-3 Cisco ONS 15454 ANSI Dimensions 1-4 Figure 1-4 Mounting an ONS 15454 in a Rack 1-5 Figure 1-5 The ONS 15454 Front Door 1-7 Figure 1-6 Cisco ONS 15454 Deep Door 1-8 Figure 1-7 ONS 15454 Front Door Ground Strap 1-9 Figure 1-8 Removing the ONS 15454 Front Door 1-10 Figure 1-9 Front-Door Erasable Label 1-11 Figure 1-10 Laser Warning on the Front-Door Label 1-11 Figure 1-11 Backplane Covers 1-12 Figure 1-12 Removing the Lower Backplane Cover 1-12 Figure 1-13 Backplane Attachment for Cover 1-13 Figure 1-14 Installing the Plastic Rear Cover with Spacers 1-14 Figure 1-15 BNC Backplane for Use in 1:1 Protection Schemes 1-19 Figure 1-16 BNC Insertion and Removal Tool 1-20 Figure 1-17 High-Density BNC Backplane for Use in 1:N Protection Schemes 1-21 Figure 1-18 MiniBNC Backplane for Use in 1:N Protection Schemes 1-23 Figure 1-19 MiniBNC Insertion and Removal Tool 1-28 Figure 1-20 SMB EIA Backplane 1-29 Figure 1-21 AMP Champ EIA Backplane 1-30 Figure 1-22 UBIC-V Slot Designations 1-33 Figure 1-23 UBIC-H EIA Connector Labeling 1-35 Figure 1-24 DS-1 Electrical Interface Adapter (Balun) 1-39 Figure 1-25 Cable Connector Pins 1-40 Figure 1-26 UBIC-V DS-1 Cable Schematic Diagram 1-42 Figure 1-27 UBIC-V DS-3/EC-1 Cable Schematic Diagram 1-45 Figure 1-28 Cable Connector Pins 1-47 Figure 1-29 UBIC-H DS-1 Cable Schematic Diagram 1-48 Figure 1-30 UBIC-H DS-3/EC-1 Cable Schematic Diagram 1-51Figures xxvi 
Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 1-31 100BaseT Connector Pins 1-52 Figure 1-32 Straight-Through Cable 1-52 Figure 1-33 Crossover Cable 1-53 Figure 1-34 Managing Cables on the Front Panel 1-54 Figure 1-35 Fiber Capacity 1-54 Figure 1-36 Tie-Down Bar 1-55 Figure 1-37 AEP Printed Circuit Board Assembly 1-57 Figure 1-38 AEP Block Diagram 1-57 Figure 1-39 AEP Wire-Wrap Connections to Backplane Pins 1-58 Figure 1-40 Alarm Input Circuit Diagram 1-59 Figure 1-41 Alarm Output Circuit Diagram 1-60 Figure 1-42 Detectable Filler Card Faceplate 1-62 Figure 1-43 Filler Plus Card Faceplate 1-63 Figure 1-44 Filler Plus Card with Fiber Storage Bracket 1-64 Figure 1-45 Ground Posts on the ONS 15454 Backplane 1-69 Figure 1-46 ONS 15454 Backplane Pinouts (Release 3.4 or Later) 1-71 Figure 1-47 ONS 15454 Backplane Pinouts 1-72 Figure 1-48 Installing Cards in the ONS 15454 1-75 Figure 2-1 TCC2 Card Faceplate and Block Diagram 2-8 Figure 2-2 TCC2P Faceplate and Block Diagram 2-12 Figure 2-3 XCVT Faceplate and Block Diagram 2-17 Figure 2-4 XCVT Cross-Connect Matrix 2-18 Figure 2-5 XC10G Faceplate and Block Diagram 2-21 Figure 2-6 XC10G Cross-Connect Matrix 2-22 Figure 2-7 XC-VXC-10G Faceplate and Block Diagram 2-25 Figure 2-8 XC-VXC-10G Cross-Connect Matrix 2-27 Figure 2-9 AIC-I Faceplate and Block Diagram 2-30 Figure 2-10 RJ-11 Connector 2-33 Figure 3-1 EC1-12 Faceplate and Block Diagram 3-6 Figure 3-2 DS1-14 Faceplate and Block Diagram 3-9 Figure 3-3 DS1N-14 Faceplate and Block Diagram 3-10 Figure 3-4 DS1/E1-56 Faceplate and Block Diagram 3-13 Figure 3-5 DS3-12 Faceplate and Block Diagram 3-15 Figure 3-6 DS3N-12 Faceplate and Block Diagram 3-16 Figure 3-7 DS3/EC1-48 Faceplate and Block Diagram 3-19Figures xxvii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 3-8 DS3i-N-12 Faceplate and Block Diagram 3-21 Figure 3-9 DS3-12E Faceplate and Block Diagram 3-24 Figure 3-10 DS3N-12E Faceplate and Block Diagram 
3-25 Figure 3-11 DS3XM-6 Faceplate and Block Diagram 3-27 Figure 3-12 DS3XM-12 Faceplate and Block Diagram 3-32 Figure 4-1 OC3 IR 4/STM1 SH 1310 Faceplate and Block Diagram 4-7 Figure 4-2 OC3IR/STM1 SH 1310-8 Faceplate and Block Diagram 4-9 Figure 4-3 OC12 IR/STM4 SH 1310 Faceplate and Block Diagram 4-11 Figure 4-4 OC12 LR/STM4 LH 1310 Faceplate and Block Diagram 4-13 Figure 4-5 OC12 LR/STM4 LH 1550 Faceplate and Block Diagram 4-15 Figure 4-6 OC12 IR/STM4 SH 1310-4 Faceplate and Block Diagram 4-17 Figure 4-7 OC48 IR 1310 Faceplate and Block Diagram 4-19 Figure 4-8 OC48 LR 1550 Faceplate and Block Diagram 4-21 Figure 4-9 OC48 IR/STM16 SH AS 1310 Faceplate and Block Diagram 4-23 Figure 4-10 OC48 LR/STM16 LH AS 1550 Faceplate and Block Diagram 4-25 Figure 4-11 OC48 ELR/STM16 EH 100 GHz Faceplate and Block Diagram 4-27 Figure 4-12 OC48 ELR 200 GHz Faceplate and Block Diagram 4-29 Figure 4-13 OC192 SR/STM64 IO 1310 Faceplate and Block Diagram 4-31 Figure 4-14 OC192 IR/STM64 SH 1550 Faceplate and Block Diagram 4-33 Figure 4-15 OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate and Block Diagram 4-35 Figure 4-16 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate 4-36 Figure 4-17 OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate and Block Diagram 4-37 Figure 4-18 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate 4-38 Figure 4-19 OC192 LR/STM64 LH ITU 15xx.xx Faceplate 4-40 Figure 4-20 OC192 LR/STM64 LH ITU 15xx.xx Block Diagram 4-41 Figure 4-21 15454_MRC-12 Card Faceplate and Block Diagram 4-43 Figure 4-22 MRC-2.5G-4 Card Faceplate and Block Diagram 4-48 Figure 4-23 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card Faceplates and Block Diagram 4-52 Figure 4-24 Mylar Tab SFP 4-55 Figure 4-25 Actuator/Button SFP 4-55 Figure 4-26 Bail Clasp SFP 4-55 Figure 4-27 Bail Clasp XFP (Unlatched) 4-56 Figure 4-28 Bail Clasp XFP (Latched) 4-56 Figure 5-1 E100T-12 Faceplate and Block Diagram 5-5 Figure 5-2 E100T-G Faceplate 
and Block Diagram 5-7Figures xxviii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 5-3 E1000-2 Faceplate and Block Diagram 5-9 Figure 5-4 E1000-2-G Faceplate and Block Diagram 5-12 Figure 5-5 G1K-4 Faceplate and Block Diagram 5-14 Figure 5-6 ML100T-12 Faceplate and Block Diagram 5-17 Figure 5-7 ML100X-8 Faceplate and Block Diagram 5-19 Figure 5-8 ML1000-2 Faceplate and Block Diagram 5-21 Figure 5-9 ML-MR-10 Faceplate and Block Diagram 5-23 Figure 5-10 CE-100T-8 Faceplate and Block Diagram 5-26 Figure 5-11 CE-1000-4 Faceplate and Block Diagram 5-29 Figure 5-12 CE-MR-10 Faceplate and Block Diagram 5-32 Figure 5-13 GBICs with Clips (left) and with a Handle (right) 5-37 Figure 5-14 CWDM GBIC with Wavelength Appropriate for Fiber-Connected Device 5-39 Figure 5-15 G-Series with CWDM/DWDM GBICs in Cable Network 5-39 Figure 5-16 Mylar Tab SFP 5-40 Figure 5-17 Actuator/Button SFP 5-40 Figure 5-18 Bail Clasp SFP 5-40 Figure 6-1 FC_MR-4 Faceplate and Block Diagram 6-3 Figure 7-1 Example: ONS 15454 Cards in a 1:1 Protection Configuration (SMB EIA) 7-2 Figure 7-2 Example: ONS 15454 Cards in a 1:N Protection Configuration (SMB EIA) 7-3 Figure 7-3 Unprotected Low-Density Electrical Card Schemes for EIA Types 7-7 Figure 7-4 Unprotected High-Density Electrical Card Schemes for EIA Types 7-8 Figure 7-5 1:1 Protection Schemes for Low-Density Electrical Cards with EIA Types 7-9 Figure 7-6 1:N Protection Schemes for Low-Density Electrical Cards with EIA Types 7-10 Figure 7-7 1:1 Protection Schemes for High-Density Electrical Cards with UBIC or MiniBNC EIA Types 7-11 Figure 7-8 ONS 15454 in an Unprotected Configuration 7-14 Figure 8-1 CTC Software Versions, Node View 8-2 Figure 8-2 CTC Software Versions, Network View 8-3 Figure 8-3 Node View (Default Login View) 8-10 Figure 8-4 Terminal Loopback Indicator 8-12 Figure 8-5 Facility Loopback Indicator 8-12 Figure 8-6 Network in CTC Network View 8-14 Figure 8-7 CTC Card View Showing a DS1 Card 8-17 Figure 
8-8 Static IP-Over-CLNS Tunnels 8-20 Figure 8-9 TL1 Tunnels 8-21 Figure 10-1 ONS 15454 Timing Example 10-2Figures xxix Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 11-1 Four-Node, Two-Fiber BLSR 11-3 Figure 11-2 Four-Node, Two-Fiber BLSR Traffic Pattern Sample 11-4 Figure 11-3 Four-Node, Two-Fiber BLSR Traffic Pattern Following Line Break 11-5 Figure 11-4 Four-Node, Four-Fiber BLSR 11-6 Figure 11-5 Four-Fiber BLSR Span Switch 11-7 Figure 11-6 Four-Fiber BLSR Ring Switch 11-8 Figure 11-7 BLSR Bandwidth Reuse 11-9 Figure 11-8 Five-Node Two-Fiber BLSR 11-10 Figure 11-9 Shelf Assembly Layout for Node 0 in Figure 11-8 11-11 Figure 11-10 Shelf Assembly Layout for Nodes 1 to 4 in Figure 11-8 11-11 Figure 11-11 Connecting Fiber to a Four-Node, Two-Fiber BLSR 11-12 Figure 11-12 Connecting Fiber to a Four-Node, Four-Fiber BLSR 11-13 Figure 11-13 Basic Four-Node Path Protection 11-14 Figure 11-14 Path Protection with a Fiber Break 11-15 Figure 11-15 Four-Port, OC-3 Path Protection 11-16 Figure 11-16 Layout of Node ID 0 in the OC-3 Path Protection Example in Figure 11-15 11-17 Figure 11-17 Layout of Node IDs 1 to 3 in the OC-3 Path Protection Example in Figure 11-15 11-17 Figure 11-18 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Same-Side Routing) 11-19 Figure 11-19 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Opposite-Side Routing) 11-20 Figure 11-20 ONS 15454 Integrated BLSR Dual-Ring Interconnect 11-21 Figure 11-21 Integrated BLSR DRI on the Edit Circuits Window 11-22 Figure 11-22 ONS 15454 Traditional Path Protection Dual-Ring Interconnect 11-23 Figure 11-23 ONS 15454 Integrated Path Protection Dual-Ring Interconnect 11-24 Figure 11-24 ONS 15454 Path Protection to BLSR Traditional DRI Handoff 11-25 Figure 11-25 ONS 15454 Path Protection to BLSR Integrated DRI Handoff 11-26 Figure 11-26 Path Protection to BLSR Integrated DRI Handoff on the Detailed Circuit Map 11-27 Figure 11-27 ONS 15454 with Multiple Subtending Rings 11-28 
Figure 11-28 Path Protection Subtending from a BLSR 11-29 Figure 11-29 BLSR Subtending from a BLSR 11-29 Figure 11-30 Linear (Point-to-Point) ADM Configuration 11-30 Figure 11-31 Path-Protected Mesh Network 11-31 Figure 11-32 PPMN Virtual Ring 11-32 Figure 11-33 Four-Shelf Node Configuration 11-33 Figure 11-34 STS Around the Ring 11-34 Figure 11-35 Unprotected Point-to-Point ADM to Path Protection Conversion 11-42Figures xxx Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 11-36 Overlay Ring Circuit 11-44 Figure 12-1 ONS 15454 Circuit Window in Network View 12-4 Figure 12-2 BLSR Circuit Displayed on the Detailed Circuit Map 12-12 Figure 12-3 One VT1.5 Circuit on One STS 12-13 Figure 12-4 Two VT1.5 Circuits in a BLSR 12-14 Figure 12-5 Traditional DCC Tunnel 12-17 Figure 12-6 VT1.5 Monitor Circuit Received at an EC1-12 Port 12-19 Figure 12-7 Editing Path Protection Selectors 12-20 Figure 12-8 Path Protection Go-and-Return Routing 12-21 Figure 12-9 Secondary Sources and Destinations 12-29 Figure 12-10 Alternate Paths for Virtual Path Protection Segments 12-30 Figure 12-11 Mixing 1+1 or BLSR Protected Links With a Path Protection Configuration 12-30 Figure 12-12 Ethernet Shared Packet Ring Routing 12-31 Figure 12-13 Ethernet and Path Protection 12-31 Figure 12-14 VCAT Common Fiber Routing 12-35 Figure 12-15 VCAT Split Fiber Routing 12-35 Figure 12-16 Open-Ended VCAT 12-39 Figure 12-17 Rolls Window 12-40 Figure 12-18 Single Source Roll 12-42 Figure 12-19 Single Destination Roll 12-43 Figure 12-20 Single Roll from One Circuit to Another Circuit (Destination Changes) 12-43 Figure 12-21 Single Roll from One Circuit to Another Circuit (Source Changes) 12-43 Figure 12-22 Dual Roll to Reroute a Link 12-44 Figure 12-23 Dual Roll to Reroute to a Different Node 12-44 Figure 13-1 Shelf LCD Panel 13-2 Figure 13-2 Select Affected Circuits Option 13-5 Figure 13-3 Network View Alarm Profiles Window 13-10 Figure 13-4 DS1 Card Alarm Profile 13-13 Figure 
14-1 IP Scenario 1: CTC and ONS 15454s on Same Subnet 14-3 Figure 14-2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router 14-4 Figure 14-3 IP Scenario 3: Using Proxy ARP 14-5 Figure 14-4 IP Scenario 3: Using Proxy ARP with Static Routing 14-6 Figure 14-5 IP Scenario 4: Default Gateway on a CTC Computer 14-7 Figure 14-6 IP Scenario 5: Static Route With One CTC Computer Used as a Destination 14-8 Figure 14-7 IP Scenario 5: Static Route With Multiple LAN Destinations 14-9Figures xxxi Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 14-8 IP Scenario 6: OSPF Enabled 14-11 Figure 14-9 IP Scenario 6: OSPF Not Enabled 14-12 Figure 14-10 SOCKS Proxy Server Gateway Settings 14-13 Figure 14-11 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on the Same Subnet 14-15 Figure 14-12 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on Different Subnets 14-16 Figure 14-13 IP Scenario 7: ONS 15454 SOCKS Proxy Server With ENEs on Multiple Rings 14-17 Figure 14-14 IP Scenario 8: Dual GNEs on the Same Subnet 14-19 Figure 14-15 IP Scenario 8: Dual GNEs on Different Subnets 14-20 Figure 14-16 IP Scenario 9: ONS 15454 GNE and ENEs on the Same Subnet with Secure Mode Enabled 14-22 Figure 14-17 IP Scenario 9: ONS 15454 GNE and ENEs on Different Subnets with Secure Mode Enabled 14-23 Figure 14-18 Proxy and Firewall Tunnels for Foreign Terminations 14-28 Figure 14-19 Foreign Node Connection to an ENE Ethernet Port 14-29 Figure 14-20 ISO-DCC NSAP Address 14-33 Figure 14-21 OSI Main Setup 14-34 Figure 14-22 Level 1 and Level 2 OSI Routing 14-35 Figure 14-23 Manual TARP Adjacencies 14-40 Figure 14-24 T–TD Protocol Flow 14-41 Figure 14-25 FT–TD Protocol Flow 14-41 Figure 14-26 Provisioning OSI Routers 14-42 Figure 14-27 IP-over-CLNS Tunnel Flow 14-44 Figure 14-28 IP-over-CLNS Tunnel Scenario 1: ONS NE to Other Vender GNE 14-46 Figure 14-29 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router 14-47 Figure 14-30 IP-over-CLNS Tunnel 
Scenario 3: ONS Node to Router Across an OSI DCN 14-49 Figure 14-31 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE 14-50 Figure 14-32 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-51 Figure 14-33 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE 14-53 Figure 14-34 OSI/IP Scenario 3 with OSI/IP-over-CLNS Tunnel Endpoint at the GNE 14-54 Figure 14-35 OSI/IP Scenario 4: Multiple ONS DCC Areas 14-55 Figure 14-36 OSI/IP Scenario 5: GNE Without an OSI DCC Connection 14-56 Figure 14-37 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE 14-57 Figure 14-38 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vender GNE, OSI DCC, and ONS NEs 14-58 Figure 14-39 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vender NEs 14-60 Figure 14-40 IPv6-IPv4 Interaction 14-62 Figure 15-1 TCAs Displayed in CTC 15-2 Figure 15-2 Monitored Signal Types for the EC1-12 Card 15-13Figures xxxii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Figure 15-3 PM Read Points on the EC1-12 Card 15-13 Figure 15-4 Monitored Signal Types for the DS1/E1-56 Card 15-14 Figure 15-5 PM Read Points on the DS1/E1-56 Card 15-15 Figure 15-6 Monitored Signal Types for the DS1-14 and DS1N-14 Cards 15-16 Figure 15-7 PM Read Points on the DS1-14 and DS1N-14 Cards 15-17 Figure 15-8 Monitored Signal Types for the DS3-12 and DS3N-12 Cards 15-18 Figure 15-9 PM Read Points on the DS3-12 and DS3N-12 Cards 15-19 Figure 15-10 Monitored Signal Types for the DS3-12E and DS3N-12E Cards 15-20 Figure 15-11 PM Read Points on the DS3-12E and DS3N-12E Cards 15-20 Figure 15-12 Monitored Signal Types for the DS3i-N-12 Cards 15-21 Figure 15-13 PM Read Points on the DS3i-N-12 Cards 15-22 Figure 15-14 Monitored Signal Types for the DS3XM-6 Card 15-23 Figure 15-15 PM Read Points on the DS3XM-6 Card 15-24 Figure 15-16 Monitored Signal Types for the DS3XM-12 Card 15-25 Figure 15-17 PM Read Points on the DS3XM-12 
Card 15-26 Figure 15-18 Monitored Signal Types for the DS3/EC1-48 Card 15-27 Figure 15-19 PM Read Points on the DS3/EC1-48 Card 15-28 Figure 15-20 Monitored Signal Types for the OC-3 Cards 15-49 Figure 15-21 PM Read Points on the OC-3 Cards 15-50 Figure 15-22 PM Read Points for the MRC-12 and the MRC-2.5G-4 Cards 15-52 Figure 16-1 Basic Network Managed by SNMP 16-2 Figure 16-2 Example of the Primary SNMP Components 16-3 Figure 16-3 Agent Gathering Data from a MIB and Sending Traps to the Manager 16-3TABLES xxxiii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Table 1-1 EIA Types Compatible with the 15454-SA-ANSI Only 1-16 Table 1-2 EIA Configurations Compatible with the 15454-SA-ANSI and the 15454-SA-HD 1-17 Table 1-3 MiniBNC Protection Types and Slots 1-22 Table 1-4 J-Labeling Port Assignments for a Shelf Assembly Configure with Low-Density Electrical Cards (A Side) 1-24 Table 1-5 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (B Side) 1-25 Table 1-6 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (A Side) 1-26 Table 1-7 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (B Side) 1-27 Table 1-8 AMP Champ Connector Pin Assignments 1-31 Table 1-9 AMP Champ Connector Pin Assignments (Shielded DS-1 Cable) 1-32 Table 1-10 UBIC-V Protection Types and Slots 1-34 Table 1-11 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (A Side) 1-36 Table 1-12 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (B Side) 1-36 Table 1-13 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (A Side) 1-37 Table 1-14 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (B Side) 1-37 Table 1-15 UBIC-H Protection Types and Slots 1-38 Table 1-16 UBIC-V DS-1 SCSI Connector Pin Out 1-41 Table 1-17 
UBIC-V DS-1 Tip/Ring Color Coding 1-43 Table 1-18 UBIC-V DS-3/EC-1 SCSI Connector Pin Out 1-43 Table 1-19 UBIC-H DS-1 SCSI Connector Pin Out 1-47 Table 1-20 UBIC-H DS-1 Tip/Ring Color Coding 1-49 Table 1-21 UBIC-H DS-3/EC-1 SCSI Connector Pin Out 1-49 Table 1-22 E100-TX Connector Pinout 1-52 Table 1-23 Fiber Channel Capacity (One Side of the Shelf) 1-55 Table 1-24 Pin Assignments for the AEP 1-58 Table 1-25 Alarm Input Pin Association 1-59 Table 1-26 Pin Association for Alarm Output Pins 1-60 Table 1-27 Fan Tray Units for ONS 15454 Cards 1-65 Table 1-28 Pilot Fuse Ratings 1-68 Table 1-29 BITS External Timing Pin Assignments 1-73 Table 1-30 LAN Pin Assignments 1-74Tables xxxiv Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Table 1-31 Craft Interface Pin Assignments 1-74 Table 1-32 Slot and Card Symbols 1-76 Table 1-33 Card Ports, Line Rates, and Connectors 1-77 Table 1-34 ONS 15454 Software and Hardware Compatibility—XC and XCVT Configurations 1-80 Table 1-35 ONS 15454 Software and Hardware Compatibility—XC10G and XC-VXC-10G Configurations 1-84 Table 2-1 Common Control Card Functions 2-2 Table 2-2 Common-Control Card Software Release Compatibility 2-3 Table 2-3 Common-Control Card Cross-Connect Compatibility 2-4 Table 2-4 Electrical Card Cross-Connect Compatibility 2-5 Table 2-5 Optical Card Cross-Connect Compatibility 2-6 Table 2-6 Ethernet Card Cross-Connect Compatibility 2-6 Table 2-7 SAN Card Cross-Connect Compatibility 2-7 Table 2-8 TCC2 Card-Level Indicators 2-10 Table 2-9 TCC2 Network-Level Indicators 2-10 Table 2-10 TCC2 Power-Level Indicators 2-11 Table 2-11 TCC2P Card-Level Indicators 2-15 Table 2-12 TCC2P Network-Level Indicators 2-15 Table 2-13 TCC2P Power-Level Indicators 2-16 Table 2-14 VT Mapping 2-18 Table 2-15 XCVT Card-Level Indicators 2-20 Table 2-16 VT Mapping 2-22 Table 2-17 XC10G Card-Level Indicators 2-23 Table 2-18 VT Mapping 2-27 Table 2-19 XC-VXC-10G Card-Level Indicators 2-28 Table 2-20 AIC-I Card-Level 
Indicators 2-30 Table 2-21 Orderwire Pin Assignments 2-33 Table 2-22 UDC Pin Assignments 2-34 Table 2-23 DCC Pin Assignments 2-34 Table 3-1 Cisco ONS 15454 Electrical Cards 3-2 Table 3-2 Electrical Card Software Release Compatibility 3-3 Table 3-3 Enabling BERT on Line Side and Backplane Side 3-5 Table 3-4 EC1-12 Card-Level Indicators 3-7 Table 3-5 DS1-14 and DS1N-14 Card-Level Indicators 3-11 Table 3-6 DS1/E1-56 Slot Restrictions 3-12 Table 3-7 DS1/E1-56 Card-Level Indicators 3-14Tables xxxv Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Table 3-8 DS3-12 and DS3N-12 Card-Level Indicators 3-16 Table 3-9 DS3/EC1-48 Slot Restrictions 3-17 Table 3-10 DS3/EC1-48 Card-Level Indicators 3-20 Table 3-11 DS3i-N-12 Card-Level Indicators 3-22 Table 3-12 DS3-12E and DS3N-12E Card-Level Indicators 3-25 Table 3-13 DS3XM-6 Card-Level Indicators 3-28 Table 3-14 DS3XM-12 Shelf Configurations 3-29 Table 3-15 DS3XM-12 Features 3-30 Table 3-16 DS3XM-12 Card-Level Indicators 3-33 Table 4-1 Optical Cards for the ONS 15454 4-2 Table 4-2 Optical Card Software Release Compatibility 4-5 Table 4-3 OC3 IR 4/STM1 SH 1310 Card-Level Indicators 4-8 Table 4-4 OC3IR/STM1 SH 1310-8 Card-Level Indicators 4-10 Table 4-5 OC12 IR/STM4 SH 1310 Card-Level Indicators 4-12 Table 4-6 OC12 LR/STM4 LH 1310 Card-Level Indicators 4-14 Table 4-7 OC12 LR/STM4 LH 1550 Card-Level Indicators 4-16 Table 4-8 OC12 IR/STM4 SH 1310-4 Card-Level Indicators 4-18 Table 4-9 OC48 IR 1310 Card-Level Indicators 4-20 Table 4-10 OC48 LR 1550 Card-Level Indicators 4-22 Table 4-11 OC48 IR/STM16 SH AS 1310 Card-Level Indicators 4-24 Table 4-12 OC48 LR/STM16 LH AS 1550 Card-Level Indicators 4-26 Table 4-13 OC48 ELR/STM16 EH 100 GHz Card-Level Indicators 4-28 Table 4-14 OC48 ELR 200 GHz Card-Level Indicators 4-30 Table 4-15 OC192 SR/STM64 IO 1310 Card-Level Indicators 4-32 Table 4-16 OC192 IR/STM64 SH 1550 Card-Level Indicators 4-34 Table 4-17 OC192 LR/STM64 LH 1550 Card-Level Indicators 4-39 Table 4-18 
OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators 4-42 Table 4-19 Maximum Bandwidth by Shelf Slot for the 15454_MRC-12 in Different Cross-Connect Configurations 4-44 Table 4-20 Line Rate Configurations Per 15454_MRC-12 Port, Based on Available Bandwidth 4-45 Table 4-21 15454_MRC-12 Card-Level Indicators 4-47 Table 4-22 Maximum Bandwidth by Shelf Slot for the MRC-2.5G-4 in Different Cross-Connect Configurations 4-49 Table 4-23 Line Rate Configurations Per 15454_MRC- 4 Port, Based on Available Bandwidth 4-50 Table 4-24 MRC-2.5G-4 Card-Level Indicators 4-50 Table 4-25 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators 4-53 Table 4-26 SFP and XFP Card Compatibility 4-54Tables xxxvi Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Table 4-27 LED Based SFPs 4-54 Table 5-1 Ethernet Cards for the ONS 15454 5-2 Table 5-2 Ethernet Card Software Compatibility 5-3 Table 5-3 E100T-12 Card-Level Indicators 5-6 Table 5-4 E100T-12 Port-Level Indicators 5-6 Table 5-5 E100T-G Card-Level Indicators 5-8 Table 5-6 E100T-G Port-Level Indicators 5-8 Table 5-7 E1000-2 Card-Level Indicators 5-10 Table 5-8 E1000-2 Port-Level Indicators 5-11 Table 5-9 E1000-2-G Card-Level Indicators 5-13 Table 5-10 E1000-2-G Port-Level Indicators 5-13 Table 5-11 G1K-4 Card-Level Indicators 5-15 Table 5-12 G1K-4 Port-Level Indicators 5-16 Table 5-13 ML100T-12 Card-Level Indicators 5-18 Table 5-14 ML100T-12 Port-Level Indicators 5-18 Table 5-15 ML100X-8 Card-Level Indicators 5-20 Table 5-16 ML100X-8 Port-Level Indicators 5-20 Table 5-17 ML1000-2 Card-Level Indicators 5-22 Table 5-18 ML1000-2 Port-Level Indicators 5-22 Table 5-19 ML-MR-10 Card-Level Indicators 5-24 Table 5-20 ML-MR-10 Port-Level Indicators 5-24 Table 5-21 CE-100T-8 Card-Level Indicators 5-27 Table 5-22 CE-100T-8 Port-Level Indicators 5-27 Table 5-23 CE-1000-4 Card-Level Indicators 5-30 Table 5-24 CE-1000-4 Port-Level Indicators 5-30 Table 5-25 CE-MR-10 Card-Level Indicators 5-33 Table 5-26 
CE-MR-10 Port-Level Indicators 5-33
Table 5-27 Available GBICs 5-34
Table 5-28 Available SFPs and XFPs 5-34
Table 5-29 Speed-Duplex Matrix for Electrical 10/100/1000Base-T SFPs 5-35
Table 5-30 Speed-Duplex Matrix for Optical 1000BaseSX/LX/ZX SFPs 5-36
Table 5-31 Speed-Duplex Matrix for Optical 100Base FX/LX10/BX-D/BX-U SFPs 5-36
Table 5-32 Speed-Duplex Matrix for E1/DS1 over Fast Ethernet SFP 5-36
Table 5-33 Speed-Duplex Matrix for E3/DS3 PDH over Fast Ethernet SFP 5-37
Table 5-34 Supported Wavelengths for CWDM GBICs 5-38
Tables xxxvii Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01
Table 5-35 Supported Wavelengths for DWDM GBICs 5-38
Table 6-1 FC_MR-4 Card-Level Indicators 6-3
Table 6-2 GBIC and SFP Compatibility 6-8
Table 7-1 Supported 1:1 Protection by Electrical Card 7-2
Table 7-2 Supported 1:N Protection by Electrical Card 7-3
Table 7-3 EIA Connectors Per Side 7-5
Table 7-4 Electrical Card Protection By EIA Type 7-6
Table 8-1 JRE Compatibility 8-5
Table 8-2 CTC Computer Requirements 8-5
Table 8-3 ONS 15454 Connection Methods 8-8
Table 8-4 Node View Card Colors 8-10
Table 8-5 Node View Card Statuses 8-11
Table 8-6 Node View Card Port Colors and Service States 8-11
Table 8-7 Node View Tabs and Subtabs 8-12
Table 8-8 Network View Tabs and Subtabs 8-14
Table 8-9 Node Status Shown in Network View 8-15
Table 8-10 DCC Colors Indicating State in Network View 8-15
Table 8-11 Link Icons 8-16
Table 8-12 Card View Tabs and Subtabs 8-17
Table 8-13 TL1 and Static IP-Over-CLNS Tunnels Comparison 8-21
Table 9-1 ONS 15454 Security Levels—Node View 9-2
Table 9-2 ONS 15454 Security Levels—Network View 9-6
Table 9-3 ONS 15454 Default User Idle Times 9-8
Table 9-4 Audit Trail Window Columns 9-9
Table 9-5 Shared Secret Character Groups 9-11
Table 10-1 SONET SSM Generation 1 Message Set 10-3
Table 10-2 SONET SSM Generation 2 Message Set 10-3
Table 10-3 SDH SSM Messages 10-4
Table 11-1 ONS 15454 Rings with Redundant TCC2/TCC2P Cards 11-2
Table 11-2 Two-Fiber BLSR Capacity 11-8
Table 11-3 Four-Fiber BLSR Capacity 11-9
Table 11-4 Comparison of the Protection Schemes 11-27
Table 11-5 Slot 5, 6, 12, and 13 Upgrade Options 11-35
Table 11-6 Upgrade Options for Slots 1 through 4 and 14 through 17 11-36
Table 11-7 MRC-12 Card Upgrade Matrix 11-38
Table 11-8 MRC-2.5G-4 Card Upgrade Matrix 11-39
Table 12-1 STS Mapping Using CTC 12-4
Table 12-2 ONS 15454 Circuit Status 12-6
Table 12-3 Circuit Protection Types 12-9
Table 12-4 Port State Color Indicators 12-11
Table 12-5 VT Matrix Port Usage for One VT1.5 Circuit 12-15
Table 12-6 Portless Transmux Mapping for XCVT Drop Ports 12-16
Table 12-7 Portless Transmux Mapping for XCVT Trunk and XC10G/XC-VXC-10G Any-Slot Ports 12-16
Table 12-8 DCC Tunnels 12-17
Table 12-9 ONS 15454 Cards Capable of J1 Path Trace 12-25
Table 12-10 STS Path Signal Label Assignments for Signals 12-26
Table 12-11 STS Path Signal Label Assignments for Signals with Payload Defects 12-26
Table 12-12 Bidirectional STS/VT/Regular Multicard EtherSwitch/Point-to-Point (Straight) Ethernet Circuits 12-31
Table 12-13 Unidirectional STS/VT Circuit 12-32
Table 12-14 Multicard Group Ethernet Shared Packet Ring Circuit 12-32
Table 12-15 Bidirectional VT Tunnels 12-32
Table 12-16 Switch Times 12-36
Table 12-17 ONS 15454 Card VCAT Circuit Rates and Members 12-37
Table 12-18 ONS 15454 VCAT Card Capabilities 12-38
Table 12-19 Roll Statuses 12-41
Table 13-1 Alarms Column Descriptions 13-2
Table 13-2 Color Codes for Alarm and Condition Severities 13-3
Table 13-3 Alarm Display 13-4
Table 13-4 Conditions Display 13-6
Table 13-5 Conditions Column Description 13-6
Table 13-6 History Column Description 13-8
Table 13-7 Alarm Profile Buttons 13-11
Table 13-8 Alarm Profile Editing Options 13-12
Table 14-1 General ONS 15454 IP Troubleshooting Checklist 14-2
Table 14-2 ONS 15454 Gateway and End NE Settings 14-15
Table 14-3 SOCKS Proxy Server Firewall Filtering Rules 14-17
Table 14-4 SOCKS Proxy Server Firewall Filtering Rules When Packet Addressed to the ONS 15454 14-18
Table 14-5 Sample Routing Table Entries 14-24
Table 14-6 Ports Used by the TCC2/TCC2P 14-25
Table 14-7 TCP/IP and OSI Protocols 14-30
Table 14-8 NSAP Fields 14-32
Table 14-9 TARP PDU Fields 14-37
Table 14-10 TARP PDU Types 14-37
Table 14-11 TARP Timers 14-38
Table 14-12 TARP Processing Flow 14-39
Table 14-13 OSI Virtual Router Constraints 14-43
Table 14-14 IP-over-CLNS Tunnel IOS Commands 14-45
Table 14-15 OSI Actions from the CTC Provisioning Tab 14-61
Table 14-16 OSI Actions from the CTC Maintenance Tab 14-61
Table 14-17 Differences Between an IPv6 Node and an IPv4 Node 14-63
Table 15-1 Electrical Cards that Report RX and TX Direction for TCAs 15-3
Table 15-2 ONS 15454 Line Terminating Equipment 15-3
Table 15-3 Performance Monitoring Parameters 15-5
Table 15-4 EC1-12 Card PMs 15-14
Table 15-5 DS1/E1-56 Card PMs 15-16
Table 15-6 DS1-14 and DS1N-14 Card PMs 15-17
Table 15-7 DS3-12 and DS3N-12 Card PMs 15-19
Table 15-8 DS3-12E and DS3N-12E Card PMs 15-21
Table 15-9 DS3i-N-12 Card PMs 15-22
Table 15-10 DS3XM-6 Card PMs 15-24
Table 15-11 DS3XM-12 Card PMs 15-26
Table 15-12 DS3/EC1-48 Card PMs 15-28
Table 15-13 E-Series Ethernet Statistics Parameters 15-29
Table 15-14 maxBaseRate for STS Circuits 15-31
Table 15-15 Ethernet History Statistics per Time Interval 15-31
Table 15-16 G-Series Ethernet Statistics Parameters 15-32
Table 15-17 ML-Series Ether Ports PM Parameters 15-34
Table 15-18 ML-Series POS Ports Parameters for HDLC Mode 15-37
Table 15-19 ML-Series POS Ports Parameters for GFP-F Mode 15-38
Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB 15-38
Table 15-21 CE-Series Ether Port PM Parameters 15-44
Table 15-22 CE-Series Card POS Ports Parameters 15-47
Table 15-23 OC-3 Card PMs 15-50
Table 15-24 OC3-8 Card PMs 15-51
Table 15-25 OC-12, OC-48, OC-192, OC-192-XFP Card PMs 15-51
Table 15-26 Table of Border Error Rates 15-52
Table 15-27 MRC Card PMs 15-53
Table 15-28 FC_MR-4 Card Statistics 15-53
Table 15-29 maxBaseRate for STS Circuits 15-55
Table 15-30 FC_MR-4 History Statistics per Time Interval 15-56
Table 16-1 ONS 15454 SNMP Message Types 16-5
Table 16-2 IETF Standard MIBs Implemented in the ONS 15454 System 16-6
Table 16-3 ONS 15454 Proprietary MIBs 16-7
Table 16-4 cerentGenericPmThresholdTable 16-12
Table 16-5 32-Bit cerentGenericPmStatsCurrentTable 16-13
Table 16-6 32-Bit cerentGenericPmStatsIntervalTable 16-13
Table 16-7 Supported Generic IETF Traps 16-14
Table 16-8 Supported ONS 15454 SNMPv2 Trap Variable Bindings 16-15
Table 16-9 RMON History Control Periods and History Categories 16-25
Table 16-10 OIDs Supported in the AlarmTable 16-27
Table A-1 Fan Tray Assembly Power Requirements A-4
Table A-2 SFP, XFP, and GBIC Specifications A-5
Table A-3 Individual Card Power Requirements A-8
Table A-4 Card Temperature Ranges and Product Names A-10
Table B-1 ONS 15454 Service State Primary States and Primary State Qualifiers B-1
Table B-2 ONS 15454 Secondary States B-2
Table B-3 ONS 15454 Administrative States B-3
Table B-4 ONS 15454 Card Service State Transitions B-3
Table B-5 ONS 15454 Port and Cross-Connect Service State Transitions B-6
Table B-6 ONS 15454 Pluggable Equipment Service State Transitions B-10
Table C-1 DS-1 Card Default Settings C-4
Table C-2 DS1/E1-56 Card Default Settings C-7
Table C-3 DS-3 Card Default Settings C-13
Table C-4 DS3/EC1-48 Card Default Settings C-14
Table C-5 DS3E Card Default Settings C-19
Table C-6 DS3I Card Default Settings C-21
Table C-7 DS3XM-6 Card Default Settings C-24
Table C-8 DS3XM-12 Card Default Settings C-26
Table C-9 EC1-12 Card Default Settings C-30
Table C-10 FC_MR-4 Card Default Settings C-33
Table C-11 Ethernet Card Default Settings C-34
Table C-12 OC-3 Card Default Settings C-35
Table C-13 OC3-8 Card Default Settings C-38
Table C-14 OC-12 Card Default Settings C-42
Table C-15 OC12-4 Card Default Settings C-46
Table C-16 OC-48 Card Default Settings C-50
Table C-17 OC-192 Card Default Settings C-54
Table C-18 OC192-XFP Default Settings C-59
Table C-19 MRC-12 Card Default Settings C-65
Table C-20 MRC-2.5G-4 Card Default Settings C-82
Table C-21 Node Default Settings C-101
Table C-22 Time Zones C-117
Table C-23 CTC Default Settings C-120

About this Manual

Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

This section explains the objectives, intended audience, and organization of this publication and describes the conventions that convey instructions and other information. This section provides the following information:
• Revision History
• Document Objectives
• Audience
• Related Documentation
• Document Conventions
• Obtaining Optical Networking Information
• Obtaining Documentation and Submitting a Service Request

Revision History

November 2009: Updated the table “Line Rate Configurations Per 15454_MRC-12 Port, Based on Available Bandwidth” in the chapter “Optical Cards”.
December 2009: Added the section “Filler Plus Cards” in the chapter “Shelf and Backplane Hardware”.
January 2010: Updated the section “OC-N Speed Upgrades” in the chapter “SONET Topologies and Upgrades”.
February 2010: Updated the table “SFP, XFP, and GBIC Specifications” in the appendix “Hardware Specifications”.
April 2010:
• Updated Span Upgrade Wizard section and In-Service MRC Card Upgrades section content.
• Updated the section “SNMP Overview” in the chapter “SNMP”.
• Created a section “Fan Tray Units for ONS 15454 Cards” in the chapter “Shelf and Backplane Hardware”.
• Added tables “Speed-Duplex Matrix for E1/DS1 over Fast Ethernet SFP” and “Speed-Duplex Matrix for E3/DS3 PDH over Fast Ethernet SFP” in the section “Speed-Duplex Combinations on SFPs” and updated table “Available SFPs/XFPs” in the chapter “Ethernet Cards”.
• Added footnote and note for ONS-SC-2G-28.7 SFP in the chapter “Optical Cards” and appendix “Hardware Specifications”.
May 2010: Updated the note in the section “DS3/EC1-48 Card” in the chapter “Electrical Cards”.
June 2010:
• Updated the caution in the section “DS1/E1-56 Card” in the chapter “Electrical Cards”.
• Updated the “OC-N Speed Upgrades” section in the chapter “SONET Topologies and Upgrades”.
August 2010:
• Updated the section “Bridge and Roll” in the chapter “Circuits and Tunnels”.
• Removed the reference to G1000 card support in the chapters “Shelf and Backplane Hardware”, “Network Element Defaults”, and “Ethernet Cards”.
November 2010: Updated the figure “ML1000-2 Faceplate and Block Diagram” under the section “ML1000-2 Card” in the chapter “Ethernet Cards”.
December 2010:
• Updated the section “MRC-12 Multirate Card” and the table “MRC-12 Card Upgrade Matrix” in the chapter “SONET Topologies and Upgrades”.
• Updated the section “CE-MR-10 Card” in the chapter “Ethernet Cards”.
• Updated the table “ONS 15454 Security Levels—Node View” in the chapter “Security”.
January 2011: Updated the sections “CE-100T-8 Card” and “CE-MR-10 Card” in the chapter “Ethernet Cards”.
April 2011: Updated the table “SFP and XFP Card Compatibility” in the chapter “Optical Cards”.
May 2011: Updated the “Common-Control Card Software Release Compatibility” table in the chapter “Common Control Cards”.
May 2011:
• Updated the sections “Link Capacity Adjustment” and “VCAT Circuit Size” in the chapter “Circuits and Tunnels”.
• Updated the tables “ONS 15454 Card VCAT Circuit Rates and Members” and “ONS 15454 VCAT Card Capabilities” in the chapter “Circuits and Tunnels”.
June 2011:
• Updated the section “AIC-I Card” in the chapter “Common Control Cards”.
• Updated the table “ONS 15454 Software and Hardware Compatibility—XC1 and XCVT Configurations” in the chapter “Shelf and Backplane Hardware”.
July 2011:
• Added a note in the “PC and UNIX Workstation Requirements” section of the chapter “Cisco Transport Controller Operation”.
• Updated the tables “DS3XM-6 Card PMs” and “DS3XM-12 Card PMs” in the chapter “Performance Monitoring”.
September 2011: Added a note to the Performance Monitoring Parameters table in the “Performance Monitoring Parameter Definitions” section.
October 2011: Updated the section “AMP Champ EIA” in the chapter “Shelf and Backplane Hardware”.
January 2012: Updated the privileges for the Download/Cancel operations in the table “ONS 15454 SDH Security Levels—Network View” in the chapter “Security”.
February 2012: Updated the table “SFP and XFP Card Compatibility” in the chapter “Optical Cards”.
March 2012:
• Updated the software release compatibility tables in the chapters “Common Control Cards”, “Optical Cards”, “Electrical Cards”, and “Ethernet Cards”.
• Updated the section “SONET Timing Operation” for the TCC2P card in the chapter “Common Control Cards”.
• Updated the section “DS3/EC1-48 Card Specifications” in the appendix “Hardware Specifications”.
August 2012:
• Updated the table “Common-Control Card Software Release Compatibility” in the chapter “Common Control Cards”.
• The full-length book PDF was generated.

Document Objectives

This manual provides reference information for the Cisco ONS 15454.

Audience

To use this publication, you should be familiar with Cisco or equivalent optical transmission hardware and cabling, telecommunications hardware and cabling, electronic circuitry and wiring practices, and preferably have experience as a telecommunications technician.

Related Documentation

Use the Cisco ONS 15454 Reference Manual with the following referenced Release 9.1 and Release 9.2 publications:
• Cisco ONS 15454 Procedure Guide: Provides procedures to install, turn up, provision, and maintain a Cisco ONS 15454 node and network.
• Cisco ONS 15454 Troubleshooting Guide: Provides general troubleshooting procedures, alarm descriptions and troubleshooting procedures, error messages, and transient conditions.
• Cisco ONS SONET TL1 Command Guide: Provides a full TL1 command and autonomous message set including parameters, AIDs, conditions and modifiers for the Cisco ONS 15454, ONS 15600, ONS 15310-CL, and ONS 15310-MA systems.
• Cisco ONS SONET TL1 Reference Guide: Provides general information, procedures, and errors for TL1 in the Cisco ONS 15454, ONS 15600, ONS 15310-CL, and ONS 15310-MA systems.
• Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide: Provides software features for all Ethernet cards and configuration information for Cisco IOS on ML-Series cards.
• Release Notes for the Cisco ONS 15454 Release 9.1: Provides caveats, closed issues, and new features and functionality information.
• Release Notes for Cisco ONS 15454 SONET and SDH, Release 9.2: Provides caveats, closed issues, and new features and functionality information.
• Release Notes for Cisco ONS 15454 SONET and SDH, Release 9.2.1: Provides caveats, closed issues, and new features and functionality information.

For an update on End-of-Life and End-of-Sale notices, refer to http://www.cisco.com/en/US/products/hw/optical/ps2006/prod_eol_notices_list.html.

Document Conventions

This publication uses the following conventions:
• boldface: Commands and keywords in body text.
• italic: Command input that is supplied by the user.
• [ ]: Keywords or arguments that appear within square brackets are optional.
• { x | x | x }: A choice of keywords (represented by x) appears in braces separated by vertical bars. The user must select one.
• Ctrl: The control key. For example, where Ctrl + D is written, hold down the Control key while pressing the D key.
• screen font: Examples of information displayed on the screen.
• boldface screen font: Examples of information that the user must enter.
• < >: Command parameters that must be replaced by module-specific codes.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the document.

Caution Means reader be careful. In this situation, the user might do something that could result in equipment damage or loss of data.

Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device.
Statement 1071 SAVE THESE INSTRUCTIONS

Warning (Dutch) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuits and be familiar with standard practices for preventing accidents. Use the statement number at the end of the warning to consult the translation of the warning that is supplied with the device. SAVE THESE INSTRUCTIONS

Warning (Finnish) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. The situation could cause bodily injury. Before you handle the equipment, take note of the risks involved in handling electrical circuits and familiarize yourself with the standard practices for preventing accidents. Translations of the safety warnings can be found in the translated safety warnings supplied with the device, using the statement numbers shown at the end of each warning. SAVE THESE INSTRUCTIONS

Warning (French) IMPORTANT SAFETY INFORMATION This warning symbol indicates danger. You are in a situation that could cause injury or bodily harm. Before working on any equipment, be aware of the hazards involved with electrical circuits and familiarize yourself with the procedures commonly used to avoid accidents. To find the translations of the warnings in the translated safety instructions that accompany this device, refer to the statement number located at the end of each warning. SAVE THIS INFORMATION

Warning (German) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause injury. Before working with equipment, familiarize yourself with the hazards of electrical circuits and the usual procedures for preventing accidents. Use the statement number given at the end of each warning to find the corresponding translation in the translated safety instructions that were shipped with this device. KEEP THESE INSTRUCTIONS IN A SAFE PLACE.

Warning (Italian) IMPORTANT SAFETY INSTRUCTIONS This warning symbol indicates danger. The situation could cause injury to persons. Before working on any equipment, be aware of the hazards related to electrical circuits and know the standard procedures for preventing accidents. Use the statement number at the end of each warning to locate the translations of the warnings given in this document. SAVE THESE INSTRUCTIONS

Warning (Norwegian) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could lead to personal injury. Before you begin working with any of the equipment, you must be aware of the hazards associated with electrical circuits and know the standard procedures for preventing accidents. Use the number at the end of each warning to find the translation in the translated safety warnings that came with this unit. SAVE THESE INSTRUCTIONS

Warning (Portuguese) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before starting to use any equipment, be aware of the hazards involved in handling electrical circuits and familiarize yourself with the usual accident prevention practices. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompany this device. SAVE THESE INSTRUCTIONS

Warning (Spanish) IMPORTANT SAFETY INSTRUCTIONS This warning symbol indicates danger. There is a risk to your physical safety. Before handling any equipment, consider the risks of electrical current and familiarize yourself with the standard accident prevention procedures. At the end of each warning you will find the number that will help you locate the translated text in the translations section that accompanies this device. SAVE THESE INSTRUCTIONS

Warning (Swedish) IMPORTANT SAFETY INSTRUCTIONS This warning symbol signals danger. You are in a situation that could lead to personal injury. Before you perform work on any equipment, you must be aware of the hazards of electrical circuits and know the usual procedures for preventing accidents. Use the number found at the end of each warning to find its translation in the translated safety warnings that accompany this device. SAVE THESE INSTRUCTIONS

Warning (Portuguese) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation in which there is a risk of bodily injury. Before working with any equipment, be aware of the hazards involved with electrical circuits and familiarize yourself with standard accident prevention practices. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompany the device. SAVE THESE INSTRUCTIONS

Warning (Danish) IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation with a risk of bodily injury. Before you begin work on equipment, you must be aware of the risks involved with electrical circuits, and you must familiarize yourself with standard procedures for avoiding accidents. Use the statement number after each warning to find the translation in the translated warnings that came with this unit. SAVE THESE INSTRUCTIONS

Obtaining Optical Networking Information

This section contains information that is specific to optical networking products. For information that pertains to all of Cisco, refer to the Obtaining Documentation and Submitting a Service Request section.

Where to Find Safety and Warning Information

For safety and warning information, refer to the Cisco Optical Transport Products Safety and Compliance Information document that accompanied the product. This publication describes the international agency compliance and safety information for the Cisco ONS 15454 system. It also includes translations of the safety warnings that appear in the ONS 15454 system documentation.

Cisco Optical Networking Product Documentation CD-ROM

Optical networking-related documentation, including Cisco ONS 15xxx product documentation, is available in a CD-ROM package that ships with your product. The Optical Networking Product Documentation CD-ROM is updated periodically and may be more current than printed documentation.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application.
The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

Cisco ONS Documentation Roadmap for Release 9.2.1

To quickly access publications of Cisco ONS Release 9.2.1, see the Cisco ONS Documentation Roadmap for Release 9.2.1.

CHAPTER 1 Shelf and Backplane Hardware

Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

This chapter provides a description of Cisco ONS 15454 shelf and backplane hardware. Card descriptions are provided in Chapter 2, “Common Control Cards,” Chapter 3, “Electrical Cards,” Chapter 4, “Optical Cards,” Chapter 5, “Ethernet Cards,” and Chapter 6, “Storage Access Networking Cards.” To install equipment, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 1.1 Overview, page 1-2
• 1.2 Rack Installation, page 1-3
• 1.3 Front Door, page 1-6
• 1.4 Backplane Covers, page 1-11
• 1.5 Electrical Interface Assemblies, page 1-15
• 1.6 Coaxial Cable, page 1-38
• 1.7 DS-1 Cable, page 1-38
• 1.8 UBIC-V Cables, page 1-40
• 1.9 UBIC-H Cables, page 1-45
• 1.11 Cable Routing and Management, page 1-53
• 1.12 Alarm Expansion Panel, page 1-56
• 1.13 Filler Card, page 1-61
• 1.15 Fan-Tray Assembly, page 1-64
• 1.16 Power and Ground Description, page 1-68
• 1.17 Shelf Voltage and Temperature, page 1-69
• 1.18 Alarm, Timing, LAN, and Craft Pin Connections, page 1-70
• 1.19 Cards and Slots, page 1-74
• 1.20 Software and Hardware Compatibility, page 1-79

Caution Unused card slots should be filled with a detectable filler card (Cisco P/N 15454-FILLER) or a non-detectable filler card (Cisco P/N 15454-BLANK). The filler card ensures proper airflow when operating the ONS 15454 without the front door attached, although Cisco recommends that the front door remain attached.

Note The ONS 15454 is designed to comply with Telcordia GR-1089-CORE Type 2 and Type 4. Install and operate the ONS 15454 only in environments that do not expose wiring or cabling to the outside plant. Acceptable applications include Central Office Environments (COEs), Electronic Equipment Enclosures (EEEs), Controlled Environment Vaults (CEVs), huts, and Customer Premise Environments (CPEs).

Note The Cisco ONS 15454 assembly is intended for use with telecommunications equipment only.

Note You can search for cross-referenced Cisco part numbers and CLEI (Common Language Equipment Identification) codes at the following link: http://www.cisco.com/cgi-bin/front.x/clei/code_search.cgi.
1.1 Overview

When installed in an equipment rack, the ONS 15454 assembly is typically connected to a fuse and alarm panel to provide centralized alarm connection points and distributed power for the ONS 15454. Fuse and alarm panels are third-party equipment and are not described in this documentation. If you are unsure about the requirements or specifications for a fuse and alarm panel, consult the user documentation for the related equipment.

The front door of the ONS 15454 allows access to the shelf assembly, fan-tray assembly, and cable-management area. The backplanes provide access to alarm contacts, external interface contacts, power terminals, and BNC/SMB connectors.

You can mount the ONS 15454 in a 19- or 23-inch rack (482.6 or 584.2 mm). The shelf assembly weighs approximately 55 pounds (24.94 kg) with no cards installed. The shelf assembly includes a front door for added security, a fan tray module for cooling, and extensive cable-management space.

ONS 15454 optical cards have SC and LC connectors on the card faceplate. Fiber-optic cables are routed into the front of the destination cards. Electrical cards (DS-1, DS-3, DS3XM, and EC-1) require electrical interface assemblies (EIAs) to provide the cable connection points for the shelf assembly. In most cases, EIAs are ordered with the ONS 15454 and come preinstalled on the backplane. See the “1.5 Electrical Interface Assemblies” section on page 1-15 for more information about the EIAs.

The ONS 15454 is powered using –48 VDC power. Negative, return, and ground power terminals are accessible on the backplane.

Optical fibers without exposed metallic ferrule must be used with all the products and platforms covered by this document (see Figure 1-1 and Figure 1-2).
Electrostatic discharge is more easily coupled into the equipment through exposed metallic ferrules near the fiber connectors.

Figure 1-1 Optical Fiber With Exposed Ferrule [figure; label: Exposed ferrule]

Figure 1-2 Optical Fiber Without Exposed Ferrule [figure; label: No exposed ferrule]

Note In this chapter, the terms “ONS 15454” and “shelf assembly” are used interchangeably. In the installation context, these terms have the same meaning. Otherwise, shelf assembly refers to the physical steel enclosure that holds cards and connects power, and ONS 15454 refers to the entire system, both hardware and software.

Install the ONS 15454 in compliance with your local and national electrical codes:
• United States: National Fire Protection Association (NFPA) 70; United States National Electrical Code
• Canada: Canadian Electrical Code, Part I, CSA C22.1
• Other countries: If local and national electrical codes are not available, refer to IEC 364, Part 1 through Part 7

1.2 Rack Installation

The ONS 15454 is mounted in a 19- or 23-in. (482.6- or 584.2-mm) equipment rack. The shelf assembly projects five inches (127 mm) from the front of the rack. It mounts in both Electronic Industries Alliance (EIA) standard and Telcordia-standard racks. The shelf assembly is a total of 17 inches (431.8 mm) wide with no mounting ears attached. Ring runs are not provided by Cisco and might hinder side-by-side installation of shelves where space is limited.

The ONS 15454 measures 18.25 inches (463.5 mm) high, 19 or 23 inches (482.6 or 584.2 mm) wide (depending on which way the mounting ears are attached), 12.018 inches (305.2 mm) deep for the standard door and 13.810 inches (350.7 mm) for the deep door. You can install up to four ONS 15454 shelves in a seven-foot (2133.6 mm) equipment rack. The ONS 15454 must have one inch (25.4 mm) of airspace below the installed shelf assembly to allow air flow to the fan intake. If a second ONS 15454 is installed underneath the shelf assembly, the air ramp on top of the lower shelf assembly provides the air spacing needed and should not be modified in any way. Figure 1-3 shows the dimensions of the ONS 15454.

Note A 10-Gbps-compatible shelf assembly (15454-SA-ANSI or 15454-SA-HD) and fan-tray assembly (15454-FTA3, 15454-FTA3-T, or 15454-CC-FTA) are required if ONS 15454 XC10G and ONS 15454 XC-VXC-10G cards are installed in the shelf.

Figure 1-3 Cisco ONS 15454 ANSI Dimensions [figure; front and side views. Standard door: height 18.25 in. (46.35 cm); width 19 in. (48.26 cm) or 23 in. (58.42 cm) between mounting screw holes, 16.78 in. (42.62 cm); depth 12.018 in. (30.52 cm); also marked 5.015 in. (12.73 cm). Deep door: height 18.25 in. (46.35 cm); width 19 in. (48.26 cm) or 23 in. (58.42 cm) between mounting screw holes, 16.78 in. (42.62 cm); depth 13.810 in. (35.07 cm); also marked 4.807 in. (12.20 cm)]

1.2.1 Reversible Mounting Bracket

Caution Use only the fastening hardware provided with the ONS 15454 to prevent loosening, deterioration, and electromechanical corrosion of the hardware and joined material.

Caution When mounting the ONS 15454 in a frame with a nonconductive coating (such as paint, lacquer, or enamel) either use the thread-forming screws provided with the ONS 15454 shipping kit, or remove the coating from the threads to ensure electrical continuity.

The shelf assembly comes preset for installation in a 23-inch (584.2 mm) rack, but you can reverse the mounting bracket to fit the smaller 19-inch (482.6 mm) rack.
1.2.2 Mounting a Single Node

Mounting the ONS 15454 in a rack requires a minimum of 18.5 inches (469.9 mm) of vertical rack space and one additional inch (25.4 mm) for air flow. To ensure the mounting is secure, use two to four #12-24 mounting screws for each side of the shelf assembly. Figure 1-4 shows the rack mounting position for the ONS 15454.

Figure 1-4 Mounting an ONS 15454 in a Rack [figure; labels: Equipment rack; Universal ear mounts (reversible)]

Two people should install the shelf assembly; however, one person can install it using the temporary set screws included. The shelf assembly should be empty for easier lifting. The front door can also be removed to lighten the shelf assembly.

If you are installing the fan-tray air filter using the bottom (external) brackets provided, mount the brackets on the bottom of the shelf assembly before installing the ONS 15454 in a rack.

1.2.3 Mounting Multiple Nodes

Most standard (Telcordia GR-63-CORE, 19-inch [482.6 mm] or 23-inch [584.2 mm]) seven-foot (2,133 mm) racks can hold four ONS 15454 shelves and a fuse and alarm panel. However, unequal flange racks are limited to three ONS 15454 shelves and a fuse and alarm panel or four ONS 15454 shelves and a fuse and alarm panel from an adjacent rack.

If you are using the external (bottom) brackets to install the fan-tray air filter, you can install three shelf assemblies in a standard seven-foot (2.133 m) rack. If you are not using the external (bottom) brackets, you can install four shelf assemblies in a rack. The advantage to using the bottom brackets is that you can replace the filter without removing the fan tray.

1.2.4 ONS 15454 Bay Assembly

The Cisco ONS 15454 bay assembly simplifies ordering and installing the ONS 15454 because it allows you to order shelf assemblies preinstalled in a seven-foot (2.133 m) rack.
The bay assembly is available in a three- or four-shelf configuration. The three-shelf configuration includes three ONS 15454 shelf assemblies, a prewired fuse and alarm panel, and two cable-management trays. The four-shelf configuration includes four ONS 15454 shelf assemblies and a prewired fuse and alarm panel. You can order optional fiber channels with either configuration. Installation procedures are included in the Unpacking and Installing the Cisco ONS 15454 Four-Shelf and Zero-Shelf Bay Assembly document that ships with the Bay Assembly.

1.3 Front Door

The Critical, Major, and Minor alarm LEDs visible through the front door indicate whether a critical, major, or minor alarm is present anywhere on the ONS 15454. These LEDs must be visible so technicians can quickly determine if any alarms are present on the ONS 15454 shelf or the network. You can use the LCD to further isolate alarms.

The front door (Figure 1-5) provides access to the shelf assembly, cable-management tray, fan-tray assembly, and LCD screen.

Figure 1-5 The ONS 15454 Front Door
[Figure callouts: door lock; door button; viewholes for Critical, Major and Minor alarm LEDs.]

The ONS 15454 ships with a standard door but can also accommodate a deep door and extended fiber clips (15454-DOOR-KIT) to provide additional room for cabling (Figure 1-6).

Figure 1-6 Cisco ONS 15454 Deep Door

The ONS 15454 door locks with a pinned hex key that ships with the ONS 15454. A button on the right side of the shelf assembly releases the door. You can remove the front door of the ONS 15454 to provide unrestricted access to the front of the shelf assembly.
Before you remove the front door, you have to remove the ground strap of the front door (Figure 1-7).

Figure 1-7 ONS 15454 Front Door Ground Strap

Figure 1-8 shows how to remove the front door.

Figure 1-8 Removing the ONS 15454 Front Door
[Figure callouts: door hinge; assembly hinge pin; assembly hinge; translucent circles for LED viewing; FAN FAIL, CRIT, MAJ, MIN LEDs.]

An erasable label is pasted on the inside of the front door (Figure 1-9). You can use the label to record slot assignments, port assignments, card types, node ID, rack ID, and serial number for the ONS 15454.

Figure 1-9 Front-Door Erasable Label

Note: The front door label also includes the Class I and Class 1M laser warning (Figure 1-10).

Figure 1-10 Laser Warning on the Front-Door Label

1.4 Backplane Covers

If a backplane does not have an EIA panel installed, it should have two sheet metal backplane covers (one on each side of the backplane) as shown in Figure 1-11 on page 1-12. Each cover is held in place with nine 6-32 x 3/8 inch Phillips screws.

Note: See the “1.5 Electrical Interface Assemblies” section on page 1-15 for information on EIAs.

Figure 1-11 Backplane Covers

1.4.1 Lower Backplane Cover

The lower section of the ONS 15454 backplane is covered by either a clear plastic protector (15454-SA-ANSI) or a sheet metal cover (15454-SA-HD), which is held in place by five 6-32 x 1/2 inch screws.
Remove the lower backplane cover to access the alarm interface panel (AIP), alarm pin fields, frame ground, and power terminals (Figure 1-12).

Figure 1-12 Removing the Lower Backplane Cover
[Figure callouts: sides B and A; lower backplane cover; backplane sheet metal covers; retaining screws.]

1.4.2 Rear Cover

The ONS 15454 has an optional clear plastic rear cover. This clear plastic cover provides additional protection for the cables and connectors on the backplane. Figure 1-13 shows the rear cover screw locations.

Figure 1-13 Backplane Attachment for Cover
[Figure callout: screw locations for attaching the rear cover.]

You can also install the optional spacers if more space is needed between the cables and rear cover (Figure 1-14).

Figure 1-14 Installing the Plastic Rear Cover with Spacers

1.4.3 Alarm Interface Panel

The AIP is located above the alarm contacts on the lower section of the backplane. The AIP provides surge protection for the ONS 15454. It also provides an interface from the backplane to the fan-tray assembly and LCD. The AIP plugs into the backplane using a 96-pin DIN connector and is held in place with two retaining screws. The panel has a nonvolatile memory chip that stores the unique node address (MAC address).

Note: The MAC address identifies the nodes that support circuits. It allows Cisco Transport Controller (CTC) to determine circuit sources, destinations, and spans. The TCC2/TCC2P cards in the ONS 15454 also use the MAC address to store the node database.

Note: Read all references to “TCC2/TCC2P cards” in this document as “TCC2/TCC2P/TCC3 cards”.
The 5-A AIP (73-7665-XX) is required when installing fan-tray assembly 15454-FTA3 or 15454-CC-FTA, which comes preinstalled on the shelf assembly (15454-SA-ANSI or 15454-SA-HD).

Note: A blown fuse on the AIP board can cause the LCD display to go blank.

[Figure: lower backplane power terminals BAT 1, RET 1, BAT 2, RET 2. Label text: -42 to -57 Vdc, 650 Watts maximum; suitable for mounting on a non-combustible surface; please refer to installation instructions; caution: remove power from both the BAT 1 and BAT 2 terminal blocks prior to servicing.]

1.4.4 Alarm Interface Panel Replacement

If the alarm interface panel (AIP) fails, a MAC Fail alarm appears on the CTC Alarms menu and/or the LCD display on the fan-tray assembly goes blank. To perform an in-service replacement of the AIP, you must contact Cisco Technical Assistance Center (TAC). For contact information, go to the TAC website at http://www.cisco.com/tac.

You can replace the AIP on an in-service system without affecting traffic (except Ethernet traffic on nodes running a software release earlier than Release 4.0). The circuit repair feature allows you to repair circuits affected by MAC address changes on one node at a time. Circuit repair works when all nodes are running the same software version. Each individual AIP upgrade requires an individual circuit repair; if AIPs are replaced on two nodes, the circuit repair must be performed twice.

Caution: Do not use a 2-A AIP with a 5-A fan-tray assembly; doing so causes a blown fuse on the AIP.

Note: Ensure that all nodes in the affected network are running the same software version before replacing the AIP and repairing circuits. If you need to upgrade nodes to the same software version, do not change any hardware or repair circuits until after the software upgrade is complete. Replace an AIP during a maintenance window.
Resetting the active TCC2/TCC2P card can cause a service disruption of less than 50 ms to optical or electrical traffic. Resetting the active TCC2/TCC2P card causes a service disruption of three to five minutes on all E-Series Ethernet traffic due to spanning tree reconvergence. Refer to the Cisco ONS 15454 Troubleshooting Guide for an AIP replacement procedure.

1.5 Electrical Interface Assemblies

Optional EIA backplane covers are typically preinstalled when ordered with the ONS 15454. EIAs must be ordered when using DS-1, DS-3, DS3XM, or EC-1 cards. This section describes each EIA.

Six different EIA backplane covers are available for the ONS 15454: BNC, High-Density BNC, MiniBNC, SMB, AMP Champ, UBIC-H (Universal Backplane Interface Connector-Horizontal), and UBIC-V (Vertical). If the shelf was not shipped with the correct EIA interface, you must order and install the correct EIA.

EIAs are attached to the shelf assembly backplane to provide electrical interface cable connections. EIAs are available with SMB and BNC connectors for DS-3 or EC-1 cards. EIAs are available with AMP Champ connectors for DS-1 cards. You must use SMB EIAs for DS-1 twisted-pair cable installation. UBIC-V EIAs have SCSI connectors. They are available for use with any DS-1, DS-3, or EC-1 card, but are intended for use with high-density electrical cards.

Note: The MiniBNC EIAs only support cables using the Trompeter connectors for termination.

You can install EIAs on one or both sides of the ONS 15454 backplane in any combination (in other words, AMP Champ on Side A and BNC on Side B, or High-Density BNC on Side A and SMB on Side B, and so forth). As you face the rear of the ONS 15454 shelf assembly, the right side is the A side and the left side is the B side. The top of each EIA connector column is labeled with the corresponding slot number, and EIA connector pairs are marked transmit (Tx) and receive (Rx) to correspond to transmit and receive cables.
Note: For information about EIA types, protection schemes, and card slots, see Chapter 7, “Card Protection.”

1.5.1 EIA Installation

Optional EIA backplane covers are typically preinstalled when ordered with the ONS 15454. A minimal amount of assembly might be required when EIAs are ordered separately from the ONS 15454. If you are installing EIAs after the shelf assembly is installed, plug the EIA into the backplane. The EIA has six electrical connectors that plug into six corresponding backplane connectors. The EIA backplane must replace the standard sheet metal cover to provide access to the coaxial cable connectors. The EIA sheet metal covers use the same screw holes as the solid backplane panels, but they have 12 additional 6-32 x 1/2 inch Phillips screw holes so you can screw down the cover and the board using standoffs on the EIA board.

When using the RG-179 coaxial cable on an EIA, the maximum distance available (122 feet [37 meters]) is less than the maximum distance available with standard RG-59 (734A) cable (306 feet [93 meters]). The maximum distance when using the RG-59 (734A) cable is 450 feet (137 meters). The shorter maximum distance available with the RG-179 is due to a higher attenuation rate for the thinner cable. Attenuation rates are calculated using a DS-3 signal:
• For RG-179, the attenuation rate is 59 dB/kft at 22 MHz.
• For RG-59 (734A), the attenuation rate is 11.6 dB/kft at 22 MHz.

1.5.2 EIA Configurations

Table 1-1 shows the EIA types supported only by ONS 15454 shelf assembly 15454-SA-ANSI.
Table 1-1 EIA Types Compatible with the 15454-SA-ANSI Only

EIA Type | Cards Supported | A-Side Hosts | A-Side Columns Map to | A-Side Product Number | B-Side Hosts | B-Side Columns Map to | B-Side Product Number
BNC | DS-3, DS3XM-6, EC-1 | 24 pairs of BNC connectors | Slots 2, 4 | 15454-EIA-BNC-A24= | 24 pairs of BNC connectors | Slots 14, 16 | 15454-EIA-BNC-B24=
High-Density BNC | DS-3, DS3XM-6, EC-1 | 48 pairs of BNC connectors | Slots 1, 2, 4, 5 | 15454-EIA-BNC-A48= | 48 pairs of BNC connectors | Slots 13, 14, 16, 17 | 15454-EIA-BNC-B48=
SMB | DS-1, DS-3, EC-1, DS3XM-6 | 84 pairs of SMB connectors | Slots 1, 2, 3, 4, 5, 6 | 15454-EIA-SMB-A84= | 84 pairs of SMB connectors | Slots 12, 13, 14, 15, 16, 17 | 15454-EIA-SMB-B84=
AMP Champ | DS-1 | 6 AMP Champ connectors | Slots 1, 2, 3, 4, 5, 6 | 15454-EIA-AMP-A84= | 6 AMP Champ connectors | Slots 12, 13, 14, 15, 16, 17 | 15454-EIA-AMP-B84=

Table 1-2 shows the EIA types supported by both the 15454-SA-ANSI and the 15454-SA-HD (high density) shelf assemblies.

Table 1-2 EIA Configurations Compatible with the 15454-SA-ANSI and the 15454-SA-HD

EIA Type | Cards Supported | A-Side Hosts | A-Side Columns Map to | A-Side Product Number | B-Side Hosts | B-Side Columns Map to | B-Side Product Number
BNC | DS-3, DS3XM-6, DS3XM-12, EC-1 | 24 pairs of BNC connectors | Slots 2, 4 | 15454-EIA-1BNCA24= | 24 pairs of BNC connectors | Slots 14, 16 | 15454-EIA-1BNCB24=
High-Density BNC | DS-3, DS3XM-6, DS3XM-12, EC-1 | 48 pairs of BNC connectors | Slots 1, 2, 4, 5 | 15454-EIA-1BNCA48= | 48 pairs of BNC connectors | Slots 13, 14, 16, 17 | 15454-EIA-1BNCB48=
MiniBNC | DS-3, DS-3/EC1-48, DS3XM-6, DS3XM-12, EC-1 | 96 pairs of MiniBNC connectors | Slots 1, 2, 4, 5, 6 | 15454-EIA-HDBNC-A96= | 96 pairs of MiniBNC connectors | Slots 12, 13, 14, 16, 17 | 15454-EIA-HDBNC-B96=
SMB | DS-1, DS-3, EC-1, DS3XM-6, DS3XM-12 | 84 pairs of SMB connectors | Slots 1, 2, 3, 4, 5, 6 | 15454-EIA-1SMBA84= | 84 pairs of SMB connectors | Slots 12, 13, 14, 15, 16, 17 | 15454-EIA-1SMBB84=
AMP Champ | DS-1 | 6 AMP Champ connectors | Slots 1, 2, 3, 4, 5, 6 | 15454-EIA-1AMPA84= | 6 AMP Champ connectors | Slots 12, 13, 14, 15, 16, 17 | 15454-EIA-1AMPB84=
UBIC-V | DS-1, DS-3, EC-1, DS3XM-6, DS3XM-12, DS3/EC1-48, DS1/E1-56 | 8 pairs of SCSI connectors | Slots 1, 2, 3, 4, 5, 6 | 15454-EIA-UBICV-A | 8 pairs of SCSI connectors | Slots 12, 13, 14, 15, 16, 17 | 15454-EIA-UBICV-B
UBIC-H | DS-1, DS-3, EC-1, DS3XM-6, DS3XM-12, DS3/EC1-48, DS1/E1-56 | 8 pairs of SCSI connectors | Slots 1, 2, 3, 4, 5, 6 | 15454-EIA-UBICH-A | 8 pairs of SCSI connectors | Slots 12, 13, 14, 15, 16, 17 | 15454-EIA-UBICH-B

1.5.3 BNC EIA

The ONS 15454 BNC EIA supports 24 DS-3 circuits on each side of the ONS 15454 (24 transmit and 24 receive connectors). If you install BNC EIAs on both sides of the shelf assembly, the ONS 15454 hosts up to 48 circuits. The BNC connectors on the EIA support Trompeter UCBJ224 (75-ohm) 4-leg connectors (King or ITT are also compatible). Right-angle mating connectors for the connecting cable are AMP 413588-2 (75-ohm) connectors. If preferred, you can also use a straight connector of the same type. Use RG-59/U cable to connect to the ONS 15454 BNC EIA. These cables are recommended to connect to a patch panel and are designed for long runs. You can use BNC EIAs for DS-3 (including the DS3XM-6 and DS3XM-12) or EC-1 cards. Figure 1-15 shows the ONS 15454 with preinstalled BNC EIAs. To install coaxial cable with BNC connectors, refer to the “Install Shelf and Backplane Cable” chapter in the Cisco ONS 15454 Procedure Guide.

Figure 1-15 BNC Backplane for Use in 1:1 Protection Schemes

1.5.3.1 BNC Connectors

The EIA side marked “A” has 24 pairs of BNC connectors. The first 12 pairs of BNC connectors correspond to Ports 1 to 12 for a 12-port card and map to Slot 2 on the shelf assembly. The BNC connector pairs are marked “Tx” and “Rx” to indicate transmit and receive cables for each port. You can install an additional card in Slot 1 as a protect card for the card in Slot 2. The second 12 BNC connector pairs correspond to Ports 1 to 12 for a 12-port card and map to Slot 4 on the shelf assembly. You can install an additional card in Slot 3 as a protect card for the card in Slot 4. Slots 5 and 6 do not support DS-3 cards when the standard BNC EIA panel connectors are used.

The EIA side marked “B” provides an additional 24 pairs of BNC connectors. The first 12 BNC connector pairs correspond to Ports 1 to 12 for a 12-port card and map to Slot 14 on the shelf assembly. The BNC connector pairs are marked “Tx” and “Rx” to indicate transmit and receive cables for each port. You can install an additional card in Slot 15 as a protect card for the card in Slot 14. The second 12 BNC connector pairs correspond to Ports 1 to 12 for a 12-port card and map to Slot 16 on the shelf assembly. You can install an additional card in Slot 17 as a protect card for the card in Slot 16. Slots 12 and 13 do not support DS-3 cards when the standard BNC EIA panel connectors are used.
When BNC connectors are used with a DS3N-12 card in Slot 3 or 15, the 1:N card protection extends only to the two slots adjacent to the 1:N card due to BNC wiring constraints.

[Figure 1-15 callouts: sides B and A; BNC backplane connectors; tie wrap posts; connector columns labeled Slots 2 and 4 (A side) and Slots 14 and 16 (B side), each with connector pairs numbered 1 to 12 and marked TX and RX.]

1.5.3.2 BNC Insertion and Removal Tool

Due to the large number of BNC connectors on the high-density BNC EIA, you might require a special tool for inserting and removing BNC EIAs (Figure 1-16). This tool also helps with ONS 15454 patch panel connections.

Figure 1-16 BNC Insertion and Removal Tool

This tool can be obtained with P/N 227-T1000 from:
Amphenol USA (www.amphenol.com)
One Kennedy Drive
Danbury, CT 06810
Phone: 203 743-9272
Fax: 203 796-2032

This tool can be obtained with P/N RT-4L from:
Trompeter Electronics Inc. (www.trompeter.com)
31186 La Baya Drive
Westlake Village, CA 91362-4047
Phone: 800 982-2629
Fax: 818 706-1040

1.5.4 High-Density BNC EIA

The ONS 15454 high-density BNC EIA supports 48 DS-3 circuits on each side of the ONS 15454 (48 transmit and 48 receive connectors). If you install BNC EIAs on both sides of the unit, the ONS 15454 hosts up to 96 circuits. The high-density BNC EIA supports Trompeter UCBJ224 (75-ohm) 4-leg connectors (King or ITT are also compatible). Use straight connectors on RG-59/U cable to connect to the high-density BNC EIA. Cisco recommends these cables for connection to a patch panel; they are designed for long runs. You can use high-density BNC EIAs for DS-3 (including the DS3XM-6 and DS3XM-12) or EC-1 cards. Figure 1-17 shows the ONS 15454 with preinstalled high-density BNC EIAs.
To install coaxial cable with high-density BNC connectors, refer to the “Install Shelf and Backplane Cable” chapter in the Cisco ONS 15454 Procedure Guide.

Figure 1-17 High-Density BNC Backplane for Use in 1:N Protection Schemes

The EIA side marked “A” hosts 48 pairs of BNC connectors. Each column of connector pairs is numbered and corresponds to the slot of the same number. The first column (12 pairs) of BNC connectors corresponds to Slot 1 on the shelf assembly, the second column to Slot 2, the third column to Slot 4, and the fourth column to Slot 5. The rows of connectors correspond to Ports 1 to 12 of a 12-port card.

The EIA side marked “B” provides an additional 48 pairs of BNC connectors. The first column (12 pairs) of BNC connectors corresponds to Slot 13 on the shelf assembly, the second column to Slot 14, the third column to Slot 16, and the fourth column to Slot 17. The rows of connectors correspond to Ports 1 to 12 of a 12-port card. The BNC connector pairs are marked “Tx” and “Rx” to indicate transmit and receive cables for each port.

The High-Density BNC EIA supports both 1:1 and 1:N protection across all slots except Slots 6 and 12.

1.5.5 MiniBNC EIA

The ONS 15454 MiniBNC EIA supports a maximum of 192 transmit and receive DS-3 connections, 96 per side (A and B), through 192 MiniBNC connectors on each side. If you install BNC EIAs on both sides of the unit, the ONS 15454 hosts up to 192 circuits. The MiniBNC EIAs are designed to support DS-3 and EC-1 signals.
[Figure 1-17 callouts: sides B and A; BNC backplane connectors; connector rows numbered 1 to 12 and marked TX and RX; B-side columns labeled Slots 13, 14, 16 and 17.]

The MiniBNC EIA supports the following cards:
• DS3-12, DS3N-12
• DS3i-N-12
• DS3-12E, DS3N-12E
• EC1-12
• DS3XM-6
• DS3XM-12
• DS3/EC1-48

MiniBNCs support available high-density cards in unprotected and 1:N (where N < 2) protection groups. Table 1-3 shows protection groups and their applicable slot assignments.

1.5.5.1 MiniBNC Connectors

You can install MiniBNCs on one or both sides of the ONS 15454. As you face the rear of the ONS 15454 shelf assembly, the right side is the A side (15454-EIA-HDBNC-A96) and the left side is the B side (15454-EIA-HDBNC-B96). The diagrams adjacent to each row of connectors indicate the slots and ports that correspond with each connector in that row, depending on whether you are using a high density (HD) or low density (LD) configuration. The MiniBNC connector pairs are marked Tx and Rx to indicate transmit and receive cables for each port. Figure 1-18 shows the ONS 15454 with preinstalled MiniBNC EIAs. To install coaxial cable with MiniBNC connectors, refer to the “Install the Shelf and Backplane Cable” chapter in the Cisco ONS 15454 Procedure Guide.
Table 1-3 MiniBNC Protection Types and Slots

Protection Type | Working Slots | Protection Slots
Unprotected | 1–6, 12–17 | —
1:1 | 2, 4, 6, 12, 14, 16 | 1, 3, 5, 13, 15, 17
1:N (HD, where N < 5) | 1, 2, 16, 17 | 3, 15
1:N (LD, where N < 2) | 1, 2, 4, 5, 6, 12, 13, 14, 16, 17 | 3, 15

Figure 1-18 MiniBNC Backplane for Use in 1:N Protection Schemes

Table 1-4 and Table 1-5 show the J-labeling and corresponding card ports for a shelf assembly configured with low-density electrical cards.

Table 1-4 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (A Side)

TX connectors J4, J3, J2, J1, J5, J6, J7, J8 carry connector labels T1–T12, T13–T24, T25–T36, T37–T48, T1–T12, T13–T24, T25–T36, T37–T48 respectively; RX connectors J12, J11, J10, J9, J13, J14, J15, J16 carry R1–R12, R13–R24, R25–R36, R37–R48, R1–R12, R13–R24, R25–R36, R37–R48 respectively.

Slot | Port Type | J4/J12 Ports | J3/J11 Ports | J2/J10 Ports | J1/J9 Ports | J5/J13 Ports | J6/J14 Ports | J7/J15 Ports | J8/J16 Ports
1 | LD DS-3 | 1–12 | — | — | — | — | — | — | —
2 | LD DS-3 | — | — | — | — | 1–12 | — | — | —
3 | LD DS-3 | — | — | — | — | — | — | 1–12 | —
4 | LD DS-3 | — | — | — | — | — | 1–12 | — | —
5 | LD DS-3 | — | 1–12 | — | — | — | — | — | —
6 | LD DS-3 | — | — | 1–12 | — | — | — | — | —

Table 1-5 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (B Side)

TX connectors J20, J19, J18, J17, J21, J22, J23, J24 carry connector labels T1–T12, T13–T24, T25–T36, T37–T48, T1–T12, T13–T24, T25–T36, T37–T48 respectively; RX connectors J28, J27, J26, J25, J29, J30, J31, J32 carry R1–R12, R13–R24, R25–R36, R37–R48, R1–R12, R13–R24, R25–R36, R37–R48 respectively.

Slot | Port Type | J20/J28 Ports | J19/J27 Ports | J18/J26 Ports | J17/J25 Ports | J21/J29 Ports | J22/J30 Ports | J23/J31 Ports | J24/J32 Ports
17 | LD DS-3 | 1–12 | — | — | — | — | — | — | —
16 | LD DS-3 | — | — | — | — | 1–12 | — | — | —
15 | LD DS-3 | — | — | — | — | — | — | 1–12 | —
14 | LD DS-3 | — | — | — | — | — | 1–12 | — | —
13 | LD DS-3 | — | 1–12 | — | — | — | — | — | —
12 | LD DS-3 | — | — | 1–12 | — | — | — | — | —

Table 1-6 and Table 1-7 show the J-labeling and corresponding card ports for a shelf assembly configured with high-density 48-port DS-3/EC-1 electrical cards.

Table 1-6 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (A Side)

TX connectors J4, J3, J2, J1, J5, J6, J7, J8 carry connector labels T1–T12, T13–T24, T25–T36, T37–T48, T1–T12, T13–T24, T25–T36, T37–T48 respectively; RX connectors J12, J11, J10, J9, J13, J14, J15, J16 carry R1–R12, R13–R24, R25–R36, R37–R48, R1–R12, R13–R24, R25–R36, R37–R48 respectively.

Slot | Port Type | J4/J12 Ports | J3/J11 Ports | J2/J10 Ports | J1/J9 Ports | J5/J13 Ports | J6/J14 Ports | J7/J15 Ports | J8/J16 Ports
1 | HD DS-3 | 1–12 | 13–24 | 25–36 | 37–48 | — | — | — | —
2 | HD DS-3 | — | — | — | — | 1–12 | 13–24 | 25–36 | 37–48

Table 1-7 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (B Side)

TX connectors J20, J19, J18, J17, J21, J22, J23, J24 carry connector labels T1–T12, T13–T24, T25–T36, T37–T48, T1–T12, T13–T24, T25–T36, T37–T48 respectively; RX connectors J28, J27, J26, J25, J29, J30, J31, J32 carry R1–R12, R13–R24, R25–R36, R37–R48, R1–R12, R13–R24, R25–R36, R37–R48 respectively.

Slot | Port Type | J20/J28 Ports | J19/J27 Ports | J18/J26 Ports | J17/J25 Ports | J21/J29 Ports | J22/J30 Ports | J23/J31 Ports | J24/J32 Ports
17 | HD DS-3 | 1–12 | 13–24 | 25–36 | 37–48 | — | — | — | —
16 | HD DS-3 | — | — | — | — | 1–12 | 13–24 | 25–36 | 37–48

1.5.5.2 MiniBNC Insertion and Removal Tool

Due to the large number of MiniBNC connectors on the MiniBNC EIA, you might require a special tool for inserting and removing MiniBNC EIAs (Figure 1-19). This tool also helps with ONS 15454 patch panel connections.

Figure 1-19 MiniBNC Insertion and Removal Tool

This tool can be obtained with P/N 227-T1000 from:
Amphenol USA (www.amphenol.com)
One Kennedy Drive
Danbury, CT 06810
Phone: 203 743-9272
Fax: 203 796-2032

This tool can be obtained with P/N RT-1L from:
Trompeter Electronics Inc. (www.trompeter.com)
31186 La Baya Drive
Westlake Village, CA 91362-4047
Phone: 800 982-2629
Fax: 818 706-1040

1.5.6 SMB EIA

The ONS 15454 SMB EIA supports AMP 415484-1 75-ohm 4-leg connectors. Right-angle mating connectors for the connecting cable are AMP 415484-2 (75-ohm) connectors. Use RG-179/U cable to connect to the ONS 15454 EIA. Cisco recommends these cables for connection to a patch panel; they are not designed for long runs. Range does not affect loopback testing. You can use SMB EIAs with DS-1, DS-3 (including the DS3XM-6 and DS3XM-12), and EC-1 cards. If you use DS-1 cards, use the DS-1 electrical interface adapter (balun) to terminate the twisted pair DS-1 cable to the SMB EIA (see the “1.7.2 Electrical Interface Adapters” section on page 1-39). SMB EIAs support 14 ports per slot when used with a DS-1 card, 12 ports per slot when used with a DS-3 or EC-1 card, and 6 ports per slot when used with a DS3XM-6 card. Figure 1-20 shows the ONS 15454 with preinstalled SMB EIAs and the sheet metal cover and screw locations for the EIA. The SMB connectors on the EIA are AMP 415504-3 (75-ohm) 4-leg connectors. To install SMB connectors, refer to the “Install Shelf and Backplane Cable” chapter in the Cisco ONS 15454 Procedure Guide.

Figure 1-20 SMB EIA Backplane

The SMB EIA has 84 transmit and 84 receive connectors on each side of the ONS 15454 for a total of 168 SMB connectors (84 circuits).
The EIA side marked “A” hosts 84 SMB connectors in six columns of 14 connectors. The “A” side columns are numbered 1 to 6 and correspond to Slots 1 to 6 on the shelf assembly. The EIA side marked “B” hosts an additional 84 SMB connectors in six columns of 14 connectors. The “B” side columns are numbered 12 to 17 and correspond to Slots 12 to 17 on the shelf assembly. The connector rows are numbered 1 to 14 and correspond to the 14 ports on a DS-1 card. For DS-3 or EC-1 cards, the EIA supports 72 transmit and 72 receive connectors, for a total of 144 SMB connectors (72 circuits). If you use a DS-3 or EC-1 card, only Ports 1 to 12 are active. If you use a DS3XM-6 card, only Ports 1 to 6 are active. The SMB connector pairs are marked “Tx” and “Rx” to identify transmit and receive cables for each port. If you use SMB connectors, you can install DS-1, DS-3, or EC-1 cards in Slots 1 to 4 or 14 to 17.

1.5.7 AMP Champ EIA

The ONS 15454 AMP Champ EIA supports 64-pin (32 pair) AMP Champ connectors for each slot on both sides of the shelf assembly where the EIA is installed. Cisco AMP Champ connectors are female AMP # 552246-1 with AMP # 552562-2 bail locks. Each AMP Champ connector supports 14 DS-1 ports. You can use AMP Champ EIAs with DS-1 cards only. Figure 1-21 shows the ONS 15454 with preinstalled AMP Champ EIAs and the corresponding sheet metal cover and screw locations for the EIA.

To install AMP Champ connector DS-1 cables, you must use 64-pin bundled cable connectors with a 64-pin male AMP Champ connector. You need an AMP Champ connector #552276-1 for the receptacle side and #1-552496-1 (for cable diameter 0.475 in. to 0.540 in.) or #2-552496-1 (for cable diameter 0.540 in. to 0.605 in.) for the right-angle shell housing (or their functional equivalent). The corresponding 64-pin female AMP Champ connector on the AMP Champ EIA supports one receive and one transmit for each DS-1 port for the corresponding card slot.
(Figure 1-20 callouts: SMB backplane connectors; tie wrap posts; side A columns 1 to 6 and side B columns 12 to 17, each with Tx/Rx rows 1 to 14; rows 1 to 12 carry DS-3s, the remaining rows are reserved for DS-1s.)

Because each DS1-14 card supports 14 DS-1 ports, only 56 pins (28 pairs) of the 64-pin connector are used. Prepare one 56-wire cable for each DS-1 facility installed.

Figure 1-21 AMP Champ EIA Backplane

(Figure 1-21 callout: AMP Champ connector.)

Table 1-8 shows the pin assignments for the AMP Champ connectors on the ONS 15454 AMP Champ EIA. The EIA side marked “A” hosts six AMP Champ connectors. The connectors are numbered 1 to 6 for the corresponding slots on the shelf assembly. Each AMP Champ connector on the backplane supports 14 DS-1 ports for a DS1-14 card, and each connector features 28 live pairs (one transmit pair and one receive pair) for each DS-1 port.

The EIA side marked “B” hosts six AMP Champ connectors. The connectors are labeled 12 to 17 for the corresponding slots on the shelf assembly. Each AMP Champ connector on the backplane supports 14 DS-1 ports for a DS1-14 card, and each connector features 28 live pairs (one transmit pair and one receive pair) for each DS-1 port.

Note: EIAs are hot-swappable. You do not need to disconnect power to install or remove EIAs.

Caution: Always use an electrostatic discharge (ESD) wristband when working with a powered ONS 15454. For detailed instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.

Table 1-8 AMP Champ Connector Pin Assignments

Signal/Wire                Pin  Pin  Signal/Wire
Tx Tip 1    white/blue     1    33   Tx Ring 1    blue/white
Rx Tip 1    yellow/orange  17   49   Rx Ring 1    orange/yellow
Tx Tip 2    white/orange   2    34   Tx Ring 2    orange/white
Rx Tip 2    yellow/green   18   50   Rx Ring 2    green/yellow
Tx Tip 3    white/green    3    35   Tx Ring 3    green/white
Rx Tip 3    yellow/brown   19   51   Rx Ring 3    brown/yellow
Tx Tip 4    white/brown    4    36   Tx Ring 4    brown/white
Rx Tip 4    yellow/slate   20   52   Rx Ring 4    slate/yellow
Tx Tip 5    white/slate    5    37   Tx Ring 5    slate/white
Rx Tip 5    violet/blue    21   53   Rx Ring 5    blue/violet
Tx Tip 6    red/blue       6    38   Tx Ring 6    blue/red
Rx Tip 6    violet/orange  22   54   Rx Ring 6    orange/violet
Tx Tip 7    red/orange     7    39   Tx Ring 7    orange/red
Rx Tip 7    violet/green   23   55   Rx Ring 7    green/violet
Tx Tip 8    red/green      8    40   Tx Ring 8    green/red
Rx Tip 8    violet/brown   24   56   Rx Ring 8    brown/violet
Tx Tip 9    red/brown      9    41   Tx Ring 9    brown/red
Rx Tip 9    violet/slate   25   57   Rx Ring 9    slate/violet
Tx Tip 10   red/slate      10   42   Tx Ring 10   slate/red
Rx Tip 10   white/blue     26   58   Rx Ring 10   blue/white
Tx Tip 11   black/blue     11   43   Tx Ring 11   blue/black
Rx Tip 11   white/orange   27   59   Rx Ring 11   orange/white
Tx Tip 12   black/orange   12   44   Tx Ring 12   orange/black
Rx Tip 12   white/green    28   60   Rx Ring 12   green/white
Tx Tip 13   black/green    13   45   Tx Ring 13   green/black
Rx Tip 13   white/brown    29   61   Rx Ring 13   brown/white
Tx Tip 14   black/brown    14   46   Tx Ring 14   brown/black
Rx Tip 14   white/slate    30   62   Rx Ring 14   slate/white
Tx Spare0+  N/A            15   47   Tx Spare0–   N/A
Rx Spare0+  N/A            31   63   Rx Spare0–   N/A
Tx Spare1+  N/A            16   48   Tx Spare1–   N/A
Rx Spare1+  N/A            32   64   Rx Spare1–   N/A

Table 1-9 shows the pin assignments for the AMP Champ connectors on the ONS 15454 AMP Champ EIA for a shielded DS-1 cable.
When using DS-1 AMP Champ cables, you must equip the ONS 15454 with an AMP Champ connector EIA on each side of the backplane where DS-1 cables will terminate. Each AMP Champ connector on the EIA corresponds to a slot in the shelf assembly and is numbered accordingly. The AMP Champ connectors have screw-down tooling at each end of the connector.

When the DS1N-14 card is installed in an ONS 15454 shelf that has an AMP Champ EIA, the cable that connects the AMP Champ connector with the traffic source must be connected to ground on both sides to meet the EMC standard.

Table 1-9 AMP Champ Connector Pin Assignments (Shielded DS-1 Cable)

64-Pin Blue Bundle
Signal/Wire              Pin  Pin  Signal/Wire
Tx Tip 1    white/blue   1    33   Tx Ring 1    blue/white
Tx Tip 2    white/orange 2    34   Tx Ring 2    orange/white
Tx Tip 3    white/green  3    35   Tx Ring 3    green/white
Tx Tip 4    white/brown  4    36   Tx Ring 4    brown/white
Tx Tip 5    white/slate  5    37   Tx Ring 5    slate/white
Tx Tip 6    red/blue     6    38   Tx Ring 6    blue/red
Tx Tip 7    red/orange   7    39   Tx Ring 7    orange/red
Tx Tip 8    red/green    8    40   Tx Ring 8    green/red
Tx Tip 9    red/brown    9    41   Tx Ring 9    brown/red
Tx Tip 10   red/slate    10   42   Tx Ring 10   slate/red
Tx Tip 11   black/blue   11   43   Tx Ring 11   blue/black
Tx Tip 12   black/orange 12   44   Tx Ring 12   orange/black
Tx Tip 13   black/green  13   45   Tx Ring 13   green/black
Tx Tip 14   black/brown  14   46   Tx Ring 14   brown/black
Tx Tip 15   black/slate  15   47   Tx Tip 15    slate/black
Tx Tip 16   yellow/blue  16   48   Tx Tip 16    blue/yellow

64-Pin Orange Bundle
Signal/Wire              Pin  Pin  Signal/Wire
Rx Tip 1    white/blue   17   49   Rx Ring 1    blue/white
Rx Tip 2    white/orange 18   50   Rx Ring 2    orange/white
Rx Tip 3    white/green  19   51   Rx Ring 3    green/white
Rx Tip 4    white/brown  20   52   Rx Ring 4    brown/white
Rx Tip 5    white/slate  21   53   Rx Ring 5    slate/white
Rx Tip 6    red/blue     22   54   Rx Ring 6    blue/red
Rx Tip 7    red/orange   23   55   Rx Ring 7    orange/red
Rx Tip 8    red/green    24   56   Rx Ring 8    green/red
Rx Tip 9    red/brown    25   57   Rx Ring 9    brown/red
Rx Tip 10   red/slate    26   58   Rx Ring 10   slate/red
Rx Tip 11   black/blue   27   59   Rx Ring 11   blue/black
Rx Tip 12   black/orange 28   60   Rx Ring 12   orange/black
Rx Tip 13   black/green  29   61   Rx Ring 13   green/black
Rx Tip 14   black/brown  30   62   Rx Ring 14   brown/black
Rx Tip 15   black/slate  31   63   Rx Tip 15    slate/black
Rx Tip 16   yellow/blue  32   64   Rx Tip 16    blue/yellow

1.5.8 UBIC-V EIA

UBIC-V EIAs are attached to the shelf assembly backplane to provide up to 112 transmit and receive connections through 16 SCSI connectors per side (A and B). The UBIC-V EIAs are designed to support DS-1, DS-3, and EC-1 signals. The appropriate cable assembly is required depending on the type of signal.

You can install UBIC-Vs on one or both sides of the ONS 15454. As you face the rear of the ONS 15454 shelf assembly, the right side is the A side (15454-EIA-UBICV-A) and the left side is the B side (15454-EIA-UBICV-B). The diagrams adjacent to each row of SCSI connectors indicate the slots and ports that correspond with each SCSI connector in that row, depending on whether you are using a high-density (HD) or low-density (LD) configuration. UBIC-V EIAs support high-density electrical cards (DS3/EC1-48, DS1/E1-56) as well as low-density electrical cards. Figure 1-22 shows the A- and B-side slot assignments.
Figure 1-22 UBIC-V Slot Designations

(Figure 1-22 callouts: the A side carries SCSI connectors J1 to J16 and the B side carries J17 to J32, each in Tx and Rx rows. In the high-density (HD) rows, which serve Slots 1 and 2 on the A side and Slots 16 and 17 on the B side, the four connectors for a slot carry DS3 ports 1-12, 13-24, 25-36, and 37-48 or DS1 ports 1-14, 15-28, 29-42, and 43-56. In the low-density (LD) rows, one connector per slot carries DS3 ports 1-12 or DS1 ports 1-14 and the remaining connectors are marked UNUSED. The figure also marks the rear cover bracket locations and notes that the jackscrew should be installed first and removed last.)
The UBIC-V sheet metal covers use the same screw holes as the standard sheet metal covers, but they have 12 additional holes for pan-head screws and three holes for jack screws, so you can screw down the cover and the board using standoffs on the UBIC-V board.

When installed with the standard door and cabling on the backplane, the ONS 15454 shelf measures approximately 15.7 inches (399 mm) deep when partially populated with backplane cables, 16.1 inches (409 mm) deep when fully populated, and 16.75 inches (425 mm) deep with the rear cover installed. When installed with the deep door and cabling on the backplane, the ONS 15454 shelf measures approximately 17.5 inches (445 mm) deep when partially populated with backplane cables, 17.9 inches (455 mm) deep when fully populated, and 18.55 inches (471 mm) deep with the rear cover installed.

The UBIC-V EIA supports the following cards:
• DS1-14, DS1N-14
• DS3-12, DS3N-12
• DS3i-N-12
• DS3-12E, DS3N-12E
• EC1-12
• DS3XM-6
• DS3XM-12
• DS3/EC1-48
• DS1/E1-56

The A and B sides each host 16 high-density, 50-pin SCSI connectors. The A side maps to Slots 1 through 6 and the B side maps to Slots 12 through 17. In Software Releases 4.1.x and 4.6, UBIC-Vs support unprotected, 1:1, and 1:N (N < 5) protection groups. In Software R5.0 and later, UBIC-Vs also support available high-density cards in unprotected and 1:N (N < 2) protection groups. Table 1-10 shows the UBIC-V protection types and their applicable slot assignments.

Table 1-10 UBIC-V Protection Types and Slots

Protection Type  Working Slots                        Protection Slots
Unprotected      1–6, 12–17                           —
1:1              2, 4, 6, 12, 14, 16                  1, 3, 5, 13, 15, 17
1:2              1, 2, 16, 17                         3, 15
1:5              1, 2, 4, 5, 6, 12, 13, 14, 16, 17    3, 15

1.5.9 UBIC-H EIA

UBIC-H EIAs are attached to the shelf assembly backplane to provide up to 112 transmit and receive DS-1 connections through 16 SCSI connectors per side (A and B), or 96 transmit and receive DS-3 connections. The UBIC-H EIAs are designed to support DS-1, DS-3, and EC-1 signals. The appropriate cable assembly is required depending on the type of signal.

You can install UBIC-Hs on one or both sides of the ONS 15454. As you face the rear of the ONS 15454 shelf assembly, the right side is the A side (15454-EIA-UBICH-A) and the left side is the B side (15454-EIA-UBICH-B). The diagrams adjacent to each row of SCSI connectors indicate the slots and ports that correspond with each SCSI connector in that row, depending on whether you are using a high-density (HD) or low-density (LD) configuration.

Note: UBIC-H EIAs support the high-density (DS3/EC1-48, DS1/E1-56, and DS3XM-12) electrical cards as well as existing low-density electrical cards.

Figure 1-23 shows the A- and B-side connector labeling.

Figure 1-23 UBIC-H EIA Connector Labeling

Tables 1-11 and 1-12 show the J-labeling and corresponding card ports for a shelf assembly configured with low-density electrical cards. Tables 1-13 and 1-14 show the J-labeling and corresponding card ports for a shelf assembly configured with high-density 48-port DS-3/EC-1 or 56-port DS-1 electrical cards.
Table 1-11 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (A Side)

Slot  TX Connector  RX Connector  DS-1 Ports  DS-3 Ports
1     J4            J12           1–14        1–12
2     J5            J13           1–14        1–12
3     J7            J15           1–14        1–12
4     J6            J14           1–14        1–12
5     J3            J11           1–14        1–12
6     J2            J10           1–14        1–12

Connectors J1/J9 and J8/J16 carry no ports in a low-density configuration.

Table 1-12 J-Labeling Port Assignments for a Shelf Assembly Configured with Low-Density Electrical Cards (B Side)

Slot  TX Connector  RX Connector  DS-1 Ports  DS-3 Ports
17    J20           J28           1–14        1–12
16    J21           J29           1–14        1–12
15    J23           J31           1–14        1–12
14    J22           J30           1–14        1–12
13    J19           J27           1–14        1–12
12    J18           J26           1–14        1–12

Connectors J17/J25 and J24/J32 carry no ports in a low-density configuration.

Table 1-13 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (A Side)

Slot  TX Connector  RX Connector  DS-1 Ports  DS-3 Ports
1     J4            J12           1–14        1–12
1     J3            J11           15–28       13–24
1     J2            J10           29–42       25–36
1     J1            J9            43–56       37–48
2     J5            J13           1–14        1–12
2     J6            J14           15–28       13–24
2     J7            J15           29–42       25–36
2     J8            J16           43–56       37–48

Table 1-14 J-Labeling Port Assignments for a Shelf Configured with High-Density Electrical Cards (B Side)

Slot  TX Connector  RX Connector  DS-1 Ports  DS-3 Ports
17    J20           J28           1–14        1–12
17    J19           J27           15–28       13–24
17    J18           J26           29–42       25–36
17    J17           J25           43–56       37–48
16    J21           J29           1–14        1–12
16    J22           J30           15–28       13–24
16    J23           J31           29–42       25–36
16    J24           J32           43–56       37–48

If you are installing UBIC-H EIAs after the shelf assembly is installed, plug the UBIC-H EIA into the backplane. The UBIC-H backplane must replace the standard sheet metal cover to provide access to the cable connectors. The UBIC-H sheet metal covers use the same screw holes as the standard sheet metal covers, but they have 12 additional holes for pan-head screws and three holes for jack screws so you can screw down the cover and the board using standoffs on the UBIC-H board.

When installed with the standard door and cabling on the backplane, the ONS 15454 shelf measures approximately 14.5 inches deep when fully populated with backplane cables, and 15.0 inches deep with the rear cover installed. When installed with the deep door and cabling on the backplane, the ONS 15454 shelf measures approximately 16.5 inches deep when fully populated with backplane cables, and 17.0 inches deep with the rear cover installed.

The UBIC-H EIA supports the following cards:
• DS1-14, DS1N-14
• DS3-12, DS3N-12
• DS3-12E, DS3N-12E
• EC1-12
• DS3XM-6
• DS3XM-12
• DS3/EC1-48
• DS1/E1-56

The A and B sides each host 16 high-density, 50-pin SCSI connectors. The A side maps to Slots 1 through 6 and the B side maps to Slots 12 through 17. In Software Releases prior to Release 5.0, UBIC-Hs support unprotected, 1:1, and 1:N (where N < 5) protection groups. In Software R5.0 and greater, UBIC-Hs additionally support available high-density cards in unprotected and 1:N (where N < 2) protection groups. Table 1-15 shows the protection groups and their applicable slot assignments.

Table 1-15 UBIC-H Protection Types and Slots

Protection Type  Working Slots                        Protection Slots
Unprotected      1–6, 12–17                           —
1:1              2, 4, 6, 12, 14, 16                  1, 3, 5, 13, 15, 17
1:2              1, 2, 16, 17                         3, 15
1:5              1, 2, 4, 5, 6, 12, 13, 14, 16, 17    3, 15

1.5.10 EIA Replacement

Before you attach a new EIA, you must remove the backplane cover or EIA already installed on the ONS 15454. Refer to the spare document(s) for the EIA type(s) you are removing and replacing for specific information.

1.6 Coaxial Cable

Caution: Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.

When using ONS 15454 DS-3 electrical cables, the cables must terminate on an EIA installed on the ONS 15454 backplane. All DS-3 cables connected to the ONS 15454 DS-3 card must terminate with coaxial cables using the desired connector type to connect to the specified EIA. The electromagnetic compatibility (EMC) performance of the node depends on good-quality DS-3 coaxial cables, such as Shuner Type G 03233 D, or the equivalent.

1.7 DS-1 Cable

DS-1 cables support AMP Champ connectors and twisted-pair wire-wrap cabling. Twisted-pair wire-wrap cables require SMB EIAs.

1.7.1 Twisted Pair Wire-Wrap Cables

Installing twisted-pair, wire-wrap DS-1 cables requires separate pairs of grounded twisted-pair cables for receive (in) and transmit (out). Prepare four cables, two for receive and two for transmit, for each DS-1 facility to be installed.

Caution: Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.

If you use DS-1 electrical twisted-pair cables, equip the ONS 15454 with an SMB EIA on each side of the backplane where DS-1 cables will terminate.
You must install special DS-1 electrical interface adapters, commonly referred to as baluns, on every transmit and receive connector for each DS-1 termination.

1.7.2 Electrical Interface Adapters

Note: DS-1 electrical interface adapters project an additional 1.72 inches (43.7 mm) from the ONS 15454 backplane.

If you install DS-1 cards in the ONS 15454, you must fit the corresponding transmit and receive SMB connectors on the EIA with a DS-1 electrical interface adapter. You can install the adapter on the SMB connector for the port. The adapter has wire-wrap posts for DS-1 transmit and receive cables. Figure 1-24 shows the DS-1 electrical interface adapter.

Note: “EIA” refers to electrical interface assemblies, not electrical interface adapters. Electrical interface adapters are also known as baluns.

Figure 1-24 DS-1 Electrical Interface Adapter (Balun)

(Figure 1-24 callouts: SMB connector; DS-1 electrical interface adapter; wire-wrap posts, labeled Tip and Ring.)

Each DS-1 electrical interface adapter has a female SMB connector on one end and a pair of 0.045 inch (1.14 mm) square wire-wrap posts on the other end. The wire-wrap posts are 0.200 inches (5.08 mm) apart.

Caution: Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.

1.8 UBIC-V Cables

Note: Cisco Systems announced the end-of-sale and end-of-life dates for the Cisco ONS 15454 MSPP Universal BackPlane Interface Adapter, Vertical Orientation (UBIC-V), and its DS1 and DS3 cables. For further details, refer to Product Bulletin No. EOL5039 at http://www.cisco.com/en/US/prod/collateral/optical/ps5724/ps2006/prod_end-of-life_notice0900aecd8052a481.html.

The UBIC-V EIA is designed to support DS-1, DS-3, or EC-1 signals.
The type of signal supported is determined by the respective UBIC-V cable assembly.

DS-1 cables for the UBIC-V have a maximum supported distance of 655 feet (199.6 m). DS-1 cables arrive with unterminated #24 AWG twisted pairs on the far end and are color coded as identified in Table 1-17. The following DS-1 cables are no longer available from Cisco Systems for use with the UBIC-V EIA:
• DS-1 cable, 150 feet: 15454-CADS1-SD
• DS-1 cable, 250 feet: 15454-CADS1-ID
• DS-1 cable, 655 feet: 15454-CADS1-LD

DS-3/EC-1 cables for the UBIC-V have a maximum supported distance of 450 feet (137.2 m). DS-3/EC-1 cables arrive with unterminated coaxial cable at the far end, labeled with the respective port number. 75-ohm BNC connectors for each port (qty. 12) are supplied and must be crimped on. The following DS-3/EC-1 cables are no longer available from Cisco Systems for use with the UBIC-V EIA:
• DS-3/EC-1 cable, 75 feet: 15454-CADS3-SD
• DS-3/EC-1 cable, 225 feet: 15454-CADS3-ID
• DS-3/EC-1 cable, 450 feet: 15454-CADS3-LD

Figure 1-25 identifies the pin numbers for the DS-1 and DS-3/EC-1 cables as referenced from the SCSI connector.

Figure 1-25 Cable Connector Pins

(Figure 1-25 callouts: Pin 1, Pin 25, Pin 26, and Pin 50 on the SCSI connector.)

Table 1-16 identifies the UBIC-V SCSI connector pin assignments for the DS-1 cables as referenced from the EIA backplane to the SCSI connector.

Note: Conversion from the backplane’s single-ended (unbalanced) 75-ohm signal to a differential (balanced) 100-ohm signal happens through the embedded transformer within the SCSI connector. The cable's shield is connected to the connector shell. This conversion is illustrated in Figure 1-26.

Table 1-16 UBIC-V DS-1 SCSI Connector Pin Out

Port   SCSI Pin  SCSI Pin  Port
#1     1         26        #7
FGnd   2         27        FGnd
FGnd   3         28        FGnd
FGnd   4         29        FGnd
#2     5         30        #8
FGnd   6         31        FGnd
FGnd   7         32        FGnd
FGnd   8         33        FGnd
#3     9         34        #9
FGnd   10        35        FGnd
FGnd   11        36        FGnd
FGnd   12        37        FGnd
#4     13        38        #10
FGnd   14        39        FGnd
FGnd   15        40        FGnd
FGnd   16        41        FGnd
#5     17        42        #11
FGnd   18        43        FGnd
FGnd   19        44        FGnd
FGnd   20        45        FGnd
#6     21        46        #12
FGnd   22        47        FGnd
FGnd   23        48        FGnd
FGnd   24        49        FGnd
#13    25        50        #14

Figure 1-26 UBIC-V DS-1 Cable Schematic Diagram

(Figure 1-26 callouts: on the SCSI connector side of the UBIC-V DS-1 cable, each 75Ω single-ended DS1 port signal to/from the UBIC-V EIA (Port #1 on Pin 1, Port #2 on Pin 5, Port #13 on Pin 25, Port #14 on Pin 50; Pins 2, 3, and 4 are FGnd) passes through a 1:1.15 transformer to a 100Ω differential DS-1 Tip/Ring pair to/from the customer DSX; the cable shield is tied to the connector shell.)

Table 1-17 shows the UBIC-V DS-1 Tip/Ring color coding. Table 1-18 identifies the UBIC-V SCSI connector pin assignments for the DS-3/EC-1 cables as referenced from the EIA backplane to the SCSI connector.
Table 1-17 UBIC-V DS-1 Tip/Ring Color Coding

Wire Color    Signal         Signal          Wire Color
White/blue    Tip DS-1 #1    Ring DS-1 #1    Blue/white
White/orange  Tip DS-1 #2    Ring DS-1 #2    Orange/white
White/green   Tip DS-1 #3    Ring DS-1 #3    Green/white
White/brown   Tip DS-1 #4    Ring DS-1 #4    Brown/white
White/slate   Tip DS-1 #5    Ring DS-1 #5    Slate/white
Red/blue      Tip DS-1 #6    Ring DS-1 #6    Blue/red
Red/orange    Tip DS-1 #7    Ring DS-1 #7    Orange/red
Red/green     Tip DS-1 #8    Ring DS-1 #8    Green/red
Red/brown     Tip DS-1 #9    Ring DS-1 #9    Brown/red
Red/slate     Tip DS-1 #10   Ring DS-1 #10   Slate/red
Black/blue    Tip DS-1 #11   Ring DS-1 #11   Blue/black
Black/orange  Tip DS-1 #12   Ring DS-1 #12   Orange/black
Black/green   Tip DS-1 #13   Ring DS-1 #13   Green/black
Black/brown   Tip DS-1 #14   Ring DS-1 #14   Brown/black

Table 1-18 UBIC-V DS-3/EC-1 SCSI Connector Pin Out

Port           SCSI Pin  SCSI Pin  Port
#1             1         26        #7
FGnd           2         27        FGnd
FGnd           3         28        FGnd
FGnd           4         29        FGnd
#2             5         30        #8
FGnd           6         31        FGnd
FGnd           7         32        FGnd
FGnd           8         33        FGnd
#3             9         34        #9
FGnd           10        35        FGnd
FGnd           11        36        FGnd
FGnd           12        37        FGnd
#4             13        38        #10
FGnd           14        39        FGnd
FGnd           15        40        FGnd
FGnd           16        41        FGnd
#5             17        42        #11
FGnd           18        43        FGnd
FGnd           19        44        FGnd
FGnd           20        45        FGnd
#6             21        46        #12
FGnd           22        47        FGnd
FGnd           23        48        FGnd
FGnd           24        49        FGnd
Not connected  25        50        Not connected

Figure 1-27 shows the UBIC-V DS-3/EC-1 cable schematic diagram.

Figure 1-27 UBIC-V DS-3/EC-1 Cable Schematic Diagram

(Figure 1-27 callouts: the 75Ω DS-3/EC1 signal for each port comes to/from the Tyco SCSI connector on the UBIC-V (Port #1 on Pin 1, Port #2 on Pin 5, Port #11 on Pin 42, Port #12 on Pin 46, with FGND pins between them) and is placed on 735A (or 735C) coax toward the customer DSx; frame ground runs from the shield to the connector.)

1.9 UBIC-H Cables

The UBIC-H EIA is designed to support DS-1, DS-3, or EC-1 signals. The type of signal supported is determined by the UBIC-H cable assembly that you order. To support DS-1 signals, select the DS-1 UBIC-H cable assembly (part number 15454-CADS1-H-). To support DS-3 or EC-1 signals, select the DS-3/EC-1 UBIC-H cable assembly (part number 15454-CADS3-H-).

DS-1 cables for the UBIC-H have a maximum supported distance of 655 feet (199.6 m). DS-1 cables arrive with unterminated #24 AWG twisted pairs on the far end and are color coded as identified in Table 1-20. The following DS-1 cables are available from Cisco Systems for use with the UBIC-H EIA:
• 25 feet: 15454-CADS1-H-25
• 50 feet: 15454-CADS1-H-50
• 75 feet: 15454-CADS1-H-75
• 100 feet: 15454-CADS1-H-100
• 150 feet: 15454-CADS1-H-150
• 200 feet: 15454-CADS1-H-200
• 250 feet: 15454-CADS1-H-250
• 350 feet: 15454-CADS1-H-350
• 450 feet: 15454-CADS1-H-450
• 550 feet: 15454-CADS1-H-550
• 655 feet: 15454-CADS1-H-655

DS-3/EC-1 cables for the UBIC-H have a maximum supported distance of 450 feet (137.2 m). DS-3/EC-1 cables arrive with unterminated coaxial cable at the far end, labeled with the respective port number. 75-ohm BNC connectors for each port (qty. 12) are supplied and must be crimped on. The following DS-3/EC-1 cables are available from Cisco Systems for use with the UBIC-H EIA:
• 25 feet: 15454-CADS3-H-25
• 50 feet: 15454-CADS3-H-50
• 75 feet: 15454-CADS3-H-75
• 100 feet: 15454-CADS3-H-100
• 125 feet: 15454-CADS3-H-125
• 150 feet: 15454-CADS3-H-150
• 175 feet: 15454-CADS3-H-175
• 200 feet: 15454-CADS3-H-200
• 225 feet: 15454-CADS3-H-225
• 250 feet: 15454-CADS3-H-250
• 300 feet: 15454-CADS3-H-300
• 350 feet: 15454-CADS3-H-350
• 450 feet: 15454-CADS3-H-450

Figure 1-28 identifies the pin numbers for the DS-1 and DS-3/EC-1 cables as referenced from the SCSI connector.

Figure 1-28 Cable Connector Pins

(Figure 1-28 callouts: Pin 1, Pin 25, Pin 26, and Pin 50 on the SCSI connector.)

Table 1-19 identifies the UBIC-H SCSI connector pin assignments for the DS-1 cables as referenced from the EIA backplane to the SCSI connector.

Note: Conversion from the backplane’s single-ended (unbalanced) 75-ohm signal to a differential (balanced) 100-ohm signal happens through the embedded transformer within the SCSI connector. The cable's shield is connected to the connector shell. This conversion is illustrated in Figure 1-29.

Table 1-19 UBIC-H DS-1 SCSI Connector Pin Out

Port   SCSI Pin  SCSI Pin  Port
#1     1         26        #7
FGnd   2         27        FGnd
FGnd   3         28        FGnd
FGnd   4         29        FGnd
#2     5         30        #8
FGnd   6         31        FGnd
FGnd   7         32        FGnd
FGnd   8         33        FGnd
#3     9         34        #9
FGnd   10        35        FGnd
FGnd   11        36        FGnd
FGnd   12        37        FGnd
#4     13        38        #10
FGnd   14        39        FGnd
FGnd   15        40        FGnd
FGnd   16        41        FGnd
#5     17        42        #11
FGnd   18        43        FGnd
FGnd   19        44        FGnd
FGnd   20        45        FGnd
#6     21        46        #12
FGnd   22        47        FGnd
FGnd   23        48        FGnd
FGnd   24        49        FGnd
#13    25        50        #14

Figure 1-29 UBIC-H DS-1 Cable Schematic Diagram

(Figure 1-29 callouts: on the SCSI connector side of the UBIC-H DS-1 cable, each 75Ω single-ended DS1 port signal to/from the UBIC-H (Port #1 on Pin 1, Port #2 on Pin 5, Port #13 on Pin 25, Port #14 on Pin 50; Pins 2, 3, and 4 are FGnd) passes through a 1:1.15 transformer to a 100Ω differential DS-1 Tip/Ring pair to/from the customer DSX; the cable shield is tied to the connector shell.)

Table 1-20 shows the UBIC-H DS-1 Tip/Ring color coding. Table 1-21 identifies the UBIC-H SCSI connector pin assignments for the DS-3/EC-1 cables as referenced from the EIA backplane to the SCSI connector.

Table 1-20 UBIC-H DS-1 Tip/Ring Color Coding

Wire Color    Signal         Signal          Wire Color
White/blue    Tip DS-1 #1    Ring DS-1 #1    Blue/white
White/orange  Tip DS-1 #2    Ring DS-1 #2    Orange/white
White/green   Tip DS-1 #3    Ring DS-1 #3    Green/white
White/brown   Tip DS-1 #4    Ring DS-1 #4    Brown/white
White/slate   Tip DS-1 #5    Ring DS-1 #5    Slate/white
Red/blue      Tip DS-1 #6    Ring DS-1 #6    Blue/red
Red/orange    Tip DS-1 #7    Ring DS-1 #7    Orange/red
Red/green     Tip DS-1 #8    Ring DS-1 #8    Green/red
Red/brown     Tip DS-1 #9    Ring DS-1 #9    Brown/red
Red/slate     Tip DS-1 #10   Ring DS-1 #10   Slate/red
Black/blue    Tip DS-1 #11   Ring DS-1 #11   Blue/black
Black/orange  Tip DS-1 #12   Ring DS-1 #12   Orange/black
Black/green   Tip DS-1 #13   Ring DS-1 #13   Green/black
Black/brown   Tip DS-1 #14   Ring DS-1 #14   Brown/black

Table 1-21 UBIC-H DS-3/EC-1 SCSI Connector Pin Out

Port           SCSI Pin  SCSI Pin  Port
#1             1         26        #7
FGnd           2         27        FGnd
FGnd           3         28        FGnd
FGnd           4         29        FGnd
#2             5         30        #8
FGnd           6         31        FGnd
FGnd           7         32        FGnd
FGnd           8         33        FGnd
#3             9         34        #9
FGnd           10        35        FGnd
FGnd           11        36        FGnd
FGnd           12        37        FGnd
#4             13        38        #10
FGnd           14        39        FGnd
FGnd           15        40        FGnd
FGnd           16        41        FGnd
#5             17        42        #11
FGnd           18        43        FGnd
FGnd           19        44        FGnd
FGnd           20        45        FGnd
#6             21        46        #12
FGnd           22        47        FGnd
FGnd           23        48        FGnd
FGnd           24        49        FGnd
Not connected  25        50        Not connected

Figure 1-30 shows the UBIC-H DS-3/EC-1 cable schematic diagram.

Figure 1-30 UBIC-H DS-3/EC-1 Cable Schematic Diagram

(Figure 1-30 callouts: the 75Ω DS-3/EC1 signal for each port comes to/from the Tyco SCSI connector on the UBIC-H (Port #1 on Pin 1, Port #2 on Pin 5, Port #11 on Pin 42, Port #12 on Pin 46, with FGND pins between them) and is placed on 735A (or 735C) coax toward the customer DSx.)

1.10 Ethernet Cables

Ethernet cables use RJ-45 connectors and are straight-through or crossover, depending on what is connected to them. Table 1-22 shows the 100Base-TX connector pin assignments used with E100 Ethernet cards in the ONS 15454. Figure 1-31 shows the pin locations on the 100BaseT connector.

Figure 1-31 100BaseT Connector Pins

(Figure 1-31 callouts: Pins 1 through 8 of the RJ-45 connector.)

Figure 1-32 shows the straight-through Ethernet cable schematic. Use a straight-through cable when connecting to a router or a PC.
[Figure 1-31: RJ-45 connector with pins numbered 1 through 8.]

Table 1-22 E100-TX Connector Pinout

Pin   Cable Port
1     RD+
2     RD–
3     TD+
4     NC
5     NC
6     TD–
7     NC
8     NC

Figure 1-32 Straight-Through Cable

[Figure 1-32: straight-through wiring. Switch side pins 3 TD+, 6 TD–, 1 RD+, and 2 RD– connect pin-for-pin to the Router or PC side pins 3 RD+, 6 RD–, 1 TD+, and 2 TD–.]

Figure 1-33 shows the crossover Ethernet cable schematic. Use a crossover cable when connecting to a switch or hub.

Figure 1-33 Crossover Cable

1.11 Cable Routing and Management

The ONS 15454 cable management facilities include the following:

• A cable-routing channel (behind the fold-down door) that runs the width of the shelf assembly (Figure 1-34)
• Plastic horseshoe-shaped fiber guides at each side opening of the cable-routing channel that ensure the proper bend radius is maintained in the fibers (Figure 1-35)

Note You can remove the fiber guide if necessary to create a larger opening (if you need to route CAT-5 Ethernet cables out the side, for example). To remove the fiber guide, take out the three screws that anchor it to the side of the shelf assembly.

• A fold-down door that provides access to the cable-management tray
• Cable tie-wrap facilities on EIAs that secure cables to the cover panel
• A cable routing channel that enables you to route cables out either side
• Jumper slack storage reels (2) on each side panel that reduce the amount of slack in cables that are connected to other devices

Note To remove the jumper slack storage reels, take out the screw in the center of each reel.

• Optional tie-down bar

Figure 1-34 shows the cable management facilities that you can access through the fold-down front door, including the cable-routing channel and cable-routing channel posts.
[Figure 1-33: crossover wiring. Both ends are Switch side pins 3 TD+, 6 TD–, 1 RD+, and 2 RD–; the transmit pair of each end is wired to the receive pair of the other.]

Figure 1-34 Managing Cables on the Front Panel

[Figure 1-34 callouts: cable-routing channel posts, fold-down front door, fiber guides; the fan-tray LEDs FAN FAIL, CRIT, MAJ, and MIN are visible above the door.]

1.11.1 Fiber Management

The jumper routing fins are designed to route fiber jumpers out of both sides of the shelf. Slots 1 to 6 exit to the left, and Slots 12 to 17 exit to the right. Figure 1-35 shows fibers routed from cards in the left slots, down through the fins, then exiting out the fiber channel to the left. The maximum capacity of the fiber routing channel depends on the size of the fiber jumpers. Table 1-23 gives the maximum capacity of the fiber channel for each side of the shelf, for the different fiber sizes.

Figure 1-35 Fiber Capacity

Table 1-23 provides the maximum capacity of the fiber channel for one side of a shelf, depending on fiber size and the number of Ethernet cables running through that fiber channel. Plan your fiber size according to the number of cards/ports installed in each side of the shelf. For example, if your port combination requires 36 fibers, 3 mm (0.11 inch) fiber is adequate. If your port combination requires 68 fibers, you must use 2 mm (0.7 inch) or smaller fibers.

1.11.2 Fiber Management Using the Tie-Down Bar

You can install an optional 5-inch (127 mm) tie-down bar on the rear of the ANSI chassis. You can use tie-wraps or other site-specific material to bundle the cabling and attach it to the bar so that you can more easily route the cable away from the rack. Figure 1-36 shows the tie-down bar, the ONS 15454, and the rack.
Figure 1-36 Tie-Down Bar

[Figure 1-36 callout: tie-down bar mounted on the rear of the chassis.]

Table 1-23 Fiber Channel Capacity (One Side of the Shelf)

Fiber Diameter       Maximum Number of Fibers Exiting Each Side
                     No Ethernet Cables   One Ethernet Cable   Two Ethernet Cables
1.6 mm (0.6 inch)    144                  127                  110
2 mm (0.7 inch)      90                   80                   70
3 mm (0.11 inch)     40                   36                   32

1.11.3 Coaxial Cable Management

Coaxial cables connect to EIAs on the ONS 15454 backplane using cable connectors. EIAs feature cable-management eyelets for tie wrapping or lacing cables to the cover panel.

1.11.4 DS-1 Twisted-Pair Cable Management

Connect twisted-pair/DS-1 cables to SMB EIAs on the ONS 15454 backplane using cable connectors and DS-1 EIAs (baluns).

1.11.5 AMP Champ Cable Management

EIAs have cable management eyelets to tie wrap or lace cables to the cover panel. Tie wrap or lace the AMP Champ cables according to local site practice and route the cables. If you configure the ONS 15454 for a 23-inch (584.2 mm) rack, two additional inches (50.8 mm) of cable management area are available on each side of the shelf assembly.

1.12 Alarm Expansion Panel

The optional ONS 15454 alarm expansion panel (AEP) can be used with the Alarm Interface Controller—International (AIC-I) card to provide an additional 48 dry alarm contacts for the ONS 15454, 32 of which are inputs and 16 of which are outputs. The AEP is a printed circuit board assembly that is installed on the backplane. Figure 1-37 shows the AEP board; the left connector is the input connector and the right connector is the output connector.

The AIC-I without an AEP already contains direct alarm contacts. These direct AIC-I alarm contacts are routed through the backplane to wire-wrap pins accessible from the back of the shelf. If you install an AEP, you cannot use the alarm contacts on the wire-wrap pins.
For further information about the AIC-I, see the “2.8 AIC-I Card” section on page 2-29.

Figure 1-37 AEP Printed Circuit Board Assembly

[Figure 1-37 callouts: Input Connector (left), Output Connector (right).]

Figure 1-38 shows the AEP block diagram.

Figure 1-38 AEP Block Diagram

[Figure 1-38 blocks: AIC-I Interface (wire wrapping) over TIA/EIA 485; In Alarm Relays; Out Alarm Relays; Inventory data (EEPROM); AEP/AIE CPLD; Power Supply.]

Each AEP alarm input port has a provisionable label and severity. The alarm inputs have optocoupler isolation. They have one common 48-VDC output and a maximum of 2 mA per input. Each opto metal oxide semiconductor (MOS) alarm output can operate by definable alarm condition, a maximum open circuit voltage of 60 VDC, and a maximum current of 100 mA. See the “2.8.2 External Alarms and Controls” section on page 2-31 for further information.

1.12.1 Wire-Wrap and Pin Connections

Figure 1-39 shows the wire-wrapping connections on the backplane.

Figure 1-39 AEP Wire-Wrap Connections to Backplane Pins

Table 1-24 shows the backplane pin assignments and corresponding signals on the AIC-I and AEP. Figure 1-40 is a circuit diagram of the alarm inputs (Inputs 1 and 32 are shown in the example).
[Figure 1-39: backplane wire-wrap pin field (BITS, LAN, ENVIRONMENTAL ALARMS IN/OUT, ACO, MODEM, CRAFT, LOCAL ALARMS VIS/AUD/IN, frame ground pins FG1–FG12) with the ten AEP cable wires (White, Black, Blue, Green, Slate, Violet, Orange, Yellow, Red, Brown) wrapped to pins A1–A10 as listed in Table 1-24.]

Table 1-24 Pin Assignments for the AEP

AEP Cable Wire   Backplane Pin   AIC-I Signal   AEP Signal
Black            A1              GND            AEP_GND
White            A2              AE_+5          AEP_+5
Slate            A3              VBAT–          VBAT–
Violet           A4              VB+            VB+
Blue             A5              AE_CLK_P       AE_CLK_P
Green            A6              AE_CLK_N       AE_CLK_N
Yellow           A7              AE_DIN_P       AE_DOUT_P
Orange           A8              AE_DIN_N       AE_DOUT_N
Red              A9              AE_DOUT_P      AE_DIN_P
Brown            A10             AE_DOUT_N      AE_DIN_N

Figure 1-40 Alarm Input Circuit Diagram

[Figure 1-40: station side rated 48 V, max. 2 mA, connected to the AEP/AIE side (GND, VBAT–); input labels "Input 1" and "Input 48" are shown.]

Table 1-25 lists the connections to the external alarm sources.

Table 1-25 Alarm Input Pin Association

AMP Champ Pin Number   Signal Name     AMP Champ Pin Number   Signal Name
1                      ALARM_IN_1–     27                     GND
2                      GND             28                     ALARM_IN_2–
3                      ALARM_IN_3–     29                     ALARM_IN_4–
4                      ALARM_IN_5–     30                     GND
5                      GND             31                     ALARM_IN_6–
6                      ALARM_IN_7–     32                     ALARM_IN_8–
7                      ALARM_IN_9–     33                     GND
8                      GND             34                     ALARM_IN_10–
9                      ALARM_IN_11–    35                     ALARM_IN_12–
10                     ALARM_IN_13–    36                     GND
11                     GND             37                     ALARM_IN_14–
12                     ALARM_IN_15–    38                     ALARM_IN_16–
13                     ALARM_IN_17–    39                     GND
14                     GND             40                     ALARM_IN_18–
15                     ALARM_IN_19–    41                     ALARM_IN_20–
16                     ALARM_IN_21–    42                     GND
17                     GND             43                     ALARM_IN_22–
18                     ALARM_IN_23–    44                     ALARM_IN_24–
19                     ALARM_IN_25–    45                     GND

Figure 1-41 is a circuit diagram of the alarm outputs (Outputs 1 and 16 are shown in the example).

Figure 1-41 Alarm Output Circuit Diagram

Use the pin numbers in Table 1-26 to connect to the external elements being switched by external alarms.
Table 1-25 Alarm Input Pin Association (continued)

AMP Champ Pin Number   Signal Name     AMP Champ Pin Number   Signal Name
20                     GND             46                     ALARM_IN_26–
21                     ALARM_IN_27–    47                     ALARM_IN_28–
22                     ALARM_IN_29–    48                     GND
23                     GND             49                     ALARM_IN_30–
24                     ALARM_IN_31–    50                     N.C.
25                     ALARM_IN_+      51                     GND1
26                     ALARM_IN_0–     52                     GND2

[Figure 1-41: station side rated max. 60 V/100 mA, switched by the AEP/AIE side; output labels "Output 1" and "Output 16" are shown.]

Table 1-26 Pin Association for Alarm Output Pins

AMP Champ Pin Number   Signal Name   AMP Champ Pin Number   Signal Name
1                      N.C.          27                     COM_0
2                      COM_1         28                     N.C.
3                      NO_1          29                     NO_2
4                      N.C.          30                     COM_2
5                      COM_3         31                     N.C.
6                      NO_3          32                     NO_4
7                      N.C.          33                     COM_4
8                      COM_5         34                     N.C.
9                      NO_5          35                     NO_6
10                     N.C.          36                     COM_6
11                     COM_7         37                     N.C.
12                     NO_7          38                     NO_8
13                     N.C.          39                     COM_8
14                     COM_9         40                     N.C.
15                     NO_9          41                     NO_10
16                     N.C.          42                     COM_10
17                     COM_11        43                     N.C.
18                     NO_11         44                     NO_12
19                     N.C.          45                     COM_12
20                     COM_13        46                     N.C.
21                     NO_13         47                     NO_14
22                     N.C.          48                     COM_14
23                     COM_15        49                     N.C.
24                     NO_15         50                     N.C.
25                     N.C.          51                     GND1
26                     NO_0          52                     GND2

1.13 Filler Card

Filler cards are designed to occupy empty multiservice and AIC-I slots in the Cisco ONS 15454 (Slots 1–6, 9, and 12–17). The filler card cannot operate in the XC slots (Slots 8 and 10) or TCC slots (Slots 7 and 11). When installed, the filler card aids in maintaining proper air flow and EMI requirements.

Note There are two types of filler cards, a detectable version (Cisco P/N 15454-FILLER) and a non-detectable version (Cisco P/N 15454-BLANK). The detectable card has the label FILLER on the faceplate. The non-detectable card has no faceplate label. In Software Release 6.0 and greater, the former card is detectable through CTC when installed in the ONS 15454 shelf.

Figure 1-42 shows the faceplate of the detectable filler card. The filler cards have no card-level LED indicators.

Figure 1-42 Detectable Filler Card Faceplate

[Figure 1-42: faceplate labeled FILLER.]

1.14 Filler Plus Cards

The Filler Plus card is designed to occupy empty I/O and AIC slots in the Cisco ONS 15454 (Slots 1–6, 9, and 12–17). The Filler Plus card cannot operate in the TCC slots (Slots 7 and 11) or the XC slots (Slots 8 and 10). This card is detectable through the management interfaces of the ONS 15454. When installed, the Filler Plus card aids in maintaining proper air flow and EMI requirements. The fiber storage bracket allows fibers to be pulled and plugged in ahead of card installation, and it also prevents fibers from dangling around the card installation area. Figure 1-43 shows the faceplate of the Filler Plus card.

Figure 1-43 Filler Plus Card Faceplate

This card is mounted with fiber storage brackets and fibers readymade for installation of an MRC-12 card in selected ONS 15454 nodes. The fiber storage bracket provides a holder for 12 LC fiber pairs suited for installing an MRC-12 card. Figure 1-44 shows the Filler Plus card with the fiber storage bracket. The Filler Plus card has no card-level LED indicators.

Figure 1-44 Filler Plus Card with Fiber Storage Bracket

1.15 Fan-Tray Assembly

The fan-tray assembly is located at the bottom of the ONS 15454 bay assembly. The fan tray is a removable drawer that holds fans and fan-control circuitry for the ONS 15454.
The front door can be left in place or removed before installing the fan-tray assembly. After you install the fan tray, you should only need to access it if a fan failure occurs or if you need to replace or clean the fan-tray air filter.

The front of the fan-tray assembly has an LCD screen that provides slot- and port-level information for all ONS 15454 card slots, including the number of Critical, Major, and Minor alarms. For optical cards, you can use the LCD to determine if a port is in working or protect mode and is active or standby. The LCD also tells you whether the software load is SONET or SDH and the software version number.

Note The 15454-SA-ANSI or 15454-SA-HD shelf assembly and 15454-FTA3 or 15454-CC-FTA fan-tray assembly are required with any ONS 15454 that has XC10G or XC-VXC-10G cards.

Caution The 15454-FTA3-T fan-tray assembly can only be installed in ONS 15454 Release 3.1 and later shelf assemblies (15454-SA-ANSI, P/N: 800-19857; 15454-SA-HD, P/N: 800-24848). The fan-tray assembly has a pin that prevents it from being installed in ONS 15454 shelf assemblies released before ONS 15454 Release 3.1 (15454-SA-NEBS3E, 15454-SA-NEBS3, and 15454-SA-R1, P/N: 800-07149). Equipment damage can result from attempting to install the 15454-FTA3 in a noncompatible shelf assembly.

Note 15454-CC-FTA is compatible with Software Release 2.2.2 and greater and shelf assemblies 15454-SA-HD and 15454-SA-ANSI.

Note The 15454-FTA3 is not I-temp compliant. To obtain an I-temp tray, install the 15454-FTA3-T or 15454-CC-FTA fan-tray assembly in an ONS 15454 Release 3.1 shelf assembly (15454-SA-ANSI or 15454-SA-HD). However, do not install the ONS 15454 XC10G cross-connect cards with the 15454-FTA2 fan-tray assembly.
1.15.1 Fan Tray Units for ONS 15454 Cards

Table 1-27 lists the applicable fan tray units supported for ONS 15454 cards in Release 9.1.

Table 1-27 Fan Tray Units for ONS 15454 Cards

ONS 15454 Cards                                                  15454E-FTA-48V (ETSI shelf)/15454-FTA3-T (ANSI shelf)   15454E-CC-FTA (ETSI shelf)/15454-CC-FTA (ANSI shelf)
TCC2/TCC2P                                                       Yes   Yes
XCVT                                                             Yes   Yes
XC10G                                                            Yes   Yes
XC-VXC-10G                                                       Yes   Yes
AIC-I                                                            Yes   Yes
EC1-12                                                           Yes   Yes
DS1-14                                                           Yes   Yes
DS1N-14                                                          Yes   Yes
DS1/E1-56                                                        Yes   Yes
DS3-12                                                           Yes   Yes
DS3N-12                                                          Yes   Yes
DS3/EC1-48                                                       Yes   Yes
DS3i-N-12                                                        Yes   Yes
DS3-12E                                                          Yes   Yes
DS3N-12E                                                         Yes   Yes
DS3XM-6                                                          Yes   Yes
DS3XM-12                                                         Yes   Yes
OC3 IR 4 SH 1310                                                 Yes   Yes
OC3 IR 4/STM1 SH 1310                                            Yes   Yes
OC3 IR/STM1 SH 1310-8                                            Yes   Yes
OC12 IR 1310                                                     Yes   Yes
OC12 IR/STM4 SH 1310                                             Yes   Yes
OC12 LR 1310                                                     Yes   Yes
OC12 LR/STM4 LH 1310                                             Yes   Yes
OC12 LR 1550                                                     Yes   Yes
OC12 LR/STM4 LH 1550                                             Yes   Yes
OC12 IR/STM4 SH 1310-4                                           Yes   Yes
OC48 IR 1310                                                     Yes   Yes
OC48 LR 1550                                                     Yes   Yes
OC48 IR/STM16 SH AS 1310                                         Yes   Yes
OC48 LR/STM16 LH AS 1550                                         Yes   Yes
OC48 ELR/STM16 EH 100 GHz                                        Yes   Yes
OC48 ELR 200 GHz                                                 Yes   Yes
OC192 SR/STM64 IO 1310                                           Yes   Yes
OC192 IR/STM64 SH 1550                                           Yes   Yes
OC192 LR/STM64 LH 1550                                           Yes   Yes
OC192 LR/STM64 LH ITU 15xx.xx                                    Yes   Yes
15454_MRC-12                                                     Yes   Yes
MRC-2.5G-4                                                       Yes   Yes
OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach           Yes   Yes
E100T-12                                                         Yes   Yes
E100T-G                                                          Yes   Yes
E1000-2                                                          Yes   Yes
E1000-2-G                                                        Yes   Yes
G1K-4                                                            Yes   Yes
M100T-12                                                         Yes   Yes
M100X-8                                                          Yes   Yes
M1000-2                                                          Yes   Yes

1.15.2 Fan Speed

Fan speed is controlled by TCC2/TCC2P card temperature sensors.
The sensors measure the input air temperature at the fan-tray assembly. Fan speed options are low, medium, and high. If the TCC2/TCC2P card fails, the fans automatically shift to high speed. The temperature measured by the TCC2/TCC2P sensors is displayed on the LCD screen. To view the temperature displayed in CTC, see the “1.17 Shelf Voltage and Temperature” section on page 1-69.

1.15.3 Fan Failure

If one or more fans fail on the fan-tray assembly, replace the entire assembly. You cannot replace individual fans. The red Fan Fail LED on the front of the fan tray illuminates when one or more fans fail. For fan tray replacement instructions, refer to the Cisco ONS 15454 Troubleshooting Guide. The red Fan Fail LED clears after you install a working fan tray.

Caution As with the FTA3, the 15454-CC-FTA Fan Fail LED on the front of the fan-tray assembly illuminates when one or more fans fail, to indicate that a fan-tray assembly or AIP replacement is required. But the Fan Fail LED on the 15454-CC-FTA will also illuminate when only one power source is connected to the chassis, or when any fuse blows. In such conditions, the Fan Alarm is triggered and the fans run at maximum speed.

1.15.4 Air Filter

The ONS 15454 contains a reusable air filter, Model 15454-FTF2, that is installed either beneath the fan-tray assembly or in the optional external filter brackets. Earlier versions of the ONS 15454 used a disposable air filter that is installed beneath the fan-tray assembly only. However, the reusable air filter is backward compatible. The reusable filter is made of a gray, open-cell, polyurethane foam that is specially coated to provide fire and fungi resistance. All versions of the ONS 15454 can use the reusable air filter. Spare filters should be kept in stock.

Caution Do not operate an ONS 15454 without the mandatory fan-tray air filter.
Table 1-27 Fan Tray Units for ONS 15454 Cards (continued)

ONS 15454 Cards   15454E-FTA-48V (ETSI shelf)/15454-FTA3-T (ANSI shelf)   15454E-CC-FTA (ETSI shelf)/15454-CC-FTA (ANSI shelf)
ML-MR-10          No    Yes
CE-100T-8         Yes   Yes
CE-MR-10          No    Yes
CE-1000-4         Yes   Yes
FC_MR-4           Yes   Yes

Caution Inspect the air filter every 30 days, and clean the filter every three to six months. Replace the air filter every two to three years. Avoid cleaning the air filter with harsh cleaning agents or solvents. Refer to the Cisco ONS 15454 Troubleshooting Guide for information about cleaning and maintaining the fan-tray air filter.

1.15.5 Pilot Fuse

The Pilot Fuse in the fan-tray assembly allows you to blow a low-rate fuse when the main fuse of the lower power battery is not installed in the equipment. CC-FTAs 15454-CC-FTA 800-27558-01 and 15454-CC-FTA 800-27561-01 can automatically generate an electrical pulse (without external commands) at power on and about every 25–35 minutes in order to drain extra current from both the batteries. The amount of current and the duration of the pulse that the CC-FTA can generate is suitable to blow the fuses listed in Table 1-28.

Similar to the CC-FTA, 15454-FTA3-T 800-23907-01 and 800-23907-05 can also operate the pilot fuses mentioned in Table 1-28 when the main fuse is missing. Unlike the CC-FTA, the FTA3-T alternately drains the current from the two batteries every 50–100 msec to feed the fans. This is accomplished in the I-temp range (–40°C to +65°C) in either of these conditions:

• When the lower power battery is in the 43.0V to 60.0V range and the higher power battery is more than 1V greater than the lower power battery (or)
• When the lower power battery is in the 40.0V to 60.0V range and the difference between the two batteries does not exceed 0.5V.

Table 1-28 Pilot Fuse Ratings

Type of Fuse             Current rating
Bussmann GMT-18/100A     18/100A
Bussmann GMT-1/4A        1/4A
Bussmann 70E             18/100A
Bussmann 70F             1/4A

1.16 Power and Ground Description

Ground the equipment according to Telcordia standards or local practices. Cisco recommends the following wiring conventions, but customer conventions prevail:

• Red wire for battery connections (–48 VDC)
• Black wire for battery return connections (0 VDC)
• The battery return connection is treated as DC-I, as defined in GR-1089-CORE, issue 3.

Note For detailed instructions on grounding the chassis, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.

The ONS 15454 has redundant –48 VDC #8 power terminals on the shelf-assembly backplane. The terminals are labeled BAT1, RET1, BAT2, and RET2 and are located on the lower section of the backplane behind a clear plastic cover.

To install redundant power feeds, use four power cables and one ground cable. For a single power feed, only two power cables (#10 AWG, 2.588 mm² [0.1018 inch], copper conductor, 194°F [90°C]) and one ground cable (#6 AWG, 4.115 mm² [0.162 inch]) are required. Use a conductor with low impedance to ensure circuit overcurrent protection. However, the conductor must have the capability to safely conduct any fault current that might be imposed.

The existing ground post is a #10-32 bolt. The nut provided for a field connection is also a #10 AWG (2.588 mm² [0.1018 inch]), with an integral lock washer. The lug must be a dual-hole type and rated to accept the #6 AWG (4.115 mm² [0.162 inch]) cable. Two posts are provided on the Cisco ONS 15454 to accommodate the dual-hole lug. Figure 1-45 shows the location of the ground posts.
Figure 1-45 Ground Posts on the ONS 15454 Backplane

[Figure 1-45 callouts: FRAME GROUND posts; attach #6 AWG cable.]

1.17 Shelf Voltage and Temperature

Note The temperature measured by the TCC2/TCC2P sensors appears on the LCD screen in the ONS 15454 chassis.

The input voltages and temperature of the ONS 15454 chassis are displayed in the Shelf view > Provisioning > General > Voltage/Temperature pane in CTC. The voltage supplied to the shelf (in millivolts) is displayed in the Voltage area of the Voltage/Temperature pane. The temperature of the shelf (in degrees Celsius) is displayed in the Temperature area of the pane. The Voltage/Temperature pane retrieves the following values for the ONS 15454 chassis:

• Voltage A—Voltage of the shelf that corresponds to power supply A, in millivolts.
• Voltage B—Voltage of the shelf that corresponds to power supply B, in millivolts.
• Chassis Temperature—Temperature of the shelf, in degrees Celsius.

In a multishelf configuration, the voltage and temperature of each shelf are displayed in the Shelf view > Provisioning > General > Voltage/Temperature pane.

1.18 Alarm, Timing, LAN, and Craft Pin Connections

Caution Always use the supplied ESD wristband when working with a powered ONS 15454. For detailed instructions on how to wear the ESD wristband, refer to the Cisco ONS Electrostatic Discharge (ESD) and Grounding Guide.

The ONS 15454 has a backplane pin field located at the bottom of the backplane. The backplane pin field provides 0.045 square inch (29 mm²) wire-wrap pins for enabling external alarms, timing input and output, and craft interface terminals. This section describes the backplane pin field and the pin assignments for the field.

Figure 1-46 shows the wire-wrap pins on the backplane pin field. Beneath each wire-wrap pin is a frame ground pin.
Frame ground pins are labeled FG1, FG2, FG3, etc. Install the ground shield of the cables connected to the backplane to the ground pin that corresponds to the pin field used.

Note The AIC-I requires a shelf assembly running Software Release 3.4.0 or later. The backplane of the ANSI shelf contains a wire-wrap field with pin assignment according to the layout in Figure 1-46. The shelf assembly might be an existing shelf that has been upgraded to R3.4 or later. In this case the backplane pin labeling appears as indicated in Figure 1-47 on page 1-72. But you must use the pin assignments provided by the AIC-I as shown in Figure 1-46.

Figure 1-46 ONS 15454 Backplane Pinouts (Release 3.4 or Later)

[Figure 1-46: backplane wire-wrap pin field with the BITS, LAN, ENVIRONMENTAL ALARMS IN/OUT and IN (pins 1–12), ACO, MODEM, CRAFT, and LOCAL ALARMS (VIS, AUD, IN) fields, each field with pins A1–A4/B1–B4, and frame ground pins FG1–FG12 beneath them. The pin functions are as follows.]

Field                             Pin               Function
BITS                              A1                BITS Output 2 negative (–)
                                  B1                BITS Output 2 positive (+)
                                  A2                BITS Input 2 negative (–)
                                  B2                BITS Input 2 positive (+)
                                  A3                BITS Output 1 negative (–)
                                  B3                BITS Output 1 positive (+)
                                  A4                BITS Input 1 negative (–)
                                  B4                BITS Input 1 positive (+)
ENVIR ALARMS IN/OUT (N/O)         A1/A13, B1/B13    Normally open output pair number 1
                                  A2/A14, B2/B14    Normally open output pair number 2
                                  A3/A15, B3/B15    Normally open output pair number 3
                                  A4/A16, B4/B16    Normally open output pair number 4
ENVIR ALARMS IN                   A1, B1            Alarm input pair number 1: Reports closure on connected wires.
                                  A2, B2            Alarm input pair number 2: Reports closure on connected wires.
                                  A3, B3            Alarm input pair number 3: Reports closure on connected wires.
                                  A4, B4            Alarm input pair number 4: Reports closure on connected wires.
                                  A5, B5            Alarm input pair number 5: Reports closure on connected wires.
                                  A6, B6            Alarm input pair number 6: Reports closure on connected wires.
                                  A7, B7            Alarm input pair number 7: Reports closure on connected wires.
                                  A8, B8            Alarm input pair number 8: Reports closure on connected wires.
                                  A9, B9            Alarm input pair number 9: Reports closure on connected wires.
                                  A10, B10          Alarm input pair number 10: Reports closure on connected wires.
                                  A11, B11          Alarm input pair number 11: Reports closure on connected wires.
                                  A12, B12          Alarm input pair number 12: Reports closure on connected wires.
ACO                               A1, B1            Normally open ACO pair
LAN                               A1, B1, A2, B2    Connecting to a hub or switch, or to a PC/workstation or router: RJ-45 TX+/TX–/RX+/RX– signals; see Table 1-30 for the backplane pin to RJ-45 pin mapping.
CRAFT                             A1                Receive (PC pin #2)
                                  A2                Transmit (PC pin #3)
                                  A3                Ground (PC pin #5)
                                  A4                DTR (PC pin #4)
LOCAL ALARMS AUD (Audible, N/O)   A1, B1            Alarm output pair number 1: Remote audible alarm.
                                  A2, B2            Alarm output pair number 2: Critical audible alarm.
                                  A3, B3            Alarm output pair number 3: Major audible alarm.
                                  A4, B4            Alarm output pair number 4: Minor audible alarm.
LOCAL ALARMS VIS (Visual, N/O)    A1, B1            Alarm output pair number 1: Remote visual alarm.
                                  A2, B2            Alarm output pair number 2: Critical visual alarm.
                                  A3, B3            Alarm output pair number 3: Major visual alarm.
                                  A4, B4            Alarm output pair number 4: Minor visual alarm.

If you are using an AIC-I card, contacts provisioned as OUT are 1–4. Contacts provisioned as IN are 13–16.

Figure 1-47 ONS 15454 Backplane Pinouts

1.18.1 Alarm Contact Connections

The alarm pin field supports up to 17 alarm contacts, including four audible alarms, four visual alarms, one alarm cutoff (ACO), and four user-definable alarm input and output contacts.
Audible alarm contacts are in the LOCAL ALARM AUD pin field and visual contacts are in the LOCAL ALARM VIS pin field. Both of these alarms are in the LOCAL ALARMS category. User-definable contacts are in the ENVIR ALARM IN (external alarm) and ENVIR ALARM OUT (external control) pin fields. These alarms are in the ENVIR ALARMS category; you must have the AIC-I card installed to use the ENVIR ALARMS.

Alarm contacts are Normally Open (N/O), meaning that the system closes the alarm contacts when the corresponding alarm conditions are present. Each alarm contact consists of two wire-wrap pins on the shelf assembly backplane. Visual and audible alarm contacts are classified as critical, major, minor, and remote. Figure 1-47 shows alarm pin assignments.

[Figure 1-47: backplane wire-wrap pin field with the BITS, LAN, ENVIR ALARMS IN/OUT, ACO, TBOS, X.25, MODEM, CRAFT, and LOCAL ALARMS (VIS, AUD) fields, each field with pins A1–A4/B1–B4, and frame ground pins FG1–FG12 beneath them. The pin functions are as follows.]

Field                             Pin               Function
BITS                              A1                BITS Output 2 negative (–)
                                  B1                BITS Output 2 positive (+)
                                  A2                BITS Input 2 negative (–)
                                  B2                BITS Input 2 positive (+)
                                  A3                BITS Output 1 negative (–)
                                  B3                BITS Output 1 positive (+)
                                  A4                BITS Input 1 negative (–)
                                  B4                BITS Input 1 positive (+)
ENVIR ALARMS OUT (N/O)            A1, B1            Normally open output pair number 1
                                  A2, B2            Normally open output pair number 2
                                  A3, B3            Normally open output pair number 3
                                  A4, B4            Normally open output pair number 4
ENVIR ALARMS IN                   A1, B1            Alarm input pair number 1: Reports closure on connected wires.
                                  A2, B2            Alarm input pair number 2: Reports closure on connected wires.
                                  A3, B3            Alarm input pair number 3: Reports closure on connected wires.
                                  A4, B4            Alarm input pair number 4: Reports closure on connected wires.
ACO                               A1, B1            Normally open ACO pair
LAN                               A1, B1, A2, B2    Connecting to a hub or switch, or to a PC/workstation or router: RJ-45 TX+/TX–/RX+/RX– signals; see Table 1-30 for the backplane pin to RJ-45 pin mapping.
CRAFT                             A1                Receive (PC pin #2)
                                  A2                Transmit (PC pin #3)
                                  A3                Ground (PC pin #5)
                                  A4                DTR (PC pin #4)
LOCAL ALARMS AUD (Audible, N/O)   A1, B1            Alarm output pair number 1: Remote audible alarm.
                                  A2, B2            Alarm output pair number 2: Critical audible alarm.
                                  A3, B3            Alarm output pair number 3: Major audible alarm.
                                  A4, B4            Alarm output pair number 4: Minor audible alarm.
LOCAL ALARMS VIS (Visual, N/O)    A1, B1            Alarm output pair number 1: Remote visual alarm.
                                  A2, B2            Alarm output pair number 2: Critical visual alarm.
                                  A3, B3            Alarm output pair number 3: Major visual alarm.
                                  A4, B4            Alarm output pair number 4: Minor visual alarm.

Visual and audible alarms are typically wired to trigger an alarm light or bell at a central alarm collection point when the corresponding contacts are closed. You can use the Alarm Cutoff pins to activate a remote ACO for audible alarms. You can also activate the ACO function by pressing the ACO button on the TCC2/TCC2P card faceplate. The ACO function clears all audible alarm indications. After clearing the audible alarm indication, the alarm is still present and viewable in the Alarms tab in CTC. For more information, see the “2.8.2 External Alarms and Controls” section on page 2-31.

1.18.2 Timing Connections

The ONS 15454 backplane supports two building integrated timing supply (BITS) clock pin fields. The first four BITS pins, rows 3 and 4, support output and input from the first external timing device. The last four BITS pins, rows 1 and 2, perform the identical functions for the second external timing device. Table 1-29 lists the pin assignments for the BITS timing pin fields.
Note For timing connection, use 100-ohm shielded BITS clock cable pair #22 or #24 AWG (0.51 mm² [0.020 inch] or 0.64 mm² [0.0252 inch]), twisted-pair T1-type.

Note Refer to Telcordia SR-NWT-002224 for rules about provisioning timing references. For more information, see Chapter 10, “Timing.”

Table 1-29 BITS External Timing Pin Assignments

External Device          Contact          Tip and Ring          Function
First external device    A3 (BITS 1 Out)  Primary ring (–)      Output to external device
                         B3 (BITS 1 Out)  Primary tip (+)       Output to external device
                         A4 (BITS 1 In)   Secondary ring (–)    Input from external device
                         B4 (BITS 1 In)   Secondary tip (+)     Input from external device
Second external device   A1 (BITS 2 Out)  Primary ring (–)      Output to external device
                         B1 (BITS 2 Out)  Primary tip (+)       Output to external device
                         A2 (BITS 2 In)   Secondary ring (–)    Input from external device
                         B2 (BITS 2 In)   Secondary tip (+)     Input from external device

1.18.3 LAN Connections

Use the LAN pins on the ONS 15454 backplane to connect the ONS 15454 to a workstation or Ethernet LAN, or to a LAN modem for remote access to the node. You can also use the LAN port on the TCC2/TCC2P card faceplate to connect a workstation or to connect the ONS 15454 to the network. Table 1-30 shows the LAN pin assignments.

Before you can connect an ONS 15454 to other ONS 15454s or to a LAN, you must change the default IP address that is shipped with each ONS 15454 (192.1.0.2).

1.18.4 TL1 Craft Interface Installation

You can use the craft pins on the ONS 15454 backplane or the EIA/TIA-232 port on the TCC2/TCC2P card faceplate to create a VT100 emulation window to serve as a TL1 craft interface to the ONS 15454. Use a straight-through cable to connect to the EIA/TIA-232 port. Table 1-31 shows the pin assignments for the CRAFT pin field.
Note You cannot use the craft backplane pins and the EIA/TIA-232 port on the TCC2/TCC2P card simultaneously. Note To use the serial port craft interface wire-wrap pins on the backplane, the DTR signal line on the backplane port wire-wrap pin must be connected and active. 1.19 Cards and Slots ONS 15454 cards have electrical plugs at the back that plug into electrical connectors on the shelf- assembly backplane. When the ejectors are fully closed, the card plugs into the assembly backplane. Figure 1-48 shows card installation. Table 1-30 LAN Pin Assignments Pin Field Backplane Pins RJ-45 Pins LAN 1 Connecting to data circuit-terminating equipment (DCE1 , a hub or switch) 1. The Cisco ONS 15454 is DCE. B2 1 A2 2 B1 3 A1 6 LAN 1 Connecting to data terminal equipment (DTE) (a PC/workstation or router) B1 1 A1 2 B2 3 A2 6 Table 1-31 Craft Interface Pin Assignments Pin Field Contact Function Craft A1 Receive A2 Transmit A3 Ground A4 DTR1-75 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 1 Shelf and Backplane Hardware 1.19.1 Card Slot Requirements Figure 1-48 Installing Cards in the ONS 15454 1.19.1 Card Slot Requirements The ONS 15454 shelf assembly has 17 card slots numbered sequentially from left to right. Slots 1 to 6 and 12 to 17 are multiservice slots that are used for electrical, optical, and Ethernet cards (traffic cards). Card compatibility depends on the EIA, protection scheme, and cross-connect card type used in the shelf. Refer to the “3.1.2 Card Compatibility” section on page 3-3 for more detailed compatibility information. Slots 7 and 11 are dedicated to TCC2/TCC2P cards. Slots 8 and 10 are dedicated to cross-connect (XCVT, XC10G, and XC-VXC-10G) cards. Slot 9 is reserved for the optional AIC-I card. Slots 3 and 15 can also host electrical cards that are used for 1:N protection. (See the “7.1 Electrical Card Protection” section on page 7-1 for a list of electrical cards that can operate as protect cards.) 
[Figure 1-48 callouts omitted: FAN FAIL, CRIT, MAJ and MIN LEDs, ejector, guide rail]

Caution: Do not operate the ONS 15454 with a single TCC2/TCC2P card or a single XCVT/XC10G/XC-VXC-10G card installed. Always operate the shelf assembly with one working and one protect card of the same type.

Shelf assembly slots have symbols indicating the type of cards that you can install in them. Each ONS 15454 card has a corresponding symbol. The symbol on the card must match the symbol on the slot. Table 1-32 shows the slot and card symbol definitions.

Note: Protection schemes and EIA types can affect slot compatibility.

Table 1-32 Slot and Card Symbols
Symbol Color/Shape | Definition
Orange/Circle | Slots 1 to 6 and 12 to 17. Only install ONS 15454 cards with a circle symbol on the faceplate.
Blue/Triangle | Slots 5, 6, 12, and 13. Only install ONS 15454 cards with a circle or a triangle symbol on the faceplate.
Purple/Square | TCC2/TCC2P slot, Slots 7 and 11. Only install ONS 15454 cards with a square symbol on the faceplate.
Green/Cross | Cross-connect (XCVT/XC10G) slot, Slots 8 and 10. Only install ONS 15454 cards with a cross symbol on the faceplate.
Red/P | Protection slot in 1:N protection schemes.
Red/Diamond | AIC-I slot (Slot 9). Only install ONS 15454 cards with a diamond symbol on the faceplate.
Gold/Star | Slots 1 to 4 and 14 to 17. Only install ONS 15454 cards with a star symbol on the faceplate.
Blue/Hexagon | (Only used with the 15454-SA-HD shelf assembly) Slots 3 and 15. Only install ONS 15454 cards with a blue hexagon symbol on the faceplate.

Table 1-33 lists the number of ports, line rates, connector options, and connector locations for ONS 15454 optical and electrical cards.

Table 1-33 Card Ports, Line Rates, and Connectors
Card | Ports | Line Rate per Port | Connector Types | Connector Location
DS1-14 | 14 | 1.544 Mbps | SMB w/wire wrap adapter, AMP Champ connector | Backplane
DS1N-14 | 14 | 1.544 Mbps | SMB w/wire wrap adapter [1], AMP Champ connector | —
DS1/E1-56 | 56 | 1.544 Mbps | SMB w/wire wrap adapter [2], AMP Champ connector | —
DS3-12 | 12 | 44.736 Mbps | SMB or BNC [1] | Backplane
DS3N-12 | 12 | 44.736 Mbps | SMB or BNC [1] | —
DS3-12E | 12 | 44.736 Mbps | SMB or BNC [1] | Backplane
DS3N-12E | 12 | 44.736 Mbps | SMB or BNC [1] | —
DS3XM-6 | 6 | 44.736 Mbps | SMB or BNC [1] | Backplane
DS3XM-12 | 12 | 89.472 Mbps | SMB or BNC [1] | Backplane
DS3/EC1-48 | 48 | 2.147 Gbps | SMB or BNC | Backplane
EC1-12 | 12 | 51.84 Mbps | SMB or BNC [1] | Backplane
E100T-12 | 12 | 100 Mbps | RJ-45 | Faceplate
E1000-2 | 2 | 1 Gbps | SC (GBIC) | Faceplate
E100T-G | 12 | 100 Mbps | RJ-45 | Faceplate
E1000-2-G | 2 | 1 Gbps | SC (GBIC) | Faceplate
G1K-4 | 4 | 1 Gbps | SC (GBIC) | Faceplate
ML100T-12 | 12 | 100 Mbps | RJ-45 | Faceplate
ML100X-8 | 8 | 100 Mbps | SC (SFP) | Faceplate
ML-MR-10 | 10 | 10/100/1000 Mbps | LC (SFP), Copper (SFP)-RJ45 | Faceplate
CE-100T-8 | 8 | 100 Mbps | RJ-45 | Faceplate
CE-MR-10 | 10 | 1000 Mbps | LC (SFP), Copper (SFP)-RJ45 | Faceplate
ML1000-2 | 2 | 1 Gbps | LC (SFP) | Faceplate
OC-3 IR | 4 | 155.52 Mbps (STS-3) | SC | Faceplate
OC3 IR/STM4 SH 1310-8 | 8 | 155.52 Mbps (STS-3) | LC | Faceplate
OC-12/STM4-4 (IR/LR) | 4 | 622.08 Mbps (STS-12) | SC | Faceplate
OC-12 (IR/LR) | 1 | 622.08 Mbps (STS-12) | SC | Faceplate
OC-48 (IR/LR/ELR) | 1 | 2488.32 Mbps (STS-48) | SC | Faceplate
OC-48 AS (IR/LR) | 1 | 2488.32 Mbps (STS-48) | SC | Faceplate
OC-48 ELR (100GHz, 200GHz) | 1 | 2488.32 Mbps (STS-48) | SC | Faceplate
OC192 SR/STM64 IO 1310 | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
OC192 IR/STM64 SH 1550 | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
OC192 LR/STM64 LH 1550 | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
OC192 LR/STM64 LH ITU 15xx.xx | 1 | 9.95 Gbps (STS-192) | SC | Faceplate
FC_MR-4 | 4 (only 2 available in R4.6) | 1.0625 Gbps | SC | Faceplate
15454_MRC-12 | 12 | Up to 2488.32 Mbps (STM-48), depending on SFP | LC | Faceplate
MRC-2.5G-4 | 4 | Up to 2488.32 Mbps (STS-48), depending on SFP | LC | Faceplate
OC192SR1/STM64 IO Short Reach/OC192/STM64 Any Reach [3] | 1 | 9.95 Gbps (OC-192) | LC | Faceplate
1. When used as a protect card, the card does not have a physical external connection. The protect card connects to the working card(s) through the backplane and becomes active when the working card fails. The protect card then uses the physical connection of the failed card.
2. When used as a protect card, the card does not have a physical external connection. The protect card connects to the working card(s) through the backplane and becomes active when the working card fails. The protect card then uses the physical connection of the failed card.
3. These cards are designated as OC192-XFP in CTC.

1.19.2 Card Replacement

To replace an ONS 15454 card with another card of the same type, you do not need to make any changes to the database; remove the old card and replace it with a new card. To replace a card with a card of a different type, physically remove the card and replace it with the new card, then delete the original card from CTC. For specifics, refer to the “Install Cards and Fiber-Optic Cable” chapter in the Cisco ONS 15454 Procedure Guide.

Caution: Removing any active card from the ONS 15454 can result in traffic interruption. Use caution when replacing cards and verify that only inactive or standby cards are being replaced. If the active card needs to be replaced, switch it to standby prior to removing the card from the node. For traffic switching procedures, refer to the “Maintain the Node” chapter in the Cisco ONS 15454 Procedure Guide.

Note: An improper removal (IMPROPRMVL) alarm is raised whenever a card is removed and reinserted (reseated), unless the card is deleted in CTC first. The alarm clears after the card replacement is complete.

Note: In a path protection configuration, pulling the active XCVT/XC10G without a lockout causes path protection circuits to switch.

1.20 Software and Hardware Compatibility

Table 1-34 shows ONS 15454 software and hardware compatibility for nodes configured with XC or XCVT cards for Releases 4.6, 4.7, 5.0, 6.0, 7.0, 7.2, 8.0, 8.5, 9.0, and 9.1. For software compatibility for a specific card, refer to the following URL: http://cisco.com/en/US/products/hw/optical/ps2006/prod_eol_notices_list.html

Note: Partially supported: once a card has reached End of Life (EOL), new features are not supported for the card; bug fixes, however, are still available.

Note: TCC and TCC+ are only supported up to Release 4.x.
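The slot rules of section 1.19.1, the caution against running a shelf with a single TCC2/TCC2P or a single cross-connect card, and the 1.19.2 rule that only standby cards should be pulled can be checked mechanically before a maintenance window. The following Python check is an added example, not Cisco code: the Card class, its active/standby state field, the slot-to-card dictionary and both sample layouts are constructed for the illustration.

```python
from dataclasses import dataclass

# Slot rules as stated in section 1.19.1
TCC_SLOTS = {7, 11}                                   # dedicated to TCC2/TCC2P
XC_SLOTS = {8, 10}                                    # dedicated to cross-connect cards
AIC_SLOT = 9                                          # reserved for the optional AIC-I
TRAFFIC_SLOTS = set(range(1, 7)) | set(range(12, 18))  # multiservice (traffic) slots

TCC_CARDS = {"TCC2", "TCC2P"}
XC_CARDS = {"XCVT", "XC10G", "XC-VXC-10G"}


@dataclass
class Card:
    """Constructed model of an installed card (not a CTC data structure)."""
    kind: str               # card type as named in the manual, e.g. "XC10G"
    state: str = "active"   # "active" or "standby" (constructed field)


def check_shelf(layout):
    """Return the list of rule violations for a {slot: Card} layout (empty = OK)."""
    problems = []
    for slot, card in sorted(layout.items()):
        if slot < 1 or slot > 17:
            problems.append(f"slot {slot}: the shelf has slots 1 to 17 only")
        elif card.kind in TCC_CARDS:
            if slot not in TCC_SLOTS:
                problems.append(f"slot {slot}: {card.kind} may only go in slot 7 or 11")
        elif card.kind in XC_CARDS:
            if slot not in XC_SLOTS:
                problems.append(f"slot {slot}: {card.kind} may only go in slot 8 or 10")
        elif card.kind == "AIC-I":
            if slot != AIC_SLOT:
                problems.append(f"slot {slot}: AIC-I may only go in slot 9")
        elif slot not in TRAFFIC_SLOTS:
            # Anything else is a traffic card and must not sit in a control slot.
            problems.append(f"slot {slot}: {card.kind} is a traffic card; "
                            "use slots 1 to 6 or 12 to 17")

    # Caution from 1.19.1: never run with a single TCC2/TCC2P or a single
    # cross-connect card; the pair must be one working and one protect card
    # of the same type.
    for label, slots, allowed in (("TCC2/TCC2P", TCC_SLOTS, TCC_CARDS),
                                  ("cross-connect", XC_SLOTS, XC_CARDS)):
        installed = [layout[s].kind for s in sorted(slots)
                     if s in layout and layout[s].kind in allowed]
        if len(installed) < 2:
            problems.append(f"{label}: {len(installed)} card(s) installed; "
                            "one working and one protect card are required")
        elif installed[0] != installed[1]:
            problems.append(f"{label}: the pair must be of the same type, "
                            f"found {installed}")
    return problems


def safe_to_remove(layout, slot):
    """(ok, reason) for pulling the card in `slot`; per 1.19.2 only standby cards go."""
    card = layout.get(slot)
    if card is None:
        return False, f"slot {slot} is empty"
    if card.state != "standby":
        return False, (f"{card.kind} in slot {slot} is active; "
                       "switch it to standby before removing it")
    return True, f"{card.kind} in slot {slot} is standby"


# Constructed sample: a minimal redundant shelf that obeys every rule above.
SAMPLE_OK = {
    7: Card("TCC2P"), 11: Card("TCC2P", "standby"),
    8: Card("XC10G"), 10: Card("XC10G", "standby"),
    9: Card("AIC-I"),
    5: Card("OC48 LR 1550"), 6: Card("OC48 LR 1550", "standby"),
}

# Constructed sample with three violations: lone TCC2P, mismatched
# cross-connect pair, AIC-I in a traffic slot.
SAMPLE_BAD = {
    7: Card("TCC2P"),
    8: Card("XC10G"), 10: Card("XCVT"),
    3: Card("AIC-I"),
}

if __name__ == "__main__":
    for name, layout in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_shelf(layout) or "no problems")
    print(safe_to_remove(SAMPLE_OK, 7))
    print(safe_to_remove(SAMPLE_OK, 11))
```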
Table 1-34 ONS 15454 Software and Hardware Compatibility—XC [1] and XCVT Configurations
(FC = Fully compatible, PS = Partially supported, NS = Not supported)
Hardware | Shelf Assembly [2] | 4.6.0x (4.6) | 5.0.0x (5.0) | 6.0.0x (6.0) | 7.0.0x (7.0) | 7.2.0x (7.2) | 8.0.0x (8.0) | 8.5.0x (8.5) | 9.0.0x (9.0) | 9.1.0x (9.1)
TCC2 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
TCC2P | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
AIC | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
AIC-I | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS1-14 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS1N-14 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS1/E1-56 | SA-HD | NS | NS | FC | FC | FC | FC | FC | FC | FC
DS3-12 [3] | All | FC | FC | PS | PS | PS | PS | PS | PS | PS
DS3N-12 | All | FC | FC | PS | PS | PS | PS | PS | PS | PS
DS3i-N-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3-12E | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3N-12E | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3XM-6 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3XM-12 | SA-HD and SA-ANSI | NS | FC | FC | FC | FC | FC | FC | FC | FC
EC1-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
E100T-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
E1000-2 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
E100T-12-G | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
E1000-2-G | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
G1000-4 | All | FC | FC | PS | PS | PS | NS | NS | NS | NS
G1K-4 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
ML100T-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
ML1000-2 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
ML100X-8 | All | NS | NS | FC | FC | FC | FC | FC | FC | FC
ML-MR-10 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
CE-MR-10 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
CE-100T-8 | All | NS | FC | FC | FC | FC | FC | FC | FC | FC
CE-1000-4 | SA-HD and SA-ANSI | NS | NS | NS | FC | FC | FC | FC | FC | FC
OC3 IR 4/STM1 SH 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC3IR/STM1SH 1310-8 | All | NS | NS | NS | NS | NS | NS | NS | NS | NS
OC12 IR 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC12 IR/4 1310 | All | NS | NS | NS | NS | NS | NS | NS | NS | NS
OC12 LR 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC12 LR 1550 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC48 IR 1310 | All | FC | FC | FC | PS | PS | NS | PS | PS | PS
OC48 LR 1550 | All | FC | FC | FC | PS | PS | PS | PS | PS | PS
OC48 ELR DWDM | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC48 IR/STM16 SH AS 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC48 LR/STM16 LH AS 1550 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC192 SR/STM64 IO 1310 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
OC192 IR/STM64 SH 1550 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
OC192 LH/STM64 LH 1550 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
OC192 LR/STM64 LH ITU 15xx.xx | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
FC_MR-4 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
MRC-12 [4] | All | NS | NS | FC | FC | FC | FC | FC | FC | FC
MRC-2.5G-4 [4] | All | NS | NS | NS | NS | NS | FC | FC | FC | FC
OC192SR1/STM64IO Short Reach/OC192/STM64 Any Reach [5] | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
1. The XC card does not support features new to Release 5.0 and greater.
2. The shelf assemblies supported are 15454-SA-HD, 15454-SA-ANSI, and 15454-NEBS3E.
3. The DS3 card with part number 87-31-0001 does not work in Cisco ONS 15454 R8.0 and later.
4. Slots 1 to 4 and 14 to 17 give a total bandwidth of up to 622 Mb/s. Slots 5, 6, 12, and 13 give a total bandwidth of up to 2.5 Gb/s.
5. These cards are designated as OC192-XFP in CTC.

Table 1-35 shows ONS 15454 software and hardware compatibility for systems configured with XC10G or XC-VXC-10G cards for Releases 4.6, 4.7, 5.0, 6.0, 7.0, 7.2, 8.0, 8.5, and 9.0. The 15454-SA-ANSI or 15454-SA-HD shelf assembly is required to operate the XC10G or XC-VXC-10G card. XC-VXC-10G is only supported from Release 6.0. Refer to the older ONS 15454 documentation for compatibility with older software releases.

Note: Release 4.7 is for MSTP only. The cards supported in Release 4.7 are TCC2, TCC2P, AIC, and AIC-I.

Note: Partially supported: once a card has reached End of Life (EOL), new features are not supported for the card; bug fixes, however, are still available.

Table 1-35 ONS 15454 Software and Hardware Compatibility—XC10G and XC-VXC-10G Configurations
(FC = Fully compatible, PS = Partially supported, NS = Not supported)
Hardware | Shelf Assembly [1] | 4.6.0x (4.6) | 5.0.0x (5.0) | 6.0.0x (6.0) | 7.0.0x (7.0) | 7.2.0x (7.2) | 8.0.0x (8.0) | 8.5.0.x (8.5) | 9.0.0.x (9.0) | 9.1.0.x (9.1)
TCC2 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
TCC2P | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
XC10G | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
AIC | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
AIC-I | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS1-14 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS1N-14 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS1/E1-56 | SA-HD | NS | NS | FC | FC | FC | FC | FC | FC | FC
DS3-12 [2] | All | FC | FC | PS | PS | PS | PS | PS | PS | PS
DS3N-12 | All | FC | FC | PS | PS | PS | PS | PS | PS | PS
DS3i-N-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3-12E | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3N-12E | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3/EC1-48 [1] | SA-HD | NS | FC | FC | FC | FC | FC | FC | FC | FC
DS3XM-6 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
DS3XM-12 | SA-HD and SA-ANSI | NS | FC | FC | FC | FC | FC | FC | FC | FC
EC1-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
SVC-RAN | SA-HD and SA-ANSI | NS | NS | NS | NS | FC | NS | NS | NS | NS
E100T | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
E1000 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | NS | NS | NS
E100T-12-G | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
E1000-2-G | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
G1000-4 | All | FC | FC | PS | PS | PS | NS | NS | NS | NS
G1K-4 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
ML100T-12 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
ML1000-2 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
ML100X-8 | All | NS | NS | FC | FC | FC | FC | FC | FC | FC
ML-MR-10 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | FC | FC | FC
CE-MR-10 | SA-HD and SA-ANSI | NS | NS | NS | NS | NS | NS | FC | FC | FC
CE-100T-8 | All | NS | FC | FC | FC | FC | FC | FC | FC | FC
CE-1000-4 | SA-HD and SA-ANSI | NS | NS | NS | FC | FC | FC | FC | FC | FC
OC3 IR 4/STM1 SH 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC3IR/STM1SH 1310-8 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC12/STM4-4 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC12 IR 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC12 LR 1310 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC12 LR 1550 | All | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC48 IR 1310 | All | FC | FC | FC | PS | PS | NS | PS | PS | PS
OC48 LR 1550 | All | FC | FC | FC | PS | PS | PS | PS | PS | PS
OC48 IR/STM16 SH AS 1310 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC48 LR/STM16 LH AS 1550 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC192 SR/STM64 IO 1310 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC192 IR/STM64 SH 1550 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC192 LH/STM64 LH 1550 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
OC192 LR/STM64 LH ITU 15xx.xx | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
FC_MR-4 | SA-HD and SA-ANSI | FC | FC | FC | FC | FC | FC | FC | FC | FC
MRC-12 [3] | All | NS | NS | FC | FC | FC | FC | FC | FC | FC
MRC-2.5G-4 | All | NS | NS | NS | NS | NS | FC | FC | FC | FC
OC192SR1/STM64IO Short Reach/OC192/STM64 Any Reach [4] | SA-HD and SA-ANSI | NS | NS | FC | FC | FC | FC | FC | FC | FC
1. The shelf assemblies supported are 15454-SA-HD and 15454-SA-ANSI.
2. The DS3 card with part number 87-31-0001 does not work in Cisco ONS 15454 R8.0 and later.
3. Slots 1 to 4 and 14 to 17 give a total bandwidth of up to 2.5 Gb/s. Slots 5, 6, 12, and 13 give a total bandwidth of up to 10 Gb/s.
4. These cards are designated as OC192-XFP in CTC.

If an upgrade is required for compatibility, contact the Cisco Technical Assistance Center (TAC). For contact information, go to http://www.cisco.com/tac.

Chapter 2 Common Control Cards

Note: The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.
This chapter describes Cisco ONS 15454 common control card functions. For installation and turn-up procedures, refer to the Cisco ONS 15454 Procedure Guide. Chapter topics include:

• 2.1 Common Control Card Overview, page 2-1
• 2.2 TCC2 Card, page 2-7
• 2.3 TCC2P Card, page 2-11
• 2.4 TCC3 Card, page 2-16
• 2.5 XCVT Card, page 2-16
• 2.6 XC10G Card, page 2-20
• 2.7 XC-VXC-10G Card, page 2-24
• 2.8 AIC-I Card, page 2-29

2.1 Common Control Card Overview

The card overview section summarizes card functions and compatibility. Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. See the “1.19.1 Card Slot Requirements” section on page 1-75 for a list of slots and symbols.

2.1.1 Cards Summary

Table 2-1 lists the common control cards for the Cisco ONS 15454 and summarizes card functions.

Table 2-1 Common Control Card Functions

| Card | Description | For Additional Information... |
|---|---|---|
| TCC2 | The Advanced Timing, Communications, and Control (TCC2) card is the main processing center for the ONS 15454 and provides system initialization, provisioning, alarm reporting, maintenance, and diagnostics. It has additional features including supply voltage monitoring, support for up to 84 data communications channel/generic communications channel (DCC/GCC) terminations, and an on-card lamp test. | See the “2.2 TCC2 Card” section on page 2-7. |
| TCC2P | The Advanced Timing, Communications, and Control Plus (TCC2P) card is the main processing center for the ONS 15454 and provides system initialization, provisioning, alarm reporting, maintenance, and diagnostics. It also provides supply voltage monitoring, support for up to 84 DCC/GCC terminations, and an on-card lamp test. This card also has Ethernet security features and 64K composite clock building integrated timing supply (BITS) timing. | See the “2.3 TCC2P Card” section on page 2-11. |
| TCC3 | The Timing Communications Control Three (TCC3) card is an enhanced version of the TCC2P card. The primary enhancements include the increase in memory size and compact flash space. | See the “2.4 TCC3 Card” section on page 2-16. |
| XCVT | The Cross Connect Virtual Tributary (XCVT) card is the central element for switching; it establishes connections and performs time-division switching (TDS). The XCVT can manage STS and Virtual Tributary (VT) circuits up to 48c. | See the “2.5 XCVT Card” section on page 2-16. |
| XC10G | The 10 Gigabit Cross Connect (XC10G) card is the central element for switching; it establishes connections and performs TDS. The XC10G can manage STS and VT circuits up to 192c. The XC10G allows up to four times the bandwidth of XC and XCVT cards. | See the “2.6 XC10G Card” section on page 2-20. |
| XC-VXC-10G | The 10 Gigabit Cross Connect Virtual Tributary/Virtual Container (XC-VXC-10G) card serves as the switching matrix for the Cisco 15454 ANSI multiservice platform. The module operates as a superset of the XCVT or XC10G cross-connect module. The XC-VXC-10G card provides a maximum of 1152 STS-1 or 384 VC4 cross-connections and supports cards with speeds up to 10 Gbps. | See the “2.7 XC-VXC-10G Card” section on page 2-24. |
| AIC-I | The Alarm Interface Card–International (AIC-I) provides customer-defined (environmental) alarms with its additional input/output alarm contact closures. It also provides orderwire, user data channels, and supply voltage monitoring. | See the “2.8 AIC-I Card” section on page 2-29. |
| AEP | The alarm expansion panel (AEP) board provides 48 dry alarm contacts: 32 inputs and 16 outputs. It can be used with the AIC-I card. | See the “1.12 Alarm Expansion Panel” section on page 1-56. |

2.1.2 Card Compatibility

Table 2-2 lists the Cisco Transport Controller (CTC) software release compatibility for each common-control card. In the tables below, “Yes” means cards are compatible with the listed software versions. Table cells with dashes mean cards are not compatible with the listed software versions.

Table 2-2 Common-Control Card Software Release Compatibility

| Card | R3.3 | R3.4 | R4.0 | R4.1 | R4.5 | R4.6 | R4.7 | R5.0 | R6.0 | R7.0 | R7.2 | R8.0 | R8.5 | R9.0 | R9.1 | R9.2 | R9.2.1 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TCC+ | Yes | Yes | Yes | Yes | — | — | — | — | — | — | — | — | — | — | — | — | — |
| TCC2 | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| TCC2P | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| TCC3 (1) | — | — | — | — | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes |
| XC | Yes | Yes | Yes | Yes | — | Yes | — | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2) |
| XCVT | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| XC10G | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| XC-VXC-10G | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| AIC | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| AIC-I | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| AEP | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

1. The TCC3 card is backward compatible with software Release 9.1 and earlier releases. In Release 9.1 and earlier releases, the TCC3 card boots up as the TCC2P card in the Cisco ONS 15454 DWDM systems.
2. The XC card does not support features new to Release 5.0 and later.

2.1.3 Cross-Connect Card Compatibility

The following tables list the compatible cross-connect cards for each Cisco ONS 15454 common-control card. The tables are organized according to type of common-control card. In the tables below, “Yes” means cards are compatible with the listed cross-connect card. Table cells with dashes mean cards are not compatible with the listed cross-connect card.

Table 2-3 lists the cross-connect card compatibility for each common-control card.

Table 2-3 Common-Control Card Cross-Connect Compatibility

| Card | XCVT Card | XC10G Card (1) | XC-VXC-10G Card (1) |
|---|---|---|---|
| TCC+ (2) | Yes | Yes | — |
| TCC2 | Yes | Yes | Yes |
| TCC2P | Yes | Yes | Yes |
| TCC3 | Yes | Yes | Yes |
| XC | — (3) | — (3) | — (3) |
| XCVT | Yes | — (3) | — (3) |
| XC10G | — (3) | Yes | — (3) |
| XC-VXC-10G | — (3) | — (3) | Yes |
| AIC-I | Yes | Yes | Yes |
| AEP | Yes | Yes | Yes |

1. Requires SA-ANSI or SA-HD shelf assembly.
2. The TCC+ is not compatible with Software R4.5 or greater.
3. These cross-connect cards are compatible only during an upgrade.

Table 2-4 lists the cross-connect card compatibility for each electrical card. For electrical card software compatibility, see Table 3-2 on page 3-3.

Note: The XC card is compatible with most electrical cards, with the exception of the DS3i-N-12, DS3/EC1-48, DS1/E1-56, and transmux cards, but does not support features new to Release 5.0 and later.

Table 2-4 Electrical Card Cross-Connect Compatibility

| Electrical Card | XCVT Card | XC10G Card (1) | XC-VXC-10G Card (1) |
|---|---|---|---|
| EC1-12 | Yes | Yes | Yes |
| DS1-14 | Yes | Yes | Yes |
| DS1N-14 | Yes | Yes | Yes |
| DS3-12 | Yes | Yes | Yes |
| DS3N-12 | Yes | Yes | Yes |
| DS3-12E | Yes | Yes | Yes |
| DS3N-12E | Yes | Yes | Yes |
| DS3/EC1-48 | — | Yes | Yes |
| DS3XM-6 (Transmux) | Yes | Yes | Yes |
| DS3XM-12 (Transmux) | Yes | Yes | Yes |
| DS3i-N-12 | Yes | Yes | Yes |
| DS1/E1-56 | Yes | Yes | Yes |

1. Requires a 15454-SA-ANSI or 15454-SA-HD shelf assembly.

Table 2-5 lists the cross-connect card compatibility for each optical card. For optical card software compatibility, see Table 4-2 on page 4-5.

Note: The XC card is compatible with most optical cards, with the exception of those cards noted as incompatible with the XCVT card, but does not support features new to Release 5.0 and later.

Table 2-5 Optical Card Cross-Connect Compatibility

| Optical Card | XCVT Card | XC10G Card (1) | XC-VXC-10G Card (1) |
|---|---|---|---|
| OC3 IR 4 1310 | Yes | Yes | Yes |
| OC3 IR 4/STM1 SH 1310 | Yes | Yes | Yes |
| OC3 IR/STM1 SH 1310-8 | — | Yes | Yes |
| OC12 IR 1310 | Yes | Yes | Yes |
| OC12 LR 1310 | Yes | Yes | Yes |
| OC12 LR 1550 | Yes | Yes | Yes |
| OC12 IR/STM4 SH 1310 | Yes | Yes | Yes |
| OC12 LR/STM4 LH 1310 | Yes | Yes | Yes |
| OC12 LR/STM4 LH 1550 | Yes | Yes | Yes |
| OC12 IR/STM4 SH 1310-4 | — | Yes | Yes |
| OC48 LR 1550 | Yes | Yes | Yes |
| OC48 IR/STM16 SH AS 1310 | Yes (2) | Yes | Yes |
| OC48 LR/STM16 LH AS 1550 | Yes (2) | Yes | Yes |
| OC48 ELR/STM16 EH 100 GHz | Yes | Yes | Yes |
| OC48 ELR 200 GHz | Yes | Yes | Yes |
| OC192 SR/STM64 IO 1310 | — | Yes | Yes |
| OC192 IR/STM64 SH 1550 | — | Yes | Yes |
| OC192 LR/STM64 LH 1550 | — | Yes | Yes |
| OC192 LR/STM64 LH ITU 15xx.xx | — | Yes | Yes |
| OC192SR1/STM64 IO Short Reach and OC192/STM64 Any Reach (OC192-XFP cards) | — | Yes | Yes |
| 15454_MRC-12 | Yes | Yes | Yes |
| MRC-2.5G-4 | Yes | Yes | Yes |

1. Requires a 15454-SA-ANSI or 15454-SA-HD shelf assembly.
2. Requires Software Release 3.2 and later in Slots 5, 6, 12, 13.

Table 2-6 lists the cross-connect card compatibility for each Ethernet card. For Ethernet card software compatibility, see Table 5-2 on page 5-3.

Note: The XC card is compatible with most Ethernet cards, with the exception of the G1000-4, but does not support features new to Release 5.0 and later.

Table 2-6 Ethernet Card Cross-Connect Compatibility

| Ethernet Cards | XCVT Card | XC10G Card (1) | XC-VXC-10G Card (1) |
|---|---|---|---|
| E100T-12 | Yes | — | — |
| E1000-2 | Yes | — | — |
| E100T-G | Yes | Yes | Yes |
| E1000-2-G | Yes | Yes | Yes |
| G1K-4 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes |
| ML100T-12 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes |
| ML1000-2 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes |
| ML-MR-10 | No | Yes | Yes |
| ML100X-8 | Yes, in Slots 5, 6, 12, 13 | Yes | Yes |
| CE-100T-8 | Yes | Yes | Yes |
| CE-1000-4 | Yes | Yes | Yes |
| CE-MR-10 | No | Yes | Yes |

1. Requires a 15454-SA-ANSI or 15454-SA-HD shelf assembly.

Table 2-7 lists the cross-connect card compatibility for each storage area network (SAN) card. For SAN card software compatibility, see the “6.1.3 FC_MR-4 Compatibility” section on page 6-4.

Table 2-7 SAN Card Cross-Connect Compatibility

| SAN Cards | XCVT Card | XC10G Card (1) | XC-VXC-10G Card (1) |
|---|---|---|---|
| FC_MR-4 | Yes | Yes | Yes |

1. Requires SA-ANSI or SA-HD shelf assembly.

2.2 TCC2 Card

Note: For hardware specifications, see the “A.4.1 TCC2 Card Specifications” section on page A-12.

The TCC2 card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET section overhead (SOH) DCC/GCC termination, and system fault detection for the ONS 15454. The TCC2 also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system.

Note: The TCC2 card requires Software Release 4.0.0 or later.

Note: The LAN interface of the TCC2 card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from –40 to 32 degrees Fahrenheit (–40 to 0 degrees Celsius).

Figure 2-1 shows the faceplate and block diagram for the TCC2 card.

Figure 2-1 TCC2 Card Faceplate and Block Diagram

2.2.1 TCC2 Card Functionality

The TCC2 card supports multichannel, high-level data link control (HDLC) processing for the DCC. Up to 84 DCCs can be routed over the TCC2 card and up to 84 section DCCs can be terminated at the TCC2 card (subject to the available optical digital communication channels). The TCC2 card selects and processes 84 DCCs to facilitate remote system management interfaces.
[Figure 2-1 block diagram labels: faceplate LEDs (FAIL, PWR A, PWR B, ACT/STBY, ACO, CRIT, MAJ, MIN, REM, SYNC), LAMP and ACO buttons, RS-232 and TCP/IP ports; Ethernet repeater with mate TCC2 Ethernet port, backplane Ethernet port (shared with mate TCC2) and faceplate Ethernet port; SDRAM memory and compact flash; FPGA; TCCA ASIC; SCL processor with SCL links to all cards; RS-232 craft interface with backplane RS-232 port (shared with mate TCC2) and faceplate RS-232 port, of which only one can be active, the backplane port superseding the faceplate port; HDLC message bus and mate TCC2 HDLC link; modem interface (not used); 400 MHz communications processor (SCC1–SCC4, MCC1, MCC2, FCC1, FCC2); DCC processor; system timing with BITS input/output and reference clocks to all I/O slots; –48V PWR monitors; real time clock]

The TCC2 card also originates and terminates a cell bus carried over the module. The cell bus supports links between any two cards in the node, which is essential for peer-to-peer communication. Peer-to-peer communication accelerates protection switching for redundant cards.

The node database, IP address, and system software are stored in TCC2 card nonvolatile memory, which allows quick recovery in the event of a power or card failure.

The TCC2 card performs all system-timing functions for each ONS 15454. The TCC2 monitors the recovered clocks from each traffic card and two BITS ports (DS1, 1.544 MHz) for frequency accuracy. The TCC2 selects a recovered clock, a BITS, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TCC2 to synchronize with the recovered clock, which provides holdover if the reference is lost.

The TCC2 monitors both supply voltage inputs on the shelf. An alarm is generated if one of the supply voltage inputs has a voltage out of the specified range.

Install TCC2 cards in Slots 7 and 11 for redundancy. If the active TCC2 fails, traffic switches to the protect TCC2. All TCC2 protection switches conform to protection switching standards when the bit error rate (BER) counts are not in excess of 1 x 10^-3 and completion time is less than 50 ms.

The TCC2 card has two built-in interface ports for accessing the system: an RJ-45 10BaseT LAN interface and an EIA/TIA-232 ASCII interface for local craft access. It also has a 10BaseT LAN port for user interfaces over the backplane.

Note: When using the LAN RJ-45 craft interface or back panel wirewrap LAN connection, the connection must be 10BASE-T, half duplex. Full duplex and autonegotiate settings should not be used because they might result in a loss of visibility to the node.

Note: Cisco does not support operation of the ONS 15454 with only one TCC2 card. For full functionality and to safeguard your system, always operate with two TCC2 cards.

Note: When a second TCC2 card is inserted into a node, it synchronizes its software, its backup software, and its database with the active TCC2. If the software version of the new TCC2 does not match the version on the active TCC2, the newly inserted TCC2 copies from the active TCC2, taking about 15 to 20 minutes to complete. If the backup software version on the new TCC2 does not match the version on the active TCC2, the newly inserted TCC2 copies the backup software from the active TCC2 again, taking about 15 to 20 minutes. Copying the database from the active TCC2 takes about 3 minutes. Depending on the software version and backup version the new TCC2 started with, the entire process can take between 3 and 40 minutes.

2.2.2 TCC2 Card-Level Indicators

The TCC2 faceplate has ten LEDs. Table 2-8 describes the two card-level LEDs on the TCC2 card faceplate.

Table 2-8 TCC2 Card-Level Indicators

| Card-Level LEDs | Definition |
|---|---|
| Red FAIL LED | This LED is on during reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists. |
| ACT/STBY LED, Green (Active), Amber (Standby) | Indicates the TCC2 is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC2 is writing to its database or to the standby TCC2 database, the card LEDs blink. To avoid memory corruption, do not remove the TCC2 when the active or standby LED is blinking. |

2.2.3 Network-Level Indicators

Table 2-9 describes the six network-level LEDs on the TCC2 faceplate.

Table 2-9 TCC2 Network-Level Indicators

| System-Level LEDs | Definition |
|---|---|
| Red CRIT LED | Indicates critical alarms in the network at the local terminal. |
| Red MAJ LED | Indicates major alarms in the network at the local terminal. |
| Amber MIN LED | Indicates minor alarms in the network at the local terminal. |
| Red REM LED | Provides first-level alarm isolation. The remote (REM) LED turns red when an alarm is present in one or more of the remote terminals. |
| Green SYNC LED | Indicates that node timing is synchronized to an external reference. |
| Green ACO LED | After pressing the alarm cutoff (ACO) button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset. |

2.2.4 Power-Level Indicators

Table 2-10 describes the two power-level LEDs on the TCC2 faceplate.
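The PWR A and PWR B LED rules that Table 2-10 (and the identical Table 2-13 for the TCC2P) state in words amount to a four-threshold band classifier. The following Python is an added example written for this page, not Cisco code: the threshold names are the manual's, but the numeric values in DEMO_THRESHOLDS are constructed placeholders rather than ONS 15454 defaults, voltages are compared as magnitudes of the –48 V feed, and a reading exactly on a threshold is assigned to the milder band; those last two points are assumptions the manual does not state. The ordering check is included because a misprovisioned threshold set (for example HIBATVG below LWBATVG) would otherwise leave the green band empty and mask the very condition the LED is meant to show.

```python
"""LED state for one ONS 15454 supply input (PWR A / PWR B), as Tables 2-10 and 2-13 describe.

Added example, not Cisco code. Threshold names are the manual's; the numeric
values in DEMO_THRESHOLDS are constructed placeholders, not ONS 15454 defaults.
Assumptions the manual does not state: voltages are handled as magnitudes of
the -48 V feed, and a reading exactly on a threshold belongs to the milder band.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BatteryThresholds:
    """Provisioned battery-voltage thresholds, magnitudes in volts."""
    elwbatvg: float  # extremely low battery voltage
    lwbatvg: float   # low battery voltage
    hibatvg: float   # high battery voltage
    ehibatvg: float  # extremely high battery voltage

    def is_ordered(self) -> bool:
        # The bands only make sense if the thresholds strictly increase;
        # a misordered set would leave the green band empty or overlap amber with red.
        return self.elwbatvg < self.lwbatvg < self.hibatvg < self.ehibatvg


# Constructed placeholder values for demonstration only (not Cisco defaults).
DEMO_THRESHOLDS = BatteryThresholds(elwbatvg=40.5, lwbatvg=44.0, hibatvg=54.0, ehibatvg=56.5)


def pwr_led_state(voltage: float, t: BatteryThresholds = DEMO_THRESHOLDS) -> str:
    """Return 'green', 'amber' or 'red' for one supply input.

    green: between LWBATVG and HIBATVG
    amber: between HIBATVG and EHIBATVG, or between ELWBATVG and LWBATVG
    red:   above EHIBATVG or below ELWBATVG
    """
    if not t.is_ordered():
        raise ValueError("thresholds must satisfy ELWBATVG < LWBATVG < HIBATVG < EHIBATVG")
    v = abs(voltage)  # accept -48.0 or 48.0 (assumption: the magnitude is what is compared)
    if t.lwbatvg <= v <= t.hibatvg:
        return "green"
    if t.elwbatvg <= v <= t.ehibatvg:
        return "amber"  # outside the green band but still inside the extreme limits
    return "red"


def shelf_power_status(readings: dict, t: BatteryThresholds = DEMO_THRESHOLDS) -> tuple:
    """Evaluate both supply inputs. Returns (per-input LED states, alarm flag).

    The manual says an alarm is generated when a supply input is out of the
    specified range; here any non-green input raises the flag (assumption).
    """
    states = {name: pwr_led_state(v, t) for name, v in readings.items()}
    return states, any(s != "green" for s in states.values())


if __name__ == "__main__":
    # Constructed sample readings: input A healthy, input B above EHIBATVG.
    print(shelf_power_status({"A": -48.0, "B": -58.0}))
```

The classifier tests the green band first and the extreme limits second, so each reading is examined against the smallest number of thresholds that decide its colour; the same ordering makes the boundary assumption explicit in one place.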
Table 2-10 TCC2 Power-Level Indicators

| Power-Level LEDs | Definition |
|---|---|
| Green/Amber/Red PWR A LED | The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above extremely high battery voltage or below extremely low battery voltage thresholds. |
| Green/Amber/Red PWR B LED | The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above extremely high battery voltage or below extremely low battery voltage thresholds. |

2.3 TCC2P Card

Note: For hardware specifications, see the “A.4.2 TCC2P Card Specifications” section on page A-13.

The TCC2P card is an enhanced version of the TCC2 card. For Software Release 5.0 and later, the primary enhancements are Ethernet security features and 64K composite clock BITS timing. It also supports E1 SDH external timing sources so that a SONET shelf can be deployed in a network using SDH timing. SDH timing is typically used when the SONET platform is deployed for AU3 SDH applications.

The TCC2P card performs system initialization, provisioning, alarm reporting, maintenance, diagnostics, IP address detection/resolution, SONET SOH DCC/GCC termination, and system fault detection for the ONS 15454. The TCC2P card also ensures that the system maintains Stratum 3 (Telcordia GR-253-CORE) timing requirements. It monitors the supply voltage of the system.

The TCC2P card supports multi-shelf management. The TCC2P card acts as a shelf controller and node controller for the ONS 15454. The TCC2P card supports up to 12 subtended shelves through the MSM-ISC card or external switch. In a multi-shelf configuration, the TCC2P card allows the ONS 15454 node to be a node controller if an M6 shelf is subtended to it.

Note: The LAN interface of the TCC2P card meets the standard Ethernet specifications by supporting a cable length of 328 ft (100 m) at temperatures from 32 to 149 degrees Fahrenheit (0 to 65 degrees Celsius). The interfaces can operate with a cable length of 32.8 ft (10 m) maximum at temperatures from –40 to 32 degrees Fahrenheit (–40 to 0 degrees Celsius).

Figure 2-2 shows the faceplate and block diagram for the TCC2P card.

Figure 2-2 TCC2P Faceplate and Block Diagram

2.3.1 TCC2P Functionality

The TCC2P card supports multichannel, high-level data link control (HDLC) processing for the DCC. Up to 84 DCCs can be routed over the TCC2P card and up to 84 section DCCs can be terminated at the TCC2P card (subject to the available optical digital communication channels). The TCC2P selects and processes 84 DCCs to facilitate remote system management interfaces.
[Figure 2-2 block diagram labels: faceplate LEDs (FAIL, PWR A, PWR B, ACT/STBY, ACO, CRIT, MAJ, MIN, REM, SYNC), LAMP and ACO buttons, RS-232 and TCP/IP ports; Ethernet switch and Ethernet PHY with mate TCC2 Ethernet port, backplane Ethernet port (shared with mate TCC2) and faceplate Ethernet port; SDRAM memory and compact flash; FPGA; TCCA ASIC; SCL processor with SCL links to all cards; RS-232 craft interface with backplane RS-232 port (shared with mate TCC2) and faceplate RS-232 port, of which only one can be active, the backplane port superseding the faceplate port; HDLC message bus and mate TCC2 HDLC link; modem interface (not used); 400 MHz communications processor (SCC1–SCC4, SMC1, MCC1, MCC2, FCC1, FCC2); DCC processor; system timing with BITS input/output and reference clocks to all I/O slots; –48V PWR monitors; real time clock]

The TCC2P card also originates and terminates a cell bus carried over the module. The cell bus supports links between any two cards in the node, which is essential for peer-to-peer communication. Peer-to-peer communication accelerates protection switching for redundant cards.

The node database, IP address, and system software are stored in TCC2P card nonvolatile memory, which allows quick recovery in the event of a power or card failure.

The TCC2P card monitors both supply voltage inputs on the shelf. An alarm is generated if one of the supply voltage inputs has a voltage out of the specified range.

Install TCC2P cards in Slots 7 and 11 for redundancy. If the active TCC2P card fails, traffic switches to the protect TCC2P card. All TCC2P card protection switches conform to protection switching standards when the BER counts are not in excess of 1 x 10^-3 and completion time is less than 50 ms.

The TCC2P card has two built-in Ethernet interface ports for accessing the system: one built-in RJ-45 port on the front faceplate for on-site craft access and a second port on the backplane. The rear Ethernet interface is for permanent LAN access and all remote access via TCP/IP as well as for Operations Support System (OSS) access. The front and rear Ethernet interfaces can be provisioned with different IP addresses using CTC. Two EIA/TIA-232 serial ports, one on the faceplate and a second on the backplane, allow for craft interface in TL1 mode.

Note: To use the serial port craft interface wire-wrap pins on the backplane, the DTR signal line on the backplane port wire-wrap pin must be connected and active.

Note: When using the LAN RJ-45 craft interface or back panel wirewrap LAN connection, the connection must be 10BASE-T, half duplex. Full duplex and autonegotiate settings should not be used because they might result in a loss of visibility to the node.

Note: Cisco does not support operation of the ONS 15454 with only one TCC2P card. For full functionality and to safeguard your system, always operate with two TCC2P cards.

Note: When a second TCC2P card is inserted into a node, it synchronizes its software, its backup software, and its database with the active TCC2P card. If the software version of the new TCC2P card does not match the version on the active TCC2P card, the newly inserted TCC2P card copies from the active TCC2P card, taking about 15 to 20 minutes to complete. If the backup software version on the new TCC2P card does not match the version on the active TCC2P card, the newly inserted TCC2P card copies the backup software from the active TCC2P card again, taking about 15 to 20 minutes. Copying the database from the active TCC2P card takes about 3 minutes. Depending on the software version and backup version the new TCC2P card started with, the entire process can take between 3 and 40 minutes.
2.3.1.1 System Timing Functions

The TCC2P card performs all system-timing functions for each ONS 15454. The TCC2P card monitors the recovered clocks from each traffic card and two BITS ports (BITS_IN_A and BITS_IN_B) for frequency accuracy. The TCC2P card selects a recovered clock, a BITS clock, or an internal Stratum 3 reference as the system-timing reference. You can provision any of the clock inputs as primary or secondary timing sources. A slow-reference tracking loop allows the TCC2P card to synchronize with the recovered clock, which provides holdover if the reference is lost.

The minimum free-run accuracy, holdover stability, pull-in, and hold-in characteristics are as defined in ITU-T G.813 option I in Sections 5, 6, and 10, ITU-T G.811 Section 5, and ITU-T G.812 Sections 6 and 7, as well as in ANSI EN 300 462-5-1.

Note: If SDH timing is selected (see the “2.3.1.1.2 SDH Timing Operation” section on page 2-14), it is not possible to select an E1 or DS1 port from the DS1/E1-56 high-density card as a timing reference.

2.3.1.1.1 SONET Timing Operation

The TCC2P card supports a 64 kHz + 8 kHz composite clock BITS input (BITS IN) as well as a 6.312-MHz BITS OUT clock. The BITS clock on the system is configurable as DS1 (default), 1.544 MHz, or 64 kHz. The BITS OUT clock runs at a rate determined by the BITS IN clock, as follows:

• If BITS IN = DS1, then BITS OUT = DS1 (default)

A BITS output interface configured as 6.312 MHz complies with ITU-T G.703, Appendix II, Table II.4, with a monitor level of –40 dBm +/– 4 dBm.

2.3.1.1.2 SDH Timing Operation

The TCC2P card supports typical external E1 SDH timing sources so that the card can be provisioned to accept either an SDH or SONET timing standard. The initial default is for the card to use SONET timing; the default can be changed to SDH timing after the TCC2P card boots up. The BITS OUT clock runs at a rate determined by the BITS IN clock, as follows:

• If BITS IN = E1, then BITS OUT = E1
• If BITS IN = 2.048 MHz (square wave clock), then BITS OUT = 2.048 MHz (square wave clock)
• If BITS IN = 64 kHz, then BITS OUT = 6.312 MHz

The TCC2P card supports the E1 BITS OUT signal as defined in ITU-T G.703 Section 9, and the BITS OUT 2.048 MHz signal as defined in ITU-T G.703 Section 13. All of the BITS OUT signals meet the output signal criteria (including jitter and wander) as defined in ITU-T G.813 Sections 5 and 6, ITU-T G.811 Section 5, and ITU-T G.812, Section 6.

When SDH timing is selected, SDH Sync Status Messaging (SSM) is transmitted on the output ports and received on the input ports. SSM can be enabled or disabled. The following framing options are allowed when E1 2.048 MHz timing is selected:

• Frame Alignment Signal (FAS)
• Frame Alignment Signal plus Channel Associated Signal (FAS + CAS)
• Frame Alignment Signal plus Cyclic Redundancy Check (FAS + CRC)
• Frame Alignment Signal plus Channel Associated Signal plus Cyclic Redundancy Check (FAS + CAS + CRC)

2.3.2 TCC2P Card-Level Indicators

The TCC2P faceplate has ten LEDs. Table 2-11 describes the two card-level LEDs on the TCC2P faceplate.

Table 2-11 TCC2P Card-Level Indicators

| Card-Level LEDs | Definition |
|---|---|
| Red FAIL LED | This LED is on during reset. The FAIL LED flashes during the boot and write process. Replace the card if the FAIL LED persists. |
| ACT/STBY LED, Green (Active), Amber (Standby) | Indicates the TCC2P is active (green) or in standby (amber) mode. The ACT/STBY LED also provides the timing reference and shelf control. When the active TCC2P is writing to its database or to the standby TCC2P database, the card LEDs blink. To avoid memory corruption, do not remove the TCC2P when the active or standby LED is blinking. |

2.3.3 Network-Level Indicators

Table 2-12 describes the six network-level LEDs on the TCC2P faceplate.

Table 2-12 TCC2P Network-Level Indicators

| System-Level LEDs | Definition |
|---|---|
| Red CRIT LED | Indicates critical alarms in the network at the local terminal. |
| Red MAJ LED | Indicates major alarms in the network at the local terminal. |
| Amber MIN LED | Indicates minor alarms in the network at the local terminal. |
| Red REM LED | Provides first-level alarm isolation. The REM LED turns red when an alarm is present in one or more of the remote terminals. |
| Green SYNC LED | Indicates that node timing is synchronized to an external reference. |
| Green ACO LED | After pressing the ACO button, the ACO LED turns green. The ACO button opens the audible alarm closure on the backplane. ACO is stopped if a new alarm occurs. After the originating alarm is cleared, the ACO LED and audible alarm control are reset. |

2.3.4 Power-Level Indicators

Table 2-13 describes the two power-level LEDs on the TCC2P faceplate.

Table 2-13 TCC2P Power-Level Indicators

| Power-Level LEDs | Definition |
|---|---|
| Green/Amber/Red PWR A LED | The PWR A LED is green when the voltage on supply input A is between the low battery voltage (LWBATVG) and high battery voltage (HIBATVG) thresholds. The LED is amber when the voltage on supply input A is between the high battery voltage and extremely high battery voltage (EHIBATVG) thresholds or between the low battery voltage and extremely low battery voltage (ELWBATVG) thresholds. The LED is red when the voltage on supply input A is above extremely high battery voltage or below extremely low battery voltage thresholds. |
| Green/Amber/Red PWR B LED | The PWR B LED is green when the voltage on supply input B is between the low battery voltage and high battery voltage thresholds. The LED is amber when the voltage on supply input B is between the high battery voltage and extremely high battery voltage thresholds or between the low battery voltage and extremely low battery voltage thresholds. The LED is red when the voltage on supply input B is above extremely high battery voltage or below extremely low battery voltage thresholds. |

2.4 TCC3 Card

The Timing Communications Control Three (TCC3) card is an enhanced version of the TCC2P card. The primary enhancements include the increase in memory size and compact flash space. The TCC3 card boots up as a TCC2P card in older releases and as a TCC3 card from Release 9.2 onwards.

The TCC3 card supports multi-shelf management. The TCC3 card acts as a shelf controller and node controller for the ONS 15454. The TCC3 card supports up to 30 subtended shelves through the MSM-ISC card or external switch. In a multi-shelf configuration, the TCC3 card allows the ONS 15454 node to be a node controller if an M6 shelf is subtended to it. We recommend using the TCC3 card as a node controller when the number of subtended shelves exceeds four.

For more information on the TCC3 card, see the Cisco ONS 15454 DWDM Reference Manual, Release 9.2.

2.5 XCVT Card

Note: For hardware specifications, see the “A.4.3 XCVT Card Specifications” section on page A-14.

The Cross Connect Virtual Tributary (XCVT) card establishes connections at the STS-1 and VT levels. The XCVT provides STS-48 capacity to Slots 5, 6, 12, and 13, and STS-12 capacity to Slots 1 to 4 and 14 to 17. Any STS-1 on any port can be connected to any other port, meaning that the STS cross-connections are nonblocking.

Figure 2-3 shows the XCVT faceplate and block diagram.

Figure 2-3 XCVT Faceplate and Block Diagram
[Figure 2-3 block diagram labels: input ports and output ports on STS ASIC1 and STS ASIC2 (ports 0–5, 0–6 and 0–11), VT ASIC; faceplate LEDs FAIL and ACT/STBY]

2.5.1 XCVT Functionality

The STS-1 switch matrix on the XCVT card consists of 288 bidirectional ports and adds a VT matrix that can manage up to 336 bidirectional VT1.5 ports or the equivalent of a bidirectional STS-12. The VT1.5-level signals can be cross connected, dropped, or rearranged. The TCC2/TCC2P card assigns bandwidth to each slot on a per STS-1 or per VT1.5 basis. The switch matrices are fully crosspoint and broadcast supporting.

The XCVT card provides:

• 288 STS bidirectional ports
• 144 STS bidirectional cross-connects
• 672 VT1.5 ports via 24 logical STS ports
• 336 VT1.5 bidirectional cross-connects
• Nonblocking at the STS level
• STS-1/3c/6c/12c/48c cross-connects

The XCVT card works with the TCC2/TCC2P cards to maintain connections and set up cross-connects within the node. The cross-connect cards (such as the XCVT and XC10G), installed in Slots 8 and 10, are required to operate the ONS 15454. You can establish cross-connect (circuit) information through CTC. The TCC2/TCC2P cards establish the proper internal cross-connect information and relay the setup information to the XCVT card.

Caution: Do not operate the ONS 15454 with only one cross-connect card. Two cross-connect cards of the same type (two XCVT or two XC10G cards) must always be installed.

Figure 2-4 shows the cross-connect matrix.

Figure 2-4 XCVT Cross-Connect Matrix

[Figure 2-4 labels: input ports and output ports (4X STS-12/48, 8X STS-12); XCVT STS-1 cross-connect ASIC (288x288 STS-1); VT 1.5 cross-connect ASIC (VTXC), 336 bidirectional VT 1.5 cross-connects]

2.5.2 VT Mapping

The VT structure is designed to transport and switch payloads below the DS-3 rate. The ONS 15454 performs VT mapping according to Telcordia GR-253-CORE standards. Table 2-14 shows the VT numbering scheme for the ONS 15454 as it relates to the Telcordia standard.

Table 2-14 VT Mapping

| ONS 15454 VT Number | Telcordia Group/VT Number |
|---|---|
| VT1 | Group1/VT1 |
| VT2 | Group2/VT1 |
| VT3 | Group3/VT1 |
| VT4 | Group4/VT1 |
| VT5 | Group5/VT1 |
| VT6 | Group6/VT1 |
| VT7 | Group7/VT1 |
| VT8 | Group1/VT2 |
| VT9 | Group2/VT2 |
| VT10 | Group3/VT2 |
| VT11 | Group4/VT2 |
| VT12 | Group5/VT2 |
| VT13 | Group6/VT2 |
| VT14 | Group7/VT2 |
| VT15 | Group1/VT3 |
| VT16 | Group2/VT3 |
| VT17 | Group3/VT3 |
| VT18 | Group4/VT3 |
| VT19 | Group5/VT3 |
| VT20 | Group6/VT3 |
| VT21 | Group7/VT3 |
| VT22 | Group1/VT4 |
| VT23 | Group2/VT4 |
| VT24 | Group3/VT4 |
| VT25 | Group4/VT4 |
| VT26 | Group5/VT4 |
| VT27 | Group6/VT4 |
| VT28 | Group7/VT4 |

2.5.3 XCVT Hosting DS3XM-6 or DS3XM-12

A DS3XM card can demultiplex (map down to a lower rate) M13-mapped DS-3 signals into 28 DS-1s that are then mapped to VT1.5 payloads. The VT1.5s can then be cross-connected by the XCVT card. The XCVT card can host a maximum of 336 bidirectional VT1.5s.

2.5.4 XCVT Card-Level Indicators

Table 2-15 shows the two card-level LEDs on the XCVT card faceplate.

Table 2-15 XCVT Card-Level Indicators

| Card-Level Indicators | Definition |
|---|---|
| Red FAIL LED | Indicates that the card's processor is not ready. Replace the card if the red FAIL LED persists. |
| ACT/STBY LED, Green (Active), Amber (Standby) | Indicates whether the XCVT card is active and carrying traffic (green) or in standby mode to the active XCVT card (amber). |

2.6 XC10G Card

Note: For hardware specifications, see the “A.4.4 XC10G Card Specifications” section on page A-14.

The 10 Gigabit Cross Connect (XC10G) card establishes connections at the STS-1 and VT levels. The XC10G provides STS-192 capacity to Slots 5, 6, 12, and 13, and STS-48 capacity to Slots 1 to 4 and 14 to 17. The XC10G allows up to four times the bandwidth of the XCVT cards. The XC10G provides a maximum of 576 STS-1 cross-connections through 1152 STS-1 ports. Any STS-1 on any port can be connected to any other port, meaning that the STS cross-connections are nonblocking.

Figure 2-5 shows the XC10G faceplate and block diagram.

Figure 2-5 XC10G Faceplate and Block Diagram

2.6.1 XC10G Functionality

The XC10G card manages up to 672 bidirectional VT1.5 ports and 1152 bidirectional STS-1 ports. The TCC2/TCC2P cards assign bandwidth to each slot on a per STS-1 or per VT1.5 basis. Two cross-connect cards, installed in Slots 8 and 10, are required to operate the ONS 15454. You can establish cross-connect (circuit) information through the CTC. The cross-connect card establishes the proper internal cross-connect information and sends the setup information to the cross-connect card.
The XC10G card provides:
• 1152 STS bidirectional ports
• 576 STS bidirectional cross-connects
• 672 VT1.5 ports via 24 logical STS ports
• 336 VT1.5 bidirectional cross-connects
• Nonblocking at the STS level
• STS-1/3c/6c/12c/48c/192c cross-connects

Figure 2-5 XC10G Faceplate and Block Diagram (figure not reproduced: the block diagram shows Lines 1 to 8 and Spans 1 to 4 entering the cross-connect, the Main SCL and Protect SCL, Ref Clk A and Ref Clk B, the TCCA ASIC, SCL Link, uP, VT Cross-Connect Matrix, uP Interface, Matrix, FLASH, and RAM blocks on the backplane; the faceplate carries the FAIL and ACT/STBY LEDs)

Caution Do not operate the ONS 15454 with only one XCVT or XC10G card. Two cross-connect cards of the same type (either two XCVT or two XC10G cards) must always be installed.

Figure 2-6 shows the cross-connect matrix.

Figure 2-6 XC10G Cross-Connect Matrix (figure not reproduced: input ports 1 to 25 and output ports 1 to 25 reach the STS-1 cross-connect ASIC (1152x1152 STS-1) through 4X STS-192 and 8X STS-48 interfaces; the VT 1.5 cross-connect ASIC (VTXC) provides 336 bidirectional VT 1.5 cross-connects, and VT cross-connection occurs on the 25th port)

2.6.2 VT Mapping

The VT structure is designed to transport and switch payloads below the DS-3 rate. The ONS 15454 performs VT mapping according to Telcordia GR-253-CORE standards. Table 2-16 shows the VT numbering scheme for the ONS 15454 as it relates to the Telcordia standard.

Table 2-16 VT Mapping
ONS 15454 VT Number: Telcordia Group/VT Number
VT1: Group1/VT1
VT2: Group2/VT1
VT3: Group3/VT1
VT4: Group4/VT1
VT5: Group5/VT1
VT6: Group6/VT1
VT7: Group7/VT1
VT8: Group1/VT2
VT9: Group2/VT2
VT10: Group3/VT2
VT11: Group4/VT2
VT12: Group5/VT2
VT13: Group6/VT2
VT14: Group7/VT2
VT15: Group1/VT3
VT16: Group2/VT3
VT17: Group3/VT3
VT18: Group4/VT3
VT19: Group5/VT3
VT20: Group6/VT3
VT21: Group7/VT3
VT22: Group1/VT4
VT23: Group2/VT4
VT24: Group3/VT4
VT25: Group4/VT4
VT26: Group5/VT4
VT27: Group6/VT4
VT28: Group7/VT4

2.6.3 XC10G Hosting DS3XM-6 or DS3XM-12

A DS3XM card can demultiplex (map down to a lower rate) M13-mapped DS-3 signals into 28 DS-1s that are then mapped to VT1.5 payloads. The VT1.5s can then be cross-connected by the XC10G card. The XC10G card can host a maximum of 336 bidirectional VT1.5s.

2.6.4 XC10G Card-Level Indicators

Table 2-17 describes the two card-level LEDs on the XC10G faceplate.

Table 2-17 XC10G Card-Level Indicators
Card-Level Indicators: Definition
Red FAIL LED: Indicates that the card's processor is not ready. This LED illuminates during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active) / Amber (Standby): Indicates whether the XC10G is active and carrying traffic (green), or in standby mode to the active XC10G card (amber).

2.6.5 XCVT/XC10G/XC-VXC-10G Compatibility

The XC10G and XC-VXC-10G cards support the same features as the XCVT card. The XC10G or XC-VXC-10G cards are required for OC-192, OC-48 any-slot (AS), OC3-8, and OC12-4 operation. Do not use the XCVT card if you are using an OC-192, OC3-8, or OC12-4 card or if you install an OC-48 AS card in Slots 1 to 4 or 14 to 17.

Note A configuration mismatch alarm occurs when an XCVT cross-connect card co-exists with an OC-192, OC3-8, or OC12-4 card placed in Slots 5, 6, 12, or 13 or with an OC-48 card placed in Slots 1 to 4 or 14 to 17.

If you are using Ethernet cards, the E1000-2-G or the E100T-G must be used when the XC10G or XC-VXC-10G cross-connect card is in use. Do not pair an XCVT card with an XC10G or XC-VXC-10G card. When upgrading from an XCVT to the XC10G or XC-VXC-10G card, refer to the “Upgrade Cards and Spans” chapter in the Cisco ONS 15454 Procedure Guide for more information.

2.7 XC-VXC-10G Card

Note For hardware specifications, see the “A.4.5 XC-VXC-10G Card Specifications” section on page A-15.

The XC-VXC-10G card establishes connections at the STS and VT levels. The XC-VXC-10G provides STS-192 capacity to Slots 5, 6, 12, and 13, and STS-48 capacity to Slots 1 to 4 and 14 to 17. Any STS-1 on any port can be connected to any other port, meaning that the STS cross-connections are nonblocking. Figure 2-7 shows the XC-VXC-10G faceplate and block diagram.

2.7.1 XC-VXC-10G Functionality

The XC-VXC-10G card manages up to 1152 bidirectional high-order STS-1 ports. In addition, it is able to simultaneously manage one of the following low-order VT cross-connect arrangements:
• 2688 bidirectional VT1.5 low-order ports, or
• 2016 VT2 low-order ports, or
• 1344 bidirectional VT1.5 ports and 1008 bidirectional VT2 ports (mixed grooming)

The TCC2/TCC2P card assigns bandwidth to each slot on a per STS-1, per VT1.5, or per VT2 basis. The switch matrices are fully crosspoint and broadcast supporting.
Figure 2-7 XC-VXC-10G Faceplate and Block Diagram (figure not reproduced: the block diagram shows the backplane connectors, two IBPIA blocks, the STS-1 Cross Connect ASIC, TU Cross Connect ASIC, and VT Cross Connect ASIC, the TCCA, CPLD, CPU, DDR SDRAM, FPGA, FLASH, Clock FPGA, and EEPROM blocks, the SCL bus, the VT ports, and the AUX ports; the faceplate carries the FAIL and ACT/STBY LEDs)

At the STS level (high-order cross-connect), the XC-VXC-10G is always nonblocking: any STS-1 from the system can be cross-connected to any other STS-1 without limitation, up to 1152 bidirectional STS-1 ports (576 STS-1 cross-connects). In addition, for “mixed” VT1.5 and VT2 grooming, 50% of the available VT resources (ports) are allocated to each VT circuit type. The following three modes are supported (only one mode is available at a time):
• Mode 1: full VT1.5 cross-connect, which is 2688 bidirectional VT1.5 ports (1344 bidirectional VT1.5 cross-connects)
• Mode 2: full VT2 cross-connect, which is 2016 bidirectional VT2 ports (1008 bidirectional VT2 cross-connects)
• Mode 3 (mixed grooming): 50% VT1.5 and 50% VT2 XC, which is 1344 bidirectional VT1.5 ports and 1008 bidirectional VT2 ports (672 bidirectional VT1.5 and 504 bidirectional VT2 cross-connects)

The XC-VXC-10G card provides:
• 1152 STS bidirectional ports
• 576 STS bidirectional cross-connects
• 2688 VT1.5 ports via 96 logical STS ports
• 1344 VT1.5 bidirectional cross-connects
• 2016 VT2 ports via 96 logical STS ports
• 1008 VT2 bidirectional cross-connects
• Mixed grooming (50% VT1.5 and 50% VT2)
• Nonblocking at the STS level
• VT1.5, VT2, and STS-1/3c/6c/12c/48c/192c cross-connects

Note VT2 circuit provisioning works between optical cards and the DS3/EC1-48 card (EC1 ports, not the ports provisioned for DS3).

The XC-VXC-10G supports errorless side switches (switching from one XC-VXC-10G on one side of the shelf to the other XC-VXC-10G on the other side of the shelf) when the switch is initiated through software and the shelf is equipped with TCC2/TCC2P cards. The XCVT and XC10G cards do not support errorless switching. Cross-connect and provisioning information is established through the user interface on the TCC2/TCC2P card. In turn, the TCC2/TCC2P card establishes the proper internal cross-connect information and relays the setup information to the XC-VXC-10G card so that the proper cross-connection is established within the system. The XC-VXC-10G card is deployed in Slots 8 or 10. Upgrading a system to an XC-VXC-10G from an earlier cross-connect module type is performed in-service, with hitless operation (less than 50-ms impact to any traffic). The XC-VXC-10G can be used with either the standard ANSI shelf assembly (15454-SA-ANSI) or the high-density shelf assembly (15454-SA-HD).

Caution Do not operate the ONS 15454 with only one XC-VXC-10G cross-connect card. Two cross-connect cards must always be installed.

Figure 2-8 shows the XC-VXC-10G cross-connect matrix.

Figure 2-8 XC-VXC-10G Cross-Connect Matrix (figure not reproduced: input ports 1 to 20 and output ports 1 to 20 reach the STS-1 cross-connect ASIC (1152x1152 STS-1) through 4X STS-192, 8X STS-48, and 6X STS-48 interfaces; 2X STS-48 VT ports connect the VT 1.5/VT 2 cross-connect ASIC (VTXC) and the TU-3 cross-connect ASIC (TUXC, bypassed in SONET mode), giving 1344 bidirectional VT 1.5 cross-connects, or 1008 bidirectional VT 2 cross-connects, or mixed grooming (50% VT1.5 and 50% VT2))

2.7.2 VT Mapping

The VT structure is designed to transport and switch payloads below the DS-3 rate. The ONS 15454 performs VT mapping according to Telcordia GR-253-CORE standards. Table 2-18 shows the VT numbering scheme for the ONS 15454 as it relates to the Telcordia standard.

Table 2-18 VT Mapping
ONS 15454 VT Number: Telcordia Group/VT Number
VT1: Group1/VT1
VT2: Group2/VT1
VT3: Group3/VT1
VT4: Group4/VT1
VT5: Group5/VT1
VT6: Group6/VT1
VT7: Group7/VT1
VT8: Group1/VT2
VT9: Group2/VT2
VT10: Group3/VT2
VT11: Group4/VT2
VT12: Group5/VT2
VT13: Group6/VT2
VT14: Group7/VT2
VT15: Group1/VT3
VT16: Group2/VT3
VT17: Group3/VT3
VT18: Group4/VT3
VT19: Group5/VT3
VT20: Group6/VT3
VT21: Group7/VT3
VT22: Group1/VT4
VT23: Group2/VT4
VT24: Group3/VT4
VT25: Group4/VT4
VT26: Group5/VT4
VT27: Group6/VT4
VT28: Group7/VT4

2.7.3 XC-VXC-10G Hosting DS3XM-6 or DS3XM-12

A DS3XM card can demultiplex (map down to a lower rate) M13-mapped DS-3 signals into 28 DS-1s that are then mapped to VT1.5 payloads. The VT1.5s can then be cross-connected by the XC-VXC-10G card. The XC-VXC-10G card can host a maximum of 1344 bidirectional VT1.5s.

2.7.4 XC-VXC-10G Card-Level Indicators

Table 2-19 describes the two card-level LEDs on the XC-VXC-10G faceplate.

Table 2-19 XC-VXC-10G Card-Level Indicators
Card-Level Indicators: Definition
Red FAIL LED: Indicates that the card's processor is not ready. This LED illuminates during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active) / Amber (Standby): Indicates whether the XC10G is active and carrying traffic (green), or in standby mode to the active XC10G card (amber).

2.7.5 XC-VXC-10G Compatibility

The XC-VXC-10G card supports the same features as the XC10G card. Either the XC10G or XC-VXC-10G card is required for OC-192, OC3-8, and OC12-4 operation and OC-48 AS operation.
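Tables 2-14, 2-16, and 2-18 are the same 28-row mapping, and Sections 2.5.3, 2.6.3, and 2.7.3 count the VT1.5s a DS3XM card hands to the cross-connect (28 per M13-mapped DS-3). The following is an added example, not Cisco code; the function names are my own. It implements the ONS-to-Telcordia mapping in both directions, parses the table text in the flattened form it takes on this page, and checks the rows against the formula:

```python
"""VT1.5 numbering: ONS 15454 VT number versus Telcordia GR-253 Group/VT.

Added example for Tables 2-14, 2-16, and 2-18 of the manual; not Cisco code.
An STS-1 carries 7 VT groups of 4 VT1.5s each (28 VT1.5s), which is also
the number of DS-1s a DS3XM card demultiplexes from one M13-mapped DS-3.
"""
import re

GROUPS_PER_STS1 = 7                                # Telcordia VT groups in an STS-1
VT15_PER_GROUP = 4                                 # VT1.5s in each VT group
VT15_PER_STS1 = GROUPS_PER_STS1 * VT15_PER_GROUP   # 28

# Rows of Table 2-14 copied from the manual, in the flattened one-line layout
# the page uses (Tables 2-16 and 2-18 are identical).
TABLE_2_14 = (
    "VT1 Group1/VT1 VT2 Group2/VT1 VT3 Group3/VT1 VT4 Group4/VT1 "
    "VT5 Group5/VT1 VT6 Group6/VT1 VT7 Group7/VT1 VT8 Group1/VT2 "
    "VT9 Group2/VT2 VT10 Group3/VT2 VT11 Group4/VT2 VT12 Group5/VT2 "
    "VT13 Group6/VT2 VT14 Group7/VT2 VT15 Group1/VT3 VT16 Group2/VT3 "
    "VT17 Group3/VT3 VT18 Group4/VT3 VT19 Group5/VT3 VT20 Group6/VT3 "
    "VT21 Group7/VT3 VT22 Group1/VT4 VT23 Group2/VT4 VT24 Group3/VT4 "
    "VT25 Group4/VT4 VT26 Group5/VT4 VT27 Group6/VT4 VT28 Group7/VT4"
)


def ons_to_telcordia(vt_number: int) -> tuple[int, int]:
    """Return (group, vt) for an ONS 15454 VT number 1..28.

    The ONS numbering steps through the seven groups first: VT1..VT7 are
    Group1..Group7 of VT1, VT8..VT14 are Group1..Group7 of VT2, and so on,
    rather than numbering the four VT1.5s of one group consecutively.
    """
    if not 1 <= vt_number <= VT15_PER_STS1:
        raise ValueError(f"ONS VT number must be 1..{VT15_PER_STS1}: {vt_number}")
    idx = vt_number - 1
    return idx % GROUPS_PER_STS1 + 1, idx // GROUPS_PER_STS1 + 1


def telcordia_to_ons(group: int, vt: int) -> int:
    """Inverse mapping: Telcordia (group 1..7, vt 1..4) -> ONS VT number."""
    if not 1 <= group <= GROUPS_PER_STS1 or not 1 <= vt <= VT15_PER_GROUP:
        raise ValueError(f"group must be 1..7 and vt 1..4: Group{group}/VT{vt}")
    return (vt - 1) * GROUPS_PER_STS1 + group


def parse_vt_table(text: str) -> dict[int, tuple[int, int]]:
    """Parse flattened 'VTn Groupg/VTv' rows into {n: (g, v)}."""
    rows = re.findall(r"VT(\d+)\s+Group(\d+)/VT(\d+)", text)
    return {int(n): (int(g), int(v)) for n, g, v in rows}


def table_matches_formula(text: str) -> bool:
    """True if all 28 rows are present and each agrees with ons_to_telcordia."""
    parsed = parse_vt_table(text)
    if sorted(parsed) != list(range(1, VT15_PER_STS1 + 1)):
        return False
    return all(ons_to_telcordia(n) == gv for n, gv in parsed.items())


def vt15_per_ds3xm(ds3_ports: int) -> int:
    """VT1.5s a DS3XM card presents to the cross-connect: 28 per DS-3 port,
    so 168 for a DS3XM-6 and 336 for a DS3XM-12 (Sections 2.5.3 to 2.7.3)."""
    return ds3_ports * VT15_PER_STS1


if __name__ == "__main__":
    print("table agrees with formula:", table_matches_formula(TABLE_2_14))
    for n in (1, 7, 8, 28):
        g, v = ons_to_telcordia(n)
        print(f"VT{n} -> Group{g}/VT{v} -> VT{telcordia_to_ons(g, v)}")
```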
If you are using Ethernet cards, the E1000-2-G or the E100T-G must be used when the XC-VXC-10G cross-connect card is in use. When upgrading from an XC10G card to an XC-VXC-10G card, refer to the “Upgrade Cards and Spans” chapter in the Cisco ONS 15454 Procedure Guide for more information. Also refer to the “2.1.2 Card Compatibility” section on page 2-3.

2.8 AIC-I Card

Note For hardware specifications, see the “A.4.6 AIC-I Card Specifications” section on page A-15.

The optional Alarm Interface Controller–International (AIC-I) card provides customer-defined (environmental) alarms and controls and supports local and express orderwire. It provides 12 customer-defined input and 4 customer-defined input/output contacts. The physical connections are through the backplane wire-wrap pin terminals. If you use the additional AEP, the AIC-I card can support up to 32 inputs and 16 outputs, which are connected on the AEP connectors. A power monitoring function monitors the supply voltage (–48 VDC). Figure 2-9 shows the AIC-I faceplate and a block diagram of the card.

Figure 2-9 AIC-I Faceplate and Block Diagram (figure not reproduced: the block diagram shows the AIC-I FPGA with its SCL links, EEPROM, the express and local orderwire circuits with DTMF and ringer, power monitoring, the 4 x IN/OUT contacts, and the 12/16 x IN contacts; the faceplate carries the FAIL, ACT, ACC, INPUT/OUTPUT, EOW, LOW, RING, and PWR A/B LEDs and the UDC-A, UDC-B, DCC-A, DCC-B, and ACC ports)

2.8.1 AIC-I Card-Level Indicators

Table 2-20 describes the eight card-level LEDs on the AIC-I card faceplate.

Table 2-20 AIC-I Card-Level Indicators
Card-Level LEDs: Description
Red FAIL LED: Indicates that the card's processor is not ready. The FAIL LED is on during Reset and flashes during the boot process. Replace the card if the red FAIL LED persists.
Green ACT LED: Indicates the AIC-I card is provisioned for operation.
Green/Red PWR A LED: The PWR A LED is green when a supply voltage within a specified range has been sensed on supply input A. It is red when the input voltage on supply input A is out of range.
Green/Red PWR B LED: The PWR B LED is green when a supply voltage within a specified range has been sensed on supply input B. It is red when the input voltage on supply input B is out of range.
Amber INPUT LED: The INPUT LED is amber when there is an alarm condition on at least one of the alarm inputs.
Amber OUTPUT LED: The OUTPUT LED is amber when there is an alarm condition on at least one of the alarm outputs.
Green RING LED (LOW): The RING LED on the local orderwire (LOW) side is flashing green when a call is received on the LOW.
Green RING LED (EOW): The RING LED on the express orderwire (EOW) side is flashing green when a call is received on the EOW.

2.8.2 External Alarms and Controls

The AIC-I card provides input/output alarm contact closures. You can define up to twelve external alarm inputs and 4 external alarm inputs/outputs (user configurable). The physical connections are made using the backplane wire-wrap pins. See the “1.12 Alarm Expansion Panel” section on page 1-56 for information about increasing the number of input/output contacts. LEDs on the front panel of the AIC-I indicate the status of the alarm lines, one LED representing all of the inputs and one LED representing all of the outputs. External alarms (input contacts) are typically used for external sensors such as open doors, temperature sensors, flood sensors, and other environmental conditions. External controls (output contacts) are typically used to drive visual or audible devices such as bells and lights, but they can control other devices such as generators, heaters, and fans.

You can program each of the twelve input alarm contacts separately (sixteen inputs when the four input/output contacts are also used as inputs). Choices include:
• Alarm on Closure or Alarm on Open
• Alarm severity of any level (Critical, Major, Minor, Not Alarmed, Not Reported)
• Service Affecting or Non-Service Affecting alarm-service level
• 63-character alarm description for CTC display in the alarm log. You cannot assign the fan-tray abbreviation for the alarm; the abbreviation reflects the generic name of the input contacts. The alarm condition remains raised until the external input stops driving the contact or you unprovision the alarm input.

The output contacts can be provisioned to close on a trigger or to close manually. The trigger can be a local alarm severity threshold, a remote alarm severity, or a virtual wire:
• Local NE alarm severity: A hierarchy of Not Reported, Not Alarmed, Minor, Major, or Critical alarm severities that you set to cause output closure. For example, if the trigger is set to Minor, a Minor alarm or above is the trigger.
• Remote NE alarm severity: Same as the local network element (NE) alarm severity but applies to remote alarms only.
• Virtual wire entities: You can provision any environmental alarm input to raise a signal on any virtual wire on external outputs 1 through 4 when the alarm input is an event. You can provision a signal on any virtual wire as a trigger for an external control output.
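The output-contact triggers listed above, together with the manual force operation that the next paragraph states takes precedence over them, as an added example (my code, not Cisco's; the class names, the two sensors, and their states are constructed for illustration):

```python
"""Trigger evaluation for AIC-I external control (output) contacts.

Added example, not Cisco code; class and function names are my own. It
models the triggers the manual lists for the output contacts: a local NE
alarm severity threshold, a remote NE alarm severity threshold, a virtual
wire (1..4) signalled by an environmental alarm input, and a manual force
that takes precedence over every provisioned trigger.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

MAX_DESCRIPTION = 63        # characters CTC displays for an input alarm description
VIRTUAL_WIRES = range(1, 5)  # virtual wires on external outputs 1 through 4


class Severity(IntEnum):
    """Alarm severity hierarchy, lowest to highest."""
    NOT_REPORTED = 0
    NOT_ALARMED = 1
    MINOR = 2
    MAJOR = 3
    CRITICAL = 4


@dataclass
class AlarmInput:
    """One environmental alarm input contact and its provisioned choices."""
    number: int
    description: str
    severity: Severity
    alarm_on_closure: bool = True        # False means Alarm on Open
    service_affecting: bool = False
    virtual_wire: Optional[int] = None   # wire to signal while the alarm is raised
    provisioned: bool = True
    contact_closed: bool = False         # current state driven by the sensor

    def __post_init__(self) -> None:
        if len(self.description) > MAX_DESCRIPTION:
            raise ValueError(f"description longer than {MAX_DESCRIPTION} characters")
        if self.virtual_wire is not None and self.virtual_wire not in VIRTUAL_WIRES:
            raise ValueError("virtual wire must be 1..4")

    def raised(self) -> bool:
        """Raised while the input drives the contact; unprovisioning clears it."""
        if not self.provisioned:
            return False
        return self.contact_closed if self.alarm_on_closure else not self.contact_closed


@dataclass
class OutputContact:
    """One external control contact with its provisioned triggers."""
    number: int
    local_threshold: Optional[Severity] = None   # close on a local NE alarm >= threshold
    remote_threshold: Optional[Severity] = None  # close on a remote NE alarm >= threshold
    virtual_wire: Optional[int] = None           # close while this wire is signalled
    manual: Optional[bool] = None                # True: forced closed, False: forced open

    def closed(self, local: list, remote: list, wires: set) -> bool:
        # Manual operation takes precedence over any provisioned trigger.
        if self.manual is not None:
            return self.manual
        if self.local_threshold is not None and any(s >= self.local_threshold for s in local):
            return True
        if self.remote_threshold is not None and any(s >= self.remote_threshold for s in remote):
            return True
        return self.virtual_wire is not None and self.virtual_wire in wires


def evaluate_outputs(outputs, inputs, other_local=(), remote=()):
    """Return {output number: closed?} for the current input states.

    Raised environmental inputs add their severity to the local NE alarm list
    and signal their virtual wire; other_local and remote carry the severities
    of any other local or remote NE alarms the node sees.
    """
    raised = [i for i in inputs if i.raised()]
    local = [i.severity for i in raised] + list(other_local)
    wires = {i.virtual_wire for i in raised if i.virtual_wire is not None}
    return {o.number: o.closed(local, list(remote), wires) for o in outputs}


def demo() -> dict:
    """Constructed scenario: a door contact and a flood sensor on two inputs."""
    door = AlarmInput(1, "Equipment room door open", Severity.MAJOR, virtual_wire=1)
    flood = AlarmInput(2, "Floor water detected", Severity.CRITICAL,
                       alarm_on_closure=False, virtual_wire=2)
    outputs = [
        OutputContact(1, local_threshold=Severity.MINOR),    # bell on any local Minor or above
        OutputContact(2, virtual_wire=1),                    # light wired to the door input
        OutputContact(3, virtual_wire=1, manual=False),      # same wire, but forced open
        OutputContact(4, remote_threshold=Severity.MAJOR),   # remote Major or above only
    ]
    door.contact_closed = True    # door sensor closes: Alarm on Closure, so raised
    flood.contact_closed = True   # closed is the normal state for an Alarm on Open input
    return evaluate_outputs(outputs, [door, flood], remote=[Severity.MINOR])


if __name__ == "__main__":
    print(demo())
```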
You can also program the output alarm contacts (external controls) separately. In addition to provisionable triggers, you can manually force each external output contact to open or close. Manual operation takes precedence over any provisioned triggers that might be present.

Note The number of inputs and outputs can be increased using the AEP. The AEP is connected to the shelf backplane and requires an external wire-wrap panel.

2.8.3 Orderwire

Orderwire allows a craftsperson to plug a phoneset into an ONS 15454 and communicate with craftspeople working at other ONS 15454s or other facility equipment. The orderwire is a pulse code modulation (PCM) encoded voice channel that uses E1 or E2 bytes in section/line overhead. The AIC-I allows simultaneous use of both local (section overhead signal) and express (line overhead signal) orderwire channels on an SDH ring or particular optics facility. Express orderwire also allows communication via regeneration sites when the regenerator is not a Cisco device. You can provision orderwire functions with CTC similar to the current provisioning model for DCC/GCC channels. In CTC, you provision the orderwire communications network during ring turn-up so that all NEs on the ring can reach one another. Orderwire terminations (that is, the optics facilities that receive and process the orderwire channels) are provisionable. Both express and local orderwire can be configured as on or off on a particular SONET facility. The ONS 15454 supports up to four orderwire channel terminations per shelf. This allows linear, single ring, dual ring, and small hub-and-spoke configurations. Keep in mind that orderwire is not protected in ring topologies such as bidirectional line switched rings (BLSRs) and path protection configurations.

Caution Do not configure orderwire loops. Orderwire loops cause feedback that disables the orderwire channel.

The ONS 15454 implementation of both local and express orderwire is broadcast in nature. The line acts as a party line. Anyone who picks up the orderwire channel can communicate with all other participants on the connected orderwire subnetwork. The local orderwire party line is separate from the express orderwire party line. Up to four OC-N facilities for each local and express orderwire are provisionable as orderwire paths.

Note The OC3 IR 4/STM1 SH 1310 card does not support the express orderwire channel.

The AIC-I supports selective dual tone multifrequency (DTMF) dialing for telephony connectivity, which causes one AIC-I card or all ONS 15454 AIC-I cards on the orderwire subnetwork to “ring.” The ringer/buzzer resides on the AIC-I. There is also a “ring” LED that mimics the AIC-I ringer. It flashes when a call is received on the orderwire subnetwork. A party line call is initiated by pressing *0000 on the DTMF pad. Individual dialing is initiated by pressing * and the individual four-digit number on the DTMF pad. Table 2-21 shows the pins on the orderwire connector that correspond to the tip and ring orderwire assignments. When provisioning the orderwire subnetwork, make sure that an orderwire loop does not exist. Loops cause oscillation and an unusable orderwire channel. Figure 2-10 shows the standard RJ-11 connectors used for orderwire ports. Use a shielded RJ-11 cable.

Table 2-21 Orderwire Pin Assignments
RJ-11 Pin Number: Description
1: Four-wire receive ring
2: Four-wire transmit tip
3: Two-wire ring
4: Two-wire tip
5: Four-wire transmit ring
6: Four-wire receive tip

Figure 2-10 RJ-11 Connector (figure not reproduced; it shows Pin 1 through Pin 6 of the RJ-11 connector)

2.8.4 Power Monitoring

The AIC-I card provides a power monitoring circuit that monitors the supply voltage of –48 VDC for presence, undervoltage, or overvoltage.

2.8.5 User Data Channel

The user data channel (UDC) features a dedicated data channel of 64 kbps (F1 byte) between two nodes in an ONS 15454 network. Each AIC-I card provides two user data channels, UDC-A and UDC-B, through separate RJ-11 connectors on the front of the AIC-I card. Use an unshielded RJ-11 cable. Each UDC can be routed to an individual optical interface in the ONS 15454. For UDC circuit provisioning, refer to the “Create Circuits and VT Tunnels” chapter in the Cisco ONS 15454 Procedure Guide. The UDC ports are standard RJ-11 receptacles. Table 2-22 lists the UDC pin assignments.

Table 2-22 UDC Pin Assignments
RJ-11 Pin Number: Description
1: For future use
2: TXN
3: RXN
4: RXP
5: TXP
6: For future use

2.8.6 Data Communications Channel

The DCC features a dedicated data channel of 576 kbps (D4 to D12 bytes) between two nodes in an ONS 15454 network. Each AIC-I card provides two DCCs, DCC-A and DCC-B, through separate RJ-45 connectors on the front of the AIC-I card. Use a shielded RJ-45 cable. Each DCC can be routed to an individual optical interface in the ONS 15454. The DCC ports are synchronous serial interfaces. The DCC ports are standard RJ-45 receptacles. Table 2-23 lists the DCC pin assignments.

Table 2-23 DCC Pin Assignments
RJ-45 Pin Number: Description
1: TCLKP
2: TCLKN
3: TXP
4: TXN
5: RCLKP
6: RCLKN
7: RXP
8: RXN

Chapter 3 Electrical Cards

This chapter describes Cisco ONS 15454 electrical card features and functions. For installation and card turn-up procedures, refer to the Cisco ONS 15454 Procedure Guide. For information on the electrical interface assemblies (EIAs), see the “1.5 Electrical Interface Assemblies” section on page 1-15.
Chapter topics include:
• 3.1 Electrical Card Overview, page 3-1
• 3.2 Bit Error Rate Testing, page 3-4
• 3.3 EC1-12 Card, page 3-5
• 3.4 DS1-14 and DS1N-14 Cards, page 3-7
• 3.5 DS1/E1-56 Card, page 3-11
• 3.6 DS3-12 and DS3N-12 Cards, page 3-14
• 3.7 DS3/EC1-48 Card, page 3-17
• 3.8 DS3i-N-12 Card, page 3-20
• 3.9 DS3-12E and DS3N-12E Cards, page 3-22
• 3.10 DS3XM-6 Card, page 3-26
• 3.11 DS3XM-12 Card, page 3-28
• 3.12 Interoperability Rules for Electrical Cards, page 3-33

3.1 Electrical Card Overview

Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. See the “1.19 Cards and Slots” section on page 1-74 for a list of slots and symbols.

3.1.1 Card Summary

Table 3-1 lists the Cisco ONS 15454 electrical cards.

Table 3-1 Cisco ONS 15454 Electrical Cards
Card Name: Description. For Additional Information
EC1-12: The EC1-12 card provides 12 Telcordia-compliant, GR-253 STS-1 electrical ports per card. Each port operates at 51.840 Mbps over a single 75-ohm, 728A or equivalent coaxial span. See the “3.3 EC1-12 Card” section on page 3-5.
DS1-14: The DS1-14 card provides 14 Telcordia-compliant GR-499 DS-1 ports. Each port operates at 1.544 Mbps over a 100-ohm, twisted-pair copper cable. See the “3.4 DS1-14 and DS1N-14 Cards” section on page 3-7.
DS1N-14: The DS1N-14 card supports the same features as the DS1-14 card but can also provide 1:N (N <= 5) protection. See the “3.4 DS1-14 and DS1N-14 Cards” section on page 3-7.
DS1/E1-56: The DS1/E1-56 card provides 56 Telcordia-compliant, GR-499 DS-1 ports per card, or 56 E1 ports per card. Each port operates at 1.544 Mbps (DS-1) or 2.048 Mbps (E1). The DS1/E1-56 card operates as a working or protect card in 1:N protection schemes, where N <= 2. See the “3.5 DS1/E1-56 Card” section on page 3-11.
DS3-12: The DS3-12 card provides 12 Telcordia-compliant GR-499 DS-3 ports per card. Each port operates at 44.736 Mbps over a single 75-ohm, 728A or equivalent coaxial span. See the “3.6 DS3-12 and DS3N-12 Cards” section on page 3-14.
DS3N-12: The DS3N-12 card supports the same features as the DS3-12 but can also provide 1:N (N <= 5) protection. See the “3.6 DS3-12 and DS3N-12 Cards” section on page 3-14.
DS3/EC1-48: The DS3/EC1-48 provides 48 Telcordia-compliant ports per card. Each port operates at 44.736 Mbps over a single 75-ohm, 728A or equivalent coaxial span. See the “3.7 DS3/EC1-48 Card” section on page 3-17.
DS3i-N-12: The DS3i-N-12 card provides 12 ITU-T G.703, ITU-T G.704, and Telcordia GR-499-CORE compliant DS-3 ports per card. Each port operates at 44.736 Mbps over a 75-ohm coaxial cable. See the “3.8 DS3i-N-12 Card” section on page 3-20.
DS3-12E: The DS3-12E card provides 12 Telcordia-compliant ports per card. Each port operates at 44.736 Mbps over a single 75-ohm, 728A or equivalent coaxial span. The DS3-12E card provides enhanced performance monitoring functions. See the “3.9 DS3-12E and DS3N-12E Cards” section on page 3-22.
DS3N-12E: The DS3N-12E card supports the same features as the DS3-12E but can also provide 1:N (N <= 5) protection. See the “3.9 DS3-12E and DS3N-12E Cards” section on page 3-22.
DS3XM-6 (Transmux): The DS3XM-6 card provides six Telcordia-compliant GR-499-CORE M13 multiplexing functions. The DS3XM-6 converts six framed DS-3 network connections to 28x6 or 168 VT1.5s. See the “3.10 DS3XM-6 Card” section on page 3-26.
DS3XM-12 (Transmux): The DS3XM-12 card provides 12 Telcordia-compliant GR-499-CORE M13 multiplexing functions. The DS3XM-12 converts twelve framed DS-3 network connections to 28x12 or 336 VT1.5s. See the “3.11 DS3XM-12 Card” section on page 3-28.

3.1.2 Card Compatibility

Table 3-2 lists the CTC software compatibility for each electrical card. See Table 2-4 on page 2-5 for a list of cross-connect cards that are compatible with each electrical card.

Note “Yes” indicates that this card is fully or partially supported by the indicated software release. Refer to the individual card reference section for more information about software limitations for this card.

Table 3-2 Electrical Card Software Release Compatibility
Releases covered, in order: R3.0.1, R3.1, R3.2, R3.3, R3.4, R4.0, R4.1, R4.5, R4.6, R4.7, R5.0, R6.0, R7.0, R7.2, R8.0, R8.5, R9.0, R9.1, R9.2, R9.2.1. A dash (—) means the card is not listed for that release.
EC1-12: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS1-14: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS1N-14: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS1/E1-56: Yes in R6.0 through R9.2.1; — in R3.0.1 through R5.0
DS3-12: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS3N-12: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS3-12E: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS3N-12E: Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS3XM-6 (Transmux): Yes in R3.0.1 through R4.1, R4.6, and R5.0 through R9.2.1; — in R4.5 and R4.7
DS3XM-12 (Transmux): Yes in R5.0 through R9.2.1; — in R3.0.1 through R4.7
DS3/EC1-48: Yes in R5.0 through R9.2.1; — in R3.0.1 through R4.7
DS3i-N-12: Yes in R4.1 (from 4.1.2), R4.6, and R5.0 through R9.2.1; — in R3.0.1 through R4.0, R4.5, and R4.7

Note The DS3-12 card does not boot properly for Software Release 8.0 and later due to memory limitations. If you are upgrading to Software Release 8.0 or later, use any other DS3 card listed in the above table.

3.2 Bit Error Rate Testing

The bit error rate testing (BERT) feature can be used to test the connectivity, error rate, and error count of the traffic running on an electrical input/output (I/O) card port. The BERT feature is currently supported for ONS 15454 DS1/E1-56 and DS3XM-12 electrical cards only. BERT has two components, the Test Pattern Generator (TPG) and the Test Pattern Monitor (TPM); together they are referred to as the Test Pattern Generator and Monitor (TPGM). TPG generates test patterns such as PRBS15, PRBS20, PRBS23, QRSS, and ALT1s0s (alternating ones and zeroes). TPM monitors test patterns such as PRBS15, PRBS20, PRBS23, QRSS, and ALT1s0s. TPG and TPM inject and monitor errors in the test pattern for both single-bit and multirate (1.0E-3, 1.0E-4, 1.0E-5, and 1.0E-6) errors.

TPGM-L enables test pattern generation and monitoring on the line side. This option is not available for the DS1 port in the DS3XM-12 card because you can configure a DS1 port on the backplane side only. TPGM-B enables test pattern generation and monitoring on the backplane side. You can enable TPGM-B on a port only if the port has a bidirectional circuit.

Note The port must be in the Out-of-Service and Maintenance (OOS-MT) state before enabling TPGM-L or TPGM-B. The OOS-MT state puts the circuit cross-connects into a service state that does not interrupt traffic flow and allows loopbacks to be performed on the circuit. OOS-MT, however, suppresses any alarms and conditions. Change the administrative state to IS, OOS, or IS-AINS when testing is complete. For information on how to set the port to the OOS-MT state, see the “DLP-A230 Change a Circuit Service State” task in the Cisco ONS 15454 Procedure Guide, Release 9.1 and Release 9.2.

Note To enable TPGM-L or TPGM-B on a DS1 port, the line framing type must be D4, ESF, or unframed.

Note At any given time, you can enable BERT mode only on a single port of a card.

Table 3-3 summarizes whether BERT can be enabled on the line side or backplane side for the DS1/E1-56 and DS3XM-12 electrical cards.

Note “Yes” indicates that BERT can be enabled on the line side (TPGM-L) or backplane side (TPGM-B).

Table 3-3 Enabling BERT on Line Side and Backplane Side
Card and Port: TPGM-L, TPGM-B
DS1/E1-56 card, DS1 Port: Yes, Yes
DS3XM-12 card, DS1 Port: No, Yes
DS3XM-12 card, DS3 Port: Yes, No

For information on how to enable BERT on the DS1/E1-56 and DS3XM-12 cards, see the Cisco ONS 15454 Procedure Guide, Release 9.1 and Release 9.2.

BERT Alarms

The BERT feature can raise the following two alarms in CTC:
• BERT_ENABL: Specifies that the BERT feature is enabled.
• BERT_SYNC_FAIL: Synchronization is necessary and occurs when the errors injected by the TPG reach the TPM and connectivity is established. The BERT_SYNC_FAIL alarm occurs when synchronization fails.

Both alarms are non-reportable conditions, non-service affecting, and no severity is associated with these two conditions.

3.3 EC1-12 Card

Note For hardware specifications, see the “A.5.1 EC1-12 Card Specifications” section on page A-17.

The EC1-12 card provides 12 Telcordia-compliant, GR-253 STS-1 electrical ports per card. Each port operates at 51.840 Mbps over a single 75-ohm, 728A or equivalent coaxial span. STS path selection for UNEQ-P, AIS-P, and bit error rate (BER) thresholds is done on the SONET ring interfaces (optical cards) in conjunction with the STS cross-connect. The EC1-12 terminates but does not select the 12 working STS-1 signals from the backplane. The EC1-12 maps each of the 12 received EC1 signals into 12 STS-1s with visibility into the SONET path overhead. An EC1-12 card can be 1:1 protected with another EC1-12 card but cannot protect more than one EC1-12 card. You must install the EC1-12 in an even-numbered slot to serve as a working card and in an odd-numbered slot to serve as a protect card.

3.3.1 EC1-12 Slots and Connectors

You can install the EC1-12 card in Slots 1 to 6 or 12 to 17 on the ONS 15454. Each EC1-12 interface features DSX-level (digital signal cross-connect frame) outputs supporting distances up to 450 feet (137 meters) depending on facility conditions. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

3.3.2 EC1-12 Faceplate and Block Diagram

Figure 3-1 shows the EC1-12 faceplate and a block diagram of the card.

Figure 3-1 EC1-12 Faceplate and Block Diagram (figure not reproduced: the block diagram shows the Line Interface Unit, the main STS1 and protect STS1 paths, the STS-1 Framer x12, and the STS-12/12xSTS-1 Mux/Demux ASIC and BTC ASIC toward the backplane; the faceplate carries the FAIL, ACT/STBY, and SF LEDs)

3.3.3 EC1-12 Hosted by XCVT, XC10G, or XC-VXC-10G

All 12 STS-1 payloads from an EC1-12 card are carried to the XCVT, XC10G, or XC-VXC-10G card where the payload is further aggregated for efficient transport. XCVT cards can host a maximum of 288 bidirectional STS-1s. The XC10G and XC-VXC-10G cards can host up to 1152 bidirectional STS-1s.

3.3.4 EC1-12 Card-Level Indicators

Table 3-4 describes the three card-level LEDs on the EC1-12 card.
Table 3-4 EC1-12 Card-Level Indicators

Card-Level Indicators   Description
Red FAIL LED            The red FAIL LED indicates that the EC1-12 card processor is not ready. Replace the unit if the FAIL LED persists.
Green ACT LED           The green ACT LED indicates that the EC1-12 card is operational and ready to carry traffic.
Amber SF LED            The amber SF LED indicates a signal failure or condition such as loss of signal (LOS), loss of frame (LOF), or high BER on one or more card ports.

3.3.5 EC1-12 Port-Level Indicators

You can obtain the status of the EC1-12 card ports by using the LCD screen on the ONS 15454 fan tray. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.4 DS1-14 and DS1N-14 Cards

Note For hardware specifications, see the “A.5.2 DS1-14 and DS1N-14 Card Specifications” section on page A-18.

The ONS 15454 DS1-14 card provides 14 Telcordia-compliant, GR-499 DS-1 ports. Each port operates at 1.544 Mbps over a 100-ohm, twisted-pair copper cable. The DS1-14 card can function as a working or protect card in 1:1 protection schemes and as a working card in 1:N protection schemes. Each DS1-14 port has digital signal cross-connect frame (DSX)-level outputs supporting distances up to 655 feet (200 meters).

The DS1-14 card supports 1:1 protection. The DS1-14 can be a working card in a 1:N protection scheme with the proper backplane EIA and wire-wrap or AMP Champ connectors. You can also provision the DS1-14 to monitor for line and frame errors in both directions.

You can group and map DS1-14 card traffic in STS-1 increments to any other card in an ONS 15454 except DS-3 cards. Each DS-1 is asynchronously mapped into a SONET VT1.5 payload and the card carries a DS-1 payload intact in a VT1.5. For performance monitoring purposes, you can gather bidirectional DS-1 frame-level information (LOF, parity errors, cyclic redundancy check [CRC] errors, and so on).
3.4.1 DS1N-14 Features and Functions

The DS1N-14 card supports the same features as the DS1-14 card in addition to enhanced protection schemes. The DS1N-14 is capable of 1:N (N <= 5) protection with the proper backplane EIA and wire-wrap or AMP Champ connectors. The DS1N-14 card can function as a working or protect card in 1:1 or 1:N protection schemes.

If you use the DS1N-14 as a standard DS-1 card in a 1:1 protection group, you can install the DS1N-14 card in Slots 1 to 6 or 12 to 17 on the ONS 15454. If you use the card’s 1:N functionality, you must install a DS1N-14 card in Slots 3 and 15. Each DS1N-14 port features DS-n-level outputs supporting distances of up to 655 feet (200 meters) depending on facility conditions.

3.4.2 DS1-14 and DS1N-14 Slot Compatibility

You can install the DS1-14 card in Slots 1 to 6 or 12 to 17 on the ONS 15454.

3.4.3 DS1-14 and DS1N-14 Faceplate and Block Diagram

Figure 3-2 shows the DS1-14 faceplate and the block diagram of the card.

Figure 3-2 DS1-14 Faceplate and Block Diagram

Figure 3-3 shows the DS1N-14 faceplate and a block diagram of the card.
Figure 3-3 DS1N-14 Faceplate and Block Diagram

3.4.4 DS1-14 and DS1N-14 Hosted by XCVT, XC10G, or XC-VXC-10G

All 14 VT1.5 payloads from DS1-14 and DS1N-14 cards are carried in a single STS-1 to the XCVT, XC10G, or XC-VXC-10G cards, where the payload is further aggregated for efficient STS-1 transport. The XC10G and XCVT cards manage up to 336 bidirectional VT1.5 ports. The XC-VXC-10G card can manage up to 2688 bidirectional VT1.5 ports.

3.4.5 DS1-14 and DS1N-14 Card-Level Indicators

Table 3-5 describes the three card-level LEDs on the DS1-14 and DS1N-14 card faceplates.

Table 3-5 DS1-14 and DS1N-14 Card-Level Indicators

Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby)  The green/amber ACT/STBY LED indicates whether the card is operational and ready to carry traffic (green) or in standby mode (amber).
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more card ports.

3.4.6 DS1-14 and DS1N-14 Port-Level Indicators

You can obtain the status of the DS1-14 and DS1N-14 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.5 DS1/E1-56 Card

Note For hardware specifications, see the “A.5.3 DS1/E1-56 Card Specifications” section on page A-19.

The ONS 15454 DS1/E1-56 card provides 56 Telcordia-compliant, GR-499 DS-1 ports per card, or 56 E1 ports per card. Each port operates at 1.544 Mbps (DS-1) or 2.048 Mbps (E1). The DS1/E1-56 card operates as a working or protect card in 1:N protection schemes, where N <= 2. The DS1/E1-56 card can be used with the XCVT, XC10G, or XC-VXC-10G cross-connect cards.

Note The DS1/E1-56 card does not support VT-2 (virtual tributary-2) circuit creation on E1 ports.

Caution When a protection switch moves traffic from the active (or working) DS1/E1-56 card to the standby (or protect) DS1/E1-56 card, ports on the now standby (or protect) card cannot be moved to the Out of Service state. Traffic is dropped if the ports are in the Out of Service state.

3.5.1 DS1/E1-56 Slots and Connectors

For SONET applications, the DS1/E1-56 card requires a high-density (HD) shelf (15454-SA-HD), a UBIC EIA, and Software Release 6.0 or greater.

Note The UBIC-H EIA supports the termination of both DS-1 and E-1 signals when used with the appropriate cables. The UBIC-V EIA only supports the termination of DS-1 signals.

Note The DS1/E1-56 card supports an errorless software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.

You can install the DS1/E1-56 card in Slots 1 to 3 or 15 to 17 on the ONS 15454, but installing this card in certain slots will block the use of other slots. Table 3-6 shows which slots become unusable for other electrical cards when the DS1/E1-56 card is installed in a particular slot.
Table 3-6 DS1/E1-56 Slot Restrictions

Slot   Additional Unusable Slots for Electrical Cards
1      5 and 6
2      3 or 4 (except another DS1/E1-56 protect card can be installed in Slot 3)
3      —
15     —
16     14 and 15 (except another DS1/E1-56 protect card can be installed in Slot 15)
17     12 and 13

With the proper backplane EIA, the card supports SCSI (UBIC) connectors. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

Connectivity, error rate, and error count of the traffic running on electrical I/O card ports can be tested by using BERT. For more information on BERT, see the “3.2 Bit Error Rate Testing” section on page 3-4.

3.5.2 DS1/E1-56 Faceplate and Block Diagram

Figure 3-4 shows the DS1/E1-56 faceplate and a block diagram of the card.

Figure 3-4 DS1/E1-56 Faceplate and Block Diagram

3.5.3 DS1/E1-56 Card-Level Indicators

The DS1/E1-56 card has three card-level LED indicators (Table 3-7).

Table 3-7 DS1/E1-56 Card-Level Indicators

Card-Level Indicators                          Description
Red FAIL LED                                   Indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists in flashing.
ACT/STBY LED, Green (Active), Amber (Standby)  When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED                                   Indicates a signal failure or condition such as LOS or LOF on one or more card ports.

3.5.4 DS1/E1-56 Port-Level Indicators

You can obtain the status of the DS1/E1-56 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.6 DS3-12 and DS3N-12 Cards

Note For hardware specifications, see the “A.5.5 DS3-12 and DS3N-12 Card Specifications” section on page A-22.

Note Any new features that are available as part of this software release are not enabled for this card.

The ONS 15454 DS3-12 card provides 12 Telcordia-compliant, GR-499 DS-3 ports per card. Each port operates at 44.736 Mbps over a single 75-ohm 728A or equivalent coaxial span. The DS3-12 card operates as a working or protect card in 1:1 protection schemes and as a working card in 1:N protection schemes. The DS3-12 card supports 1:1 protection with the proper backplane EIA. EIAs are available with BNC, SMB, or SCSI (UBIC) connectors.

Caution When a protection switch moves traffic from the DS3-12 working/active card to the DS3-12 protect/standby card, ports on the now active/standby card cannot be taken out of service. Lost traffic can result if you take a port out of service, even if the DS3-12 standby card no longer carries traffic.

Other than protection capabilities, the DS3-12 and DS3N-12 cards are identical. The DS3N-12 can operate as the protect card in a 1:N (N <= 5) DS3 protection group. It has additional circuitry that is not present on the basic DS3-12 card that allows it to protect up to five working DS3-12 cards. The basic DS3-12 card can only function as the protect card for one other DS3-12 card.

3.6.1 DS3-12 and DS3N-12 Slots and Connectors

You can install the DS3-12 or DS3N-12 card in Slots 1 to 6 or 12 to 17 on the ONS 15454. Each DS3-12 or DS3N-12 card port features DSX-level outputs supporting distances up to 137 meters (450 feet) depending on facility conditions. With the proper backplane EIA, the card supports BNC or SMB connectors. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

3.6.2 DS3-12 and DS3N-12 Faceplate and Block Diagram

Figure 3-5 shows the DS3-12 faceplate and a block diagram of the card.

Figure 3-5 DS3-12 Faceplate and Block Diagram

Figure 3-6 shows the DS3N-12 faceplate and a block diagram of the card.

Figure 3-6 DS3N-12 Faceplate and Block Diagram

3.6.3 DS3-12 and DS3N-12 Card-Level Indicators

Table 3-8 describes the three card-level LEDs on the DS3-12 and DS3N-12 card faceplates.

Table 3-8 DS3-12 and DS3N-12 Card-Level Indicators

Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby)  When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as port LOS.

3.6.4 DS3-12 and DS3N-12 Port-Level Indicators

You can find the status of the 12 DS3-12 or DS3N-12 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.7 DS3/EC1-48 Card

Note For hardware specifications, see the “A.5.4 DS3/EC1-48 Card Specifications” section on page A-21.

The ONS 15454 DS3/EC1-48 card provides 48 Telcordia-compliant, GR-499 DS-3 ports per card. Each port operates at 44.736 Mbps over a single 75-ohm 728A or equivalent coaxial span. The DS3/EC1-48 card operates as a working or protect card in 1:N protection schemes, where N <= 2.

Caution When a protection switch moves traffic from the DS3/EC1-48 working/active card to the DS3/EC1-48 protect/standby card, ports on the now active/standby card cannot be taken out of service. Lost traffic can result if you take a port out of service, even if the DS3/EC1-48 standby card no longer carries traffic.

3.7.1 DS3/EC1-48 Slots and Connectors

For SONET applications, the DS3/EC1-48 card requires an HD shelf (15454-SA-HD) and EIA (UBIC, MiniBNC); Software Release 5.0 or greater; and XC10G or XC-VXC-10G cards.

Note The DS3/EC1-48 card supports an errorless software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.

You can install the DS3/EC1-48 card in Slots 1 to 3 or 15 to 17 on the ONS 15454, but installing this card in certain slots will block the use of other slots.
Table 3-9 shows which slots become unusable for other electrical cards when the DS3/EC1-48 card is installed in a particular slot.

Caution Do not install low-density DS-1 cards in the same side of the shelf as DS3/EC1-48 cards.

Table 3-9 DS3/EC1-48 Slot Restrictions

Slot   Additional Unusable Slots for Electrical Cards
1      5 and 6
2      3 or 4 (except another DS3/EC1-48 card can be installed in Slot 3)
3      —
15     —
16     14 and 15 (except another DS3/EC1-48 card can be installed in Slot 15)
17     12 and 13

Caution Do not install a DS3/EC1-48 card in Slots 1 or 2 if you have installed an MXP_2.5G_10G card in Slot 3. Likewise, do not install a DS3/EC1-48 card in Slots 16 or 17 if you have installed an MXP_2.5G_10G card in Slot 15. If you do, the cards will interact and cause DS-3 bit errors.

With the proper backplane EIA, the card supports BNC or SCSI (UBIC) connectors. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

3.7.2 DS3/EC1-48 Faceplate and Block Diagram

Figure 3-7 shows the DS3/EC1-48 faceplate and a block diagram of the card.

Figure 3-7 DS3/EC1-48 Faceplate and Block Diagram

3.7.3 DS3/EC1-48 Card-Level Indicators

The DS3/EC1-48 card has three card-level LED indicators (Table 3-10).

Table 3-10 DS3/EC1-48 Card-Level Indicators

Card-Level Indicators                          Description
Red FAIL LED                                   Indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists in flashing.
ACT/STBY LED, Green (Active), Amber (Standby)  When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED                                   Indicates a signal failure or condition such as LOS or LOF on one or more card ports.

3.7.4 DS3/EC1-48 Port-Level Indicators

You can obtain the status of the DS3/EC1-48 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.8 DS3i-N-12 Card

Note For hardware specifications, see the “A.5.6 DS3i-N-12 Card Specifications” section on page A-23.

The 12-port ONS 15454 DS3i-N-12 card provides 12 ITU-T G.703, ITU-T G.704, and Telcordia GR-499-CORE compliant DS-3 ports per card. Each port operates at 44.736 Mbps over a 75-ohm coaxial cable. The DS3i-N-12 card supports 1:1 or 1:N protection with the proper backplane EIA. The DS3i-N-12 card works with the XCVT, XC10G, and XC-VXC-10G cross-connect cards.

Four sets of three adjacent DS-3 signals (Port 1 through Port 3, Port 4 through Port 6, Port 7 through Port 9, and Port 10 through Port 12) are mapped to VC3s into a VC4 and transported as an STS-3c. The DS3i-N-12 can also aggregate DS3 and E1 traffic and transport it between SONET and SDH networks through AU4/STS-3 trunks, with the ability to add and drop DS3s to an STS-3 trunk at intermediate nodes.

3.8.1 DS3i-N-12 Slots and Connectors

You can install the DS3i-N-12 card in Slots 1 to 6 and 12 to 17. The DS3i-N-12 can operate as the protect card in a 1:N (N <= 5) DS-3 protection group on a half-shelf basis, with protection cards in Slots 3 and 15. It has circuitry that allows it to protect up to five working DS3i-N-12 cards. With the proper backplane EIA, the card supports BNC or SMB connectors. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

Figure 3-8 shows the DS3i-N-12 faceplate and block diagram.

Figure 3-8 DS3i-N-12 Faceplate and Block Diagram

The following list summarizes the DS3i-N-12 card features:
• Provisionable framing format (M23, C-bit, or unframed)
• Autorecognition and provisioning of incoming framing
• VC-3 payload mapping as per ITU-T G.707, mapped into VC-4 and transported as STS-3c
• Idle signal (“1100”) monitoring as per Telcordia GR-499-CORE
• P-bit monitoring
• C-bit parity monitoring
• X-bit monitoring
• M-bit monitoring
• F-bit monitoring
• Far-end block error (FEBE) monitoring
• Far-end alarm and control (FEAC) status and loop code detection
• Path trace byte support with TIM-P alarm generation

3.8.2 DS3i-N-12 Card-Level Indicators

Table 3-11 describes the three LEDs on the DS3i-N-12 card faceplate.

Table 3-11 DS3i-N-12 Card-Level Indicators

Card-Level LEDs                                Description
Red FAIL LED                                   Indicates that the card processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists in flashing.
ACT/STBY LED, Green (Active), Amber (Standby)  When the ACT/STBY LED is green, the DS3i-N-12 card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the DS3i-N-12 card is operational and in standby (protect) mode.
Amber SF LED                                   Indicates a signal failure or condition such as LOS or LOF on one or more card ports.

3.8.3 DS3i-N-12 Port-Level Indicators

You can find the status of the DS3i-N-12 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

3.9 DS3-12E and DS3N-12E Cards

Note For hardware specifications, see the “A.5.7 DS3-12E and DS3N-12E Card Specifications” section on page A-24.

The ONS 15454 DS3-12E card provides 12 Telcordia-compliant GR-499 DS-3 ports per card. Each port operates at 44.736 Mbps over a single 75-ohm 728A or equivalent coaxial span. The DS3-12E card provides enhanced performance monitoring functions. The DS3-12E can detect several different errored logic bits within a DS3 frame. This function allows the ONS 15454 to identify a degrading DS3 facility caused by upstream electronics (DS3 Framer). In addition, DS3 frame format autodetection and J1 path trace are supported. By monitoring additional overhead in the DS3 frame, subtle network degradations can be detected.

The following list summarizes DS3-12E card features:
• Provisionable framing format (M23, C-bit, or unframed)
• Autorecognition and provisioning of incoming framing
• P-bit monitoring
• C-bit parity monitoring
• X-bit monitoring
• M-bit monitoring
• F-bit monitoring
• FEBE monitoring
• FEAC status and loop code detection
• Path trace byte support with TIM-P alarm generation

The DS3-12E supports a 1:1 protection scheme, meaning it can operate as the protect card for one other DS3-12E card. The DS3N-12E can operate as the protect card in a 1:N (N <= 5) DS3 protection group. It has additional circuitry not present on the basic DS3-12E card that allows it to protect up to five working DS3-12E cards. The basic DS3-12E card can only function as the protect card for one other DS3-12E card.

3.9.1 DS3-12E and DS3N-12E Slots and Connectors

You can install the DS3-12E and DS3N-12E cards in Slots 1 to 6 or 12 to 17 on the ONS 15454. Each DS3-12E and DS3N-12E port features DSX-level outputs supporting distances up to 137 meters (450 feet). With the proper backplane EIA, the card supports BNC or SMB connectors. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

3.9.2 DS3-12E Faceplate and Block Diagram

Figure 3-9 shows the DS3-12E faceplate and a block diagram of the card.

Figure 3-9 DS3-12E Faceplate and Block Diagram

Figure 3-10 shows the DS3N-12E faceplate and a block diagram of the card.
Figure 3-10 DS3N-12E Faceplate and Block Diagram

3.9.3 DS3-12E and DS3N-12E Card-Level Indicators

Table 3-12 describes the three card-level LEDs on the DS3-12E and DS3N-12E card faceplates.

Table 3-12 DS3-12E and DS3N-12E Card-Level Indicators

Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby)  When the ACT/STBY LED is green, the card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the card is operational and in standby (protect) mode.
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as port LOS or AIS.

3.9.4 DS3-12E and DS3N-12E Port-Level Indicators

You can find the status of the DS3-12E and DS3N-12E card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.10 DS3XM-6 Card

Note For hardware specifications, see the “A.5.9 DS3XM-6 Card Specifications” section on page A-26.
The DS3XM-6 card, commonly referred to as a transmux card, provides six Telcordia-compliant, GR-499-CORE M13 multiplexing ports. The DS3XM-6 converts six framed DS-3 network connections to 28 x 6 or 168 VT1.5s. DS3XM-6 cards operate at the VT1.5 level.

3.10.1 DS3XM-6 Slots and Connectors

The DS3XM-6 card supports 1:1 protection with the proper backplane EIA. EIAs are available with BNC or SMB connectors. You can install the DS3XM-6 in Slots 1 to 6 or 12 to 17. Each DS3XM-6 port features DSX-level outputs supporting distances up to 137 meters (450 feet) depending on facility conditions. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

3.10.2 DS3XM-6 Faceplate and Block Diagram

Figure 3-11 shows the DS3XM-6 faceplate and a block diagram of the card.

Figure 3-11 DS3XM-6 Faceplate and Block Diagram

3.10.3 DS3XM-6 Hosted By XCVT, XC10G, or XC-VXC-10G

The DS3XM-6 card works in conjunction with the XCVT card. A single DS3XM-6 can demultiplex six DS-3 signals into 168 VT1.5s that the XCVT card then manages and cross connects. XCVT cards host a maximum of 336 bidirectional VT1.5s on two DS3XM-6 cards. In most network configurations, two DS3XM-6 cards are paired together as working and protect cards.

3.10.4 DS3XM-6 Card-Level Indicators

Table 3-13 describes the three card-level LEDs on the DS3XM-6 card faceplate.

Table 3-13 DS3XM-6 Card-Level Indicators

Card-Level Indicators                          Description
Red FAIL LED                                   The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby)  When the ACT/STBY LED is green, the DS3XM-6 card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the DS3XM-6 card is operational and in standby in a 1:1 protection group.
Amber SF LED                                   The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BER on one or more card ports.

3.10.5 DS3XM-6 Port-Level Indicators

You can find the status of the six DS3XM-6 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

3.11 DS3XM-12 Card

Note For hardware specifications, see the “A.5.8 DS3XM-12 Card Specifications” section on page A-25.

The DS3XM-12 card, commonly referred to as a transmux card, provides twelve Telcordia-compliant, GR-499-CORE M13 multiplexing ports. The DS3XM-12 converts up to 12 framed DS-3 network connections to 12 x 28 VT1.5s.

3.11.1 Backplane Configurations

The DS3XM-12 card has 12 framed DS-3 physical ports (known as “ported” mode). The card also supports a maximum of 12 “portless” DS3-mapped STS1 interfaces, depending on the type of cross-connect used. Each physical port corresponds to two portless ports. If a circuit is provisioned to a physical port, its associated portless pair becomes unavailable, and vice versa. See the “12.4 Portless Transmux” section on page 12-15 for more information. The DS3XM-12 card is compatible with the XCVT, XC10G, and XC-VXC-10G cross-connect cards.

Note The DS3XM-12 card supports an errorless software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.

Caution During an upgrade from the DS3XM-6 card to the DS3XM-12 card, the DS3XM-12 card (in Slots 1 to 5) encounters insufficient cable-loss margin when the LBO setting on the DS-3 input ports is set for cable lengths between 225 and 450 feet.

The DS3XM-12 supports three different backplane throughput configurations:
• STS-48 when an XC10G or XC-VXC-10G card is used. This configuration supports the OC-48 rate in any slot.
• STS-48 for Slots 5, 6, 12, and 13 when an XCVT card is used.
• STS-12 for Slots 1 through 4 and 7 through 12 when an XCVT card is used. This configuration is bandwidth-limiting in the portless mode of operation.
The backplane throughput configuration is selected in CTC card view using the Maintenance > Card tab.

3.11.2 Ported Mode

The “ported” mode supports up to 12 framed DS-3 bidirectional mapped signals to each DS3XM-12 card, where the traffic is demultiplexed and mapped into a VT1.5 payload. This payload is then mapped and multiplexed up to a bidirectional STS-1.

3.11.3 Portless Mode

The “portless” mode allows for IXC hand-off connections through a standard SONET fiber optical interface with DS-3-mapped STS-1s as a payload. This physical connection is accomplished with any of the OC-N cards. The system cross-connect grooms the DS-3-mapped STS1 traffic to the appropriate DS3XM-12 card, where the traffic is demultiplexed and mapped into a VT1.5 payload. This payload is then mapped and multiplexed up to a higher rate STS-1.
See the “12.4 Portless Transmux” section on page 12-15 for more information.

3.11.4 Shelf Configurations

The DS3XM-12 card supports the XCVT, XC10G, and XC-VXC-10G cards. The DS3XM-12 card is supported in any of the multiservice slots (Slots 1 through 6 and 12 through 17). The DS3XM-12 card operates at the VT1.5 level and supports a maximum of 6 or 12 ports of “portless” (DS-3-mapped STS-1) interface, depending on the shelf configuration (see Table 3-14).

Caution Do not install low-density DS-1 cards in the same side of the shelf as DS3XM-12 cards.

Table 3-14 DS3XM-12 Shelf Configurations
Port Maximums | Slots 1 through 4, and 14 through 17 (XCVT Card) | Slots 5, 6, 12, and 13 (XCVT, XC10G, or XC-VXC-10G Cards) | XC10G/XC-VXC-10G Shelf (any multiservice slot)
Portless Ports | 6 | 12 | 12
Ported Ports | 12 | 12 | 12

3.11.5 Protection Modes

The DS3XM-12 card supports 1:1 and 1:N protection groups, where N <= 5. However, N <= 7 if one of the following conditions is true:
• Only portless connections are used.
• A combination of ported and portless connections is used, but all the ported cards being protected are on the same side of the chassis as the protecting card.
These protection groups can be implemented in the ONS 15454 SONET platform for both the A and B sides and do not require a special protect card. In 1:N protection, the protect card must be in Slot 3 or 15. In 1:1 protection, the working and protect cards must be in adjacent slots. The protection switches cause a traffic hit of no more than 50 ms. See the “7.2 Electrical Card Protection and the Backplane” section on page 7-5 for more information about electrical card slot protection and restrictions.

In a 1:1 or 1:N protection group with DS3XM-12 cards having different backplane bandwidths, a protection switch that moves traffic from the working/active card to the protect/standby card, or vice versa, causes a traffic hit of greater than 50 ms.

3.11.6 Card Features

Table 3-15 summarizes the DS3XM-12 features.

Table 3-15 DS3XM-12 Features
Feature | Description
Protection | 1:1 and 1:N protection (“ported” and “portless”)
Upgrade | • Errorless software upgrade • In-service upgrade of legacy DS3XM-6 to DS3XM-12 (> 60 ms hit)
Performance Monitoring | • DS-3 M2-3 near-end performance monitoring (PM) parameters • DS-3 C-bit near-end and far-end PM parameters • DS-1 near-end PM parameters • DS-1 Extended Super Frame (ESF) PM far-end parameters based on FDL PRM messages • 1989 AT&T TR 54016 DS1 ESF PM • SPRM and NPRM DS1 PM parameters
Loopbacks | • DS3 terminal and facility • DS1 facility • DS1 terminal • FEAC-based DS1 and DS3 loopbacks (TX and RX) • DS1 ESF-FDL TX line and payload loopbacks • DS1 SF (D4) “in-band” TX loopbacks • AT&T TR 54016 ESF DS1 TX line and payload loopbacks
DS1 Auto-Frame Detection | DS1 frame autodetection and autoprovisioning
Manual DS1 frame provisioning | Works in conjunction with the DS1 autoframe detection and gives you override capability
Manual DS3 frame provisioning | Legacy feature (C-Bit and M23 frame formats are supported)
J1 | Legacy feature (extended to 6 additional ports)
J2 | 336 J2 strings are supported
Portless | Supports DS3 data from the backplane in addition to the DS3 data from the line interface unit
Diagnostics | Power-up diagnostics on working and protect cards
Testing | Connectivity, error rate, and error count of the traffic running on Electrical IO card ports can be tested by using BERT. For more information on BERT, see “3.2 Bit Error Rate Testing” on page 3-4.

3.11.7 DS3XM-12 Slots and Connectors

The DS3XM-12 card can be used with BNC, SMB, SCSI (UBIC), or MiniBNC EIA connectors. The card can be installed in Slots 1 to 6 or 12 to 17. Each DS3XM-12 port features DSX-level outputs supporting distances up to 137 meters (450 feet) depending on facility conditions.

3.11.8 DS3XM-12 Faceplate and Block Diagram

Figure 3-12 shows the DS3XM-12 faceplate and a block diagram of the card.

Figure 3-12 DS3XM-12 Faceplate and Block Diagram
[Block diagram: 12 DS3 ports pass through transformers and protection mux/relays to a 12-port DS3 LIU, a 4x DS3/VT1.5 framer/mapper, an STS-24 mapper FPGA, and the MAIN and PROTECT IBPIA ASICs toward the backplane (VT1.5-mapped STS-1s in both modes, DS3-mapped STS-1s in portless mode); processor with main and protect SCL buses. Faceplate LEDs: FAIL, ACT/STBY, SF.]

3.11.9 DS3XM-12 Card-Level Indicators

Table 3-16 describes the three card-level LEDs on the DS3XM-12 card faceplate.

3.11.10 DS3XM-12 Port-Level Indicators

You can find the status of the twelve DS3XM-12 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.
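The protection-group rules in 3.11.5 above (1:1 in adjacent slots, 1:N with the protect card in slot 3 or 15, N <= 5 unless no ported working card sits on the other side of the chassis, and the greater-than-50 ms hit when backplane bandwidths differ) are easy to get wrong when planning a shelf, so here is an added checker that encodes them. It is example code written for this page, not Cisco software or anything taken from CTC. It assumes that side A is slots 1 to 6 and side B is slots 12 to 17 (the manual does not spell out the slot split), that a card's backplane configuration is given as "STS-12" or "STS-48", and that a group with one working card in a non-adjacent slot is treated as 1:N with N=1.

```python
"""Added example: check a DS3XM-12 protection group against the rules in section 3.11.5.

Assumptions not stated in the manual: side A = slots 1-6, side B = slots 12-17;
a card's backplane configuration (Maintenance > Card tab) is "STS-12" or "STS-48".
"""
from dataclasses import dataclass, field

SIDE_A = frozenset(range(1, 7))      # assumed A side of the chassis
SIDE_B = frozenset(range(12, 18))    # assumed B side of the chassis
MULTISERVICE_SLOTS = SIDE_A | SIDE_B
ONE_TO_N_PROTECT_SLOTS = frozenset({3, 15})
BACKPLANE_CONFIGS = ("STS-12", "STS-48")


@dataclass(frozen=True)
class DS3XM12:
    slot: int
    backplane: str = "STS-48"   # backplane throughput configuration of this card
    ported: bool = False        # carries circuits on its physical DS-3 ports
    portless: bool = False      # carries DS-3-mapped STS-1s from the backplane


@dataclass
class GroupCheck:
    kind: str                   # "1:1", "1:N" or "invalid"
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def side(slot: int) -> str:
    return "A" if slot in SIDE_A else "B"


def check_protection_group(protect: DS3XM12, working: list) -> GroupCheck:
    """Validate one protection group: the protect card plus the working cards it covers."""
    result = GroupCheck(kind="invalid")
    cards = [protect, *working]
    for c in cards:
        if c.slot not in MULTISERVICE_SLOTS:
            result.errors.append(f"slot {c.slot}: DS3XM-12 is installed only in slots 1-6 and 12-17")
        if c.backplane not in BACKPLANE_CONFIGS:
            result.errors.append(f"slot {c.slot}: unknown backplane configuration {c.backplane!r}")
    slots = [c.slot for c in cards]
    if len(set(slots)) != len(slots):
        result.errors.append("a slot appears more than once in the group")
    if result.errors:
        return result

    n = len(working)
    if n == 0:
        result.errors.append("a protection group needs at least one working card")
    elif n == 1 and abs(protect.slot - working[0].slot) == 1:
        result.kind = "1:1"     # 1:1: working and protect cards in adjacent slots
    elif protect.slot in ONE_TO_N_PROTECT_SLOTS:
        result.kind = "1:N"     # 1:N: protect card must be in slot 3 or 15
        # N <= 5 normally; N <= 7 when only portless connections are used, or when
        # every ported working card is on the same side as the protect card.
        # Both conditions reduce to: no ported working card on the other side.
        ported_elsewhere = [w.slot for w in working
                            if w.ported and side(w.slot) != side(protect.slot)]
        limit = 5 if ported_elsewhere else 7
        if n > limit:
            detail = f" (ported working cards on the other side: {ported_elsewhere})" if ported_elsewhere else ""
            result.errors.append(f"N={n} exceeds the limit of {limit}{detail}")
    else:
        result.errors.append("1:1 needs adjacent slots; 1:N needs the protect card in slot 3 or 15")

    # Not a configuration error, but the switch will not stay within 50 ms.
    for w in working:
        if w.backplane != protect.backplane:
            result.warnings.append(
                f"slot {w.slot} ({w.backplane}) and protect slot {protect.slot} ({protect.backplane}) "
                "differ in backplane bandwidth: a protection switch causes a hit greater than 50 ms")
    return result


if __name__ == "__main__":
    # Constructed example: protect card in slot 3 covering seven portless-only working cards.
    group = check_protection_group(DS3XM12(3), [DS3XM12(s, portless=True) for s in (1, 2, 4, 5, 6, 12, 13)])
    print(group.kind, group.ok, group.errors, group.warnings)
```

The backplane-bandwidth mismatch is reported as a warning rather than an error because the manual allows the group; it only tells you the switch time will exceed the 50 ms figure, which matters if that figure is what your service commitments are built on.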
Table 3-16 DS3XM-12 Card-Level Indicators
Card-Level Indicator | Description
Red FAIL LED | The red FAIL LED indicates that the card processor is not ready. It is steady while the self-test runs and blinks during provisioning. Replace the card if the red FAIL LED persists.
ACT/STBY LED, green (Active) or amber (Standby) | When the ACT/STBY LED is green, the DS3XM-12 card is operational and ready to carry traffic. When the ACT/STBY LED is amber, the DS3XM-12 card is operational and in standby in a 1:1 protection group.
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BER on one or more card ports.

3.12 Interoperability Rules for Electrical Cards

The interoperability rules for the DS3XM-12 and DS3/EC1-48 cards are as follows:
• DS1/DS1-E1-56 cards cannot coexist with high-density (HD) DS3/EC1-48 cards in the same half shelf.
• MXP_2.5G_10G cards cannot coexist with high-density DS3/EC1-48 or DS1/E1-56 cards in the HD electrical slots.
• The DS3XM-12 card cannot coexist with DS1/DS1N or DS1/E1-56 cards.
• DS3i and E1 line cards are allowed only in protect slots.

3.12.1 Half Shelf Compatibility

The DS3/EC1-48 card cannot be provisioned in slots 1 to 6 if:
• A DS1 card is present in any slot from 1 to 6
• A DS1N or MXP_2.5G_10G card is present in slot 3
• A DS1/E1-56 card is present in any slot from 1 to 3
The DS3/EC1-48 card cannot be provisioned in slots 12 to 17 if:
• A DS1 card is present in any slot from 12 to 17
• A DS1 or MXP_2.5G_10G card is present in slot 15
• A DS1/E1-56 card is present in any slot from 15 to 17
The DS3XM-12 card cannot be provisioned in slots 1 to 6 if:
• A DS1 card is present in any slot from 1 to 6
• A DS1N card is present in slot 3
• A DS1/E1-56 card is present in any slot from 1 to 3
The DS3XM-12 card cannot be provisioned in slots 12 to 17 if:
• A DS1 card is present in any slot from 12 to 17
• A DS1N card is present in slot 15
• A DS1/E1-56 card is present in any slot from 15 to 17
The DS1 or DS1N card cannot be provisioned in slots 1 to 6 if:
• A DS3/EC1-48 card is present in any slot from 1 to 3
• A DS3XM-12 card is present in any slot from 1 to 6
The DS1 or DS1N card cannot be provisioned in slots 12 to 17 if:
• A DS3/EC1-48 card is present in any slot from 15 to 17
• A DS3XM-12 card is present in any slot from 12 to 17
The DS1/E1-56 card cannot be provisioned in slots 1 to 6 if:
• A DS3/EC1-48 card is present in any slot from 1 to 3
• A DS3XM-12 card is present in any slot from 1 to 6
• An MXP_2.5G_10G card is present in slot 3
The DS1/E1-56 card cannot be provisioned in slots 12 to 17 if:
• A DS3/EC1-48 card is present in any slot from 15 to 17
• A DS3XM-12 card is present in any slot from 12 to 17
• An MXP_2.5G_10G card is present in slot 15
The MXP_2.5G_10G card cannot be provisioned in slot 3 if a DS3/EC1-48 or DS1/E1-56 card is present in slot 1 or 2. The MXP_2.5G_10G card cannot be provisioned in slot 15 if a DS3/EC1-48 or DS1/E1-56 card is present in slot 16 or 17.

3.12.2 Slot Compatibility

The DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 1 if any electrical card is present in slot 5 or 6. The DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 2 if any low-density (LD) electrical card, except a DS3/EC1-48 or DS1/E1-56, is present in slot 3 or 4.
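The half-shelf rules in 3.12.1 above are symmetrical between the two halves of the shelf (slot 1 mirrors slot 17, slot 3 mirrors slot 15, and so on), which makes them a natural fit for a small table-driven check run before a card is provisioned. The following is an added example written for this page, not Cisco or CTC code. It takes the shelf as a mapping from slot number to card name using the names the manual uses, derives the side B rules by mirroring the side A rules (and so assumes the slot-15 rule mirrors the slot-3 rule, that is, DS1N or MXP_2.5G_10G), and covers section 3.12.1 only, not the protection-group-dependent rules of 3.12.2.

```python
"""Added example: pre-provisioning check for the half-shelf rules in section 3.12.1.

The shelf is a dict {slot: card name} using the card names the manual uses. Side B
rules are derived by mirroring the side A rules (slot s -> 18 - s), which reproduces
the manual's side B lists; the slot-15 rule is assumed to mirror slot 3 (DS1N or MXP_2.5G_10G).
"""


def mirror(slot: int) -> int:
    """Side A slot -> side B counterpart and back: 1<->17, 2<->16, 3<->15, 4<->14, 5<->13, 6<->12."""
    return 18 - slot


# (cards being provisioned, slots the rule applies to, blocking cards, slots where they block)
_SIDE_A_RULES = [
    ({"DS3/EC1-48"}, range(1, 7), {"DS1"}, range(1, 7)),
    ({"DS3/EC1-48"}, range(1, 7), {"DS1N", "MXP_2.5G_10G"}, [3]),
    ({"DS3/EC1-48"}, range(1, 7), {"DS1/E1-56"}, range(1, 4)),
    ({"DS3XM-12"}, range(1, 7), {"DS1"}, range(1, 7)),
    ({"DS3XM-12"}, range(1, 7), {"DS1N"}, [3]),
    ({"DS3XM-12"}, range(1, 7), {"DS1/E1-56"}, range(1, 4)),
    ({"DS1", "DS1N"}, range(1, 7), {"DS3/EC1-48"}, range(1, 4)),
    ({"DS1", "DS1N"}, range(1, 7), {"DS3XM-12"}, range(1, 7)),
    ({"DS1/E1-56"}, range(1, 7), {"DS3/EC1-48"}, range(1, 4)),
    ({"DS1/E1-56"}, range(1, 7), {"DS3XM-12"}, range(1, 7)),
    ({"DS1/E1-56"}, range(1, 7), {"MXP_2.5G_10G"}, [3]),
    ({"MXP_2.5G_10G"}, [3], {"DS3/EC1-48", "DS1/E1-56"}, [1, 2]),
]


def _both_sides(rules):
    """Expand the side A rule list into rules for both halves of the shelf."""
    expanded = []
    for cards, slots, blockers, block_slots in rules:
        expanded.append((frozenset(cards), frozenset(slots),
                         frozenset(blockers), frozenset(block_slots)))
        expanded.append((frozenset(cards), frozenset(map(mirror, slots)),
                         frozenset(blockers), frozenset(map(mirror, block_slots))))
    return expanded


RULES = _both_sides(_SIDE_A_RULES)


def conflicts(shelf: dict, slot: int, card: str) -> list:
    """Reasons `card` cannot be provisioned in `slot` given the cards already in `shelf`.
    An empty list means the half-shelf rules allow it."""
    reasons = []
    if slot in shelf:
        reasons.append(f"slot {slot} is already occupied by {shelf[slot]}")
    for cards, slots, blockers, block_slots in RULES:
        if card not in cards or slot not in slots:
            continue
        for s in sorted(block_slots):
            if s != slot and shelf.get(s) in blockers:
                reasons.append(f"{card} cannot go in slot {slot}: {shelf[s]} is present in slot {s}")
    return reasons


def can_provision(shelf: dict, slot: int, card: str) -> bool:
    return not conflicts(shelf, slot, card)


if __name__ == "__main__":
    shelf = {2: "DS1", 12: "DS3XM-12"}   # constructed sample shelf
    for slot, card in ((5, "DS3/EC1-48"), (17, "DS1"), (14, "DS3/EC1-48")):
        print(slot, card, conflicts(shelf, slot, card) or "OK")
```

Because the rules are data, adding the 3.12 interoperability bullets or a site-specific restriction is a one-line change to `_SIDE_A_RULES`, and a rule that is not meant to be mirrored can be appended to `RULES` directly.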
High-density (HD) DS3/EC1-48 or DS1/E1-56 cards cannot be provisioned in slot 3 if:
• Slot 3 is in a 1:N low-density electrical protection group and protects any card in slot 4, 5, or 6.
• A low-density electrical card in slot 1 is the working card.
• Slots 5 and 6 have low-density cards.
• Slots 2 and 4 have low-density cards and slot 2 is in a protection group.
No electrical cards can be provisioned in slot 3 if slot 2 has a DS3/EC1-48 or DS1/E1-56 card.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 17 if any electrical card is present in slot 12 or 13. A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 16 if any electrical card other than a DS3/EC1-48 or DS1/E1-56 card is present in slot 14 or 15.
Slot 15 cannot be upgraded to a high-density DS3/EC1-48 or DS1/E1-56 card if:
• Slot 15 is in a 1:N low-density electrical protection group and protects any card in slot 12, 13, or 14.
• A low-density card in slot 17 is the working card and slots 12 and 13 have low-density cards.
• Slots 16 and 14 have low-density cards and slot 16 is in a protection group.
No electrical cards can be provisioned in slot 15 if slot 16 has a DS3/EC1-48 or DS1/E1-56 card.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 4. No low-density electrical cards can be provisioned in slot 4 if:
• Slot 2 has a DS3/EC1-48 or DS1/E1-56 card.
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=2) protection group is present.
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=1) protection group is present with slot 2 as the working slot.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 5 or 6. No low-density electrical cards can be provisioned in slot 5 or 6 if:
• Slot 1 has a DS3/EC1-48 or DS1/E1-56 card.
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=2) protection group is present.
• Slot 3 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=1) protection group is present with slot 1 as the working slot.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 12 or 13. No low-density electrical cards can be provisioned in slot 12 or 13 if:
• Slot 17 has a DS3/EC1-48 or DS1/E1-56 card.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=2) protection group is present.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=1) protection group is present with slot 17 as the working slot.
A DS3/EC1-48 or DS1/E1-56 card cannot be provisioned in slot 14. No low-density electrical cards can be provisioned in slot 14 if:
• Slot 16 has a DS3/EC1-48 or DS1/E1-56 card.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=2) protection group is present.
• Slot 15 has a DS3/EC1-48 or DS1/E1-56 card and a 1:N (N=1) protection group is present with slot 16 as the working slot.

Chapter 4 Optical Cards

Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

This chapter describes the Cisco ONS 15454 optical card features and functions. It includes descriptions, hardware specifications, and block diagrams for each optical card.
For installation and card turn-up procedures, refer to the Cisco ONS 15454 Procedure Guide. Chapter topics include:
• 4.1 Optical Card Overview, page 4-2
• 4.2 OC3 IR 4/STM1 SH 1310 Card, page 4-6
• 4.3 OC3 IR/STM1 SH 1310-8 Card, page 4-8
• 4.4 OC12 IR/STM4 SH 1310 Card, page 4-10
• 4.5 OC12 LR/STM4 LH 1310 Card, page 4-12
• 4.6 OC12 LR/STM4 LH 1550 Card, page 4-14
• 4.7 OC12 IR/STM4 SH 1310-4 Card, page 4-16
• 4.8 OC48 IR 1310 Card, page 4-18
• 4.9 OC48 LR 1550 Card, page 4-20
• 4.10 OC48 IR/STM16 SH AS 1310 Card, page 4-22
• 4.11 OC48 LR/STM16 LH AS 1550 Card, page 4-24
• 4.12 OC48 ELR/STM16 EH 100 GHz Cards, page 4-26
• 4.13 OC48 ELR 200 GHz Cards, page 4-28
• 4.14 OC192 SR/STM64 IO 1310 Card, page 4-30
• 4.15 OC192 IR/STM64 SH 1550 Card, page 4-32
• 4.16 OC192 LR/STM64 LH 1550 Card, page 4-34
• 4.17 OC192 LR/STM64 LH ITU 15xx.xx Card, page 4-39
• 4.18 15454_MRC-12 Multirate Card, page 4-42
• 4.19 MRC-2.5G-4 Multirate Card, page 4-47
• 4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards, page 4-51
• 4.21 Optical Card SFPs and XFPs, page 4-53

4.1 Optical Card Overview

Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. See the “1.19 Cards and Slots” section on page 1-74 for a list of slots and symbols.

4.1.1 Card Summary

Table 4-1 lists the Cisco ONS 15454 optical cards.

Table 4-1 Optical Cards for the ONS 15454
Card | Port Description | For Additional Information...
OC3 IR 4 SH 1310 | The OC3 IR 4 SH 1310 card provides four intermediate- or short-range OC-3 ports and operates at 1310 nm. Note: The OC3 IR 4 SH 1310 and OC3 IR 4/STM1 SH 1310 cards are functionally the same. | See the “4.2 OC3 IR 4/STM1 SH 1310 Card” section on page 4-6.
OC3 IR 4/STM1 SH 1310 | The OC3 IR 4/STM1 SH 1310 card provides four intermediate- or short-range OC-3 ports and operates at 1310 nm. | See the “4.2 OC3 IR 4/STM1 SH 1310 Card” section on page 4-6.
OC3 IR/STM1 SH 1310-8 | The OC3 IR/STM1 SH 1310-8 card provides eight intermediate- or short-range OC-3 ports and operates at 1310 nm. | See the “4.3 OC3 IR/STM1 SH 1310-8 Card” section on page 4-8.
OC12 IR 1310 | The OC12 IR 1310 card provides one intermediate- or short-range OC-12 port and operates at 1310 nm. Note: The OC12 IR 1310 and OC12/STM4 SH 1310 cards are functionally the same. | See the “4.4 OC12 IR/STM4 SH 1310 Card” section on page 4-10.
OC12 IR/STM4 SH 1310 | The OC12 IR/STM4 SH 1310 card provides one intermediate- or short-range OC-12 port and operates at 1310 nm. | See the “4.4 OC12 IR/STM4 SH 1310 Card” section on page 4-10.
OC12 LR 1310 | The OC12 LR 1310 card provides one long-range OC-12 port and operates at 1310 nm. Note: The OC12 LR 1310 and OC12 LR/STM4 LH 1310 cards are functionally the same. | See the “4.5 OC12 LR/STM4 LH 1310 Card” section on page 4-12.
OC12 LR/STM4 LH 1310 | The OC12 LR/STM4 LH 1310 card provides one long-range OC-12 port and operates at 1310 nm. | See the “4.5 OC12 LR/STM4 LH 1310 Card” section on page 4-12.
OC12 LR 1550 | The OC12 LR 1550 card provides one long-range OC-12 port and operates at 1550 nm. Note: The OC12 LR 1550 and OC12 LR/STM4 LH 1550 cards are functionally the same. | See the “4.6 OC12 LR/STM4 LH 1550 Card” section on page 4-14.
OC12 LR/STM4 LH 1550 | The OC12 LR/STM4 LH 1550 card provides one long-range OC-12 port and operates at 1550 nm. | See the “4.6 OC12 LR/STM4 LH 1550 Card” section on page 4-14.
OC12 IR/STM4 SH 1310-4 | The OC12 IR/STM4 SH 1310-4 card provides four intermediate- or short-range OC-12 ports and operates at 1310 nm. | See the “4.7 OC12 IR/STM4 SH 1310-4 Card” section on page 4-16.
OC48 IR 1310 | The OC48 IR 1310 card provides one intermediate-range OC-48 port and operates at 1310 nm. | See the “4.8 OC48 IR 1310 Card” section on page 4-18.
OC48 LR 1550 | The OC48 LR 1550 card provides one long-range OC-48 port and operates at 1550 nm. | See the “4.9 OC48 LR 1550 Card” section on page 4-20.
OC48 IR/STM16 SH AS 1310 | The OC48 IR/STM16 SH AS 1310 card provides one intermediate- or short-range OC-48 port at 1310 nm. | See the “4.10 OC48 IR/STM16 SH AS 1310 Card” section on page 4-22.
OC48 LR/STM16 LH AS 1550 | The OC48 LR/STM16 LH AS 1550 card provides one long-range OC-48 port at 1550 nm. | See the “4.11 OC48 LR/STM16 LH AS 1550 Card” section on page 4-24.
OC48 ELR/STM16 EH 100 GHz | The OC48 ELR/STM16 EH 100 GHz card provides one long-range (enhanced) OC-48 port and operates in Slot 5, 6, 12, or 13. This card is available in 18 different wavelengths (9 in the blue band and 9 in the red band) in the 1550-nm range, every second wavelength in the ITU grid for 100-GHz spacing dense wavelength division multiplexing (DWDM). | See the “4.12 OC48 ELR/STM16 EH 100 GHz Cards” section on page 4-26.
OC48 ELR 200 GHz | The OC48 ELR 200 GHz card provides one long-range (enhanced) OC-48 port and operates in Slot 5, 6, 12, or 13. This card is available in 18 different wavelengths (9 in the blue band and 9 in the red band) in the 1550-nm range, every fourth wavelength in the ITU grid for 200-GHz spacing DWDM. | See the “4.13 OC48 ELR 200 GHz Cards” section on page 4-28.
OC192 SR/STM64 IO 1310 | The OC192 SR/STM64 IO 1310 card provides one intra-office-haul OC-192 port at 1310 nm. | See the “4.14 OC192 SR/STM64 IO 1310 Card” section on page 4-30.
OC192 IR/STM64 SH 1550 | The OC192 IR/STM64 SH 1550 card provides one intermediate-range OC-192 port at 1550 nm. | See the “4.15 OC192 IR/STM64 SH 1550 Card” section on page 4-32.
OC192 LR/STM64 LH 1550 | The OC192 LR/STM64 LH 1550 card provides one long-range OC-192 port at 1550 nm. | See the “4.16 OC192 LR/STM64 LH 1550 Card” section on page 4-34.
OC192 LR/STM64 LH ITU 15xx.xx | The OC192 LR/STM64 LH ITU 15xx.xx card provides one extended long-range OC-192 port. This card is available in multiple wavelengths in the 1550-nm range of the ITU grid for 100-GHz-spaced DWDM. | See the “4.17 OC192 LR/STM64 LH ITU 15xx.xx Card” section on page 4-39.
15454_MRC-12 | The 15454_MRC-12 card provides up to twelve OC-3 or OC-12 ports, or up to four OC-48 ports. The card operates in Slots 1 to 6 and 12 to 17. | See the “4.18 15454_MRC-12 Multirate Card” section on page 4-42.
MRC-2.5G-4 | The MRC-2.5G-4 card provides up to four OC-3/STM-1 or OC-12/STM-4 ports, or one OC-48/STM-16 port. The card operates in Slots 1 to 6 and 12 to 17. | See the “4.19 MRC-2.5G-4 Multirate Card” section on page 4-47.
OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach (1) | The OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards each provide a single OC-192/STM-64 interface capable of operating with SR-1, IR-2, and LR-2 XFP modules (depending on the card) at 1310 nm and 1550 nm. The cards operate in Slot 5, 6, 12, or 13 with the XC10G and XC-VXC-10G cards. | See the “4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards” section on page 4-51.
1. In the Cisco Transport Controller (CTC) GUI, these cards are known as OC192-XFP.

Note The Cisco OC3 IR/STM1 SH, OC12 IR/STM4 SH, and OC48 IR/STM16 SH interface optics, all working at 1310 nm, are optimized for the most widely used SMF-28 fiber, available from many suppliers. Corning MetroCor fiber is optimized for optical interfaces that transmit at 1550 nm or in the C and L DWDM windows, and targets interfaces with higher dispersion tolerances than those found in OC3 IR/STM1 SH, OC12 IR/STM4 SH, and OC48 IR/STM16 SH interface optics. If you are using Corning MetroCor fiber, OC3 IR/STM1 SH, OC12 IR/STM4 SH, and OC48 IR/STM16 SH interface optics become dispersion limited before they become attenuation limited. In this case, consider using OC12 LR/STM4 LH and OC48 LR/STM16 LH cards instead of OC12 IR/STM4 SH and OC48 IR/STM16 SH cards. With all fiber types, network planners and engineers should review the relative fiber type and optics specifications to determine attenuation, dispersion, and other characteristics to ensure appropriate deployment.

4.1.2 Card Compatibility

Table 4-2 lists the CTC software compatibility for each optical card. See Table 2-5 on page 2-6 for a list of cross-connect cards that are compatible with each optical card.

Note “Yes” indicates that this card is fully or partially supported by the indicated software release. Refer to the individual card reference section for more information about software limitations for this card.

Table 4-2 Optical Card Software Release Compatibility
Optical Card | R3.3 | R3.4 | R4.0 | R4.1 | R4.5 (1) | R4.6 | R4.7 (1) | R5.0 | R6.0 | R7.0 | R7.2 | R8.0 | R8.5 | R9.0 | R9.1 | R9.2 | R9.2.1
OC3 IR 4 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC3 IR 4/STM1 SH 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC3 IR/STM1 SH 1310-8 | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 IR/STM4 SH 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 IR 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR 1550 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR/STM4 LH 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 LR/STM4 LH 1550 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC12 IR/STM4 SH 1310-4 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 IR 1310 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 LR 1550 | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 IR/STM16 SH AS 1310 (2) | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 LR/STM16 LH AS 1550 (3) | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 ELR/STM16 EH 100 GHz | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC48 ELR 200 GHz | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 SR/STM64 IO 1310 | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 IR/STM64 SH 1550 | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 LR/STM64 LH 1550 (15454-OC192LR1550) | Yes | Yes | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 LR/STM64 LH 1550 (15454-OC192-LR2) | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
OC192 LR/STM64 LH ITU 15xx.xx | — | — | Yes | Yes | — | Yes | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
15454_MRC-12 | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
MRC-2.5G-4 | — | — | — | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes
OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach (4) | — | — | — | — | — | — | — | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
1. DWDM-only release.
2., 3. To enable OC-192 and OC-48 any-slot card operation, use the XC10G or XC-VXC-10G card, the TCC+/TCC2/TCC2P card, Software R3.1 or later, and the 15454-SA-ANSI or 15454-SA-HD shelf assembly. Note that the TCC+ card is not compatible with Software 4.5 or later.
4. These cards are designated as OC192-XFP in CTC.

4.2 OC3 IR 4/STM1 SH 1310 Card

Note For hardware specifications, see the “A.6.1 OC3 IR 4/STM1 SH 1310 Card Specifications” section on page A-28. See Table 4-2 on page 4-5 for optical card compatibility.

The OC3 IR 4/STM1 SH 1310 card provides four intermediate or short range SONET/SDH OC-3 ports compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at 155.52 Mbps over a single-mode fiber span. The card supports Virtual Tributary (VT), nonconcatenated (STS-1), or concatenated (STS-1 or STS-3c) payloads. Figure 4-1 shows the OC3 IR 4/STM1 SH 1310 faceplate and a block diagram of the card.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

Note The OC3 IR 4 SH 1310 and OC3 IR 4/STM1 SH 1310 cards are functionally the same.

Figure 4-1 OC3 IR 4/STM1 SH 1310 Faceplate and Block Diagram

You can install the OC3 IR 4/STM1 SH 1310 card in Slots 1 to 6 and 12 to 17. The card can be provisioned as part of a path protection or a linear add/drop multiplexer (ADM) configuration. Each interface features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses SC connectors. The OC3 IR 4/STM1 SH 1310 card supports 1+1 unidirectional or bidirectional protection switching. You can provision protection on a per-port basis. The OC3 IR 4/STM1 SH 1310 card detects loss of signal (LOS), loss of frame (LOF), loss of pointer (LOP), line-layer alarm indication signal (AIS-L), and line-layer remote defect indication (RDI-L) conditions. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line bit interleaved parity (BIP) errors. To enable automatic protection switching (APS), the OC3 IR 4/STM1 SH 1310 card extracts the K1 and K2 bytes from the SONET overhead to perform appropriate protection switches. The data communication channel/general communication channel (DCC/GCC) bytes are forwarded to the TCC2/TCC2P card, which terminates the DCC/GCC.

4.2.1 OC3 IR 4/STM1 SH 1310 Card-Level Indicators

Table 4-3 describes the three card-level LED indicators on the OC3 IR 4/STM1 SH 1310 card.
[Figure 4-1 block diagram detail: four optical transceivers, each with STS-3 termination/framing, feed an STS-12/STS-3 mux/demux and the BTC ASIC (STS-12) toward the backplane; uP with Flash and RAM on the uP bus. Faceplate: ports 1 to 4, each with Tx and Rx connectors; LEDs FAIL, ACT, SF.]

Table 4-3 OC3 IR 4/STM1 SH 1310 Card-Level Indicators
Card-Level Indicator | Description
Red FAIL LED | The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
Green ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready.
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high bit error rate (BER) on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the links are working, the light turns off.

4.2.2 OC3 IR 4/STM1 SH 1310 Port-Level Indicators

Eight bicolor LEDs show the status per port. The LEDs are green if the port is available to carry traffic, is provisioned as in-service, and is part of a protection group in the active mode. You can find the status of the four card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

4.3 OC3 IR/STM1 SH 1310-8 Card

Note For hardware specifications, see the “A.6.2 OC3 IR/STM1SH 1310-8 Card Specifications” section on page A-29. See Table 4-2 on page 4-5 for optical card compatibility.

The OC3 IR/STM1 SH 1310-8 card provides eight intermediate or short range SONET/SDH OC-3 ports compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at 155.52 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c) payloads.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

Figure 4-2 shows the card faceplate and block diagram.

Figure 4-2 OC3 IR/STM1 SH 1310-8 Faceplate and Block Diagram

You can install the OC3 IR/STM1 SH 1310-8 card in Slots 1 to 4 and 14 to 17. The card can be provisioned as part of a path protection or an ADM configuration. Each interface features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses LC connectors on the faceplate that are angled downward 12.5 degrees. The OC3 IR/STM1 SH 1310-8 card supports 1+1 unidirectional and bidirectional protection switching. You can provision protection on a per-port basis. The OC3 IR/STM1 SH 1310-8 card detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line BIP errors. To enable APS, the OC3 IR/STM1 SH 1310-8 card extracts the K1 and K2 bytes from the SONET overhead to perform appropriate protection switches. The OC3 IR/STM1 SH 1310-8 card supports full DCC/GCC connectivity for remote network management.
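Sections 4.2 and 4.3 both say that the card extracts the K1 and K2 bytes from the SONET line overhead to drive APS and that it detects AIS-L and RDI-L, which are signalled in the same K2 byte. As an added example (not Cisco code; the bit layout is the GR-253/ITU-T G.841 linear APS layout, and the offset arithmetic assumes a byte-interleaved STS-N frame laid out row by row, 9 rows of 90 x N bytes), here is a decoder that locates K1/K2 in a frame and interprets them. The sample frame it builds is constructed for the demonstration and contains nothing but the two bytes of interest.

```python
"""Added example: decode the SONET K1/K2 line-overhead bytes that drive linear APS.

Bit layout per GR-253 / ITU-T G.841 linear APS (bit 1 is the most significant bit):
  K1 bits 1-4 = switch request, bits 5-8 = channel the request is for
  K2 bits 1-4 = channel bridged onto protection, bit 5 = architecture (0: 1+1, 1: 1:n),
     bits 6-8 = status (111 AIS-L, 110 RDI-L, 101 unidirectional, 100 bidirectional)
"""

K1_REQUEST = {
    0b1111: "lockout of protection", 0b1110: "forced switch",
    0b1101: "signal fail (high priority)", 0b1100: "signal fail (low priority)",
    0b1011: "signal degrade (high priority)", 0b1010: "signal degrade (low priority)",
    0b1000: "manual switch", 0b0110: "wait-to-restore", 0b0100: "exercise",
    0b0010: "reverse request", 0b0001: "do not revert", 0b0000: "no request",
}
K2_STATUS = {
    0b111: "AIS-L", 0b110: "RDI-L",
    0b101: "provisioned for unidirectional switching",
    0b100: "provisioned for bidirectional switching",
}


def extract_k1k2(frame: bytes, n: int = 1) -> tuple:
    """Return (K1, K2) from one STS-N frame: 9 rows of 90*N bytes, STS-1s byte-interleaved.
    Row 5 of the transport overhead carries B2 | K1 | K2 for each STS-1; only the first
    STS-1's K1/K2 are defined, so they sit at columns N+1 and 2N+1 (0-based offsets N, 2N)."""
    row_len = 90 * n
    if len(frame) != 9 * row_len:
        raise ValueError(f"an STS-{n} frame is {9 * row_len} bytes, got {len(frame)}")
    row5 = 4 * row_len
    return frame[row5 + n], frame[row5 + 2 * n]


def decode_k1k2(k1: int, k2: int) -> dict:
    """Interpret the K1/K2 pair; line_condition is set when K2 signals AIS-L or RDI-L."""
    for name, value in (("K1", k1), ("K2", k2)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must be one byte, got {value}")
    status = k2 & 0b111
    return {
        "request": K1_REQUEST.get(k1 >> 4, "reserved"),
        "request_channel": k1 & 0x0F,       # 0 = null, 1-14 working, 15 = extra traffic
        "bridged_channel": k2 >> 4,
        "architecture": "1:n" if (k2 >> 3) & 1 else "1+1",
        "status": K2_STATUS.get(status, "reserved"),
        "line_condition": {0b111: "AIS-L", 0b110: "RDI-L"}.get(status),
    }


def build_sts_frame(k1: int, k2: int, n: int = 1) -> bytes:
    """Constructed sample frame (every other overhead and payload byte zero) for trying the decoder."""
    row_len = 90 * n
    frame = bytearray(9 * row_len)
    frame[4 * row_len + n] = k1
    frame[4 * row_len + 2 * n] = k2
    return bytes(frame)


if __name__ == "__main__":
    # Constructed STS-3 frame: low-priority signal-fail request for channel 1, with
    # channel 1 bridged onto protection in a bidirectional 1+1 arrangement.
    k1, k2 = extract_k1k2(build_sts_frame(0xC1, 0x14, n=3), n=3)
    print(decode_k1k2(k1, k2))
```

From a monitoring standpoint the K1 request code is the interesting field: a forced switch or lockout of protection arriving on a line where no operator has requested one is worth logging and correlating with the far end's maintenance records, since it changes which path the traffic takes without any local alarm being raised.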
uP bus Flash RAM uP B a c k p l a n e Optical Transceiver #1 Optical Transceiver #2 Optical Transceiver #3 Optical Transceiver #4 134369 BPIA RX Prot BPIA RX Main BPIA TX Prot BPIA TX Main OCEAN ASIC STM-1 STM-1 STM-1 STM-1 Optical Transceiver #5 Optical Transceiver #6 Optical Transceiver #7 Optical Transceiver #8 STM-1 STM-1 STM-1 STM-1 FAIL ACT SF OC3IR STM1SH 1310-84-10 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.3.1 OC3 IR/STM1 SH 1310-8 Card-Level Indicators 4.3.1 OC3 IR/STM1 SH 1310-8 Card-Level Indicators Table 4-4 describes the three card-level LEDs on the eight-port OC3 IR/STM1 SH 1310-8 card. 4.3.2 OC3 IR/STM1 SH 1310-8 Port-Level Indicators Eight bicolor LEDs show the status per port. The LEDs show green if the port is available to carry traffic, is provisioned as in-service, is part of a protection group, or is in the active mode. You can also find the status of the eight card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages. 4.4 OC12 IR/STM4 SH 1310 Card Note For hardware specifications, see the “A.6.3 OC12 IR/STM4 SH 1310 Card Specifications” section on page A-30. See Table 4-2 on page 4-5 for optical card compatibility. The OC12 IR/STM4 SH 1310 card provides one intermediate or short range SONET OC-12 port compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 622.08 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, or STS-12c) payloads. Figure 4-3 shows the OC12 IR/STM4 SH 1310 faceplate and a block diagram of the card. Note The OC12 IR 1310 and OC12/STM4 SH 1310 cards are functionally the same. 
Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Table 4-4 OC3IR/STM1 SH 1310-8 Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BER on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the links are working, the light turns off.4-11 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.4.1 OC12 IR/STM4 SH 1310 Card-Level Indicators Figure 4-3 OC12 IR/STM4 SH 1310 Faceplate and Block Diagram You can install the OC12 IR/STM4 SH 1310 card in Slots 1 to 6 and 12 to 17, and provision the card as a drop card or span card in a two-fiber BLSR, path protection, or ADM (linear) configuration. The OC12 IR/STM4 SH 1310 card interface features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The OC12 IR/STM4 SH 1310 card uses SC optical connections and supports 1+1 unidirectional and bidirectional protection. The OC12 IR/STM4 SH 1310 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line BIT errors. To enable APS, the OC12 IR/STM4 SH 1310 card extracts the K1 and K2 bytes from the SONET overhead to perform appropriate protection switches. The DCC/GCC bytes are forwarded to the TCC2/TCC2P card, which terminates the DCC/GCC. 
4.4.1 OC12 IR/STM4 SH 1310 Card-Level Indicators Table 4-5 describes the three card-level LEDs on the OC12 IR/STM4 SH 1310 card. uP bus uP Flash RAM STS-12 Mux/ Optical Demux Transceiver OC-12 Main SCI Protect SCI BTC ASIC STS-12 B a c k p l a n e 61353 FAIL ACT SF OC12IR STM4SH 1310 1 33678 12931 Tx Rx4-12 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.4.2 OC12 IR/STM4 SH 1310 Port-Level Indicators 4.4.2 OC12 IR/STM4 SH 1310 Port-Level Indicators You can find the status of the OC-12 IR/STM4 SH 1310 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages. 4.5 OC12 LR/STM4 LH 1310 Card Note For hardware specifications, see the “A.6.4 OC12 LR/STM4 LH 1310 Card Specifications” section on page A-31. See Table 4-2 on page 4-5 for optical card compatibility. The OC12 LR/STM4 LH 1310 card provides one long-range SONET OC-12 port per card compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 622.08 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, or STS-12c) payloads. Figure 4-4 shows the OC12 LR/STM4 LH 1310 faceplate and a block diagram of the card. Note The OC12 LR 1310 and OC12 LR/STM4 LH 1310 cards are functionally the same. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Table 4-5 OC12 IR/STM4 SH 1310 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. 
Green/Amber ACT LED The green ACT LED indicates that the card is operational and is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.4-13 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.5.1 OC12 LR/STM4 LH 1310 Card-Level Indicators Figure 4-4 OC12 LR/STM4 LH 1310 Faceplate and Block Diagram You can install the OC12 LR/STM4 LH 1310 card in Slots 1 to 6 and 12 to 17, and provision the card as a drop card or span card in a two-fiber BLSR, path protection, or ADM (linear) configuration. The OC12 LR/STM4 LH 1310 card interface features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses SC optical connections and supports 1+1 unidirectional and bidirectional protection. The OC12 LR/STM4 LH 1310 card detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line BIT errors. To enable APS, the OC12 LR/STM4 LH 1310 card extracts the K1 and K2 bytes from the SONET overhead to perform appropriate protection switches. The DCC/GCC bytes are forwarded to the TCC2/TCC2P card, which terminates the DCC/GCC. 4.5.1 OC12 LR/STM4 LH 1310 Card-Level Indicators Table 4-6 describes the three card-level LEDs on the OC12 LR/STM4 LH 1310 card. 
uP bus uP Flash RAM BTC ASIC STS-12 Mux/ Optical Demux Transceiver OC-12 Main SCI Protect SCI STS-12 B a c k p l a n e 61354 FAIL ACT SF OC12LR STM4LH 1310 1 33678 12931 Tx Rx4-14 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.5.2 OC12 LR/STM4 LH 1310 Port-Level Indicators 4.5.2 OC12 LR/STM4 LH 1310 Port-Level Indicators You can find the status of the OC12 LR/STM4 LH 1310 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.6 OC12 LR/STM4 LH 1550 Card Note For hardware specifications, see the “A.6.5 OC12 LR/STM4 LH 1550 Card Specifications” section on page A-32. See Table 4-2 on page 4-5 for optical card compatibility. The OC12 LR/STM4 LH 1550 card provides one long-range SONET/SDH OC-12 port compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 622.08 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, or STS-12c) payloads. Figure 4-5 shows the OC12 LR/STM4 LH 1550 faceplate and a block diagram of the card. Note The OC12 LR 1550 and OC12 LR/STM4 LH 1550 cards are functionally the same. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Table 4-6 OC12 LR/STM4 LH 1310 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green/Amber ACT LED The green ACT LED indicates that the card is operational and is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. 
The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.4-15 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.6.1 OC12 LR/STM4 LH 1550 Card-Level Indicators Figure 4-5 OC12 LR/STM4 LH 1550 Faceplate and Block Diagram You can install the OC12 LR/STM4 LH 1550 card in Slots 1 to 4 and 14 to 17. The OC12 LR/STM4 LH 1550 can be provisioned as part of a two-fiber BLSR, path protection, or linear ADM. The OC12 LR/STM4 LH 1550 uses long-reach optics centered at 1550 nm and contains a transmit and receive connector (labeled) on the card faceplate. The OC12 LR/STM4 LH 1550 uses SC optical connections and supports 1+1 bidirectional or unidirectional protection switching. The OC12 LR/STM4 LH 1550 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section and line BIT errors. 4.6.1 OC12 LR/STM4 LH 1550 Card-Level Indicators Table 4-7 describes the three card-level LEDs on the OC12 LR/STM4 LH 1550 card. uP bus uP Flash RAM BTC ASIC STS-12 Mux/ Optical Demux Transceiver OC-12 Main SCI Protect SCI STS-12 B a c k p l a n e 61355 FAIL ACT SF OC12LR STM4LH 1550 1 Tx Rx 33678 129314-16 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.6.2 OC12 LR/STM4 LH 1550 Port-Level Indicators 4.6.2 OC12 LR/STM4 LH 1550 Port-Level Indicators You can find the status of the OC12 LR/STM4 LH 1550 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.7 OC12 IR/STM4 SH 1310-4 Card Note For hardware specifications, see the “A.6.6 OC12 IR/STM4 SH 1310-4 Specifications” section on page A-33. See Table 4-2 on page 4-5 for optical card compatibility. 
The OC12 IR/STM4 SH 1310-4 card provides four intermediate or short range SONET/SDH OC-12/STM-4 ports compliant with the ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at 622.08 Mbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-1, STS-3c, STS-6c, or STS-12c) payloads. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Figure 4-6 shows the OC12 IR/STM4 SH 1310-4 faceplate and a block diagram of the card. Table 4-7 OC12 LR/STM4 LH 1550 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green/Amber ACT LED The green ACT LED indicates that the card is operational and ready to carry traffic. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.4-17 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.7 OC12 IR/STM4 SH 1310-4 Card Figure 4-6 OC12 IR/STM4 SH 1310-4 Faceplate and Block Diagram You can install the OC12 IR/STM4 SH 1310-4 card in Slots 1 to 4 and 14 to 17. Each interface features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses SC connectors. The OC12 IR/STM4 SH 1310-4 card supports 1+1 unidirectional and bidirectional protection switching. You can provision protection on a per port basis. The OC12 IR/STM4 SH 1310-4 card detects LOS, LOF, LOP, MS-AIS, and MS-FERF conditions. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. 
The card also counts section and line BIP errors. To enable BLSR, the OC12 IR/STM4 SH 1310-4 card extracts the K1 and K2 bytes from the SONET overhead and processes them to switch accordingly. The DCC/GCC bytes are forwarded to the TCC2/TCC2P card, which terminates the DCC/GCC. Note If you ever expect to upgrade an OC-12/STM-4 ring to a higher bit rate, you should not put an OC12 IR/STM4 SH 1310-4 card in that ring. The four-port card is not upgradable to a single-port card. The reason is that four different spans, possibly going to four different nodes, cannot be merged to a single span. uP bus uP Flash RAM ASIC B a c k p l a n e STS-12 Optical Transceiver Optical Transceiver Optical Transceiver Optical Transceiver STS-12/STM-4 termination/ framing STS-12/STM-4 termination/ framing STS-12/STM-4 termination/ framing STS-12/STM-4 termination/ framing OC-12 STM-4 78095 1 33678 12931 Tx Rx 2 Tx Rx 4 Tx Rx 3 Tx Rx FAIL ACT SF OC12IR STM4SH 1310-44-18 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.7.1 OC12 IR/STM4 SH 1310-4 Card-Level Indicators 4.7.1 OC12 IR/STM4 SH 1310-4 Card-Level Indicators Table 4-8 describes the three card-level LEDs on the OC12 IR/STM4 SH 1310-4 card. 4.7.2 OC12 IR/STM4 SH 1310-4 Port-Level Indicators You can find the status of the four card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.8 OC48 IR 1310 Card Note For hardware specifications, see the “A.6.7 OC48 IR 1310 Card Specifications” section on page A-34. See Table 4-2 on page 4-5 for optical card compatibility. Note Any new features that are available as part of this software release are not enabled for this card. The OC48 IR 1310 card provides one intermediate-range, SONET OC-48 port per card, compliant with Telcordia GR-253-CORE. 
Each port operates at 2.49 Gbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Figure 4-7 shows the OC48 IR 1310 faceplate and a block diagram of the card. Table 4-8 OC12 IR/STM4 SH 1310-4 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BER on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.4-19 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.8.1 OC48 IR 1310 Card-Level Indicators Figure 4-7 OC48 IR 1310 Faceplate and Block Diagram You can install the OC48 IR 1310 card in Slots 5, 6, 12, and 13, and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or in an ADM (linear) configuration. The OC-48 port features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The OC48 IR 1310 uses SC connectors. The card supports 1+1 unidirectional and bidirectional protection switching. The OC48 IR 1310 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section and line BIP errors. 4.8.1 OC48 IR 1310 Card-Level Indicators Table 4-9 describes the three card-level LEDs on the OC48 IR 1310 card. 
uP bus uP Flash RAM BTC ASIC Optical Transceiver OC-48 Main SCI Protect SCI STS-48 61356 Mux/ Demux B a c k p l a n e FAIL ACT SF OC48 IR 1310 1 33678 12931 Tx Rx4-20 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.8.2 OC48 IR 1310 Port-Level Indicators 4.8.2 OC48 IR 1310 Port-Level Indicators You can find the status of the OC48 IR 1310 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.9 OC48 LR 1550 Card Note For hardware specifications, see the “A.6.8 OC48 LR 1550 Card Specifications” section on page A-35. See Table 4-2 on page 4-5 for optical card compatibility. Note Any new features that are available as part of this software release are not enabled for this card. The OC48 LR 1550 card provides one long-range, SONET OC-48 port per card, compliant with Telcordia GR-253-CORE. Each port operates at 2.49 Gbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Figure 4-8 shows the OC48 LR 1550 faceplate and a block diagram of the card. Table 4-9 OC48 IR 1310 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green/Amber ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. 
If the fibers are properly connected, the light turns off.4-21 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.9.1 OC48 LR 1550 Card-Level Indicators Figure 4-8 OC48 LR 1550 Faceplate and Block Diagram You can install OC48 LR 1550 cards in Slots 5, 6, 12, and 13 and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration. The OC48 LR 1550 port features a 1550-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses SC connectors, and it supports 1+1 unidirectional and bidirectional protection switching. The OC48 LR 1550 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section and line BIP errors. 4.9.1 OC48 LR 1550 Card-Level Indicators Table 4-10 describes the three card-level LEDs on the OC48 LR 1550 card. uP bus uP Flash RAM BTC ASIC Optical Transceiver OC-48 Main SCI Protect SCI STS-48 61359 Mux/ Demux B a c k p l a n e FAIL ACT SF OC48 LR 1550 1 33678 12931 Tx Rx4-22 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.9.2 OC48 LR 1550 Port-Level Indicators 4.9.2 OC48 LR 1550 Port-Level Indicators You can find the status of the OC48 LR 1550 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.10 OC48 IR/STM16 SH AS 1310 Card Note For hardware specifications, see the “A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications” section on page A-36. See Table 4-2 on page 4-5 for optical card compatibility. The OC48 IR/STM16 SH AS 1310 card provides one intermediate-range SONET/SDH OC-48 port compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 2.49 Gbps over a single-mode fiber span. 
The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Figure 4-9 shows the OC48 IR/STM16 SH AS 1310 faceplate and a block diagram of the card. Table 4-10 OC48 LR 1550 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green/Amber ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.4-23 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.10.1 OC48 IR/STM16 SH AS 1310 Card-Level Indicators Figure 4-9 OC48 IR/STM16 SH AS 1310 Faceplate and Block Diagram You can install the OC48 IR/STM16 SH AS 1310 card in Slots 1 to 6 and 12 to 17 and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration. The OC-48 port features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The OC48 IR/STM16 SH AS 1310 uses SC connectors. The card supports 1+1 unidirectional and bidirectional protection switching. The OC48 IR/STM16 SH AS 1310 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section and line BIP errors. 4.10.1 OC48 IR/STM16 SH AS 1310 Card-Level Indicators Table 4-11 lists the three card-level LEDs on the OC48 IR/STM16 SH AS 1310 card. 
uP bus uP Flash RAM BTC ASIC Optical Transceiver OC-48 Main SCI Protect SCI STS-48 61357 Mux/ Demux B a c k p l a n e FAIL ACT SF TX 1 RX OC48IR STM16SH AS 13104-24 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.10.2 OC48 IR/STM16 SH AS 1310 Port-Level Indicators 4.10.2 OC48 IR/STM16 SH AS 1310 Port-Level Indicators You can find the status of the OC48 IR/STM16 SH AS 1310 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.11 OC48 LR/STM16 LH AS 1550 Card Note For hardware specifications, see the “A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications” section on page A-37. See Table 4-2 on page 4-5 for optical card compatibility. The OC48 LR/STM16 LH AS 1550 card provides one long-range SONET/SDH OC-48 port compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE. Each port operates at 2.49 Gbps over a single-mode fiber span. The card supports VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Figure 4-10 shows a block diagram and the faceplate of the OC48 LR/STM16 LH AS 1550 card. Table 4-11 OC48 IR/STM16 SH AS 1310 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green/Amber ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, AIS-L, or high BERs on the card’s port. 
The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.4-25 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.11.1 OC48 LR/STM16 LH AS 1550 Card-Level Indicators Figure 4-10 OC48 LR/STM16 LH AS 1550 Faceplate and Block Diagram You can install OC48 LR/STM16 LH AS 1550 cards in Slots 1 to 6 and 12 to 17 and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration. The OC48 LR/STM16 LH AS 1550 port features a 1550-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses SC connectors, and it supports 1+1 unidirectional and bidirectional protection switching. The OC48 LR/STM16 LH AS 1550 detects LOS, LOF, LOP, AIS-L, and RDI-L conditions. The card also counts section and line BIP errors. 4.11.1 OC48 LR/STM16 LH AS 1550 Card-Level Indicators Table 4-12 describes the three card-level LEDs on the OC48 LR/STM16 LH AS 1550 card. uP bus uP Flash RAM BTC ASIC Optical Transceiver OC-48 Main SCI Protect SCI STS-48 61358 Mux/ Demux B a c k p l a n e FAIL ACT SF TX 1 RX OC48LR STM16LH AS 15504-26 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.11.2 OC48 LR/STM16 LH AS 1550 Port-Level Indicators 4.11.2 OC48 LR/STM16 LH AS 1550 Port-Level Indicators You can find the status of the OC48 LR/STM16 LH AS 1550 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 4.12 OC48 ELR/STM16 EH 100 GHz Cards Note For hardware specifications, see the “A.6.11 OC48 ELR/STM 16 EH 100 GHz Card Specifications” section on page A-38. See Table 4-2 on page 4-5 for optical card compatibility. 
Thirty-seven distinct OC48 ELR/STM16 EH 100 GHz cards provide the ONS 15454 DWDM channel plan. Each OC48 ELR/STM16 EH 100 GHz card has one SONET OC-48/SDH STM-16 port that complies with Telcordia GR-253-CORE, ITU-T G.692, and ITU-T G.958. The port operates at 2.49 Gbps over a single-mode fiber span. The card carries VT, concatenated (STS-1), and nonconcatenated (STS-1, STS-3c, STS-6c, STS-12c, or STS-48c) payloads. Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on. Figure 4-11 shows the OC48 ELR/STM16 EH 100 GHz faceplate and a block diagram of the card. Table 4-12 OC48 LR/STM16 LH AS 1550 Card-Level Indicators Card-Level Indicators Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. Replace the card if the red FAIL LED persists. Green/Amber ACT LED The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card’s port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.4-27 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.12 OC48 ELR/STM16 EH 100 GHz Cards Figure 4-11 OC48 ELR/STM16 EH 100 GHz Faceplate and Block Diagram Nineteen of the cards operate in the blue band with spacing of 100 GHz on the ITU grid (1528.77 nm, 1530.33 nm, 1531.12 nm, 1531.90 nm, 1532.68 nm, 1533.47 nm, 1534.25 nm, 1535.04 nm, 1535.82 nm, 1536.61 nm, 1538.19 nm, 1538.98 nm, 1539.77 nm, 1540.56 nm, 1541.35 nm, 1542.14 nm, 1542.94 nm, 1543.73 nm, and 1544.53 nm). ITU spacing conforms to ITU-T G.692 and Telcordia GR-2918-CORE, Issue 2. 
The other eighteen cards operate in the red band with spacing of 100 GHz on the ITU grid (1546.12 nm, 1546.92 nm, 1547.72 nm, 1548.51 nm,1549.32 nm, 1550.12 nm, 1550.92 nm, 1551.72 nm, 1552.52 nm, 1554.13 nm, 1554.94 nm, 1555.75 nm, 1556.55 nm, 1557.36 nm, 1558.17 nm, 1558.98 nm, 1559.79 nm, and 1560.61 nm). These cards are also designed to interoperate with the Cisco ONS 15216 DWDM solution. You can install the OC48 ELR/STM16 EH 100 GHz cards in Slots 5, 6, 12, and 13 and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration. Each OC48 ELR/STM16 EH 100 GHz card uses extended long-reach optics operating individually within the ITU-T 100-GHz grid. The OC-48 DWDM cards are intended to be used in applications with long unregenerated spans of up to 300 km (186 miles) (with mid-span amplification). These transmission distances are achieved through the use of inexpensive optical amplifiers (flat gain amplifiers) such as Cisco ONS 15216 erbium-doped fiber amplifiers (EDFAs). Maximum system reach in filterless applications is 26 dB without the use of optical amplifiers or regenerators. However, system reach also depends on the condition of the facilities, the number of splices and connectors, and other performance-affecting factors. When used in combination with uP bus uP Flash RAM BTC ASIC Optical Transceiver OC-48 Main SCI Protect SCI STS-48 61613 Mux/ Demux B a c k p l a n e FAIL ACT/STBY SF TX 1 RX OC48ELR STM16EH 100GHz 1560.614-28 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.12.1 OC48 ELR 100 GHz Card-Level Indicators ONS 15216 100-GHz filters, the link budget is reduced by the insertion loss of the filters plus an additional 2-dB power penalty. The wavelength stability of the OC48 ELR/STM16 EH 100 GHz cards is +/– 0.12 nm for the life of the product and over the full range of operating temperatures. 
Each interface contains a transmitter and receiver. The OC48 ELR/STM16 EH 100 GHz cards detect LOS, LOF, LOP, and AIS-L conditions. The cards also count section and line BIP errors.

4.12.1 OC48 ELR 100 GHz Card-Level Indicators

Table 4-13 lists the three card-level LEDs on the OC48 ELR/STM16 EH 100 GHz cards.

Table 4-13 OC48 ELR/STM16 EH 100 GHz Card-Level Indicators
Card-Level Indicator | Description
Red FAIL LED | The red FAIL LED indicates that the card's processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card's port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.

4.12.2 OC48 ELR 100 GHz Port-Level Indicators

You can find the status of the OC48 ELR/STM16 EH 100 GHz card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

4.13 OC48 ELR 200 GHz Cards

Note For hardware specifications, see the "A.6.12 OC48 ELR 200 GHz Card Specifications" section on page A-38. See Table 4-2 on page 4-5 for optical card compatibility.

Eighteen distinct OC48 ELR 200 GHz cards provide the ONS 15454 DWDM channel plan. Each OC48 ELR 200 GHz card provides one SONET OC-48 port that is compliant with Telcordia GR-253-CORE. The port operates at 2.49 Gbps over a single-mode fiber span. The card carries VT, nonconcatenated (STS-1), or concatenated (STS-3c, STS-6c, STS-12c, or STS-48c) payloads.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

Figure 4-12 shows the OC48 ELR 200 GHz faceplate and a block diagram of the card.

Figure 4-12 OC48 ELR 200 GHz Faceplate and Block Diagram

Nine of the cards operate in the blue band with 200-GHz spacing on the ITU grid (1530.33 nm, 1531.90 nm, 1533.47 nm, 1535.04 nm, 1536.61 nm, 1538.19 nm, 1539.77 nm, 1541.35 nm, and 1542.94 nm). The other nine cards operate in the red band with 200-GHz spacing on the ITU grid (1547.72 nm, 1549.32 nm, 1550.92 nm, 1552.52 nm, 1554.13 nm, 1555.75 nm, 1557.36 nm, 1558.98 nm, and 1560.61 nm). These cards are also designed to interoperate with the Cisco ONS 15216 DWDM solution. You can install the OC48 ELR 200 GHz cards in Slots 5, 6, 12, and 13, and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration. Each OC48 ELR 200 GHz card uses extended long-reach optics operating individually within the ITU-T 200-GHz grid. The OC48 ELR 200 GHz cards are intended for applications with long unregenerated spans of up to 200 km (124 miles) with mid-span amplification. These distances are achieved with inexpensive flat-gain optical amplifiers such as EDFAs. Using collocated amplification, distances up to 200 km (124 miles) can be achieved for a single channel and 160 km (99 miles) for 8 channels. Maximum system reach in filterless applications is 24 dB, or approximately 80 km (50 miles), without optical amplifiers or regenerators. System reach also depends on the condition of the facilities, the number of splices and connectors, and other performance-affecting factors. The OC48 ELR DWDM cards feature wavelength stability of +/–0.25 nm. Each interface contains a transmitter and receiver.
[Figure 4-12 block diagram: optical transceiver, STS-48 mux/demux, BTC ASIC, processor with flash and RAM on the uP bus, main and protect SCI to the backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; label OC48 ELR 1530.33]

The OC48 ELR 200 GHz cards support extended long-reach applications in conjunction with optical amplification. Using electro-absorption technology, the OC48 DWDM cards provide a solution at the lower extended long-reach distances. The OC48 ELR 200 GHz interface features a 1550-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses SC connectors and supports 1+1 unidirectional and bidirectional protection switching. The OC48 ELR 200 GHz cards detect LOS, LOF, LOP, AIS-L, and RDI-L conditions. The cards also count section and line BIP errors. To enable APS, the OC48 ELR 200 GHz cards extract the K1 and K2 bytes from the SONET line overhead. The DCC bytes are forwarded to the TCC2/TCC2P card, which terminates the DCC/GCC.

4.13.1 OC48 ELR 200 GHz Card-Level Indicators

Table 4-14 describes the three card-level LEDs on the OC48 ELR 200 GHz cards.

4.13.2 OC48 ELR 200 GHz Port-Level Indicators

You can find the status of the OC48 ELR 200 GHz card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to quickly view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot.

4.14 OC192 SR/STM64 IO 1310 Card

Note For hardware specifications, see the "A.6.13 OC192 SR/STM64 IO 1310 Card Specifications" section on page A-39. See Table 4-2 on page 4-5 for optical card compatibility.

The OC192 SR/STM64 IO 1310 card provides one intra-office SONET/SDH OC-192 port in the 1310-nm wavelength range, compliant with ITU-T G.707, ITU-T G.691, ITU-T G.957, and Telcordia GR-253-CORE.
The port operates at 9.95328 Gbps over unamplified distances up to 2 km (1.24 miles). The card supports VT, nonconcatenated (STS-1), or concatenated payloads.

Table 4-14 OC48 ELR 200 GHz Card-Level Indicators
Card-Level Indicator | Description
Red FAIL LED | The red FAIL LED indicates that the card's processor is not ready. Replace the card if the red FAIL LED persists.
Green/Amber ACT LED | The green ACT LED indicates that the card is carrying traffic or is traffic-ready. The amber ACT LED indicates that the card is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card's port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

Figure 4-13 shows the OC192 SR/STM64 IO 1310 faceplate and block diagram.

Figure 4-13 OC192 SR/STM64 IO 1310 Faceplate and Block Diagram

You can install OC192 SR/STM64 IO 1310 cards in Slot 5, 6, 12, or 13. You can provision this card as part of a BLSR, a path protection, or a linear configuration, or as a regenerator for longer span reaches. The OC192 SR/STM64 IO 1310 port features a 1310-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses a dual SC connector for optical cable termination. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1:1 protection in four-fiber BLSR applications where both span switching and ring switching might occur. The OC192 SR/STM64 IO 1310 card detects SF, LOS, or LOF conditions on the optical facility.
Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line BIP errors from the B1 and B2 bytes in the section and line overhead.

4.14.1 OC192 SR/STM64 IO 1310 Card-Level Indicators

Table 4-15 describes the three card-level LEDs on the OC192 SR/STM64 IO 1310 card.

[Figure 4-13 block diagram: optical transceiver, CDR, ADC x 8, demux and mux, BTC ASIC, SCL processor with SRAM and flash, CK Mpy, STM-64/OC-192 interfaces to the backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC192SR STM64IO 1310]

4.14.2 OC192 SR/STM64 IO 1310 Port-Level Indicators

You can find the status of the OC192 SR/STM64 IO 1310 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

4.15 OC192 IR/STM64 SH 1550 Card

Note For hardware specifications, see the "A.6.14 OC192 IR/STM64 SH 1550 Card Specifications" section on page A-40. See Table 4-2 on page 4-5 for optical card compatibility.

The OC192 IR/STM64 SH 1550 card provides one intermediate-reach SONET/SDH OC-192 port in the 1550-nm wavelength range, compliant with ITU-T G.707, ITU-T G.691, ITU-T G.957, and Telcordia GR-253-CORE. The port operates at 9.95328 Gbps over unamplified distances up to 40 km (25 miles) on SMF-28 fiber, limited by loss and/or dispersion. The card supports VT, nonconcatenated (STS-1), or concatenated payloads.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

Figure 4-14 shows the OC192 IR/STM64 SH 1550 faceplate and block diagram.
Table 4-15 OC192 SR/STM64 IO 1310 Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card's processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is in standby mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card's ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.

Figure 4-14 OC192 IR/STM64 SH 1550 Faceplate and Block Diagram

Note You must use a 3 to 15 dB fiber attenuator (5 dB recommended) when working with the OC192 IR/STM64 SH 1550 card in a loopback. Do not connect a direct, unattenuated fiber loopback to the OC192 IR/STM64 SH 1550 card; an unattenuated loopback can cause irreparable damage to the card.

You can install OC192 IR/STM64 SH 1550 cards in Slot 5, 6, 12, or 13. You can provision this card as part of a BLSR, path protection, or linear configuration, or as a regenerator for longer span reaches. The OC192 IR/STM64 SH 1550 port features a 1550-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses a dual SC connector for optical cable termination. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1:1 protection in four-fiber BLSR applications where both span switching and ring switching might occur.
The OC192 IR/STM64 SH 1550 card detects SF, LOS, or LOF conditions on the optical facility. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line BIP errors from the B1 and B2 bytes in the section and line overhead.

4.15.1 OC192 IR/STM64 SH 1550 Card-Level Indicators

Table 4-16 describes the three card-level LEDs on the OC192 IR/STM64 SH 1550 card.

[Figure 4-14 block diagram: optical transceiver, CDR, ADC x 8, demux and mux, BTC ASIC, SCL processor with SRAM and flash, CK Mpy, STM-64/OC-192 interfaces to the backplane. Faceplate: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC192IR STM64SH 1550]

4.15.2 OC192 IR/STM64 SH 1550 Port-Level Indicators

You can find the status of the OC192 IR/STM64 SH 1550 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

4.16 OC192 LR/STM64 LH 1550 Card

Note For hardware specifications, see the "A.6.15 OC192 LR/STM64 LH 1550 Card Specifications" section on page A-41. See Table 4-2 on page 4-5 for optical card compatibility.

Note Any new features that are available as part of this software release are not enabled for this card.

The OC192 LR/STM64 LH 1550 card provides one long-reach SONET/SDH OC-192 port compliant with ITU-T G.707, ITU-T G.691, ITU-T G.957, and Telcordia GR-253-CORE (except for minimum and maximum transmit power and minimum receive power). The card port operates at 9.95328 Gbps over unamplified distances up to 80 km (50 miles) on fiber types such as C-SMF or dispersion-compensated fiber, limited by loss and/or dispersion.
The card supports VT, nonconcatenated (STS-1), or concatenated payloads. There are two versions of the OC192 LR/STM64 LH 1550. The earlier version has the product ID 15454-OC192LR1550; the later card's product ID is 15454-OC192-LR2. These cards have slight specification differences that are noted throughout this description.

Note You can differentiate the 15454-OC192-LR2 (15454E-L64.2-1) card from the 15454-OC192LR1550 card by looking at the faceplate: the 15454-OC192-LR2 does not have a laser on/off switch.

Table 4-16 OC192 IR/STM64 SH 1550 Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card's processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card's ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

Figure 4-15 shows the OC192 LR/STM64 LH 1550 (15454-OC192LR1550) faceplate and a block diagram of the card.

Figure 4-15 OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate and Block Diagram

Figure 4-16 shows an enlarged view of the faceplate warning on the 15454-OC192LR1550.
[Figure 4-15 block diagram: optical transceiver, CDR, DAC x 8, ADC x 8, Dig Pol x 2, demux and mux, BTC ASIC, SCL processor with SRAM and flash, CK Mpy, OC-192 STS interfaces to the backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; laser on/off switch (0/1); label "DANGER - INVISIBLE LASER RADIATION MAY BE EMITTED FROM THE END OF UNTERMINATED FIBER CABLE OR CONNECTOR. DO NOT STARE INTO BEAM OR VIEW DIRECTLY WITH OPTICAL INSTRUMENTS."; "MAX INPUT POWER LEVEL -10 dBm" at the RX connector; Class 1M (IEC), Class 1 (CDRH)]

Figure 4-16 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192LR1550) Faceplate

[Figure 4-16: the laser DANGER label above, "MAX INPUT POWER LEVEL -10 dBm" at the RX connector, Class 1M (IEC), Class 1 (CDRH)]

Figure 4-17 shows the OC192 LR/STM64 LH 1550 (15454-OC192-LR2) faceplate and a block diagram of the card.

Figure 4-17 OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate and Block Diagram

[Figure 4-17 block diagram: optical transceiver, CDR, ADC x 8, demux and mux, BTC ASIC, SCL processor with SRAM and flash, CK Mpy, OC-192/STM-64 STS interfaces to the backplane. Faceplate: FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX; "MAX INPUT POWER LEVEL -7 dBm" at the RX connector]

Figure 4-18 shows an enlarged view of the faceplate warning on the 15454-OC192-LR2.

Figure 4-18 Enlarged Section of the OC192 LR/STM64 LH 1550 (15454-OC192-LR2) Faceplate

Caution You must use a 19 to 24 dB fiber attenuator (14 to 28 dB for the 15454-OC192-LR2; 20 dB recommended) when connecting a fiber loopback to an OC192 LR/STM64 LH 1550 card.
Never connect a direct, unattenuated fiber loopback: a transmit-to-receive (Tx-to-Rx) connection that is not attenuated damages the receiver and causes irreparable damage to the card.

You can install OC192 LR/STM64 LH 1550 cards in Slots 5, 6, 12, and 13 and provision the card as a drop or span card in a two-fiber or four-fiber BLSR, path protection, or ADM (linear) configuration, or as a regenerator for longer span reaches.

[Figure 4-18: "COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No. 50, DATED JULY 26, 2001"; "MAX INPUT POWER LEVEL -7 dBm" at the RX connector; FAIL, ACT/STBY, and SF LEDs; port 1 TX/RX]

The card port features a 1550-nm laser and contains a transmit and receive connector (labeled) on the card faceplate. The card uses a dual SC connector for optical cable termination. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1:1 protection in four-fiber BLSR applications where both span switching and ring switching might occur. The OC192 LR/STM64 LH 1550 card detects SF, LOS, or LOF conditions on the optical facility. The card also counts section and line BIP errors from the B1 and B2 bytes in the section and line overhead.

4.16.1 OC192 LR/STM64 LH 1550 Card-Level Indicators

Table 4-17 describes the three card-level LEDs on the OC192 LR/STM64 LH 1550 card.

4.16.2 OC192 LR/STM64 LH 1550 Port-Level Indicators

You can find the status of the OC192 LR/STM64 LH 1550 card port by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of the port or card slot; the screen displays the number and severity of alarms for a given port or slot.
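The attenuator caution above, turned into a check a technician can run before connecting a loopback. This is an example added to this chapter, not code from Cisco or the ONS 15454 software: it derives the range of fixed attenuation that keeps a Tx-to-Rx loopback below the receiver's maximum input and above its sensitivity, reports when no single pad can satisfy both, and, for span planning, subtracts fiber, splice, connector and filter losses from a link budget, applying the 2-dB filter penalty this chapter states for the OC48 ELR cards used with ONS 15216 100-GHz filters. With the 15454-OC192-LR2 figures given in this section (+4 to +7 dBm launch power, the faceplate's -7 dBm maximum input, -24 dBm receiver sensitivity) it reproduces the 14 to 28 dB window in the caution. The span parameters (80 km at 0.25 dB/km, splice and connector losses) are constructed values, not card specifications, and the class and function names are this example's own.

```python
"""Attenuator-window and span-margin checks for a fixed-wavelength optical port.

Added example; not code from the Cisco ONS 15454 documentation.  Card values are
taken from the chapter text where stated; everything else is a labelled assumption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortOptics:
    """Optical limits of one transceiver, all in dBm."""
    tx_min: float          # lowest launch power the transmitter may emit
    tx_max: float          # highest launch power the transmitter may emit
    rx_overload: float     # faceplate "MAX INPUT POWER LEVEL"; more than this damages the receiver
    rx_sensitivity: float  # weakest input the receiver still decodes


def attenuator_window(p: PortOptics) -> Optional[Tuple[float, float]]:
    """Fixed attenuation (dB) that makes a Tx-to-Rx loopback both safe and workable.

    Lower bound: enough loss that the strongest transmitter stays below the
    receiver's overload point.  Upper bound: little enough loss that the weakest
    transmitter stays above the sensitivity floor.  None means no single pad
    satisfies both, so the port cannot be looped back with a fixed attenuator.
    """
    lo = p.tx_max - p.rx_overload
    hi = p.tx_min - p.rx_sensitivity
    return (lo, hi) if lo <= hi else None


def loopback_is_safe(p: PortOptics, attenuation_db: float) -> bool:
    """True when the chosen pad lies inside the window; 0.0 dB is a direct loopback."""
    window = attenuator_window(p)
    return window is not None and window[0] <= attenuation_db <= window[1]


# Power penalty the chapter adds for the OC48 ELR cards when ONS 15216 100-GHz
# filters are in the path, on top of the filters' own insertion loss.
FILTER_PENALTY_DB = 2.0


def span_margin_db(budget_db: float, fiber_km: float, fiber_db_per_km: float,
                   splices: int, splice_db: float, connectors: int, connector_db: float,
                   filter_il_db: Optional[float] = None) -> float:
    """Budget left after fiber, splice, connector and (optional) filter losses.

    A negative result means the unamplified span does not close: plan mid-span
    or collocated amplification, or shorten the span.
    """
    if filter_il_db is not None:
        budget_db -= filter_il_db + FILTER_PENALTY_DB
    loss = fiber_km * fiber_db_per_km + splices * splice_db + connectors * connector_db
    return round(budget_db - loss, 2)


# 15454-OC192-LR2 figures from this section: +4 to +7 dBm launch power,
# -7 dBm faceplate maximum input, -24 dBm receiver sensitivity.
OC192_LR2 = PortOptics(tx_min=4.0, tx_max=7.0, rx_overload=-7.0, rx_sensitivity=-24.0)

if __name__ == "__main__":
    print("LR2 loopback pad window (dB):", attenuator_window(OC192_LR2))  # (14.0, 28.0)
    print("direct loopback safe?", loopback_is_safe(OC192_LR2, 0.0))       # False
    print("20 dB pad safe?", loopback_is_safe(OC192_LR2, 20.0))           # True
    # Constructed span (assumed losses): 80 km at 0.25 dB/km, 4 splices at
    # 0.1 dB, 2 connectors at 0.5 dB, against the 26 dB filterless reach the
    # chapter gives for the OC48 ELR 100 GHz cards.
    print("filterless margin:", span_margin_db(26.0, 80, 0.25, 4, 0.1, 2, 0.5))               # 4.6
    print("with 3 dB filters:", span_margin_db(26.0, 80, 0.25, 4, 0.1, 2, 0.5, filter_il_db=3.0))  # -0.4
```

The lower bound of the window is the one that protects hardware: it must be computed from the strongest launch power and the faceplate maximum input, never from typical values. The older 15454-OC192LR1550 carries a -10 dBm maximum input on its faceplate, so its window is different from the LR2 one computed here; feed its own specifications in rather than reusing the LR2 numbers.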
Note The optical output power of the OC192 LR/STM64 LH 1550 (+4 dBm to +7 dBm) is 6 dB lower than in L-64.2b of the 10/2000 prepublished unedited version of ITU-T G.691 (+10 dBm to +13 dBm). However, the total attenuation range of the optical path, 16 to 22 dB, is maintained by the optical receiver sensitivity range of the OC192 LR/STM64 LH 1550 (–7 dBm to –24 dBm). This sensitivity range outperforms the specification in L-64.2b of the 10/2000 prepublished unedited version of ITU-T G.691. The resulting link budget of the card is 26 dB.

Table 4-17 OC192 LR/STM64 LH 1550 Card-Level Indicators
Card-Level Indicator | Description
Red FAIL LED | The red FAIL LED indicates that the card's processor is not ready. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on the card's port. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected, the light turns off.

4.17 OC192 LR/STM64 LH ITU 15xx.xx Card

Note For hardware specifications, see the "A.6.16 OC192 LR/STM64 LH ITU 15xx.xx Card Specifications" section on page A-43. See Table 4-2 on page 4-5 for optical card compatibility.

Sixteen distinct OC-192/STM-64 ITU 100 GHz DWDM cards comprise the ONS 15454 DWDM channel plan. Each OC192 LR/STM64 LH ITU 15xx.xx card provides one long-reach STM-64/OC-192 port, compliant with ITU-T G.707, ITU-T G.957, and Telcordia GR-253-CORE (except for minimum and maximum transmit power and minimum receive power).
The port operates at 9.95328 Gbps over unamplified distances up to 60 km (37 miles) on fiber types such as C-SMF or dispersion-compensated fiber, limited by loss and/or dispersion.

Note Longer distances are possible in an amplified system using dispersion compensation.

Warning The laser is on when the optical card is booted. The port does not have to be in service for the laser to be on.

The card supports VT, nonconcatenated (STS-1), or concatenated payloads.

Figure 4-19 shows the OC192 LR/STM64 LH ITU 15xx.xx faceplate.

Figure 4-19 OC192 LR/STM64 LH ITU 15xx.xx Faceplate

[Figure 4-19: FAIL, ACT, and SF LEDs; port 1 Tx/Rx; label OC192LR STM64LH ITU; "RX MAX INPUT POWER LEVEL -8 dBm" at the Rx connector]

Figure 4-20 shows a block diagram of the OC192 LR/STM64 LH ITU 15xx.xx card.

Figure 4-20 OC192 LR/STM64 LH ITU 15xx.xx Block Diagram

Note You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the OC192 LR/STM64 LH ITU 15xx.xx card in a loopback. Do not connect a direct, unattenuated fiber loopback to the OC192 LR/STM64 LH ITU 15xx.xx card; an unattenuated loopback causes irreparable damage to this card.

Eight of the cards operate in the blue band with 100-GHz spacing in the ITU grid (1534.25 nm, 1535.04 nm, 1535.82 nm, 1536.61 nm, 1538.19 nm, 1538.98 nm, 1539.77 nm, and 1540.56 nm). The other eight cards operate in the red band with 100-GHz spacing in the ITU grid (1550.12 nm, 1550.92 nm, 1551.72 nm, 1552.52 nm, 1554.13 nm, 1554.94 nm, 1555.75 nm, and 1556.55 nm). You can install OC192 LR/STM64 LH ITU 15xx.xx cards in Slot 5, 6, 12, or 13. You can provision this card as part of a BLSR, path protection, or linear configuration, or as a regenerator for longer span reaches.
The OC192 LR/STM64 LH ITU 15xx.xx port features a laser on a specific wavelength in the 1550-nm range and contains a transmit and receive connector (labeled) on the card faceplate. The card uses a dual SC connector for optical cable termination. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1:1 protection in four-fiber BLSR applications where both span switching and ring switching might occur. The OC192 LR/STM64 LH ITU 15xx.xx card detects SF, LOS, or LOF conditions on the optical facility. Refer to the Cisco ONS 15454 Troubleshooting Guide for a description of these conditions. The card also counts section and line BIP errors from the B1 and B2 bytes in the section and line overhead.

4.17.1 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators

Table 4-18 describes the three card-level LEDs on the OC192 LR/STM64 LH ITU 15xx.xx card.

[Figure 4-20 block diagram: optical transceiver, CDR, ADC x 8, demux and mux, BTC ASIC, SCL processor with SRAM and flash, CK Mpy, STM-64/OC-192 interfaces to the backplane]

4.17.2 OC192 LR/STM64 LH ITU 15xx.xx Port-Level Indicators

You can find the status of the OC192 LR/STM64 LH ITU 15xx.xx card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

4.18 15454_MRC-12 Multirate Card

Note For hardware specifications, see the "A.6.17 15454_MRC-12 Card Specifications" section on page A-44. See Table 4-2 on page 4-5 for optical card compatibility.
The 15454_MRC-12 multirate card provides up to twelve OC-3/STM-1 ports, twelve OC-12/STM-4 ports, or four OC-48/STM-16 ports using small form-factor pluggables (SFPs), in any combination of line rates. All ports are Telcordia GR-253 compliant. The SFP optics can be SR, IR, LR, coarse wavelength division multiplexing (CWDM), or DWDM SFPs to support unrepeated spans. See the "4.21 Optical Card SFPs and XFPs" section on page 4-53 for more information about SFPs. The ports operate at up to 2488.320 Mbps over single-mode fiber. The 15454_MRC-12 card has twelve physical connector adapters with two fibers per connector adapter (Tx and Rx). The card supports VT payloads, STS-1 payloads, and concatenated payloads at STS-3c, STS-6c, STS-9c, STS-12c, STS-18c, STS-24c, STS-36c, or STS-48c signal levels. It is fully interoperable with the ONS 15454 G-Series Ethernet cards. Each 15454_MRC-12 port contains a transmit and receive connector (labeled) on the card faceplate. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1+1 protection in four-fiber BLSR applications where both span switching and ring switching might occur. You can provision this card as part of a BLSR, path protection, or 1+1 linear configuration.

Note Longer distances are possible in an amplified system using dispersion compensation.

Figure 4-21 shows the 15454_MRC-12 faceplate and block diagram.

Table 4-18 OC192 LR/STM64 LH ITU 15xx.xx Card-Level Indicators
Card-Level LED | Description
Red FAIL LED | The red FAIL LED indicates that the card's processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active), Amber (Standby) | If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED | The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card's ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.

Figure 4-21 15454_MRC-12 Card Faceplate and Block Diagram

[Figure 4-21: faceplate label "COMPLIES WITH 21 CFR 1040.10 AND 1040.11 EXCEPT FOR DEVIATIONS PURSUANT TO LASER NOTICE No. 50, DATED JULY 26, 2001"; block diagram with twelve SFP optical transceivers (Ports 1, 4, 7, and 10: OC-3/12/48 (STM-1/4/16); Ports 2, 3, 5, 6, 8, 9, 11, and 12: OC-3/12 (STM-1/4)), Amazon ASIC, processor with flash memory, main and protect SCL interfaces, and main and protect iBPIA to the backplane]

4.18.1 Slot Compatibility by Cross-Connect Card

You can install 15454_MRC-12 cards in Slots 1 through 6 and 12 through 17 with an XCVT, XC10G, or XC-VXC-10G.

Note The 15454_MRC-12 card supports an errorless software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.

The maximum bandwidth of the 15454_MRC-12 card is determined by the cross-connect card, as shown in Table 4-19.
4.18.2 Ports and Line Rates

Each port on the 15454_MRC-12 card can be configured as OC-3/STM-1, OC-12/STM-4, or OC-48/STM-16, depending on the available bandwidth and the existing provisioned ports. Based on the cross-connect card and slot limitations shown in Table 4-19, the following rules apply for the various available synchronous transport signal (STS) bandwidths. (Table 4-20 shows the same information in tabular format.)

• STS-12
– Port 1 is the only port usable as an OC-12. If Port 1 is used as an OC-12, all other ports are disabled.
– Ports 1, 4, 7, and 10 are the only ports usable as OC-3. If any of these ports is used as an OC-3, Ports 2, 3, 5, 6, 8, 9, 11, and 12 are disabled.

• STS-48
– Port 1 is the only port usable as an OC-48. If Port 1 is used as an OC-48, all other ports are disabled.
– Ports 1, 4, 7, and 10 are the only ports usable as OC-12.
– If Port 4 is used as an OC-12, Ports 2 and 3 are disabled.
– If Port 7 is used as an OC-12, Ports 5, 6, and 8 are disabled.
– If Port 10 is used as an OC-12, Ports 9, 11, and 12 are disabled.
– Any port can be used as an OC-3 as long as all of the above rules are followed.

• STS-192
– Ports 1, 4, 7, and 10 are the only ports usable as OC-48.
– If Port 4 is used as an OC-48, Ports 2 and 3 are disabled.
– If Port 7 is used as an OC-48, Ports 5, 6, and 8 are disabled.
– If Port 10 is used as an OC-48, Ports 9, 11, and 12 are disabled.
– If Port 4 is used as an OC-12, Ports 2 and 3 can be used as an OC-12 or OC-3.
– If Port 7 is used as an OC-12, Ports 5, 6, and 8 can be used as an OC-12 or OC-3.
– If Port 10 is used as an OC-12, Ports 9, 11, and 12 can be used as an OC-12 or OC-3.
– If Port 4 is used as an OC-3, Ports 2 and 3 can be used as an OC-3 or OC-12.
– If Port 7 is used as an OC-3, Ports 5, 6, and 8 can be used as an OC-3 or OC-12.
– If Port 10 is used as an OC-3, Ports 9, 11, and 12 can be used as an OC-3 or OC-12.
– Any port can be used as an OC-12 or OC-3, as long as all of the above rules are followed.

Table 4-19 Maximum Bandwidth by Shelf Slot for the 15454_MRC-12 in Different Cross-Connect Configurations
XC Card Type | Maximum Bandwidth in Slots 1 through 4 and 14 through 17 | Maximum Bandwidth in Slots 5, 6, 12, or 13
XCVT | OC-12 | OC-48
XC10G/XC-VXC-10G | OC-48 | OC-192

Table 4-20 shows the 15454_MRC-12 port availability and line rate for each port, based on total available bandwidth. To use the table, go to the rows for the bandwidth that you have available, as determined in Table 4-19. Each row indicates what line rate can be provisioned for each port (identified in the MRC-12 Port Number row). The Ports Used column shows the total number of ports that can be used with each bandwidth scheme.
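The port rules above, as a validator. This is an example added to this chapter, not code from Cisco or the ONS 15454 software: it takes the available bandwidth from Table 4-19 and a {port: rate} plan for one 15454_MRC-12 and returns every rule the plan breaks, and a helper re-derives the Ports Used and Total STSs columns for rows of Table 4-20. It condenses the three per-bandwidth lists into one rule, a head port (4, 7, or 10) provisioned at the highest rate its bandwidth allows disables its subordinate ports, which is what each list states case by case; the "all other ports are disabled" rules for Port 1 follow from the total-bandwidth check. Names such as available_bandwidth, validate, LIMITS and SAMPLE_ROWS are this example's own; the sample rows are copied from Table 4-20.

```python
"""Validate a 15454_MRC-12 port/line-rate plan against the rules in section 4.18.2.

Added example; not code from the Cisco ONS 15454 documentation.  Names such as
available_bandwidth(), validate() and LIMITS are this example's own.
"""
from typing import Dict, List, Sequence, Tuple

# Line rates in STS-1 equivalents; 0 means no SFP / port disabled.
OC3, OC12, OC48 = 3, 12, 48
VALID_RATES = {0, OC3, OC12, OC48}

# Head ports and the subordinate ports each one controls (Figure 4-21 / 4.18.2).
GROUPS: Dict[int, Tuple[int, ...]] = {1: (), 4: (2, 3), 7: (5, 6, 8), 10: (9, 11, 12)}
HEAD_OF = {sub: head for head, subs in GROUPS.items() for sub in subs}

# Highest rate allowed on port 1, on the other head ports (4, 7, 10) and on the
# subordinate ports for each available bandwidth.  A head port provisioned at
# its "head" rate disables its subordinates: OC-3 at STS-12, OC-12 at STS-48,
# OC-48 at STS-192, exactly as the three rule lists in 4.18.2 say.
LIMITS = {
    12:  {"port1": OC12, "head": OC3,  "sub": 0},
    48:  {"port1": OC48, "head": OC12, "sub": OC3},
    192: {"port1": OC48, "head": OC48, "sub": OC12},
}

# Table 4-19: bandwidth the card gets from the cross-connect card and its slot.
MRC_SLOTS = set(range(1, 7)) | set(range(12, 18))
HIGH_SPEED_SLOTS = {5, 6, 12, 13}


def available_bandwidth(xc_card: str, slot: int) -> int:
    """STS bandwidth for a 15454_MRC-12 in `slot` with the given cross-connect card."""
    if slot not in MRC_SLOTS:
        raise ValueError(f"slot {slot} cannot hold a 15454_MRC-12")
    high = slot in HIGH_SPEED_SLOTS
    if xc_card == "XCVT":
        return 48 if high else 12
    if xc_card in ("XC10G", "XC-VXC-10G"):
        return 192 if high else 48
    raise ValueError(f"unknown cross-connect card {xc_card!r}")


def total_sts(plan: Dict[int, int]) -> int:
    return sum(plan.values())


def ports_used(plan: Dict[int, int]) -> int:
    return sum(1 for rate in plan.values() if rate)


def validate(plan: Dict[int, int], bandwidth: int) -> List[str]:
    """Return every rule `plan` ({port: rate}) breaks; an empty list means it is valid."""
    lim = LIMITS[bandwidth]
    errors: List[str] = []
    for port in range(1, 13):
        rate = plan.get(port, 0)
        if rate not in VALID_RATES:
            errors.append(f"port {port}: {rate} is not OC-3, OC-12 or OC-48")
            continue
        if rate == 0:
            continue
        cap = lim["port1"] if port == 1 else lim["head"] if port in GROUPS else lim["sub"]
        if cap == 0:
            errors.append(f"port {port}: not usable with STS-{bandwidth} bandwidth")
            continue
        if rate > cap:
            errors.append(f"port {port}: OC-{rate} exceeds OC-{cap} allowed at STS-{bandwidth}")
        if port in HEAD_OF and plan.get(HEAD_OF[port], 0) == lim["head"]:
            errors.append(f"port {port}: disabled because port {HEAD_OF[port]} is OC-{lim['head']}")
    if total_sts(plan) > bandwidth:
        errors.append(f"total STS-{total_sts(plan)} exceeds available STS-{bandwidth}")
    return errors


def plan_from_row(cells: Sequence[str]) -> Dict[int, int]:
    """Turn the twelve port cells of a Table 4-20 row into a plan ("—" or "-" = unused)."""
    return {i + 1: (0 if c in ("—", "-") else int(c)) for i, c in enumerate(cells)}


# Rows copied from Table 4-20: (bandwidth, port cells, Ports Used, Total STSs).
SAMPLE_ROWS = [
    (12, "3 - - 3 - - 3 - - 3 - -", 4, 12),
    (48, "3 - - 12 - - 12 - - 12 - -", 4, 39),
    (48, "12 3 3 3 - - 12 - 3 3 3 3", 9, 45),
    (192, "48 - - 48 12 12 12 12 12 12 12 12", 10, 192),
    (192, "3 12 12 12 - - 48 - - 48 - -", 6, 135),
]


def audit_rows(rows=SAMPLE_ROWS) -> List[str]:
    """Validate each row and re-derive its Ports Used / Total STSs; return mismatches."""
    problems: List[str] = []
    for bandwidth, cells, used, total in rows:
        plan = plan_from_row(cells.split())
        problems += [f"{cells}: {err}" for err in validate(plan, bandwidth)]
        if (ports_used(plan), total_sts(plan)) != (used, total):
            problems.append(f"{cells}: got {ports_used(plan)} ports / {total_sts(plan)} STS")
    return problems


if __name__ == "__main__":
    bw = available_bandwidth("XC10G", 5)                          # 192
    print(validate({1: OC48, 4: OC48, 7: OC48, 10: OC48}, bw))   # []
    print(validate({1: OC12, 4: OC12, 2: OC3}, 48))               # port 2 disabled by port 4 at OC-12
    print(audit_rows())                                            # []
```

Run it against a planned provisioning change before applying it on the node: a plan that passes validate() for the bandwidth returned by available_bandwidth() is one the card will accept under the rules above, and the ValueError for a slot outside 1 through 6 and 12 through 17 catches the other common mistake.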
Table 4-20 Line Rate Configurations Per 15454_MRC-12 Port, Based on Available Bandwidth
(Each port cell gives the line rate provisioned on that port in STS-1 equivalents: 3 = OC-3, 12 = OC-12, 48 = OC-48; — = port not usable in that configuration.)

MRC-12 Port Number | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | Ports Used | Total STSs
Permitted Rate(s) | OC-3, OC-12, OC-48 | OC-3, OC-12 | OC-3, OC-12 | OC-3, OC-12, OC-48 | OC-3, OC-12 | OC-3, OC-12 | OC-3, OC-12, OC-48 | OC-3, OC-12 | OC-3, OC-12 | OC-3, OC-12, OC-48 | OC-3, OC-12 | OC-3, OC-12 | — | —

STS-12 Available Bandwidth
12 | — | — | — | — | — | — | — | — | — | — | — | 1 | 12
3 | — | — | 3 | — | — | 3 | — | — | 3 | — | — | 4 | 12

STS-48 Available Bandwidth
3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 12 | 36
3 | — | — | 12 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 10 | 39
3 | — | — | 12 | — | — | 12 | — | 3 | 3 | 3 | 3 | 7 | 39
3 | — | — | 12 | — | — | 12 | — | — | 12 | — | — | 4 | 39
12 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 12 | 45
12 | — | — | 12 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 10 | 48
12 | — | — | 12 | — | — | 12 | — | 3 | 3 | 3 | 3 | 7 | 48
12 | — | — | 12 | — | — | 12 | — | — | 12 | — | — | 4 | 48
12 | 3 | 3 | 3 | — | — | 12 | — | 3 | 3 | 3 | 3 | 9 | 45
12 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | — | 12 | — | — | 9 | 45
3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | — | 12 | — | — | 9 | 36
3 | 3 | 3 | 3 | — | — | 12 | — | — | 12 | — | — | 6 | 36
48 | — | — | — | — | — | — | — | — | — | — | — | 1 | 48

STS-192 Available Bandwidth (when installing additional SFPs from the top port to the bottom port) (1)
48 | 3 | 3 | — | 12 | 12 | 12 | 12 | 3 | 3 | 3 | 3 | 11 | 114
48 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 12 | 81
48 | 12 | 12 | 12 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 12 | 108
48 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 3 | 3 | 3 | 3 | 12 | 144
48 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 180
48 | 3 | 3 | 3 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 153
48 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 12 | 12 | 12 | 12 | 12 | 117
48 | — | — | 48 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 10 | 120
48 | — | — | 48 | 12 | 12 | 12 | 12 | 3 | 3 | 3 | 3 | 10 | 156
48 | — | — | 48 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 10 | 192
48 | — | — | 48 | — | — | 48 | — | 3 | 3 | 3 | 3 | 7 | 156
48 | — | — | 48 | — | — | 48 | — | 12 | 12 | 12 | 12 | 7 | 192
48 | — | — | 48 | — | — | 48 | — | — | 48 | — | — | 4 | 192

STS-192 Available Bandwidth (when installing additional SFPs from the bottom port to the top port) (1)
3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | — | 48 | — | — | 9 | 72
3 | 3 | 3 | 3 | 12 | 12 | 12 | 12 | — | 48 | — | — | 9 | 108
3 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | — | 48 | — | — | 9 | 135
12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | — | 48 | — | — | 9 | 144
12 | 12 | 12 | 12 | 3 | 3 | 3 | 3 | — | 48 | — | — | 9 | 108
12 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | — | 48 | — | — | 9 | 81
3 | 3 | 3 | 3 | — | — | 48 | — | — | 48 | — | — | 6 | 108
3 | 12 | 12 | 12 | — | — | 48 | — | — | 48 | — | — | 6 | 135
12 | 12 | 12 | 12 | — | — | 48 | — | — | 48 | — | — | 6 | 144
12 | 3 | 3 | 3 | — | — | 48 | — | — | 48 | — | — | 6 | 117
3 | — | — | 48 | — | — | 48 | — | — | 48 | — | — | 4 | 147
12 | — | — | 48 | — | — | 48 | — | — | 48 | — | — | 4 | 156

1. If the MRC-12 card is initially populated with OC-3/12 SFPs on all 12 ports, you can later add OC-48 SFPs on that card from the top port to the bottom port or from the bottom port to the top port. The maximum available bandwidth usage differs between these two cases.

4.18.3 15454_MRC-12 Card-Level Indicators

Table 4-21 describes the three card-level LEDs on the 15454_MRC-12 card.

4.18.4 15454_MRC-12 Port-Level Indicators

Each port has an Rx indicator. The LED flashes green if the port is receiving a signal and flashes red if the port is not receiving a signal. You can also find the status of the 15454_MRC-12 card ports by using the LCD screen on the ONS 15454 fan-tray assembly.
Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages. 4.19 MRC-2.5G-4 Multirate Card Note For hardware specifications, see the “A.6.17 15454_MRC-12 Card Specifications” section on page A-44. See Table 4-2 on page 4-5 for optical card compatibility. The MRC-2.5G-4 multirate card provides up to four OC-3/STM-1 ports, four OC-12/STM-4 ports, or one OC-48/STM-16 ports using small form-factor pluggables (SFPs), in various combinations of line rates. All ports are Telcordia GR-253 compliant. The SFP optics can use SR, IR, LR, coarse wavelength division multiplexing (CWDM), and DWDM SFPs to support unrepeated spans. See the “4.21 Optical Card SFPs and XFPs” section on page 4-53 for more information about SFPs. The ports operate at up to 2488.320 Mbps over a single-mode fiber. The MRC-2.5G-4 card has four physical connector adapters with two fibers per connector adapter (Tx and Rx). The card supports VT payloads, STS-1 payloads, and concatenated payloads at STS-3c, STS-6c, STS-9c, STS-12c, STS-18c, STS-24c, STS-36c, or STS-48c signal levels. It is fully interoperable with the ONS 15454 G-Series Ethernet cards. Each MRC-2.5G-4 port contains a transmit and receive connector (labeled) on the card faceplate. The card supports 1+1 unidirectional and bidirectional facility protection. It also supports 1+1 protection in four-fiber BLSR applications where both span switching and ring switching might occur. You can provision this card as part of an BLSR, path protection, or 1+1 linear configuration. The MRC-2.5G-4 card also supports optimized 1+1 protection when used with OC-3 SFPs. Table 4-21 15454_MRC-12 Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. 
The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.4-48 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.19 MRC-2.5G-4 Multirate Card Note 1+1 protection must be configured between the same equipment type, using the same port number and line rate. Note Longer distances are possible in an amplified system using dispersion compensation. Figure 4-22 shows the MRC-2.5G-4 faceplate and block diagram. Figure 4-22 MRC-2.5G-4 Card Faceplate and Block Diagram 159815 OC-3/12/48 (STM-1/4/16) Port 1 SFP Optical XCVR OC-3/12 (STM-1/4/) Port 2 SFP Optical XCVR OC-3/12 (STM-1/4) Port 3 SFP Optical XCVR OC-3/12 (STM-1/4/16) Port 4 SFP Optical XCVR Main SCL Intfc. Protect SCL Intfc. Amazon ASIC B a c k p l a n e Main iBPIA Protect iBPIA Processor Flash Memory 2 3 4 14-49 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.19.1 Slot Compatibility by Cross-Connect Card 4.19.1 Slot Compatibility by Cross-Connect Card You can install MRC-2.5G-4 cards in Slots 1 through 6 and 12 through 17 with an XCVT, XC10G, or XC-VXC-10G. Note The MRC-2.5G-4 card supports an errorless software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards. The maximum bandwidth of the MRC-2.5G-4 card is determined by the cross-connect card, as shown in Table 4-22. 
4.19.2 Ports and Line Rates Total MRC-2.5G-4 card bandwidth cannot exceed OC-48/STM-16, so there are some limitations on which SFP ports can be used as OC-3/STM-1, OC-12/STM-4, and OC-48/STM-16. The following rules apply for port bandwidth allocation: • STS-12 maximum backplane bandwidth – Port 1 is the only port that is usable as an OC-12/STM-4. If Port 1 is used as an OC-12/STM-4, all other ports are disabled. – Each of the four ports can be used as OC-3/STM-1. • STS-48 maximum backplane bandwidth – Port 1 is the only port that is usable as an OC-48/STM-16. If Port 1 is used as an OC-48/STM-16, all other ports are disabled. – Mixed OC-3/STM-1 and OC-12/STM-4 configurations are supported. All possible permutations are not covered in this reference section. Table 4-22 Maximum Bandwidth by Shelf Slot for the MRC-2.5G-4 in Different Cross-Connect Configurations XC Card Type Maximum Bandwidth in Slots 1 through 4 and 14 through 17 Maximum Bandwidth in Slots 5, 6, 12, or 13 XCVT OC-12 OC-48 XC10G/XC-VXC-10G OC-48 OC-484-50 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.19.3 MRC-2.5G-4 Card-Level Indicators Table 4-23 shows the 15454_MRC-4 port availability and line rate for each port, based on total available bandwidth. To use the table, go to the rows for the bandwidth that you have available, as determined in Table 4-22. Each row indicates what line rate can be provisioned for each port (identified in the MCR-4 Port Number row). The Ports Used column shows the total number of ports that can be used with each bandwidth scheme. With the MRC-4 card, you can have a maximum of 16 combinations of STS-48 available bandwidths with the OC-12 and OC-3 port rates. 4.19.3 MRC-2.5G-4 Card-Level Indicators Table 4-21 describes the three card-level LEDs on the MRC-2.5G-4 card. 4.19.4 MRC-2.5G-4 Port-Level Indicators Each port has an Rx indicator. 
The LED flashes green if the port is receiving a signal, and it flashes red if the port is not receiving a signal. You can also find the status of the MRC-2.5G-4 card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages. Table 4-23 Line Rate Configurations Per 15454_MRC- 4 Port, Based on Available Bandwidth MRC-4 Port Number 1 2 3 4 Ports Used Total STSs Permitted Rate(s) OC-3 OC-12 OC-48 OC-3 OC-12 OC-3 OC-12 OC-3 OC-12 — — STS-12 Available Bandwidth 12 3 — 3 — 3 — 3 1 4 12 12 STS-48 Available Bandwidth 48 12/3 — 12/3 — 12/3 — 12/3 1 4 48 Table 4-24 MRC-2.5G-4 Card-Level Indicators Card-Level LED Description Red FAIL LED The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists. ACT/STBY LED Green (Active) Amber (Standby) If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR). Amber SF LED The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. 
If the fibers are properly connected and the link is working, the light turns off.4-51 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 4 Optical Cards 4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards 4.20 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Cards Note For hardware specifications, see the “A.6.19 OC192SR1/STM64IO Short Reach Card Specifications” section on page A-47 and the “A.6.20 OC192/STM64 Any Reach Card Specifications” section on page A-48. See Table 4-2 on page 4-5 for optical card compatibility. The OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards each provide a single OC-192/STM-64 interface, as follows: • OC192SR1/STM64IO Short Reach card (SR-1) • OC192/STM-64 Any Reach card (SR-1, IR-2, and LR-2) In CTC, these cards are referred to as “OC192-XFP” cards. The interface operates at 9.952 Gbps over single-mode fiber spans and can be provisioned for both concatenated and nonconcatenated payloads on a per STS-1/VC-4 basis. Specification references can be found for the OC-192/STM-64 interface in ITU-T G.691, ITU-T G.693, and ITU-T G.959.1, and Telcordia GR-253. The optical interface uses a 10-Gbps Form-factor Pluggable (XFP) optical transceiver that plugs into a receptacle on the front of the card. The OC192SR1/STM64IO Short Reach card is used only with an SR-1 XFP, while the OC192/STM-64 Any Reach card can be provisioned for use with an SR-1, IR-2, LR-2, or DWDM XFP module. The XFP SR, IR, and LR interfaces each provide one bidirectional OC192/STM64 interface compliant with the recommendations defined by ITU-T G.91. SR-1 is compliant with ITU-T I-64.1, IR-2 is compliant with ITU G.691 S-64.2b, and LR-2 is compliant with ITU G.959.1 P1L1-2D2. The cards are used only in Slots 5, 6, 12, and 13. and only with 10-Gbps cross-connect cards, such as the XC10G and XC-VXC-10G. 
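Returning to the MRC-2.5G-4 rules in section 4.19.2, the slot-bandwidth lookup of Table 4-22 and the port rules of Table 4-23 can be combined into a pre-check run before a port rate is provisioned. The following Python is an added example, not Cisco code and not a CTC or TL1 interface; the function names, the dict-based port description, and the sample values are assumptions.

```python
"""Provisioning pre-check for an MRC-2.5G-4 card: does a requested set of
port line rates fit the backplane bandwidth the card gets in its slot?

Added example, not Cisco code. It encodes the rules stated in section
4.19.2 and Tables 4-22 and 4-23; function names and the dict-based port
description are assumptions made for this example."""

# STS-1 equivalents of the line rates a port can be provisioned to carry.
STS_PER_RATE = {"OC-3": 3, "OC-12": 12, "OC-48": 48}

# Section 4.19.1: the card installs in Slots 1-6 and 12-17.
ALL_SLOTS = set(range(1, 7)) | set(range(12, 18))
# Table 4-22: with an XCVT, only these slots give OC-48 bandwidth.
HIGH_SPEED_SLOTS = {5, 6, 12, 13}


def backplane_sts(xc_card, slot):
    """Return the STS bandwidth available to an MRC-2.5G-4 in `slot` (Table 4-22)."""
    if slot not in ALL_SLOTS:
        raise ValueError(f"slot {slot}: MRC-2.5G-4 installs only in Slots 1-6 and 12-17")
    if xc_card == "XCVT":
        return 48 if slot in HIGH_SPEED_SLOTS else 12
    if xc_card in ("XC10G", "XC-VXC-10G"):
        return 48
    raise ValueError(f"unknown cross-connect card {xc_card!r}")


def validate_mrc4_ports(backplane, ports):
    """Check a port -> rate assignment, e.g. {1: "OC-12", 2: "OC-3"}, against
    the section 4.19.2 rules. Ports absent from the dict are unprovisioned.
    Returns (ok, total_sts, problems)."""
    if backplane not in (12, 48):
        raise ValueError("MRC-2.5G-4 backplane bandwidth is STS-12 or STS-48")
    problems = []
    rates = {p: ports.get(p) for p in (1, 2, 3, 4)}
    for p in ports:
        if p not in rates:
            problems.append(f"port {p} does not exist on an MRC-2.5G-4")
    for p, r in rates.items():
        if r is not None and r not in STS_PER_RATE:
            problems.append(f"port {p}: unsupported rate {r!r}")
    if problems:
        return False, 0, problems

    # The rate that consumes the whole backplane is usable on Port 1 only,
    # and when Port 1 carries it every other port must be disabled.
    full_rate = "OC-12" if backplane == 12 else "OC-48"
    if backplane == 12 and "OC-48" in rates.values():
        problems.append("OC-48 is not usable with STS-12 backplane bandwidth")
    for p in (2, 3, 4):
        if rates[p] == full_rate:
            problems.append(f"port {p}: {full_rate} is usable on Port 1 only")
    if rates[1] == full_rate:
        for p in (2, 3, 4):
            if rates[p] is not None:
                problems.append(f"port {p} must be disabled when Port 1 is {full_rate}")

    # Mixed OC-3/OC-12 configurations are allowed as long as the sum fits
    # (Table 4-23: four OC-12 ports use exactly 48 STSs).
    total = sum(STS_PER_RATE[r] for r in rates.values() if r is not None)
    if total > backplane:
        problems.append(f"total {total} STSs exceeds the {backplane}-STS backplane")
    return not problems, total, problems


def check_card(xc_card, slot, ports):
    """Slot lookup plus port rules in one call; returns (ok, total_sts, problems)."""
    return validate_mrc4_ports(backplane_sts(xc_card, slot), ports)


if __name__ == "__main__":
    # Constructed samples: an XCVT shelf with the card in Slot 3 (STS-12),
    # then an XC10G shelf (STS-48) with a mixed OC-12/OC-3 layout.
    print(check_card("XCVT", 3, {1: "OC-12", 2: "OC-3"}))   # rejected: Port 2 must be disabled
    print(check_card("XC10G", 3, {1: "OC-12", 2: "OC-12", 3: "OC-3", 4: "OC-3"}))  # accepted, 30 STSs
```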
Note: The OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards support an errorless software-initiated cross-connect card switch when used in a shelf equipped with XC-VXC-10G and TCC2/TCC2P cards.

Figure 4-23 shows the faceplates and block diagram for the two cards.

Figure 4-23 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card Faceplates and Block Diagram [figure; faceplate labels: FAIL, ACT/STBY, SF, Tx 1 Rx; block diagram labels: XFP, serial EEPROM, FLASH, DDR SDRAM, transport OH processor and backplane I/F, uP, ID, I2C mux, main and protect IBPIA, OC-192, backplane]

The cards’ spans depend on the XFP module that is used:
• A card using the SR-1 XFP is intended to be used in applications requiring 10-Gbps transport with unregenerated spans of up to 2.0 km.
• A card using the IR-2 XFP is intended to be used in applications requiring 10-Gbps transport with unregenerated spans of up to 40 km.
• A card using the LR-2 XFP is intended to be used in applications requiring 10-Gbps transport with unregenerated spans of up to 80 km.

4.20.1 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators

Table 4-25 describes the three card-level LEDs on the OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach cards.

Table 4-25 OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach Card-Level Indicators

Card-Level LED: Description
Red FAIL LED: The red FAIL LED indicates that the card’s processor is not ready. This LED is on during reset. The FAIL LED flashes during the boot process. Replace the card if the red FAIL LED persists.
ACT/STBY LED, Green (Active) / Amber (Standby): If the ACT/STBY LED is green, the card is operational and ready to carry traffic. If the ACT/STBY LED is amber, the card is operational and in standby (protect) mode or is part of an active ring switch (BLSR).
Amber SF LED: The amber SF LED indicates a signal failure or condition such as LOS, LOF, or high BERs on one or more of the card’s ports. The amber SF LED is also on if the transmit and receive fibers are incorrectly connected. If the fibers are properly connected and the link is working, the light turns off.

4.20.2 OC192SR1/STM64IO Short Reach and OC-192/STM-64 Any Reach Port-Level Indicators

You can find the status of the OC192SR1/STM64IO Short Reach and OC192/STM64 Any Reach card ports by using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

4.21 Optical Card SFPs and XFPs

The ONS 15454 optical cards use industry-standard SFP and XFP modular receptacles. Currently, the only optical cards that use SFPs and XFPs are the 15454_MRC-12, MRC-2.5G-4, OC192SR1/STM64IO Short Reach, and OC192/STM64 Any Reach cards. For all optical cards, the type of SFP or XFP plugged into the card is displayed in CTC and TL1. Cisco offers SFPs and XFPs as separate orderable products.

4.21.1 Compatibility by Card

Table 4-26 lists Cisco ONS 15454 optical cards and their compatible SFPs and XFPs.

Caution: Only use SFPs and XFPs certified for use in Cisco Optical Networking Systems (ONSs). The qualified Cisco SFP and XFP pluggable modules’ top assembly numbers (TANs) are provided in Table 4-26.

Table 4-26 SFP and XFP Card Compatibility

Card: 15454_MRC-12 and MRC-2.5G-4 (ONS 15454 SONET/SDH)
Compatible SFPs and XFPs (Cisco Product ID)          Cisco Top Assembly Number (TAN)(1)
ONS-SC-2G-28.7=(2) through ONS-SC-2G-60.6=           10-2307-02, 10-2155-02 through 10-2184-02
ONS-SE-155-1470= through ONS-SE-155-1610             10-1996-02 through 10-2003-02
ONS-SE-622-1470= through ONS-SE-622-1610=            10-2004-02 through 10-2011-02
ONS-SI-155-I1=                                       10-1938-02
ONS-SI-155-L1=                                       10-1957-02
ONS-SI-155-L2=                                       10-1937-02
ONS-SI-2G-S1=                                        10-1992-02
ONS-SI-2G-I1=                                        10-1993-02
ONS-SI-2G-L1=                                        10-2102-02
ONS-SI-2G-L2=                                        10-1990-02
ONS-SI-622-I1=                                       10-1956-02
ONS-SI-622-L1=                                       10-1958-02
ONS-SI-622-L2=                                       10-1936-02
ONS-SI-155-SR-MM=                                    10-2279-01
ONS-SI-622-SR-MM=                                    10-2280-01
ONS-SC-Z3-1470= through ONS-SC-Z3-1610=              10-2285-01 through 10-2292-01
ONS-SE-Z1=                                           10-1971-02
ONS-SC-155-EL=                                       10-2363-01

Card: OC192SR1/STM64IO Short Reach (ONS 15454 SONET/SDH)(3)
Compatible SFPs and XFPs (Cisco Product ID)          Cisco Top Assembly Number (TAN)(1)
ONS-XC-10G-S1                                        10-2012-02
ONS-XC-10G-30.3= through ONS-XC-10G-61.4=            10-2347-01 through 10-2309-01

Card: OC192/STM64 Any Reach (ONS 15454 SONET/SDH)(3)
Compatible SFPs and XFPs (Cisco Product ID)          Cisco Top Assembly Number (TAN)(1)
ONS-XC-10G-C=                                        10-2480-01
ONS-XC-10G-S1                                        10-2012-02
ONS-XC-10G-I2                                        10-2193-02
ONS-XC-10G-L2                                        10-2194-02
ONS-XC-10G-30.3= through ONS-XC-10G-61.4=            10-2347-01 through 10-2309-01

1. The TANs indicated for the pluggables are backward compatible. For example, TAN 10-2307-02 is compatible with 10-2307-01.
2. ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from Release 8.5 and later.
3. This card is designated as OC192-XFP in CTC.

Table 4-27 lists the LED based SFPs. SFPs that are LED based do not support the optical power transmitted (OPT) and laser bias current (LBC) optical parameters.

Table 4-27 LED Based SFPs

SFPs (Cisco Product ID)      Cisco Top Assembly Number (TAN)
ONS-SI-155-SR-MM SFP         10-2279-01
ONS-SI-622-SR-MM SFP         10-2280-01
ONS-SE-100-FX                10-2212-01
ONS-SI-100-FX                10-2350-01

4.21.2 SFP Description

SFPs are integrated fiber optic transceivers that provide high-speed serial links from a port or slot to the network. Various latching mechanisms can be utilized on the modules. There is no correlation between the type of latch and the model type (such as SX or LX/LH) or technology type (such as Gigabit Ethernet). See the label on the SFP for technology type and model. Three latch types are available: mylar (Figure 4-24), actuator/button (Figure 4-25), and bail clasp (Figure 4-26).

Figure 4-24 Mylar Tab SFP [figure]

Figure 4-25 Actuator/Button SFP [figure]

Figure 4-26 Bail Clasp SFP [figure]

SFP dimensions are:
• Height 0.03 in. (8.5 mm)
• Width 0.53 in. (13.4 mm)
• Depth 2.22 in. (56.5 mm)

SFP temperature ranges are:
• COM—Commercial operating temperature range: 23 to 158 degrees Fahrenheit (–5 to 70 degrees Celsius)
• EXT—Extended operating temperature range: 23 to 185 degrees Fahrenheit (–5 to 85 degrees Celsius)
• IND—Industrial operating temperature range: –40 to 185 degrees Fahrenheit (–40 to 85 degrees Celsius)

4.21.3 XFP Description

The 10-Gbps 1310-nm and 1550-nm XFP transceivers are integrated fiber optic transceivers that provide high-speed serial links at the following signaling rates: 9.95 Gbps, 10.31 Gbps, and 10.51 Gbps. The XFP integrates the receive and transmit paths. The transmit side recovers and retimes the 10-Gbps serial data and passes it to a laser driver. The laser driver biases and modulates a 1310-nm or 1550-nm distributed feedback (DFB) laser, enabling data transmission over single-mode fiber (SMF) through an LC connector. The receive side recovers and retimes the 10-Gbps optical data stream from a positive-intrinsic-negative (PIN) photodetector and transimpedance amplifier, and passes it to an output driver.

The XFP module uses the bail clasp latching mechanism, shown unlatched in Figure 4-27 and latched in Figure 4-28. See the label on the XFP for technology type and model.

Figure 4-27 Bail Clasp XFP (Unlatched) [figure]

Figure 4-28 Bail Clasp XFP (Latched) [figure]

XFP dimensions are:
• Height 0.33 in. (8.5 mm)
• Width 0.72 in. (18.3 mm)
• Depth 3.1 in. (78 mm)

XFP temperature ranges are:
• COM—Commercial operating temperature range: 23 to 158 degrees Fahrenheit (–5 to 70 degrees Celsius)
• EXT—Extended operating temperature range: 23 to 185 degrees Fahrenheit (–5 to 85 degrees Celsius)
• IND—Industrial operating temperature range: –40 to 185 degrees Fahrenheit (–40 to 85 degrees Celsius)

4.21.4 PPM Provisioning

SFPs and XFPs are known as pluggable-port modules (PPMs) in CTC. Multirate PPMs for the 15454_MRC-12 card can be provisioned for different line rates in CTC. For more information about provisioning PPMs, refer to the Cisco ONS 15454 Procedure Guide.

Chapter 5 Ethernet Cards

Note: The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

The Cisco ONS 15454 integrates Ethernet into a SONET platform through the use of Ethernet cards. This chapter describes the E-Series, G-Series, ML-Series, and CE-Series Ethernet cards. For installation and card turn-up procedures, refer to the Cisco ONS 15454 Procedure Guide. For ML-Series configuration information, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.
Chapter topics include: • 5.1 Ethernet Card Overview, page 5-2 • 5.2 E100T-12 Card, page 5-4 • 5.3 E100T-G Card, page 5-6 • 5.4 E1000-2 Card, page 5-9 • 5.5 E1000-2-G Card, page 5-11 • 5.6 G1K-4 Card, page 5-14 • 5.7 ML100T-12 Card, page 5-16 • 5.8 ML100X-8 Card, page 5-18 • 5.9 ML1000-2 Card, page 5-20 • 5.10 ML-MR-10 Card, page 5-22 • 5.11 CE-100T-8 Card, page 5-25 • 5.12 CE-1000-4 Card, page 5-27 • 5.13 CE-MR-10 Card, page 5-30 • 5.14 Ethernet Card GBICs and SFPs, page 5-345-2 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.1 Ethernet Card Overview 5.1 Ethernet Card Overview The card overview section summarizes the Ethernet card functions and provides the software compatibility for each card. Note Each card is marked with a symbol that corresponds to a slot (or slots) on the ONS 15454 shelf assembly. The cards are then installed into slots displaying the same symbols. Refer to the Cisco ONS 15454 Procedure Guide for a list of slots and symbols. 5.1.1 Ethernet Cards Table 5-1 lists the Cisco ONS 15454 Ethernet cards. Table 5-1 Ethernet Cards for the ONS 15454 Card Port Description For Additional Information... E100T-12 The E100T-12 card provides 12 switched, autosensing, 10/100BaseT Ethernet ports and is compatible with the XCVT card. See the “5.2 E100T-12 Card” section on page 5-4. E100T-G The E100T-G card provides 12 switched, autosensing, 10/100BaseT Ethernet ports and is compatible with the XC10G and XC-VXC-10G cards. See the “5.3 E100T-G Card” section on page 5-6. E1000-2 The E1000-2 card provides two IEEE-compliant, 1000-Mbps ports. Gigabit Interface Converters (GBICs) are separate. See the “5.4 E1000-2 Card” section on page 5-9. E1000-2-G The E1000-2-G card provides two IEEE-compliant, 1000-Mbps ports. GBICs are separate. The E1000-2-G card is compatible with the XC10G and XC-VXC-10G cards. See the “5.5 E1000-2-G Card” section on page 5-11. 
G1K-4 The G1K-4 card provides four IEEE-compliant, 1000-Mbps ports. GBICs are separate. The G1K-4 card can operate with XCVT, XC10G and XC-VXC-10G cross-connect cards. See the “5.6 G1K-4 Card” section on page 5-14. M100T-12 The ML100T-12 card provides 12 switched, autosensing, 10/100Base-T Ethernet ports. See the “5.7 ML100T-12 Card” section on page 5-16. M100X-8 The ML100X-8 card provides eight switched, 100BaseFX Ethernet ports. See the “5.8 ML100X-8 Card” section on page 5-18. M1000-2 The ML1000-2 card provides two IEEE-compliant, 1000-Mbps ports. Small Form-factor Pluggable (SFP) connectors are separate. See the “5.9 ML1000-2 Card” section on page 5-20. ML-MR-10 The ML-MR-10 card is a ten-port multilayer Ethernet card. The Ethernet ports support speeds of 10 Mbps, 100 Mbps, or 1000 Mbps through pluggable SFPs. See the “5.10 ML-MR-10 Card” section on page 5-22.5-3 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.1.2 Card Compatibility 5.1.2 Card Compatibility Table 5-2 lists the CTC software compatibility for each Ethernet card. Note “Yes” indicates that this card is fully or partially supported by the indicated software release. Refer to the individual card reference section for more information about software limitations for this card. CE-100T-8 The CE-100T-8 card provides eight IEEE-compliant, 10/100-Mbps ports. The CE-100T-8 can operate with the XC10G, XC-VXC-10G, or XCVT cross-connect cards. See the “5.11 CE-100T-8 Card” section on page 5-25. CE-MR-10 The CE-MR-10 card is a ten-port Ethernet card. The Ethernet ports support speeds of 10 Mbps, 100 Mbps, or 1000 Mbps through pluggable SFPs. See the “5.13 CE-MR-10 Card” section on page 5-30. CE-1000-4 The CE-1000-4 card provides four IEEE-compliant, 1000-Mbps ports. The CE-1000-4 card can operate with the XC10G, XC-VXC-10G, or XCVT cross-connect cards. See the “5.12 CE-1000-4 Card” section on page 5-27. 
CE-MR-10 The CE-MR-10 card provides ten IEEE-compliant, 10/100/1000-Mbps ports. The CE-MR-10 card can operate with the XC10G, XC-VXC-10G, or XCVT cross-connect cards. See the “5.13 CE-MR-10 Card” section on page 5-30. Table 5-1 Ethernet Cards for the ONS 15454 (continued) Card Port Description For Additional Information... Table 5-2 Ethernet Card Software Compatibility Ethernet Cards R3.0.1 R3.1 R3.2 R3.3 R3.4 R4.0 R4.1 R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 R9.2.1 E100T-12 Yes Yes Yes Yes Yes Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes E1000-2 Yes Yes Yes Yes Yes Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes E100T-G Yes Yes Yes Yes Yes Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes E1000-2-G Yes Yes Yes Yes Yes Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes G1000-4 — — Yes Yes Yes Yes Yes — Yes — Yes Yes Yes Yes — — — — — — G1K-4 — — Yes Yes Yes Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes5-4 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.2 E100T-12 Card 5.2 E100T-12 Card Note For hardware specifications, see the “A.7.1 E100T-12 Card Specifications” section on page A-49. The ONS 15454 uses E100T-12 cards for Ethernet (10 Mbps) and Fast Ethernet (100 Mbps). Each card provides 12 switched, IEEE 802.3-compliant, 10/100BaseT Ethernet ports that can independently detect the speed of an attached device (autosense) and automatically connect at the appropriate speed. The ports autoconfigure to operate at either half or full duplex and determine whether to enable or disable flow control. You can also configure Ethernet ports manually. Figure 5-1 shows the faceplate and a block diagram of the card. 
ML100T-12 — — — — — Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes ML100X-8 — — — — — — — — — — — Yes Yes Yes Yes Yes Yes Yes Yes Yes ML1000-2 — — — — — Yes Yes — Yes — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes ML-MR-10 — — — — — — — — — — — — — — — Yes Yes Yes Yes Yes CE-100T-8 — — — — — — — — — — Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes CE-1000-4 — — — — — — — — — — — — Yes Yes Yes Yes Yes Yes Yes Yes CE-MR-10 — — — — — — — — — — — — — — — Yes Yes Yes Yes Yes Table 5-2 Ethernet Card Software Compatibility (continued) Ethernet Cards R3.0.1 R3.1 R3.2 R3.3 R3.4 R4.0 R4.1 R4.5 R4.6 R4.7 R5.0 R6.0 R7.0 R7.2 R8.0 R8.5 R9.0 R9.1 R9.2 R9.2.15-5 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.2.1 Slot Compatibility Figure 5-1 E100T-12 Faceplate and Block Diagram The E100T-12 Ethernet card provides high-throughput, low-latency packet switching of Ethernet traffic across a SONET network while providing a greater degree of reliability through SONET self-healing protection services. This Ethernet capability enables network operators to provide multiple 10/100-Mbps access drops for high-capacity customer LAN interconnects, Internet traffic, and cable modem traffic aggregation. It enables the efficient transport and co-existence of traditional time-division multiplexing (TDM) traffic with packet-switched data traffic. Each E100T-12 card supports standards-based, wire-speed, Layer 2 Ethernet switching between its Ethernet interfaces. The IEEE 802.1Q tag logically isolates traffic (typically subscribers). IEEE 802.1Q also supports multiple classes of service. 5.2.1 Slot Compatibility You can install the E100T-12 card in Slots 1 to 6 and 12 to 17. Multiple E-Series Ethernet cards installed in an ONS 15454 can act independently or as a single Ethernet switch. You can create logical SONET ports by provisioning synchronous transport signal (STS) channels to the packet switch entity within the ONS 15454. 
Logical ports can be created with a bandwidth granularity of STS-1. The E100T-12 supports STS-1, STS-3c, STS-6c, and STS-12c circuit sizes. 10/100 PHYS A/D Mux Flash DRAM CPU Buffer memory Control memory Ethernet MACs/switch 61362 FPGA BTC B a c k p l a n e 1 2 3 4 5 6 7 8 9 10 11 12 FAIL ACT SF E100T 125-6 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.2.2 E100T-12 Card-Level Indicators Note When making an STS-12c Ethernet circuit, the E-Series cards must be configured as single-card EtherSwitch. 5.2.2 E100T-12 Card-Level Indicators The E100T-12 card faceplate has two card-level LED indicators, described in Table 5-3. 5.2.3 E100T-12 Port-Level Indicators The E100T-12 card has 12 pairs of LEDs (one pair for each port) to indicate port conditions. Table 5-4 lists the port-level indicators. You can find the status of the E100T-12 card port using the LCD on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 5.2.4 Cross-Connect Compatibility The E100T-12 card is compatible with the XCVT card. Do not use the E100T-12 card with the XC10G and XC-VXC-10G cards. 5.3 E100T-G Card Note For hardware specifications, see the “A.7.2 E100T-G Card Specifications” section on page A-49. Table 5-3 E100T-12 Card-Level Indicators Card-Level Indicators Description FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E100T-12 card. As part of the boot sequence, the FAIL LED is on until the software deems the card operational. ACT LED (Green) The green ACT LED provides the operational status of the E100T-12. If the ACT LED is green, it indicates that the E100T-12 card is active and the software is operational. SF LED Not used. 
Table 5-4 E100T-12 Port-Level Indicators LED State Description Amber The port is active (transmitting and receiving data). Solid green The link is established. Off The connection is inactive, or traffic is unidirectional. 5-7 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.3 E100T-G Card The ONS 15454 uses E100T-G cards for Ethernet (10 Mbps) and Fast Ethernet (100 Mbps). Each card provides 12 switched, IEEE 802.3-compliant, 10/100BaseT Ethernet ports that can independently detect the speed of an attached device (autosense) and automatically connect at the appropriate speed. The ports autoconfigure to operate at either half or full duplex and determine whether to enable or disable flow control. You can also configure Ethernet ports manually. Figure 5-2 shows the faceplate and a block diagram of the card. Figure 5-2 E100T-G Faceplate and Block Diagram The E100T-G Ethernet card provides high-throughput, low-latency packet switching of Ethernet traffic across a SONET network while providing a greater degree of reliability through SONET self-healing protection services. This Ethernet capability enables network operators to provide multiple 10/100 Mbps access drops for high-capacity customer LAN interconnects, Internet traffic, and cable modem traffic aggregation. It enables the efficient transport and co-existence of traditional TDM traffic with packet-switched data traffic. Each E100T-G card supports standards-based, wire-speed, Layer 2 Ethernet switching between its Ethernet interfaces. The IEEE 802.1Q tag logically isolates traffic (typically subscribers). IEEE 802.1Q also supports multiple classes of service. Note When making an STS-12c Ethernet circuit, the E-Series cards must be configured as single-card EtherSwitch. 
10/100 PHYS A/D Mux Flash DRAM CPU Buffer memory Control memory Ethernet MACs/switch 61877 FPGA BTC B a c k p l a n e 1 2 3 4 5 6 7 8 9 10 11 12 FAIL ACT SF E100T-G5-8 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 5 Ethernet Cards 5.3.1 Slot Compatibility 5.3.1 Slot Compatibility You can install the E100T-G card in Slots 1 to 6 and 12 to 17. Multiple E-Series Ethernet cards installed in an ONS 15454 can act independently or as a single Ethernet switch. You can create logical SONET ports by provisioning a number of STS channels to the packet switch entity within the ONS 15454. Logical ports can be created with a bandwidth granularity of STS-1. The ONS 15454 supports STS-1, STS-3c, STS-6c, or STS-12c circuit sizes. 5.3.2 E100T-G Card-Level Indicators The E100T-G card faceplate has two card-level LED indicators, described in Table 5-5. 5.3.3 E100T-G Port-Level Indicators The E100T-G card has 12 pairs of LEDs (one pair for each port) to indicate port conditions (Table 5-6). You can find the status of the E100T-G card port using the LCD screen on the ONS 15454 fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 5.3.4 Cross-Connect Compatibility The E100T-G card is compatible with the XCVT, XC10G and XC-VXC-10G cards. Table 5-5 E100T-G Card-Level Indicators Card-Level Indicators Description FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E100T-G card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational. ACT LED (Green) The green ACT LED provides the operational status of the E100T-G. If the ACT LED is green it indicates that the E100T-G card is active and the software is operational. SF LED Not used. 
Table 5-6 E100T-G Port-Level Indicators
  Yellow (Active): Port is active (transmitting or receiving data). By default, indicates the transmitter is active, but can be software controlled to indicate link status, duplex status, or receiver active.
  Solid Green (Link): Link is established. By default, indicates the link for this port is up, but can be software controlled to indicate duplex status, operating speed, or collision.

5.4 E1000-2 Card

Note: For hardware specifications, see the “A.7.3 E1000-2 Card Specifications” section on page A-49.

The ONS 15454 uses E1000-2 cards for Gigabit Ethernet (1000 Mbps). The E1000-2 card provides two IEEE-compliant, 1000-Mbps ports for high-capacity customer LAN interconnections. Each port supports full-duplex operation. The E1000-2 card uses GBIC modular receptacles for the optical interfaces. For details, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34. Figure 5-3 shows the card faceplate and a block diagram of the card.

Figure 5-3 E1000-2 Faceplate and Block Diagram

The E1000-2 Gigabit Ethernet card provides high-throughput, low-latency packet switching of Ethernet traffic across a SONET network while providing a greater degree of reliability through SONET self-healing protection services. This enables network operators to provide multiple 1000-Mbps access drops for high-capacity customer LAN interconnects. It enables efficient transport and co-existence of traditional TDM traffic with packet-switched data traffic.
[Figure 5-3 block diagram: Gigabit Ethernet PHYs, A/D mux, Flash, DRAM, CPU, buffer memory, control memory, Ethernet MACs/switch, FPGA, BTC, backplane; faceplate LEDs FAIL, ACT, SF; ports 1 and 2 with RX/TX and ACT/LINK indicators]

Each E1000-2 card supports standards-based, Layer 2 Ethernet switching between its Ethernet interfaces and SONET interfaces on the ONS 15454. The IEEE 802.1Q VLAN tag logically isolates traffic (typically subscribers). Multiple E-Series Ethernet cards installed in an ONS 15454 can act together as a single switching entity or as independent single switches supporting a variety of SONET port configurations. You can create logical SONET ports by provisioning STS channels to the packet switch entity within the ONS 15454. Logical ports can be created with a bandwidth granularity of STS-1. The ONS 15454 supports STS-1, STS-3c, STS-6c, or STS-12c circuit sizes.

Note: When making an STS-12c circuit, the E-Series cards must be configured as single-card EtherSwitch.

5.4.1 Slot Compatibility

You can install the E1000-2 card in Slots 1 to 6 and 12 to 17. The E1000-2 is compatible with the XCVT card but not with the XC10G or XC-VXC-10G cards. The E1000-2-G is compatible with the XC10G and XC-VXC-10G.

5.4.2 E1000-2 Card-Level Indicators

The E1000-2 card faceplate has two card-level LED indicators, described in Table 5-7.

5.4.3 E1000-2 Port-Level Indicators

The E1000-2 card has one bicolor LED per port (Table 5-8). When the LED is solid green, it indicates that carrier is detected, meaning an active network cable is installed. When the LED is off, it indicates that an active network cable is not plugged into the port, or the card is carrying unidirectional traffic. When the LED flashes amber, it does so at a rate proportional to the level of traffic being received and transmitted over the port.
Table 5-7 E1000-2 Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E1000-2 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
  ACT LED (Green): The green ACT LED provides the operational status of the E1000-2. When the ACT LED is green, it indicates that the E1000-2 card is active and the software is operational.
  SF LED: Not used.

Table 5-8 E1000-2 Port-Level Indicators
  Amber: The port is active (transmitting and receiving data).
  Solid green: The link is established.
  Off: The connection is inactive, or traffic is unidirectional.

5.4.4 Cross-Connect Compatibility

The E1000-2 is compatible with XCVT cards. The XC10G and XC-VXC-10G cards require the E1000-2-G card.

5.5 E1000-2-G Card

Note: For hardware specifications, see the “A.7.4 E1000-2-G Card Specifications” section on page A-50.

The ONS 15454 uses E1000-2-G cards for Gigabit Ethernet (1000 Mbps). The E1000-2-G card provides two IEEE-compliant, 1000-Mbps ports for high-capacity customer LAN interconnections. Each port supports full-duplex operation. The E1000-2-G card uses GBIC modular receptacles for the optical interfaces. For details, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34. Figure 5-4 shows the card faceplate and a block diagram of the card.

Figure 5-4 E1000-2-G Faceplate and Block Diagram

The E1000-2-G Gigabit Ethernet card provides high-throughput, low-latency packet switching of Ethernet traffic across a SONET network while providing a greater degree of reliability through SONET self-healing protection services.
This enables network operators to provide multiple 1000-Mbps access drops for high-capacity customer LAN interconnects. It enables efficient transport and co-existence of traditional TDM traffic with packet-switched data traffic. Each E1000-2-G card supports standards-based, Layer 2 Ethernet switching between its Ethernet interfaces and SONET interfaces on the ONS 15454. The IEEE 802.1Q VLAN tag logically isolates traffic (typically subscribers). Multiple E-Series Ethernet cards installed in an ONS 15454 can act together as a single switching entity or as independent single switches supporting a variety of SONET port configurations.

[Figure 5-4 block diagram: Gigabit Ethernet PHYs, A/D mux, Flash, DRAM, CPU, buffer memory, control memory, Ethernet MACs/switch, FPGA, BTC, backplane; faceplate LEDs FAIL, ACT, SF; ports 1 and 2 with RX/TX and ACT/LINK indicators]

You can create logical SONET ports by provisioning STS channels to the packet switch entity within the ONS 15454. Logical ports can be created with a bandwidth granularity of STS-1. The ONS 15454 supports STS-1, STS-3c, STS-6c, or STS-12c circuit sizes.

Note: When making an STS-12c Ethernet circuit, the E-Series cards must be configured as a single-card EtherSwitch.

5.5.1 E1000-2-G Card-Level Indicators

The E1000-2-G card faceplate has two card-level LED indicators, described in Table 5-9.

5.5.2 E1000-2-G Port-Level Indicators

The E1000-2-G card has one bicolor LED per port (Table 5-10). When the green LINK LED is on, carrier is detected, meaning an active network cable is installed. When the green LINK LED is off, an active network cable is not plugged into the port, or the card is carrying unidirectional traffic. The amber port ACT LED flashes at a rate proportional to the level of traffic being received and transmitted over the port.
5.5.3 Cross-Connect Compatibility

The E1000-2-G is compatible with the XCVT, XC10G, and XC-VXC-10G cards. You can install the card in Slots 1 to 6 and 12 to 17.

Table 5-9 E1000-2-G Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the E1000-2-G card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
  ACT LED (Green): The green ACT LED provides the operational status of the E1000-2-G. If the ACT LED is green, it indicates that the E1000-2-G card is active and the software is operational.
  SF LED: The SF LED is not used in the current release.

Table 5-10 E1000-2-G Port-Level Indicators
  Amber: The port is active (transmitting and receiving data).
  Solid green: The link is established.
  Off: The connection is inactive, or traffic is unidirectional.

5.6 G1K-4 Card

Note: For hardware specifications, see the “A.7.8 G1K-4 Card Specifications” section on page A-51.

The G1K-4 card is the functional equivalent of the earlier G1000-4 card and provides four ports of IEEE-compliant, 1000-Mbps interfaces. Each interface supports full-duplex operation for a maximum bandwidth of 1 Gbps or 2 Gbps bidirectional per port, and 2.5 Gbps or 5 Gbps bidirectional per card. Each port autonegotiates for full duplex and IEEE 802.3x flow control. The G1K-4 card uses GBIC modular receptacles for the optical interfaces. For details, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34. Figure 5-5 shows the card faceplate and the block diagram of the card.
Figure 5-5 G1K-4 Faceplate and Block Diagram

[Figure 5-5 block diagram: GBICs, transceivers, Ethernet MACs/switch, mux/demux FPGA, interface FPGA, POS function, BTC, buffer memory, protect/main Rx/Tx BPIAs, decode PLD, Flash, DRAM, CPU, power, clock generation to the FPGA, BTC and MACs, backplane; faceplate LEDs FAIL, ACT; ports 1 to 4 with RX/TX and ACT/LINK indicators]

The G1K-4 Gigabit Ethernet card provides high-throughput, low-latency transport of Ethernet encapsulated traffic (IP and other Layer 2 or Layer 3 protocols) across a SONET network while providing a greater degree of reliability through SONET self-healing protection services. Carrier-class Ethernet transport is achieved by hitless (< 50 ms) performance in the event of any failures or protection switches (such as 1+1 APS, path protection, BLSR, or optical equipment protection) and by full provisioning and manageability, as in SONET service. Full provisioning support is possible through CTC or CTM. Each G1K-4 card performs independently of the other cards in the same shelf.

5.6.1 STS-24c Restriction

Due to hardware constraints, the card imposes an additional restriction on the combinations of circuits that can be dropped onto a G-Series card. These restrictions are transparently enforced by the ONS 15454, and you do not need to keep track of restricted circuit combinations. When a single STS-24c terminates on a card, the remaining circuits on that card can be another single STS-24c or any combination of circuits of STS-12c size or less that add up to no more than 12 STSs (that is, a total of 36 STSs on the card). If STS-24c circuits are not being dropped on the card, the full 48-STS bandwidth can be used with no restrictions (for example, using either a single STS-48c or four STS-12c circuits).
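The node enforces the STS-24c restriction itself, but a provisioning pipeline that pushes circuits through CTC or TL1 benefits from rejecting a bad per-card circuit set before it reaches the shelf, with a reason it can log. The script below is an added example written for this page, not Cisco or CTC code; the list of accepted circuit sizes, the function names, and the sample circuit sets are assumptions for illustration. It encodes exactly the cases the text describes: no STS-24c (any combination up to 48 STSs), one STS-24c (other circuits of STS-12c size or smaller totalling at most 12 STSs), or two STS-24c (nothing else fits). The third sample set sums to 48 STSs and would pass a plain capacity check, yet it violates the restriction.

```python
"""Pre-provisioning check for circuits dropped on one G-Series (G1K-4) card.

Added example for this page; not Cisco or CTC code. The accepted size list
and the sample circuit sets are assumptions used for illustration. The node
enforces the rule itself; this lets automation fail early with a clear reason.
"""

CARD_CAPACITY_STS = 48          # STSs one G-Series card can drop in total
# Assumed set of circuit sizes (in STS-1 units) a G-Series card accepts.
G_SERIES_SIZES = {1, 3, 6, 9, 12, 24, 48}
# With exactly one STS-24c on the card, all other circuits are capped at 12 STSs.
OTHERS_WITH_ONE_STS24C = 12


def check_g_series_drops(sizes):
    """Return (ok, reason) for a list of circuit sizes in STS-1 units.

    Rules taken from the STS-24c restriction:
      * no STS-24c dropped   -> any combination up to 48 STSs
      * one STS-24c dropped  -> other circuits are STS-12c or smaller and
                                sum to at most 12 STSs (36 STSs on the card)
      * two STS-24c dropped  -> the card is full (48 STSs)
    """
    sizes = list(sizes)
    if not sizes:
        return True, "no circuits"
    bad = sorted({s for s in sizes if s not in G_SERIES_SIZES})
    if bad:
        return False, f"unsupported circuit size(s): {bad}"
    total = sum(sizes)
    if total > CARD_CAPACITY_STS:
        return False, f"{total} STSs exceeds the {CARD_CAPACITY_STS}-STS card capacity"

    n24 = sizes.count(24)
    if n24 == 0:
        return True, f"{total} STSs, no STS-24c, full card bandwidth usable"
    if n24 >= 2:
        # Two STS-24c fill the card; any extra circuit already failed the capacity check.
        return True, "two STS-24c circuits fill the card"
    # Exactly one STS-24c: an STS-48c alongside it already failed the capacity
    # check, so the remaining circuits are STS-12c or smaller by construction.
    others_total = total - 24
    if others_total > OTHERS_WITH_ONE_STS24C:
        return (False, f"with one STS-24c, other circuits may total at most "
                       f"{OTHERS_WITH_ONE_STS24C} STSs (got {others_total})")
    return True, f"one STS-24c plus {others_total} STSs, within the 36-STS limit"


def plan_drops(circuit_sets):
    """Check several per-card circuit sets; returns [(sizes, ok, reason), ...]."""
    return [(sizes, *check_g_series_drops(sizes)) for sizes in circuit_sets]


if __name__ == "__main__":
    # Constructed sample sets, one list per card.
    SAMPLE = [[48], [12, 12, 12, 12], [24, 12, 12], [24, 24],
              [24, 6, 3, 3], [24, 6, 3, 3, 1]]
    for sizes, ok, reason in plan_drops(SAMPLE):
        print(f"{'OK ' if ok else 'REJ'} {sizes}: {reason}")
```

Because the rule is per card, a planner that has to place a mixed set of circuits can call the check once per candidate card and, as the Note that follows suggests, keep STS-24c circuits on cards of their own so that the 12-STS cap never applies to the smaller circuits.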
Note: The STS-24c restriction only applies when a single STS-24c circuit is dropped; therefore, you can easily minimize the impact of this restriction. Group the STS-24c circuits together on a card separate from circuits of other sizes. The grouped circuits can be dropped on other G-Series cards on the ONS 15454.

5.6.2 G1K-4 Compatibility

The G1K-4 card operates with the XCVT, XC10G, or XC-VXC-10G cards. With the XC10G or XC-VXC-10G cards, you can install the G1K-4 card in Slots 1 to 6 and 12 to 17, for a total shelf capacity of 48 Gigabit Ethernet ports. (The practical limit is 40 ports because at least two slots are typically populated by optical cards such as OC-192.) When used with the XCVT cards, the G1K-4 is limited to Slots 5, 6, 12, and 13.

5.6.3 G1K-4 Card-Level Indicators

The G1K-4 card faceplate has two card-level LED indicators, described in Table 5-11.

Table 5-11 G1K-4 Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the G1K-4 card. As part of the boot sequence, the FAIL LED is turned on, and it goes off when the software is deemed operational. The red FAIL LED blinks when the card is loading software.
  ACT LED (Green): The green ACT LED provides the operational status of the G1K-4. If the ACT LED is green, it indicates that the G1K-4 card is active and the software is operational.

5.6.4 G1K-4 Port-Level Indicators

The G1K-4 card has four bicolor LEDs (one LED per port). Table 5-12 describes the status that each color represents.

Table 5-12 G1K-4 Port-Level Indicators
  Off: No link exists to the Ethernet port.
  Steady amber: A link exists to the Ethernet port, but traffic flow is inhibited. For example, a lack of circuit setup, an error on the line, or a nonenabled port might inhibit traffic flow.
  Solid green: A link exists to the Ethernet port, but no traffic is carried on the port.
  Flashing green: A link exists to the Ethernet port, and traffic is carried on the port. The LED flash rate reflects the traffic rate for the port.

5.7 ML100T-12 Card

Note: For hardware specifications, see the “A.7.9 ML100T-12 Card Specifications” section on page A-52.

The ML100T-12 card provides 12 ports of IEEE 802.3-compliant, 10/100 interfaces. Each interface supports full-duplex operation for a maximum bandwidth of 200 Mbps per port and 2.488 Gbps per card. Each port independently detects the speed of an attached device (autosenses) and automatically connects at the appropriate speed. The ports autoconfigure to operate at either half or full duplex and can determine whether to enable or disable flow control. For ML-Series configuration information, see the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide. Figure 5-6 shows the card faceplate and block diagram.

Caution: Shielded twisted-pair cabling should be used for inter-building applications.

Figure 5-6 ML100T-12 Faceplate and Block Diagram

The card features two virtual packet over SONET (POS) ports with a maximum combined bandwidth of STS-48. The ports function in a manner similar to OC-N card ports, and each port carries an STS circuit with a size of STS-1, STS-3c, STS-6c, STS-9c, STS-12c, or STS-24c. To configure an ML-Series card SONET STS circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide. The ML-Series POS ports support virtual concatenation (VCAT) of SONET circuits and a software link capacity adjustment scheme (SW-LCAS).
The ML-Series card supports a maximum of two VCAT groups, with each group corresponding to one of the POS ports. Each VCAT group must be provisioned with two circuit members. An ML-Series card supports STS-1c-2v, STS-3c-2v, and STS-12c-2v. To configure an ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide.

[Figure 5-6 block diagram: 12 RJ-45 ports through magnetics to two octal PHYs (SMII), DOS FPGA (RGGI ports 0 to 3, ports A and B), BTC192, processor daughter card (128 MB SDRAM, 16 MB Flash, 8 KB NVRAM), packet buffers (6 MB, 6 MB, 4 MB), control memory (2 MB, 2 MB), result memory (2 MB), BPIA main/protect Rx and Tx to the backplane; faceplate LEDs ACT, FAIL; ports 1 to 12]

5.7.1 ML100T-12 Card-Level Indicators

The ML100T-12 card supports two card-level LED indicators. The card-level indicators are described in Table 5-13.

5.7.2 ML100T-12 Port-Level Indicators

The ML100T-12 card provides a pair of LEDs for each Fast Ethernet port: an amber LED for activity (ACT) and a green LED for LINK. The port-level indicators are described in Table 5-14.

5.7.3 Cross-Connect and Slot Compatibility

The ML100T-12 card works in Slots 1 to 6 or 12 to 17 with the XC10G or XC-VXC-10G card. It works only in Slots 5, 6, 12, or 13 with the XCVT card.

5.8 ML100X-8 Card

Note: For hardware specifications, see the “A.7.11 ML100X-8 Card Specifications” section on page A-53.

The ML100X-8 card provides eight ports with 100BaseFX interfaces. The FX interfaces support one of two connectors, an LX SFP or an FX SFP. The LX SFP is a 100 Mbps 802.3-compliant SFP that operates over a pair of single-mode optical fibers and includes LC connectors.
The FX SFP is a 100 Mbps 802.3-compliant SFP that operates over a pair of multimode optical fibers and includes LC connectors. For more information on SFPs, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34. Each interface supports full-duplex operation with autonegotiation and a maximum bandwidth of 200 Mbps per port and 2.488 Gbps per card. For ML-Series configuration information, see the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.

Table 5-13 ML100T-12 Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the ML100T-12 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
  ACT LED (Green): The green ACT LED provides the operational status of the ML100T-12. If the ACT LED is green, it indicates that the ML100T-12 card is active and the software is operational.

Table 5-14 ML100T-12 Port-Level Indicators
  ACT LED (Amber): A steady amber LED indicates a link is detected, but there is an issue inhibiting traffic. A blinking amber LED means traffic is flowing.
  LINK LED (Green): A steady green LED indicates that a link is detected, but there is no traffic. A blinking green LED flashes at a rate proportional to the level of traffic being received and transmitted over the port.
  Both ACT and LINK LEDs: Unlit green and amber LEDs indicate no traffic.

Figure 5-7 shows the card faceplate and block diagram.

Figure 5-7 ML100X-8 Faceplate and Block Diagram

The card features two virtual packet over SONET (POS) ports with a maximum combined bandwidth of STS-48.
The ports function in a manner similar to OC-N card ports, and each port carries an STS circuit with a size of STS-1, STS-3c, STS-6c, STS-9c, STS-12c, or STS-24c. To configure an ML-Series card SONET STS circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide. The ML-Series POS ports support virtual concatenation (VCAT) of SONET circuits and a software link capacity adjustment scheme (SW-LCAS). The ML-Series cards support a maximum of two VCAT groups, with each group corresponding to one of the POS ports. Each VCAT group must be provisioned with two circuit members. An ML-Series card supports STS-1c-2v, STS-3c-2v, and STS-12c-2v. To configure an ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide.

[Figure 5-7 block diagram: eight SFPs (Tx/Rx 0 to 7), PHY, network processor unit, TCAM, packet memory, SONET framer, backplane; faceplate LEDs FAIL, ACT]

5.8.1 ML100X-8 Card-Level Indicators

The ML100X-8 card supports two card-level LED indicators. Table 5-15 describes the card-level indicators.

5.8.2 ML100X-8 Port-Level Indicators

The ML100X-8 card provides a pair of LEDs for each Fast Ethernet port: an amber LED for activity (ACT) and a green LED for LINK. Table 5-16 describes the port-level indicators.

5.8.3 Cross-Connect and Slot Compatibility

The ML100X-8 card operates in Slots 1 to 6 or 12 to 17 with the XC10G or XC-VXC-10G cards. It operates only in Slots 5, 6, 12, or 13 with the XCVT card.

5.9 ML1000-2 Card

Note: For hardware specifications, see the “A.7.10 ML1000-2 Card Specifications” section on page A-52.

The ML1000-2 card provides two ports of IEEE-compliant, 1000-Mbps interfaces.
Each interface supports full-duplex operation for a maximum bandwidth of 2 Gbps per port and 4 Gbps per card. Each port autoconfigures for full duplex and IEEE 802.3x flow control.

Table 5-15 ML100X-8 Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the ML100X-8 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
  ACT LED (Green): The green ACT LED provides the operational status of the ML100X-8. If the ACT LED is green, it indicates that the ML100X-8 card is active and the software is operational.

Table 5-16 ML100X-8 Port-Level Indicators
  ACT LED (Amber): A steady amber LED indicates a link is detected, but there is an issue inhibiting traffic. A blinking amber LED means traffic is flowing.
  LINK LED (Green): A steady green LED indicates that a link is detected, but there is no traffic. A blinking green LED flashes at a rate proportional to the level of traffic being received and transmitted over the port.
  Both ACT and LINK LEDs: Unlit green and amber LEDs indicate no traffic.

SFP modules are offered as separate orderable products for maximum customer flexibility. For details, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34. Figure 5-8 shows the ML1000-2 card faceplate and block diagram.

Figure 5-8 ML1000-2 Faceplate and Block Diagram

The card features two virtual packet over SONET (POS) ports with a maximum combined bandwidth of STS-48. The ports function in a manner similar to OC-N card ports, and each port carries an STS circuit with a size of STS-1, STS-3c, STS-6c, STS-9c, STS-12c, or STS-24c.
To configure an ML-Series card SONET STS circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide. The ML-Series POS ports support VCAT of SONET circuits and a software link capacity adjustment scheme (SW-LCAS). The ML-Series card supports a maximum of two VCAT groups, with each group corresponding to one of the POS ports. Each VCAT group must be provisioned with two circuit members. An ML-Series card supports STS-1c-2v, STS-3c-2v, and STS-12c-2v. To configure an ML-Series card SONET VCAT circuit, refer to the “Create Circuits and VT Tunnels” chapter of the Cisco ONS 15454 Procedure Guide.

[Figure 5-8 block diagram: two SFP GBIC modules (panel ports 0 and 1) through SerDes to MAC 1 and MAC 2 (GMII), DOS FPGA (RGGI ports 0 to 3, ports A and B), BTC192, processor daughter card (Flash, SDRAM), packet buffers (512K x 96), SSRAM (2 x 512K x 36), control memory (512K x 32), result memory (512K x 32), BPIA main/protect Rx and Tx to the backplane; faceplate LEDs FAIL, ACT, per-port LINK and ACT, console port]

5.9.1 ML1000-2 Card-Level Indicators

The ML1000-2 card faceplate has two card-level LED indicators, described in Table 5-17.

5.9.2 ML1000-2 Port-Level Indicators

The ML1000-2 card has three LEDs for each of the two Gigabit Ethernet ports, described in Table 5-18.

5.9.3 Cross-Connect and Slot Compatibility

The ML1000-2 card is compatible in Slots 1 to 6 or 12 to 17 with the XC10G or XC-VXC-10G card. It is only compatible in Slots 5, 6, 12, or 13 with the XCVT card.

5.10 ML-MR-10 Card

Note: For hardware specifications, see the “A.7.12 ML-MR-10 Card Specifications” section on page A-53.

The ML-MR-10 card is a ten-port multilayer Ethernet card.
The Ethernet ports support speeds of 10 Mbps, 100 Mbps, or 1000 Mbps through pluggable SFPs. SFP modules are offered as separate orderable products for flexibility. For details, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34.

Table 5-17 ML1000-2 Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the ML1000-2 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
  ACT LED (Green): The green ACT LED provides the operational status of the ML1000-2. When the ACT LED is green, it indicates that the ML1000-2 card is active and the software is operational.

Table 5-18 ML1000-2 Port-Level Indicators
  ACT LED (Amber): A steady amber LED indicates a link is detected, but there is an issue inhibiting traffic. A blinking amber LED means traffic is flowing.
  LINK LED (Green): A steady green LED indicates that a link is detected, but there is no traffic. A blinking green LED flashes at a rate proportional to the level of traffic being received and transmitted over the port.
  Both ACT and LINK LEDs: Unlit green and amber LEDs indicate no traffic.

The ML-MR-10 card has two RPR ports, which function in a manner similar to OC-N card ports. Each RPR port carries an STS circuit with a size of STS-12c, STS-24c, STS-48c, or STS-96c. The two RPR port interfaces combine to support a resilient packet ring (RPR) interface. The ML-MR-10 supports only frame-mapped generic framing procedure (GFP-F) encapsulation for SONET. In addition, the ML-MR-10 can be configured to support up to 26 POS ports, each one terminating a SONET GFP-F encapsulated circuit.
To configure an ML-MR-10 card SONET STS circuit, refer to the “Create Circuits and Tunnels” chapter in the Cisco ONS 15454 Procedure Guide. Cisco IOS is used to provision the Layer 2 functions of the card. The ML-MR-10 card provides management for Layer 1 operations through CTC. You can use CTM for Layer 1 and Layer 2 monitoring and fault detection, and TL1 supports card inventory and equipment alarming. Figure 5-9 shows the ML-MR-10 card faceplate and block diagram.

Figure 5-9 ML-MR-10 Faceplate and Block Diagram

[Figure 5-9 block diagram: ten SFPs through SerDes to a 10x GE MAC, ingress PPE and RPR TM (with instruction, statistics and reassembly memory), queues, SDH framer, backplane interface, CPU with memory and TCAM, 10/100/1000 CPU interface SFPs; faceplate LEDs FAIL, ACT/STBY, SF, per-port TX/RX for ports 1 to 10, console port]

The ML-MR-10 card supports 1:1 protection at the port level. It also supports 1:1 card protection with redundant cards installed. For more information on ML-MR-10 card protection, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide. The ML-MR-10 card supports the Version Up feature, which allows a user to independently upgrade ML-MR-10 cards as part of an overall software upgrade process. With this feature enabled, the user first upgrades all the cards in the node that are not ML-MR-10 cards, then in a second pass updates the ML-MR-10 cards. For more information on the Version Up feature, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide. The ML-MR-10 card supports an Ethernet Virtual Connection (EVC), which is an instance of an association of two or more user network interfaces (UNI) for Ethernet services.
For more information on EVC, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.

5.10.1 ML-MR-10 Card-Level Indicators

The ML-MR-10 card faceplate has two card-level LED indicators, described in Table 5-19.

Table 5-19 ML-MR-10 Card-Level Indicators
  FAIL LED (Red): The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the ML-MR-10 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
  ACT LED (Green): The green ACT LED provides the operational status of the ML-MR-10 card. When the ACT LED is green, it indicates that the ML-MR-10 card is active and the software is operational.

5.10.2 ML-MR-10 Port-Level Indicators

The ML-MR-10 card provides a pair of LEDs for each Ethernet port: an amber LED for activity (ACT) and a green LED for link status (LINK). Table 5-20 describes the status that each color represents.

Table 5-20 ML-MR-10 Port-Level Indicators
  Off: No link exists to the Ethernet port.
  Steady amber: A link exists to the Ethernet port, but traffic flow is inhibited. For example, a lack of circuit setup, an error on the line, or a disabled port might inhibit traffic flow.
  Solid green: A link exists to the Ethernet port, but no traffic is carried on the port.
  Flashing green: A link exists to the Ethernet port, and traffic is carried on the port. The LED flash rate reflects the traffic rate for that port.

5.10.3 Cross-Connect and Slot Compatibility

The ML-MR-10 card can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and XC-VXC-10G cards. It is not compatible with the XCVT card.
Caution: Fan-tray assembly 15454-CC-FTA (ANSI shelf) must be installed in a shelf where an ML-MR-10 card is installed.

5.10.4 ML-MR-10 Card Differential Delay

The differential delay is hardcoded to 55 ms for high-order circuits in high-speed slots and 175 ms for low-order circuits in high-speed slots. For all other slots and circuit combinations, it is hardcoded to 135 ms.

5.11 CE-100T-8 Card

Note: For hardware specifications, see the “A.7.6 CE-100T-8 Card Specifications” section on page A-51.

The CE-100T-8 card provides eight RJ-45 10/100 Mbps Ethernet ports and an RJ-45 console port on the card faceplate. The CE-100T-8 card provides mapping of 10/100 Mbps Ethernet traffic into SONET STS-12 payloads, making use of low-order (VT1.5) virtual concatenation, high-order (STS-1) virtual concatenation, GFP, and point-to-point protocol/high-level data link control (PPP/HDLC) framing protocols. The CE-100T-8 card also supports the link capacity adjustment scheme (LCAS), which allows hitless dynamic adjustment of SONET link bandwidth. The CE-100T-8 card’s LCAS is hardware-based, but the CE-100T-8 also supports SW-LCAS. This makes it compatible with the ONS 15454 SDH ML-Series card, which supports only SW-LCAS and does not support the standard hardware-based LCAS. SW-LCAS is supported when a circuit from the CE-100T-8 terminates on the ONS 15454 SDH ML-Series card.

Note: SW-LCAS is not supported on CE-100T-8 cards for interoperation with the CE-MR-10, CE-MR-6, and ML-MR-10 cards.

The circuit types supported are:
• HO-CCAT
• LO-VCAT with no HW-LCAS
• LO-VCAT with HW-LCAS
• STS-1-2v SW-LCAS with ML only

Each 10/100 Ethernet port can be mapped to a SONET channel in increments of VT1.5 or STS-1 granularity, allowing efficient transport of Ethernet and IP over the SONET infrastructure.
Figure 5-10 shows the CE-100T-8 card faceplate and block diagram.

Figure 5-10 CE-100T-8 Faceplate and Block Diagram

The following paragraphs describe the general functions of the CE-100T-8 card and relate to the block diagram.

In the ingress direction (Ethernet-to-SONET), the PHY, which performs all of the physical layer interface functions for 10/100 Mbps Ethernet, sends the frame to the network processor for queuing in the respective packet buffer memory. The network processor performs packet processing, packet switching, and classification. The Ethernet frames are then passed to the Ethermap, where Ethernet traffic is terminated and encapsulated using HDLC or GFP framing on a per-port basis. The encapsulated Ethernet frames are then mapped into a configurable number of virtually concatenated low-order and high-order payloads, such as VT1.5 synchronous payload envelope (SPE), STS-1 SPE, or a contiguously concatenated payload such as STS-3c SPE. Up to 64 VT1.5 SPEs or 3 STS-1 SPEs can be virtually concatenated. The SONET SPEs carrying encapsulated Ethernet frames are passed to the qMDM FPGA, where four STS-3 frames are multiplexed to form an STS-12 frame for transport over the SONET network by means of the Bridging Convergence Transmission (BTC) ASIC.

In the egress direction (SONET-to-Ethernet), the FPGA extracts four STS-3 SPEs from the STS-12 frame it receives from the BTC and sends each of the STS-3s to the ET3 mappers. The STS-3 SONET SPE carrying GFP or PPP/HDLC encapsulated Ethernet frames is then extracted and buffered in Ethermap’s external memory. This memory is used for providing alignment and differential delay compensation for the received low-order and high-order virtually concatenated payloads. After alignment and delay compensation have been done, the Ethernet frames are decapsulated with one of the framing protocols (GFP or HDLC).

Decapsulated Ethernet frames are then passed to the network processor for QoS queuing and traffic scheduling. The network processor switches the frame to one of the corresponding PHY channels and then to the Ethernet port for transmission to the external client(s).

For information on the CE-100T-8 QoS features, refer to the “CE-100T-8 Operations” chapter of the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.

5.11.1 CE-100T-8 Card-Level Indicators

The CE-100T-8 card faceplate has two card-level LED indicators, described in Table 5-21.

Table 5-21 CE-100T-8 Card-Level Indicators

Card-Level LEDs | Description
FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the CE-100T-8 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
ACT LED (Green) | The green ACT LED provides the operational status of the CE-100T-8. When the ACT LED is green, it indicates that the CE-100T-8 card is active and the software is operational.

5.11.2 CE-100T-8 Port-Level Indicators

The CE-100T-8 card has two LEDs embedded into each of the eight Ethernet port RJ-45 connectors. The LEDs are described in Table 5-22.

Table 5-22 CE-100T-8 Port-Level Indicators

Port-Level Indicators | Description
ACT LED (Amber) | A steady amber LED indicates that a link is detected, but there is an issue inhibiting traffic. A blinking amber LED means traffic is flowing.
LINK LED (Green) | A steady green LED indicates that a link is detected, but there is no traffic. A blinking green LED flashes at a rate proportional to the level of traffic being received and transmitted over the port.
Both ACT and LINK LEDs off | Unlit green and amber LEDs indicate no traffic.

5.11.3 Cross-Connect and Slot Compatibility

The CE-100T-8 card is compatible in Slots 1 to 6 or 12 to 17 with the XC10G, XC-VXC-10G, or XCVT cards.

5.12 CE-1000-4 Card

Note
For hardware specifications, see the “A.7.5 CE-1000-4 Card Specifications” section on page A-50.

The CE-1000-4 card uses pluggable GBICs to transport Ethernet traffic over a SONET network. The CE-1000-4 provides four IEEE 802.3-compliant, 1000-Mbps Gigabit Ethernet ports at the ingress. At the egress, the CE-1000-4 card provides an integrated Ethernet over SONET mapper with four virtual ports to transfer Ethernet packets over a SONET network. The Ethernet ports automatically configure to operate at either half or full duplex and can determine whether to enable or disable flow control. The Ethernet ports can also be oversubscribed using flow control.

The Ethernet frames are encapsulated using the ITU-T generic framing procedure (GFP) (with or without CRC) or LEX, the point-to-point protocol (PPP) with high-level data link control (HDLC). The CE-1000-4 card can interoperate with G1K-4 cards (using LEX encapsulation), CE-100T-8 cards (using LEX or GFP-F), and ML-Series cards (using LEX or GFP-F).

The Ethernet frames can be mapped into:
• T1X1 G.707-based high-order virtual concatenated (HO VCAT) payloads:
  – STS-3c
  – STS-1
• Contiguously concatenated (CCAT) SONET payloads:
  – Standard CCAT sizes (STS-1, STS-3c, STS-12c, STS-24c, STS-48c)
  – Non-standard CCAT sizes (STS-6c, STS-9c, STS-18c)
To configure a CE-1000-4 card SONET STS or VCAT circuit, refer to the “Create Circuits and Tunnels” chapter in the Cisco ONS 15454 Procedure Guide.

The CE-1000-4 card provides multiple management options through Cisco Transport Controller (CTC), Cisco Transport Manager (CTM), Transaction Language 1 (TL1), and Simple Network Management Protocol (SNMP).

The CE-1000-4 card supports the software link capacity adjustment scheme (SW-LCAS). This makes it compatible with the ONS 15454 CE-100T-8 and ML-Series cards. The CE-1000-4 card supports VCAT groups (VCGs) that are reconfigurable when SW-LCAS is enabled (flexible VCGs). The CE-1000-4 card does not support the standard hardware-based LCAS.

The following guidelines apply to flexible VCGs:
• Members can be added or removed from VCGs.
• Members can be put into or out of service.
• Cross-connects can be added or removed from VCGs.
• Errored members will be automatically removed from VCGs.
• Adding or removing members from the VCG is service affecting.
• Adding or removing cross-connects from the VCG is not service affecting if the associated members are not in the group.

The CE-1000-4 card supports a non link capacity adjustment scheme (no-LCAS). This also makes it compatible with the ONS 15454 CE-100T-8 and ML-Series cards. The CE-1000-4 card supports VCAT groups (VCGs) that are fixed and not reconfigurable when no-LCAS is enabled (fixed VCGs).

The following guidelines apply to fixed VCGs:
• Members can be added or removed from VCGs using CTC or TL1.
• Members cannot be put into or out of service unless the force command mode is instantiated.

Note
This is possible with CTC as it assumes the force command mode by default. However, to put members into or out of service using TL1, the force command mode must be set.

• Cross-connects can be added or removed from VCGs using CTC or TL1. This is service affecting as long as the VCG size (TXCOUNT) is not realigned with the loss of connections.

The CE-1000-4 card supports VCAT differential delay and provides these associated features:
• Supports a maximum VCG differential delay of 122 ms in each direction.
• Supports all protection schemes (path protection, two-fiber BLSR, four-fiber BLSR) on VCAT circuits that are split-fiber routed.
• Supports 2-fiber on VCAT circuits that are common-fiber routed.
• Differential delay compensation is automatically enabled on VCAT circuits that are diverse (split-fiber) routed and disabled on VCAT circuits that are common-fiber routed.

Figure 5-11 shows the CE-1000-4 card faceplate and block diagram.

Figure 5-11 CE-1000-4 Faceplate and Block Diagram

5.12.1 CE-1000-4 Card-Level Indicators

The CE-1000-4 card faceplate has two card-level LED indicators, described in Table 5-23.

Note
If the CE-1000-4 card is inserted in a slot that has been preprovisioned for a different type of card, the red FAIL LED and the green ACT LED will flash alternately until the configuration mismatch is resolved.

Table 5-23 CE-1000-4 Card-Level Indicators

Card-Level LEDs | Description
FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the CE-1000-4 card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
ACT LED (Green) | The green ACT LED provides the operational status of the CE-1000-4 card. When the ACT LED is green, it indicates that the CE-1000-4 card is active and the software is operational.

5.12.2 CE-1000-4 Port-Level Indicators

The CE-1000-4 card provides a pair of LEDs for each Gigabit Ethernet port: an amber LED for activity (ACT) and a green LED for link status (LINK). Table 5-24 describes the status that each color represents.

Table 5-24 CE-1000-4 Port-Level Indicators

Port-Level Indicators | Description
Off | No link exists to the Ethernet port.
Steady amber | A link exists to the Ethernet port, but traffic flow is inhibited. For example, a lack of circuit setup, an error on the line, or a disabled port might inhibit traffic flow.
Solid green | A link exists to the Ethernet port, but no traffic is carried on the port.
Flashing green | A link exists to the Ethernet port, and traffic is carried on the port. The LED flash rate reflects the traffic rate for that port.

5.12.3 Cross-Connect and Slot Compatibility

The CE-1000-4 card can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and XC-VXC-10G cards. When the shelf uses the XCVT card, the CE-1000-4 card can only be installed in Slots 5, 6, 12, and 13.

5.13 CE-MR-10 Card

Note
For hardware specifications, see the “A.7.7 CE-MR-10 Card Specifications” section on page A-51.

The CE-MR-10 card provides ten IEEE 802.3-compliant 10/100/1000-Mbps Gigabit Ethernet ports at the ingress. At the egress, the CE-MR-10 card provides an integrated Ethernet-over-SONET mapper with ten virtual ports to transfer Ethernet packets over a SONET network. The CE-MR-10 card uses pluggable SFPs to transport Ethernet traffic over a SONET network. SFP modules are offered as separate orderable products for flexibility.
For details, see the “5.14 Ethernet Card GBICs and SFPs” section on page 5-34.

The Ethernet frames are encapsulated using the ITU-T generic framing procedure (GFP) (with or without CRC) or LEX, the Point-to-Point Protocol (PPP) with high-level data link control (HDLC). The Ethernet ports automatically configure to operate at either half or full duplex and can determine whether to enable or disable flow control. The Ethernet ports can also be oversubscribed using flow control.

The CE-MR-10 card supports the link capacity adjustment scheme (LCAS), which allows hitless dynamic adjustment of SONET link bandwidth. The CE-MR-10 card's LCAS is hardware-based, but the CE-MR-10 also supports software LCAS (SW-LCAS). This makes it compatible with ML-Series cards, which support only SW-LCAS, along with G-Series and CE-Series cards. The CE-MR-10 card also supports the non link capacity adjustment scheme (non-LCAS). The CE-MR-10 card supports both flexible and fixed VCAT groups (VCG).

Note
The SW-LCAS is not supported on CE-MR-10 cards for interoperation with the CE-100T-8 and ML-MR-10 cards.

Note
The CE-MR-10 card does not support interoperation between the LCAS and non-LCAS circuits.

The Ethernet frames can be mapped into:
• T1X1 G.707-based high-order virtual concatenated (HO VCAT) payloads
  – STS-3c-nv, where n is 1 to 7
  – STS-1-nv, where n is 1 to 21
• T1X1 G.707-based low-order virtual concatenated (LO VCAT) payloads
  – VT1.5-nv, where n is 1 to 64
• Contiguously concatenated (CCAT) SONET payloads
  – Standard CCAT sizes (STS-1, STS-3c, STS-12c, STS-24c, and STS-48c)
  – Non-standard CCAT sizes (STS-6c and STS-9c)

To configure a CE-MR-10 card circuit, refer to the “Create Circuits and Tunnels” chapter in the Cisco ONS 15454 Procedure Guide.

The CE-MR-10 card provides multiple management options through CTC, CTM, TL1, and SNMP.

Figure 5-12 shows the CE-MR-10 card faceplate and block diagram.

Figure 5-12 CE-MR-10 Faceplate and Block Diagram

Note
The backplane capacity of the CE-MR-10 card is 10 Gigabit Ethernet ports in slots 5, 6, 12, and 13 and 2.5 Gigabit Ethernet ports in slots 1 to 4 and 14 to 17.

5.13.1 CE-MR-10 Card-Level Indicators

The CE-MR-10 card faceplate has two card-level LED indicators, described in Table 5-25.

Table 5-25 CE-MR-10 Card-Level Indicators

Card-Level LEDs | Description
FAIL LED (Red) | The red FAIL LED indicates that the card processor is not ready or that a catastrophic software failure occurred on the card. As part of the boot sequence, the FAIL LED is turned on until the software deems the card operational.
ACT LED (Green) | The green ACT LED provides the operational status of the CE-MR-10 card. When the ACT LED is green, it indicates that the CE-MR-10 card is active and the software is operational.

5.13.2 CE-MR-10 Port-Level Indicators

The CE-MR-10 card provides a pair of LEDs for each port: an amber LED for activity (ACT) and a green LED for link status (LINK). Table 5-26 describes the status that each color represents.

Table 5-26 CE-MR-10 Port-Level Indicators

Port-Level Indicators | Description
Off | No link exists to the Ethernet port.
Steady amber | A link exists to the Ethernet port, but traffic flow is inhibited. For example, a lack of circuit setup, an error on the line, or a disabled port might inhibit traffic flow.
Solid green | A link exists to the Ethernet port, but no traffic is carried on the port.
Flashing green | A link exists to the Ethernet port, and traffic is carried on the port. The LED flash rate reflects the traffic rate for that port.

5.13.3 Cross-Connect and Slot Compatibility

The CE-MR-10 card can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and XC-VXC-10G cards. It is not compatible with the XCVT card.

Caution
Fan-tray assembly 15454-CC-FTA (ANSI shelf) must be installed in a shelf where a CE-MR-10 card is installed.

5.13.4 CE-MR-10 Card Differential Delay

The differential delay has been hardcoded to 55 ms for high-order circuits in high-speed slots and 175 ms for low-order circuits in high-speed slots. For all other slots and circuit combinations, it has been hardcoded to 135 ms.

5.14 Ethernet Card GBICs and SFPs

This section describes the GBICs and SFPs used with the Ethernet cards. The ONS 15454 Ethernet cards use industry-standard SFP and GBIC modular receptacles. The ML-MR-10, ML100X-8, ML1000-2, and CE-MR-10 cards use standard Cisco SFPs. The Gigabit E-Series, G-1K-4, and CE-1000-4 cards use standard Cisco GBICs. With Software Release 4.1 and later, G-Series cards can also be equipped with dense wavelength division multiplexing (DWDM) and coarse wavelength division multiplexing (CWDM) GBICs to function as Gigabit Ethernet transponders. For all Ethernet cards, the type of GBIC or SFP plugged into the card is displayed in CTC and TL1. Cisco offers SFPs and GBICs as separate orderable products.
5.14.1 Compatibility by Card

Table 5-27 shows the GBICs for the E1000-2-G, G1K-4, or CE-1000-4 cards.

Note
The GBICs are very similar in appearance. Check the GBIC label carefully before installing it.

Table 5-28 shows the available SFPs and XFPs for Ethernet cards.

Table 5-27 Available GBICs

GBIC | Associated Cards | Application | Fiber | Product Number
1000BASE-SX | E1000-2-G, G1K-4, CE-1000-4 | Short reach | Multimode fiber up to 550 m long | 15454E-GBIC-SX=, 15454-GBIC-SX, ONS-GC-GE-SX
1000BASE-LX | E1000-2-G, G1K-4, CE-1000-4 | Long reach | Single-mode fiber up to 5 km long | 15454E-GBIC-LX=, 15454-GBIC-LX, ONS-GC-GE-LX
1000BASE-ZX | G1K-4, CE-1000-4 | Extra long reach | Single-mode fiber up to 70 km long | 15454E-GBIC-ZX=, 15454-GBIC-ZX, ONS-GC-GE-ZX

Table 5-28 Available SFPs and XFPs

SFP/XFP | Associated Cards | Application | Fiber | Product Number
1000BASE-SX | ML1000-2 | Short reach | Multimode fiber up to 550 m long | ONS-SC-GE-SX
1000BASE-SX | ML1000-2, ML-MR-10, CE-MR-10 | Short reach | 850 nm multimode fiber up to 500 m long | ONS-SI-GE-SX
1000BASE-LX | ML1000-2 | Long reach | Single-mode fiber up to 5 km long | ONS-SC-GE-LX
1000BASE-LX | ML1000-2, ML-MR-10, CE-MR-10 | Long reach | 1310 nm single-mode fiber up to 10 km long | ONS-SI-GE-LX
1000BASE-ZX | ML1000-2, ML-MR-10, CE-MR-10 | Extra long reach | 1550 nm single-mode fiber | ONS-SI-GE-ZX
100BASE-FX | ML100X-8 | Short reach | 1310 nm multimode fiber up to 2 km long | ONS-SE-100-FX
100BASE-FX | ML100X-8, ML-MR-10, CE-MR-10 | Short reach | 1310 nm multimode fiber | ONS-SI-100-FX
100BASE-LX10 | ML100X-8 | Long reach | 1310 nm single-mode fiber | ONS-SE-100-LX10
100BASE-LX10 | ML100X-8, ML-MR-10, CE-MR-10 | Long reach | 1310 nm single-mode fiber | ONS-SI-100-LX10
10/100/1000BASE-T | ML-MR-10, CE-MR-10 | Short reach | RJ45 | ONS-SE-ZE-EL
100BASE-BX | ML100X-8, ML-MR-10, CE-MR-10 | Short reach | 1550 nm RX | ONS-SE-100-BX10U
100BASE-BX | ML100X-8, ML-MR-10, CE-MR-10 | Short reach | 1310 nm RX | ONS-SE-100-BX10D
E1/DS1 over Fast Ethernet | ML-MR-10, CE-MR-10 | — | — | ONS-SC-E1-T1-PW (Release 9.2 only)
E3/DS3 PDH over Fast Ethernet | ML-MR-10, CE-MR-10 | — | — | ONS-SC-E3-T3-PW (Release 9.2 only)

5.14.2 Speed-Duplex Combinations on SFPs

Table 5-29 through Table 5-33 provide information on the speed-duplex combinations supported on different SFP types for ML-MR-10 and CE-MR-10 cards. In each table, Y means supported and N means not supported; the columns are the duplex configuration and the rows are the speed configuration.

Table 5-29 Speed-Duplex Matrix for Electrical 10/100/1000Base-T SFPs

Speed Configuration | Full | Half | Auto
10 Mbps | Y | Y | Y
100 Mbps | Y | Y | Y
1000 Mbps | Y | N | Y
Auto | Y | Y | Y

Table 5-30 Speed-Duplex Matrix for Optical 1000BaseSX/LX/ZX SFPs

Speed Configuration | Full | Half | Auto
10 Mbps | N | N | N
100 Mbps | N | N | N
1000 Mbps | Y | N | Y
Auto | Y | N | Y

Table 5-31 Speed-Duplex Matrix for Optical 100Base FX/LX10/BX-D/BX-U SFPs

Speed Configuration | Full | Half | Auto
10 Mbps | N | N | N
100 Mbps | Y | N | N
1000 Mbps | N | N | N
Auto | N | N | N

Table 5-32 Speed-Duplex Matrix for E1/DS1 over Fast Ethernet SFP

Speed Configuration | Full | Half | Auto
10 Mbps | N | N | N
100 Mbps | Y | N | N
1000 Mbps | N | N | N
Auto | N | N | N

Table 5-33 Speed-Duplex Matrix for E3/DS3 PDH over Fast Ethernet SFP

Speed Configuration | Full | Half | Auto
10 Mbps | N | N | N
100 Mbps | Y | N | N
1000 Mbps | N | N | N
Auto | N | N | N

5.14.3 GBIC Description

GBICs are integrated fiber-optic transceivers that provide high-speed serial links from a port or slot to the network. Various latching mechanisms can be utilized on the GBIC pluggable modules. There is no correlation between the type of latch and the model type (such as SX or LX/LH) or technology type (such as Gigabit Ethernet). See the label on the GBIC for technology type and model. One GBIC model has two clips (one on each side of the GBIC) that secure the GBIC in the slot on the Ethernet card; the other has a locking handle. Both types are shown in Figure 5-13.

GBIC dimensions are:
• Height 0.39 in. (1 cm)
• Width 1.18 in. (3 cm)
• Depth 2.56 in. (6.5 cm)

GBIC temperature ranges are:
• COM—Commercial operating temperature range –5 degrees C to 70 degrees C (23 degrees F to 158 degrees F)
• EXT—Extended operating temperature range –5 degrees C to 85 degrees C (23 degrees F to 185 degrees F)
• IND—Industrial operating temperature range –40 degrees C to 85 degrees C (–40 degrees F to 185 degrees F)

Figure 5-13 GBICs with Clips (left) and with a Handle (right)

5.14.4 G1K-4 DWDM and CWDM GBICs

DWDM (15454-GBIC-xx.x, 15454E-GBIC-xx.x) and CWDM (15454-GBIC-xxxx, 15454E-GBIC-xxxx) GBICs operate in an ONS 15454 G-Series card when the card is configured in Gigabit Ethernet Transponding mode or in Ethernet over SONET mode. DWDM and CWDM GBICs are both wavelength division multiplexing (WDM) technologies and operate over single-mode fibers with SC connectors. Cisco CWDM GBIC technology uses a 20 nm wavelength grid and Cisco ONS 15454 DWDM GBIC technology uses a 1 nm wavelength grid. CTC displays the specific wavelengths of the installed CWDM or DWDM GBICs. DWDM wavelengths are spaced closer together and require more precise lasers than CWDM. The DWDM spectrum allows for optical signal amplification. For more information on G-Series card transponding mode, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.

The DWDM and CWDM GBICs receive across the full 1300 nm and 1500 nm bands, which include all CWDM, DWDM, LX/LH, and ZX wavelengths, but transmit on one specified wavelength. This capability can be exploited in some of the G-Series transponding modes by receiving wavelengths that do not match the specific transmission wavelength.

Note
G1K-4 cards with the Common Language Equipment Identification (CLEI) code of WM5IRWPCAA (manufactured after August 2003) support CWDM and DWDM GBICs. G1K-4 cards manufactured prior to August 2003 do not support CWDM or DWDM GBICs.

The ONS 15454-supported CWDM GBICs reach up to 100 to 120 km over single-mode fiber and support eight wavelengths as shown in Table 5-34. The ONS 15454-supported DWDM GBICs reach up to 100 to 120 km over single-mode fiber and support 32 different wavelengths in the red and blue bands. Paired with optical amplifiers, such as the Cisco ONS 15216, the DWDM GBICs allow maximum unregenerated spans of approximately 300 km (Table 5-35).

CWDM or DWDM GBICs for the G-Series card come in set wavelengths and are not provisionable. The wavelengths are printed on each GBIC, for example, CWDM-GBIC-1490. The user must insert the specific GBIC transmitting the wavelength required to match the input of the CWDM/DWDM device for successful operation (Figure 5-14). Follow your site plan or network diagram for the required wavelengths.

Table 5-34 Supported Wavelengths for CWDM GBICs

CWDM GBIC Wavelength | Corresponding GBIC Color | Band
1470 nm | Gray | 47
1490 nm | Violet | 49
1510 nm | Blue | 51
1530 nm | Green | 53
1550 nm | Yellow | 55
1570 nm | Orange | 57
1590 nm | Red | 59
1610 nm | Brown | 61

Table 5-35 Supported Wavelengths for DWDM GBICs

Blue Band | 1530.33 nm, 1531.12 nm, 1531.90 nm, 1532.68 nm, 1534.25 nm, 1535.04 nm, 1535.82 nm, 1536.61 nm, 1538.19 nm, 1538.98 nm, 1539.77 nm, 1540.56 nm, 1542.14 nm, 1542.94 nm, 1543.73 nm, 1544.53 nm
Red Band | 1546.12 nm, 1546.92 nm, 1547.72 nm, 1548.51 nm, 1550.12 nm, 1550.92 nm, 1551.72 nm, 1552.52 nm, 1554.13 nm, 1554.94 nm, 1555.75 nm, 1556.55 nm, 1558.17 nm, 1558.98 nm, 1559.79 nm, 1560.61 nm

Figure 5-14 CWDM GBIC with Wavelength Appropriate for Fiber-Connected Device

A G-Series card equipped with CWDM or DWDM GBICs supports the delivery of unprotected Gigabit Ethernet service over Metro DWDM (Figure 5-15). It can be used in short-haul and long-haul applications.

Figure 5-15 G-Series with CWDM/DWDM GBICs in Cable Network

5.14.5 SFP Description

SFPs are integrated fiber-optic transceivers that provide high-speed serial links from a port or slot to the network. Various latching mechanisms can be utilized on the SFP modules. There is no correlation between the type of latch and the model type (such as SX or LX/LH) or technology type (such as Gigabit Ethernet). See the label on the SFP for technology type and model. One type of latch available is a mylar tab (Figure 5-16), a second type of latch available is an actuator/button (Figure 5-17), and a third type of latch is a bail clasp (Figure 5-18).

SFP dimensions are:
• Height 0.03 in. (8.5 mm)
• Width 0.53 in. (13.4 mm)
• Depth 2.22 in. (56.5 mm)

SFP temperature ranges are:
• COM—Commercial operating temperature range –5 degrees C to 70 degrees C (23 degrees F to 158 degrees F)
• EXT—Extended operating temperature range –5 degrees C to 85 degrees C (23 degrees F to 185 degrees F)
• IND—Industrial operating temperature range –40 degrees C to 85 degrees C (–40 degrees F to 185 degrees F)

Figure 5-16 Mylar Tab SFP

Figure 5-17 Actuator/Button SFP

Figure 5-18 Bail Clasp SFP

Chapter 6 Storage Access Networking Cards

Note
The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

The Fibre Channel Multirate 4-Port (FC_MR-4) card is a 1.0625- or 2.125-Gbps Fibre Channel/fiber connectivity (FICON) card that integrates non-SONET framed protocols into a SONET time-division multiplexing (TDM) platform through virtually concatenated payloads. For installation and step-by-step circuit configuration procedures, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include: • 6.1 FC_MR-4 Card Overview, page 6-1 • 6.2 FC_MR-4 Card Modes, page 6-4 • 6.3 FC_MR-4 Card Application, page 6-7 • 6.4 FC_MR-4 Card GBICs and SFPs, page 6-8 6.1 FC_MR-4 Card Overview Note For hardware specifications, see the “A.8 Storage Access Networking Card Specifications” section on page A-53. The FC_MR-4 card uses pluggable Gigabit Interface Converters (GBICs) to transport non-SONET/SDH-framed, block-coded protocols over SONET/SDH. The FC_MR-4 enables four client Fibre Channel (FC) ports to be transported over SONET/SDH, encapsulating the frames using the ITU-T generic framing procedure (GFP) format and mapping them into either T1X1 G.707-based virtual concatenated (VCAT) payloads or standard contiguously concatenated SONET payloads. The FC_MR-4 card has the following features: • Four FICON ports operating at 1 Gbps or 2 Gbps – All four ports can be operational at any time due to subrate support – Advanced distance extension capability (buffer-to-buffer credit spoofing) • Pluggable GBIC optics6-2 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 6 Storage Access Networking Cards 6.1 FC_MR-4 Card Overview – Dual rate (1G/2G): MM (550 m) and SM (10 km) – Single rate (1G): SX (550 m) and LX (10 km) • SONET/SDH support – Four 1.0625-Gbps FC channels can be mapped into one of the following: SONET containers as small as STS1-1v (subrate) SDH containers as small as VC4-1v (subrate) SONET/SDH containers as small as STS-18c/VC4-6v (full rate) – Four 2.125-Gbps FC channels can be mapped into one of the following: SONET containers as small as STS1-1v (subrate) SDH containers as small as VC4-1v (subrate) SONET/SDH containers as small as STS-36c/VC4-12v (full rate) • Frame encapsulation: ITU-T G.7041 transparent generic framing procedure (GFP-T) • High-order SONET/SDH VCAT support (STS1-Xv and STS-3c-Xv/VC4-Xv) • Differential delay support for VCAT circuits • Interoperation with the Cisco MDS 9000 switches Figure 
6-1 shows the FC_MR-4 faceplate and block diagram. 6-3 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 6 Storage Access Networking Cards 6.1.1 FC_MR-4 Card-Level Indicators Figure 6-1 FC_MR-4 Faceplate and Block Diagram 6.1.1 FC_MR-4 Card-Level Indicators Table 6-1 describes the two card-level LEDs on the FC_MR-4 card. FLASH SDRAM MPC8250 TADM IBPIA QDR MEMORY SERDES IBPIA 110595 BTC 192 CDR + SONET FRAMER DDR MEMORY QUICKSILVER VCAT PROCESSOR Decode and Control PLD GBIC OPTICS GBIC OPTICS GBIC OPTICS GBIC OPTICS RUDRA FPGA 1 Rx Tx 2 Rx Tx 4 Rx Tx 3 Rx Tx FAIL ACT FC_MR-4 ACT/LNK ACT/LNK ACT/LNK ACT/LNK B A C K P L A N E Table 6-1 FC_MR-4 Card-Level Indicators Card-Level Indicators Description FAIL LED (Red) The red FAIL LED indicates that the card processor is not ready. Replace the card if the red FAIL LED persists. ACT LED (Green) If the ACT/STBY LED is green, the card is operational and ready to carry traffic. ACT LED (Amber) If the ACT/STBY LED is amber, the card is rebooting.6-4 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 6 Storage Access Networking Cards 6.1.2 FC_MR-4 Port-Level Indicators 6.1.2 FC_MR-4 Port-Level Indicators Each FC_MR-4 port has a corresponding ACT/LNK LED. The ACT/LNK LED is solid green if the port is available to carry traffic, is provisioned as in-service, and is in the active mode. The ACT/LNK LED is flashing green if the port is carrying traffic. The ACT/LNK LED is steady amber if the port is not enabled and the link is connected, or if the port is enabled and the link is connected but there is a SONET/SDH transport error. The ACT/LNK LED is not lit if there is no link. You can find the status of the card ports using the LCD screen on the ONS 15454 SDH fan-tray assembly. Use the LCD to view the status of any port or card slot; the screen displays the number and severity of alarms for a given port or slot. 
Refer to the Cisco ONS 15454 Troubleshooting Guide for a complete description of the alarm messages.

6.1.3 FC_MR-4 Compatibility

The FC_MR-4 cards can be installed in Slots 1 to 6 and 12 to 17 when used with the XC10G and XC-VXC-10G cards. When the shelf uses the XCVT card, the FC_MR-4 can be used only in the high-speed slots (Slots 5, 6, 12, and 13). The FC_MR-4 card can be provisioned as part of any valid ONS 15454 SONET/SDH network topology, such as path protection, bidirectional line switched ring (BLSR), or linear network topologies. The FC_MR-4 card is compatible with Software Release 4.6 and greater.

6.2 FC_MR-4 Card Modes

The FC_MR-4 card can operate in two different modes:
• Line rate mode—This mode is backward compatible with the Software R4.6 line rate mode.
• Enhanced mode—This mode supports subrate, distance extension, differential delay, and other enhancements.

The FC_MR-4 card reboots when the card mode changes (a traffic hit results). The field-programmable gate array (FPGA) on the card is loaded with the image required by the new mode; however, the FPGA image in the card’s flash memory is not modified.

6.2.1 Line-Rate Card Mode

The mapping for the line rate card mode is summarized here.
• 1 Gbps Fibre Channel/FICON is mapped into:
  – STS-24c, STS-48c
  – VC4-8c, VC4-16c
  – STS1-Xv where X is 19 to 24
  – STS3c-Xv where X is 6 to 8
  – VC4-Xv where X is 6 to 8
• 2 Gbps Fibre Channel/FICON is mapped into:
  – STS-48c
  – VC4-16c
  – STS-1-Xv where X is 37 to 48
  – STS-3c-Xv where X is 12 to 16
  – VC4-Xv where X is 12 to 16

6.2.2 Enhanced Card Mode

The features available in enhanced card mode are given in this section.
6.2.2.1 Mapping

1 Gbps Fibre Channel/FICON is mapped into:
– STS-1, STS-3c, STS-6c, STS-9c, STS-12c, STS-18c, STS-24c, STS-48c
– VC4-1c, VC4-2c, VC4-3c, VC4-4c, VC4-6c, VC4-8c, VC4-16c
– STS-1-Xv where X is 1 to 24
– STS-3c-Xv where X is 1 to 8
– VC4-Xv where X is 1 to 8

2 Gbps Fibre Channel/FICON is mapped into:
– STS-1, STS-3c, STS-6c, STS-9c, STS-12c, STS-18c, STS-24c, STS-36c, STS-48c
– VC4-1c, VC4-2c, VC4-3c, VC4-4c, VC4-6c, VC4-8c, VC4-12c, VC4-16c
– STS-1-Xv where X is 1 to 48
– STS-3c-Xv where X is 1 to 16
– VC4-Xv where X is 1 to 16

6.2.2.2 SW-LCAS

The VCAT group (VCG) is reconfigurable when the software link capacity adjustment scheme (SW-LCAS) is enabled, as follows:
• Out-of-service (OOS) and out-of-group (OOG) members can be removed from the VCG
• Members with deleted cross-connects can be removed from VCGs
• Errored members can be autonomously removed from VCGs
• Degraded-bandwidth VCGs are supported
• The VCG is flexible with SW-LCAS enabled (the VCG can carry traffic as soon as the first cross-connect is provisioned on both sides of the transport)

6.2.2.3 Distance Extension

The following list describes the FC_MR-4 card distance extension capabilities:
• Enabling of a storage access networking (SAN) extension over long distances through buffer-to-buffer (B2B) credit spoofing.
  – 2300 km for 1G ports (longer distances supported with lesser throughput)
  – 1150 km for 2G ports (longer distances supported with lesser throughput)
• Negotiation mechanism to identify whether a far-end FC-over-SONET card supports the Cisco proprietary B2B mechanism
• Auto detection of FC switch B2B credits from FC-SW standards-based exchange link parameters (ELP) frames
• Support for manual provisioning of credits based on FC switch credits
• Automatic GFP buffer adjustment based on round-trip latency between two SL ports
• Automatic credit recovery during SONET switchovers/failures
• Insulation of FC switches from any SONET switchovers; no FC fabric reconvergence for SONET failures of 60 ms or less

6.2.2.4 Differential Delay Features

The combination of VCAT, SW-LCAS, and GFP specifies how to process information for data and storage clients. The resulting operations introduce delays. Their impact depends on the type of service being delivered. For example, storage requirements call for very low latency, as opposed to traffic such as e-mail, where latency variations are not critical.

With VCAT, SONET paths are grouped to aggregate bandwidth to form VCGs. Because each VCG member can follow a unique physical route through a network, there are differences in propagation delay, and possibly processing delay, between members. The overall VCG propagation delay corresponds to that of the slowest member. The VCAT differential delay is the relative arrival time measurement between members of a VCG.

The FC_MR-4 card is able to handle VCAT differential delay and provides these associated features:
• Supports a maximum of 122 ms of delay difference between the shortest and longest paths.
• Supports diverse fiber routing for VCAT circuits.
• All protection schemes are supported (path protection, automatic protection switching [APS], 2-fiber BLSR, 4-fiber BLSR).
• Supports routing of VCAT group members through different nodes in the SONET network.
• Differential delay compensation is automatically enabled on VCAT circuits that are diversely (split-fiber) routed, and disabled on VCAT circuits that are common-fiber routed.

Note Differential delay support for VCAT circuits is provisioned by means of a TL1 parameter (EXTBUFFERS) in the ENT-VCG command.

6.2.2.5 Interoperability Features

The interoperability features are as follows:
• Maximum frame size setting to prevent accumulation of oversized performance monitoring parameters for virtual SAN (VSAN) frames
• Ingress filtering disable for attachment to third-party GFP-over-SONET/SDH equipment
• String (port name) provisioning for each Fibre Channel and FICON interface on the FC_MR-4 card, to allow the MDS Fabric Manager to create a link association between a SAN port on a Cisco MDS 9000 switch and the FC_MR-4 SAN port.

6.2.3 Link Integrity

The link integrity features are as follows:
• Data port disabled if the upstream data port is not able to send over SONET/SDH transport
• Data port disabled if SONET/SDH transport is errored

6.2.4 Link Recovery

Link recovery has the following features:
• Reduces the impact of SONET/SDH disruptions on attached Fibre Channel equipment
• Speeds up the recovery of Inter-Switch Links (ISLs)
• Allows monitoring of B2B credit depletion due to SONET outage and full recovery of the credits, thus preventing the slow decay of bandwidth/throughput

Note Distance extension and link recovery cannot be enabled at the same time.

6.3 FC_MR-4 Card Application

The FC_MR-4 card provides a reliable, carrier-class, private-line Fibre Channel/FICON transport service.
Each FC_MR-4 card can support up to four 1-Gbps circuits or four 2-Gbps circuits. Four 1.0625-Gbps FC channels can be mapped into containers as small as STS-1 (subrate), with a minimum of STS-18c/VC4-6v for full rate. Four 2.125-Gbps FC channels can be mapped into containers as small as STS-1 (subrate), with a minimum of STS-36c/VC4-12v for full rate.

The FC_MR-4 card incorporates features optimized for carrier-class applications such as:
• Carrier-class Fibre Channel/FICON
• 50 ms of switch time through SONET/SDH protection as specified in Telcordia GR-253-CORE
  Note Protection switch traffic hit times of less than 60 ms are not guaranteed with differential delay in effect.
• Hitless software upgrades
  Note Hitless software upgrades are not possible with an activation from Software R5.0 to Software R6.0 or higher in enhanced card mode. This is because the FPGA must be upgraded to support differential delay in enhanced mode. Upgrades are still hitless in line rate mode.
• Remote Fibre Channel/FICON circuit bandwidth upgrades through the integrated Cisco Transport Controller (CTC)
• Multiple management options through CTC, Cisco Transport Manager (CTM), TL1, and Simple Network Management Protocol (SNMP)
• Differential delay compensation of up to 122 ms for diversely routed VCAT circuits

The FC_MR-4 payloads can be transported over the following protection types:
• Path protection
• BLSR
• Unprotected
• Protection channel access (PCA)

The FC_MR-4 payloads can be transported over the following circuit types:
• STS
• STSn
• STS-V

Note Virtual Tributary (VT) and VT-V circuits are not supported.

The FC_MR-4 card supports VCAT. See the “12.18 Virtual Concatenated Circuits” section on page 12-34 for more information about VCAT circuits.
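The container rules of sections 6.2.1, 6.2.2.1 and 6.3 and the distance-extension figures of section 6.2.2.3 can be checked before a circuit is provisioned. The following Python script is an added example written for this page; it is not Cisco code and is not part of the manual or of the card's firmware. It transcribes the mapping tables above, derives the full-rate minimum (STS-18c for 1G, STS-36c for 2G) from the 8b/10b and GFP-T overheads, and estimates how many buffer-to-buffer credits a link needs over a given fibre distance, which is what credit spoofing has to supply. The STS-1 payload figure (86 columns at 576 kbps), the GFP-T expansion ratio (67/64), the fibre delay (5 µs/km) and the 2148-byte maximum frame on the wire are the script's own assumptions; the credit model ignores GFP framing, idle fill and the card's internal buffering, so it is a planning estimate, not the card's algorithm.

```python
import math

# Added example for the FC_MR-4 chapter; not Cisco code. Assumptions are marked.

FC_LINE_RATE_GBPS = {"1G": 1.0625, "2G": 2.125}

# Assumption: usable payload of one STS-1 SPE = 86 columns (87 minus the POH column)
# x 9 rows x 8 bits x 8000 frames/s = 49.536 Mbps. A contiguous STS-Nc carries a
# little more (fewer POH columns), so treating STS-Nc as N members is conservative.
STS1_PAYLOAD_MBPS = 86 * 9 * 8 * 8000 / 1e6

# Assumption: GFP-T carries 64 client bytes in a 65-byte 64B/65B superblock plus a
# 2-byte CRC-16, i.e. 67/64 expansion; per-frame GFP headers are ignored.
GFP_T_EXPANSION = 67 / 64

# Mapping tables transcribed from sections 6.2.1 and 6.2.2.1. Sets hold N for
# STS-Nc / VC4-Nc (N=1 means STS-1 / VC4-1c); tuples are inclusive X ranges.
MAPPINGS = {
    ("1G", "line"):     {"STS-Nc": {24, 48}, "VC4-Nc": {8, 16},
                         "STS-1-Xv": (19, 24), "STS-3c-Xv": (6, 8), "VC4-Xv": (6, 8)},
    ("2G", "line"):     {"STS-Nc": {48}, "VC4-Nc": {16},
                         "STS-1-Xv": (37, 48), "STS-3c-Xv": (12, 16), "VC4-Xv": (12, 16)},
    ("1G", "enhanced"): {"STS-Nc": {1, 3, 6, 9, 12, 18, 24, 48}, "VC4-Nc": {1, 2, 3, 4, 6, 8, 16},
                         "STS-1-Xv": (1, 24), "STS-3c-Xv": (1, 8), "VC4-Xv": (1, 8)},
    ("2G", "enhanced"): {"STS-Nc": {1, 3, 6, 9, 12, 18, 24, 36, 48}, "VC4-Nc": {1, 2, 3, 4, 6, 8, 12, 16},
                         "STS-1-Xv": (1, 48), "STS-3c-Xv": (1, 16), "VC4-Xv": (1, 16)},
}
# STS-1 equivalents per unit of each container kind (one VC4 = three STS-1).
STS1_EQUIV = {"STS-Nc": 1, "VC4-Nc": 3, "STS-1-Xv": 1, "STS-3c-Xv": 3, "VC4-Xv": 3}


def client_payload_mbps(rate):
    """Data rate behind 8b/10b: 1.0625 Gbps -> 850 Mbps, 2.125 Gbps -> 1700 Mbps."""
    return FC_LINE_RATE_GBPS[rate] * 1000 * 8 / 10


def min_full_rate_members(rate):
    """Smallest number of STS-1 equivalents that carries the port at full rate."""
    needed = client_payload_mbps(rate) * GFP_T_EXPANSION
    return math.ceil(needed / STS1_PAYLOAD_MBPS)


def check_mapping(rate, mode, kind, n):
    """Is container `kind` of size n allowed in this card mode, and is it full rate?"""
    entry = MAPPINGS[(rate, mode)][kind]
    allowed = n in entry if isinstance(entry, set) else entry[0] <= n <= entry[1]
    sts1 = n * STS1_EQUIV[kind]
    return {"allowed": allowed, "sts1_equivalents": sts1,
            "full_rate": sts1 >= min_full_rate_members(rate)}


# Distance extension (section 6.2.2.3): credits versus fibre distance.
FIBER_DELAY_US_PER_KM = 5.0   # assumption: one-way propagation in single-mode fibre
FC_MAX_FRAME_BYTES = 2148     # assumption: 2112 payload + 24 header + 4 CRC + SOF + EOF


def frame_time_us(rate):
    """Wire time of one maximum-size frame (10 bits per byte on the wire)."""
    return FC_MAX_FRAME_BYTES * 10 / (FC_LINE_RATE_GBPS[rate] * 1000)


def credits_for_full_rate(distance_km, rate):
    """B2B credits needed so the R_RDY for the first frame returns before the window empties."""
    rtt_us = 2 * distance_km * FIBER_DELAY_US_PER_KM
    return math.ceil(rtt_us / frame_time_us(rate))


def full_rate_distance_km(rate, credits):
    """Farthest distance a switch holding `credits` B2B credits can drive at full rate."""
    return credits * frame_time_us(rate) / (2 * FIBER_DELAY_US_PER_KM)


def throughput_fraction(distance_km, rate, credits):
    """Fraction of line rate reachable with a fixed credit count (1.0 = full rate)."""
    rtt_us = 2 * distance_km * FIBER_DELAY_US_PER_KM
    return 1.0 if rtt_us == 0 else min(1.0, credits * frame_time_us(rate) / rtt_us)


if __name__ == "__main__":
    for rate in ("1G", "2G"):
        print(rate, "full rate needs", min_full_rate_members(rate), "x STS-1")
    print("2300 km at 1G needs", credits_for_full_rate(2300, "1G"), "credits")
    print("16 credits at 1G stay at full rate out to %.1f km" % full_rate_distance_km("1G", 16))
```

Under these assumptions the derived minimum is 18 STS-1 equivalents for 1G and 36 for 2G, which matches the STS-18c/VC4-6v and STS-36c/VC4-12v figures in the text, and the manual's 2300 km (1G) and 1150 km (2G) figures both come out at the same credit count, which is why a switch with a few dozen credits of its own cannot fill such a link without spoofing.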
6.4 FC_MR-4 Card GBICs and SFPs

The FC_MR-4 uses pluggable GBICs and SFPs for client interfaces. Table 6-2 lists GBICs and SFPs that are compatible with the FC_MR-4 card. See the 5.14.3 GBIC Description and 5.14.5 SFP Description sections for more information.

Table 6-2 GBIC and SFP Compatibility
Card                            Compatible GBIC or SFP (Cisco Product ID)   Cisco Top Assembly Number (TAN)
FC_MR-4 (ONS 15454 SONET/SDH)   15454-GBIC-SX                               30-0759-01
                                15454E-GBIC-SX                              800-06780-01
                                15454-GBIC-LX/LH                            10-1743-01
                                15454E-GBIC-LX/LH                           30-0703-01
                                ONS-GX-2FC-MMI                              10-2015-01
                                ONS-GX-2FC-SML                              10-2016-01
                                ONS-SI-GE-ZX                                10-2296-01
                                ONS-SC-Z3-1470 through ONS-SC-Z3-1610       10-2285-01 through 10-2292-01

CHAPTER 7 Card Protection

This chapter explains the Cisco ONS 15454 card protection configurations. To provision card protection, refer to the Cisco ONS 15454 Procedure Guide.

Chapter topics include:
• 7.1 Electrical Card Protection, page 7-1
• 7.2 Electrical Card Protection and the Backplane, page 7-5
• 7.3 OC-N Card Protection, page 7-13
• 7.4 Unprotected Cards, page 7-14
• 7.5 External Switching Commands, page 7-14

7.1 Electrical Card Protection

The ONS 15454 provides a variety of electrical card protection methods. This section describes the protection options. Figure 7-1 on page 7-2 shows a 1:1 protection configuration and Figure 7-2 on page 7-3 shows a 1:N protection configuration. This section covers the general concept of electrical card protection. Specific electrical card protection schemes depend on the type of electrical card as well as the electrical interface assembly (EIA) type used on the ONS 15454 backplane. Table 7-4 on page 7-6 details the specific electrical card protection schemes.

Note See Table 1-1 on page 1-16 and Table 1-2 on page 1-17 for the EIA types supported by the 15454-SA-ANSI and 15454-SA-HD (high-density) shelf assemblies.
Caution When a protection switch moves traffic from the working/active electrical card to the protect/standby electrical card, ports on the newly active (former standby) card cannot be placed out of service as long as traffic is switched. Lost traffic can result when a port is taken out of service, even if the standby card no longer carries traffic.

7.1.1 1:1 Protection

In 1:1 protection, a working card is paired with a protect card of the same type. If the working card fails, the traffic from the working card switches to the protect card. You can provision 1:1 to be revertive or nonrevertive. If revertive, traffic automatically reverts to the working card after the failure on the working card is resolved.

Figure 7-1 shows an example of the ONS 15454 in a 1:1 protection configuration. Each working card in an even-numbered slot is paired with a protect card in an odd-numbered slot: Slot 1 is protecting Slot 2, Slot 3 is protecting Slot 4, Slot 5 is protecting Slot 6, Slot 17 is protecting Slot 16, Slot 15 is protecting Slot 14, and Slot 13 is protecting Slot 12.

Figure 7-1 Example: ONS 15454 Cards in a 1:1 Protection Configuration (SMB EIA)

Table 7-1 provides supported 1:1 protection by electrical card type.
[Figure 7-1: shelf layout, left to right: Protect, Working, Protect, Working, Protect, Working, TCC+, XC10G, AIC (Optional), XC10G, TCC+, Working, Protect, Working, Protect, Working, Protect. (Drawing 33384)]

Table 7-1 Supported 1:1 Protection by Electrical Card
Working Card                            Protect Card
DS1-14 or DS1N-14                       DS1-14 or DS1N-14
DS3-12/DS3-12E or DS3N-12/DS3N-12E      DS3-12 or DS3N-12
DS3i-N-12                               DS3i-N-12
DS3XM-6 (Transmux)                      DS3XM-6 (Transmux)
DS3XM-12 (Transmux)                     DS3XM-12 (Transmux)
Working Slot / Protection Slot pairs (all card types above): 2/1, 4/3, 6/5, 12/13, 14/15, 16/17

7.1.2 1:N Protection

1:N protection allows a single electrical card to protect up to five working cards of the same speed. 1:N cards have added circuitry to act as the protect card in a 1:N protection group. Otherwise, the card is identical to the standard card and can serve as a normal working card.

The physical DS-1 or DS-3 interfaces on the ONS 15454 backplane use the working card until the working card fails. When the node detects this failure, the protect card takes over the physical DS-1 or DS-3 electrical interfaces through the relays and signal bridging on the backplane.

Figure 7-2 shows the ONS 15454 in a 1:N protection configuration. Each side of the shelf assembly has only one card protecting all of the cards on that side.

Figure 7-2 Example: ONS 15454 Cards in a 1:N Protection Configuration (SMB EIA)

Table 7-2 provides the supported 1:N configurations by electrical card, as well as the card types that can be used for working and protection cards. Additional engineering rules for 1:N card deployments are covered in the following sections.
[Figure 7-2: shelf layout, left to right: Working, Working, 1:N Protection, Working, Working, Working, TCC+, XC10G, AIC (Optional), XC10G, TCC+, Working, Working, Working, 1:N Protection, Working, Working. (Drawing 32106)]

Table 7-2 Supported 1:N Protection by Electrical Card
Working Card                              Protect Card           Protect Group (Maximum)      Working Slots                            Protection Slot
DS1-14 or DS1N-14                         DS1N-14                N ≤ 5                        1, 2, 4, 5, 6                            3
                                                                                              12, 13, 14, 16, 17                       15
DS1/E1-56                                 DS1/E1-56              N ≤ 2                        1 (1), 2 (2)                             3
                                                                                              16 (3), 17 (4)                           15
DS3-12/DS3-12E or DS3N-12/DS3N-12E        DS3N-12/DS3N-12E       N ≤ 5                        1, 2, 4, 5, 6                            3
                                                                                              12, 13, 14, 16, 17                       15
DS3i-N-12                                 DS3i-N-12              N ≤ 5                        1, 2, 4, 5, 6                            3
                                                                                              12, 13, 14, 16, 17                       15
DS3/EC1-48                                DS3/EC1-48             N ≤ 2                        1 (5), 2 (6)                             3
                                                                                              16 (7), 17 (8)                           15
DS3XM-12 (Transmux)                       DS3XM-12 (Transmux)    N ≤ 5                        1, 2, 4, 5, 6                            3
                                                                                              12, 13, 14, 16, 17                       15
DS3XM-12 (Transmux)                       DS3XM-12 (Transmux)    N ≤ 7 (portless, see 9)      1, 2, 4, 5, 6, 12, 13, 14, 15, 16, 17    3
                                                                                              1, 2, 3, 4, 5, 6, 12, 13, 14, 16, 17     15
1. A high-density electrical card inserted in Slot 1 restricts the use of Slots 5 and 6 to optical, data, or storage cards.
2. A high-density electrical card inserted in Slot 2 restricts the use of Slots 4 and 6 to optical, data, or storage cards.
3. A high-density electrical card inserted in Slot 16 restricts the use of Slot 14 to optical, data, or storage cards.
4. A high-density electrical card inserted in Slot 17 restricts the use of Slots 12 and 13 to optical, data, or storage cards.
5. A high-density electrical card inserted in Slot 1 restricts the use of Slots 5 and 6 to optical, data, or storage cards.
6. A high-density electrical card inserted in Slot 2 restricts the use of Slots 4 and 6 to optical, data, or storage cards.
7. A high-density electrical card inserted in Slot 16 restricts the use of Slot 14 to optical, data, or storage cards.
8. A high-density electrical card inserted in Slot 17 restricts the use of Slots 12 and 13 to optical, data, or storage cards.
9. Portless DS-3 Transmux operation does not terminate the DS-3 signal on the EIA panel.

7.1.2.1 Revertive Switching

1:N protection supports revertive switching. Revertive switching sends the electrical interfaces (traffic) back to the original working card after the card comes back online. Detecting an active working card triggers the reversion process. There is a variable time period for the lag between detection and reversion, called the revertive delay, which you can set using the ONS 15454 software, Cisco Transport Controller (CTC). To set the revertive delay, refer to the “Turn Up a Node” chapter in the Cisco ONS 15454 Procedure Guide. All cards in a protection group share the same reversion settings. 1:N protection groups default to automatic reversion.

Caution A user-initiated switch (external switching command) overrides the revertive delay; that is, clearing the switch clears the timer.

7.1.2.2 1:N Protection Guidelines

There are two types of 1:N protection groups for the ONS 15454: ported and portless. Ported 1:N interfaces are the traditional protection groups for signals electrically terminated on the shelf assembly. Portless 1:N interfaces are signals received as an electrical synchronous transport signal (STS) through the cross-connect card. The DS3XM-12 card supports portless as well as traditional ported deployments.

Table 7-2 on page 7-3 outlines the 1:N configurations supported by each electrical card type. The following rules apply to ported 1:N protection groups in the ONS 15454:
• Working and protect card groups must reside in the same card bank (Side A or Side B).
• The 1:N protect card must reside in Slot 3 for Side A and Slot 15 for Side B.
• Working cards can sit on either or both sides of the protect card.

The following rules apply to portless 1:N protection groups in the ONS 15454:
• Working and protect card groups can reside in the same card bank or different card banks (Side A or Side B).
• The 1:N protect card can be installed in either Slot 3 or Slot 15 and protect working cards in both card banks.
• Working cards can sit on either or both sides of the protect card.

The ONS 15454 supports 1:N equipment protection for all add-drop multiplexer (ADM) configurations (ring, linear, and terminal), as specified by Telcordia GR-253-CORE. For detailed procedures for setting up DS-1 and DS-3 protection groups, refer to the Cisco ONS 15454 Procedure Guide.

7.2 Electrical Card Protection and the Backplane

Protection schemes for electrical cards depend on the EIA type used on the ONS 15454 backplane. The difference is due to the varying connector size. For example, because BNC connectors are larger, fewer DS3-12 cards can be supported when using a BNC connector. Table 7-3 shows the number of connectors per side for each EIA type according to low-density and high-density interfaces. In the tables, high-density (HD) cards include the DS3/EC1-48 and DS1/E1-56 cards. Low-density (LD) cards include the following:
• DS1-14, DS1N-14
• DS3-12/DS3-12E, DS3N-12/DS3N-12E
• DS3XM-6
• DS3XM-12
• EC1-12

Note For EIA installation, refer to the “Install the Shelf and Backplane Cable” chapter in the Cisco ONS 15454 Procedure Guide.
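The slot rules in sections 7.1.1 and 7.1.2 (the fixed 1:1 slot pairs, the Slot 3/Slot 15 rule and the same-bank rule for ported 1:N groups, the footnoted high-density restrictions of Table 7-2) and the same-type, same-port-count rule for 1+1 OC-N groups in section 7.3.1 later in this chapter are easy to get wrong in a provisioning script, and a wrong group is only discovered at the first protection switch. The following Python checker is an added example written for this page; it is not Cisco code, does not reproduce CTC or TL1 validation, and only restates the rules printed in this chapter. Card names are those of Tables 7-1 and 7-2; the function names and the card dictionary shape used for the 1+1 check are the example's own.

```python
# Added example for the Card Protection chapter; not Cisco code. Assumptions are marked.

SIDE_A = {1, 2, 3, 4, 5, 6}
SIDE_B = {12, 13, 14, 15, 16, 17}

# Section 7.1.1 / Table 7-1: working slot -> protect slot for 1:1 groups.
ONE_TO_ONE_PAIRS = {2: 1, 4: 3, 6: 5, 12: 13, 14: 15, 16: 17}

# Table 7-2: cards that may act as the 1:N protect card, with the maximum N (ported).
ONE_TO_N_PROTECT = {
    "DS1N-14": 5, "DS3N-12": 5, "DS3N-12E": 5, "DS3i-N-12": 5, "DS3XM-12": 5,
    "DS1/E1-56": 2, "DS3/EC1-48": 2,
}
PORTLESS_MAX = {"DS3XM-12": 7}          # Table 7-2, portless DS3XM-12 row
HIGH_DENSITY = {"DS1/E1-56", "DS3/EC1-48"}
HD_WORKING_SLOTS = {1, 2, 16, 17}       # Table 7-2, high-density rows
# Table 7-2 footnotes 1-8: a high-density card in this slot reserves these slots
# for optical, data, or storage cards.
HD_RESERVED = {1: {5, 6}, 2: {4, 6}, 16: {14}, 17: {12, 13}}


def side_of(slot):
    return "A" if slot in SIDE_A else "B" if slot in SIDE_B else None


def check_1to1(working_slot, protect_slot):
    """True if the pair is one of the fixed 1:1 slot pairs (Figure 7-1 / Table 7-1)."""
    return ONE_TO_ONE_PAIRS.get(working_slot) == protect_slot


def check_1toN(protect_card, protect_slot, working_slots, portless=False):
    """Return (errors, hd_reserved_slots) for a proposed 1:N protection group."""
    errors = []
    working = list(working_slots)
    if protect_card not in ONE_TO_N_PROTECT:
        return [f"{protect_card} cannot be a 1:N protect card"], set()
    if protect_slot not in (3, 15):
        errors.append("1:N protect card must be in Slot 3 (Side A) or Slot 15 (Side B)")
    n_max = ONE_TO_N_PROTECT[protect_card]
    if portless:
        n_max = PORTLESS_MAX.get(protect_card, n_max)
    if len(working) > n_max:
        errors.append(f"{len(working)} working cards exceed N <= {n_max} for {protect_card}")
    for ws in working:
        if side_of(ws) is None:
            errors.append(f"Slot {ws} is not an electrical card slot")
        elif ws == protect_slot:
            errors.append(f"Slot {ws} is the protect slot")
        elif not portless and side_of(ws) != side_of(protect_slot):
            errors.append(f"Slot {ws} is not in the same card bank as the protect slot (ported group)")
    reserved = set()
    if protect_card in HIGH_DENSITY:
        for ws in working:
            if ws not in HD_WORKING_SLOTS:
                errors.append(f"Slot {ws} cannot hold a high-density working card")
            reserved |= HD_RESERVED.get(ws, set())
        clash = reserved & set(working)
        if clash:
            errors.append(f"Slots {sorted(clash)} are reserved for optical, data, or storage cards")
    return errors, reserved


def check_1plus1(working_card, protect_card, port):
    """Section 7.3.1: different cards, same type, same port count, same port number."""
    # Cards are dicts {"name": ..., "type": ..., "ports": ...}; this shape is the
    # example's own, not a CTC or TL1 data model.
    errors = []
    if working_card["name"] == protect_card["name"]:
        errors.append("working and protect ports must be on different cards")
    if working_card["type"] != protect_card["type"]:
        errors.append("cards must be of the same type")
    if working_card["ports"] != protect_card["ports"]:
        errors.append("cards must have the same number of ports")
    if not 1 <= port <= min(working_card["ports"], protect_card["ports"]):
        errors.append(f"port {port} does not exist on both cards")
    return errors


if __name__ == "__main__":
    print(check_1toN("DS1N-14", 3, [1, 2, 4, 5, 6]))
    print(check_1toN("DS3/EC1-48", 15, [16, 17]))
    print(check_1toN("DS3XM-12", 3, [1, 2, 4, 5, 6, 12, 13], portless=True))
```

The second return value matters even when the group itself is valid: a DS3/EC1-48 pair in Slots 16 and 17 passes, but Slots 12, 13, and 14 are then off limits to any further electrical card on that side, which a script that only checks the group would miss.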
Caution When a protection switch moves traffic from the working/active electrical card to the protect/standby electrical card, ports on the newly active (former standby) card cannot be taken out of service as long as traffic is switched. Lost traffic can result when a port is taken out of service even if the standby electrical card no longer carries traffic.

Table 7-3 EIA Connectors Per Side
Interfaces per Side                                            Standard BNC   High-Density BNC   MiniBNC   SMB   AMP Champ   UBIC-V and UBIC-H (SCSI)
Total physical connectors                                      48             96                 192       168   6           16
Maximum LD DS-1 interfaces (transmit [Tx] and receive [Rx])    —              —                  —         84    84          84
Maximum LD DS-3 interfaces (Tx and Rx)                         24             48                 72        72    —           72
Maximum HD DS-1 interfaces (Tx and Rx)                         —              —                  —         —     —           112
Maximum HD DS-3 interfaces (Tx and Rx)                         —              —                  96        —     —           96

Table 7-4 shows the electrical card protection for each EIA type according to shelf side and slots.
Table 7-4 Electrical Card Protection By EIA Type
Protection Type   Card Type     Side   Standard BNC   High-Density BNC   MiniBNC      SMB          AMP Champ    UBIC-V and UBIC-H (SCSI)
Unprotected       LD, Working   A      2, 4           1, 2, 4, 5         1–6          1–6          1–6          1–6
                                B      14, 16         13, 14, 16, 17     12–17        12–17        12–17        12–17
                  HD, Working   A      —              —                  1, 2         —            —            1, 2
                                B      —              —                  16, 17       —            —            16, 17
1:1               LD, Working   A      2, 4           2, 4               2, 4, 6      2, 4, 6      2, 4, 6      2, 4, 6
                                B      14, 16         14, 16             12, 14, 16   12, 14, 16   12, 14, 16   12, 14, 16
                  LD, Protect   A      1, 3           1, 3               1, 3, 5      1, 3, 5      1, 3, 5      1, 3, 5
                                B      15, 17         15, 17             13, 15, 17   13, 15, 17   13, 15, 17   13, 15, 17
1:N               LD, Working   A      —              1, 2, 4, 5         1–6          1–6          1–6          1–6
                                B      —              13, 14, 16, 17     12–17        12–17        12–17        12–17
                  LD, Protect   A      —              3                  3            3            3            3
                                B      —              15                 15           15           15           15
                  HD, Working   A      —              —                  1, 2         —            —            1, 2
                                B      —              —                  16, 17       —            —            16, 17
                  HD, Protect   A      —              —                  3            —            —            3
                                B      —              —                  15           —            —            15

Figure 7-3 shows unprotected low-density electrical card schemes by EIA type.

Figure 7-3 Unprotected Low-Density Electrical Card Schemes for EIA Types
[Figure: four shelf layouts (Standard BNC, High-Density BNC, SMB/UBIC/AMP Champ, MiniBNC), each with the TCC, cross-connect, and AIC slots in the centre and Working cards in the available electrical slots. (Drawing 124960)]

Figure 7-4 shows unprotected high-density electrical card schemes by EIA type.
Figure 7-4 Unprotected High-Density Electrical Card Schemes for EIA Types
[Figure: UBIC/MiniBNC shelf layout with the TCC, cross-connect, and AIC slots in the centre and high-density Working cards in Slots 1, 2, 16, and 17. (Drawing 124963)]

Figure 7-5 shows 1:1 low-density card protection by EIA type.

Figure 7-5 1:1 Protection Schemes for Low-Density Electrical Cards with EIA Types
[Figure: three shelf layouts (Standard BNC, High-Density BNC, SMB/UBIC/AMP Champ/MiniBNC) with alternating Working and Protect cards around the central TCC, cross-connect, and AIC slots. (Drawing 124962)]

Figure 7-6 shows 1:N protection for low-density electrical cards.

Figure 7-6 1:N Protection Schemes for Low-Density Electrical Cards with EIA Types

Note EC-1 cards do not support 1:N protection.

[Figure: three shelf layouts (Standard BNC, High-Density BNC, SMB/UBIC/AMP Champ/MiniBNC), each with one 1:N Protection card per side and Working cards in the other electrical slots. (Drawing 124961)]

Figure 7-7 shows 1:1 high-density card protection by EIA type.
Figure 7-7 1:1 Protection Schemes for High-Density Electrical Cards with UBIC or MiniBNC EIA Types

7.2.1 Standard BNC Protection

When used with the standard BNC EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N ≤ 2) electrical card protection for DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The standard BNC EIA panel provides 48 BNC connectors for terminating up to 24 transmit and 24 receive signals per EIA panel, enabling 96 BNC connectors for terminating up to 48 transmit and receive signals per shelf with two standard BNC panels installed. With an A-Side standard BNC EIA, Slots 2 and 4 can be used for working slots, and with a B-Side EIA, Slots 14 and 16 can be used for working slots. Each of these slots is mapped to 24 BNC connectors on the EIA to support up to 12 transmit/receive signals. These slots can be used with or without equipment protection for DS-3 and EC-1 services.

7.2.2 High-Density BNC Protection

When used with the high-density BNC EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N ≤ 4) electrical card protection for DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The high-density BNC EIA panel provides 96 BNC connectors for terminating up to 48 transmit and 48 receive signals per EIA panel, enabling 192 BNC connectors for terminating up to 96 transmit and receive signals per shelf with two high-density BNC panels installed. With an A-Side high-density BNC EIA, Slots 1, 2, 4, and 5 can be used for working slots, and with a B-Side EIA, Slots 13, 14, 16, and 17 can be used for working slots. Each of these slots is mapped to 24 BNC connectors on the EIA to support up to 12 transmit/receive signals. These slots can be used with or without equipment protection for DS-3 and EC-1 services.
7.2.3 MiniBNC Protection

When used with the MiniBNC EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N ≤ 5) electrical card protection for DS-3 and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The MiniBNC EIA provides 192 MiniBNC connectors for terminating up to 96 transmit and 96 receive signals per EIA, enabling 384 MiniBNC connectors for terminating up to 192 transmit and receive signals per shelf with two MiniBNC panels installed. With an A-Side MiniBNC EIA, Slots 1, 2, 4, 5, and 6 can be used for working slots, and on a B-Side panel, Slots 12, 13, 14, 16, and 17 can be used for working slots. Each of these slots is mapped to 24 MiniBNC connectors on the EIA panel to support up to 12 transmit/receive signals. In addition, working Slots 1, 2, 16, and 17 can be mapped to 96 MiniBNC connectors to support the high-density electrical card. These slots can be used with or without equipment protection for DS-3 and EC-1 services.

7.2.4 SMB Protection

When used with the SMB EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N ≤ 5) electrical card protection for DS-1, DS-3, and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The SMB EIA provides 168 SMB connectors for terminating up to 84 transmit and 84 receive signals per EIA, enabling 336 SMB connectors for terminating up to 168 transmit and receive signals per shelf with two SMB EIAs installed. With an A-Side SMB EIA, Slots 1, 2, 3, 4, 5, and 6 can be used for working slots, and with a B-Side EIA, Slots 12, 13, 14, 15, 16, and 17 can be used for working slots. Each of these slots is mapped to 28 SMB connectors on the EIA to support up to 14 transmit/receive signals.
These slots can be used with or without equipment protection for DS-1, DS-3, and EC-1 services. For DS-1 services, an SMB-to-wire-wrap balun is installed on the SMB ports for termination of the 100-ohm signal.

7.2.5 AMP Champ Protection

When used with the AMP Champ EIA, the ONS 15454 supports unprotected, 1:1, or 1:N (N ≤ 5) electrical card protection for DS-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The AMP Champ EIA provides 6 AMP Champ connectors for terminating up to 84 transmit and 84 receive signals per EIA, enabling 12 AMP Champ connectors for terminating up to 168 transmit and receive signals per shelf with two AMP Champ EIAs installed. With an A-Side AMP Champ EIA, Slots 1, 2, 3, 4, 5, and 6 can be used for working slots, and with a B-Side EIA, Slots 12, 13, 14, 15, 16, and 17 can be used for working slots. Each of these slots is mapped to 1 AMP Champ connector on the EIA to support 14 transmit/receive signals. These slots can be used with or without equipment protection for DS-1 services.

7.2.6 UBIC Protection

When used with the UBIC EIA, the ONS 15454 high-density shelf assembly (15454-SA-HD) supports unprotected, 1:1, or 1:N (N ≤ 5) electrical card protection for DS-1, DS-3, and EC-1 signals, as outlined in Table 7-1 on page 7-2 and Table 7-2 on page 7-3. The UBIC EIA provides 16 SCSI connectors for terminating up to 112 transmit and receive DS-1 signals per EIA, or up to 96 transmit and receive DS-3 connections. With an A-Side UBIC EIA, Slots 1, 2, 3, 4, 5, and 6 can be used for working slots, and with a B-Side EIA, Slots 12, 13, 14, 15, 16, and 17 can be used for working slots. Each of these slots is mapped to two SCSI connectors on the EIA to support up to 14 transmit/receive signals. In addition, working Slots 1, 2, 16, and 17 can be mapped to 8 SCSI connectors to support the high-density electrical card.
These slots can be used with or without equipment protection for DS-1, DS-3, and EC-1 services.

7.3 OC-N Card Protection

The ONS 15454 provides two optical card protection methods, 1+1 protection and optimized 1+1 protection. This section covers the general concept of optical card protection. Specific optical card protection schemes depend on the optical cards in use.

7.3.1 1+1 Protection

Any OC-N card can use 1+1 protection. With 1+1 port-to-port protection, ports on the protect card can be assigned to protect the corresponding ports on the working card. Both ports must belong to two different cards and must have the same port number. For example, if port 2 is the protect port on Card A, then port 2 on Card B is the working port. The working and protect cards do not have to be placed side by side in the node.

A working card must be paired with a protect card of the same type and number of ports. For example, a single-port OC-12 must be paired with another single-port OC-12, and a four-port OC-12 must be paired with another four-port OC-12. You cannot create a 1+1 protection group if one card is single-port and the other is multiport, even if the OC-N rates are the same.

The protection takes place on the port level, and any number of ports on the protect card can be assigned to protect the corresponding ports on the working card. For example, on a four-port card, you can assign one port as a protection port on the protect card (protecting the corresponding port on the working card) and leave three ports unprotected. Conversely, you can assign three ports as protection ports and leave one port unprotected. With 1:1 or 1:N protection (electrical cards), by contrast, the protect card must protect an entire slot; in other words, all the ports on the protect card are used in the protection scheme.

1+1 span protection can be either revertive or nonrevertive.
With nonrevertive 1+1 protection, when a failure occurs and the signal switches from the working card to the protect card, the signal stays switched to the protect card until it is manually switched back. Revertive 1+1 protection automatically switches the signal back to the working card when the working card comes back online. 1+1 protection is unidirectional and nonrevertive by default; revertive switching is easily provisioned using CTC.

Note When provisioning a line timing reference for the node, you cannot select the protect port of a 1+1 protection group. If a traffic switch occurs on the working port of the 1+1 protection group, the timing reference of the node automatically switches to the protect port of the 1+1 protection group.

7.3.2 Optimized 1+1 Protection

Optimized 1+1 protection is used in networks that mainly use the linear 1+1 bidirectional protection scheme. Optimized 1+1 is a line-level protection scheme using two lines, working and protect. One of the two lines assumes the role of the primary channel, where traffic is selected, and the other line assumes the role of the secondary channel, which protects the primary channel. Traffic switches from the primary channel to the secondary channel based on either line conditions or an external switching command performed by the user. After the line condition clears, the traffic remains on the secondary channel. The secondary channel is automatically renamed the primary channel and the former primary channel is automatically renamed the secondary channel. Unlike 1+1 span protection, 1+1 optimized span protection does not use the revertive or nonrevertive feature. Also, 1+1 optimized span protection does not use the Manual switch command. The 1+1 optimized span protection scheme is supported only on the Cisco ONS 15454 SONET using either OC3-4 cards or OC3-8 cards with ports that are provisioned for SDH payloads.
Optimized 1+1 is fully compliant with Nippon Telegraph and Telephone Corporation (NTT) specifications.

With optimized 1+1 port-to-port protection, ports on the protect card can be assigned to protect the corresponding ports on the working card. The working and protect cards do not have to be installed side by side in the node. A working card must be paired with a protect card of the same type and number of ports. For example, a four-port OC-3 must be paired with another four-port OC-3, and an eight-port OC-3 must be paired with another eight-port OC-3. You cannot create an optimized 1+1 protection group if the number of ports does not match, even if the OC-N rates are the same.

The protection takes place on the port level, and any number of ports on the protect card can be assigned to protect the corresponding ports on the working card. For example, on a four-port card, you can assign one port as a protection port on the protect card (protecting the corresponding port on the working card) and leave three ports unprotected. Conversely, you can assign three ports as protection ports and leave one port unprotected.

With 1:1 or 1:N protection (electrical cards), the protect card must protect an entire slot. In other words, all the ports on the protect card are used in the protection scheme.

7.4 Unprotected Cards

Unprotected cards are not included in a protection scheme; therefore, a card failure or a signal error results in lost data. Because no bandwidth lies in reserve for protection, unprotected schemes maximize the available ONS 15454 bandwidth. Figure 7-8 shows the ONS 15454 in an unprotected configuration. All cards are in a working state.

Figure 7-8 ONS 15454 in an Unprotected Configuration

7.5 External Switching Commands

The external switching commands on the ONS 15454 are Manual, Force, and Lockout.
If you choose a Manual switch, the command will switch traffic only if the path has an error rate less than the signal degrade (SD) bit error rate threshold. A Force switch will switch traffic even if the path has SD or signal fail (SF) conditions; however, a Force switch will not override an SF on a 1+1 protection channel. A Force switch has a higher priority than a Manual switch. Lockouts, which prevent traffic from switching to the protect port under any circumstance, can only be applied to protect cards (in 1+1 configurations). Lockouts have the highest priority. In a 1+1 configuration you can also apply a lock on to the working port. A working port with a lock on applied cannot switch traffic to the protect port in the protection group (pair). In 1:1 protection groups, working or protect ports can have a lock on.

Note: Force and Manual switches do not apply to 1:1 protection groups; these ports have a single switch command.

Chapter 8 Cisco Transport Controller Operation

This chapter describes Cisco Transport Controller (CTC), the software interface for the Cisco ONS 15454. For CTC set up and login information, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 8.1 CTC Software Delivery Methods, page 8-1
• 8.2 CTC Installation Overview, page 8-4
• 8.3 PC and UNIX Workstation Requirements, page 8-4
• 8.4 ONS 15454 Connection, page 8-7
• 8.5 CTC Login, page 8-8
• 8.6 CTC Window, page 8-9
• 8.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes, page 8-19
• 8.8 TCC2/TCC2P Card Reset, page 8-22
• 8.9 TCC2/TCC2P Card Database, page 8-22
• 8.10 Software Revert, page 8-23

8.1 CTC Software Delivery Methods

ONS 15454 provisioning and administration is performed using the CTC software. CTC is a Java application that is installed in two locations: CTC is stored on the Advanced Timing, Communications, and Control (TCC2) card or the Advanced Timing, Communications, and Control Plus (TCC2P) card, and it is downloaded to your workstation the first time you log into the ONS 15454 with a new software release.

8.1.1 CTC Software Installed on the TCC2/TCC2P Card

CTC software is preloaded on the ONS 15454 TCC2/TCC2P cards; therefore, you do not need to install software on the TCC2/TCC2P cards. When a new CTC software version is released, use the release-specific software upgrade document to upgrade the ONS 15454 software on the TCC2/TCC2P cards.

When you upgrade CTC software, the TCC2/TCC2P cards store the new CTC version as the protect CTC version. When you activate the new CTC software, the TCC2/TCC2P cards store the older CTC version as the protect CTC version, and the newer CTC release becomes the working version. You can view the software versions that are installed on an ONS 15454 by selecting the Maintenance > Software tabs in node view (Figure 8-1).
Figure 8-1 CTC Software Versions, Node View

Select the Maintenance > Software tabs in network view to display the software versions installed on all the network nodes (Figure 8-2).

Figure 8-2 CTC Software Versions, Network View

8.1.2 CTC Software Installed on the PC or UNIX Workstation

CTC software is downloaded from the TCC2/TCC2P cards and installed on your computer automatically after you connect to the ONS 15454 with a new software release for the first time. Downloading the CTC software files automatically ensures that your computer is running the same CTC software version as the TCC2/TCC2P cards you are accessing. The CTC files are stored in the temporary directory designated by your computer operating system. You can use the Delete CTC Cache button to remove files stored in the temporary directory. If the files are deleted, they download the next time you connect to an ONS 15454. Downloading the Java archive (JAR) files for CTC takes several minutes depending on the bandwidth of the connection between your workstation and the ONS 15454. For example, JAR files downloaded from a modem or a data communications channel (DCC) network link require more time than JAR files downloaded over a LAN connection.

During network topology discovery, CTC polls each node in the network to determine which one contains the most recent version of the CTC software. If CTC discovers a node in the network that has a more recent version of the CTC software than the version you are currently running, CTC generates a message stating that a later version of the CTC has been found in the network and offers to install the CTC software upgrade JAR files. If you have network discovery disabled, CTC will not seek more recent versions of the software.
Unreachable nodes are not included in the upgrade discovery.

Note: Upgrading the CTC software will overwrite your existing software. You must restart CTC after the upgrade is complete.

8.2 CTC Installation Overview

To connect to an ONS 15454 using CTC, you enter the ONS 15454 IP address in the URL field of Netscape Navigator or Microsoft Internet Explorer. After connecting to an ONS 15454, the following occurs automatically:
1. A CTC launcher applet is downloaded from the TCC2/TCC2P card to your computer.
2. The launcher determines whether your computer has a CTC release matching the release on the ONS 15454 TCC2/TCC2P card.
3. If the computer does not have CTC installed, or if the installed release is older than the TCC2/TCC2P card’s version, the launcher downloads the CTC program files from the TCC2/TCC2P card.
4. The launcher starts CTC.

The CTC session is separate from the web browser session, so the web browser is no longer needed. Always log into nodes having the latest software release. If you log into an ONS 15454 that is connected to ONS 15454s with older versions of CTC, or to Cisco ONS 15327s or Cisco ONS 15600s, CTC files are downloaded automatically to enable you to interact with those nodes. The CTC file download occurs only when necessary, such as during your first login. You cannot interact with nodes on the network that have a software version later than the node that you used to launch CTC.

Each ONS 15454 can handle up to five concurrent CTC sessions. CTC performance can vary, depending on the volume of activity in each session, network bandwidth, and TCC2/TCC2P card load.

Note: You can also use TL1 commands to communicate with the Cisco ONS 15454 through VT100 terminals and VT100 emulation software, or you can telnet to an ONS 15454 using TL1 port 3083.
Refer to the Cisco ONS SONET TL1 Command Guide for a comprehensive list of TL1 commands.

8.3 PC and UNIX Workstation Requirements

To use CTC for the ONS 15454, your computer must have a web browser with the correct Java Runtime Environment (JRE) installed. The correct JRE for each CTC software release is included on the Cisco ONS 15454 software CD. If you are running multiple CTC software releases on a network, the JRE installed on the computer must be compatible with the different software releases. You can change the JRE version on the Preferences dialog box JRE tab. When you change the JRE version on the JRE tab, you must exit and restart CTC for the new JRE version to take effect. Table 8-1 shows JRE compatibility with ONS 15454 software releases.

Note: To avoid network performance issues, Cisco recommends managing a maximum of 50 nodes concurrently with CTC. The 50 nodes can be on a single DCC or split across multiple DCCs. Cisco does not recommend running multiple CTC sessions when managing two or more large networks. To manage more than 50 nodes, Cisco recommends using Cisco Transport Manager (CTM). If you do use CTC to manage more than 50 nodes, you can improve performance by adjusting the heap size; see the “General Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide. You can also create login node groups; see the “Connect the PC and Log Into the GUI” chapter of the Cisco ONS 15454 Procedure Guide.

Table 8-2 lists the requirements for PCs and UNIX workstations.
Table 8-1 JRE Compatibility
ONS Software Release | JRE 1.2.2 Compatible | JRE 1.3 Compatible | JRE 1.4 Compatible | JRE 5.0 Compatible | JRE 1.6 Compatible
ONS 15454 Release 4.5 | No | Yes | No | No | No
ONS 15454 Release 4.6 | No | Yes | Yes | No | No
ONS 15454 Release 4.7 | No | No | Yes | No | No
ONS 15454 Release 5.0 | No | No | Yes | No | No
ONS 15454 Release 6.0 | No | No | Yes | No | No
ONS 15454 Release 7.0 | No | No | Yes | Yes | No
ONS 15454 Release 7.2 | No | No | Yes | Yes | No
ONS 15454 Release 8.0 | No | No | No | Yes | No
ONS 15454 Release 8.5 | No | No | No | Yes | No
ONS 15454 Release 9.0 | No | No | No | Yes | No
ONS 15454 Release 9.1 | No | No | No | Yes | No
ONS 15454 Release 9.2 | No | No | No | No | Yes
ONS 15454 Release 9.2.1 | No | No | No | No | Yes

Table 8-2 CTC Computer Requirements
Area | Requirements | Notes
Processor (PC only) | Pentium 4 processor or equivalent | A faster CPU is recommended if your workstation runs multiple applications or if CTC manages a network with a large number of nodes and circuits.
RAM | 512 MB RAM or more (1 GB RAM or more for Release 9.2) | A minimum of 1 GB is recommended if your workstation runs multiple applications or if CTC manages a network with a large number of nodes and circuits.
Hard drive | 20 GB hard drive with 100 MB of free space required (250 MB of free space required for Release 9.2) | CTC application files are downloaded from the TCC2/TCC2P to your computer. These files occupy around 100 MB (250 MB to be safer) or more space depending on the number of versions in the network.
Operating System | PC: Windows 2000 with SP4, Windows XP with SP2, Windows Vista with SP1, Windows Server 2003 with SP2 (Windows 7, Windows Server 2008 for Release 9.2 and later). Workstation: Solaris version 9 or 10. Apple Mac OS X: CTC needs to be installed using the CacheInstaller available on CCO or the Release CD (for Release 9.2 and later). | Use the latest patch/Service Packs released by the OS vendor. Check with the vendor for the latest patch/Service Packs.
Java Runtime Environment | JRE 5.0 (Release 9.1); JRE 1.6 (Release 9.2 and later) | The appropriate JRE version is installed by the CTC Installation Wizard included on the Cisco ONS 15454 software CD. JRE installation provides enhancements to CTC performance, especially for large networks with numerous circuits. If CTC must be launched directly from nodes running software R7.0 or R7.2, Cisco recommends JRE 1.4.2 or JRE 5.0. If CTC must be launched directly from nodes running software R5.0 or R6.0, Cisco recommends JRE 1.4.2. If CTC must be launched directly from nodes running software earlier than R5.0, Cisco recommends JRE 1.3.1_02.
Web browser | For the PC, use JRE 5.0 or JRE 1.6 with any supported web browser. For UNIX, use JRE 5.0 with Netscape 7.x or JRE 1.3.1_02 with Netscape 4.76. | The supported browser can be downloaded from the Web.
Cable | User-supplied CAT-5 straight-through cable with RJ-45 connectors on each end to connect the computer to the ONS 15310-CL or ONS 15310-MA directly or through a LAN | —

8.4 ONS 15454 Connection

You can connect to the ONS 15454 in multiple ways. You can connect your PC directly to the ONS 15454 (local craft connection) using the RJ-45 port on the TCC2/TCC2P card or the LAN pins on the backplane, connect your PC to a hub or switch that is connected to the ONS 15454, connect to the ONS 15454 through a LAN or modem, or establish TL1 connections from a PC or TL1 terminal. Table 8-3 lists the ONS 15454 connection methods and requirements.

Table 8-3 ONS 15454 Connection Methods
Method | Description | Requirements
Local craft | Refers to onsite network connections between the CTC computer and the ONS 15454 using one of the following: the RJ-45 (LAN) port on the TCC2/TCC2P card; the LAN pins on the ONS 15454 backplane; a hub or switch to which the ONS 15454 is connected. | If you do not use Dynamic Host Configuration Protocol (DHCP), you must change the computer IP address, subnet mask, and default router, or use automatic host detection.
Corporate LAN | Refers to a connection to the ONS 15454 through a corporate or network operations center (NOC) LAN. | The ONS 15454 must be provisioned for LAN connectivity, including IP address, subnet mask, and default gateway. The ONS 15454 must be physically connected to the corporate LAN. The CTC computer must be connected to the corporate LAN that has connectivity to the ONS 15454.
TL1 | Refers to a connection to the ONS 15454 using TL1 rather than CTC. TL1 sessions can be started from CTC, or you can use a TL1 terminal. The physical connection can be a craft connection, corporate LAN, or a TL1 terminal. | Refer to the Cisco ONS SONET TL1 Reference Guide.
Remote | Refers to a connection made to the ONS 15454 using a modem. | A modem must be connected to the ONS 15454. The modem must be provisioned for the ONS 15454. To run CTC, the modem must be provisioned for Ethernet access.

8.5 CTC Login

After you have installed CTC, you can log in to a node using your browser. To log in, you must type the node IP address in the URL window. The CTC Login window appears. The CTC Login window provides the following options to accelerate the login process.
• The Disable Network Discovery option omits the discovery of nodes with data communications channel (DCC) connectivity. To access all nodes with DCC connectivity, make sure that Disable Network Discovery is not checked. If you have network discovery disabled, CTC will not poll the network for more recent versions of the software. (For more information about the automatic download of the latest CTC JAR files, see the “8.1.2 CTC Software Installed on the PC or UNIX Workstation” section on page 8-3.)
• The Disable Circuit Management option omits the discovery of circuits. To view circuits immediately after logging in, make sure that Disable Circuit Management is not checked. However, if disabled, after you have logged in you can click the Circuits tab and CTC will give you the option to enable circuit management.

These options are useful if you want to log in to a node to perform a single task, such as placing a card in or out of service, and do not want to wait while CTC discovers DCC connections and circuits.

8.5.1 Legal Disclaimer

The CTC Login window currently displays the following warning message: “Warning: This system is restricted to authorized users for business purpose. Unauthorized access is a violation of the law. This service can be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.” The ONS 15600 allows a user with Superuser privileges to modify the default login warning message and save it to a node using the Provisioning > Security > Legal Disclaimer > HTML tab.
The login warning message field allows up to 250 characters of text (1600 characters total, including HTML markup).

8.5.2 Login Node Group

Login node groups display nodes that have only an IP connection. After you are logged into CTC, you can create a login node group from the Edit > Preferences menu. Login groups appear in the Additional Nodes list on the Login window. For example, if you logged into Node 1, you would see Node 2 and Node 3 because they have DCC connectivity to Node 1. You would not see Nodes 4, 5, and 6 because DCC connections do not exist. To view all six nodes at once, you create a login node group with the IP addresses of Nodes 1, 4, 5, and 6. Those nodes, and all nodes optically connected to them, appear when you select the login group from the Additional Nodes list on the Login window the next time you log in.

8.6 CTC Window

The CTC window appears after you log into an ONS 15454 (Figure 8-3). The window includes a menu bar, a toolbar, and a top and bottom pane. The top pane provides status information about the selected objects and a graphic of the current view. The bottom pane provides tabs and subtabs to view ONS 15454 information and perform ONS 15454 provisioning and maintenance. From this window you can display three ONS 15454 views: network, node, and card.

Figure 8-3 Node View (Default Login View)

8.6.1 Node View

Node view, shown in Figure 8-3, is the first view that appears after you log into an ONS 15454. The login node is the first node shown, and it is the “home view” for the session. Node view allows you to manage one ONS 15454 node.
The status area shows the node name; IP address; session boot date and time; number of Critical (CR), Major (MJ), and Minor (MN) alarms; the name of the current logged-in user; the security level of the user; software version; and the network element default setup.

8.6.1.1 CTC Card Colors

The graphic area of the CTC window depicts the ONS 15454 shelf assembly. The colors of the cards in the graphic reflect the real-time status of the physical card and slot (Table 8-4).

Table 8-4 Node View Card Colors
Card Color | Status
Gray | Slot is not provisioned; no card is installed.
Violet | Slot is provisioned; no card is installed.
White | Slot is provisioned; a functioning card is installed.
Yellow | Slot is provisioned; a Minor alarm condition exists.
Orange | Slot is provisioned; a Major alarm condition exists.
Red | Slot is provisioned; a Critical alarm exists.

The wording on a card in node view shows the status of a card (Active, Standby, Loading, or Not Provisioned). Table 8-5 lists the card statuses. The port color in both card and node view indicates the port service state. Table 8-6 lists the port colors and their service states. For more information about port service states, see Appendix B, “Administrative and Service States.”

Table 8-5 Node View Card Statuses
Card Status | Description
Sby | Card is in standby mode.
Act | Card is active.
NP | Card is not present.
Ldg | Card is resetting.
Mis | Card is mismatched.

Table 8-6 Node View Card Port Colors and Service States
Port Color | Service State | Description
Blue | OOS-MA,LPBK (Out-of-Service and Management, Loopback) | Port is in a loopback state. On the card in node view, a line between ports indicates that the port is in terminal or facility loopback (see Figure 8-4 on page 8-12 and Figure 8-5 on page 8-12). Traffic is carried and alarm reporting is suppressed. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command.
Blue | OOS-MA,MT (Out-of-Service and Management, Maintenance) | Port is out-of-service for maintenance. Traffic is carried and loopbacks are allowed. Alarm reporting is suppressed. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. Use OOS-MA,MT for testing or to suppress alarms temporarily. Change the state to IS-NR, OOS-MA,DSBLD, or OOS-AU,AINS when testing is complete.
Gray | OOS-MA,DSBLD (Out-of-Service and Management, Disabled) | The port is out-of-service and unable to carry traffic. Loopbacks are not allowed in this service state.
Green | IS-NR (In-Service and Normal) | The port is fully operational and performing as provisioned. The port transmits a signal and displays alarms; loopbacks are not allowed.
Violet | OOS-AU,AINS (Out-of-Service and Autonomous, Automatic In-Service) | The port is out-of-service, but traffic is carried. Alarm reporting is suppressed. The node monitors the ports for an error-free signal. After an error-free signal is detected, the port stays in OOS-AU,AINS state for the duration of the soak period. After the soak period ends, the port service state changes to IS-NR. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command. The AINS port will automatically transition to IS-NR when a signal is received for the length of time provisioned in the soak field.

Figure 8-4 Terminal Loopback Indicator

Figure 8-5 Facility Loopback Indicator

8.6.1.2 Node View Card Shortcuts

If you move your mouse over cards in the graphic, popups display additional information about the card including the card type; the card status (active or standby); the type of alarm, such as Critical, Major, or Minor (if any); and the alarm profile used by the card. Right-click a card to reveal a shortcut menu, which you can use to open, reset, delete, or change a card. Right-click a slot to preprovision a card (that is, provision a slot before installing the card).

8.6.1.3 Node View Tabs

Table 8-7 lists the tabs and subtabs available in the node view.

Table 8-7 Node View Tabs and Subtabs
Tab | Description | Subtabs
Alarms | Lists current alarms (CR, MJ, MN) for the node and updates them in real time. | —
Conditions | Displays a list of standing conditions on the node. | —
History | Provides a history of node alarms including date, type, and severity of each alarm. The Session subtab displays alarms and events for the current session. The Node subtab displays alarms and events retrieved from a fixed-size log on the node. | Session, Shelf
Circuits | Creates, deletes, edits, and maps circuits and rolls. | Circuits, Rolls
Provisioning | Provisions the ONS 15454 node. | General, Ether Bridge, Network, OSI, BLSR, Protection, Security, SNMP, Comm Channels, Timing, Alarm Profiles, Cross-Connect, Defaults, WDM-ANS
Inventory | Provides inventory information (part number, serial number, Common Language Equipment Identification [CLEI] codes) for cards installed in the node. Allows you to delete and reset cards, and change card service state. For more information on card service states, see Appendix B, “Administrative and Service States.” | —
Maintenance | Performs maintenance tasks for the node. | Database, Ether Bridge, Network, OSI, BLSR, Protection, Software, Cross-Connect, Overhead XConnect, Diagnostic, Timing, Audit, Test Access, DWDM

8.6.2 Network View

Network view allows you to view and manage ONS 15454s that have DCC connections to the node that you logged into and any login node groups you have selected (Figure 8-6).

Figure 8-6 Network in CTC Network View
(Figure callouts: bold letters indicate the login node, an asterisk indicates the topology host, icon color indicates node status, and dots indicate the selected node.)

Note: Nodes with DCC connections to the login node do not appear if you checked the Disable Network Discovery check box in the Login dialog box.

The graphic area displays a background image with colored ONS 15454 icons. A Superuser can set up the logical network view feature, which enables each user to see the same network view. Selecting a node or span in the graphic area displays information about the node and span in the status area.

8.6.2.1 Network View Tabs

Table 8-8 lists the tabs and subtabs available in network view.

Table 8-8 Network View Tabs and Subtabs
Tab | Description | Subtabs
Alarms | Lists current alarms (CR, MJ, MN) for the network and updates them in real time. | —
Conditions | Displays a list of standing conditions on the network. | —
History | Provides a history of network alarms including date, type, and severity of each alarm. | —
Circuits | Creates, deletes, edits, filters, and searches for network circuits and rolls. | Circuits, Rolls
Provisioning | Provisions security, alarm profiles, bidirectional line switched rings (BLSRs), overhead circuits, server trails, and loads/manages a VLAN database. | Security, Alarm Profiles, BLSR, Overhead Circuits, Server Trails, VLAN DB Profile
Maintenance | Displays the working and protect software versions and allows software to be downloaded, retrieves Open Shortest Path First (OSPF) node information, and displays the list of automatic power control (APC) domains for a network. | Software, Diagnostic, APC

8.6.2.2 CTC Node Colors

The color of a node in network view, shown in Table 8-9, indicates the node alarm status.

Table 8-9 Node Status Shown in Network View
Color | Alarm Status
Green | No alarms
Yellow | Minor alarms
Orange | Major alarms
Red | Critical alarms
Gray with Unknown# | Node initializing for the first time (CTC displays Unknown# because CTC has not discovered the name of the node yet)

8.6.2.3 DCC Links

The lines show DCC connections between the nodes (Table 8-10). DCC connections can be green (active) or gray (fail). The lines can also be solid (circuits can be routed through this link) or dashed (circuits cannot be routed through this link). Circuit provisioning uses active/routable links.

Table 8-10 DCC Colors Indicating State in Network View
Color and Line Style | State
Green and solid | Active/Routable
Green and dashed | Active/Nonroutable
Gray and solid | Failed/Routable
Gray and dashed | Failed/Nonroutable

8.6.2.4 Link Consolidation

CTC provides the ability to consolidate the DCC, general communications channel (GCC), optical transport section (OTS), provisionable patchcord (PPC), and server trail links shown in the network view. Link consolidation allows you to condense multiple inter-nodal links into a single link. The link consolidation sorts links by class; for example, all DCC links are consolidated together. You can access individual links within consolidated links using the right-click shortcut menu. Each link has an associated icon (Table 8-11).

Table 8-11 Link Icons (icon images not reproduced)
Icon | Description
(icon) | DCC icon
(icon) | GCC icon
(icon) | OTS icon
(icon) | PPC icon
(icon) | Server Trail icon

Note: Link consolidation is only available on non-detailed maps. Non-detailed maps display nodes in icon form instead of detailed form, meaning the nodes appear as rectangles with ports on the sides. Refer to the Cisco ONS 15454 Procedure Guide for more information about consolidated links.

8.6.3 Card View

The card view provides information about individual ONS 15454 cards. Use this window to perform card-specific maintenance and provisioning (Figure 8-7). A graphic showing the ports on the card is shown in the graphic area. The status area displays the node name, slot, number of alarms, card type, equipment type, the card status (active or standby), card service state if the card is present, and port service state (described in Table 8-6 on page 8-11). The information that appears and the actions you can perform depend on the card. For more information about card service states, see Appendix B, “Administrative and Service States.”

Figure 8-7 CTC Card View Showing a DS1 Card

Note: CTC provides a card view for all ONS 15454 cards except the TCC2, TCC2P, XCVT, XC10G, and XC-VXC-10G cards. Provisioning for these common control cards occurs at the node view; therefore, no card view is necessary.

Use the card view tabs and subtabs shown in Table 8-12 to provision and manage the ONS 15454. The subtabs, fields, and information shown under each tab depend on the card type selected. The Performance tab is not available for the Alarm Interface Controller-International (AIC-I) cards.

Table 8-12 Card View Tabs and Subtabs
Tab | Description | Subtabs
Alarms | Lists current alarms (CR, MJ, MN) for the card and updates them in real time. | —
Conditions | Displays a list of standing conditions on the card. | —
History | Provides a history of card alarms including date, object, port, and severity of each alarm. | Session (displays alarms and events for the current session), Card (displays alarms and events retrieved from a fixed-size log on the card)
Circuits | Creates, deletes, edits, and searches circuits and rolls. | Circuits, Rolls
Provisioning | Provisions an ONS 15454 card. | DS-N and OC-N cards: Line, Line Thresholds (different threshold options are available for electrical and optical cards), Elect Path Thresholds, SONET Thresholds, Alarm Profiles. Ethernet cards (subtabs depend on the card type): Line, Line Thresholds, Electrical Path Thresholds, SONET Thresholds, Port, RMON Thresholds, VLAN, Card, Alarm Profiles
Maintenance | Performs maintenance tasks for the card. | DS-N and OC-N cards: Loopback, ALS, Info, Protection, Path Trace, Bandwidth, AINS Soak. Ethernet cards (subtabs depend on the card type): Path Trace, Loopback, Allocation, AINS Soak, Ether Port Soak, RPR Span Soak
Performance | Performs performance monitoring for the card. | DS-N and OC-N cards: no subtabs. Ethernet cards: Statistics, Utilization, History
Inventory | Displays an Inventory screen of the ports (TXP and MXP cards only). | —

8.6.4 Print or Export CTC Data

You can use the File > Print or File > Export options to print or export CTC provisioning information for record keeping or troubleshooting. The functions can be performed in card, node, or network views. The File > Print function sends the data to a local or network printer. File > Export exports the data to a file where it can be imported into other computer applications, such as spreadsheets and database management programs. Whether you choose to print or export data, you can choose from the following options:
• Entire frame—Prints or exports the entire CTC window including the graphical view of the card, node, or network. This option is available for all windows.
• Tabbed view—Prints or exports the lower half of the CTC window containing tabs and data. The printout includes the selected tab (on top) and the data shown in the tab window. For example, if you print the History window Tabbed view, you print only history items appearing in the window. This option is available for all windows.
• Table Contents—Prints or exports CTC data in table format without graphical representations of shelves, cards, or tabs. The Table Contents option prints all the data contained in a table with the same column headings. For example, if you print the History window Table Contents view, you print all data included in the table whether or not items appear in the window.

The Table Contents option does not apply to all windows; for a list of windows that do not support print or export, see the Cisco ONS 15454 Procedure Guide.

8.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes

The CTC Launcher application is an executable file, StartCTC.exe, that is provided on Software Release 9.1, 9.2, and 9.2.1 CDs for Cisco ONS products. You can use CTC Launcher to log into multiple ONS nodes that are running CTC Software Release 3.3 or higher, without using a web browser. CTC Launcher provides two connection options.
The first option is used to connect to ONS network elements (NEs) that have an IP connection to the CTC computer. The second option is used to connect to ONS NEs that reside behind third-party, OSI-based gateway network elements (GNEs). For this option, CTC Launcher creates a TL1 tunnel to transport the TCP traffic through the OSI-based GNE. The TL1 tunnel transports the TCP traffic to and from ONS ENEs through the OSI-based GNE.

TL1 tunnels are similar to the existing static IP-over-CLNS tunnels, GRE and Cisco IP, that can be created at ONS NEs using CTC. (Refer to the Cisco ONS product documentation for information about static IP-over-CLNS tunnels.) However, unlike the static IP-over-CLNS tunnels, TL1 tunnels require no provisioning at the ONS ENE, the third-party GNE, or DCN routers. All provisioning occurs at the CTC computer when the CTC Launcher is started.

Figure 8-8 shows examples of two static IP-over-CLNS tunnels. A static Cisco IP tunnel is created from ENE 1 through other vendor GNE 1 to a DCN router, and a static GRE tunnel is created from ONS ENE 2 to the other vendor GNE 2. For both static tunnels, provisioning is required on the ONS ENEs. In addition, a Cisco IP tunnel must be provisioned on the DCN router and a GRE tunnel provisioned on GNE 2.

Figure 8-8 Static IP-Over-CLNS Tunnels
[Figure; labels: Central office (IP + OSI), IP DCN, CTC, Other vendor GNE 1, Other vendor GNE 2, ONS ENE 1, ONS ENE 2, two IP-over-CLNS tunnels, OSI/DCC and IP/DCC links, tunnel provisioning at four points]

Figure 8-9 shows the same network using TL1 tunnels. Tunnel provisioning occurs at the CTC computer when the tunnel is created with the CTC Launcher. No provisioning is needed at ONS NEs, GNEs, or routers.

Figure 8-9 TL1 Tunnels
[Figure; labels: Central office (IP + OSI), IP DCN, CTC, Other vendor GNE 1, Other vendor GNE 2, ONS ENE 1, ONS ENE 2, two TL1 tunnels, OSI/DCC and IP/DCC links, tunnel provisioning at the CTC computer only]

TL1 tunnels provide several advantages over static IP-over-CLNS tunnels. Because tunnel provisioning is needed only at the CTC computer, they are faster to set up. Because they use TL1 for TCP transport, they are more secure. TL1 tunnels also provide better flow control. On the other hand, IP-over-CLNS tunnels require less overhead and usually provide a slight performance edge over TL1 tunnels (depending on network conditions). TL1 tunnels do not support all IP applications, such as SNMP and RADIUS authentication. Table 8-13 shows a comparison between the two types of tunnels.

Table 8-13 TL1 and Static IP-Over-CLNS Tunnels Comparison

Category | Static IP-Over-CLNS | TL1 Tunnel | Comments
Setup | Complex | Simple | Static IP-over-CLNS tunnels require provisioning at the ONS NE, GNE, and DCN routers. For TL1 tunnels, provisioning is needed only at the CTC computer.
Performance | Best | Average to good | Static tunnels generally provide better performance than TL1 tunnels, depending on the TL1 encoding used. LV+Binary provides the best performance. Other encodings produce slightly slower TL1 tunnel performance.
Support all IP applications | Yes | No | TL1 tunnels do not support SNMP or RADIUS Server IP applications.
ITU Standard | Yes | No | Only the static IP-over-CLNS tunnels meet ITU standards. TL1 tunnels are new.
Tunnel traffic control | Good | Very good | Both tunnel types provide good traffic control.
Security setup | Complex | No setup needed | Static IP-over-CLNS tunnels require careful planning. Because TL1 tunnels are carried by TL1, no security provisioning is needed.
Potential to breach DCN from DCC using IP | Possible | Not possible | A potential exists to breach a DCN from a DCC using IP. This potential does not exist for TL1 tunnels.
IP route management | Expensive | Automatic | For static IP-over-CLNS tunnels, route changes require manual provisioning at network routers, GNEs, and ENEs. For TL1 tunnels, route changes are automatic.
Flow control | Weak | Strong | TL1 tunnels provide the best flow control.
Bandwidth sharing among multiple applications | Weak | Best | —
Tunnel lifecycle | Fixed | CTC session | TL1 tunnels are terminated when the CTC session ends. Static IP-over-CLNS tunnels exist until they are deleted in CTC.

TL1 tunnel specifications and general capabilities include:

• Each tunnel generally supports between six and eight ENEs, depending on the number of tunnels at the ENE.
• Each CTC session can support up to 32 tunnels.
• The TL1 tunnel database is stored locally in the CTC Preferences file.
• Automatic tunnel reconnection when the tunnel goes down.
• Each ONS NE can support at least 16 concurrent tunnels.

8.8 TCC2/TCC2P Card Reset

You can reset the ONS 15454 TCC2/TCC2P card by using CTC (a soft reset) or by physically reseating a TCC2/TCC2P card (a hard reset). A soft reset reboots the TCC2/TCC2P card and reloads the operating system and the application software. A hard reset additionally removes power from the TCC2/TCC2P card temporarily and clears all buffer memory. You can apply a soft reset from CTC to either an active or standby TCC2/TCC2P card without affecting traffic. If you need to perform a hard reset on an active TCC2/TCC2P card, put the TCC2/TCC2P card into standby mode first by performing a soft reset.

Note: When a CTC reset is performed on an active TCC2/TCC2P card, the AIC-I cards go through an initialization process and also reset, because AIC-I cards are controlled by the active TCC2/TCC2P.

8.9 TCC2/TCC2P Card Database

When dual TCC2/TCC2P cards are installed in the ONS 15454, each TCC2/TCC2P card hosts a separate database; therefore, the protect card database is available if the database on the working TCC2/TCC2P fails. You can also store a backup version of the database on the workstation running CTC. This operation should be part of a regular ONS 15454 maintenance program at approximately weekly intervals, and should also be completed when preparing an ONS 15454 for a pending natural disaster, such as a flood or fire.

A database backup may be restored in two ways, partial or complete. A partial database restore operation restores only the provisioning data. A complete database restore operation restores both system and provisioning data. For more information on restoring a database, refer to the Cisco ONS 15454 Procedure Guide.

Note: The following parameters are not backed up and restored: node name, IP address, mask and gateway, and Internet Inter-ORB Protocol (IIOP) port. If you change the node name and then restore a backed-up database with a different node name, the circuits map to the new node name. Cisco recommends keeping a record of the old and new node names.

Note: To avoid a node IP and secure IP ending up in the same domain after restoring a database, ensure that the node IP stored in the database differs in domain from that of the node in repeater mode.
Also, after restoring a database, ensure that the node IP and secure IP differ in domain.

8.10 Software Revert

When you click the Activate button after a software upgrade, the TCC2/TCC2P copies the current working database and saves it in a reserved location in the TCC2/TCC2P flash memory. If you later need to revert to the original working software load from the protect software load, the saved database installs automatically. You do not need to restore the database manually or recreate circuits.

Note: The TCC2/TCC2P card does not carry any software earlier than Software R4.0. You will not be able to revert to a software release earlier than Software R4.0 with TCC2/TCC2P cards installed.

The revert feature is useful if a maintenance window closes while you are upgrading CTC software. You can revert to the protect software load without losing traffic. When the next maintenance window opens, complete the upgrade and activate the new software load.

Circuits created and provisioning done after a software load is activated (upgraded to a higher software release) will be lost with a revert. The database configuration at the time of activation is reinstated after a revert. This does not apply to maintenance reverts (for example, 4.6.2 to 4.6.1), because maintenance releases use the same database.

To perform a supported (non-service-affecting) revert from Software R9.1 and R9.2, the release you want to revert to must have been working at the time you first activated Software R9.1 and R9.2 on that node. Because a supported revert automatically restores the node configuration at the time of the previous activation, any configuration changes made after activation will be lost when you revert the software. Downloading R9.1 and R9.2 a second time after you have activated the new load ensures that no actual revert to a previous load can take place (the TCC2/TCC2P card will reset, but the reset will not be traffic affecting and will not change your database).

Chapter 9 Security

This chapter provides information about Cisco ONS 15454 users and security. To provision security, refer to the Cisco ONS 15454 Procedure Guide. Chapter topics include:

• 9.1 User IDs and Security Levels, page 9-1
• 9.2 User Privileges and Policies, page 9-1
• 9.3 Audit Trail, page 9-9
• 9.4 RADIUS Security, page 9-10

9.1 User IDs and Security Levels

The CISCO15 user ID is provided with the ONS 15454 for initial login to the node, but this user ID is not supplied in the prompt when you sign into Cisco Transport Controller (CTC). This ID can be used to set up other ONS 15454 user IDs. You can have up to 500 user IDs on one ONS 15454. Each CTC or Transaction Language One (TL1) user can be assigned one of the following security levels:

• Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.
• Maintenance—Users can access only the ONS 15454 maintenance options.
• Provisioning—Users can access provisioning and maintenance options.
• Superuser—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.

See Table 9-3 on page 9-8 for idle user timeout information for each security level.

By default, multiple concurrent user ID sessions are permitted on the node; that is, multiple users can log into a node using the same user ID. However, you can provision the node to allow only a single login per user ID and prevent concurrent logins for all users.
9.2 User Privileges and Policies

This section lists user privileges for each CTC action and describes the security policies available to Superusers for provisioning.

9.2.1 User Privileges by CTC Action

Table 9-1 shows the actions that each user privilege level can perform in node view.

Table 9-1 ONS 15454 Security Levels—Node View

CTC Tab | Subtab | [Subtab]: Actions | Retrieve | Maintenance | Provisioning | Superuser
Alarms | — | Synchronize/Filter/Delete Cleared Alarms | X | X | X | X
Conditions | — | Retrieve/Filter | X | X | X | X
History | Session | Filter | X | X | X | X
History | Shelf | Retrieve/Filter | X | X | X | X
Circuits | Circuits | Create/Delete | — | — | X | X
Circuits | Circuits | Edit/Filter/Search | X | X | X | X
Circuits | Rolls | Complete/Force Valid Signal/Finish | — | — | X | X
Provisioning | General | General: Edit | — | — | Partial (1) | X
Provisioning | General | Multishelf Config: Edit | — | — | — | —
Provisioning | General | Power Monitor: Edit | — | — | X | X
Provisioning | EtherBridge | Spanning trees: Edit | — | — | X | X
Provisioning | Network | General: Edit | — | — | — | X
Provisioning | Network | Static Routing: Create/Edit/Delete | — | — | X | X
Provisioning | Network | OSPF: Create/Edit/Delete | — | — | X | X
Provisioning | Network | RIP: Create/Edit/Delete | — | — | X | X
Provisioning | Network | Proxy: Create/Edit/Delete | — | — | — | X
Provisioning | Network | Firewall: Create/Edit/Delete | — | — | — | X
Provisioning | OSI | Main Setup: Edit | — | — | — | X
Provisioning | OSI | TARP: Config: Edit | — | — | — | X
Provisioning | OSI | TARP: Static TDC: Add/Edit/Delete | — | — | X | X
Provisioning | OSI | TARP: MAT: Add/Edit/Remove | — | — | X | X
Provisioning | OSI | Routers: Setup: Edit | — | — | — | X
Provisioning | OSI | Routers: Subnets: Edit/Enable/Disable | — | — | X | X
Provisioning | OSI | Tunnels: Create/Edit/Delete | — | — | X | X
Provisioning | BLSR | Create/Edit/Delete/Upgrade | — | — | X | X
Provisioning | BLSR | Ring Map/Squelch Table/RIP Table | X | X | X | X
Provisioning | Protection | Create/Edit/Delete | — | — | X | X
Provisioning | Security | Users: Create/Delete/Clear Security Intrusion Alarm | — | — | — | X
Provisioning | Security | Users: Edit | Same user | Same user | Same user | All users
Provisioning | Security | Active Logins: View/Logout/Retrieve Last Activity Time | — | — | — | X
Provisioning | Security | Policy: Edit/View (Prevent superuser disable - NE default) | — | — | — | X
Provisioning | Security | Access: Edit/View | — | — | — | X
Provisioning | Security | RADIUS Server: Create/Edit/Delete/Move Up/Move Down/View | — | — | — | X
Provisioning | Security | Legal Disclaimer: Edit | — | — | — | X
Provisioning | SNMP | Create/Edit/Delete | — | — | X | X
Provisioning | SNMP | Browse trap destinations | X | X | X | X
Provisioning | Comm Channels | SDCC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | LDCC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | GCC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | OSC: OSC Terminations: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | PPC: Create/Edit/Delete | — | — | X | X
Provisioning | Comm Channels | LMP: General/TE Links/Data Links | X | X | X | X
Provisioning | Comm Channels | LMP: Control Channels | — | — | — | X
Provisioning | Timing | General: Edit | — | — | X | X
Provisioning | Timing | BITS Facilities: Edit | — | — | X | X
Provisioning | Alarm Profiles | Alarm Behavior: Edit | — | — | X | X
Provisioning | Alarm Profiles | Alarm Profile Editor: Store/Delete (2) | — | — | X | X
Provisioning | Alarm Profiles | Alarm Profile Editor: New/Load/Compare/Available/Usage | X | X | X | X
Provisioning | Cross-Connect | Edit | — | — | X | X
Provisioning | Defaults | Edit/Import | — | — | — | X
Provisioning | Defaults | Reset/Export | X | X | X | X
Provisioning | WDM-ANS | Provisioning: Edit | — | — | — | X
Provisioning | WDM-ANS | Provisioning: Reset | X | X | X | X
Provisioning | WDM-ANS | Internal Patchcords: Create/Edit/Delete/Commit/Default Patchcords | — | — | X | X
Provisioning | WDM-ANS | Port Status: Launch ANS | — | — | — | X
Provisioning | WDM-ANS | Node Setup | X | X | X | X
Provisioning | WDM-ANS | Optical Side: Create/Edit/Delete | X | X | X | X
Inventory | — | Delete | — | — | X | X
Inventory | — | Reset | — | X | X | X
Maintenance | Database | Backup | — | X | X | X
Maintenance | Database | Restore | — | — | — | X
Maintenance | EtherBridge | Spanning Trees | X | X | X | X
Maintenance | EtherBridge | MAC Table: Retrieve | X | X | X | X
Maintenance | EtherBridge | MAC Table: Clear/Clear All | — | X | X | X
Maintenance | EtherBridge | Trunk Utilization: Refresh | X | X | X | X
Maintenance | EtherBridge | Circuits: Refresh | X | X | X | X
Maintenance | Network | Routing Table: Retrieve | X | X | X | X
Maintenance | Network | RIP Routing Table: Retrieve | X | X | X | X
Maintenance | OSI | IS-IS RIB: Refresh | X | X | X | X
Maintenance | OSI | ES-IS RIB: Refresh | X | X | X | X
Maintenance | OSI | TDC: TID to NSAP/Flush Dynamic Entries | — | X | X | X
Maintenance | OSI | TDC: Refresh | X | X | X | X
Maintenance | BLSR | Edit/Reset | — | X | X | X
Maintenance | Protection | Switch/Lock out/Lockon/Clear/Unlock | — | X | X | X
Maintenance | Software | Download/Cancel | — | X | X | X
Maintenance | Software | Activate/Revert | — | — | — | X
Maintenance | Cross-Connect | Cards: Switch/Lock/Unlock | — | X | X | X
Maintenance | Cross-Connect | Resource Usage: Delete | — | — | X | X
Maintenance | Overhead XConnect | View | X | X | X | X
Maintenance | Diagnostic | Retrieve Tech Support Log / Node Diagnostic Logs (Release 9.2 and later releases) | — | — | X | X
Maintenance | Diagnostic | Lamp Test | — | X | X | X
Maintenance | Timing | Source: Edit | — | X | X | X
Maintenance | Timing | Report: View/Refresh | X | X | X | X
Maintenance | Audit | Retrieve | — | — | — | X
Maintenance | Audit | Archive | — | — | X | X
Maintenance | Test Access | View | X | X | X | X
Maintenance | DWDM | APC: Run/Disable/Refresh | — | X | X | X
Maintenance | DWDM | WDM Span Check: Edit/Retrieve Span Loss values/Reset | X | X | X | X
Maintenance | DWDM | ROADM Power Monitoring: Refresh | X | X | X | X
Maintenance | DWDM | PP-MESH Internal Patchcord: Refresh | X | X | X | X
Maintenance | DWDM | Install Without Metro Planner: Retrieve Installation values | X | X | X | X
Maintenance | DWDM | All Facilities: Mark/Refresh | X | X | X | X

1. A Provisioning user cannot change the node name, contact, location, or AIS-V insertion on STS-1 signal degrade (SD) parameters.
2. The action buttons in the subtab are active for all users, but the actions can be completely performed only by users with the required security levels.

Table 9-2 shows the actions that each user privilege level can perform in network view.

Table 9-2 ONS 15454 Security Levels—Network View

CTC Tab | Subtab | [Subtab]: Actions | Retrieve | Maintenance | Provisioning | Superuser
Alarms | — | Synchronize/Filter/Delete cleared alarms | X | X | X | X
Conditions | — | Retrieve/Filter | X | X | X | X
History | — | Filter | X | X | X | X
Circuits | Circuits | Create/Edit/Delete | — | — | X | X
Circuits | Circuits | Filter/Search | X | X | X | X
Circuits | Rolls | Complete, Force Valid Signal, Finish | — | — | X | X
Provisioning | Security | Users: Create/Delete | — | — | — | X
Provisioning | Security | Users: Edit | Same user | Same user | Same user | All users
Provisioning | Security | Active logins: Logout/Retrieve Last Activity Time | — | — | — | X
Provisioning | Security | Policy: Change | — | — | — | X
Provisioning | Alarm Profiles | Store/Delete (1) | — | — | X | X
Provisioning | Alarm Profiles | New/Load/Compare/Available/Usage | X | X | X | X
Provisioning | BLSR | Create/Delete/Edit/Upgrade | — | — | X | X
Provisioning | Overhead Circuits | Create/Delete/Edit/Merge | — | — | X | X
Provisioning | Overhead Circuits | Search | X | X | X | X
Provisioning | Provisionable Patchcords (PPC) | Create/Edit/Delete | — | — | X | X
Provisioning | Server Trails | Create/Edit/Delete | — | — | X | X
Provisioning | VLAN DB Profile | Load/Store/Merge/Circuits | X | X | X | X
Maintenance | Software | Download/Cancel | — | X | — | X
Maintenance | Diagnostic | OSPF Node Information: Retrieve/Clear | X | X | X | X
Maintenance | APC | Run APC/Disable APC | — | — | — | X
Maintenance | APC | Refresh | X | X | X | X

1. The action buttons in the subtab are active for all users, but the actions can be completely performed only by users with the required security levels.

9.2.2 Security Policies

Users with Superuser security privileges can provision security policies on the ONS 15454. These security policies include idle user timeouts, password changes, password aging, and user lockout parameters. In addition, a Superuser can access the ONS 15454 through the TCC2/TCC2P RJ-45 port, the backplane LAN connection, or both. If enabled in the NE defaults, Superusers can be configured to override the inactive user timeout interval.

9.2.2.1 Superuser Privileges for Provisioning Users

Superusers can grant permission to Provisioning users to retrieve audit logs, restore databases, clear performance monitoring (PM) parameters, activate software loads, and revert software loads. These privileges can only be set using CTC network element (NE) defaults, except the PM clearing privilege, which can be granted to a Provisioning user using the CTC Provisioning > Security > Access tabs. For more information about setting up Superuser privileges, refer to the Cisco ONS 15454 Procedure Guide.

9.2.2.2 Idle User Timeout

Each ONS 15454 CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window is locked. The lockouts prevent unauthorized users from making changes. Higher-level users have shorter default idle periods and lower-level users have longer or unlimited default idle periods, as shown in Table 9-3. The user idle period can be modified by a Superuser; refer to the Cisco ONS 15454 Procedure Guide for instructions.

9.2.2.3 User Password, Login, and Access Policies

Superusers can view real-time lists of users who are logged into CTC or TL1 by node. Superusers can also provision the following password, login, and node access policies:

• Password length, expiration, and reuse—Superusers can configure the password length using NE defaults. The password length, by default, is set to a minimum of six and a maximum of 20 characters.
You can configure the default values in CTC node view with the Provisioning > Defaults > Node > Security > Password Complexity tabs. The minimum length can be set to eight, ten, or twelve characters, and the maximum length to 80 characters. The password must be a combination of alphanumeric (a-z, A-Z, 0-9) and special (+, #, %) characters, where at least two characters are nonalphabetic and at least one character is a special character. Superusers can specify when users must change and when they can reuse their passwords.
• Locking out and disabling users—Superusers can provision the number of invalid logins that are allowed before locking out users and the length of time before inactive users are disabled.
• Node access and user sessions—Superusers can limit the number of CTC sessions a user login can have to just one session. Superusers can also prohibit access to the ONS 15454 using the LAN or TCC2/TCC2P RJ-45 connections. In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. SSH is a terminal-to-remote-host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecure channels. Port 22 is the default port and cannot be changed. A Superuser can also configure the EMS and TL1 access states to secure and non-secure modes.

9.2.2.4 Secure Access

Secure access is based on the SSH and SSL protocols. Secure access can be enabled for EMS (applicable to CTC). When access is set to secure, CTC provides enhanced SFTP and SSH security when communicating with the node. For more information on how to enable EMS secure access, refer to the Cisco ONS 15454 Procedure Guide for instructions.
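The password-complexity rules above (length limits, the allowed character set, at least two nonalphabetic and at least one special character) are easy to get subtly wrong when screening candidate passwords before provisioning. The following is an added example, not Cisco code, that checks a password against those rules; it assumes that +, # and % are the only special characters accepted, since those are the ones the text names.

```python
"""Check a candidate password against the ONS 15454 policy in 9.2.2.3.

Added example, not Cisco/ONS 15454 code; assumptions are marked below.
"""
import re

# Assumption: the text names +, # and % as the special characters, so only
# these three are accepted here. Adjust if your NE defaults permit more.
SPECIAL_CHARS = "+#%"
ALLOWED_RE = re.compile(r"^[A-Za-z0-9+#%]+$")

# Length limits stated in the text: default minimum 6 and maximum 20; the
# minimum can be raised to 8, 10 or 12 and the maximum to 80.
DEFAULT_MIN, DEFAULT_MAX = 6, 20
CONFIGURABLE_MIN = (8, 10, 12)
ABSOLUTE_MAX = 80


def validate_policy(min_length, max_length):
    """Reject length settings that the password-complexity defaults do not offer."""
    if min_length != DEFAULT_MIN and min_length not in CONFIGURABLE_MIN:
        raise ValueError("minimum length must be 6 (default), 8, 10 or 12")
    if max_length > ABSOLUTE_MAX or max_length < min_length:
        raise ValueError("maximum length must be between the minimum and 80")


def check_password(password, min_length=DEFAULT_MIN, max_length=DEFAULT_MAX):
    """Return the list of violated rules; an empty list means the password complies."""
    validate_policy(min_length, max_length)
    problems = []
    if len(password) < min_length:
        problems.append("too-short")
    if len(password) > max_length:
        problems.append("too-long")
    if not ALLOWED_RE.match(password):
        problems.append("disallowed-character")
    # "at least two characters are nonalphabetic": digits and specials both count
    non_alpha = sum(1 for c in password if not c.isalpha())
    specials = sum(1 for c in password if c in SPECIAL_CHARS)
    if non_alpha < 2:
        problems.append("fewer-than-two-nonalphabetic")
    if specials < 1:
        problems.append("no-special-character")
    return problems


def screen(candidates, **policy):
    """Map each candidate to its violations, for reviewing a batch before provisioning."""
    return {pw: check_password(pw, **policy) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for pw, issues in screen(["Abcdef1#", "Abcdefg#", "Abcdef12", "Ab1#", "Abcdef1$"]).items():
        print(f"{pw!r}: {'ok' if not issues else ', '.join(issues)}")
```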
Table 9-3 ONS 15454 Default User Idle Times

Security Level | Idle Time
Superuser | 15 minutes
Provisioning | 30 minutes
Maintenance | 60 minutes
Retrieve | Unlimited

9.3 Audit Trail

The Cisco ONS 15454 maintains a Telcordia GR-839-CORE-compliant audit trail log that resides on the TCC2/TCC2P card. Audit trails are useful for maintaining security, recovering lost transactions, and enforcing accountability. Accountability refers to tracing user activities; that is, associating a process or action with a specific user. The audit trail log shows who has accessed the system and what operations were performed during a given period of time. The log includes authorized Cisco support logins and logouts using the operating system command line interface (CLI), CTC, and TL1; the log also includes FTP actions, circuit creation/deletion, and user/system generated actions.

Event monitoring is also recorded in the audit log. An event is defined as the change in status of a network element. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail.

To view the audit trail log, refer to the Cisco ONS 15454 Procedure Guide. You can access the audit trail logs from any management interface (CTC, CTM, TL1).

The audit trail is stored in persistent memory and is not corrupted by processor switches, resets, or upgrades. However, if you remove both TCC2/TCC2P cards, the audit trail log is lost.

9.3.1 Audit Trail Log Entries

Table 9-4 lists the columns in the Audit Trail window. Audit trail records capture the following activities:

• User—Name of the user performing the action
• Host—Host from where the activity is logged
• Device ID—IP address of the device involved in the activity
• Application—Name of the application involved in the activity
• Task—Name of the task involved in the activity (view a dialog box, apply configuration, etc.)
• Connection Mode—Telnet, Console, SNMP
• Category—Type of change (Hardware, Software, Configuration)
• Status—Status of the user action (Read, Initial, Successful, Timeout, Failed)
• Time—Time of change
• Message Type—Whether the event is Success/Failure type
• Message Details—Description of the change

Table 9-4 Audit Trail Window Columns

Heading | Explanation
Date | Date when the action occurred
Num | Incrementing count of actions
User | User ID that initiated the action
P/F | Pass/Fail (whether or not the action was executed)
Operation | Action that was taken

9.3.2 Audit Trail Capacities

The ONS 15454 is able to store 640 log entries. When this limit is reached, the oldest entries are overwritten with new events. When the log server is 80 percent full, an AUD-LOG-LOW condition is raised and logged (by way of CORBA/CTC). When the log server reaches the maximum capacity of 640 entries and begins overwriting records that were not archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit trail records have been lost. Until you off-load the file, this event will not occur a second time regardless of the number of entries that are overwritten by incoming data. To export the audit trail log, refer to the Cisco ONS 15454 Procedure Guide.

9.4 RADIUS Security

Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User Service (RADIUS) authentication.
Cisco Systems uses a strategy known as authentication, authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the actions of remote users. The RADIUS server supports IPv6 addresses and can process authentication requests from a GNE or an ENE that uses IPv6 addresses.

9.4.1 RADIUS Authentication

RADIUS is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises three components:

• A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP
• A server
• A client

The server runs on a central computer, typically at a customer site, while the clients reside in the dial-up access servers and can be distributed throughout the network. An ONS 15454 node operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers.

Transactions between the RADIUS client and server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This eliminates the possibility that someone monitoring an unsecured network could determine a user's password. Refer to the Cisco ONS 15454 Procedure Guide for detailed instructions for implementing RADIUS authentication.
9.4.2 Shared Secrets

A shared secret is a text string that serves as a password between:

• A RADIUS client and a RADIUS server
• A RADIUS client and a RADIUS proxy
• A RADIUS proxy and a RADIUS server

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit (message integrity). The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

When creating and using a shared secret:

• Use the same case-sensitive shared secret on both RADIUS devices.
• Use a different shared secret for each RADIUS server-RADIUS client pair.
• To ensure a random shared secret, generate a random sequence at least 22 characters long.
• You can use any standard alphanumeric and special characters.
• You can use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).
• Make the shared secret a random sequence of letters, numbers, and punctuation, and change it often to protect your server and your RADIUS clients from dictionary attacks.

Shared secrets should contain characters from each of the three groups listed in Table 9-5. The stronger your shared secret, the more secure are the attributes (for example, those used for passwords and encryption keys) that are encrypted with it.
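Sections 9.4.1 and 9.4.2 describe three jobs the shared secret does without ever being transmitted: hiding the User-Password attribute, letting the client verify that a reply came from a server holding the same secret, and detecting modification in transit. The following added example, not Cisco or ONS 15454 code, walks a minimal Access-Request/Access-Accept exchange through those steps as RFC 2865 defines them, and adds a strength check based on the 22-to-128-character, three-group guidance above; the user name, password, credential store and the fixed Request Authenticator are constructed sample values (a real client draws the authenticator from a random source).

```python
"""RADIUS shared-secret mechanics from 9.4.1 and 9.4.2 (RFC 2865).
Added example, not Cisco/ONS 15454 code: a minimal client/server exchange in
which the secret hides the User-Password and authenticates the server reply."""
import hashlib
import hmac
import string
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2   # attribute types
HEADER_LEN = 20                   # code, id, length, 16-byte authenticator

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password (server side)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00").decode(errors="replace")

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs[atype] = blob[i + 2:i + alen]
        i += max(alen, 2)   # guard against a zero length looping forever
    return attrs

def build_access_request(identifier, username, password, secret, req_auth):
    """Client side (the ONS node): the secret is used but never sent."""
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, hide_user_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + req_auth + attrs

def response_authenticator(code, identifier, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def server_reply(request, secret, credentials):
    """Server side: reveal the password, check it, sign the reply with the secret."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:HEADER_LEN], parse_attrs(request[HEADER_LEN:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_user_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and credentials.get(user) == password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, b"", req_auth, secret)
    return struct.pack("!BBH", reply_code, identifier, HEADER_LEN) + auth

def verify_reply(packet, req_auth, secret):
    """Client side: trust the reply only if its authenticator matches our secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:], req_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)

def secret_problems(secret):
    """Strength check from 9.4.2: 22 to 128 characters, letters + digits + punctuation."""
    problems = ["shorter-than-22"] if len(secret) < 22 else []
    if len(secret) > 128:
        problems.append("longer-than-128")
    groups = (("letters", string.ascii_letters), ("digits", string.digits),
              ("punctuation", string.punctuation))
    problems += ["no-" + name for name, chars in groups if not any(c in chars for c in secret)]
    return problems

if __name__ == "__main__":
    secret = b"8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m"   # the text's example secret
    req_auth = bytes(range(16))                     # constructed; use os.urandom(16) in practice
    creds = {"ops1": "Example#Pw1"}                 # constructed server-side credential store
    reply = server_reply(build_access_request(1, "ops1", "Example#Pw1", secret, req_auth), secret, creds)
    print("accepted:", reply[0] == ACCESS_ACCEPT, "authentic:", verify_reply(reply, req_auth, secret))
    print("secret problems:", secret_problems(secret.decode()))
```

A reply from a server that holds a different secret fails verify_reply even when its code says Accept, which is the check the text means by "sent by a RADIUS-enabled device that is configured with the same shared secret".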
An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m

Timing > Report tabs show current timing information for an ONS 15454, including the timing mode, clock state and status, switch type, and reference data.

Caution Mixed timing allows you to select both external and line timing sources. However, Cisco does not recommend its use because it can create timing loops. Use this mode with caution.

10.2 Network Timing

Figure 10-1 shows an ONS 15454 network timing setup example. Node 1 is set to external timing. Two timing references are set to BITS. These are Stratum 1 timing sources wired to the BITS input pins on the Node 1 backplane. The third reference is set to internal clock. The BITS output pins on the backplane of Node 3 are used to provide timing to outside equipment, such as a digital access line multiplexer. In the example, Slots 5 and 6 contain the trunk (span) cards. Timing at Nodes 2, 3, and 4 is set to line, and the timing references are set to the trunk cards based on distance from the BITS source. Reference 1 is set to the trunk card closest to the BITS source. At Node 2, Reference 1 is Slot 5 because it is connected to Node 1. At Node 4, Reference 1 is set to Slot 6 because it is connected to Node 1. At Node 3, Reference 1 could be either trunk card because they are an equal distance from Node 1.
Figure 10-1 ONS 15454 Timing Example (figure not reproduced: Node 1, Timing External, Ref 1: BITS1, Ref 2: BITS2, Ref 3: Internal (ST3), fed from the BITS1 and BITS2 sources; Node 2 and Node 3, Timing Line, Ref 1: Slot 5, Ref 2: Slot 6, Ref 3: Internal (ST3); Node 4, Timing Line, Ref 1: Slot 6, Ref 2: Slot 5, Ref 3: Internal (ST3); BITS1 out and BITS2 out from Node 3 to third-party equipment)

10.3 Synchronization Status Messaging

Synchronization status messaging (SSM) is a SONET and SDH protocol that communicates information about the quality of the timing source. SSM messages are transported as follows:
• If SSM is carried over an optical line, for both SONET and SDH the SSM is transported in the S1 byte.
• If SSM is carried over an electrical line:
  – For SDH, the SSM is transported in the Sa bit of E1.
  – For SONET, the SSM is transported in the outband loop code.

The SSM messages enable SONET and SDH devices to select the highest quality timing reference automatically and to avoid timing loops.

10.3.1 SONET SSM Messages

SSM messages are either Generation 1 or Generation 2. Generation 1 is the first and most widely deployed SSM message set. Generation 2 is a newer version. If you enable SONET SSM for the ONS 15454, consult your timing reference documentation to determine which message set to use. Table 10-1 and Table 10-2 show the SONET Generation 1 and Generation 2 message sets.
Table 10-1 SONET SSM Generation 1 Message Set

Message   Quality   Description
PRS       1         Primary reference source—Stratum 1
STU       2         Synchronization traceability unknown
ST2       3         Stratum 2
ST3       4         Stratum 3
SMC       5         SONET minimum clock
ST4       6         Stratum 4
DUS       7         Do not use for timing synchronization
RES       —         Reserved; quality level set by user

Table 10-2 SONET SSM Generation 2 Message Set

Message   Quality   Description
PRS       1         Primary reference source—Stratum 1
STU       2         Synchronization traceability unknown
ST2       3         Stratum 2
TNC       4         Transit node clock
ST3E      5         Stratum 3E
ST3       6         Stratum 3
SMC       7         SONET minimum clock
ST4       8         Stratum 4
DUS       9         Do not use for timing synchronization
RES       —         Reserved; quality level set by user

10.3.2 SDH SSM Messages

If you enable SDH SSM for the ONS 15454, consult your timing reference documentation to determine which message set to use. Table 10-3 shows the SDH SSM messages.

Table 10-3 SDH SSM Messages

Message   Quality   Description
G811      1         Primary reference clock
STU       2         Sync traceability unknown
G812T     3         Transit node clock traceable
G812L     4         Local node clock traceable
SETS      5         Synchronous equipment
DUS       6         Do not use for timing synchronization

Chapter 11 SONET Topologies and Upgrades

Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.
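The following added example (written for this page; not ONS 15454 or CTC code) turns the three message sets above into a reference selector that does what section 10.3 says SSM is for: it picks the usable reference with the best quality, refuses DUS, breaks ties by provisioned order, and transmits DUS back toward the selected source so that a neighbour cannot close the timing loop the Caution in section 10.1 warns about. The port names ("Slot 5", "Slot 6", "Internal") mirror Figure 10-1 but are constructed inputs; the handling of RES (usable only when the user supplies a level) follows the table footnote.

```python
"""Added example: choosing a timing reference from SSM quality levels.

Illustrative code written for this page; it is not ONS 15454 or CTC code.
The quality tables are Tables 10-1 to 10-3 above. The selection rule modelled
is the one SSM exists for (section 10.3): take the usable reference with the
best (lowest-numbered) quality, break ties by provisioned order (Ref 1 before
Ref 2), never time from DUS, and transmit DUS back on the port the node is
timed from so a neighbour cannot close a timing loop. Port names such as
"Slot 5" are constructed for the demo.
"""
SONET_GEN1 = {"PRS": 1, "STU": 2, "ST2": 3, "ST3": 4, "SMC": 5, "ST4": 6, "DUS": 7}
SONET_GEN2 = {"PRS": 1, "STU": 2, "ST2": 3, "TNC": 4, "ST3E": 5, "ST3": 6,
              "SMC": 7, "ST4": 8, "DUS": 9}
SDH = {"G811": 1, "STU": 2, "G812T": 3, "G812L": 4, "SETS": 5, "DUS": 6}


def quality(message, table, res_quality=None):
    """Numeric quality of an SSM message, or None if it cannot be used.
    RES carries no fixed level ('quality level set by user' in Tables 10-1
    and 10-2), so it is usable only when the user supplied res_quality."""
    if message == "RES":
        return res_quality
    return table.get(message)


def select_reference(refs, table, res_quality=None):
    """refs: list of (port, received_ssm) in provisioning order, with the
    internal clock last as ("Internal", level), the way the ONS 15454 lists
    Ref 3. Returns (port, message, quality) or None if nothing is usable."""
    best = None
    for port, msg in refs:
        q = quality(msg, table, res_quality)
        if q is None or msg == "DUS":
            continue  # never synchronize to a Do-not-use source
        if best is None or q < best[2]:
            best = (port, msg, q)  # strict '<' means earlier refs win ties
    return best


def advertised_ssm(refs, table, res_quality=None):
    """SSM this node transmits on each line port after selection: DUS back
    toward the selected source (loop prevention), the selected source's
    message everywhere else. With no usable reference at all, DUS on every
    port tells neighbours not to time from this node."""
    ports = [port for port, _ in refs if port != "Internal"]
    choice = select_reference(refs, table, res_quality)
    if choice is None:
        return {p: "DUS" for p in ports}
    chosen_port, chosen_msg, _ = choice
    return {p: ("DUS" if p == chosen_port else chosen_msg) for p in ports}


def has_timing_loop(timed_from):
    """timed_from: {node: node it derives timing from, or None for an
    external/internal source}. Follows each chain and reports whether it
    returns to a node already visited, the loop SSM's DUS rule prevents."""
    for start in timed_from:
        seen, cur = set(), start
        while cur is not None and cur not in seen:
            seen.add(cur)
            cur = timed_from.get(cur)
        if cur is not None:
            return True
    return False


if __name__ == "__main__":
    node2 = [("Slot 5", "PRS"), ("Slot 6", "ST3"), ("Internal", "ST3")]
    print(select_reference(node2, SONET_GEN1))   # ('Slot 5', 'PRS', 1)
    print(advertised_ssm(node2, SONET_GEN1))     # {'Slot 5': 'DUS', 'Slot 6': 'PRS'}
```

Running the Figure 10-1 case through it, Node 2 locks to the PRS arriving on Slot 5 from Node 1, forwards PRS on Slot 6 toward Node 3, and sends DUS back on Slot 5; a node whose only line references carry DUS falls back to its internal ST3 clock rather than timing from a neighbour that is timed from it.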
This chapter explains Cisco ONS 15454 SONET topologies and upgrades. To provision topologies, refer to the Cisco ONS 15454 Procedure Guide. Chapter topics include:
• 11.1 SONET Rings and TCC2/TCC2P Cards, page 11-1
• 11.2 Bidirectional Line Switched Rings, page 11-2
• 11.3 Path Protection, page 11-13
• 11.4 Dual-Ring Interconnect, page 11-18
• 11.5 Comparison of the Protection Schemes, page 11-27
• 11.6 Subtending Rings, page 11-28
• 11.7 Linear ADM Configurations, page 11-30
• 11.8 Path-Protected Mesh Networks, page 11-30
• 11.9 Four-Shelf Node Configurations, page 11-32
• 11.10 STS around the Ring, page 11-33
• 11.11 OC-N Speed Upgrades, page 11-34
• 11.12 In-Service Topology Upgrades, page 11-40
• 11.13 Overlay Ring Circuits, page 11-43

11.1 SONET Rings and TCC2/TCC2P Cards

Table 11-1 shows the SONET rings that can be created on each ONS 15454 node using redundant TCC2/TCC2P cards.

11.2 Bidirectional Line Switched Rings

The ONS 15454 can support five concurrent bidirectional line switched rings (BLSRs) in one of the following configurations:
• Five two-fiber BLSRs
• Four two-fiber and one four-fiber BLSR

Each BLSR can have up to 32 ONS 15454s. Because the working and protect bandwidths must be equal, you can create only OC-12 (two-fiber only), OC-48, or OC-192 BLSRs.

Note For best performance, BLSRs should have one LAN connection for every ten nodes in the BLSR.

11.2.1 Two-Fiber BLSRs

In two-fiber BLSRs, each fiber is divided into working and protect bandwidths. For example, in an OC-48 BLSR (Figure 11-1), STSs 1 to 24 carry the working traffic, and STSs 25 to 48 are reserved for protection. Working traffic (STSs 1 to 24) travels in one direction on one fiber and in the opposite direction on the second fiber.
The Cisco Transport Controller (CTC) circuit routing routines calculate the shortest path for circuits based on many factors, including user requirements, traffic patterns, and distance. For example, in Figure 11-1, circuits going from Node 0 to Node 1 typically travel on Fiber 1, unless that fiber is full, in which case circuits are routed on Fiber 2 through Node 3 and Node 2. Traffic from Node 0 to Node 2 (or Node 1 to Node 3) can be routed on either fiber, depending on circuit provisioning requirements and traffic loads.

Table 11-1 ONS 15454 Rings with Redundant TCC2/TCC2P Cards

Ring Type                             Maximum Rings per Node
BLSRs                                 5
  2-Fiber BLSR                        5
  4-Fiber BLSR                        1
Path protection with SDCC             34 (1, 2)
Path protection with LDCC             14 (3, 4)
Path protection with LDCC and SDCC    26 (5)

1. Total SDCC usage must be equal to or less than 68 SDCCs.
2. See the “11.3 Path Protection” section on page 11-13.
3. Total LDCC usage must be equal to or less than 28 LDCCs.
4. See the “11.3 Path Protection” section on page 11-13.
5. Total LDCC and SDCC usage must be equal to or less than 84. When LDCC is provisioned, an SDCC termination is allowed on the same port, but is not recommended. Using SDCC and LDCC on the same port is only needed during a software upgrade if the other end of the link does not support LDCC. You can provision SDCCs and LDCCs on different ports in the same node.

Figure 11-1 Four-Node, Two-Fiber BLSR (figure not reproduced: OC-48 ring of Node 0 to Node 3; Fiber 1 and Fiber 2 each carry STSs 1-24 working and STSs 25-48 protect)

The SONET K1, K2, and K3 bytes carry the information that governs BLSR protection switches. Each BLSR node monitors the K bytes to determine when to switch the SONET signal to an alternate physical path. The K bytes communicate failure conditions and actions taken between nodes in the ring. If a break occurs on one fiber, working traffic targeted for a node beyond the break switches to the protect bandwidth on the second fiber.
The traffic travels in a reverse direction on the protect bandwidth until it reaches its destination node. At that point, traffic is switched back to the working bandwidth. Figure 11-2 shows a traffic pattern sample on a four-node, two-fiber BLSR.

Figure 11-2 Four-Node, Two-Fiber BLSR Traffic Pattern Sample (figure not reproduced: OC-48 ring, Nodes 0 to 3, traffic flow on Fiber 1 and Fiber 2)

Figure 11-3 shows how traffic is rerouted following a line break between Node 0 and Node 3.
• All circuits originating on Node 0 that carried traffic to Node 2 on Fiber 2 are switched to the protect bandwidth of Fiber 1. For example, a circuit carrying traffic on STS-1 on Fiber 2 is switched to STS-25 on Fiber 1. A circuit carried on STS-2 on Fiber 2 is switched to STS-26 on Fiber 1. Fiber 1 carries the circuit to Node 3 (the original routing destination). Node 3 switches the circuit back to STS-1 on Fiber 2 where it is routed to Node 2 on STS-1.
• Circuits originating on Node 2 that normally carried traffic to Node 0 on Fiber 1 are switched to the protect bandwidth of Fiber 2 at Node 3. For example, a circuit carrying traffic on STS-2 on Fiber 1 is switched to STS-26 on Fiber 2. Fiber 2 carries the circuit to Node 0 where the circuit is switched back to STS-2 on Fiber 1 and then dropped to its destination.

Figure 11-3 Four-Node, Two-Fiber BLSR Traffic Pattern Following Line Break (figure not reproduced)

11.2.2 Four-Fiber BLSRs

Four-fiber BLSRs double the bandwidth of two-fiber BLSRs.
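The two rerouting cases just listed follow one rule, which the added model below (written for this page; not ONS 15454 or CTC code) implements for any ring size, OC-N rate, circuit and break: traffic that would cross the cut span is bridged onto the protect timeslot of the other fiber (STS n plus the working STS count from Table 11-2), carried the long way round, and switched back to its working timeslot at the node on the far side of the break. The direction assignment (Fiber 1 runs Node 0 to Node 1 to Node 2 to Node 3, Fiber 2 the reverse) is an assumption taken from the routing description in section 11.2.1.

```python
"""Added example: two-fiber BLSR ring switch after a fiber break.

Illustrative model written for this page, not ONS 15454 or CTC code. It
reproduces the rerouting described for Figure 11-3: working traffic that
would cross the broken span is bridged onto the protect timeslot (STS n +
working count) of the other fiber, travels the long way round the ring, and
is switched back to its working timeslot on the far side of the break.
Fiber 1 is modelled as the direction Node 0 -> Node 1 -> Node 2 -> Node 3
and Fiber 2 as the reverse (assumption drawn from section 11.2.1).
"""
WORKING_STS = {12: 6, 48: 24, 192: 96}   # working STSs per OC-N rate (Table 11-2)


def ring_path(n, src, dst, fiber):
    """Nodes visited from src to dst when travelling on the given fiber."""
    step = 1 if fiber == 1 else -1
    path = [src]
    while path[-1] != dst:
        path.append((path[-1] + step) % n)
    return path


def reroute(n, oc_rate, circuit, broken_span):
    """circuit = (src, dst, fiber, sts) provisioned on a working STS.
    broken_span = (node_a, node_b), an adjacent pair whose fibers are cut.
    Returns the circuit as a list of (fiber, sts, node_list) segments."""
    src, dst, fiber, sts = circuit
    working = WORKING_STS[oc_rate]
    if not 1 <= sts <= working:
        raise ValueError(f"STS-{sts} is not a working timeslot on OC-{oc_rate}")
    path = ring_path(n, src, dst, fiber)
    broken = frozenset(broken_span)
    for i, (a, b) in enumerate(zip(path, path[1:])):
        if frozenset((a, b)) == broken:
            break
    else:
        return [(fiber, sts, path)]   # the break is not on this circuit's path
    other = 2 if fiber == 1 else 1
    segments = []
    if i > 0:
        segments.append((fiber, sts, path[:i + 1]))                      # unchanged up to node a
    segments.append((other, sts + working, ring_path(n, a, b, other)))  # protect loop-back a -> b
    if b != dst:
        segments.append((fiber, sts, path[i + 1:]))                      # back on the working STS from b
    return segments


def spans_used(segments):
    """Set of (fiber, sts, from_node, to_node) hops occupied by a rerouted
    circuit; useful for checking that two circuits do not collide on a
    protect timeslot after a switch."""
    hops = set()
    for fiber, sts, nodes in segments:
        for a, b in zip(nodes, nodes[1:]):
            hops.add((fiber, sts, a, b))
    return hops


if __name__ == "__main__":
    # Figure 11-3 cases: break between Node 0 and Node 3 on a four-node OC-48 ring.
    print(reroute(4, 48, (0, 2, 2, 1), (0, 3)))   # [(1, 25, [0, 1, 2, 3]), (2, 1, [3, 2])]
    print(reroute(4, 48, (2, 0, 1, 2), (3, 0)))   # [(1, 2, [2, 3]), (2, 26, [3, 2, 1, 0])]
```

The first call reproduces the first bullet (Node 0 to Node 2, STS-1 on Fiber 2 becomes STS-25 on Fiber 1 as far as Node 3, then STS-1 on Fiber 2 to Node 2) and the second the second bullet (STS-2 on Fiber 1 from Node 2 becomes STS-26 on Fiber 2 at Node 3 and is dropped at Node 0). Circuits whose path does not touch the cut span come back unchanged.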
Because they allow span switching as well as ring switching, four-fiber BLSRs increase the reliability and flexibility of traffic protection. Two fibers are allocated for working traffic and two fibers for protection, as shown in Figure 11-4. To implement a four-fiber BLSR, you must install four OC-48, OC-48 AS, or OC-192 cards at each BLSR node.

Figure 11-4 Four-Node, Four-Fiber BLSR (figure not reproduced: OC-48 ring, Nodes 0 to 3, Spans 1 to 8, working fibers and protect fibers)

Four-fiber BLSRs provide span and ring switching:
• Span switching (Figure 11-5 on page 11-7) occurs when a working span fails. Traffic switches to the protect fibers between the nodes (Node 0 and Node 1 in the example in Figure 11-5) and then returns to the working fibers. Multiple span switches can occur at the same time.
• Ring switching (Figure 11-6) occurs when a span switch cannot recover traffic, such as when both the working and protect fibers fail on the same span. In a ring switch, traffic is routed to the protect fibers throughout the full ring.

Figure 11-5 Four-Fiber BLSR Span Switch (figure not reproduced)

Figure 11-6 Four-Fiber BLSR Ring Switch (figure not reproduced)

11.2.3 BLSR Bandwidth

BLSR nodes can terminate traffic coming from either side of the ring.
Therefore, BLSRs are suited for distributed node-to-node traffic applications such as interoffice networks and access networks. BLSRs allow bandwidth to be reused around the ring and can carry more traffic than a network with traffic flowing through one central hub. BLSRs can also carry more traffic than a path protection configuration operating at the same OC-N rate. Table 11-2 shows the bidirectional bandwidth capacities of two-fiber BLSRs. The capacity is the OC-N rate divided by two, multiplied by the number of nodes in the ring minus the number of pass-through STS-1 circuits. Table 11-3 shows the bidirectional bandwidth capacities of four-fiber BLSRs.

Table 11-2 Two-Fiber BLSR Capacity

OC Rate   Working Bandwidth   Protection Bandwidth   Ring Capacity
OC-12     STS 1-6             STS 7-12               6 x N (1) – PT (2)
OC-48     STS 1-24            STS 25-48              24 x N – PT
OC-192    STS 1-96            STS 97-192             96 x N – PT

1. N equals the number of ONS 15454 nodes configured as BLSR nodes.
2. PT equals the number of STS-1 circuits passed through ONS 15454 nodes in the ring (capacity can vary depending on the traffic pattern).

Figure 11-7 shows an example of BLSR bandwidth reuse. The same STS carries three different traffic sets simultaneously on different spans around the ring: one set from Node 3 to Node 1, another set from Node 1 to Node 2, and another set from Node 2 to Node 3.

Figure 11-7 BLSR Bandwidth Reuse (figure not reproduced: STS#1 on each span of a four-node ring carrying Node 3 – Node 1, Node 1 – Node 2, and Node 2 – Node 3 traffic)

11.2.4 BLSR Application Example

Figure 11-8 shows a two-fiber BLSR implementation example with five nodes. A regional long-distance network connects to other carriers at Node 0. Traffic is delivered to the service provider’s major hubs.
• Carrier 1 delivers six DS-3s over two OC-3 spans to Node 0. Carrier 2 provides twelve DS-3s directly.
Node 0 receives the signals and delivers them around the ring to the appropriate node.
• The ring also brings 14 DS-1s back from each remote site to Node 0. Intermediate nodes serve these shorter regional connections.
• The ONS 15454 OC-3 card supports a total of four OC-3 ports so that two additional OC-3 spans can be added at little cost.

Table 11-3 Four-Fiber BLSR Capacity

OC Rate   Working Bandwidth      Protection Bandwidth   Ring Capacity
OC-48     STS 1-48 (Fiber 1)     STS 1-48 (Fiber 2)     48 x N (1) – PT (2)
OC-192    STS 1-192 (Fiber 1)    STS 1-192 (Fiber 2)    192 x N – PT

1. N equals the number of ONS 15454 nodes configured as BLSR nodes.
2. PT equals the number of STS-1 circuits passed through ONS 15454 nodes in the ring (capacity can vary depending on the traffic pattern).

Figure 11-8 Five-Node Two-Fiber BLSR (figure not reproduced: Node 0 with 56 local DS-1s, Carrier 1 over 2 OC-3s and Carrier 2 with 12 DS-3s; Nodes 1 to 4 each returning 14 DS-1s and receiving 2 to 8 DS-3s; Fiber 1 and Fiber 2)

Figure 11-9 shows the shelf assembly layout for Node 0, which has one free slot.

Figure 11-9 Shelf Assembly Layout for Node 0 in Figure 11-8 (figure not reproduced)

Figure 11-10 shows the shelf assembly layout for the remaining sites in the ring. In this BLSR configuration, an additional eight DS-3s at Node IDs 1 and 3 can be activated. An additional four DS-3s can be added at Node 4, and ten DS-3s can be added at Node 2. Each site has free slots for future traffic needs.
Figure 11-10 Shelf Assembly Layout for Nodes 1 to 4 in Figure 11-8 (figure not reproduced: slot layouts with DS1-14, DS1N-14, DS3-12, OC3, OC48, TCC2/TCC2P, Cross Connect, AIC-I (Optional) cards and free slots)

11.2.5 BLSR Fiber Connections

Plan your fiber connections and use the same plan for all BLSR nodes. For example, make the east port the farthest slot to the right and the west port the farthest slot to the left. Plug fiber connected to an east port at one node into the west port on an adjacent node. Figure 11-11 shows fiber connections for a two-fiber BLSR with trunk cards in Slot 5 (west) and Slot 12 (east). Refer to the Cisco ONS 15454 Procedure Guide for fiber connection procedures.

Note Always plug the transmit (Tx) connector of an OC-N card at one node into the receive (Rx) connector of an OC-N card at the adjacent node. Cards display an SF LED when Tx and Rx connections are mismatched.

Figure 11-11 Connecting Fiber to a Four-Node, Two-Fiber BLSR (figure not reproduced: Nodes 1 to 4, each with Slot 5 (west) and Slot 12 (east), Tx at one node connected to Rx at the adjacent node)

For four-fiber BLSRs, use the same east-west connection pattern for the working and protect fibers. Do not mix working and protect card connections. The BLSR does not function if working and protect cards are interconnected. Figure 11-12 shows fiber connections for a four-fiber BLSR. Slot 5 (west) and Slot 12 (east) carry the working traffic. Slot 6 (west) and Slot 13 (east) carry the protect traffic.
Figure 11-12 Connecting Fiber to a Four-Node, Four-Fiber BLSR (figure not reproduced: Nodes 1 to 4; working fibers on Slot 5 (west) and Slot 12 (east), protect fibers on Slot 6 (west) and Slot 13 (east), Tx to Rx between adjacent nodes)

11.3 Path Protection

Path Protection Configurations (PPC) provide duplicate fiber paths around the ring. Working traffic flows in one direction and protection traffic flows in the opposite direction. If a problem occurs with the working traffic path, the receiving node switches to the path coming from the opposite direction. CTC automates ring configuration. Path protection traffic is defined within the ONS 15454 on a circuit-by-circuit basis. If a path-protected circuit is not defined within a 1+1 or BLSR line protection scheme and path protection is available and specified, CTC uses path protection as the default. A path protection circuit requires two DCC-provisioned optical spans per node. Path protection circuits can be created across these spans until their bandwidth is consumed.

Note If a path protection circuit is created manually by TL1, data communications channels (DCCs) are not needed; therefore, path protection circuits are limited by the cross-connection bandwidth or the span bandwidth, but not by the number of DCCs.

The span bandwidth consumed by a path protection circuit is two times the circuit bandwidth, because the circuit is duplicated. The cross-connection bandwidth consumed by a path protection circuit is three times the circuit bandwidth at the source and destination nodes only. The cross-connection bandwidth consumed by an intermediate node has a factor of one.
The path protection circuit limit is the sum of the optical bandwidth containing 84 section data communication channels (SDCCs) or 28 line data communication channels (LDCCs), divided by two if you are using redundant TCC2/TCC2P cards. The spans can be of any bandwidth from OC-3 to OC-192. The circuits can be of any size from VT1.5 to 192c.

Figure 11-13 shows a basic four-node path protection configuration. If Node ID 0 sends a signal to Node ID 2, the working signal travels on the working traffic path through Node ID 1. The same signal is also sent on the protect traffic path through Node ID 3.

Figure 11-13 Basic Four-Node Path Protection (figure not reproduced: ONS 15454 Node IDs 0 to 3, Fiber 1 and Fiber 2)

If a fiber break occurs (Figure 11-14), Node ID 2 switches its active receiver to the protect signal coming through Node ID 3. Because each traffic path is transported around the entire ring, path protection configurations are best suited for networks where traffic concentrates at one or two locations and is not widely distributed. Path protection capacity is equal to its bit rate. Services can originate and terminate on the same path protection, or they can be passed to an adjacent access or interoffice ring for transport to the service-terminating location.

Figure 11-14 Path Protection with a Fiber Break (figure not reproduced: ONS 15454 Node IDs 0 to 3, Spans 1 to 8, fiber break between the source and destination nodes)

Figure 11-15 shows a common path protection application.
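The bandwidth rules of section 11.3 (span usage twice the circuit, cross-connect three times at the source and destination, once at intermediate nodes) and the statement that path protection capacity equals the bit rate are tied together in the following added example, written for this page and not part of the ONS 15454 or CTC software. It models a ring as Node IDs 0 to n-1 with the working copy sent one way round and the protect copy the other way (the Figure 11-13 layout); those directions and the circuit sizes are assumptions made for the model.

```python
"""Added example: resource accounting for path-protected circuits.

Illustrative code for this page, not ONS 15454 or CTC code. It applies the
rules in section 11.3: the circuit is sent both ways round the ring (span
usage is twice the circuit bandwidth), the cross-connect at the source and
destination nodes carries three times the circuit bandwidth (bridge or
selector plus the drop), and every intermediate node carries it once.
Ring geometry (working copy clockwise, protect copy counter-clockwise) is
an assumption made for the model, following Figure 11-13.
"""
from collections import Counter


def ring_path(n, src, dst, clockwise=True):
    """Nodes visited from src to dst around an n-node ring."""
    step = 1 if clockwise else -1
    path = [src]
    while path[-1] != dst:
        path.append((path[-1] + step) % n)
    return path


def path_protection_usage(n, src, dst, sts_size=1):
    """Return (cross_connect_usage, span_usage) for one circuit of sts_size
    STS-1 equivalents between src and dst. cross_connect_usage maps node ->
    STS-1s through its cross-connect; span_usage maps frozenset{a, b} ->
    STS-1s occupied on the span between adjacent nodes a and b."""
    if src == dst:
        raise ValueError("source and destination must differ")
    working = ring_path(n, src, dst, clockwise=True)
    protect = ring_path(n, src, dst, clockwise=False)
    xc = Counter()
    for node in range(n):
        if node in (src, dst):
            xc[node] = 3 * sts_size          # factor of three at the ends (section 11.3)
        elif node in working or node in protect:
            xc[node] = sts_size              # factor of one at intermediate nodes
    spans = Counter()
    for path in (working, protect):          # both copies: twice the circuit bandwidth
        for a, b in zip(path, path[1:]):
            spans[frozenset((a, b))] += sts_size
    return xc, spans


def fits_on_ring(circuits, n, oc_rate):
    """Check whether (src, dst, sts_size) path-protected circuits fit in the
    span bandwidth of an OC-N ring. Because the two copies together cover
    every span exactly once, each circuit takes its full size on every span,
    which is why path protection capacity equals the line rate (Table 11-4:
    48 - PT for OC-48). Returns (fits, cross_connect_totals, span_totals)."""
    xc_total, span_total = Counter(), Counter()
    for src, dst, size in circuits:
        xc, spans = path_protection_usage(n, src, dst, size)
        xc_total.update(xc)
        span_total.update(spans)
    fits = all(used <= oc_rate for used in span_total.values())
    return fits, xc_total, span_total


if __name__ == "__main__":
    xc, spans = path_protection_usage(4, 0, 2)   # Figure 11-13: Node ID 0 to Node ID 2
    print(dict(xc))                               # {0: 3, 1: 1, 2: 3, 3: 1}
    print({tuple(sorted(k)): v for k, v in spans.items()})
    ok, _, totals = fits_on_ring([(0, 2, 24), (1, 3, 24)], 4, 48)
    print(ok, max(totals.values()))               # True 48: the OC-48 ring is now full
```

For the Figure 11-13 circuit the two end nodes show a factor of three and the two pass-through nodes a factor of one, and each of the four spans carries the circuit once. Two STS-24c circuits already consume the whole OC-48 ring, which is the capacity figure of Table 11-4 for path protection.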
OC-3 optics provide remote switch connectivity to a host Telcordia TR-303 switch. In the example, each remote switch requires eight DS-1s to return to the host switch. Figure 11-16 on page 11-17 and Figure 11-17 on page 11-17 show the shelf layout for each site.

Figure 11-15 Four-Port, OC-3 Path Protection (figure not reproduced: TR-303 switch at ONS 15454 Node ID 0; 8 DS-1s at each of Node IDs 1 to 3; Fiber 1 and Fiber 2)

Node ID 0 has four DS1-14 cards to provide 56 active DS-1 ports. The other sites only require two DS1-14 cards to handle the eight DS-1s to and from the remote switch. You can use the other half of each ONS 15454 shelf assembly to provide support for a second or third ring to other existing or planned remote sites. In the OC-3 path protection sample, Node ID 0 contains four DS1-14 cards and two OC3 IR 4 1310 cards. Six free slots can be provisioned with cards or left empty. Figure 11-16 shows the shelf setup for these cards.

Figure 11-16 Layout of Node ID 0 in the OC-3 Path Protection Example in Figure 11-15 (figure not reproduced)

In the Figure 11-15 on page 11-16 example, Node IDs 1 to 3 each contain two DS1-14 cards and two OC3 IR 4 1310 cards. Eight free slots exist. They can be provisioned with other cards or left empty. Figure 11-17 shows the shelf assembly setup for this configuration example.
Figure 11-17 Layout of Node IDs 1 to 3 in the OC-3 Path Protection Example in Figure 11-15 (figure not reproduced: DS1-14 cards, OC3 IR 4 1310 cards, TCC2/TCC2P, Cross Connect, AIC-I (Optional) and free slots)

11.4 Dual-Ring Interconnect

Dual-ring interconnect (DRI) topologies provide an extra level of path protection for circuits on interconnected rings. DRI allows users to interconnect BLSRs, path protection configurations, or a path protection with a BLSR, with additional protection provided at the transition nodes. In a DRI topology, ring interconnections occur at two or four nodes.

The drop-and-continue DRI method is used for all ONS 15454 DRIs. In drop-and-continue DRI, a primary node drops the traffic to the connected ring and routes traffic to a secondary node within the same ring. The secondary node also routes the traffic to the connected ring; that is, the traffic is dropped at two different interconnection nodes to eliminate single points of failure. To route circuits on DRI, you must choose the Dual Ring Interconnect option during circuit provisioning. Dual transmit is not supported.

Two DRI topologies can be implemented on the ONS 15454:
• A traditional DRI requires two pairs of nodes to interconnect two networks. Each pair of user-defined primary and secondary nodes drops traffic over a pair of interconnection links to the other network.
• An integrated DRI requires one pair of nodes to interconnect two networks. The two interconnected nodes replace the interconnection ring.
For DRI topologies, a hold-off timer sets the amount of time before a selector switch occurs. It reduces the likelihood of multiple switches, such as:
• Both a service selector and a path selector
• Both a line switch and a path switch of a service selector

For example, if a path protection DRI service selector switch does not restore traffic, then the path selector switches after the hold-off time. The path protection DRI hold-off timer default is 100 ms. You can change this setting in the Path Protection Selectors tab of the Edit Circuits window. For BLSR DRI, if line switching does not restore traffic, then the service selector switches. The hold-off time delays the recovery provided by the service selector. The BLSR DRI default hold-off time is 100 ms, but it can be changed.

11.4.1 BLSR DRI

Unlike BLSR automatic protection switching (APS) protocol, BLSR-DRI is a path-level protection protocol at the circuit level. Drop-and-continue BLSR-DRI requires a service selector in the primary node for each circuit routing to the other ring. Service selectors monitor signal conditions from dual feed sources and select the one that has the best signal quality. Same-side routing drops the traffic at primary nodes set up on the same side of the connected rings, and opposite-side routing drops the traffic at primary nodes set up on the opposite sides of the connected rings. For BLSR-DRI, primary and secondary nodes cannot be the circuit source or destination.

Note A DRI circuit cannot be created if an intermediate node exists on the interconnecting link. However, an intermediate node can be added on the interconnecting link after the DRI circuit is created.

DRI protection circuits act as protection channel access (PCA) circuits.
In CTC, you set up DRI protection circuits by selecting the PCA option when setting up primary and secondary nodes during DRI circuit creation.

Figure 11-18 shows ONS 15454 nodes in a traditional BLSR-DRI topology with same-side routing. In Ring 1, Nodes 3 and 4 are the interconnect nodes, and in Ring 2, Nodes 8 and 9 are the interconnect nodes. Duplicate signals are sent between Node 4 (Ring 1) and Node 9 (Ring 2), and between Node 3 (Ring 1) and Node 8 (Ring 2). The primary nodes (Nodes 4 and 9) are on the same side, and the secondary nodes (Nodes 3 and 8) provide an alternative route. In Ring 1, traffic at Node 4 is dropped (to Node 9) and continued (to Node 3). Similarly, at Node 9, traffic is dropped (to Node 4) and continued (to Node 8).

Figure 11-18 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Same-Side Routing) (figure not reproduced: BLSR Ring 1, Nodes 1 to 5, primary Node 4 and secondary Node 3; BLSR Ring 2, Nodes 6 to 10, primary Node 9 and secondary Node 8; service selector, primary path with drop and continue to bridge, secondary path)

Figure 11-19 shows ONS 15454 nodes in a traditional BLSR-DRI topology with opposite-side routing. In Ring 1, Nodes 3 and 4 are the interconnect nodes, and in Ring 2, Nodes 8 and 9 are the interconnect nodes. Duplicate signals are sent from Node 4 (Ring 1) to Node 8 (Ring 2), and between Node 3 (Ring 1) and Node 9 (Ring 2). In Ring 1, traffic at Node 4 is dropped (to Node 9) and continued (to Node 3). Similarly, at Node 8, traffic is dropped (to Node 3) and continued (to Node 8).

Figure 11-19 ONS 15454 Traditional BLSR Dual-Ring Interconnect (Opposite-Side Routing) (figure not reproduced)

Figure 11-20 shows ONS 15454s in an integrated BLSR-DRI topology.
The same drop-and-continue traffic routing occurs at two nodes, rather than four. This is achieved by installing an additional OC-N trunk at the two interconnect nodes. Nodes 3 and 8 are the interconnect nodes.

Figure 11-20 ONS 15454 Integrated BLSR Dual-Ring Interconnect (figure not reproduced: BLSR 1, Nodes 1 to 4, and BLSR 2, Nodes 5 to 8, interconnected at Node 3 and Node 8, each acting as primary for one ring and secondary for the other; service selector, primary path (working), secondary path (protection))

Figure 11-21 shows an example of an integrated BLSR DRI on the Edit Circuits window.

Figure 11-21 Integrated BLSR DRI on the Edit Circuits Window (figure not reproduced)

11.4.2 Path Protection DRI

Figure 11-22 shows ONS 15454 nodes in a traditional drop-and-continue path protection DRI topology. In Ring 1, Nodes 4 and 5 are the interconnect nodes, and in Ring 2, Nodes 6 and 7 are the interconnect nodes. Duplicate signals are sent between Node 4 (Ring 1) and Node 6 (Ring 2), and between Node 5 (Ring 1) and Node 7 (Ring 2). In Ring 1, traffic at Node 4 is dropped (to Node 6) and continued (to Node 5). Similarly, at Node 5, traffic is dropped (to Node 7) and continued (to Node 4).

Figure 11-22 ONS 15454 Traditional Path Protection Dual-Ring Interconnect (figure not reproduced: UPSR Ring 1 and UPSR Ring 2, Nodes 1 to 7, path selector, bridge, duplicate signals, pass-through node, primary and secondary paths and return paths)

Figure 11-23 shows ONS 15454 nodes in an integrated DRI topology.
The same drop-and-continue traffic routing occurs at two nodes, rather than four. This is achieved by installing an additional OC-N trunk at the two interconnect nodes.

Figure 11-23 ONS 15454 Integrated Path Protection Dual-Ring Interconnect (figure not reproduced: ONS 15454 Path Protection Configuration 1 and Configuration 2 joined through an ONS 15454 DRI node, one of two supporting two rings with integrated STS-1 and VT1.5 grooming; path selector, bridge, duplicate signals, pass-through node, DS1/EC1/DS3/GigE drops)

11.4.3 Path Protection/BLSR DRI Handoff Configurations

Path protection configurations and BLSRs can also be interconnected. In BLSR/path protection DRI handoff configurations, primary and secondary nodes can be the circuit source or destination, which is useful when non-DCC optical interconnecting links are present. Figure 11-24 shows an example of a path protection to BLSR traditional DRI handoff.

Figure 11-24 ONS 15454 Path Protection to BLSR Traditional DRI Handoff (figure not reproduced)

Figure 11-25 shows an example of a path protection to BLSR integrated DRI handoff.
Figure 11-25 ONS 15454 Path Protection to BLSR Integrated DRI Handoff

Figure 11-26 shows a path protection to BLSR integrated DRI handoff on the Edit Circuits window.

Figure 11-26 Path Protection to BLSR Integrated DRI Handoff on the Detailed Circuit Map

11.5 Comparison of the Protection Schemes

Table 11-4 shows a comparison of the different protection schemes using OC-48 as an example.

Table 11-4 Comparison of the Protection Schemes

Topology              Ring Capacity       Protected Bandwidth       Protection Channel    Dual Failure    Number of Cards
                                          Between Any Two Nodes     Access
Path Protection       48 - PT             STS 1-48                  Not supported         Not supported   2 x N
Two-Fiber BLSR        24 x N(1) - PT(2)   STS 1-24                  STS 25-48             Not supported   2 x N
Four-Fiber BLSR       48 x N - PT         STS 1-48 (Fiber 1)        STS 1-48 (Fiber 2)    Supported       4 x N
Two-Fiber BLSR DRI    24 x N - PT         STS 1-24                  STS 25-48             Supported       (2 x N) + 4
Path Protection DRI   48 - PT             STS 1-48                  Not supported         Supported       (2 x N) + 4

1. N equals the number of ONS 15454 nodes configured as BLSR nodes.
2. PT equals the number of STS-1 circuits passed through ONS 15454 nodes in the ring (capacity can vary depending on the traffic pattern).

11.6 Subtending Rings

The ONS 15454 supports up to 84 SONET SDCCs or 28 SONET LDCCs with TCC2/TCC2P cards. See Table 11-1 on page 11-2 for ring, SDCC, and LDCC information. Subtending rings reduce the number of nodes and cards required, and reduce external shelf-to-shelf cabling. Figure 11-27 shows an ONS 15454 with multiple subtending rings.

Figure 11-27 ONS 15454 with Multiple Subtending Rings

Figure 11-28 shows a path protection configuration subtending from a BLSR. In this example, Node 3 is the only node serving both the BLSR and the path protection configuration. OC-N cards in Slots 5 and 12 serve the BLSR, and OC-N cards in Slots 6 and 13 serve the path protection configuration.

Figure 11-28 Path Protection Subtending from a BLSR

The ONS 15454 can support two BLSRs on the same node. This allows you to deploy an ONS 15454 in applications requiring SONET Digital Cross-connect Systems (DCSs) or multiple SONET add/drop multiplexers (ADMs). Figure 11-29 shows two BLSRs shared by one ONS 15454. Ring 1 runs on Nodes 1, 2, 3, and 4. Ring 2 runs on Nodes 4, 5, 6, and 7. Two BLSR rings, Ring 1 and Ring 2, are provisioned on Node 4. Ring 1 uses cards in Slots 5 and 12, and Ring 2 uses cards in Slots 6 and 13.

Note    Nodes in different BLSRs can have the same or different node IDs.
Figure 11-29 BLSR Subtending from a BLSR

After subtending two BLSRs, you can route circuits from nodes in one ring to nodes in the second ring. For example, in Figure 11-29 you can route a circuit from Node 1 to Node 7. The circuit would normally travel from Node 1 to Node 4 to Node 7. If fiber breaks occur, for example between Nodes 1 and 4 and between Nodes 4 and 7, traffic is rerouted around each ring: in this example, through Nodes 2 and 3 in Ring 1 and Nodes 5 and 6 in Ring 2.

11.7 Linear ADM Configurations

You can configure ONS 15454s as a line of add/drop multiplexers (ADMs) by configuring one set of OC-N cards as the working path and a second set as the protect path. Unlike rings, point-to-point ADMs (two-node configurations) and linear ADMs (three-node configurations) require that the OC-N cards at each node be in 1+1 protection to ensure that a break to the working line is automatically routed to the protect line. Figure 11-30 shows three ONS 15454 nodes in a linear ADM configuration. Working traffic flows from Slot 5/Node 1 to Slot 5/Node 2, and from Slot 12/Node 2 to Slot 12/Node 3. You create the protect path by placing Slot 6 in 1+1 protection with Slot 5 at Nodes 1 and 2, and Slot 13 in 1+1 protection with Slot 12 at Nodes 2 and 3.
Figure 11-30 Linear (Point-to-Point) ADM Configuration

11.8 Path-Protected Mesh Networks

In addition to single BLSRs, path protection configurations, and ADMs, you can extend ONS 15454 traffic protection by creating path-protected mesh networks (PPMNs). PPMNs include multiple ONS 15454 SONET topologies and extend the protection provided by a single path protection to the meshed architecture of several interconnecting rings. In a PPMN, circuits travel diverse paths through a network of single or multiple meshed rings. When you create circuits, you can have CTC automatically route circuits across the PPMN, or you can manually route them. You can also choose levels of circuit protection. For example, if you choose full protection, CTC creates an alternate route for the circuit in addition to the main route. The second route follows a unique path through the network between the source and destination and sets up a second set of cross-connections.

For example, in Figure 11-31 a circuit is created from Node 3 to Node 9. CTC determines that the shortest route between the two nodes passes through Node 8 and Node 7, shown by the dotted line, and automatically creates cross-connections at Nodes 3, 8, 7, and 9 to provide the primary circuit path. If full protection is selected, CTC creates a second unique route between Nodes 3 and 9 which, in this example, passes through Nodes 2, 1, and 11. Cross-connections are automatically created at Nodes 3, 2, 1, 11, and 9, shown by the dashed line. If a failure occurs on the primary path, traffic switches to the second circuit path. In this example, Node 9 switches from the traffic coming in from Node 7 to the traffic coming in from Node 11 and service resumes. The switch occurs within 50 ms.
Figure 11-31 Path-Protected Mesh Network

PPMN also allows spans with different SONET speeds to be mixed together in “virtual rings.” Figure 11-32 shows Nodes 1, 2, 3, and 4 in a standard OC-48 ring. Nodes 5, 6, 7, and 8 link to the backbone ring through OC-12 fiber. The “virtual ring” formed by Nodes 5, 6, 7, and 8 uses both OC-48 and OC-12 cards.

Figure 11-32 PPMN Virtual Ring

11.9 Four-Shelf Node Configurations

You can link multiple ONS 15454s using their OC-N cards (that is, create a fiber-optic bus) to accommodate more access traffic than a single ONS 15454 can support. Refer to the Cisco ONS 15454 Procedure Guide. For example, to drop more than 112 DS-1s or 96 DS-3s (the maximum that can be aggregated in a single node), you can link the nodes, but you cannot merge multiple nodes into a single ONS 15454. You can link nodes with OC-12 or OC-48 fiber spans as you would link any other two network nodes. The nodes can be grouped in one facility to aggregate more local traffic. Figure 11-33 on page 11-33 shows a four-shelf node setup. Each shelf assembly is recognized as a separate node in the ONS 15454 software interface and traffic is mapped using CTC cross-connect options. In Figure 11-33, each node uses redundant fiber-optic cards. Node 1 uses redundant OC-N transport and OC-N bus (connecting) cards for a total of four cards, with eight free slots remaining.
Nodes 2 and 3 each use two redundant OC-N bus cards for a total of four cards, with eight free slots remaining. Node 4 uses redundant OC-12 bus cards for a total of two cards, with ten free slots remaining. The four-shelf node example presented here is one of many ways to set up a multiple-node configuration.

Figure 11-33 Four-Shelf Node Configuration

11.10 STS around the Ring

You can provision STS circuits with a source endpoint and a destination endpoint on the same node, and route the traffic around a ring. The circuit source and destination can be on the same card, but you must use two different ports on the card (see Figure 11-34 on page 11-34). Manual routing is required for STS around the ring circuits, and “Route Automatically” must be unchecked in the CTC circuit provisioning pane. STS around the ring circuits created using Transaction Language 1 (TL1) are discovered by CTC and the status “COMPLETE” is displayed. STS around the ring supports the following circuit sizes: STS-1, 3c, 6c, 9c, 12c, 24c, 36c, 48c, and 192c. Both unidirectional and bidirectional circuits are supported. STS around the ring circuits are CCAT only; VCAT is not supported. STS around the ring circuits are linear circuits.
Figure 11-34 STS Around the Ring

11.11 OC-N Speed Upgrades

A span is the optical fiber connection between two ONS 15454 nodes. In a span (optical speed) upgrade, the transmission rate of a span is upgraded from a lower to a higher OC-N signal, but all other span configuration attributes remain unchanged. With multiple nodes, a span upgrade is a coordinated series of upgrades on all nodes in the ring or protection group. You can perform in-service span upgrades for the following ONS 15454 cards:
• Single-port OC-12 to OC-48
• Single-port OC-12 to OC-192
• Single-port OC-12 to four-port OC-12
• Single-port OC-12 to MRC-12
• Four-port OC-12 to MRC-2.5G-4
• OC-48 to OC-192
• MRC-12 to OC-192 or OC192-XFP
• MRC-2.5G-4 to OC-192 or OC192-XFP
• OC-48 to OC192SR1/STM64IO Short Reach or OC192/STM64 Any Reach

You can also perform in-service card upgrades for the following ONS 15454 cards:
• Four-port OC-3 to eight-port OC-3
• Four-port OC-3 to MRC-2.5G-4
• Single-port OC-12 to four-port OC-12
• Single-port OC-12 to OC-48
• Single-port OC-12 to OC-192
• Single-port OC-12 to MRC-12
• Single-port OC-12 to MRC-2.5G-4
• OC-48 to MRC-12
• OC-192 to OC192-XFP
• MRC-2.5G-4 to MRC-12
• OC-48 to OC192SR1/STM64IO Short Reach or OC192/STM64 Any Reach

Table 11-5 lists permitted upgrades for Slots 5, 6, 12, and 13 (high-speed slots).

Table 11-5 Slot 5, 6, 12, and 13 Upgrade Options (S = supported, N = not supported, — = same card)

From \ To            4-port   8-port    1-port   4-port    OC-48   OC-192   MRC-12   MRC-2.5G-4
                     OC-3     OC-3(1)   OC-12    OC-12(2)
Four-port OC-3       —        N         N        N         N       N        N        S
Eight-port OC-3(1)   N        —         N        N         N       N        N        N
One-port OC-12       N        N         —        N         S       S        S        N
Four-port OC-12(2)   N        N         N        —         N       N        N        S
OC-48                N        N         S        N         —       S        S        S
OC-192               N        N         S        N         S       —        S        S
MRC-12               N        N         S        N         S       S        —        N
MRC-2.5G-4           S        N         N        S         S       S        S        —

1. The eight-port OC-3 is not supported in Slots 5, 6, 12, and 13.
2. The four-port OC-12 is not supported in Slots 5, 6, 12, and 13.

Table 11-6 lists permitted upgrades for Slots 1 through 4 and 14 through 17 (low-speed slots).

Table 11-6 Upgrade Options for Slots 1 through 4 and 14 through 17 (S = supported, N = not supported, — = same card or not applicable)

From \ To            4-port   8-port   1-port   4-port   OC-48   OC-192(1)   MRC-2.5G-4   MRC-12
                     OC-3     OC-3     OC-12    OC-12
Four-port OC-3       —        S        N        N        N       —           S            N
Eight-port OC-3      S        —        N        N        N       —           N            N
One-port OC-12       N        N        —        S        S       —           N            S
Four-port OC-12      N        N        S        —        N       —           S            N
OC-48                N        N        S        N        —       —           S            S
OC-192(1)            —        —        —        —        —       —           —            N
MRC-2.5G-4           S        N        N        S        S       —           —            S
MRC-12               N        N        S        N        S       —           N            —

1. The OC-192 is not supported in Slots 1 through 4 and 14 through 17.

Note    Replacing a card with another card of the same speed is not considered a span upgrade; for example, replacing a four-port OC-3 with an eight-port OC-3 card, or replacing a single-port OC-12 with a four-port OC-12 card.

To perform a span upgrade, the higher-rate OC-N card must replace the lower-rate card in the same slot. If the upgrade is conducted on spans residing in a BLSR, all spans in the ring must be upgraded. The protection configuration of the original lower-rate OC-N card (two-fiber BLSR, four-fiber BLSR, path protection, and 1+1) is retained for the higher-rate OC-N card.

To perform a span upgrade on either the OC192-XFP or MRC-12 card with an SFP/XFP (known as pluggable port modules, PPMs, in CTC), the higher-rate PPM must replace the lower-rate PPM in the same slot. If you are using a multirate PPM, you do not need to physically replace the PPM but can provision the PPM for a different line rate. All spans in the network must be upgraded. The 1+1 protection configuration of the original lower-rate PPM is retained for the higher-rate PPM.

When performing span upgrades on a large number of nodes, we recommend that you upgrade all spans in a ring consecutively and in the same maintenance window. Until all spans are upgraded, mismatched card types or PPM types are present.

We recommend using the Span Upgrade Wizard to perform span upgrades. Although you can also use the manual span upgrade procedures, the manual procedures are mainly provided as error recovery for the wizard. The Span Upgrade Wizard and the Manual Span Upgrade procedures require at least two technicians (one at each end of the span) who can communicate with each other during the upgrade. Upgrading a span is non-service affecting and causes no more than three switches, each of which is less than 50 ms in duration.

Note    Span upgrades do not upgrade SONET topologies (for example, a 1+1 group to a two-fiber BLSR). Refer to the Cisco ONS 15454 Procedure Guide for topology upgrade procedures.

11.11.1 Span Upgrade Wizard

The Span Upgrade Wizard automates all steps in the manual span upgrade procedure (BLSR, path protection, and 1+1). The wizard can upgrade both lines on one side of a four-fiber BLSR or both lines of a 1+1 group; the wizard upgrades path protection configurations and two-fiber BLSRs one line at a time. The Span Upgrade Wizard requires that all working spans have DCC enabled.

The Span Upgrade Wizard provides no way to back out of an upgrade. In the case of an error, you must exit the wizard and initiate the manual procedure to either continue with the upgrade or back out of it. To continue with the manual procedure, examine the standing conditions and alarms to identify the stage in which the wizard failure occurred.

Note    When a card change operation is initiated, either through an explicit card change operation or a span upgrade, you need to ensure that the parameters configured before the upgrade are supported by the new card or port that is plugged in. If the new card does not support the parameters configured on the existing card, there can be unexpected behavior, such as the PROV-MISMATCH alarm.

11.11.2 Manual Span Upgrades

Manual span upgrades are mainly provided as error recovery for the Span Upgrade Wizard, but they can be used to perform span upgrades. Downgrading can be performed to back out of a span upgrade. The procedure for downgrading is the same as upgrading except that you choose a lower-rate card type.
You cannot downgrade if circuits exist on the STSs that will be removed (the higher STSs). Procedures for manual span upgrades can be found in the “Upgrade Cards and Spans” chapter in the Cisco ONS 15454 Procedure Guide. Five manual span upgrade options are available:
• Upgrade on a two-fiber BLSR
• Upgrade on a four-fiber BLSR
• Upgrade on a path protection configuration
• Upgrade on a 1+1 protection group
• Upgrade on an unprotected span

11.11.3 In-Service MRC Card Upgrades

The ONS 15454 supports in-service upgrades from multiport fixed-optics cards to the following multirate cards:
• MRC-12 multirate card
• MRC-2.5G-4 multirate card

11.11.3.1 MRC-12 Multirate Card

The MRC-12 multirate card supports an in-service card upgrade from a four-port OC-3 card. The configurations on Ports 1 to 4 of the OC-3 card are migrated to Ports 1 to 4 of the MRC-12 card with OC-3 SFPs.

The MRC-12 multirate card supports an in-service card upgrade from a four-port OC-12 card. For an MRC-12 card with OC-12 SFPs, the configurations on Ports 1, 2, 3, and 4 of the OC-12 card are migrated to Ports 1, 4, 7, and 10 of the MRC-12 card.

The MRC-12 card also supports an in-service card upgrade from an eight-port OC-3 card. The configurations on Ports 1 to 8 of the OC-3 card are migrated to Ports 1 to 8 of the MRC-12 card with OC-3 SFPs.

The MRC-12 multirate card supports an in-service card upgrade from the MRC-2.5G-4 card. This upgrade is possible only if Port 1 is the only provisioned port on the MRC-2.5G-4 card.

When the card is upgraded, all circuits, including overhead circuits, server trails, and timing information provisioned on the card, are moved to the port with the appropriate signal. Note that some circuits may become partial after the card upgrade and must be configured using CTC.
Note    An existing 1+1 or BLSR protection scheme must be deleted before you perform a card upgrade and must be recreated after the upgrade is complete. Span upgrades are not supported.

Table 11-7 describes the upgrade matrix for the MRC-12 card.

Table 11-7 MRC-12 Card Upgrade Matrix

Existing Card     Cross-Connect Card Type   Existing Slot Type   Existing Card Port Number   Starting Backplane STS       MRC-12 Card Port Number   Starting Backplane STS Mapping
OC-3 (4 ports)    XCVT                      Drop slot            1 to 4                      0, 3, 6, 9                   1, 4, 7, 10               0, 48, 96, 144
OC-3 (4 ports)    XCVT                      Trunk slot           1 to 4                      0, 3, 6, 9                   1, 2, 3, 4                0, 60, 72, 48
OC-3 (4 ports)    XC10G/XC-VXC-10G          Any slot             1 to 4                      0, 3, 6, 9                   1, 2, 3, 4                0, 60, 72, 48
OC-3 (8 ports)    XCVT                      Not supported        —                           —                            —                         —
OC-3 (8 ports)    XC10G/XC-VXC-10G          Drop slot(1)         1 to 8                      0, 3, 6, 9, 12, 15, 18, 21   1 to 8                    0, 60, 72, 48, 108, 120, 96, 132
OC-12 (4 ports)   XCVT                      Not supported        —                           —                            —                         —
OC-12 (4 ports)   XC10G/XC-VXC-10G          Drop slot(2)         1 to 4                      0, 12, 24, 36                1, 4, 7, 10               0, 48, 96, 144
MRC-2.5G-4        XCVT                      Drop slot            1                           0                            1                         0
MRC-2.5G-4        XCVT                      Trunk slot           1                           0                            1                         0
MRC-2.5G-4        XC10G/XC-VXC-10G          Drop slot            1                           0                            1                         0
MRC-2.5G-4        XC10G/XC-VXC-10G          Trunk slot           1                           0                            1                         0

1. The OC-3 (8 ports) card is not supported in trunk slots for the XC10G and XC-VXC-10G cards.
2. The OC-12 (4 ports) card is not supported in trunk slots for the XC10G and XC-VXC-10G cards.

11.11.3.2 MRC-2.5G-4 Multirate Card

The MRC-2.5G-4 card supports an in-service card upgrade from a four-port OC-3 card. The configurations on Ports 1 to 4 of the OC-3 card are migrated to Ports 1 to 4 of the MRC-2.5G-4 card with OC-3 SFPs.

The MRC-2.5G-4 card also supports an in-service card upgrade from a four-port OC-12 card. For an MRC-2.5G-4 card with OC-12 SFPs, the configurations on Ports 1 to 4 of the OC-12 card are migrated to Ports 1 to 4 of the MRC-2.5G-4 card.

When the card is upgraded, all circuits, including overhead circuits, server trails, and timing information provisioned on the card, are moved to the port with the appropriate signal. Note that some circuits may become partial after the card upgrade and must be configured using CTC.

Note    An existing 1+1 or BLSR protection scheme must be deleted before you perform a card upgrade and must be recreated after the upgrade is complete. Span upgrades are not supported.

Table 11-8 describes the upgrade matrix for the MRC-2.5G-4 card.

Table 11-8 MRC-2.5G-4 Card Upgrade Matrix

Existing Card     Cross-Connect Card Type   Existing Slot Type   Existing Card Port Number   Starting Backplane STS   MRC-2.5G-4 Card Port Number   Starting Backplane STS Mapping
OC-3 (4 ports)    XCVT                      Drop slot            1 to 4                      0, 3, 6, 9               1 to 4                        0, 48, 96, 144
OC-3 (4 ports)    XC10G/XC-VXC-10G          Any slot             1 to 4                      0, 3, 6, 9               1 to 4                        0, 48, 96, 144
OC-3 (8 ports)    XCVT/XC10G/XC-VXC-10G     Not supported        —                           —                        —                             —
OC-12 (4 ports)   XCVT                      Not supported        —                           —                        —                             —
OC-12 (4 ports)   XC10G/XC-VXC-10G          Drop slot(1)         1 to 4                      0, 12, 24, 36            1 to 4                        0, 48, 96, 144

1. The OC-12 (4 ports) card is not supported in trunk slots for the XC10G and XC-VXC-10G cards.

The card upgrade procedure automatically provisions PPMs, modifies the port count, adjusts bandwidth pools, and provisions VT circuits. For more information on how to perform in-service card upgrades, refer to the Cisco ONS 15454 Procedure Guide.

Note    When a card change operation is initiated, either through an explicit card change operation or a span upgrade, you need to ensure that the parameters configured before the upgrade are supported by the new card or port that is plugged in. If the new card does not support the parameters configured on the existing card, there can be unexpected behavior, such as the PROV-MISMATCH alarm.

11.12 In-Service Topology Upgrades

Topology upgrades can be performed in-service to convert a live network to a different topology. An in-service topology upgrade is potentially service-affecting, and generally allows a traffic hit of 50 ms or less. Traffic might not be protected during the upgrade. The following in-service topology upgrades are supported:
• Unprotected point-to-point or linear ADM to path protection
• Point-to-point or linear ADM to two-fiber BLSR
• Path protection to two-fiber BLSR
• Two-fiber to four-fiber BLSR
• Node addition or removal from an existing topology

You can perform in-service topology upgrades irrespective of the service state of the involved cross-connects or circuits; however, a circuit must have a DISCOVERED status. Circuit types supported for in-service topology upgrades are:
• STS, VT, and VT tunnels
• Virtual concatenated circuits (VCAT)
• Unidirectional and bidirectional
• Automatically routed and manually routed
• CTC-created and TL1-created
• Ethernet (unstitched)
• Multiple source and destination (both sources should be on one node and both drops on one node)

You cannot upgrade stitched Ethernet circuits during topology conversions.
For in-service topology upgrade procedures, refer to the “Convert Network Configurations” chapter in the Cisco ONS 15454 Procedure Guide. For procedures to add or remove a node, refer to the “Add and Remove Nodes” chapter of the Cisco ONS 15454 Procedure Guide.

Note    A database restore on all nodes in a topology returns converted circuits to their original topology.

Note    Open-ended path protection and DRI configurations do not support in-service topology upgrades.

11.12.1 Unprotected Point-to-Point or Linear ADM to Path Protection

CTC provides a topology conversion wizard for converting an unprotected point-to-point or linear ADM topology to path protection. This conversion occurs at the circuit level. CTC can calculate the additional path protection circuit route automatically, or you can route it manually. When routing the path protection circuit, you can provision it as go-and-return or unidirectional. When performing an in-service topology upgrade on a configuration with VCAT circuits, CTC allows you to select member circuits to upgrade individually. When upgrading VT tunnels, CTC does not convert the VT tunnel to path protection, but instead creates a secondary tunnel for the alternate path. The result is two unprotected VT tunnels using alternate paths.

To convert from point-to-point or linear ADM to a path protection, the topology requires an additional circuit route to complete the ring. When the route is established, CTC creates circuit connections on any intermediate nodes and modifies existing circuit connections on the original circuit path. The number and position of network spans in the topology remain unchanged during and after the conversion. Figure 11-35 shows an unprotected point-to-point ADM configuration converted to a path protection.
An additional circuit routes through Node 3 to complete the path protection.

Figure 11-35 Unprotected Point-to-Point ADM to Path Protection Conversion

11.12.2 Point-to-Point or Linear ADM to Two-Fiber BLSR

A 1+1 point-to-point or linear ADM to two-fiber BLSR conversion is manual. You must remove the protect fibers from all nodes in the linear ADM and route them from the end node to the protect port on the other end node. In addition, you must delete the circuit paths that are located in the bandwidth that will become the protection portion of the two-fiber BLSR (for example, circuits in STS 25 or higher on an OC-48 BLSR) and recreate them in the appropriate bandwidth. Finally, you must provision the nodes as BLSR nodes.

To complete a conversion from an unprotected point-to-point or linear ADM to a two-fiber BLSR, use the CTC Convert Unprotected/Path Protection to BLSR wizard from the Tools > Topology Upgrade menu.

11.12.3 Path Protection to Two-Fiber BLSR

CTC provides a topology conversion wizard to convert a path protection to a two-fiber BLSR. An upgrade from a path protection to a two-fiber BLSR changes path protection to line protection. A path protection can have a maximum of 16 nodes before conversion. Circuit paths must occupy the same time slots around the ring. Only the primary path through the path protection is needed; the topology conversion wizard removes the alternate path protection path during the conversion. Because circuit paths can begin and end outside of the topology, the conversion might create line-protected segments within path protection paths of circuits outside the scope of the ring. The physical arrangement of the ring nodes and spans remains the same after the conversion.
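As an added example that is not part of this manual or of Cisco software, the following Python encodes the STS numbering of Table 11-4 (the working and protection halves of a two-fiber BLSR, and the protection channel access range) and uses it for two bandwidth checks the chapter states only in prose: the rule in 11.11.2 that a span cannot be downgraded while circuits occupy the higher STSs that would be removed, and the requirement in 11.12.2 to delete and recreate any circuit that sits in the bandwidth which becomes the protection half of a two-fiber BLSR. The circuit model, the function names, and the sample circuits are assumptions made for the example; on a real node CTC enforces these rules itself.

```python
"""Bandwidth pre-checks for ONS 15454 span downgrades and two-fiber BLSR conversions.

Added example, not Cisco code. It encodes the STS numbering from Table 11-4
(working versus protection halves of a two-fiber BLSR) and uses it to find
circuits that block a span downgrade (11.11.2) or that must be deleted and
recreated before a 1+1 linear ADM is converted to a two-fiber BLSR (11.12.2).
"""
from dataclasses import dataclass
from typing import Iterable, List

# STS-1 timeslots carried by each OC-N line rate.
OCN_STS = {"OC-3": 3, "OC-12": 12, "OC-48": 48, "OC-192": 192}

# CCAT circuit sizes listed in the chapter (STS-1 and STS-Nc), as STS-1 widths.
CCAT_WIDTHS = (1, 3, 6, 9, 12, 24, 36, 48, 192)

# Topology names are assumptions for this example; they group the rows of Table 11-4.
FULL_LINE_TOPOLOGIES = ("path_protection", "path_protection_dri", "1+1", "four_fiber_blsr")
TWO_FIBER_TOPOLOGIES = ("two_fiber_blsr", "two_fiber_blsr_dri")


@dataclass(frozen=True)
class Circuit:
    """A CCAT circuit occupying `width` consecutive STS-1 timeslots on one span.

    start_sts is the 1-based STS-1 number, matching the "STS 1-48" style of Table 11-4.
    """
    name: str
    start_sts: int
    width: int

    def __post_init__(self) -> None:
        if self.width not in CCAT_WIDTHS or self.start_sts < 1:
            raise ValueError(f"{self.name}: invalid CCAT circuit placement")

    @property
    def timeslots(self) -> range:
        return range(self.start_sts, self.start_sts + self.width)


def protected_timeslots(rate: str, topology: str) -> range:
    """Timeslots that carry protected traffic between any two nodes (Table 11-4).

    Path protection, 1+1 and a four-fiber BLSR protect the whole line; a
    two-fiber BLSR reserves the upper half of the line for protection, so only
    the lower half carries working traffic (STS 1-24 on an OC-48 ring).
    """
    n = OCN_STS[rate]
    if topology in FULL_LINE_TOPOLOGIES:
        return range(1, n + 1)
    if topology in TWO_FIBER_TOPOLOGIES:
        return range(1, n // 2 + 1)
    raise ValueError(f"unknown topology: {topology}")


def pca_timeslots(rate: str, topology: str) -> range:
    """Timeslots available for protection channel access (unprotected extra traffic).

    Only the two-fiber BLSR variants expose their protection half (STS 25-48 on
    OC-48); the other schemes in Table 11-4 offer no PCA, so the range is empty.
    """
    n = OCN_STS[rate]
    if topology in TWO_FIBER_TOPOLOGIES:
        return range(n // 2 + 1, n + 1)
    return range(0)


def circuits_outside(circuits: Iterable[Circuit], allowed: range) -> List[Circuit]:
    """Return the circuits that occupy at least one timeslot outside `allowed`."""
    allowed_set = set(allowed)
    return [c for c in circuits if not allowed_set.issuperset(c.timeslots)]


def downgrade_blockers(circuits: Iterable[Circuit], current_rate: str, new_rate: str) -> List[Circuit]:
    """Circuits sitting on the higher STSs a span downgrade would remove (11.11.2).

    The downgrade is only allowed when this list is empty.
    """
    cur, new = OCN_STS[current_rate], OCN_STS[new_rate]
    if new >= cur:
        raise ValueError(f"{current_rate} -> {new_rate} is not a downgrade")
    return circuits_outside(circuits, range(1, new + 1))


def blsr_conversion_blockers(circuits: Iterable[Circuit], rate: str) -> List[Circuit]:
    """Circuits in the bandwidth that becomes the protection half of a two-fiber BLSR (11.12.2).

    These must be deleted and recreated in the working half before the nodes
    are provisioned as BLSR nodes.
    """
    return circuits_outside(circuits, protected_timeslots(rate, "two_fiber_blsr"))


# Constructed sample: four circuits on one OC-48 span of a 1+1 linear ADM.
SAMPLE_CIRCUITS = [
    Circuit("cust-a", start_sts=1, width=1),    # STS-1 in STS 1
    Circuit("cust-b", start_sts=22, width=3),   # STS-3c in STS 22-24
    Circuit("cust-c", start_sts=25, width=12),  # STS-12c in STS 25-36
    Circuit("cust-d", start_sts=48, width=1),   # STS-1 in STS 48
]

if __name__ == "__main__":
    print("OC-48 -> OC-12 downgrade blocked by:",
          [c.name for c in downgrade_blockers(SAMPLE_CIRCUITS, "OC-48", "OC-12")])
    print("Two-fiber BLSR conversion must move:",
          [c.name for c in blsr_conversion_blockers(SAMPLE_CIRCUITS, "OC-48")])
    pca = pca_timeslots("OC-48", "two_fiber_blsr")
    print(f"PCA timeslots on an OC-48 two-fiber BLSR: STS {pca[0]}-{pca[-1]}")
```

Run against the constructed sample, the downgrade check reports cust-b, cust-c and cust-d (anything above STS 12 disappears when the span drops to OC-12), while the BLSR conversion check reports only cust-c and cust-d, the two circuits that would land in STS 25-48, the half of the line the two-fiber BLSR reserves for protection. The same `circuits_outside` helper drives both checks because both are questions about which timeslots remain legitimate for working traffic after the change.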
11.12.4 Two-Fiber BLSR to Four-Fiber BLSR

CTC provides a wizard to convert two-fiber OC-48 or OC-192 BLSRs to four-fiber BLSRs. To convert the BLSR, you must install two OC-48 or OC-192 cards at each two-fiber BLSR node, then log into CTC and convert each node from two-fiber to four-fiber. The fibers that were divided into working and protect bandwidths for the two-fiber BLSR are now fully allocated for working BLSR traffic.

11.12.5 Add or Remove a Node from a Topology

You can add or remove a node from a linear ADM, BLSR, or path protection configuration. Adding or removing nodes from BLSRs is potentially service affecting; however, adding and removing nodes from an existing 1+1 linear ADM or path protection configuration does not disrupt traffic. CTC provides a wizard for adding a node to a point-to-point or 1+1 linear ADM. This wizard is used when adding a node between two other nodes.

11.13 Overlay Ring Circuits

An overlay ring configuration consists of a core ring and subtended rings (Figure 11-36). An Overlay Ring Circuit routes traffic around multiple rings in an overlay ring configuration, passing through one or more nodes more than once. This results in multiple cross-connections on the nodes connecting the core ring to the subtended rings. For example, a customer having a core ring with cross-connects provisioned using TL1 can create cross-connects on subtended rings, due to a business need, without having to disturb the existing cross-connects on the core ring. This circuit can be either protected or unprotected. A typical path protected overlay ring configuration is shown in Figure 11-36, where the circuit traverses the nodes B, D, and F twice, resulting in two cross-connections on these nodes for the same circuit.
In Figure 11-36, the circuits on the OC-12 path are unprotected. The DS3 drop traffic is protected on the drop nodes by provisioning a primary and secondary destination, making it a path protected circuit.

Figure 11-36 Overlay Ring Circuit

Overlay ring supports the following circuit sizes: STS-1, 3c, 6c, 9c, 12c, 24c, 36c, 48c, and 192c. Both unidirectional and bidirectional circuits are supported. Overlay ring circuits are contiguous concatenated (CCAT) and not virtual concatenated (VCAT) circuits. Manual routing is mandatory while provisioning the overlay ring circuit. Overlay ring circuits created using Transaction Language 1 (TL1) are discovered by CTC and the status “DISCOVERED” is displayed. If the overlay ring circuit is deleted, the cross-connects on the core ring and subtended rings are deleted. Cross-connects on a subtended ring can be deleted through TL1, but this is reflected as a partial overlay ring circuit in CTC; that is, the core ring continues to have its cross-connects.

Chapter 12 Circuits and Tunnels

Note    The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.
This chapter explains Cisco ONS 15454 synchronous transport signal (STS), virtual tributary (VT), and virtual concatenated (VCAT) circuits and VT, data communications channel (DCC), and IP-encapsulated tunnels. To provision circuits and tunnels, refer to the Cisco ONS 15454 Procedure Guide. Chapter topics include:
• 12.1 Overview, page 12-2
• 12.2 Circuit Properties, page 12-2
• 12.3 Cross-Connect Card Bandwidth, page 12-12
• 12.4 Portless Transmux, page 12-15
• 12.5 DCC Tunnels, page 12-16
• 12.7 Multiple Destinations for Unidirectional Circuits, page 12-18
• 12.8 Monitor Circuits, page 12-18
• 12.9 Path Protection Circuits, page 12-19
• 12.10 BLSR Protection Channel Access Circuits, page 12-21
• 12.11 BLSR STS and VT Squelch Tables, page 12-22
• 12.12 IEEE 802.17 Resilient Packet Ring Circuit Display, page 12-23
• 12.13 Section and Path Trace, page 12-24
• 12.14 Path Signal Label, C2 Byte, page 12-25
• 12.15 Automatic Circuit Routing, page 12-27
• 12.16 Manual Circuit Routing, page 12-29
• 12.17 Constraint-Based Circuit Routing, page 12-33
• 12.18 Virtual Concatenated Circuits, page 12-34
• 12.19 Bridge and Roll, page 12-39
• 12.20 Merged Circuits, page 12-45
• 12.21 Reconfigured Circuits, page 12-46
• 12.22 VLAN Management, page 12-46
• 12.23 Server Trails, page 12-46
12.1 Overview
You can create circuits across and within ONS 15454 nodes and assign different attributes to circuits. For example, you can:
• Create one-way, two-way (bidirectional), or broadcast circuits.
• Assign user-defined names to circuits.
• Assign different circuit sizes.
• Automatically or manually route circuits.
• Automatically create multiple circuits with autoranging. VT tunnels do not use autoranging.
• Provide full protection to the circuit path.
• Provide only protected sources and destinations for circuits.
• Define a secondary circuit source or destination that allows you to interoperate an ONS 15454 path protection configuration with third-party equipment path protection configurations.
• Set path protection circuits as revertive or nonrevertive.
You can provision circuits at any of the following points:
• Before cards are installed. The ONS 15454 allows you to provision slots and circuits before installing the traffic cards.
• After you preprovision the Small Form-factor Pluggables (SFPs) (also called provisionable port modules [PPMs]).
• After cards and SFPs are installed and ports are in service.
Circuits do not actually carry traffic until the cards and SFPs are installed and the ports are In-Service and Normal (IS-NR); Out-of-Service and Autonomous, Automatic In-Service (OOS-AU,AINS); or Out-of-Service and Management, Maintenance (OOS-MA,MT). Circuits carry traffic as soon as the signal is received.
12.2 Circuit Properties
The ONS 15454 Cisco Transport Controller (CTC) Circuits window, which appears in network, node, and card view, is where you can view information about circuits. The Circuits window (Figure 12-1) provides the following information:
• Name—The name of the circuit. The circuit name can be manually assigned or automatically generated.
• Type—The circuit types are STS (STS circuit), VT (VT circuit), VTT (VT tunnel), VAP (VT aggregation point), OCHNC (dense wavelength division multiplexing [DWDM] optical channel network connection; refer to the Cisco ONS 15454 DWDM Procedure Guide), STS-V (STS VCAT circuit), or VT-V (VT VCAT circuit).
• Size—The circuit size. VT circuits are 1.5. STS circuit sizes are 1, 3c, 6c, 9c, 12c, 24c, 36c, 48c, and 192c.
OCHNC sizes are Equipped non specific, Multi-rate, 2.5 Gbps No FEC (forward error correction), 2.5 Gbps FEC, 10 Gbps No FEC, and 10 Gbps FEC (OCHNC is DWDM only; refer to the Cisco ONS 15454 DWDM Procedure Guide). VCAT circuits are VT1.5-nv, STS-1-nv, STS-3c-nv, and STS-12c-nv, where n is the number of members. For time slot availability on concatenated STSs, see the “12.2.1 Concatenated STS Time Slot Assignments” section on page 12-4.
• OCHNC Wlen—For OCHNCs, the wavelength provisioned for the optical channel network connection. For more information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
• Direction—The circuit direction, either two-way or one-way.
• OCHNC Dir—For OCHNCs, the direction of the optical channel network connection, either east to west or west to east. For more information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
• Protection—The type of circuit protection. See the “12.2.4 Circuit Protection Types” section on page 12-9 for a list of protection types.
• Status—The circuit status. See the “12.2.2 Circuit Status” section on page 12-6.
• Source—The circuit source in the format node/slot/port “port name”/STS/VT. (The port name appears in quotes.) Node and slot always appear; port “port name”/STS/VT might appear, depending on the source card, circuit type, and whether a name is assigned to the port. For the OC192-XFP and MRC-12 cards, the port appears as port pluggable module (PPM)-port. If the circuit size is a concatenated size (3c, 6c, 12c, etc.), the STSs used in the circuit are indicated by an ellipsis, for example, S7..9 (STSs 7, 8, and 9) or S10..12 (STSs 10, 11, and 12).
• Destination—The circuit destination in the same format as the circuit source.
• # of VLANS—The number of VLANs used by an Ethernet circuit.
• # of Spans—The number of internode links that constitute the circuit.
Right-clicking the column shows a shortcut menu from which you can choose Span Details to show or hide circuit span detail. For each node in the span, the span detail shows the node/slot (card type)/port/STS/VT.
• State—The circuit state. See the “12.2.3 Circuit States” section on page 12-7.
The Filter button allows you to filter the circuits in network, node, or card view based on circuit name, size, type, direction, and other attributes. In addition, you can export the Circuit window data in HTML, comma-separated values (CSV), or tab-separated values (TSV) format using the Export command from the File menu.
Figure 12-1 ONS 15454 Circuit Window in Network View
12.2.1 Concatenated STS Time Slot Assignments
Table 12-1 shows the available time slot assignments for concatenated STSs when using CTC to provision circuits.
Table 12-1 STS Mapping Using CTC
Starting STS | STS-3c | STS-6c | STS-9c | STS-12c | STS-18c | STS-24c | STS-36c | STS-48c | STS-192c
1 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
4 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No
7 | Yes | Yes | No | No | Yes | Yes | Yes | No | No
10 | Yes | No | Yes | No | Yes | Yes | Yes | No | No
13 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
16 | Yes | Yes | Yes | No | Yes | Yes | No | No | No
19 | Yes | Yes | Yes | No | Yes | Yes | No | No | No
22 | Yes | No | No | No | Yes | Yes | No | No | No
25 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No
28 | Yes | Yes | Yes | No | Yes | No | No | No | No
31 | Yes | Yes | No | No | Yes | No | No | No | No
34 | Yes | No | No | No | No | No | No | No | No
37 | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No
40 | Yes | Yes | Yes | No | No | No | No | No | No
43 | Yes | Yes | No | No | No | No | No | No | No
46 | Yes | No | Yes | No | No | No | No | No | No
49 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
52 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No
55 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No
58 | Yes | No | No | No | Yes | Yes | Yes | No | No
61 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
64 | Yes | Yes | Yes | No | Yes | Yes | No | No | No
67 | Yes | Yes | No | No | Yes | Yes | No | No | No
70 | Yes | No | No | No | Yes | Yes | No | No | No
73 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
76 | Yes | Yes | Yes | No | Yes | No | No | No | No
79 | Yes | Yes | No | No | Yes | No | No | No | No
82 | Yes | No | Yes | No | No | No | No | No | No
85 | Yes | Yes | Yes | Yes | No | No | No | No | No
88 | Yes | Yes | Yes | No | No | No | No | No | No
91 | Yes | Yes | Yes | No | Yes | No | No | No | No
94 | Yes | No | No | No | No | No | No | No | No
97 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
100 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No
103 | Yes | Yes | No | No | Yes | Yes | Yes | No | No
106 | Yes | No | No | No | Yes | Yes | Yes | No | No
109 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
112 | Yes | Yes | Yes | No | Yes | Yes | No | No | No
115 | Yes | Yes | No | No | Yes | Yes | No | No | No
118 | Yes | No | Yes | No | Yes | Yes | No | No | No
121 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No
124 | Yes | Yes | Yes | No | Yes | No | No | No | No
127 | Yes | Yes | Yes | No | Yes | No | No | No | No
130 | Yes | No | No | No | No | No | No | No | No
133 | Yes | Yes | Yes | Yes | No | No | No | No | No
136 | Yes | Yes | Yes | No | No | No | No | No | No
139 | Yes | Yes | No | No | No | No | No | No | No
142 | Yes | No | No | No | No | No | No | No | No
145 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
148 | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No
151 | Yes | Yes | No | No | Yes | Yes | Yes | No | No
154 | Yes | No | Yes | No | Yes | Yes | Yes | No | No
157 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No
160 | Yes | Yes | Yes | No | Yes | Yes | No | No | No
163 | Yes | Yes | Yes | No | Yes | Yes | No | No | No
166 | Yes | No | No | No | Yes | Yes | No | No | No
169 | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No
172 | Yes | Yes | Yes | No | Yes | No | No | No | No
175 | Yes | Yes | No | No | Yes | No | No | No | No
178 | Yes | No | No | No | No | No | No | No | No
181 | Yes | Yes | Yes | Yes | Yes | No | No | No | No
184 | Yes | Yes | Yes | No | Yes | No | No | No | No
187 | Yes | Yes | No | No | Yes | No | No | No | No
190 | Yes | No | No | No | Yes | No | No | No | No
12.2.2 Circuit Status
The circuit statuses that appear in the Circuit window Status column are generated by CTC based on conditions along the circuit path. Table 12-2 shows the statuses that can appear in the Status column.
Table 12-2 ONS 15454 Circuit Status
Status | Definition/Activity
CREATING | CTC is creating a circuit.
DISCOVERED | CTC created a circuit. All components are in place and a complete path exists from circuit source to destination.
DELETING | CTC is deleting a circuit.
PARTIAL | A CTC-created circuit is missing a cross-connect or network span, a complete path from source to destinations does not exist, or an alarm interface panel (AIP) change occurred on one of the circuit nodes and the circuit is in need of repair. (AIPs store the node MAC address.) In CTC, circuits are represented using cross-connects and network spans. If a network span is missing from a circuit, the circuit status is PARTIAL. However, a PARTIAL status does not necessarily mean a circuit traffic failure has occurred, because traffic might flow on a protect path. Network spans are in one of two states: up or down. On CTC circuit and network maps, up spans appear as green lines, and down spans appear as gray lines. If a failure occurs on a network span during a CTC session, the span remains on the network map but its color changes to gray to indicate that the span is down. If you restart your CTC session while the failure is active, the new CTC session cannot discover the span and its span line does not appear on the network map. Consequently, circuits routed on a network span that goes down appear as DISCOVERED during the current CTC session, but appear as PARTIAL to users who log in after the span failure.
DISCOVERED_TL1 | A TL1-created circuit or a TL1-like, CTC-created circuit is complete. A complete path from source to destinations exists.
PARTIAL_TL1 | A TL1-created circuit or a TL1-like, CTC-created circuit is missing a cross-connect or circuit span (network link), and a complete path from source to destinations does not exist.
CONVERSION_PENDING | An existing circuit in a topology upgrade is set to this state. The circuit returns to the DISCOVERED state once the topology upgrade is complete. For more information about topology upgrades, see Chapter 11, “SONET Topologies and Upgrades.”
PENDING_MERGE | Any new circuits created to represent an alternate path in a topology upgrade are set to this status to indicate that it is a temporary circuit. These circuits can be deleted if a topology upgrade fails. For more information about topology upgrades, see Chapter 11, “SONET Topologies and Upgrades.”
DROP_PENDING | A circuit is set to this status when a new circuit drop is being added.
ROLL_PENDING | A circuit roll is awaiting completion or cancellation.
12.2.3 Circuit States
The circuit service state is an aggregate of the cross-connect states within the circuit.
• If all cross-connects in a circuit are in the In-Service and Normal (IS-NR) service state, the circuit service state is In-Service (IS).
• If all cross-connects in a circuit are in an Out-of-Service (OOS) service state, such as Out-of-Service and Management, Maintenance (OOS-MA,MT); Out-of-Service and Management, Disabled (OOS-MA,DSBLD); or Out-of-Service and Autonomous, Automatic In-Service (OOS-AU,AINS) service state, the circuit service state is Out-of-Service (OOS).
• PARTIAL is appended to the OOS circuit service state when the circuit cross-connect states are mixed and not all in IS-NR. The OOS-PARTIAL state can occur during automatic or manual transitions between states. For example, OOS-PARTIAL appears if you assign the IS,AINS administrative state to a circuit with DS-1 or DS3XM cards as the source or destination. Some cross-connects transition to the IS-NR service state, while others transition to OOS-AU,AINS. OOS-PARTIAL can appear during a manual transition caused by an abnormal event such as a CTC crash or communication error, or if one of the cross-connects could not be changed. Refer to the Cisco ONS 15454 Troubleshooting Guide for troubleshooting procedures. The OOS-PARTIAL circuit state does not apply to OCHNC circuit types.
You can assign a state to circuit cross-connects at two points:
• During circuit creation, you can set the state in the Create Circuit wizard.
• After circuit creation, you can change a circuit state in the Edit Circuit window or from the Tools > Circuits > Set Circuit State menu.
Note After you have created an initial circuit in a CTC session, the subsequent circuit states default to the circuit state of the initial circuit, regardless of which nodes in the network the circuits traverse or the node.ckt.state default setting.
During circuit creation, you can apply a service state to the drop ports in a circuit.
You cannot transition a drop port from the IS-NR service state to the OOS-MA,DSBLD service state; you must first put the port in the OOS-MA,MT state before changing it to the OOS-MA,DSBLD state. For more information about port service state transitions, see Appendix B, “Administrative and Service States.”
Circuits do not use the soak timer, but ports do. The soak period is the amount of time that the port remains in the OOS-AU,AINS service state after a signal is continuously received. When the cross-connects in a circuit are in the OOS-AU,AINS service state, the ONS 15454 monitors the cross-connects for an error-free signal. It changes the state of the circuit from OOS to IS or to OOS-PARTIAL as each cross-connect assigned to the circuit path is completed. This allows you to provision a circuit using TL1, verify its path continuity, and prepare the port to go into service when it receives an error-free signal for the time specified in the port soak timer. Two common examples of state changes you see when provisioning circuits using CTC are:
• When assigning the IS,AINS administrative state to cross-connects in VT circuits and VT tunnels, the source and destination ports on the VT circuits remain in the OOS-AU,AINS service state until an alarm-free signal is received for the duration of the soak timer. When the soak timer expires and an alarm-free signal is found, the VT source port and destination port service states change to IS-NR and the circuit service state becomes IS.
• When assigning the IS,AINS administrative state to cross-connects in STS circuits, the circuit source and destination ports transition to the OOS-AU,AINS service state. When an alarm-free signal is received, the source and destination ports remain OOS-AU,AINS for the duration of the soak timer. After the port soak timer expires, STS source and destination ports change to IS-NR and the circuit service state changes to IS.
To find the remaining port soak time, choose the Maintenance > AINS Soak tabs in card view and click the Retrieve button. If the port is in the OOS-AU,AINS state and has a good signal, the Time Until IS column shows the soak countdown status. If the port is OOS-AU,AINS and has a bad signal, the Time Until IS column indicates that the signal is bad. You must click the Retrieve button to obtain the latest time value.
Note Although ML-Series cards do not use the Telcordia GR-1093-CORE state model, you can also set a soak timer for ML-Series card ports. The soak period is the amount of time that the ML-Series port remains in the Down state after an error-free signal is continuously received before changing to the Up state. To find the remaining port soak time, choose the Maintenance > Ether/POS Port Soak tabs in ML-Series card view and click the Retrieve button.
For more information about port and cross-connect states, see Appendix B, “Administrative and Service States.”
12.2.4 Circuit Protection Types
The Protection column in the Circuit window shows the card (line) and SONET topology (path) protection used for the entire circuit path. Table 12-3 shows the protection type indicators that appear in this column.
Table 12-3 Circuit Protection Types
Protection Type | Description
1+1 | The circuit is protected by a 1+1 protection group.
2F BLSR | The circuit is protected by a two-fiber BLSR.
4F BLSR | The circuit is protected by a four-fiber BLSR.
2F-PCA | The circuit is routed on a protection channel access (PCA) path on a two-fiber BLSR. PCA circuits are unprotected.
4F-PCA | The circuit is routed on a PCA path on a four-fiber BLSR. PCA circuits are unprotected.
BLSR | The circuit is protected by both a two-fiber and a four-fiber BLSR.
DRI | The circuit is protected by a dual-ring interconnection (DRI).
N/A | A circuit with connections on the same node is not protected.
PCA | The circuit is routed on a PCA path on both two-fiber and four-fiber BLSRs. PCA circuits are unprotected.
Protected | The circuit is protected by diverse SONET topologies, for example, a BLSR and a path protection configuration, or a path protection configuration and 1+1 protection.
Unknown | A circuit has a source and destination on different nodes and communication is down between the nodes. This protection type appears if not all circuit components are known.
Unprot (black) | A circuit with a source and destination on different nodes is not protected.
Unprot (red) | A circuit created as a fully protected circuit is no longer protected due to a system change, such as removal of a BLSR or 1+1 protection group.
Path Protection | The circuit is protected by a path protection configuration.
SPLITTER | The circuit is protected by the protect transponder (TXPP_MR_2.5G) splitter protection. For splitter information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
Y-Cable | The circuit is protected by a transponder or muxponder card Y-cable protection group. For more information, refer to the Cisco ONS 15454 DWDM Procedure Guide.
12.2.5 Circuit Information in the Edit Circuit Window
You can edit a selected circuit using the Edit button on the Circuits window. The tabs that appear depend on the circuit chosen:
• General—Displays general circuit information and allows you to edit the circuit name.
• Drops—Allows you to add a drop to a unidirectional circuit. For more information, see the “12.7 Multiple Destinations for Unidirectional Circuits” section on page 12-18.
• Monitors—Displays possible monitor sources and allows you to create a monitor circuit. For more information, see the “12.8 Monitor Circuits” section on page 12-18.
• Path Protection Selectors—Allows you to change path protection selectors. For more information, see the “12.9 Path Protection Circuits” section on page 12-19.
• Path Protection Switch Counts—Allows you to change path protection switch protection paths. For more information, see the “12.9 Path Protection Circuits” section on page 12-19.
• State—Allows you to edit cross-connect service states.
• Merge—Allows you to merge aligned circuits. For more information, see the “12.20 Merged Circuits” section on page 12-45.
Using the Export command from the File menu, you can export data from the Path Protection Selectors, Path Protection Switch Counts, State, and Merge tabs in HTML, comma-separated values (CSV), or tab-separated values (TSV) format.
The Show Detailed Map checkbox in the Edit Circuit window updates the graphical view of the circuit to show more detailed routing information, such as:
• Circuit direction (unidirectional/bidirectional)
• The nodes, STSs, and VTs through which a circuit passes, including slots and port numbers
• The circuit source and destination points
• Open Shortest Path First (OSPF) area IDs
• Link protection (path protection, unprotected, BLSR, 1+1) and bandwidth (OC-N)
• Provisionable patchcords between two cards on the same node or different nodes
For BLSRs, the detailed map shows the number of BLSR fibers and the BLSR ring ID. For path protection configurations, the map shows the active and standby paths from circuit source to destination, and it also shows the working and protect paths. Selectors appear as pentagons on the detailed circuit map. The map indicates nodes set up as DRI nodes. For VCAT circuits, the detailed map is not available for an entire VCAT circuit. However, you can view the detailed map to see the circuit route for each individual member.
You can also view alarms and states on the circuit map, including:
• Alarm states of nodes on the circuit route
• Number of alarms on each node organized by severity
• Port service states on the circuit route
• Alarm state/color of most severe alarm on port
• Loopbacks
• Path trace states
• Path selector states
By default, the working path is indicated by a green, bidirectional arrow, and the protect path is indicated by a purple, bidirectional arrow. Source and destination ports are shown as circles with an S and D. Port states are indicated by colors, shown in Table 12-4. In detailed view, a notation within or by the squares or selector pentagons indicates switches and loopbacks, including:
• F = Force switch
• M = Manual switch
• L = Lockout switch
• Arrow = Facility (outward) or terminal (inward) loopback
Move the mouse cursor over nodes, ports, and spans to see tooltips with information including the number of alarms on a node (organized by severity), the port service state, and the protection topology. Right-click a node, port, or span on the detailed circuit map to initiate certain circuit actions:
• Right-click a unidirectional circuit destination node to add a drop to the circuit.
• Right-click a port containing a path-trace-capable card to initiate the path trace.
• Right-click a path protection span to change the state of the path selectors in the path protection circuit.
Figure 12-2 shows a circuit routed on a two-fiber BLSR. A port is shown in terminal loopback.
Table 12-4 Port State Color Indicators
Port Color | Service State
Green | IS-NR
Gray | OOS-MA,DSBLD
Violet | OOS-AU,AINS
Blue (Cyan) | OOS-MA,MT
Figure 12-2 BLSR Circuit Displayed on the Detailed Circuit Map
12.3 Cross-Connect Card Bandwidth
The ONS 15454 XCVT, XC10G, and XC-VXC-10G cross-connect cards perform port-to-port time-division multiplexing (TDM). XCVT, XC10G, and XC-VXC-10G cards perform STS, VT2 (XC-VXC-10G only), and VT1.5 multiplexing. The STS matrix on the XCVT cross-connect card has a capacity for 288 STS terminations, and the XC10G and XC-VXC-10G cards each have a capacity for 1152 STS terminations. Because each STS circuit requires a minimum of two terminations, one for ingress and one for egress, the XCVT card has a capacity for 144 STS circuits, while the XC10G and XC-VXC-10G cards have a capacity for 576 STS circuits. However, this capacity is reduced at path protection and 1+1 nodes, because three STS terminations are required at circuit source and destination nodes and four terminations are required at 1+1 circuit pass-through nodes. Path protection pass-through nodes only require two STS terminations.
The XCVT and XC10G cards perform VT1.5 multiplexing through 24 logical STS ports on the XCVT or XC10G VT matrix, and the XC-VXC-10G card performs VT1.5 and VT2 multiplexing through 96 logical STS ports on the XC-VXC-10G VT matrix. Each logical STS port can carry 28 VT1.5s or 21 VT2s. Consequently, the VT matrix on the XCVT or XC10G has capacity for 672 VT1.5 terminations, or 336 VT1.5 circuits. The VT matrix on the XC-VXC-10G has capacity for 2688 VT1.5 terminations (1344 VT1.5 bidirectional circuits) or 2016 VT2 terminations (1008 VT2 bidirectional circuits). Every circuit requires two terminations, one for ingress and one for egress.
However, this capacity is only achievable if:
• Every STS port on the VT matrix carries 28 VT1.5s or 21 VT2s.
• The node is in a BLSR or 1+1 protection scheme.
For example, if you create a VT1.5 circuit from an STS-1 on a drop card, two VT matrix STS ports are used, as shown in Figure 12-3. If you create a second VT1.5 circuit from the same STS port on the drop card, no additional logical STS ports are used on the VT matrix. In fact, you can create up to 28 VT1.5 circuits using the same STS-1 port. However, if the next VT1.5 circuit originates on a different STS, an additional pair of STS ports on the VT matrix is used, as shown in Figure 12-4. If you continued to create VT1.5 circuits on different EC-1 STSs and mapped each to an unused outbound STS, the VT matrix capacity would be reached after you created 12 VT1.5 circuits in the case of the XCVT or XC10G cards, or 48 VT1.5 circuits in the case of the XC-VXC-10G card.
Figure 12-3 One VT1.5 Circuit on One STS
[Figure: an EC-1 drop (source) through the STS matrix and VT1.5 matrix to an OC-12 or OC-192 trunk. XCVT/XC10G matrices: VT1.5 circuit #1 on STS-1, 1 VT1.5 used on STS-1, 27 VT1.5s available on STS-1; 2 STSs total used, 22 STSs available. XC-VXC-10G matrices: the same circuit; 2 STSs total used, 94 STSs available.]
Figure 12-4 Two VT1.5 Circuits in a BLSR
[Figure: as in Figure 12-3, with VT1.5 circuit #1 on STS-1 and VT1.5 circuit #2 on STS-2, 1 VT1.5 used and 27 VT1.5s available on each STS. XCVT/XC10G matrices: 4 STSs total used, 20 STSs available. XC-VXC-10G matrices: 4 STSs total used, 92 STSs available.]
Note Circuits with DS1-14 and DS1N-14 circuit sources or destinations use one STS port on the VT matrix. Because you can only create 14 VT1.5 circuits from the DS-1 cards, 14 VT1.5s are unused on the VT matrix.
VT matrix capacity is also affected by SONET protection topology and node position within the circuit path. Matrix usage is slightly higher for path protection nodes than for BLSR and 1+1 nodes. Circuits use two VT matrix ports at pass-through nodes if VT tunnels and aggregation points are not used. If the circuit is routed on a VT tunnel or an aggregation point, no VT matrix resources are used. Table 12-5 shows basic STS port usage rates for VT1.5 circuits.
Cross-connect card resources can be viewed on the Maintenance > Cross-Connect > Resource Usage tab. This tab shows:
• STS-1 Matrix—The percent of STS matrix resources that are used. 288 STSs are available on XCVT cards; 1152 are available on XC10G and XC-VXC-10G cards.
• VT Matrix Ports—The percent of the VT matrix ports (logical STS ports) that are used. 24 ports are available on XCVT and XC10G cards; 96 ports are available on the XC-VXC-10G card. The VT Port Matrix Detail shows the percent of each VT matrix port that is used.
• VT Matrix—The percent of the total VT matrix terminations that are used. There are 672 terminations for the XCVT and XC10G cards: 672 is the number of logical STS VT matrix ports (24) multiplied by the number of VT1.5s per port (28). There are 2688 terminations for the XC-VXC-10G card: 2688 is the number of logical STS VT matrix ports (96) multiplied by the number of VT1.5s per port (28).
To maximize resources on the cross-connect card VT matrix, keep the following points in mind as you provision circuits:
• Use all 28 VT1.5s on a given port or STS before moving to the next port or STS.
• Try to use EC-1, DS3XM, or OC-N cards as the VT1.5 circuit source and destination. VT1.5 circuits with DS1-14 or DS1N-14 sources or destinations use a full port on the VT matrix even though only 14 VT1.5 circuits can be created.
• Use VT tunnels and VT aggregation points to reduce VT matrix utilization. VT tunnels allow VT1.5 circuits to bypass the VT matrix on pass-through nodes. They are cross-connected as STSs and only go through the STS matrix. VT aggregation points allow multiple VT1.5 circuits to be aggregated onto a single STS to bypass the VT matrix at the aggregation node.
12.4 Portless Transmux
The DS3XM-12 card provides a portless transmux interface to change DS-3s into VT1.5s. For XCVT drop slots, the DS3XM-12 card provides a maximum of 6 portless transmux interfaces; for XCVT trunk slots and XC10G or XC-VXC-10G slots, the DS3XM-12 card provides a maximum of 12 portless transmux interfaces. If two ports are configured as portless transmux, CTC allows you to create a DS3/STS1 circuit using one of these ports as the circuit end point. You can create separate DS1/VT1.5 circuits (up to 28) using the other port in this portless transmux pair. When creating a circuit through the DS3XM-12 card, the portless pair blocks the mapped physical port(s); CTC does not display a blocked physical port in the source or destination drop-down list during circuit creation. Table 12-6 lists the portless transmux mapping for XCVT drop ports.
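The VT matrix accounting described in section 12.3 (logical STS ports, 28 VT1.5s per port, 24 or 96 ports per card, the usage counts of Table 12-5) can be checked before circuits are provisioned. The following is an added example, not code from the Cisco manual or from CTC: it models a logical VT matrix port as one (interface, STS) pair a circuit touches at a node, reproduces the 12-circuit and 48-circuit exhaustion cases from the text, and flags plans that exceed the card. Interface labels and circuit names are constructed; VT2 (21 per port) is not modelled.

```python
"""VT matrix resource accounting for ONS 15454 cross-connect cards.

Added example, not Cisco code. The model follows section 12.3 and Table 12-5:
a VT1.5 circuit occupies one logical STS port on the VT matrix for every
(interface, STS) it touches at the node, circuits on the same (interface, STS)
share that port, a port carries at most 28 VT1.5s, and a pass-through circuit
carried in a VT tunnel bypasses the VT matrix. Interface labels such as
"ec1-drop" are constructed; the STS index is only an identity for the STS.
"""
from collections import Counter
from dataclasses import dataclass

VT15_PER_PORT = 28                                  # VT1.5s per logical STS port
VT_MATRIX_PORTS = {"XCVT": 24, "XC10G": 24, "XC-VXC-10G": 96}


@dataclass(frozen=True)
class VtCircuit:
    """A VT1.5 circuit as seen at one node; legs are (interface, STS) pairs."""
    name: str
    legs: tuple


def endpoint_legs(protection, drop, working, protect=None):
    """Legs at a circuit source or destination node (Table 12-5, row 1).

    protection is "none", "BLSR", "1+1" or "path"; only path protection adds
    a third STS, the protect-side leg, which is why that column reads 3.
    """
    if protection == "path":
        if protect is None:
            raise ValueError("a path protection endpoint needs a protect-side STS")
        return (drop, working, protect)
    return (drop, working)


def passthrough_legs(ingress, egress, vt_tunnel=False):
    """Legs at a pass-through node (Table 12-5, rows 2 and 3)."""
    return () if vt_tunnel else (ingress, egress)


def vt_matrix_usage(card, circuits):
    """Compute one node's VT matrix usage, like the Resource Usage tab.

    Returns port and termination counts plus a list of problems; the list is
    empty when the plan fits the card. An unknown card name raises KeyError.
    """
    ports_total = VT_MATRIX_PORTS[card]
    vt_per_port = Counter()
    for circuit in circuits:
        for leg in circuit.legs:
            vt_per_port[leg] += 1                   # one VT1.5 termination per leg
    ports_used = len(vt_per_port)
    problems = []
    if ports_used > ports_total:
        problems.append(f"{ports_used} logical STS ports needed, {card} has {ports_total}")
    for (interface, sts), count in sorted(vt_per_port.items()):
        if count > VT15_PER_PORT:
            problems.append(f"{interface} STS-{sts}: {count} VT1.5s exceed {VT15_PER_PORT}")
    return {
        "card": card,
        "ports_used": ports_used,
        "ports_total": ports_total,
        "vt_terminations_used": sum(vt_per_port.values()),
        "vt_terminations_total": ports_total * VT15_PER_PORT,
        "problems": problems,
    }


def one_sts_each(card, n_circuits, protection="BLSR"):
    """The 12.3 walk-through: every circuit on its own drop-side STS, mapped to
    an unused outbound STS, so each circuit costs a fresh pair of ports."""
    circuits = [
        VtCircuit(f"vt{i}", endpoint_legs(protection, ("ec1-drop", i), ("oc-n-trunk", i)))
        for i in range(1, n_circuits + 1)
    ]
    return vt_matrix_usage(card, circuits)


def same_sts(card, n_circuits):
    """The other extreme: all circuits packed onto STS-1 of the same two interfaces."""
    circuits = [
        VtCircuit(f"vt{i}", endpoint_legs("BLSR", ("ec1-drop", 1), ("oc-n-trunk", 1)))
        for i in range(1, n_circuits + 1)
    ]
    return vt_matrix_usage(card, circuits)


if __name__ == "__main__":
    for card, n in (("XCVT", 12), ("XCVT", 13), ("XC-VXC-10G", 48)):
        usage = one_sts_each(card, n)
        print(f"{card}: {n} circuits on distinct STSs -> "
              f"{usage['ports_used']}/{usage['ports_total']} ports; {usage['problems'] or 'ok'}")
    usage = same_sts("XCVT", 28)
    print(f"XCVT: 28 circuits on one STS pair -> {usage['ports_used']} ports, "
          f"{usage['vt_terminations_used']}/{usage['vt_terminations_total']} terminations")
```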
Table 12-5 VT Matrix Port Usage for One VT1.5 Circuit Node Type No Protection BLSR Path Protection 1+1 Circuit source or destination node 2 2 3 2 Circuit pass-through node without VT tunnel 2 2 2 2 Circuit pass-through node with VT tunnel 0 0 0 012-16 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 12 Circuits and Tunnels 12.5 DCC Tunnels Table 12-7 lists the portless transmux for XCVT trunk ports and for XC10G or XC-VXC-10G any-slot ports. 12.5 DCC Tunnels SONET provides four DCCs for network element (NE) operation, administration, maintenance, and provisioning (OAM&P): one on the SONET Section layer (DCC1) and three on the SONET Line layer (DCC2, DCC3, and DCC4). The ONS 15454 uses the Section DCC (SDCC) for ONS 15454 management and provisioning. An SDCC and Line DCC (LDCC) each provide 192 Kbps of bandwidth per channel. The aggregate bandwidth of the three LDCCs is 576 Kbps. When multiple DCC channels exist between two neighboring nodes, the ONS 15454 balances traffic over the existing DCC channels using a load balancing algorithm. This algorithm chooses a DCC for packet transport by considering packet size and DCC utilization. You can tunnel third-party SONET equipment across ONS 15454 networks using one of two tunneling methods: a traditional DCC tunnel or an IP-encapsulated tunnel. 
Table 12-6 Portless Transmux Mapping for XCVT Drop Ports

Physical Port   Portless Port Pair
1, 2            13, 14
3, 4            15, 16
5, 6            17, 18
7, 8            19, 20
9, 10           21, 22
11, 12          23, 24

Table 12-7 Portless Transmux Mapping for XCVT Trunk and XC10G/XC-VXC-10G Any-Slot Ports

Physical Port   Portless Port Pair
1               13, 14
2               25, 26
3               15, 16
4               27, 28
5               17, 18
6               29, 30
7               19, 20
8               31, 32
9               21, 22
10              33, 34
11              23, 24
12              35, 36

12.5.1 Traditional DCC Tunnels

In traditional DCC tunnels, you can use the three LDCCs and the SDCC (when not used for ONS 15454 DCC terminations). A traditional DCC tunnel endpoint is defined by slot, port, and DCC, where DCC can be either the SDCC or one of the LDCCs. You can link LDCCs to LDCCs and link SDCCs to SDCCs. You can also link an SDCC to an LDCC, and an LDCC to an SDCC. To create a DCC tunnel, you connect the tunnel endpoints from one ONS 15454 optical port to another. Cisco recommends a maximum of 84 DCC tunnel connections for an ONS 15454. Table 12-8 shows the DCC tunnels that you can create using different OC-N cards.

Figure 12-5 shows a DCC tunnel example. Third-party equipment is connected to OC-3 cards at Node 1/Slot 3/Port 1 and Node 3/Slot 3/Port 1. Each ONS 15454 node is connected by OC-48 trunk (span) cards. In the example, three tunnel connections are created, one at Node 1 (OC-3 to OC-48), one at Node 2 (OC-48 to OC-48), and one at Node 3 (OC-48 to OC-3).

Figure 12-5 Traditional DCC Tunnel

When you create DCC tunnels, keep the following guidelines in mind:
• Each ONS 15454 can have up to 84 DCC tunnel connections.
• Each ONS 15454 can have up to 84 Section DCC terminations.
• An SDCC that is terminated cannot be used as a DCC tunnel endpoint.
• An SDCC that is used as a DCC tunnel endpoint cannot be terminated.
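The DCC tunnel guidelines of this section (including the rule, stated after Table 12-8, that every tunnel connection is bidirectional), worked as an added example that is not Cisco's or CTC's code: a node model that refuses a tunnel endpoint on a terminated SDCC and the reverse, enforces the 84-connection and 84-termination limits, checks the DCCs a card offers against Table 12-8, stores each tunnel as an unordered pair, and then builds the three connections of Figure 12-5 and traces the DCC from Node 1 through to Node 3. The fiber spans between the nodes, the card types assigned to the OC-3 and OC-48 ports, and the reading of the figure's "Tunnel 1" as DCC2 are assumptions made for the example.

```python
from dataclasses import dataclass

SDCC = "DCC1"                      # Section DCC, bytes D1-D3
LDCCS = ("DCC2", "DCC3", "DCC4")   # Line DCCs, bytes D4-D6, D7-D9, D10-D12
MAX_TUNNELS = 84                   # DCC tunnel connections per ONS 15454
MAX_SDCC_TERMINATIONS = 84

# Table 12-8: DCCs each card family offers.  The OC-12/OC-48/OC-192 keys are
# shortened family labels used only in this example.
CARD_DCCS = {
    "OC3 IR 4/STM1 SH 1310": (SDCC,),
    "OC3 IR/STM1 SH 1310-8": (SDCC,) + LDCCS,
    "OC-12": (SDCC,) + LDCCS,
    "OC-48": (SDCC,) + LDCCS,
    "OC-192": (SDCC,) + LDCCS,
}


@dataclass(frozen=True)
class Endpoint:
    """A tunnel endpoint is defined by slot, port and DCC."""
    slot: int
    port: int
    dcc: str
    card: str


class Node:
    """DCC provisioning state of one ONS 15454, enforcing the guidelines above."""

    def __init__(self, name):
        self.name = name
        self.terminations = set()   # SDCCs terminated for CTC management
        self.tunnels = []           # frozenset({a, b}): unordered, tunnels are bidirectional

    def tunnelled(self):
        return {ep for t in self.tunnels for ep in t}

    def terminate_sdcc(self, ep):
        if ep.dcc != SDCC:
            raise ValueError("only the SDCC is terminated for ONS 15454 management")
        if ep in self.tunnelled():
            raise ValueError(f"{ep} is a DCC tunnel endpoint and cannot be terminated")
        if len(self.terminations) >= MAX_SDCC_TERMINATIONS:
            raise ValueError("Section DCC termination limit reached")
        self.terminations.add(ep)

    def create_tunnel(self, a, b):
        """Connect two DCC endpoints; SDCC and LDCC may be linked in any combination."""
        if a == b:
            raise ValueError("a tunnel needs two distinct endpoints")
        for ep in (a, b):
            if ep.dcc not in CARD_DCCS[ep.card]:
                raise ValueError(f"{ep.card} does not provide {ep.dcc}")
            if ep in self.terminations:
                raise ValueError(f"{ep} is a terminated SDCC and cannot be a tunnel endpoint")
            if ep in self.tunnelled():
                raise ValueError(f"{ep} already belongs to a tunnel")
        if len(self.tunnels) >= MAX_TUNNELS:
            raise ValueError("DCC tunnel connection limit reached")
        self.tunnels.append(frozenset((a, b)))

    def peer(self, ep):
        for t in self.tunnels:
            if ep in t:
                return next(x for x in t if x != ep)
        return None


def trace(nodes, spans, node_name, ep):
    """Follow a DCC through tunnels and fiber spans until it leaves the ONS network.

    spans maps (node, slot, port) to the (node, slot, port) at the far end of the fiber;
    the same DCC bytes are read at both ends.  Returns the (node, slot, port, dcc) hops.
    """
    hops = [(node_name, ep.slot, ep.port, ep.dcc)]
    while True:
        far = nodes[node_name].peer(ep)
        if far is None:
            return hops
        hops.append((node_name, far.slot, far.port, far.dcc))
        nxt = spans.get((node_name, far.slot, far.port))
        if nxt is None:
            return hops                       # edge port: third-party equipment is beyond it
        node_name, slot, port = nxt
        ep = next((e for e in nodes[node_name].tunnelled()
                   if (e.slot, e.port, e.dcc) == (slot, port, far.dcc)), None)
        if ep is None:
            return hops                       # neighbour has no tunnel on this DCC
        hops.append((node_name, slot, port, ep.dcc))


def figure_12_5():
    """The three connections of Figure 12-5; "Tunnel 1" is read as DCC2 (assumption)."""
    oc3, oc48 = "OC3 IR 4/STM1 SH 1310", "OC-48"
    n1, n2, n3 = Node("Node 1"), Node("Node 2"), Node("Node 3")
    n1.create_tunnel(Endpoint(3, 1, SDCC, oc3), Endpoint(13, 1, "DCC2", oc48))      # Link 1
    n2.create_tunnel(Endpoint(12, 1, "DCC2", oc48), Endpoint(13, 1, "DCC2", oc48))  # Link 2
    n3.create_tunnel(Endpoint(12, 1, "DCC2", oc48), Endpoint(3, 1, SDCC, oc3))      # Link 3
    spans = {("Node 1", 13, 1): ("Node 2", 12, 1), ("Node 2", 12, 1): ("Node 1", 13, 1),
             ("Node 2", 13, 1): ("Node 3", 12, 1), ("Node 3", 12, 1): ("Node 2", 13, 1)}
    return {"Node 1": n1, "Node 2": n2, "Node 3": n3}, spans


if __name__ == "__main__":
    nodes, spans = figure_12_5()
    for hop in trace(nodes, spans, "Node 1", Endpoint(3, 1, SDCC, "OC3 IR 4/STM1 SH 1310")):
        print(hop)
```

The trace is the check an operator wants before handing a tunnel to a third party: it confirms that the SDCC entering at Node 1/Slot 3 really reappears only at Node 3/Slot 3 and nowhere else on the way.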
Table 12-8 DCC Tunnels

Card                                                        DCC    SONET Layer   SONET Bytes
OC3 IR 4/STM1 SH 1310                                       DCC1   Section       D1 - D3
OC3 IR/STM1 SH 1310-8; all OC-12, OC-48, and OC-192 cards   DCC1   Section       D1 - D3
                                                            DCC2   Line          D4 - D6
                                                            DCC3   Line          D7 - D9
                                                            DCC4   Line          D10 - D12

Figure 12-5 labels: Link 1 at Node 1, from (A) Slot 3 (OC3) Port 1, SDCC to (B) Slot 13 (OC48) Port 1, Tunnel 1; Link 2 at Node 2, from (A) Slot 12 (OC48) Port 1, Tunnel 1 to (B) Slot 13 (OC48) Port 1, Tunnel 1; Link 3 at Node 3, from (A) Slot 12 (OC48) Port 1, Tunnel 1 to (B) Slot 3 (OC3) Port 1, SDCC. Third-party equipment is attached at Node 1 and at Node 3.

• All DCC tunnel connections are bidirectional.

12.5.2 IP-Encapsulated Tunnels

An IP-encapsulated tunnel puts an SDCC in an IP packet at a source node and dynamically routes the packet to a destination node. To compare traditional DCC tunnels with IP-encapsulated tunnels, a traditional DCC tunnel is configured as one dedicated path across a network and does not provide a failure recovery mechanism if the path is down. An IP-encapsulated tunnel is a virtual path, which adds protection when traffic travels between different networks. IP-encapsulated tunneling has the potential of flooding the DCC network with traffic, resulting in a degradation of performance for CTC. The data originating from an IP tunnel can be throttled to a user-specified rate, which is a percentage of the total SDCC bandwidth.

Each ONS 15454 supports up to ten IP-encapsulated tunnels. You can convert a traditional DCC tunnel to an IP-encapsulated tunnel or an IP-encapsulated tunnel to a traditional DCC tunnel. Only tunnels in the DISCOVERED status can be converted.

Caution Converting from one tunnel type to the other is service-affecting.

12.6 SDH Tunneling

The Cisco ONS 15454 SONET MSPP provides an SDH traffic transport solution with scalable SONET, data or DWDM multiservice capabilities.
The SDH traffic is aggregated and transported across an ONS 15454 network, similar to the SONET TDM and data services. STM-1 to STM-64 payloads are transported over SONET from any port on a Cisco ONS 15454 OC-N card provisioned to support SDH signals. For more information on SDH tunneling, refer to the "SDH Tunneling Over Cisco ONS 15454 SONET MSPP Systems" Application Note.

12.7 Multiple Destinations for Unidirectional Circuits

Unidirectional circuits can have multiple destinations for use in broadcast circuit schemes. In broadcast scenarios, one source transmits traffic to multiple destinations, but traffic is not returned to the source. When you create a unidirectional circuit, the card that does not have its backplane receive (Rx) input terminated with a valid input signal generates a loss of signal (LOS) alarm. To mask the alarm, create an alarm profile suppressing the LOS alarm and apply the profile to the port that does not have its Rx input terminated.

12.8 Monitor Circuits

Monitor circuits are secondary circuits that monitor traffic on primary bidirectional circuits. Figure 12-6 shows an example of a monitor circuit. At Node 1, a VT1.5 is dropped from Port 1 of an EC1-12 card. To monitor the VT1.5 traffic, plug test equipment into Port 2 of the EC1-12 card and provision a monitor circuit to Port 2. Circuit monitors are one-way. The monitor circuit in Figure 12-6 monitors VT1.5 traffic received by Port 1 of the EC1-12 card.
Figure 12-6 VT1.5 Monitor Circuit Received at an EC1-12 Port
Figure 12-6 labels: ONS 15454 Node 1 (EC1-12, XC, OC-N) and ONS 15454 Node 2 (OC-N, XC, DS1-14); VT1.5 Drop toward a Class 5 Switch on Port 1, VT1.5 Monitor toward a Test Set on Port 2.

12.8.1 Monitor Circuits Using Portless Ports as a Source on DS3XM-12

With an STS bidirectional circuit between source and destination, and with VT-MAPPED selected at the circuit source as an option using DS3XM-12 on 15454 SONET platforms, two circuits are created:
1) src -> even portless port
2) odd portless port -> dest
Traffic flows from source to destination as follows: src -> even port -> odd port -> dest
When a monitor circuit is created using the even portless port as the source, the circuit is created in the direction: dest -> odd portless port -> even portless port -> dest (monitored port)
When a monitor circuit is created using the odd portless port as the source, the circuit is created in the direction: src -> even portless port -> odd portless port -> dest (monitored port)

Note Monitor circuits cannot be used with Ethernet circuits.

12.9 Path Protection Circuits

Use the Edit Circuits window to change path protection selectors and switch protection paths (Figure 12-7). In the Path Protection Selectors subtab in the Edit Circuits window, you can:
• View the path protection circuit’s working and protection paths.
• Edit the reversion time.
• Set the hold-off timer.
• Edit the Signal Fail/Signal Degrade thresholds.
• Change payload defect indication path (PDI-P) settings.

Note The XC-VXC-10G cross-connect card supports VT switching based on SF and SD bit error rate (BER) thresholds.
The XC10G and XCVT cross-connect cards do not support VT switching based on SF and SD BER thresholds; hence, in the path protection Selectors tab, the SF BER Level and SD BER Level columns display “N/A” for these cards.

In the Path Protection Switch Counts subtab, you can:
• Perform maintenance switches on the circuit selector.
• View switch counts for the selectors.

Figure 12-7 Editing Path Protection Selectors

12.9.1 Open-Ended Path Protection Circuits

If ONS 15454s are connected to a third-party network, you can create an open-ended path protection circuit to route a circuit through it. To do this, you create four circuits. One circuit is created on the source ONS 15454 network. This circuit has one source and two destinations, each destination provisioned to the ONS 15454 interface that is connected to the third-party network. The second and third circuits are created on the third-party network so that the circuit travels across the network on two diverse paths to the far-end ONS 15454. At the destination node, the fourth circuit is created with two sources, one at each node interface connected to the third-party network. A selector at the destination node chooses between the two signals that arrive at the node, similar to a regular path protection circuit.

12.9.2 Go-and-Return Path Protection Routing

The go-and-return path protection routing option allows you to route the path protection working path on one fiber pair and the protect path on a separate fiber pair (Figure 12-8). The working path is always the shortest path. Because the two paths use separate fiber pairs, a single fault does not affect both the working and the protect fibers. This feature only applies to bidirectional path protection circuits. The go-and-return option appears in the Circuit Attributes panel of the Circuit Creation wizard.
Figure 12-8 Path Protection Go-and-Return Routing
Figure 12-8 labels: Node A and Node B, joined across any network by a Go and Return working connection and a separate Go and Return protecting connection.

12.10 BLSR Protection Channel Access Circuits

You can provision circuits to carry traffic on BLSR protection channels when conditions are fault-free. Traffic routed on BLSR PCA circuits, called extra traffic, has lower priority than the traffic on the working channels and has no means for protection. During ring or span switches, PCA circuits are preempted and squelched. For example, in a two-fiber OC-48 BLSR, STSs 25 to 48 can carry extra traffic when no ring switches are active, but PCA circuits on these STSs are preempted when a ring switch occurs. When the conditions that caused the ring switch are remedied and the ring switch is removed, PCA circuits are restored. If the BLSR is provisioned as revertive, this occurs automatically after the fault conditions are cleared and the reversion timer has expired.

Traffic provisioning on BLSR protection channels is performed during circuit provisioning. The Protection Channel Access check box appears whenever Fully Protected Path is unchecked in the circuit creation wizard. Refer to the Cisco ONS 15454 Procedure Guide for more information. When provisioning PCA circuits, two considerations are important to keep in mind:
• If BLSRs are provisioned as nonrevertive, PCA circuits are not restored automatically after a ring or span switch. You must switch the BLSR manually.
• PCA circuits are routed on working channels when you upgrade a BLSR from a two-fiber to a four-fiber or from one optical speed to a higher optical speed. For example, if you upgrade a two-fiber OC-48 BLSR to an OC-192, STSs 25 to 48 on the OC-48 BLSR become working channels on the OC-192 BLSR.
12.11 BLSR STS and VT Squelch Tables

ONS 15454 nodes display STS and VT squelch tables depending on the type of circuits created. For example, if a fiber cut occurs, the BLSR squelch tables show STSs or VTs that will be squelched for every isolated node. Squelching replaces traffic by inserting the appropriate alarm indication signal path (AIS-P) and prevents traffic misconnections. For an STS with a VT-access check mark, the AIS-P will be removed after 100 ms. To view the squelch tables, refer to the “Manage Circuits” chapter in the Cisco ONS 15454 Procedure Guide for detailed instructions. For more information about BLSR squelching, refer to Telcordia GR-1230.

12.11.1 BLSR STS Squelch Table

BLSR STS squelch tables show STSs that will be squelched for every isolated node. The BLSR Squelch Table window displays the following information:
• STS Number—Shows the BLSR STS numbers. For two-fiber BLSRs, the number of STSs is half the BLSR OC-N; for example, an OC-48 BLSR squelch table will show 24 STSs. For four-fiber BLSRs, the number of STSs in the table is the same as the BLSR OC-N.
• West Source—If traffic is received by the node on its west span, the BLSR node ID of the source appears. (To view the BLSR node IDs for all nodes in the ring, click the Ring Map button.)
• West VT (from the West Source)—A check mark indicates that the STS carries incoming VT traffic. The traffic source is coming from the west side.
• West VT (from the West Destination)—A check mark indicates that the STS carries outgoing VT traffic. The traffic is dropped on the west side.
• West Dest—If traffic is sent on the node’s west span, the BLSR node ID of the destination appears.
• East Source—If traffic is received by the node on its east span, the BLSR node ID of the source appears.
• East VT (from the East Source)—A check mark indicates that the STS carries incoming VT traffic. The traffic source is coming from the east side.
• East VT (from the East Destination)—A check mark indicates that the STS carries outgoing VT traffic. The traffic is dropped on the east side.
• East Dest—If traffic is sent on the node’s east span, the BLSR node ID of the destination appears.

Note BLSR squelching is performed on STSs that carry STS circuits only. Squelch table entries will not appear for STSs carrying VT circuits or Ethernet circuits to or from E-Series Ethernet cards provisioned in a multicard Ethergroup.

12.11.2 BLSR VT Squelch Table

BLSR VT squelch tables only appear on the node dropping VTs from a BLSR and are used to perform VT-level squelching when a node is isolated. VT squelching is supported on the ONS 15454 and the ONS 15327 platforms. The ONS 15600 platform does not support VT squelching; however, when an ONS 15454 and an ONS 15600 are in the same network, the ONS 15600 node allows the ONS 15454 node to carry VT circuits in a VT tunnel. The ONS 15600 performs 100-ms STS-level squelching for each VT-access STS at the switching node in case of a node failure.

When using a VT circuit on a VT tunnel (VTT), the VTT allows multiple VT circuits to be passed through on a single STS without consuming VT matrix resources on the cross-connect card. Both endpoints of the VTT are the source and destination nodes for the VTT. The node carrying VT circuits through a VTT is called a VT-access node. In case of a source and destination node failure of the VTT, the switching node performs 100-ms STS-level squelching for the VTT STS. The node dropping VT traffic performs VT-level squelching. VT traffic on the VTT that is not coming from the failed node is protected.

When using a VT circuit on a VT aggregation point (VAP), the VAP allows multiple VT circuits to be aggregated into a single STS without consuming VT matrix resources on the cross-connect card.
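The STS squelch table definitions of 12.11.1, worked as an added example that is not code from Cisco or from CTC: for bidirectional STS circuits on a BLSR it derives every node's West/East Source and Dest entries from the circuit's route around the ring, rejects a second circuit that would reuse an STS on a span where that time slot is already taken, and lists which STSs each node's table marks for AIS-P insertion when a given node is isolated (the misconnection that squelching prevents). The six-node two-fiber OC-48 ring, the circuits, and the convention that a node's east span leads clockwise are constructed assumptions; the VT squelch table and the choice of which switching nodes act on the entries are not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Circuit:
    sts: int            # STS number on the ring (1 .. N/2 on a two-fiber BLSR)
    src: int            # BLSR node ID of the source
    dst: int            # BLSR node ID of the destination
    route: str = "east" # span on which traffic leaves the source; east = clockwise (assumption)


@dataclass
class Entry:
    """One row of a node's BLSR STS squelch table, with the columns of 12.11.1."""
    west_source: Optional[int] = None
    west_dest: Optional[int] = None
    east_source: Optional[int] = None
    east_dest: Optional[int] = None

    def mentions(self, node_id):
        return node_id in (self.west_source, self.west_dest, self.east_source, self.east_dest)


def ring_path(ring, src, dst, route):
    """Nodes visited from src to dst; `ring` lists node IDs in clockwise (east) order."""
    step = 1 if route == "east" else -1
    i, path = ring.index(src), [src]
    while path[-1] != dst:
        i = (i + step) % len(ring)
        path.append(ring[i])
        if len(path) > len(ring):
            raise ValueError(f"node {dst} is not on the ring")
    return path


def _claim(entry, field_name, node_id, where):
    """Fill one column; a second circuit on the same STS and span is a time-slot clash."""
    if getattr(entry, field_name) is not None:
        raise ValueError(f"{where}: {field_name} already used by node {getattr(entry, field_name)}")
    setattr(entry, field_name, node_id)


def build_squelch_tables(ring, fibers, oc_n, circuits):
    """STS squelch table for every node, for bidirectional STS circuits.

    A two-fiber ring shows oc_n/2 STSs (the rest are protection channels), a four-fiber
    ring shows oc_n.  Returns {node_id: {sts: Entry}}.
    """
    n_sts = oc_n // 2 if fibers == 2 else oc_n
    tables = {node: {} for node in ring}
    for c in circuits:
        if not 1 <= c.sts <= n_sts:
            raise ValueError(f"STS {c.sts} is outside the {n_sts} working STSs")
        path = ring_path(ring, c.src, c.dst, c.route)
        out_span = c.route                                  # span toward the destination
        in_span = "west" if out_span == "east" else "east"  # span toward the source
        for k, node in enumerate(path):
            e = tables[node].setdefault(c.sts, Entry())
            where = f"node {node} STS {c.sts}"
            if k > 0:      # traffic from the source arrives here; reverse traffic leaves toward it
                _claim(e, f"{in_span}_source", c.src, where)
                _claim(e, f"{in_span}_dest", c.src, where)
            if k < len(path) - 1:   # traffic leaves toward the destination; reverse traffic arrives
                _claim(e, f"{out_span}_dest", c.dst, where)
                _claim(e, f"{out_span}_source", c.dst, where)
    return tables


def squelched_on_isolation(tables, failed_node):
    """STSs each node's table marks for AIS-P insertion when `failed_node` is isolated."""
    return {node: sorted(sts for sts, e in t.items() if e.mentions(failed_node))
            for node, t in tables.items()}


def demo():
    ring = [1, 2, 3, 4, 5, 6]       # constructed two-fiber OC-48 BLSR, node IDs clockwise
    circuits = [Circuit(sts=1, src=1, dst=3),   # STS 1 reused on two disjoint arcs of the ring
                Circuit(sts=1, src=4, dst=6)]
    tables = build_squelch_tables(ring, fibers=2, oc_n=48, circuits=circuits)
    return tables, squelched_on_isolation(tables, failed_node=1)


if __name__ == "__main__":
    tables, squelch = demo()
    for node in sorted(tables):
        print(node, tables[node], "squelch if node 1 isolated:", squelch[node])
```

The reuse of STS 1 by both circuits is exactly the situation the squelch table exists for: without the entries at nodes 2 and 3, a ring switch around a failed node 1 could splice the 4-to-6 traffic onto the 1-to-3 drop.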
The source for each VAP STS timeslot is the STS-grooming end where VT1.5 circuits are aggregated into a single STS. The destination for each VAP STS is the VT-grooming end where VT1.5 circuits originated. The source node for each VT circuit on a VAP is the STS-grooming end where the VT1.5 circuits are aggregated into a single STS. The STS grooming node is not a VT-access node. The non-VT-access node performs STS-level squelching for each STS timeslot at the switching node in case the VT-grooming node fails. The node dropping VT traffic performs VT-level squelching for each VT timeslot in case the STS-grooming end node fails. No VT traffic on the VAP is protected during a failure of the STS-grooming node or the VT-grooming node.

To view the VT squelch table, double-click the VT with a check mark in the BLSR STS squelch table window. The check mark appears on every VT-access STS; however, the VT-squelch table appears only by double-clicking the check mark on the node dropping the VT. The intermediate node of the VT does not maintain the VT-squelch table. The VT squelch table provides the following information:
• VT Number—Shows the BLSR VT numbers. The VT number includes the VT group number and the VT number in the group (VT group 2 and channel 1 are displayed as 2-1).
• West Source—If traffic is received by the node on its west span, the BLSR node ID of the source appears. (To view the BLSR node IDs for all nodes in the ring, click the Ring Map button.)
• East Source—If traffic is received by the node on its east span, the BLSR node ID of the source appears.

12.12 IEEE 802.17 Resilient Packet Ring Circuit Display

Resilient Packet Ring (RPR), as described in IEEE 802.17, is a metropolitan area network (MAN) technology supporting data transfer among stations interconnected in a dual-ring configuration. The IEEE 802.17b spatially-aware sublayer amendment is not yet ratified but is expected to add support for bridging to IEEE 802.17.
Since the amendment is not yet ratified, no equipment is currently IEEE 802.17b compliant. RPR-IEEE on ONS 15454 ML-Series cards is based on the expected IEEE 802.17b standard. CTC provides a graphical representation (map) of IEEE 802.17 RPR circuits between ML-Series cards with a list of the following information:
• Circuit name
• Type
• Size
• OCHNC Wlen
• Direction
• Protection
• Status
• Source
• Destination
• # of VLANs
• # of Spans
• State
• Loopback

Note CTC does not support the display of Cisco proprietary RPR circuit topologies.

Note CTC does not support provisioning or maintenance of IEEE RPR rings. You must use Cisco IOS.

For more information about IEEE 802.17 RPR, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.

12.13 Section and Path Trace

SONET J0 section and J1 and J2 path trace are repeated, fixed-length strings composed of 16 or 64 consecutive bytes. You can use the strings to monitor interruptions or changes to circuit traffic. The OC192-XFP and MRC-12 cards support J0 section trace. Table 12-9 shows the ONS 15454 cards that support J1 path trace. DS-1 and DS-3 cards can transmit and receive the J1 field, while the EC-1, OC-3, OC-48 AS, and OC-192 cards can only receive the J1 bytes. Cards that are not listed in the table do not support the J1 byte. The DS3XM-12 card supports J2 path trace for VT circuits.

If the string received at a circuit drop port does not match the string the port expects to receive, an alarm is raised. Two path trace modes are available:
• Automatic—The receiving port assumes that the first string it receives is the baseline string.
• Manual—The receiving port uses a string that you manually enter as the baseline string.

Table 12-9 ONS 15454 Cards Capable of J1 Path Trace

J1 Function            Cards
Transmit and Receive   CE-Series, DS1-14 (1), DS1N-14, DS1/EC1-56, DS3-12E, DS3i-N-12, DS3/EC1-48, DS3N-12E, DS3XM-6, DS3XM-12, FC_MR-4, G-Series, ML-Series
Receive Only           EC1-12, OC3 IR 4/STM1 SH 1310, OC3 IR 4/STM1 SH 1310-8, OC12/STM4-4, OC48 IR/STM16 SH AS 1310, OC48 LR/STM16 LH AS 1550, OC192 SR/STM64 IO 1310, OC192 LR/STM64 LH 1550, OC192 IR/STM SH 1550, OC192-XFP
1. J1 path trace is not supported for DS-1s used in VT circuits.

12.14 Path Signal Label, C2 Byte

One of the overhead bytes in the SONET frame is the C2 byte. The SONET standard defines the C2 byte as the path signal label. The purpose of this byte is to communicate the payload type being encapsulated by the STS path overhead (POH). The C2 byte functions similarly to EtherType and Logical Link Control (LLC)/Subnetwork Access Protocol (SNAP) header fields on an Ethernet network; it allows a single interface to transport multiple payload types simultaneously. C2 byte hex values are provided in Table 12-10.

If a circuit is provisioned using a terminating card, the terminating card provides the C2 byte. A VT circuit is terminated at the XCVT, XC10G, or XC-VXC-10G card, which generates the C2 byte (0x02) downstream to the STS terminating cards. The XCVT, XC10G, or XC-VXC-10G card generates the C2 value (0x02) to the DS1 or DS3XM terminating card. If an optical circuit is created with no terminating cards, the test equipment must supply the path overhead in terminating mode. If the test equipment is in pass-through mode, the C2 values usually change rapidly between 0x00 and 0xFF. Adding a terminating card to an optical circuit usually fixes a circuit having C2 byte problems.
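An added example, not part of the manual and not CTC's code, covering the path trace modes of 12.13 and the C2 meanings of 12.14 together: a receive-side trace monitor with the automatic and manual baseline behaviours, and a C2 decoder that uses the values of Tables 12-10 and 12-11 (including the payload-defect range, where the count is the value minus 0xE0) and flags the rapid 0x00/0xFF changes that indicate test equipment in pass-through mode. The NUL padding of trace strings shorter than 16 or 64 bytes, the window of eight C2 samples, and the plain True/False mismatch state (rather than a named ONS alarm) are assumptions of the example.

```python
from collections import deque

# Table 12-10: STS path signal label (C2) values.
C2_LABELS = {
    0x00: "Unequipped", 0x01: "Equipped - nonspecific payload",
    0x02: "VT structured STS-1 (DS-1)", 0x03: "Locked VT mode",
    0x04: "Asynchronous mapping for DS-3", 0x12: "Asynchronous mapping for DS4NA",
    0x13: "ATM mapping", 0x14: "DQDB mapping", 0x15: "FDDI mapping",
    0x16: "HDLC over SONET mapping", 0x1B: "GFP (FC_MR-4 and ML-Series)",
    0xFD: "Reserved", 0xFE: "O.181 test signal mapping", 0xFF: "AIS-P",
}


def describe_c2(code):
    """Meaning of a C2 value, including Table 12-11's payload-defect range 0xE1..0xFC."""
    if not 0 <= code <= 0xFF:
        raise ValueError("C2 is a single byte")
    if 0xE1 <= code <= 0xFB:
        return f"VT-structured STS-1 SPE with {code - 0xE0} VTx payload defects"
    if code == 0xFC:
        return "28 VT1.5 payload defects, or non-VT-structured SPE with a payload defect"
    return C2_LABELS.get(code, f"Undefined label 0x{code:02X}")


def fit_trace(s, length=16):
    """Fixed-length trace string (16 or 64 bytes); short strings are NUL padded (assumption)."""
    if length not in (16, 64):
        raise ValueError("trace strings are 16 or 64 bytes long")
    raw = s.encode("ascii")
    if len(raw) > length:
        raise ValueError(f"trace string longer than {length} bytes")
    return raw.ljust(length, b"\x00")


class PathTraceMonitor:
    """Receive-side J0/J1/J2 check at a circuit drop port.

    automatic: the first string received becomes the baseline.
    manual:    the baseline is the string the operator provisioned.
    """

    def __init__(self, mode, length=16, expected=None):
        if mode not in ("automatic", "manual"):
            raise ValueError(f"unknown path trace mode {mode!r}")
        if mode == "manual" and expected is None:
            raise ValueError("manual mode needs an expected string")
        self.mode, self.length = mode, length
        self.baseline = fit_trace(expected, length) if mode == "manual" else None
        self.alarm = False

    def receive(self, s):
        """Process one received string; returns True while the mismatch alarm is active."""
        got = fit_trace(s, self.length)
        if self.baseline is None:          # automatic mode, first string seen
            self.baseline = got
        self.alarm = got != self.baseline
        return self.alarm


class C2Monitor:
    """Compares received C2 values with the expected label and spots a pass-through
    test set, whose C2 keeps changing between 0x00 and 0xFF."""

    def __init__(self, expected, window=8):
        self.expected = expected
        self.recent = deque(maxlen=window)

    def receive(self, code):
        self.recent.append(code)
        return {"mismatch": code != self.expected,
                "flapping": self.flapping(),
                "meaning": describe_c2(code)}

    def flapping(self):
        vals = list(self.recent)
        return (len(vals) >= 4 and set(vals) == {0x00, 0xFF}
                and all(a != b for a, b in zip(vals, vals[1:])))


if __name__ == "__main__":
    m = PathTraceMonitor("automatic")
    print([m.receive(s) for s in ("NODE1-S3-P1", "NODE1-S3-P1", "NODE9-S3-P1")])
    c = C2Monitor(expected=0x02)
    print([c.receive(v)["flapping"] for v in (0x00, 0xFF, 0x00, 0xFF)])
```

Automatic mode is convenient but it baselines whatever arrives first, including a misconnected circuit; manual mode is the one to use when the far-end string is known, because the first received string is then checked rather than trusted.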
Table 12-11 lists label assignments for signals with payload defects.

Table 12-10 STS Path Signal Label Assignments for Signals

Hex Code   Content of the STS Synchronous Payload Envelope (SPE)
0x00       Unequipped
0x01       Equipped - nonspecific payload
0x02       VT structured STS-1 (DS-1)
0x03       Locked VT mode
0x04       Asynchronous mapping for DS-3
0x12       Asynchronous mapping for DS4NA
0x13       Mapping for Asynchronous Transfer Mode (ATM)
0x14       Mapping for distributed queue dual bus (DQDB)
0x15       Asynchronous mapping for fiber distributed data interface (FDDI)
0x16       High-level data link control (HDLC) over SONET mapping
0x1B       Generic Framing Procedure (GFP) used by the FC_MR-4 and ML-Series cards
0xFD       Reserved
0xFE       O.181 test signal (TSS1 to TSS3) mapping, SDH network
0xFF       Alarm indication signal, path (AIS-P)

Table 12-11 STS Path Signal Label Assignments for Signals with Payload Defects

Hex Code   Content of the STS SPE
0xE1       VT-structured STS-1 SPE with 1 VTx payload defect (STS-1 with 1 VTx PD)
0xE2       STS-1 with 2 VTx PDs
0xE3       STS-1 with 3 VTx PDs
0xE4       STS-1 with 4 VTx PDs
0xE5       STS-1 with 5 VTx PDs
0xE6       STS-1 with 6 VTx PDs
0xE7       STS-1 with 7 VTx PDs
0xE8       STS-1 with 8 VTx PDs
0xE9       STS-1 with 9 VTx PDs
0xEA       STS-1 with 10 VTx PDs
0xEB       STS-1 with 11 VTx PDs
0xEC       STS-1 with 12 VTx PDs
0xED       STS-1 with 13 VTx PDs
0xEE       STS-1 with 14 VTx PDs
0xEF       STS-1 with 15 VTx PDs
0xF0       STS-1 with 16 VTx PDs
0xF1       STS-1 with 17 VTx PDs
0xF2       STS-1 with 18 VTx PDs
0xF3       STS-1 with 19 VTx PDs
0xF4       STS-1 with 20 VTx PDs
0xF5       STS-1 with 21 VTx PDs
0xF6       STS-1 with 22 VTx PDs
0xF7       STS-1 with 23 VTx PDs
0xF8       STS-1 with 24 VTx PDs
0xF9       STS-1 with 25 VTx PDs
0xFA       STS-1 with 26 VTx PDs
0xFB       STS-1 with 27 VTx PDs
0xFC       VT-structured STS-1 SPE with 28 VT1.5 payload defects, or a non-VT-structured STS-1 or STS-Nc SPE with a payload defect
0xFF       Reserved

12.15 Automatic Circuit Routing

If you select automatic routing during circuit creation, CTC routes the circuit by dividing the entire circuit route into segments based on protection domains. For unprotected segments of circuits provisioned as fully protected, CTC finds an alternate route to protect the segment, creating a virtual path protection configuration. Each segment of a circuit path is a separate protection domain. Each protection domain is protected in a specific protection scheme including card protection (1+1, 1:1, etc.) or SONET topology (path protection, BLSR, etc.).

The following list provides principles and characteristics of automatic circuit routing:
• Circuit routing tries to use the shortest path within the user-specified or network-specified constraints. VT tunnels are preferable for VT circuits because VT tunnels are considered shortcuts when CTC calculates a circuit path in path-protected mesh networks.
• If you do not choose Fully Path Protected during circuit creation, circuits can still contain protected segments. Because circuit routing always selects the shortest path, one or more links and/or segments can have some protection. CTC does not look at link protection while computing a path for unprotected circuits.
• Circuit routing does not use links that are down. If you want all links to be considered for routing, do not create circuits when a link is down.
• Circuit routing computes the shortest path when you add a new drop to an existing circuit. It tries to find the shortest path from the new drop to any nodes on the existing circuit.
• If the network has a mixture of VT-capable nodes and VT-incapable nodes, CTC can automatically create a VT tunnel. Otherwise, CTC asks you whether a VT tunnel is needed.
• To create protected circuits between topologies, install an XCVT, XC10G, or XC-VXC-10G cross-connect card on the shared node.
• For STS circuits, you can use portless transmux interfaces if a DS3XM-12 card is installed in the network. CTC automatically routes the circuit over the portless transmux interfaces on the specified node, creating an end-to-end STS circuit.

Note Automatic routing and its associated subfields are not available if both the Automatic Circuit Routing NE default and the Network Circuit Automatic Routing Overridable NE default are set to FALSE. For a full description of these defaults see Appendix C, “Network Element Defaults.”

12.15.1 Bandwidth Allocation and Routing

Within a given network, CTC routes circuits on the shortest possible path between source and destination based on the circuit attributes, such as protection and type. CTC considers using a link for the circuit only if the link meets the following requirements:
• The link has sufficient bandwidth to support the circuit.
• The link does not change the protection characteristics of the path.
• The link has the required time slots to enforce the same time slot restrictions for BLSRs.

If CTC cannot find a link that meets these requirements, an error appears. The same logic applies to VT circuits on VT tunnels. Circuit routing typically favors VT tunnels because VT tunnels are shortcuts between a given source and destination. If the VT tunnel in the route is full (no more bandwidth), CTC asks whether you want to create an additional VT tunnel.

12.15.2 Secondary Sources and Destinations

CTC supports secondary circuit sources and destinations (drops). Secondary sources and destinations typically interconnect two third-party networks, as shown in Figure 12-9.
Traffic is protected while it goes through a network of ONS 15454s.

Figure 12-9 Secondary Sources and Destinations

Several rules apply to secondary sources and destinations:
• CTC does not allow a secondary destination for unidirectional circuits because you can always specify additional destinations after you create the circuit.
• The sources and destinations cannot be DS-3, DS3XM, or DS-1-based STS-1s or VT1.5s.
• Secondary sources and destinations are permitted only for regular STS/VT1.5 connections (not for VT tunnels and multicard EtherSwitch circuits).
• For point-to-point (straight) Ethernet circuits, only SONET STS endpoints can be specified as multiple sources or destinations.

For bidirectional circuits, CTC creates a path protection connection at the source node that allows traffic to be selected from one of the two sources on the ONS 15454 network. If you check the Fully Path Protected option during circuit creation, traffic is protected within the ONS 15454 network. At the destination, another path protection connection is created to bridge traffic from the ONS 15454 network to the two destinations. A similar but opposite path exists for the reverse traffic flowing from the destinations to the sources. For unidirectional circuits, a path protection drop-and-continue connection is created at the source node.

12.16 Manual Circuit Routing

Routing circuits manually allows you to:
• Choose a specific path, not necessarily the shortest path.
• Choose a specific STS/VT1.5 on each link along the route.
• Create a shared packet ring for multicard EtherSwitch circuits.
• Choose a protected path for multicard EtherSwitch circuits, allowing virtual path protection segments.
Figure 12-9 labels: Primary source and Secondary source in the Vendor A network, Primary destination and Secondary destination in the Vendor B network, with the ONS 15454 network between them.

CTC imposes the following rules on manual routes:
• All circuits, except multicard EtherSwitch circuits in a shared packet ring, should have links with a direction that flows from source to destination. This is true for multicard EtherSwitch circuits that are not in a shared packet ring.
• If you enabled Fully Path Protected, choose a diverse protect (alternate) path for every unprotected segment (Figure 12-10).

Figure 12-10 Alternate Paths for Virtual Path Protection Segments

• For multicard EtherSwitch circuits, the Fully Path Protected option is ignored.
• For a node that has a path protection selector based on the links chosen, the input links to the path protection selectors cannot be 1+1 or BLSR protected (Figure 12-11). The same rule applies at the path protection bridge.

Figure 12-11 Mixing 1+1 or BLSR Protected Links With a Path Protection Configuration

• In a shared packet ring, choose the links of multicard EtherSwitch circuits to route from source to destination back to source (Figure 12-12). Otherwise, a route (set of links) chosen with loops is invalid.
Figure 12-10 labels: Nodes 1 through 12 between Source and Drop, with links marked Twoway or Unidirectional; Path Segment 1 is path/mesh protected and needs an alternate path from N1 to N2, Path Segment 2 is 1+1 protected, Path Segment 3 is BLSR protected, Path Segment 4 is 1+1 protected and needs no alternate path.

Figure 12-11 labels: three four-node arrangements (Node 1 source, Node 2, Node 3, Node 4 with destination at Node 2 or Node 3) using unidirectional links; the two marked Illegal include a 1+1 protected link or a BLSR ring among the links, the one marked Legal uses only unprotected links.

Figure 12-12 Ethernet Shared Packet Ring Routing

• Multicard EtherSwitch circuits can have virtual path protection segments if the source or destination is not in the path protection domain. This restriction also applies after circuit creation; therefore, if you create a circuit with path protection segments, Ethernet destinations cannot exist anywhere on the path protection segment (Figure 12-13).

Figure 12-13 Ethernet and Path Protection

• A VT tunnel cannot be the endpoint of a path protection segment. A path protection segment endpoint is where the path protection selector resides.

If you provision full path protection, CTC verifies that the route selection is protected at all segments. A route can have multiple protection domains with each domain protected by a different scheme. Table 12-12 through Table 12-15 summarize the available node connections. Any other combination is invalid and generates an error.
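The routing rules of 12.15 and 12.15.1, together with the required/excluded elements and the node diversity preferences described in 12.17, worked as an added example that is not CTC's algorithm: fewest-hop routing that skips links that are down or lack the requested STS bandwidth, honours an ordered list of required nodes for the primary path only, applies excluded nodes and links to primary and alternate paths alike, and, for a fully protected circuit, finds a node-diverse or link-diverse alternate for each run of unprotected links while leaving 1+1 and BLSR links to their own protection. Hop count as the path metric, the link and node names, and the seven-node sample network are assumptions of the example.

```python
import heapq
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    a: str
    b: str
    protection: str   # "unprotected", "1+1" or "blsr"
    free_sts: int     # STS-1 time slots still available on the span
    up: bool = True   # links that are down are never used

    def other(self, node):
        return self.b if node == self.a else self.a


class Router:
    """Shortest-path circuit routing with bandwidth, down-link and exclusion checks, plus
    virtual path protection for unprotected segments (hop count is the metric, an assumption)."""

    def __init__(self, links):
        self.links = {l.name: l for l in links}

    def shortest_path(self, src, dst, size, ex_nodes=frozenset(), ex_links=frozenset()):
        """Fewest-hop list of link names from src to dst, or None if no usable path exists."""
        best, heap = {src: (0, None)}, [(0, src)]
        while heap:
            cost, node = heapq.heappop(heap)
            if node == dst:
                break
            if cost > best[node][0]:
                continue
            for link in sorted(self.links.values(), key=lambda l: l.name):
                if node not in (link.a, link.b) or not link.up or link.name in ex_links:
                    continue
                if link.free_sts < size:              # not enough bandwidth on this span
                    continue
                nxt = link.other(node)
                if nxt in ex_nodes:
                    continue
                if nxt not in best or cost + 1 < best[nxt][0]:
                    best[nxt] = (cost + 1, link.name)
                    heapq.heappush(heap, (cost + 1, nxt))
        if dst not in best:
            return None
        path, node = [], dst
        while node != src:
            path.append(best[node][1])
            node = self.links[best[node][1]].other(node)
        return path[::-1]

    def nodes_along(self, src, path):
        nodes = [src]
        for name in path:
            nodes.append(self.links[name].other(nodes[-1]))
        return nodes

    def route(self, src, dst, size, required=(), ex_nodes=frozenset(), ex_links=frozenset(),
              fully_protected=False, diversity="required"):
        """Returns (primary link names, protection domains).

        required: ordered nodes the primary path must visit (not applied to alternates).
        diversity: "required" (node diverse or fail), "desired" (node diverse, else link
        diverse) or "link" (link diverse only), as in the Circuit Routing Preferences."""
        primary, waypoints = [], [src, *required, dst]
        for a, b in zip(waypoints, waypoints[1:]):
            seg = self.shortest_path(a, b, size, ex_nodes, ex_links)
            if seg is None:
                raise ValueError(f"no route from {a} to {b} with {size} STS free")
            primary += seg
        if not fully_protected:
            return primary, []
        nodes, domains, i = self.nodes_along(src, primary), [], 0
        while i < len(primary):
            kind = self.links[primary[i]].protection
            if kind != "unprotected":                 # 1+1 and BLSR links protect themselves
                domains.append((kind, [primary[i]], None))
                i += 1
                continue
            j = i                                     # extend the run of unprotected links
            while j < len(primary) and self.links[primary[j]].protection == "unprotected":
                j += 1
            run, u, v, inner = primary[i:j], nodes[i], nodes[j], set(nodes[i + 1:j])
            alt = None
            if diversity in ("required", "desired"):
                alt = self.shortest_path(u, v, size, ex_nodes | inner, ex_links | set(run))
            if alt is None and diversity in ("desired", "link"):
                alt = self.shortest_path(u, v, size, ex_nodes, ex_links | set(run))
            if alt is None:
                raise ValueError(f"no {diversity}-diverse alternate path for segment {u}-{v}")
            domains.append(("virtual path protection", run, alt))
            i = j
        return primary, domains


def sample_network():
    """Constructed network: a 1+1 span, a BLSR span and an unprotected mesh between them."""
    return Router([
        Link("L12", "N1", "N2", "1+1", 48), Link("L23", "N2", "N3", "unprotected", 48),
        Link("L34", "N3", "N4", "unprotected", 48), Link("L46", "N4", "N6", "blsr", 48),
        Link("L25", "N2", "N5", "unprotected", 48), Link("L57", "N5", "N7", "unprotected", 48),
        Link("L74", "N7", "N4", "unprotected", 48),
    ])


if __name__ == "__main__":
    print(sample_network().route("N1", "N6", 1, fully_protected=True))
```

With the sample network the primary path N1-N2-N3-N4-N6 yields three protection domains: the 1+1 span, a virtual path protection segment N2-N4 whose alternate runs through N5 and N7, and the BLSR span. Taking L34 down forces the primary through N5 and N7 and then no diverse alternate exists for that segment, which is the error case the text describes.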
[Figure residue (Ethernet and path protection): Ethernet source, Ethernet destination, Node 1, Node 2, Node 3, Node 4.]

[Figure residue (path protection segment, legal and illegal cases): Legal case with Nodes 2, 5, 6, 7, 8, 11, Source, Drop; Illegal case with Nodes 5, 6, 7, 8, Source, Drop.]

Table 12-12 Bidirectional STS/VT/Regular Multicard EtherSwitch/Point-to-Point (Straight) Ethernet Circuits

Connection Type | Number of Inbound Links | Number of Outbound Links | Number of Sources | Number of Destinations
Path protection | — | 2 | 1 | —
Path protection | 2 | — | — | 1
Path protection | 2 | 1 | — | —
Path protection | 1 | 2 | — | —
Path protection | 1 | — | — | 2
Path protection | — | 1 | 2 | —
Double path protection | 2 | 2 | — | —
Double path protection | 2 | — | — | 2
Double path protection | — | 2 | 2 | —
Two way | 1 | 1 | — | —
Ethernet | 0 or 1 | 0 or 1 | Ethernet node source | —
Ethernet | 0 or 1 | 0 or 1 | — | Ethernet node drop

Table 12-13 Unidirectional STS/VT Circuit

Connection Type | Number of Inbound Links | Number of Outbound Links | Number of Sources | Number of Destinations
One way | 1 | 1 | — | —
Path protection head end | 1 | 2 | — | —
Path protection head end | — | 2 | 1 | —
Path protection drop and continue | 2 | — | — | 1+

Table 12-14 Multicard Group Ethernet Shared Packet Ring Circuit

Connection Type | Number of Inbound Links | Number of Outbound Links | Number of Sources | Number of Destinations
At Intermediate Nodes Only
Double path protection | 2 | 2 | — | —
Two way | 1 | 1 | — | —
At Source or Destination Nodes Only
Ethernet | 1 | 1 | — | —

Table 12-15 Bidirectional VT Tunnels

Connection Type | Number of Inbound Links | Number of Outbound Links | Number of Sources | Number of Destinations
At Intermediate Nodes Only
Path protection | 2 | 1 | — | —
Path protection | 1 | 2 | — | —
Double path protection | 2 | 2 | — | —
Two way | 1 | 1 | — | —
At Source Nodes Only
VT tunnel endpoint | — | 1 | — | —
At Destination Nodes Only
VT tunnel endpoint | 1 | — | — | —

Although virtual path protection segments are possible in VT tunnels, VT tunnels are still considered unprotected. If you need to protect VT circuits, use two independent VT tunnels that are diversely routed, or use a VT tunnel that is routed over 1+1, BLSR, or a mixture of 1+1 and BLSR links.

12.17 Constraint-Based Circuit Routing

When you create circuits, you can choose Fully Protected Path to protect the circuit from source to destination. The protection mechanism used depends on the path that CTC calculates for the circuit. If the network is composed entirely of BLSR or 1+1 links, or the path between source and destination can be entirely protected using 1+1 or BLSR links, no path-protected mesh network (PPMN) protection (virtual path protection) is used.

If PPMN protection is needed to protect the path, set the level of node diversity for the PPMN portions of the complete path in the Circuit Routing Preferences area of the Circuit Creation dialog box:

• Nodal Diversity Required—Ensures that the primary and alternate paths of each PPMN domain in the complete path have a diverse set of nodes.
• Nodal Diversity Desired—CTC looks for a node-diverse path; if a node-diverse path is not available, CTC finds a link-diverse path for each PPMN domain in the complete path.
• Link Diversity Only—Creates only a link-diverse path for each PPMN domain.

When you choose automatic circuit routing during circuit creation, you have the option to require or exclude nodes and links in the calculated route. You can use this option to achieve the following results:

• Simplify manual routing, especially if the network is large and selecting every span is tedious. You can select a general route from source to destination and allow CTC to fill in the route details.
• Balance network traffic. By default, CTC chooses the shortest path, which can load traffic on certain links while other links have most of their bandwidth available. By selecting a required node and/or a link, you force CTC to use (or not use) an element, resulting in more efficient use of network resources.

CTC considers required nodes and links to be an ordered set of elements. CTC treats the source nodes of every required link as required nodes. When CTC calculates the path, it makes sure that the computed path traverses the required set of nodes and links and does not traverse excluded nodes and links. The required nodes and links constraint is only used during the primary path computation and only for PPMN domains/segments. The alternate path is computed normally; CTC uses excluded nodes/links when finding all primary and alternate paths on PPMNs.

12.18 Virtual Concatenated Circuits

Virtual concatenated (VCAT) circuits, also called VCAT groups (VCGs), transport traffic using noncontiguous TDM time slots, avoiding the bandwidth fragmentation problem that exists with contiguous concatenated (CCAT) circuits. The cards that support VCAT circuits are the CE-Series, FC_MR-4 (both line rate and enhanced mode), and ML-Series cards.

In a VCAT circuit, circuit bandwidth is divided into smaller circuits called VCAT members. The individual members act as independent TDM circuits. All VCAT members should be the same size and must originate and terminate at the same end points.
For two-fiber BLSR configurations, some members can be routed on protected time slots and others on PCA time slots.

To enable end-to-end connectivity in a VCAT circuit that traverses a third-party network, you can use Open-Ended VCAT circuit creation, or you can create a server trail between the ports. For more details, refer to the “Create Circuits and VT Tunnels” chapter in the Cisco ONS 15454 Procedure Guide.

12.18.1 VCAT Circuit States

The state of a VCAT circuit is an aggregate of its member circuits. You can view whether a VCAT member is In Group or Out of Group in the VCAT State column in the Edit Circuits window.

• If all member circuits are in the IS state, the VCAT circuit state is IS.
• If all In Group member circuits are in the OOS state, the VCAT circuit state is OOS.
• If no member circuits exist or if all member circuits are Out of Group, the VCAT circuit state is OOS.
• A VCAT circuit is in the OOS-PARTIAL state when In Group member states are mixed and not all are in the IS state.

12.18.2 VCAT Member Routing

The automatic and manual routing selection applies to the entire VCAT circuit, that is, all members are manually or automatically routed. Bidirectional VCAT circuits are symmetric, which means that the same number of members travel in each direction. With automatic routing, you can specify the constraints for individual members; with manual routing, you can select different spans for different members.

Two types of automatic and manual routing are available for VCAT members: common fiber routing and split routing. CE-Series, FC_MR-4 (both line rate and enhanced mode), and ML-Series cards support common fiber routing. In common fiber routing, all VCAT members travel on the same fibers, which eliminates delay between members. Three protection options are available for common fiber routing: Fully Protected, PCA, and Unprotected. Figure 12-14 shows an example of common fiber routing.
Figure 12-14 VCAT Common Fiber Routing

[Figure residue: CE-100T-8 with VCAT Function at each end; VCG-1 Member 1 and Member 2 and VCG-2 Member 1 and Member 2 carried on STS-1 through STS-4 through an Intermediate NE.]

CE-Series cards also support split fiber routing, which allows the individual members to be routed on different fibers or each member to have different routing constraints. This mode offers the greatest bandwidth efficiency and also the possibility of differential delay, which is handled by the buffers on the terminating cards. Four protection options are available for split fiber routing: Fully Protected, PCA, Unprotected, and DRI. Figure 12-15 shows an example of split fiber routing.

Figure 12-15 VCAT Split Fiber Routing

[Figure residue: Source VCAT at NE (VCAT Function) sends Traffic as a Virtually Concatenated Group of Member #1, Member #2, and Member #3 over separate Intermediate NEs to the Destination VCAT at NE (VCAT Function with Differential Delay Buffer).]

In both common fiber and split fiber routing, each member can use a different protection scheme; however, for common fiber routing, CTC checks the combination to make sure that a valid route exists. If it does not, the user must modify the protection type. In both common fiber and split fiber routing, intermediate nodes treat the VCAT members as normal circuits that are independently routed and protected by the SONET network. At the terminating nodes, these member circuits are multiplexed into a contiguous stream of data.

The switch time for split fiber routing depends on the type of circuits traversing the path.

• CCAT circuits carry traffic after the SONET defects are cleared.
• VCAT circuits carry traffic after the SONET defects are cleared and the VCAT framers are in frame for ALL the time slots that are part of the group. Hence the switchover takes extra time.
• LCAS circuits carry traffic after the SONET defects are cleared, the VCAT framers are in frame for any time slots that are part of the group, and the LCAS protocol has fed back MST=OK (MST=Member Status) to the far end so the far end can enable the time slot to carry traffic.

Note The switch time values shown in Table 12-16 do not include differential delay. The maximum differential delay for the CE-100T-8 is 48 ms. This differential delay is added to the switch time to get the maximum time.

12.18.3 Link Capacity Adjustment

The CE-100T-8 card supports the link capacity adjustment scheme (LCAS), which is a signaling protocol that allows dynamic bandwidth adjustment of VCAT circuits. When a member fails, a brief traffic hit occurs. LCAS temporarily removes the failed member from the VCAT circuit for the duration of the failure, leaving the remaining members to carry the traffic. When the failure clears, the member circuit is automatically added back into the VCAT circuit without affecting traffic. You can select LCAS during VCAT circuit creation.

Note Although LCAS operations are errorless, a SONET error can affect one or more VCAT members. If this occurs, the VCAT Group Degraded (VCG-DEG) alarm is raised. For information on clearing this alarm, refer to the Cisco ONS 15454 Troubleshooting Guide.

Instead of LCAS, the FC_MR-4 (enhanced mode), CE-1000-4, CE-MR-10, and ML-Series cards support software LCAS (SW-LCAS). SW-LCAS is a limited form of LCAS that allows the VCAT circuit to adapt to member failures and keep traffic flowing at a reduced bandwidth.
SW-LCAS uses legacy SONET failure indicators like AIS-P and remote defect indication, path (RDI-P) to detect member failure. SW-LCAS removes the failed member from the VCAT circuit, leaving the remaining members to carry the traffic. When the failure clears, the member circuit is automatically added back into the VCAT circuit. For ML-Series cards, SW-LCAS allows circuit pairing over two-fiber BLSRs. With circuit pairing, a VCAT circuit is set up between two ML-Series cards: one is a protected circuit (line protection) and the other is a PCA circuit. For four-fiber BLSRs, member protection cannot be mixed. You select SW-LCAS during VCAT circuit creation. The FC_MR-4 (line rate mode) does not support SW-LCAS.

In addition, you can create non-LCAS VCAT circuits, which do not use LCAS or SW-LCAS. While LCAS and SW-LCAS member cross-connects can be in different service states, all In Group non-LCAS members must have cross-connects in the same service state. A non-LCAS circuit can mix Out of Group and In Group members, as long as the In Group members are in the same service state. Non-LCAS members do not support the OOS-MA,OOG service state; to put a non-LCAS member in the Out of Group VCAT state, use the OOS-MA,DSBLD administrative state.

Table 12-16 Switch Times

Type of circuit | For CE-100T-8 in ms
CCAT | 60
HO VCAT | 90
HO LCAS (1) | 90
LO VCAT | 202
LO LCAS | 202

1. The calculated number for HO LCAS includes all the inherent delays of the protocol. Also, the CE-100T-8 numbers are for a group size of only three members.

Note Protection switching for LCAS, SW-LCAS, and non-LCAS VCAT circuits might exceed 60 ms. Traffic loss for VT VCAT circuits is approximately two times that of an STS VCAT circuit. You can minimize traffic loss by reducing path differential delay.
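The aggregate-state rules in 12.18.1 and the non-LCAS member rules in 12.18.3 are easy to get wrong when auditing a VCAT group from a circuit export, so here is an added example that encodes them (this is illustrative code written for this page, not Cisco or CTC code). The Member record, the sample groups, and the assumption that an Out of Group member never counts as IS are constructed for the example.

```python
# Added example (not Cisco code): aggregate a VCAT circuit state from its
# members following the rules in 12.18.1, and check the non-LCAS member
# service-state rules from 12.18.3.  All member data is constructed.
from dataclasses import dataclass
from typing import List

IS = "IS"
OOS = "OOS"
OOS_PARTIAL = "OOS-PARTIAL"


@dataclass(frozen=True)
class Member:
    name: str
    in_group: bool          # VCAT State column: In Group (True) or Out of Group (False)
    state: str              # service state of the member cross-connect: IS or OOS
    admin_state: str = ""   # administrative state, e.g. "OOS-MA,OOG" or "OOS-MA,DSBLD"


def vcat_state(members: List[Member]) -> str:
    """Aggregate state of a VCAT circuit (12.18.1).

    Assumption: an Out of Group member is never IS, so the 'all members are IS'
    rule is evaluated over the In Group members.
    """
    in_group = [m for m in members if m.in_group]
    if not in_group:
        # No members at all, or every member is Out of Group
        return OOS
    states = {m.state for m in in_group}
    if states == {IS}:
        return IS
    if states == {OOS}:
        return OOS
    return OOS_PARTIAL      # In Group states are mixed and not all IS


def non_lcas_violations(members: List[Member]) -> List[str]:
    """Rules for non-LCAS circuits (12.18.3): all In Group members must share one
    service state, and OOS-MA,OOG is not supported (use OOS-MA,DSBLD instead)."""
    problems = []
    in_group_states = sorted({m.state for m in members if m.in_group})
    if len(in_group_states) > 1:
        problems.append("In Group members have mixed service states: "
                        + ", ".join(in_group_states))
    for m in members:
        if m.admin_state == "OOS-MA,OOG":
            problems.append(f"{m.name}: OOS-MA,OOG is not supported for non-LCAS "
                            "members; use OOS-MA,DSBLD to take the member Out of Group")
    return problems


# Constructed sample groups (member names and states are illustrative only).
HEALTHY = [Member("m1", True, IS), Member("m2", True, IS), Member("m3", True, IS)]
DEGRADED = [Member("m1", True, IS), Member("m2", True, OOS), Member("m3", True, IS)]
ALL_OOG = [Member("m1", False, OOS, "OOS-MA,OOG"), Member("m2", False, OOS, "OOS-MA,OOG")]
MIXED_NON_LCAS = [Member("m1", True, IS), Member("m2", True, OOS),
                  Member("m3", False, OOS, "OOS-MA,OOG")]

if __name__ == "__main__":
    for label, group in [("healthy", HEALTHY), ("degraded", DEGRADED),
                         ("all OOG", ALL_OOG), ("empty", [])]:
        print(f"{label:>9}: {vcat_state(group)}")
    for problem in non_lcas_violations(MIXED_NON_LCAS):
        print("non-LCAS violation:", problem)
```

The DEGRADED group shows the OOS-PARTIAL case that a simple "any member OOS means OOS" check would misreport; the empty and ALL_OOG cases show why the In Group filter is applied before any state comparison.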
12.18.4 VCAT Circuit Size

Table 12-17 lists supported VCAT circuit rates and number of members for each card. Use the Members tab in the Edit Circuit window to add or delete members from a VCAT circuit. The capability to add or delete members depends on the card and whether the VCAT circuit is LCAS, SW-LCAS, or non-LCAS.

• CE-100T-8 cards—You can add or delete members to an LCAS VCAT circuit without affecting service. Before deleting a member of an LCAS VCAT circuit, Cisco recommends that you put the member in the OOS-MA,OOG service state. If you create non-LCAS VCAT circuits, adding and deleting members to the circuit is possible, but service-affecting.
• CE-1000-4 and CE-MR-10 cards—You can add or delete SW-LCAS VCAT members, although it might affect service. Before deleting a member, Cisco recommends that you put the member in the OOS-MA,OOG service state. If you create non-LCAS VCAT circuits, adding and deleting members to the circuit is possible, but service-affecting.
• FC_MR-4 (enhanced mode) card—You can add or delete SW-LCAS VCAT members, although it might affect service. Before deleting a member, Cisco recommends that you put the member in the OOS-MA,OOG service state. You cannot add or delete members from non-LCAS VCAT circuits on FC_MR-4 cards.
• FC_MR-4 (line mode) card—All VCAT circuits using FC_MR-4 (line mode) cards have a fixed number of members; you cannot add or delete members.
• ML-Series cards—All VCAT circuits using ML-Series cards have a fixed number of members; you cannot add or delete members.

Table 12-17 ONS 15454 Card VCAT Circuit Rates and Members

Card | Circuit Rate | Number of Members
CE-100T-8 | VT1.5 | 1–64
CE-100T-8 | STS-1 | 1–3 (1)
CE-1000-4 | STS-1 | 1–21 (1)
CE-1000-4 | STS-3 | 1–7
CE-MR-10 | VT1.5 | 1–64
CE-MR-10 | STS-1 | 1–21 (1)
CE-MR-10 | STS-3 | 1–7
FC_MR-4 (line rate mode) | STS-1 | 24 (1 Gbps port), 48 (2 Gbps port)
FC_MR-4 (line rate mode) | STS-3c | 8 (1 Gbps port), 16 (2 Gbps port)
FC_MR-4 (enhanced mode) | STS-1 | 1–24 (1 Gbps port), 1–48 (2 Gbps port)
FC_MR-4 (enhanced mode) | STS-3c | 1–8 (1 Gbps port), 1–16 (2 Gbps port)
ML-Series | STS-1, STS-3c, STS-12c | 2

1. A VCAT circuit with a CE-Series card as a source or destination and an ML-Series card as a source or destination can have only two members.

Table 12-18 summarizes the VCAT capabilities for each card.

Table 12-18 ONS 15454 VCAT Card Capabilities

Card | Mode | Add a Member | Delete a Member | Support OOS-MA,OOG
CE-100T-8 | LCAS | Yes (1) | Yes (1) | Yes
CE-100T-8 | SW-LCAS | No | No | No
CE-100T-8 | Non-LCAS | Yes (2) | Yes (2) | No
CE-1000-4 | LCAS | No | No | No
CE-1000-4 | SW-LCAS | Yes | Yes | Yes
CE-1000-4 | Non-LCAS | Yes (2) | Yes (2) | No
CE-MR-10 | LCAS | Yes | Yes | Yes
CE-MR-10 | SW-LCAS | Yes | Yes | Yes
CE-MR-10 | Non-LCAS | Yes (2) | Yes (2) | No
FC_MR-4 (enhanced mode) | SW-LCAS | Yes | Yes | Yes
FC_MR-4 (enhanced mode) | Non-LCAS | No | No | No
FC_MR-4 (line mode) | Non-LCAS | No | No | No
ML-Series | SW-LCAS | No | No | No
ML-Series | Non-LCAS | No | No | No

1. When adding or deleting a member from an LCAS VCAT circuit, Cisco recommends that you first put the member in the OOS-MA,OOG service state to avoid service disruptions.
2. For CE-Series cards, you can add or delete members after creating a VCAT circuit with no protection. During the time it takes to add or delete members (from seconds to minutes), the entire VCAT circuit will be unable to carry traffic.

12.18.5 Open-Ended VCAT

For applications where the complete end-to-end VCAT circuit is not in a CTC managed network, CTC will only see either the source or the destination of the Virtual Concatenated Group (VCG) and some of the intermediate nodes. Figure 12-16 shows an end-to-end VCAT circuit. The termination points of the end-to-end VCAT circuit, with VCAT functionality, are referred to as the VCAT-Source and VCAT-Destination. The termination points of the CTC managed circuit, which is the Open-Ended VCAT circuit, are referred to as simply the Source and Destination.

Figure 12-16 Open-Ended VCAT

Open-ended VCAT circuits can originate or terminate on any pair of OC-N ports, and you can route open-ended VCAT circuits using any of the cards and ports supported by VCAT. The CTC circuit creation wizard provides an additional check box in the VCAT attributes pane to enable Open-VCAT circuit creation. Enabling the check box differentiates open-ended VCAT from regular VCAT circuits. The routing preferences for an open-ended VCAT circuit must be specified in the initial stages of circuit provisioning. For example, if the circuit is independent fiber routing, then multiple OC-N ports can be involved. Alternatively, the source of an open-VCAT circuit should always be a card capable of participating in a VCG. This allows CTC to determine which routing preferences are permissible. Auto ranging of 12 STS1 circuits is supported.

12.19 Bridge and Roll

The CTC Bridge and Roll wizard reroutes live traffic without interrupting service. The bridge process takes traffic from a designated “roll from” facility and establishes a cross-connect to the designated “roll to” facility. When the bridged signal at the receiving end point is verified, the roll process creates a new cross-connect to receive the new signal. When the roll completes, the original cross-connects are released. You can use the bridge and roll feature for maintenance functions such as card or facility replacement, or for load balancing. You can perform a bridge and roll on the following ONS platforms: ONS 15454, ONS 15454 SDH, ONS 15600, ONS 15327, and ONS 15310-CL.
12.19.1 Rolls Window

The Rolls window lists information about a rolled circuit before the roll process is complete. You can access the Rolls window by clicking the Circuits > Rolls tabs in either network or node view. Figure 12-17 shows the Rolls window.

[Figure 12-16 residue: Source and Destination of the Open-ended VCAT Circuit inside the CTC Managed Network; VCAT-Source and VCAT-Destination of the End-to-end VCAT Circuit; SONET/SDH Ports; Non-CTC Managed Network.]

Figure 12-17 Rolls Window

The Rolls window information includes:

• Roll From Circuit—The circuit that has connections that will no longer be used when the roll process is complete.
• Roll To Circuit—The circuit that will carry the traffic after the roll process is complete. The Roll To Circuit is the same as the Roll From Circuit if a single circuit is involved in a roll.
• Roll State—The roll status; see the “12.19.2 Roll Status” section on page 12-41.
• Roll Valid Signal—If the Roll Valid Signal status is true, a valid signal was found on the new port. If the Roll Valid Signal status is false, a valid signal was not found. It is not possible to get a Roll Valid Signal status of true for a one-way destination roll.
• Roll Mode—The mode indicates whether the roll is automatic or manual.

Note CTC implements a roll mode at the circuit level. TL1 implements a roll mode at the cross-connect level. If a single roll is performed, CTC and TL1 behave the same. If a dual roll is performed, the roll mode specified in CTC might be different from the roll mode retrieved in TL1. For example, if you select Automatic, CTC coordinates the two rolls to minimize possible traffic hits by using the Manual mode behind the scenes. When both rolls have a good signal, CTC signals the nodes to complete the roll.

  – Automatic—When a valid signal is received on the new path, CTC completes the roll on the node automatically.
One-way source rolls are always automatic. When the valid signal status is true, the Automatic mode switches the traffic to the Roll To Path and completes the roll automatically.
  – Manual—You must complete a manual roll after a valid signal is received. One-way destination rolls are always manual. When the valid signal status is true, the Manual mode switches the traffic to the Roll To Path.

• Roll Path—The fixed point of the roll object.
• Roll From Circuit—The circuit that has connections that will no longer be used when the process is complete.
• Roll From Path—The old path that is being rerouted.
• Roll To Path—The new path where the Roll From Path is rerouted.
• Complete—Completes a manual roll after a valid signal is received. You can do this when a manual roll is in a ROLL_PENDING status and you have not yet completed the roll or have not cancelled its sibling roll. You cannot cancel the roll after you complete the roll.
• Force Valid Signal—Forces a roll onto the Roll To Circuit destination without a valid signal.

Note If you choose Force Valid Signal, traffic on the circuit that is involved in the roll will be dropped when the roll is completed.

• Finish—Completes the circuit processing of both manual and automatic rolls and changes the circuit status from ROLL_PENDING to DISCOVERED. After a roll, the Finish button also removes any cross-connects that are no longer used from the Roll From Circuit field. The roll process ends when you finish the roll.
• Cancel—Cancels the roll process.

Note When the roll mode is Manual, cancelling a roll is only allowed before you click the Complete button. When the roll mode is Auto, cancelling a roll is only allowed before a good signal is detected by the node or before clicking the Force Valid Signal button.

12.19.2 Roll Status

Table 12-19 lists the roll statuses.
Table 12-19 Roll Statuses

State | Description
ROLL_PENDING | Roll is awaiting completion or cancellation.
ROLL_COMPLETED | Roll is complete. Click the Finish button.
ROLL_CANCELLED | Roll has been canceled.
TL1_ROLL | A TL1 roll was initiated. Note: If a roll is created using TL1, a CTC user cannot complete or cancel the roll. Also, if a roll is created using CTC, a TL1 user cannot complete or cancel the roll. You must use the same interface to complete or change a roll.
INCOMPLETE | This state appears when the underlying circuit becomes incomplete. To correct this state, you must fix the underlying circuit problem before the roll state will change. For example, a circuit traveling on Nodes A, B, and C can become INCOMPLETE if Node B is rebooted. The cross-connect information is lost on Node B during a reboot. The Roll State on Nodes A and C will change to INCOMPLETE.

Note You can only reroute circuits in the DISCOVERED status. You cannot reroute circuits that are in the ROLL_PENDING status.

12.19.3 Single and Dual Rolls

Circuits have an additional layer of roll types: single and dual. A single roll on a circuit is a roll on one of its cross-connects. Use a single roll to:

• Change either the source or destination of a selected circuit (Figure 12-18 and Figure 12-19, respectively).
• Roll a segment of the circuit onto another chosen circuit (Figure 12-20). This roll also results in a new destination or a new source.

In Figure 12-18, you can select any available STS on Node 1 for a new source.

Figure 12-18 Single Source Roll

[Figure residue: S1, S2, Node 1, Node 2, D; Original leg, New leg.]

In Figure 12-19, you can select any available STS on Node 2 for a new destination.

Figure 12-19 Single Destination Roll

[Figure residue: S, Node 1, D1, D2, Node 2; Original leg, New leg.]

Figure 12-20 shows one circuit rolling onto another circuit at the destination. The new circuit has cross-connects on Node 1, Node 3, and Node 4. CTC deletes the cross-connect on Node 2 after the roll.

Figure 12-20 Single Roll from One Circuit to Another Circuit (Destination Changes)

[Figure residue: S, D, D2, Node 1 through Node 4; Original leg, New leg.]

Figure 12-21 shows one circuit rolling onto another circuit at the source.

Figure 12-21 Single Roll from One Circuit to Another Circuit (Source Changes)

[Figure residue: S, S2, D, Node 1 through Node 4; Original leg, New leg.]

Note Create a Roll To Circuit before rolling a circuit with the source on Node 3 and the destination on Node 4.

A dual roll involves two cross-connects. It allows you to reroute intermediate segments of a circuit, but keep the original source and destination. If the new segments require new cross-connects, use the Bridge and Roll wizard or create a new circuit and then perform a roll.

Caution Only single rolls can be performed using TL1. Dual rolls require the network-level view that only CTC or CTM provide.

Dual rolls have several constraints:

• You must complete or cancel both cross-connects rolled in a dual roll. You cannot complete one roll and cancel the other roll.
• When a Roll To circuit is involved in the dual roll, the first roll must roll onto the source of the Roll To circuit and the second roll must roll onto the destination of the Roll To circuit.

Figure 12-22 illustrates a dual roll on the same circuit.
Figure 12-22 Dual Roll to Reroute a Link

[Figure residue: S, Node 1, Node 2, D; Original leg, New leg.]

Figure 12-23 illustrates a dual roll involving two circuits.

Figure 12-23 Dual Roll to Reroute to a Different Node

[Figure residue: S, D, Node 1 through Node 4; Original leg, New leg.]

Note If a new segment is created on Nodes 3 and 4 using the Bridge and Roll wizard, the created circuit has the same name as the original circuit with the suffix _ROLL**. The circuit source is on Node 3 and the circuit destination is on Node 4.

12.19.4 Two Circuit Bridge and Roll

When using the bridge and roll feature to reroute traffic using two circuits, the following constraints apply:

• DCC must be enabled on the circuits involved in a roll before roll creation.
• A maximum of two rolls can exist between any two circuits.
• If two rolls are involved between two circuits, both rolls must be on the original circuit. The second circuit should not carry live traffic. The two rolls loop from the second circuit back to the original circuit. The roll mode of the two rolls must be identical (either automatic or manual).
• If a single roll exists on a circuit, you must roll the connection onto the source or the destination of the second circuit and not an intermediate node in the circuit.

12.19.5 Protected Circuits

CTC allows you to roll the working or protect path regardless of which path is active. You can upgrade an unprotected circuit to a fully protected circuit or downgrade a fully protected circuit to an unprotected circuit, with the exception of a path protection circuit. When using bridge and roll on path protection circuits, you can roll the source or destination or both path selectors in a dual roll. However, you cannot roll a single path selector.

12.20 Merged Circuits

A circuit merge combines a single selected circuit with one or more circuits.
You can merge VT tunnels, VAP circuits, VCAT members, CTC-created circuits, and TL1-created circuits. To merge circuits, you choose a circuit in the CTC Circuits window and the circuits that you want to merge with the chosen (master) circuit on the Merge tab in the Edit Circuits window. The Merge tab shows only the circuits that are available for merging with the master circuit:

• Circuit cross-connects must create a single, contiguous path.
• Circuit types must be compatible. For example, you can combine an STS circuit with a VAP circuit to create a longer VAP circuit, but you cannot combine a VT circuit with an STS circuit.
• Circuit directions must be compatible. You can merge a one-way and a two-way circuit, but not two one-way circuits in opposing directions.
• Circuit sizes must be identical.
• VLAN assignments must be identical.
• Circuit end points must send or receive the same framing format.
• The merged circuits must become a DISCOVERED circuit.

If all connections from the master circuit and all connections from the merged circuits align to form one complete circuit, the merge is successful. If all connections from the master circuit and some, but not all, connections from the other circuits align to form a single complete circuit, CTC notifies you and gives you the chance to cancel the merge process. If you choose to continue, the aligned connections merge successfully into the master circuit, and the unaligned connections remain in the original circuits. All connections in the completed master circuit use the original master circuit name. All connections from the master circuit and at least one connection from the other selected circuits must be used in the resulting circuit for the merge to succeed. If a merge fails, the master circuit and all other circuits remain unchanged. When the circuit merge completes successfully, the resulting circuit retains the name of the master circuit.
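To make the merge rules above concrete, here is an added example (written for this page; it is not CTC code) that applies the Merge tab eligibility checks and the alignment outcome (successful, partial with a confirmation prompt, or failed) to a set of constructed circuits. The hop model, in which each cross-connect is a directed (from node, to node) pair and a one-way hop may only extend the path in its own direction while a two-way circuit's hop may be attached in either orientation, is an assumption made for the example; the DISCOVERED requirement is not modelled.

```python
# Added example (not Cisco code): eligibility and alignment check for a
# circuit merge following the rules in 12.20.  Circuit names, node names and
# the hop model are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Hop = Tuple[str, str]   # one cross-connect, from one node to the next


@dataclass
class Circuit:
    name: str
    kind: str         # "STS", "VT", or "VAP"
    size: str         # e.g. "STS-1", "VT1.5"
    direction: str    # "one-way" or "two-way"
    framing: str
    vlan: str = ""
    hops: List[Hop] = field(default_factory=list)


def compatible(master: Circuit, other: Circuit) -> List[str]:
    """Reasons why 'other' would not appear on the Merge tab for 'master'."""
    reasons = []
    # STS may combine with VAP; VT never combines with STS.
    if {master.kind, other.kind} not in ({"STS"}, {"VT"}, {"VAP"}, {"STS", "VAP"}):
        reasons.append(f"incompatible circuit types {master.kind}/{other.kind}")
    if master.size != other.size:
        reasons.append(f"sizes differ ({master.size} vs {other.size})")
    if master.vlan != other.vlan:
        reasons.append("VLAN assignments differ")
    if master.framing != other.framing:
        reasons.append("framing formats differ")
    return reasons


def align(master: Circuit, others: List[Circuit]):
    """Chain the other circuits' hops onto the ends of the master path.

    Returns (merged_path, unaligned) where unaligned maps a circuit name to the
    hops that could not be attached.  Assumption: a one-way hop only extends the
    path in its own direction; if either circuit is two-way, a hop may be flipped.
    """
    path = list(master.hops)            # master always contributes all its hops
    unaligned: Dict[str, List[Hop]] = {}
    for c in others:
        pending = list(c.hops)
        flip_ok = master.direction == "two-way" or c.direction == "two-way"
        progress = True
        while pending and progress:
            progress = False
            for hop in list(pending):
                a, b = hop
                if a == path[-1][1]:
                    path.append(hop)
                elif b == path[0][0]:
                    path.insert(0, hop)
                elif flip_ok and b == path[-1][1]:
                    path.append((b, a))
                elif flip_ok and a == path[0][0]:
                    path.insert(0, (b, a))
                else:
                    continue
                pending.remove(hop)
                progress = True
        if pending:
            unaligned[c.name] = pending
    return path, unaligned


def merge(master: Circuit, others: List[Circuit]):
    """'ok', 'partial' (CTC notifies you and offers to cancel) or 'failed'."""
    for c in others:
        if compatible(master, c):
            return "failed", None
    path, unaligned = align(master, others)
    if any(len(unaligned.get(c.name, [])) == len(c.hops) for c in others):
        return "failed", None        # a selected circuit contributed no connection
    if unaligned:
        return "partial", path       # aligned hops merge, the rest stay where they are
    return "ok", path


# Constructed sample circuits: MASTER runs N1 -> N2 -> N3.
MASTER = Circuit("C1", "STS", "STS-1", "one-way", "SONET", hops=[("N1", "N2"), ("N2", "N3")])
EXT = Circuit("C2", "STS", "STS-1", "one-way", "SONET", hops=[("N3", "N4")])
REV = Circuit("C3", "STS", "STS-1", "one-way", "SONET", hops=[("N4", "N3")])      # opposing one-way
TWOWAY = Circuit("C4", "STS", "STS-1", "two-way", "SONET", hops=[("N4", "N3")])   # may be flipped
VT = Circuit("C5", "VT", "VT1.5", "one-way", "SONET", hops=[("N3", "N4")])        # wrong type/size
STRAY = Circuit("C6", "STS", "STS-1", "one-way", "SONET", hops=[("N3", "N4"), ("N7", "N8")])

if __name__ == "__main__":
    for other in (EXT, REV, TWOWAY, VT, STRAY):
        print(other.name, merge(MASTER, [other]))
```

The REV case is the "two one-way circuits in opposing directions" rule falling out of the alignment step rather than a separate check, and STRAY shows the partial outcome in which only the aligned connection joins the master circuit.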
You can also merge orderwire and user data channel (UDC) overhead circuits, which use the overhead bytes instead of frame payload to transfer data. To merge overhead circuits, you choose the overhead circuits on the network view Provisioning > Overhead Circuits window. You can only merge orderwire and UDC circuits.

12.21 Reconfigured Circuits

You can reconfigure multiple circuits, which is typically necessary when a large number of circuits are in the PARTIAL status. When reconfiguring multiple circuits, the selected circuits can be any combination of DISCOVERED, PARTIAL, DISCOVERED_TL1, or PARTIAL_TL1 circuits. You can reconfigure tunnels, VAP circuits, VLAN-assigned circuits, VCAT circuits, CTC-created circuits, and TL1-created circuits. The Reconfigure command maintains the names of the original cross-connects.

Use the CTC Tools > Circuits > Reconfigure Circuits menu item to reconfigure selected circuits. During reconfiguration, CTC reassembles all connections of the selected circuits and VCAT members into circuits based on path size, direction, and alignment. Some circuits might merge and others might split into multiple circuits. If the resulting circuit is a valid circuit, it appears as a DISCOVERED circuit. Otherwise, the circuit appears as a PARTIAL or PARTIAL_TL1 circuit.

Note If CTC cannot reconfigure all members in a VCAT circuit, the reconfigure operation fails for the entire VCAT circuit and it remains in the PARTIAL or PARTIAL_TL1 status. If CTC does reconfigure all members in a VCAT circuit, the VCAT circuit may still remain in the PARTIAL or PARTIAL_TL1 status. This occurs if the ports defined in the VCAT termination do not match the source/drop ports of the member circuits or if one or two VCAT terminations are missing.
Note PARTIAL tunnel and PARTIAL VLAN-capable circuits do not split into multiple circuits during reconfiguration.

12.22 VLAN Management

In Software Release 4.6 and later, VLANs are populated within topologies to limit broadcasts to each topology rather than to the entire network. Using the Manage VLANs command in the Tools menu, you can view a list of topology hosts and provisioned VLANs. You create VLANs during circuit creation or with the Manage VLANs command. When creating a VLAN, you must identify the topology host (node) where the VLAN will be provisioned. The Manage VLANs command also allows you to delete existing VLANs.

12.23 Server Trails

A server trail is a non-DCC (logical or virtual) link across a third-party network that connects two CTC network domains. A server trail allows A-Z circuit provisioning when no DCC is available. You can create server trails between two distant optical or EC-1 ports. The end ports on a server trail can be different types (for example, an OC-3 port can be linked to an OC-12 port). Server trails are not allowed on DCC-enabled ports.

The server trail link is bidirectional and can be VT1.5, VT2, STS1, STS-3c, STS-6c, STS-12c, STS-48c, or STS-192c; you cannot change an existing server trail to another size. It must be deleted and recreated. A circuit provisioned over a server trail must match the type and size of the server trail it uses. For example, an STS-3c server trail can carry only STS-3c circuits and not three STS-1 circuits.

Note There is no OSPF or any other management information exchange between NEs over a server trail.

12.23.1 Server Trail Protection Types

The server trail protection type determines the protection type for any circuits that traverse it.
A server trail link can be one of the following protection types: • Preemptible— PCA circuits will use server trails with the Preemptible attribute. • Unprotected—In Unprotected Server Trail, CTC assumes that the circuits going out from that specific port will not be protected by provider network and will look for a secondary path from source to destination if you are creating a protected circuit. • Fully Protected—In Fully Protected Server Trail, CTC assumes that the circuits going out from that specific port will be protected by provider network and will not look for a secondary path from source to destination. Note Only path protection is available on server trails. BLSR protection is not available on server trail. 12.23.2 VCAT Circuit Routing over Server Trails An STS-3c server trail can be used to route STS-3c circuits and an STS-1 server trail can be used to route STS-1 circuits. Similarly, a VT1.5 server trail can be used to route VT1.5 circuits and an STS-12c server trail can only be used for STS-12c circuits. For example, to route a STS-3c-2v circuit over a server trail, you must enable split fiber routing and create two STS-3c server trails and route each member manually or automatically over each server trail. To route a STS-12c-2v circuit over a server trail, you must enable split fiber routing and create two STS-12c server trails and route each member manually or automatically over each server trail. Note Server trails can only be created between any two optical ports or EC-1 ports. VCAT circuities can be created over server trails in the following ways: • Manual routing • Automatic routing – Diverse routing: This method enables VCAT circuit routing over diverse server trail links. Note When creating circuits or VCATs, you can choose a server trail link during manual circuit routing. CTC may also route circuits over server trail links during automatic routing. VCAT common-fiber automatic routing is not supported. 
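The size-matching, split-fiber and diverse-routing rules described above, as an added Python example (not CTC or Cisco code). The ServerTrail structure, the trail names and the SRLG values are constructed for illustration; the SRLG attribute itself is the one described in the next subsection.

```python
"""Server trail compatibility and VCAT member routing checks (added example).

Encodes the rules of this section: a circuit must match its server trail's
size, a VCAT STS-Nc-Mv circuit needs split fiber routing plus one matching
trail per member, and links sharing an SRLG value are not diverse.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sizes a server trail link can be provisioned as (from the section text).
SERVER_TRAIL_SIZES = {"VT1.5", "VT2", "STS1", "STS-3c", "STS-6c",
                      "STS-12c", "STS-48c", "STS-192c"}
PROTECTION_TYPES = {"Preemptible", "Unprotected", "Fully Protected"}


class RoutingError(Exception):
    """Raised when a circuit cannot be routed over the available server trails."""


@dataclass
class ServerTrail:
    name: str
    size: str                   # one of SERVER_TRAIL_SIZES
    protection: str             # one of PROTECTION_TYPES
    srlg: Optional[int] = None  # Shared Resource Link Group, if assigned
    in_use: bool = False        # set once a circuit member is routed over it

    def __post_init__(self) -> None:
        if self.size not in SERVER_TRAIL_SIZES:
            raise ValueError(f"{self.name}: unsupported server trail size {self.size}")
        if self.protection not in PROTECTION_TYPES:
            raise ValueError(f"{self.name}: unknown protection type {self.protection}")


def can_carry(trail: ServerTrail, circuit_size: str) -> bool:
    """Size must match exactly: an STS-3c trail carries one STS-3c circuit,
    never three STS-1 circuits."""
    return trail.size == circuit_size


def secondary_path_needed(trail: ServerTrail, protected_circuit: bool) -> bool:
    """CTC looks for a secondary path only for a protected circuit leaving an
    Unprotected trail; a Fully Protected trail is trusted to protect it."""
    return protected_circuit and trail.protection == "Unprotected"


def parse_vcat(circuit_size: str) -> Tuple[str, int]:
    """Split 'STS-3c-2v' into ('STS-3c', 2); a non-VCAT size has one member."""
    head, sep, tail = circuit_size.rpartition("-")
    if sep and tail.endswith("v") and tail[:-1].isdigit():
        return head, int(tail[:-1])
    return circuit_size, 1


def route_over_server_trails(circuit_size: str, trails: List[ServerTrail],
                             split_fiber: bool, diverse: bool = True) -> Dict[str, str]:
    """Assign each VCAT member to its own matching server trail.

    With diverse=True two members never share an SRLG value, which is how
    diverse routing over server trail links is expressed here. Returns
    {member label: trail name} or raises RoutingError.
    """
    member_size, members = parse_vcat(circuit_size)
    if members > 1 and not split_fiber:
        raise RoutingError("VCAT over server trails needs split fiber routing; "
                           "common-fiber automatic routing is not supported")
    assignment: Dict[str, str] = {}
    used_srlgs = set()
    for index in range(1, members + 1):
        label = f"{circuit_size} member {index}"
        chosen = None
        for trail in trails:
            if trail.in_use or not can_carry(trail, member_size):
                continue
            if diverse and trail.srlg is not None and trail.srlg in used_srlgs:
                continue  # shares a fiber/port/span with a trail already used
            chosen = trail
            break
        if chosen is None:
            raise RoutingError(f"no free {member_size} server trail for {label}")
        chosen.in_use = True
        if chosen.srlg is not None:
            used_srlgs.add(chosen.srlg)
        assignment[label] = chosen.name
    return assignment


def sample_trails() -> List[ServerTrail]:
    """Constructed sample: ST-A and ST-B ride the same fiber (SRLG 10)."""
    return [
        ServerTrail("ST-A", "STS-3c", "Fully Protected", srlg=10),
        ServerTrail("ST-B", "STS-3c", "Fully Protected", srlg=10),
        ServerTrail("ST-C", "STS-3c", "Unprotected", srlg=20),
        ServerTrail("ST-D", "STS1", "Unprotected", srlg=30),
    ]
```

Routing STS-3c-2v over the sample trails picks ST-A and ST-C, skipping ST-B because it shares SRLG 10 with ST-A; an STS-3c-3v circuit cannot be routed diversely over them at all.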
For a detailed procedure on how to route a VCAT circuit over a server trail, refer to “Chapter 6, Create Circuits and VT Tunnels, Section NTP-A264, Create an Automatically Routed VCAT Circuit, and Section NTP-A265, Create a Manually Routed VCAT Circuit” in the Cisco ONS 15454 Procedure Guide.

12.23.2.1 Shared Resource Link Group

The Shared Resource Link Group (SRLG) attribute can be assigned to server trail links that use a commonly shared resource such as a port, fiber, or span. For example, if two server trail links are routed over the same fiber, an SRLG attribute can be assigned to these links. SRLG is used by Cisco Transport Manager (CTM) to specify link diversity. If you create multiple server trails from one port, you can assign the same SRLG value to all the links to indicate that they originate from the same port.

Chapter 13 Alarm Monitoring and Management

This chapter describes Cisco Transport Controller (CTC) alarm management. To troubleshoot specific alarms, refer to the Cisco ONS 15454 Troubleshooting Guide. Chapter topics include:

• 13.1 Overview, page 13-1
• 13.2 LCD Alarm Counts, page 13-1
• 13.3 Alarm Information, page 13-2
• 13.4 Alarm Severities, page 13-9
• 13.5 Alarm Profiles, page 13-9
• 13.6 Alarm Suppression, page 13-13
• 13.7 External Alarms and Controls, page 13-14

13.1 Overview

CTC detects and reports SONET alarms generated by the Cisco ONS 15454 and the larger SONET network. You can use CTC to monitor and manage alarms at the card, node, or network level. Alarming conforms to the Telcordia GR-253 standard. Severities conform to Telcordia GR-474, but you can set alarm severities in customized alarm profiles or suppress CTC alarm reporting. For a detailed description of the standard Telcordia categories employed by Optical Networking System (ONS) nodes, refer to the Cisco ONS 15454 Troubleshooting Guide.

Note ONS 15454 alarms can also be monitored and managed through Transaction Language One (TL1) or a network management system (NMS).

13.2 LCD Alarm Counts

You can view node, slot, or port-level alarm counts and summaries using the buttons on the ONS 15454 LCD panel. The Slot and Port buttons toggle between display types: the Slot button toggles between node display and slot display, and the Port button toggles between slot and port views. Pressing the Status button after you choose the display mode changes the display from alarm count to alarm summary.

The ONS 15454 has a one-button update for some commonly viewed alarm counts. If you press the Slot button once and then wait eight seconds, the display automatically changes from a slot alarm count to a slot alarm summary. If you press the Port button to toggle to the port-level display, you can use the Port button to toggle to a specific slot and to view each port’s port-level alarm count. Figure 13-1 shows the LCD panel layout.

Figure 13-1 Shelf LCD Panel

13.3 Alarm Information

You can use the Alarms tab to view card, node, or network-level alarms. The Alarms window shows alarms in conformance with Telcordia GR-253. This means that if a network problem causes two alarms, such as loss of frame (LOF) and loss of signal (LOS), CTC only shows the LOS alarm in this window because it supersedes LOF. (The LOF alarm can still be retrieved in the Conditions window.)

The Path Width column in the Alarms and Conditions tabs expands upon the alarmed object information contained in the access identifier (AID) string (such as “STS-4-1-3”) by giving the number of STSs contained in the alarmed path. For example, the Path Width tells you whether a critical alarm applies to an STS1 or an STS48c. The column reports the width as 1, 3, 6, 12, 48, etc., as appropriate, understood to be “STS-N.”

Table 13-1 lists the column headings and the information recorded in each column.

Table 13-1 Alarms Column Descriptions (Column: Information Recorded)
Num: Num (number) is the quantity of alarm messages received, and is incremented automatically as alarms occur to display the current total of received error messages. (The column is hidden by default; to view it, right-click a column and choose Show Column > Num.)
Ref: Ref (reference) is a unique identification number assigned to each alarm to reference a specific alarm message that is displayed. (The column is hidden by default. To view it, right-click a column and choose Show Column.)
New: Indicates a new alarm. To change this status, click either the Synchronize button or the Delete Cleared Alarms button.
Date: Date and time of the alarm.
Node: Shows the name of the node where the condition or alarm occurred. (Visible in network view.)
Object: TL1 AID for the alarmed object. For an STSmon or VTmon, this is the monitored STS or VT object.
Eqpt Type: Card type in this slot.
Shelf: For dense wavelength division multiplexing (DWDM) configurations, the shelf where the alarmed object is located. Visible in network view.
Slot: Slot where the alarm occurred (appears only in network and node view).
Port: Port where the alarm is raised. For STSTerm and VTTerm, the port refers to the upstream card it is partnered with.
Path Width: Indicates how many STSs are contained in the alarmed path. This information complements the alarm object notation, which is explained in the “Alarm Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide.
Sev: Severity level: CR (Critical), MJ (Major), MN (Minor), NA (Not Alarmed), NR (Not Reported).
ST: Status: R (raised), C (clear), or T (transient).
SA: When checked, indicates a service-affecting alarm.
Cond: The error message/alarm name. These names are alphabetically defined in the “Alarm Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide.
Description: Description of the alarm.

Note When an entity is put in the OOS,MT administrative state, the ONS 15454 suppresses all standing alarms on that entity. All alarms and events appear on the Conditions tab. You can change this behavior for the LPBKFACILITY and LPBKTERMINAL alarms. To display these alarms on the Alarms tab, set NODE.general.ReportLoopbackConditionsOnPortsInOOS-MT to TRUE on the NE Defaults tab.

Table 13-2 lists the color codes for alarm and condition severities. The inherited (I) and unset (U) severities are only listed in the network view Provisioning > Alarm Profiles tab.

Note Major and Minor alarms might appear yellow in CTC under certain circumstances. This is not due to a CTC problem but to a workstation memory and color utilization problem. For example, a workstation might run out of colors if many color-intensive applications are running. When using Netscape, you can limit the number of colors used by launching it from the command line with either the -install option or the -ncols 32 option.

Table 13-2 Color Codes for Alarm and Condition Severities (Color: Description)
Red: Raised Critical (CR) alarm
Orange: Raised Major (MJ) alarm
Yellow: Raised Minor (MN) alarm
Magenta: Raised Not Alarmed (NA) condition
Blue: Raised Not Reported (NR) condition
White: Cleared (C) alarm or condition

13.3.1 Viewing Alarms With Each Node’s Time Zone

By default, alarms and conditions are displayed with the time stamp of the CTC workstation where you are viewing them. But you can set the node to report alarms (and conditions) using the time zone where the node is located by clicking Edit > Preferences and checking the Display Events Using Each Node’s Timezone check box.

13.3.2 Controlling Alarm Display

You can control the display of the alarms shown in the Alarms window. Table 13-3 shows the actions you can perform in the Alarms window.

13.3.3 Filtering Alarms

The alarm display can be filtered to prevent display of alarms with certain severities or alarms that occurred between certain dates and times. You can set the filtering parameters by clicking the Filter button at the bottom-left of the Alarms window. You can turn the filter on or off by clicking the Filter tool at the bottom-right of the window. CTC retains your filter activation setting. For example, if you turn the filter on and then log out, CTC keeps the filter active the next time you log in.

Table 13-3 Alarm Display (Button/Check Box/Tool: Action)
Filter button: Allows you to change the display in the Alarms window to show only alarms that meet a certain severity level, occur in a specified time frame, and/or reflect specific conditions. For example, you can set the filter so that only critical alarms display in the window. If you enable the Filter feature by clicking the Filter button in one CTC view, such as node view, it is enabled in the others as well (card view and network view).
Synchronize button: Updates the alarm display. Although CTC displays alarms in real time, the Synchronize button allows you to verify the alarm display. This is particularly useful during provisioning or troubleshooting.
Delete Cleared Alarms button: Deletes, from the view, alarms that have been cleared.
AutoDelete Cleared Alarms check box: If checked, CTC automatically deletes cleared alarms.
Filter tool: Enables or disables alarm filtering in the card, node, or network view. When enabled or disabled, this state applies to other views for that node and for all other nodes in the network. For example, if the Filter tool is enabled in the node (default login) view Alarms window, the network view Alarms window and card view Alarms window also show the tool enabled. All other nodes in the network also show the tool enabled.

13.3.4 Viewing Alarm-Affected Circuits

A user can view which ONS 15454 circuits are affected by a specific alarm by positioning the cursor over the alarm in the Alarms window and right-clicking. A shortcut menu appears (Figure 13-2). When the user selects the Select Affected Circuits option, the Circuits window opens to show the circuits that are affected by the alarm.

Figure 13-2 Select Affected Circuits Option

13.3.5 Conditions Tab

The Conditions window displays retrieved fault conditions. A condition is a fault or status detected by ONS 15454 hardware or software. When a condition occurs and continues for a minimum period, CTC raises a condition, which is a flag showing that this particular condition currently exists on the ONS 15454.

The Conditions window shows all conditions that occur, including those that are superseded. For instance, if a network problem causes two alarms, such as LOF and LOS, CTC shows both the LOF and LOS conditions in this window (even though LOS supersedes LOF). Having all conditions visible can be helpful when troubleshooting the ONS 15454. If you want to retrieve conditions that obey a root-cause hierarchy (that is, LOS supersedes and replaces LOF), you can exclude the same root causes by checking the “Exclude Same Root Cause” check box in the window.

Fault conditions include reported alarms and Not Reported or Not Alarmed conditions. Refer to the trouble notifications information in the Cisco ONS 15454 Troubleshooting Guide for more information about alarm and condition classifications.

13.3.6 Controlling the Conditions Display

You can control the display of the conditions in the Conditions window. Table 13-4 shows the actions you can perform in the window.

13.3.6.1 Retrieving and Displaying Conditions

The current set of all existing conditions maintained by the alarm manager can be seen when you click the Retrieve button. The set of conditions retrieved is relative to the view. For example, if you click the button while displaying the node view, node-specific conditions are displayed. If you click the button while displaying the network view, all conditions for the network (including ONS 15454 nodes and other connected nodes) are displayed, and the card view shows only card-specific conditions.

You can also set a node to display conditions using the time zone where the node is located, rather than the time zone of the PC where they are being viewed. See the “13.3.1 Viewing Alarms With Each Node’s Time Zone” section on page 13-4 for more information.

13.3.6.2 Conditions Column Descriptions

Table 13-5 lists the Conditions window column headings and the information recorded in each column.
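The difference between the Alarms tab and the Conditions tab described in sections 13.3 and 13.3.5, as an added Python example that is not CTC code: one retrieved condition set is rendered both ways, with LOS superseding LOF on the same object, standing alarms on an OOS,MT entity suppressed, the Exclude Same Root Cause option, and the severity filter. The record layout follows the Table 13-1 and 13-5 columns but is an assumption, and the sample records, node name and AIDs are constructed.

```python
"""Alarms window versus Conditions window rendering (added example, not CTC code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple

ALARMED = {"CR", "MJ", "MN"}  # severities the Alarms tab shows by default
# Root-cause hierarchy: a raised key supersedes the listed conditions on the
# same object. Only LOS over LOF is stated in this chapter; extend as needed.
SUPERSEDES = {"LOS": {"LOF"}}


@dataclass
class Condition:
    date: datetime
    node: str
    obj: str                 # TL1 AID, e.g. "FAC-3-1" (constructed)
    cond: str                # condition name, e.g. "LOS"
    sev: str                 # CR, MJ, MN, NA, NR
    st: str = "R"            # R raised, C cleared, T transient
    sa: bool = False         # service-affecting
    admin_state: str = "IS"  # administrative state of the alarmed entity


def _superseded(c: Condition, conds: Iterable[Condition]) -> bool:
    """True if a raised higher-priority condition exists on the same object."""
    return any(other.st == "R" and other.obj == c.obj and other.node == c.node
               and c.cond in SUPERSEDES.get(other.cond, set())
               for other in conds)


def conditions_view(conds: List[Condition], exclude_same_root_cause: bool = False,
                    severities: Optional[Set[str]] = None) -> List[Condition]:
    """Conditions tab: every retrieved condition, including superseded ones and
    those on OOS,MT entities, unless Exclude Same Root Cause or a filter is set."""
    out = []
    for c in conds:
        if severities is not None and c.sev not in severities:
            continue
        if exclude_same_root_cause and _superseded(c, conds):
            continue
        out.append(c)
    return out


def alarms_view(conds: List[Condition], severities: Set[str] = frozenset(ALARMED),
                since: Optional[datetime] = None) -> List[Condition]:
    """Alarms tab: superseded alarms are hidden (LOS replaces LOF), standing
    alarms on OOS,MT entities are suppressed, and the Filter (severity, time)
    is applied. NA conditions such as AS-MT appear only if NA is in the filter."""
    out = []
    for c in conds:
        if c.sev not in severities:
            continue
        if since is not None and c.date < since:
            continue
        if c.admin_state == "OOS,MT" and c.cond != "AS-MT":
            continue  # suppressed for maintenance; still visible under Conditions
        if _superseded(c, conds):
            continue
        out.append(c)
    return out


def keys(view: List[Condition]) -> List[Tuple[str, str]]:
    """(object, condition) pairs, handy for comparing the two renderings."""
    return [(c.obj, c.cond) for c in view]


def sample_conditions() -> List[Condition]:
    """Constructed retrieval from one node; the timestamp is arbitrary."""
    t = datetime(2012, 8, 29, 4, 6)
    node = "NODE-A"
    return [
        Condition(t, node, "FAC-3-1", "LOS", "CR", sa=True),
        Condition(t, node, "FAC-3-1", "LOF", "CR", sa=True),   # superseded by LOS
        Condition(t, node, "FAC-4-1", "LOF", "CR", sa=True),   # no LOS here: shown
        Condition(t, node, "FAC-5-1", "TRMT", "MJ", admin_state="OOS,MT"),
        Condition(t, node, "FAC-5-1", "AS-MT", "NA", admin_state="OOS,MT"),
        Condition(t, node, "FAC-6-1", "CARLOSS", "MJ", sa=True),
    ]
```

On the sample set the Alarms tab lists LOS on FAC-3-1, LOF on FAC-4-1 and CARLOSS on FAC-6-1 only, while the Conditions tab lists all six records and drops just the superseded LOF when Exclude Same Root Cause is checked.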
Table 13-4 Conditions Display (Button: Action)
Retrieve: Retrieves the current set of all existing fault conditions, as maintained by the alarm manager, from the ONS 15454.
Filter: Allows you to change the Conditions window display to show only the conditions that meet a certain severity level or occur in a specified time. For example, you can set the filter so that only critical conditions display in the window. There is a Filter button on the lower-right of the window that allows you to enable or disable the filter feature.
Exclude Same Root Cause: Retrieves conditions that obey a root-cause hierarchy (for example, LOS supersedes and replaces LOF).

Table 13-5 Conditions Column Description (Column: Information Recorded)
Date: Date and time of the condition.
Node: Shows the name of the node where the condition or alarm occurred. (Visible in network view.)
Object: TL1 AID for the condition object. For an STSmon or VTmon, this is the monitored STS or VT object.
Eqpt Type: Card type in this slot.
Shelf: For DWDM configurations, the shelf where the alarmed object is located. Visible in network view.
Slot: Slot where the condition occurred (appears only in network and node view).
Port: Port where the condition occurred. For STSTerm and VTTerm, the port refers to the upstream card it is partnered with.
Path Width: Width of the data path.
Sev (1): Severity level: CR (Critical), MJ (Major), MN (Minor), NA (Not Alarmed), NR (Not Reported).
SA (1): Indicates a service-affecting alarm (when checked).
Cond: The error message/alarm name; these names are alphabetically defined in the “Alarm Troubleshooting” chapter of the Cisco ONS 15454 Troubleshooting Guide.
Description: Description of the condition.

1. All alarms, their severities, and service-affecting statuses are also displayed in the Conditions tab unless you choose to filter the alarm from the display using the Filter button.

13.3.6.3 Filtering Conditions

The condition display can be filtered to prevent display of conditions (including alarms) with certain severities or that occurred between certain dates. You can set the filtering parameters by clicking the Filter button at the bottom-left of the Conditions window. You can turn the filter on or off by clicking the Filter tool at the bottom-right of the window. CTC retains your filter activation setting. For example, if you turn the filter on and then log out, CTC keeps the filter active the next time your user ID is activated.

13.3.7 Viewing History

The History window displays historic alarm or condition data for the node or for your login session. You can choose to display only alarm history, only events, or both by checking check boxes in the History > Shelf window. You can view network-level alarm and condition history, such as for circuits, for all the nodes visible in network view. At the node level, you can see all port (facility), card, STS, and system-level history entries for that node. For example, protection-switching events or performance-monitoring threshold crossings appear here. If you double-click a card, you can view all port, card, and STS alarm or condition history that directly affects the card.

Note In the Preference dialog General tab, the Maximum History Entries value only applies to the Session window.

Different views of CTC display different kinds of history:

• The History > Session window is shown in network view, node view, and card view. It shows alarms and conditions that occurred during the current user CTC session.
• The History > Shelf window is only shown in node view. It shows the alarms and conditions that occurred on the node since CTC software was operated on the node.
• The History > Card window is only shown in card view. It shows the alarms and conditions that occurred on the card since CTC software was installed on the node.

Tip Double-click an alarm in the History window to display the corresponding view. For example, double-clicking a card alarm takes you to card view. In network view, double-clicking a node alarm takes you to node view.

If you check the History window Alarms check box, you display the node history of alarms. If you check the Events check box, you display the node history of Not Alarmed and transient events (conditions). If you check both check boxes, you retrieve node history for both.

13.3.7.1 History Column Descriptions

Table 13-6 lists the History window column headings and the information recorded in each column.

13.3.7.2 Retrieving and Displaying Alarm and Condition History

You can retrieve and view the history of alarms and conditions, as well as transients (passing notifications of processes as they occur), in the CTC History window. The information in this window is specific to the view where it is shown (that is, network history in the network view, node history in the node view, and card history in the card view).

The node and card history views are each divided into two tabs. In node view, when you click the Retrieve button, you can see the history of alarms, conditions, and transients that have occurred on the node in the History > Shelf window, and the history of alarms, conditions, and transients that have occurred on the node during your login session in the History > Session window. In the card-view history window, after you retrieve the card history, you can see the history of alarms, conditions, and transients on the card in the History > Card window, or a history of alarms, conditions, and transients that have occurred during your login session in the History > Session window. You can also filter the severities and occurrence period in these history windows.

Table 13-6 History Column Description (Column: Information Recorded)
Num: An incrementing count of alarm or condition messages. (The column is hidden by default; to view it, right-click a column and choose Show Column > Num.)
Ref: The reference number assigned to the alarm or condition. (The column is hidden by default; to view it, right-click a column and choose Show Column > Ref.)
Date: Date and time of the condition.
Node: Shows the name of the node where the condition or alarm occurred. (Visible in network view.)
Object: TL1 AID for the condition object. For an STSmon or VTmon, this is the monitored STS or VT object.
Eqpt Type: Card type in this slot.
Shelf: For DWDM configurations, the shelf where the alarmed object is located. Visible in network view.
Slot: Slot where the condition occurred (only displays in network view and node view).
Port: Port where the condition occurred. For STSTerm and VTTerm, the port refers to the upstream card it is partnered with.
Path Width: Width of the data path.
Sev: Severity level: Critical (CR), Major (MJ), Minor (MN), Not Alarmed (NA), Not Reported (NR).
ST: Status: raised (R), cleared (C), or transient (T).
SA: Indicates a service-affecting alarm (when checked).
Cond: Condition name.
Description: Description of the condition.

13.3.8 Alarm History and Log Buffer Capacities

The ONS 15454 alarm history log, stored in the TCC2/TCC2P RSA memory, contains four categories of alarms:

• CR severity alarms
• MJ severity alarms
• MN severity alarms
• The combined group of cleared, Not Alarmed severity, and Not Reported severity alarms

Each category can store between 4 and 640 alarm chunks, or entries. In each category, when the upper limit is reached, the oldest entry in the category is deleted. The capacity is not user-provisionable.
CTC also has a log buffer, separate from the alarm history log, that pertains to the total number of entries displayed in the Alarms, Conditions, and History windows. The total capacity is provisionable up to 5,000 entries. When the upper limit is reached, the oldest entries are deleted.

13.4 Alarm Severities

ONS 15454 alarm severities follow the Telcordia GR-253 standard, so a condition might be Alarmed (at a severity of Critical [CR], Major [MJ], or Minor [MN]), Not Alarmed (NA), or Not Reported (NR). These severities are reported in the CTC software Alarms, Conditions, and History windows at all levels: network, shelf, and card.

ONS equipment provides a standard profile named Default listing all alarms and conditions with severity settings based on Telcordia GR-474 and other standards, but users can create their own profiles with different settings for some or all conditions and apply these wherever desired. (See the “13.5 Alarm Profiles” section on page 13-9.) For example, in a custom alarm profile, the default severity of a carrier loss (CARLOSS) alarm on an Ethernet port could be changed from Major to Critical. The profile allows setting to Not Reported or Not Alarmed, as well as the three alarmed severities.

Critical and Major severities are only used for service-affecting alarms. If a condition is set as Critical or Major by profile, it will be raised as a Minor alarm in the following situations:

• In a protection group, if the alarm is on a standby entity (the side not carrying traffic)
• If the alarmed entity has no traffic provisioned on it, so no service is lost

Because of this possibility of being raised at two different levels, the alarm profile pane shows Critical as CR / MN and Major as MJ / MN.

13.5 Alarm Profiles

The alarm profiles feature allows you to change default alarm severities by creating unique alarm profiles for individual ONS 15454 ports, cards, or nodes. A created alarm profile can be applied to any node on the network. Alarm profiles can be saved to a file and imported elsewhere in the network, but the profile must be stored locally on a node before it can be applied to the node, its cards, or its cards’ ports.

CTC can store up to ten active alarm profiles at any time to apply to the node. Custom profiles can take eight of these active profile positions. The two other profiles, the Default profile and the Inherited profile, are reserved by the NE and cannot be edited. The reserved Default profile contains Telcordia GR-474 severities. The reserved Inherited profile allows port alarm severities to be governed by the card-level severities, or card alarm severities to be determined by the node-level severities.

If one or more alarm profiles have been stored as files from elsewhere in the network onto the local PC or server hard drive where CTC resides, you can use as many profiles as you can physically store by deleting and replacing them locally in CTC, so that only eight are active at any given time.

13.5.1 Creating and Modifying Alarm Profiles

Alarm profiles are created in the network view using the Provisioning > Alarm Profiles tabs. Figure 13-3 shows the default list of alarm severities. A default alarm severity following Telcordia GR-253 standards is preprovisioned for every alarm. After loading the default profile or another profile on the node, you can clone a profile to create custom profiles. After the new profile is created, the Alarm Profiles window shows the original profile (frequently Default) and the new profile.

Figure 13-3 Network View Alarm Profiles Window

The alarm profile list contains a master list of alarms that is used for a mixed node network. Some of these alarms might not be used in all ONS nodes.

Tip To see the full list of profiles, including those available for loading or cloning, click the Available button. You must load a profile before you can clone it.

Note Up to 10 profiles, including the two reserved profiles (Inherited and Default), can be stored in CTC.

Wherever it is applied, the Default alarm profile sets severities to standard Telcordia GR-253 settings. In the Inherited profile, alarms inherit, or copy, severity from the next-highest level. For example, a card with an Inherited alarm profile copies the severities used by the node housing the card. If you choose the Inherited profile from the network view, the severities at the lower levels (node and card) are copied from this selection.

You do not have to apply a single severity profile to the node, card, and port alarms. Different profiles can be applied at different levels. You could use the Inherited or Default profile on a node and on all cards and ports, but apply a custom profile that downgrades an alarm on one particular card. For example, you might choose to downgrade an OC-N unequipped path alarm (UNEQ-P) from Critical (CR) to Not Alarmed (NA) on an optical card because this alarm raises and then clears every time you create a circuit. UNEQ-P alarms for the card with the custom profile would not display on the Alarms tab. (But they would still be recorded on the Conditions and History tabs.)

When you modify severities in an alarm profile:

• All Critical (CR) or Major (MJ) default or user-defined severity settings are demoted to Minor (MN) in Non-Service-Affecting (NSA) situations as defined in Telcordia GR-474.
• Default severities are used for all alarms and conditions until you create a new profile and apply it.

The Load and Store buttons are not available for Retrieve and Maintenance users. The Delete and Store options will only display nodes to delete profiles from or store profiles to if the user has provisioning permission for those nodes. If the user does not have the proper permissions, CTC greys out the buttons and they are not available to the user.

13.5.2 Alarm Profile Buttons

The Alarm Profiles window displays six buttons at the bottom of the window. Table 13-7 lists and describes each of the alarm profile buttons and their functions.

Table 13-7 Alarm Profile Buttons (Button: Description)
New: Creates a new profile.
Load: Loads a profile to a node or a file.
Store: Saves profiles on a node (or nodes) or in a file.
Delete: Deletes profiles from a node.
Compare: Displays differences between alarm profiles (for example, individual alarms that are not configured equivalently between profiles).
Available: Displays all profiles available on each node.
Usage: Displays all entities (nodes and alarm subjects) present in the network and which profiles contain the alarm. Can be printed.

13.5.3 Alarm Profile Editing

Table 13-8 lists and describes the five profile-editing options available when you right-click an alarm item in the profile column.

13.5.4 Alarm Severity Options

To change or assign alarm severity, left-click the alarm severity you want to change in the alarm profile column. Seven severity levels appear for the alarm:

• Not Reported (NR)
• Not Alarmed (NA)
• Minor (MN)
• Major (MJ)
• Critical (CR)
• Use Default
• Inherited

Inherited and Use Default severity levels only appear in alarm profiles. They do not appear when you view alarms, history, or conditions.
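How the seven severity options resolve through the port, card and node profile levels (the hierarchy described under Applying Alarm Profiles), and how a CR or MJ result is demoted to MN in the non-service-affecting cases of section 13.4, as an added Python example that is not CTC code. The profile names and contents are constructed; only the CARLOSS and UNEQ-P changes come from this chapter's own examples, and treating a condition missing from a custom profile as Use Default is a simplifying assumption.

```python
"""Effective alarm severity under the CTC profile hierarchy (added example, not CTC code)."""
from typing import Dict, List, Optional

Severity = str
Profile = Dict[str, Severity]  # condition name -> NR/NA/MN/MJ/CR/Use Default/Inherited

SEVERITIES = {"NR", "NA", "MN", "MJ", "CR"}
PROFILE_ONLY = {"Use Default", "Inherited"}  # never shown in Alarms/Conditions/History

# Reserved Default profile (GR-474 based in CTC); constructed subset of entries.
DEFAULT: Profile = {"CARLOSS": "MJ", "UNEQ-P": "CR", "LOS": "CR", "SD": "NA"}

# Constructed custom profiles. An entry missing from a custom profile is treated
# as "Use Default" (assumption, to keep the sample short).
PROFILES: Dict[str, Profile] = {
    "Default": DEFAULT,
    "Inherited": {},                                       # reserved: defer upward
    "EthCritical": {"CARLOSS": "CR"},                      # 13.4: Major -> Critical
    "QuietOptical": {"UNEQ-P": "NA", "SD": "Inherited"},   # 13.5.1: CR -> NA on a card
}


def _validate(option: str) -> str:
    if option not in SEVERITIES | PROFILE_ONLY:
        raise ValueError(f"unknown severity option {option!r}")
    return option


def profile_severity(cond: str, chain: List[Optional[str]],
                     profiles: Dict[str, Profile] = PROFILES) -> Severity:
    """Resolve the provisioned severity for `cond`.

    `chain` lists the profile names applied at the port, card and node level,
    lowest level first; None means that level has no profile of its own, and
    the reserved Inherited profile or an Inherited entry defers to the level above.
    """
    for name in chain:
        if name is None or name == "Inherited":
            continue
        option = _validate(profiles[name].get(cond, "Use Default"))
        if option == "Inherited":
            continue
        if option == "Use Default":
            return DEFAULT[cond]
        return option
    return DEFAULT[cond]  # nothing applied at any level: Default severities


def effective_severity(cond: str, chain: List[Optional[str]],
                       standby: bool = False, traffic_provisioned: bool = True) -> Severity:
    """Severity as actually raised: CR/MJ become MN on a protection-group standby
    entity or on an entity with no traffic provisioned (no service is lost)."""
    sev = profile_severity(cond, chain)
    if sev in {"CR", "MJ"} and (standby or not traffic_provisioned):
        return "MN"
    return sev


def profile_pane_label(sev: Severity) -> str:
    """The two possible raise levels as the alarm profile pane displays them."""
    return f"{sev} / MN" if sev in {"CR", "MJ"} else sev
```

With QuietOptical on an optical card and Default on the node, a port without its own profile raises UNEQ-P as NA, while a port that carries the Default profile itself overrides a card-level EthCritical and keeps CARLOSS at MJ.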
13.5.5 Row Display Options The Alarm Profiles window (from network view) or the Alarm Profile Editor (from node view) displays three check boxes at the bottom of the window: • Only show service-affecting severities—If unchecked, the editor shows severities in the format / where is a service-affecting severity and is not service-affecting. If checked, the editor only shows alarms. • Hide reference values—Highlights alarms with non-default severities by clearing alarm cells with default severities. This check-box is normally greyed out. It becomes active only when more than one profile is listed in the Alarm Profile Editor window. (The check box text changes to “Hide Values matching profile Default” in this case. • Hide identical rows—Hides rows of alarms that contain the same severity for each profile. Table 13-8 Alarm Profile Editing Options Button Description Store Saves a profile in a node or in a file. Rename Changes a profile name. Clone Creates a profile that contains the same alarm severity settings as the profile being cloned. Reset Restores a profile to its previous state or to the original state (if it has not yet been applied). Remove Removes a profile from the table editor.13-13 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 13 Alarm Monitoring and Management 13.5.6 Applying Alarm Profiles 13.5.6 Applying Alarm Profiles In CTC node view, the Alarm Behavior window displays alarm profiles for the node. In card view, the Alarm Behavior window displays the alarm profiles for the selected card. Alarm profiles form a hierarchy. A node-level alarm profile applies to all cards in the node except cards that have their own profiles. A card-level alarm profile applies to all ports on the card except ports that have their own profiles. At the node level, you can apply profile changes on a card-by-card basis or set a profile for the entire node. 
At the card-level view, you can apply profile changes on a port-by-port basis or set alarm profiles for all ports on that card. Figure 13-4 shows the DS1 card alarm profile.

Figure 13-4 DS1 Card Alarm Profile

13.6 Alarm Suppression

The following sections explain alarm suppression features for the ONS 15454.

13.6.1 Alarms Suppressed for Maintenance

When you place a port in OOS,MT administrative state, this raises the alarm suppressed for maintenance (AS-MT) alarm in the Conditions and History windows (1) and causes subsequently raised alarms for that port to be suppressed.

While the facility is in the OOS,MT state, any alarms or conditions that are raised and suppressed on it (for example, a transmit failure [TRMT] alarm) are reported in the Conditions window and show their normal severity in the Sev column. The suppressed alarms are not shown in the Alarms and History windows. (These windows only show AS-MT.) When you place the port back into IS,AINS administrative state, the AS-MT alarm is resolved in all three windows. Suppressed alarms remain raised in the Conditions window until they are cleared.

13.6.2 Alarms Suppressed by User Command

In the Provisioning > Alarm Profiles > Alarm Behavior tabs, the ONS 15454 has an alarm suppression option that clears raised alarm messages for the node, chassis, one or more slots (cards), or one or more ports. Using this option raises the alarms suppressed by user command, or AS-CMD, alarm. The AS-CMD alarm, like the AS-MT alarm, appears in the Conditions and History (1) windows. Suppressed conditions (including alarms) appear only in the Conditions window, showing their normal severity in the Sev column.

When the Suppress Alarms check box is unchecked, the AS-CMD alarm is cleared from all three windows. A suppression command applied at a higher level does not supersede a command applied at a lower level. For example, applying a node-level alarm suppression command makes all raised alarms for the node appear to be cleared, but it does not cancel out card-level or port-level suppression. Each of these conditions can exist independently and must be cleared independently.

Caution Use alarm suppression with caution. If multiple CTC or TL1 sessions are open, suppressing the alarms in one session suppresses the alarms in all other open sessions.

1. AS-MT can be seen in the Alarms window as well if you have set the Filter dialog box to show NA severity events.

13.7 External Alarms and Controls

External alarm inputs can be provisioned on the Alarm Interface Controller-International (AIC-I) card for external sensors such as an open door and flood sensors, temperature sensors, and other environmental conditions. External control outputs on these two cards allow you to drive external visual or audible devices such as bells and lights. They can control other devices such as generators, heaters, and fans. You provision external alarms in the AIC-I card view Provisioning > External Alarms tab and controls in the AIC-I card view Provisioning > External Controls tab. Up to 12 external alarm inputs and four external controls are available. If you also provision the alarm extension panel (AEP), there are 32 inputs and 16 outputs.

13.7.1 External Alarms

You can provision each alarm input separately. Provisionable characteristics of external alarm inputs include:
• Alarm Type—List of alarm types.
• User Defined Alarm Types
• Severity—CR, MJ, MN, NA, and NR.
• Virtual Wire—The virtual wire associated with the alarm.
• Raised When—Open means that the normal condition is to not have current flowing through the contact, and the alarm is generated when current does flow; closed means that the normal condition is to have current flowing through the contact, and the alarm is generated when current stops flowing.
• Description—CTC alarm log description (up to 63 characters).

Note If you provision an external alarm to raise when a contact is open, and you have not attached the alarm cable, the alarm will remain raised until the alarm cable is connected.

Note When you provision an external alarm, the alarm object is ENV-IN-nn. The variable nn refers to the external alarm’s number, regardless of the name you assign.

13.7.2 User Defined Alarm Types

User Defined Alarm Types allows you to dynamically add and delete alarm types. In addition to the existing hard-coded alarm type attributes, you can define up to 50 alarm types. These dynamically added alarm types can be associated with, or disassociated from, any external alarm input, and an added alarm type behaves the same way as the hard-coded alarm type attributes. The following limits and guidelines apply:
• An AIC or AIC-I card must be installed.
• Up to 50 Alarm Types can be defined.
• The User Defined name can be up to 20 alphanumeric characters (upper case).
• The User Defined name cannot contain special characters or spaces (the hyphen (-) is allowed).

13.7.3 External Controls

You can provision each alarm output separately. Provisionable characteristics of alarm outputs include:
• Control type.
• Trigger type (alarm or virtual wire).
• Description for CTC display.
• Closure setting (manually or by trigger).

If you provision the output closure to be triggered, the following characteristics can be used as triggers:
– Local NE alarm severity—A chosen alarm severity (for example, major) and any higher-severity alarm (in this case, critical) causes output closure.
– Remote NE alarm severity—Similar to the local NE alarm severity trigger setting, but applies to remote alarms.
– Virtual wire entities—You can provision an alarm that is input to a virtual wire to trigger an external control output.

Chapter 14 Management Network Connectivity

This chapter provides an overview of ONS 15454 data communications network (DCN) connectivity. Cisco Optical Networking System (ONS) network communication is based on IP, including communication between Cisco Transport Controller (CTC) computers and ONS 15454 nodes, and communication among networked ONS 15454 nodes. The chapter provides scenarios showing Cisco ONS 15454 nodes in common IP network configurations as well as information about provisionable patchcords, the IP routing table, external firewalls, and open gateway network element (GNE) networks.

Although ONS 15454 DCN communication is based on IP, ONS 15454 nodes can be networked to equipment that is based on the Open System Interconnection (OSI) protocol suites. This chapter also describes the ONS 15454 OSI implementation and provides scenarios that show how the ONS 15454 can be networked within a mixed IP and OSI environment.

Note This chapter does not provide a comprehensive explanation of IP networking concepts and procedures, nor does it provide IP addressing examples to meet all networked scenarios. For ONS 15454 networking setup instructions, refer to the “Turn Up a Node” chapter of the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 14.1 IP Networking Overview, page 14-2
• 14.2 IP Addressing Scenarios, page 14-2
• 14.3 Routing Table, page 14-24
• 14.4 External Firewalls, page 14-25
• 14.5 Open GNE, page 14-27
• 14.6 TCP/IP and OSI Networking, page 14-29
• 14.7 IPv6 Network Compatibility, page 14-62
• 14.8 IPv6 Native Support, page 14-62
• 14.9 FTP Support for ENE Database Backup, page 14-64

Note To connect ONS 15454s to an IP network, you must work with a LAN administrator or other individual at your site who has IP networking training and experience.

14.1 IP Networking Overview

ONS 15454s can be connected in many different ways within an IP environment:
• They can be connected to LANs through direct connections or a router.
• IP subnetting can create multiple logical ONS 15454 networks within a single Class A, B, or C IP network. If you do not subnet, you will only be able to use one network from your Class A, B, or C network.
• Different IP functions and protocols can be used to achieve specific network goals. For example, Proxy Address Resolution Protocol (ARP) enables one LAN-connected ONS 15454 to serve as a gateway for ONS 15454s that are not connected to the LAN.
• Static routes can be created to enable connections among multiple CTC sessions with ONS 15454s that reside on the same subnet.
• ONS 15454s can be connected to Open Shortest Path First (OSPF) networks so that ONS 15454 network information is automatically communicated across multiple LANs and WANs.
• The ONS 15454 SOCKS (network proxy protocol) proxy server can control the visibility and accessibility between CTC computers and ONS 15454 element nodes.

14.2 IP Addressing Scenarios

ONS 15454 IP addressing generally has eight common scenarios or configurations. Use the scenarios as building blocks for more complex network configurations.

Table 14-1 provides a general list of items to check when setting up ONS 15454 nodes in IP networks.

The TCC2P card secure mode option allows two IP addresses to be provisioned for the node: one for the backplane LAN port and one for the TCC2P LAN (TCP/IP) port. Secure mode IP addressing examples are provided in the “14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled” section on page 14-20. IP addresses shown in the other scenarios assume that secure mode is not enabled. If secure mode is enabled, the IP addresses shown in the examples apply to the backplane LAN port. See the “14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled” section on page 14-20 for information about secure mode, repeater (single IP address) mode, and configuration locks.

Table 14-1 General ONS 15454 IP Troubleshooting Checklist

  Item                        What to Check
  Link integrity              Verify that link integrity exists between:
                              • CTC computer and network hub/switch
                              • ONS 15454s (backplane wire-wrap pins or RJ-45 port) and network hub/switch
                              • Router ports and hub/switch ports
  ONS 15454 hub/switch ports  If connectivity problems occur, set the hub or switch port that is connected to the ONS 15454 to 10 Mbps half-duplex.
  Ping                        Ping the node to test connections between computers and ONS 15454s.
  IP addresses/subnet masks   Verify that ONS 15454 IP addresses and subnet masks are set up correctly.
  Optical connectivity        Verify that ONS 15454 optical trunk (span) ports are in service and that a DCC is enabled on each trunk port.

14.2.1 IP Scenario 1: CTC and ONS 15454s on Same Subnet

IP Scenario 1 shows a basic ONS 15454 LAN configuration (Figure 14-1). The ONS 15454s and CTC computer reside on the same subnet. All ONS 15454s connect to LAN A, and all ONS 15454s have DCC connections.
Figure 14-1 IP Scenario 1: CTC and ONS 15454s on Same Subnet
  Addresses shown in Figure 14-1:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway N/A, host routes N/A
  ONS 15454 #1: IP address 192.168.1.10, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #2: IP address 192.168.1.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.1.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (All three nodes attach to LAN A and form a SONET ring.)

14.2.2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router

In IP Scenario 2 the CTC computer resides on a subnet (192.168.1.0) and attaches to LAN A (Figure 14-2). The ONS 15454s reside on a different subnet (192.168.2.0) and attach to LAN B. A router connects LAN A to LAN B. The IP address of router interface A is set to LAN A (192.168.1.1), and the IP address of router interface B is set to LAN B (192.168.2.1). On the CTC computer, the default gateway is set to router interface A. If the LAN uses Dynamic Host Configuration Protocol (DHCP), the default gateway and IP address are assigned automatically. In the Figure 14-2 example, a DHCP server is not available.

Figure 14-2 IP Scenario 2: CTC and ONS 15454 Nodes Connected to a Router
  Addresses shown in Figure 14-2:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, host routes N/A
  Router: interface “A” to LAN “A” 192.168.1.1, interface “B” to LAN “B” 192.168.2.1, subnet mask 255.255.255.0, default router N/A, host routes N/A
  ONS 15454 #1: IP address 192.168.2.10, subnet mask 255.255.255.0, default router 192.168.2.1, static routes N/A
  ONS 15454 #2: IP address 192.168.2.20, subnet mask 255.255.255.0, default router 192.168.2.1, static routes N/A
  ONS 15454 #3: IP address 192.168.2.30, subnet mask 255.255.255.0, default router 192.168.2.1, static routes N/A
  (The CTC workstation is on LAN A; the nodes are on LAN B and form a SONET ring.)

14.2.3 IP Scenario 3: Using Proxy ARP to Enable an ONS 15454 Gateway

ARP matches higher-level IP addresses to the physical addresses of the destination host. It uses a lookup table (called the ARP cache) to perform the translation. When the address is not found in the ARP cache, a broadcast is sent out on the network with a special format called the ARP request. If one of the machines on the network recognizes its own IP address in the request, it sends an ARP reply back to the requesting host. The reply contains the physical hardware address of the receiving host. The requesting host stores this address in its ARP cache so that all subsequent datagrams (packets) to this destination IP address can be translated to a physical address.

Proxy ARP enables one LAN-connected ONS 15454 to respond to the ARP request for ONS 15454s not connected to the LAN. (ONS 15454 proxy ARP requires no user configuration.) For this to occur, the DCC-connected ONS 15454s must reside on the same subnet. When a LAN device sends an ARP request to an ONS 15454 that is not connected to the LAN, the gateway ONS 15454 returns its MAC address to the LAN device. The LAN device then sends the datagram for the remote ONS 15454 to the MAC address of the proxy ONS 15454. The proxy ONS 15454 uses its routing table to forward the datagram to the non-LAN ONS 15454.

IP Scenario 3 is similar to IP Scenario 1, but only one ONS 15454 (1) connects to the LAN (Figure 14-3). Two ONS 15454s (2 and 3) connect to ONS 15454 1 through the SONET DCC.
Because all three ONS 15454s are on the same subnet, proxy ARP enables ONS 15454 1 to serve as a gateway for ONS 15454 2 and 3.

Note This scenario assumes all CTC connections are to Node 1. If you connect a laptop to either ONS 15454 2 or 3, network partitioning occurs; neither the laptop nor the CTC computer can see all nodes. If you want laptops to connect directly to end network elements, you must create static routes (see the “14.2.5 IP Scenario 5: Using Static Routes to Connect to LANs” section on page 14-7) or enable the ONS 15454 SOCKS proxy server (see the “14.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server” section on page 14-12).

Figure 14-3 IP Scenario 3: Using Proxy ARP
  Addresses shown in Figure 14-3:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway N/A
  ONS 15454 #1: IP address 192.168.1.10, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #2: IP address 192.168.1.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.1.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (Only Node 1 attaches to LAN A; the three nodes form a SONET ring.)

You can also use proxy ARP to communicate with hosts attached to the craft Ethernet ports of DCC-connected nodes (Figure 14-4). The node with an attached host must have a static route to the host. Static routes are propagated to all DCC peers using OSPF. The existing proxy ARP node is the gateway for additional hosts. Each node examines its routing table for routes to hosts that are not connected to the DCC network but are within the subnet. The existing proxy server replies to ARP requests for these additional hosts with the node MAC address. The existence of the host route in the routing table ensures that the IP packets addressed to the additional hosts are routed properly. Other than establishing a static route between a node and an additional host, no provisioning is necessary. The following restrictions apply:
• Only one node acts as the proxy ARP server for any given additional host.
• A node cannot be the proxy ARP server for a host connected to its Ethernet port.

In Figure 14-4, Node 1 announces to Nodes 2 and 3 that it can reach the CTC host. Similarly, Node 3 announces that it can reach the ONS 152xx. The ONS 152xx is shown as an example; any network element (NE) can be set up as an additional host.

Figure 14-4 IP Scenario 3: Using Proxy ARP with Static Routing
  Addresses shown in Figure 14-4:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway N/A
  ONS 15454 #1: IP address 192.168.1.10, subnet mask 255.255.255.0, default router N/A; static route: destination 192.168.1.100, mask 255.255.255.255, next hop 192.168.1.10
  ONS 15454 #2: IP address 192.168.1.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.1.30, subnet mask 255.255.255.0, default router N/A; static route: destination 192.168.1.31, mask 255.255.255.255, next hop 192.168.1.30
  ONS 152xx: IP address 192.168.1.31, subnet mask 255.255.255.0
  (Only Node 1 attaches to LAN A; the three nodes form a SONET ring.)

14.2.4 IP Scenario 4: Default Gateway on a CTC Computer

IP Scenario 4 is similar to IP Scenario 3, but Nodes 2 and 3 reside on different subnets, 192.168.2.0 and 192.168.3.0, respectively (Figure 14-5). Node 1 and the CTC computer are on subnet 192.168.1.0. Proxy ARP is not used because the network includes different subnets. For the CTC computer to communicate with Nodes 2 and 3, Node 1 is entered as the default gateway on the CTC computer.

Figure 14-5 IP Scenario 4: Default Gateway on a CTC Computer

14.2.5 IP Scenario 5: Using Static Routes to Connect to LANs

Static routes are used for two purposes:
• To connect ONS 15454s to CTC sessions on one subnet connected by a router to ONS 15454s residing on another subnet. (These static routes are not needed if OSPF is enabled. The “14.2.6 IP Scenario 6: Using OSPF” section on page 14-10 shows an OSPF example.)
• To enable multiple CTC sessions among ONS 15454s residing on the same subnet.

In Figure 14-6, one CTC residing on subnet 192.168.1.0 connects to a router through interface A. (The router is not set up with OSPF.) ONS 15454s residing on different subnets are connected through Node 1 to the router through interface B. Because Nodes 2 and 3 are on different subnets, proxy ARP does not enable Node 1 as a gateway. To connect to the CTC computer on LAN A (subnet 192.168.1.0), you must create a static route on Node 1. You must also manually add static routes between the CTC computer on LAN A and Nodes 2 and 3 because these nodes are on different subnets.
  Addresses shown in Figure 14-5:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.10, host routes N/A
  ONS 15454 #1: IP address 192.168.1.10, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #2: IP address 192.168.2.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.3.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (Only Node 1 attaches to LAN A; the three nodes form a SONET ring.)

Figure 14-6 IP Scenario 5: Static Route With One CTC Computer Used as a Destination

The destination and subnet mask entries control access to the ONS 15454s:
• If a single CTC computer is connected to a router, enter the complete CTC “host route” IP address as the destination with a subnet mask of 255.255.255.255.
• If CTC computers on a subnet are connected to a router, enter the destination subnet (in this example, 192.168.1.0) and a subnet mask of 255.255.255.0.
• If all CTC computers are connected to a router, enter a destination of 0.0.0.0 and a subnet mask of 0.0.0.0.

Figure 14-7 shows an example. The IP address of router interface B is entered as the next hop, and the cost (number of hops from source to destination) is 2. You must manually add static routes between the CTC computers on LAN A, B, and C and Nodes 2 and 3 because these nodes are on different subnets.
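The following is an added example, not code from the Cisco manual: a Python model of how the three destination/mask forms of Scenario 5 gate which CTC hosts Node 1 can reach, and of the proxy ARP decision of Scenario 3, using the addresses of Figures 14-4 and 14-6. It assumes, reading Figure 14-4, that a host route whose next hop is the node itself describes a host on that node's own Ethernet port, while a host route whose next hop is a DCC peer was learned from that peer over OSPF; the manual does not state this rule explicitly.

```python
# Added example, not code from the Cisco manual: static route entries of
# Scenario 5 and the proxy ARP decision of Scenario 3. Assumption (read from
# Figure 14-4): a host route whose next hop is the node itself means the host is
# on this node's own Ethernet port; one whose next hop is a DCC peer was learned
# from that peer via OSPF.
import ipaddress


class OnsNode:
    """Routing state of one ONS 15454 node as the scenarios describe it."""

    def __init__(self, ip_with_mask, lan_connected, dcc_peers=()):
        self.iface = ipaddress.ip_interface(ip_with_mask)   # e.g. "192.168.1.10/24"
        self.lan_connected = lan_connected                   # has a LAN connection
        self.dcc_peers = {ipaddress.ip_address(p) for p in dcc_peers}
        self.routes = []                                     # (network, next_hop, cost)

    def add_static_route(self, destination, mask, next_hop, cost=1):
        """Destination, mask, next hop and cost exactly as provisioned in CTC."""
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        self.routes.append((net, ipaddress.ip_address(next_hop), cost))

    def lookup(self, destination):
        """Longest-prefix match over the static routes; None when nothing matches."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, next_hop, cost in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, cost)
        return best

    def ctc_reachable(self, ctc_ip):
        """Scenario 5: a CTC host is reachable only if a destination/mask entry
        covers it (a /32 host route, its subnet, or the 0.0.0.0/0.0.0.0 entry)."""
        return self.lookup(ctc_ip) is not None

    def answers_proxy_arp(self, target_ip):
        """Scenario 3: reply with this node's MAC address only when the target is
        in the node's own subnet, is not the node itself, and is reached over the
        DCC: either a DCC peer or an additional host whose host route points at a
        DCC peer. Only the LAN-connected node answers, and never for a host on its
        own Ethernet port."""
        target = ipaddress.ip_address(target_ip)
        if not self.lan_connected or target == self.iface.ip:
            return False
        if target not in self.iface.network:          # proxy ARP needs one subnet
            return False
        if target in self.dcc_peers:
            return True
        route = self.lookup(target)
        if route is None or route[0].prefixlen != 32:
            return False
        return route[1] in self.dcc_peers             # learned from a DCC peer


def figure_14_4_node1():
    """Node 1 of Figure 14-4: LAN-connected, DCC peers 2 and 3, its own host route
    to the CTC workstation, and the ONS 152xx host route propagated from Node 3."""
    node1 = OnsNode("192.168.1.10/24", lan_connected=True,
                    dcc_peers=["192.168.1.20", "192.168.1.30"])
    node1.add_static_route("192.168.1.100", "255.255.255.255", "192.168.1.10")
    node1.add_static_route("192.168.1.31", "255.255.255.255", "192.168.1.30")
    return node1


def figure_14_6_node1(destination, mask):
    """Node 1 of Figure 14-6 with one of the three destination/mask forms of
    Scenario 5; the next hop is router interface B and the cost is 2."""
    node1 = OnsNode("192.168.2.10/24", lan_connected=True,
                    dcc_peers=["192.168.3.20", "192.168.4.30"])
    node1.add_static_route(destination, mask, "192.168.2.1", cost=2)
    return node1
```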
  Addresses shown in Figure 14-6:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, host routes N/A
  Router: interface “A” to LAN “A” 192.168.1.1, interface “B” to LAN “B” 192.168.2.1, subnet mask 255.255.255.0; static routes: destination 192.168.3.0, mask 255.255.255.0, next hop 192.168.2.10; destination 192.168.4.0, mask 255.255.255.0, next hop 192.168.2.10
  ONS 15454 #1: IP address 192.168.2.10, subnet mask 255.255.255.0, default router 192.168.2.1; static route: destination 192.168.1.0, mask 255.255.255.0, next hop 192.168.2.1, cost 2
  ONS 15454 #2: IP address 192.168.3.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.4.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (The CTC workstation is on LAN A; Node 1 attaches to LAN B; the three nodes form a SONET ring.)

Figure 14-7 IP Scenario 5: Static Route With Multiple LAN Destinations
  Addresses shown in Figure 14-7:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, host routes N/A
  Router #1: interface “A” to LAN “A” 192.168.1.1, interface “B” to LAN “B” 192.168.2.1, subnet mask 255.255.255.0; static route: destination 192.168.0.0, mask 255.255.255.0, next hop 192.168.2.10
  Router #2: interface to LAN-A 192.168.1.10, interface to LAN-C 192.168.5.1, subnet mask 255.255.255.0; static route: destination 192.168.0.0, mask 255.255.255.0, next hop 192.168.1.1
  Router #3: interface to LAN-C 192.168.5.10, interface to LAN-D 192.168.6.1, subnet mask 255.255.255.0; static routes: destination 192.168.0.0, mask 255.255.255.0, next hop 192.168.5.1; destination 192.168.4.0, mask 255.255.255.0, next hop 192.168.5.1
  ONS 15454 #1: IP address 192.168.2.10, subnet mask 255.255.255.0, default router 192.168.2.1; static route: destination 0.0.0.0, mask 0.0.0.0, next hop 192.168.2.1, cost 2
  ONS 15454 #2: IP address 192.168.3.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.4.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (LAN A, LAN B, LAN C and LAN D; the three nodes form a SONET ring.)

14.2.6 IP Scenario 6: Using OSPF

Open Shortest Path First (OSPF) is a link state Internet routing protocol. Link state protocols use a “hello protocol” to monitor their links with adjacent routers and to test the status of their links to their neighbors. Link state protocols advertise their directly connected networks and their active links. Each link state router captures the link state “advertisements” and puts them together to create a topology of the entire network or area. From this database, the router calculates a routing table by constructing a shortest path tree. Routes are recalculated when topology changes occur.

ONS 15454s use the OSPF protocol in internal ONS 15454 networks for node discovery, circuit routing, and node management. You can enable OSPF on the ONS 15454s so that the ONS 15454 topology is sent to OSPF routers on a LAN. Advertising the ONS 15454 network topology to LAN routers eliminates the need to manually enter static routes for ONS 15454 subnetworks. Figure 14-8 shows a network enabled for OSPF. Figure 14-9 shows the same network without OSPF. Static routes must be manually added to the router for CTC computers on LAN A to communicate with Nodes 2 and 3 because these nodes reside on different subnets.
OSPF divides networks into smaller regions, called areas. An area is a collection of networked end systems, routers, and transmission facilities organized by traffic patterns. Each OSPF area has a unique ID number, known as the area ID. Every OSPF network has one backbone area called “area 0.” All other OSPF areas must connect to area 0.

When you enable an ONS 15454 OSPF topology for advertising to an OSPF network, you must assign an OSPF area ID in decimal format to the ONS 15454 network. Coordinate the area ID number assignment with your LAN administrator. All DCC-connected ONS 15454s should be assigned the same OSPF area ID.

Figure 14-8 IP Scenario 6: OSPF Enabled
  Addresses shown in Figure 14-8:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, host routes N/A
  Router: interface “A” to LAN A 192.168.1.1, interface “B” to LAN B 192.168.2.1, subnet mask 255.255.255.0
  ONS 15454 #1: IP address 192.168.2.10, subnet mask 255.255.255.0, default router 192.168.2.1, static routes N/A
  ONS 15454 #2: IP address 192.168.3.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.4.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (The CTC workstation is on LAN A; Node 1 attaches to LAN B; the three nodes form a SONET ring.)

Figure 14-9 IP Scenario 6: OSPF Not Enabled
  Addresses shown in Figure 14-9:
  CTC Workstation: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, host routes N/A
  Router: interface “A” to LAN A 192.168.1.1, interface “B” to LAN B 192.168.2.1, subnet mask 255.255.255.0; static routes: destination 192.168.3.20, next hop 192.168.2.10; destination 192.168.4.30, next hop 192.168.2.10
  ONS 15454 #1: IP address 192.168.2.10, subnet mask 255.255.255.0, default router 192.168.2.1; static route: destination 192.168.1.100, mask 255.255.255.255, next hop 192.168.2.1, cost 2
  ONS 15454 #2: IP address 192.168.3.20, subnet mask 255.255.255.0, default router N/A, static routes N/A
  ONS 15454 #3: IP address 192.168.4.30, subnet mask 255.255.255.0, default router N/A, static routes N/A
  (The CTC workstation is on LAN A; Node 1 attaches to LAN B; the three nodes form a SONET ring.)

14.2.7 IP Scenario 7: Provisioning the ONS 15454 SOCKS Proxy Server

The ONS 15454 SOCKS proxy is an application that allows an ONS 15454 node to serve as an internal gateway between a private enterprise network and the ONS 15454 network. (SOCKS is a standard proxy protocol for IP-based applications developed by the Internet Engineering Task Force.) Access is allowed from the private network to the ONS 15454 network, but access is denied from the ONS 15454 network to the private network. For example, you can set up a network so that field technicians and network operations center (NOC) personnel can both access the same ONS 15454s while preventing the field technicians from accessing the NOC LAN. To do this, one ONS 15454 is provisioned as a gateway network element (GNE) and the other ONS 15454s are provisioned as end network elements (ENEs). The GNE ONS 15454 tunnels connections between CTC computers and ENE ONS 15454s, providing management capability while preventing access for non-ONS 15454 management purposes.

The ONS 15454 gateway setting performs the following tasks:
• Isolates DCC IP traffic from Ethernet (craft port) traffic and accepts packets based on filtering rules.
  The filtering rules (see Table 14-3 on page 14-17 and Table 14-4 on page 14-18) depend on whether the packet arrives at the ONS 15454 DCC or the TCC2/TCC2P Ethernet interface.
• Processes Simple Network Time Protocol (SNTP) and Network Time Protocol (NTP) requests. ONS 15454 ENEs can derive time-of-day from an SNTP/NTP LAN server through the GNE ONS 15454.
• Processes Simple Network Management Protocol version 1 (SNMPv1) traps. The GNE ONS 15454 receives SNMPv1 traps from the ENE ONS 15454s and forwards or relays the traps to SNMPv1 trap destinations or ONS 15454 SNMP relay nodes.

The ONS 15454 SOCKS proxy server is provisioned using the Enable SOCKS proxy server on port check box on the Provisioning > Network > General tab (Figure 14-10).

Figure 14-10 SOCKS Proxy Server Gateway Settings

If checked, the ONS 15454 serves as a proxy for connections between CTC clients and ONS 15454s that are DCC-connected to the proxy ONS 15454. The CTC client establishes connections to DCC-connected nodes through the proxy node. The CTC client can connect to nodes that it cannot directly reach from the host on which it runs. If not selected, the node does not proxy for any CTC clients, although any established proxy connections continue until the CTC client exits. In addition, you can set the SOCKS proxy server as an ENE or a GNE:
• External Network Element (ENE)—If set as an ENE, the ONS 15454 neither installs nor advertises default or static routes. CTC computers can communicate with the ONS 15454 using the TCC2/TCC2P craft port, but they cannot communicate directly with any other DCC-connected ONS 15454. In addition, firewall is enabled, which means that the node prevents IP traffic from being routed between the DCC and the LAN port. The ONS 15454 can communicate with machines connected to the LAN port or connected through the DCC. However, the DCC-connected machines cannot communicate with the LAN-connected machines, and the LAN-connected machines cannot communicate with the DCC-connected machines. A CTC client using the LAN to connect to the firewall-enabled node can use the proxy capability to manage the DCC-connected nodes that would otherwise be unreachable. A CTC client connected to a DCC-connected node can only manage other DCC-connected nodes and the firewall itself.
• Gateway Network Element (GNE)—If set as a GNE, the CTC computer is visible to other DCC-connected nodes and firewall is enabled.
• Proxy-only—If Proxy-only is selected, firewall is not enabled. CTC can communicate with any other DCC-connected ONS 15454s.

Note If you launch CTC against a node through a Network Address Translation (NAT) or Port Address Translation (PAT) router and that node does not have proxy enabled, your CTC session starts and initially appears to be fine. However, CTC never receives alarm updates and disconnects and reconnects every two minutes. If the proxy is accidentally disabled, it is still possible to enable the proxy during a reconnect cycle and recover your ability to manage the node, even through a NAT/PAT firewall.

Note ENEs that belong to different private subnetworks do not need to have unique IP addresses. Two ENEs that are connected to different GNEs can have the same IP address. However, ENEs that connect to the same GNE must always have unique IP addresses.

Figure 14-11 shows an ONS 15454 SOCKS proxy server implementation. A GNE ONS 15454 is connected to a central office LAN and to ENE ONS 15454s. The central office LAN is connected to a NOC LAN, which has CTC computers. Both the NOC CTC computer and the craft technicians must be able to access the ONS 15454 ENEs. However, the craft technicians must be prevented from accessing or seeing the NOC or central office LANs.
In the example, the ONS 15454 GNE is assigned an IP address within the central office LAN and is physically connected to the LAN through its LAN port. ONS 15454 ENEs are assigned IP addresses that are outside the central office LAN and are given private network IP addresses. If the ONS 15454 ENEs are collocated, the craft LAN ports could be connected to a hub. However, the hub should have no other network connections.

Figure 14-11 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on the Same Subnet

Table 14-2 shows recommended settings for ONS 15454 GNEs and ENEs in the configuration shown in Figure 14-11. Figure 14-12 shows the same SOCKS proxy server implementation with ONS 15454 ENEs on different subnets. Figure 14-13 on page 14-17 shows the implementation with ONS 15454 ENEs in multiple rings. In each example, ONS 15454 GNEs and ENEs are provisioned with the settings shown in Table 14-2.
[Figure 14-11 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs 10.10.10.150/24, 10.10.10.200/24 and 10.10.10.250/24; Local/Craft CTC 10.10.10.50; Ethernet and SONET links]

Table 14-2 ONS 15454 Gateway and End NE Settings
Setting | ONS 15454 Gateway NE | ONS 15454 End NE
OSPF | Off | Off
SNTP server (if used) | SNTP server IP address | Set to ONS 15454 GNE IP address
SNMP (if used) | SNMPv1 trap destinations | Set SNMPv1 trap destinations to ONS 15454 GNE, port 391

Figure 14-12 IP Scenario 7: ONS 15454 SOCKS Proxy Server with GNE and ENEs on Different Subnets
[Figure 14-12 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs 192.168.10.150/24, 192.168.10.200/24 and 192.168.10.250/24; Local/Craft CTC 192.168.10.20; Ethernet and SONET links]

Figure 14-13 IP Scenario 7: ONS 15454 SOCKS Proxy Server With ENEs on Multiple Rings

Table 14-3 shows the rules that the ONS 15454 follows to filter packets for the firewall when nodes are configured as ENEs and GNEs. If the packet is addressed to the ONS 15454 node, additional rules, shown in Table 14-4, are applied. Rejected packets are silently discarded.
[Figure 14-13 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; first ring: ONS 15454 GNE 10.10.10.100/24 with ONS 15454 ENEs 192.168.10.150/24, 192.168.10.200/24 and 192.168.10.250/24; second ring: ONS 15454 GNE 10.10.10.200/24 with ONS 15454 ENEs 192.168.60.150/24, 192.168.70.200/24 and 192.168.80.250/24; Ethernet and SONET links]

Table 14-3 SOCKS Proxy Server Firewall Filtering Rules
Packets Arriving At: TCC2/TCC2P Ethernet interface
Are Accepted if the Destination IP Address is:
• The ONS 15454 node itself
• The ONS 15454 node’s subnet broadcast address
• Within the 224.0.0.0/8 network (reserved network used for standard multicast messages)
• Subnet mask = 255.255.255.255
Packets Arriving At: DCC interface
Are Accepted if the Destination IP Address is:
• The ONS 15454 node itself
• Any destination connected through another DCC interface
• Within the 224.0.0.0/8 network

If you implement the SOCKS proxy server, note that all DCC-connected ONS 15454s on the same Ethernet segment must have the same gateway setting. Mixed values produce unpredictable results, and might leave some nodes unreachable through the shared Ethernet segment. If nodes become unreachable, correct the setting with one of the following actions:
• Disconnect the craft computer from the unreachable ONS 15454. Connect to the ONS 15454 through another network ONS 15454 that has a DCC connection to the unreachable ONS 15454.
• Disconnect all DCCs to the node by disabling them on neighboring nodes. Connect a CTC computer directly to the ONS 15454 and change its provisioning.

14.2.8 IP Scenario 8: Dual GNEs on a Subnet

The ONS 15454 provides GNE load balancing, which allows CTC to reach ENEs over multiple GNEs without the ENEs being advertised over OSPF.
This feature allows a network to quickly recover from the loss of a GNE, even if the GNE is on a different subnet. If a GNE fails, all connections through that GNE fail. CTC disconnects from the failed GNE and from all ENEs for which the GNE was a proxy, and then reconnects through the remaining GNEs. GNE load balancing reduces the dependency on the launch GNE and DCC bandwidth, both of which enhance CTC performance. Figure 14-14 shows a network with dual GNEs on the same subnet.

Table 14-4 SOCKS Proxy Server Firewall Filtering Rules When Packet Addressed to the ONS 15454
Packets Arriving At: TCC2/TCC2P Ethernet interface
Accepts:
• All UDP packets except those in the Rejects column
Rejects:
• UDP packets addressed to the SNMP trap relay port (391)
Packets Arriving At: DCC interface
Accepts:
• All UDP packets
• All TCP protocols except packets addressed to the Telnet and SOCKS proxy server ports
• OSPF packets
• ICMP packets
Rejects:
• TCP packets addressed to the Telnet port
• TCP packets addressed to the SOCKS proxy server port
• All packets other than UDP, TCP, OSPF, ICMP
UDP = User Datagram Protocol; TCP = Transmission Control Protocol; ICMP = Internet Control Message Protocol

Figure 14-14 IP Scenario 8: Dual GNEs on the Same Subnet

Figure 14-15 shows a network with dual GNEs on different subnets.
[Figure 14-14 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNEs 10.10.10.100/24 and 10.10.10.150/24; ONS 15454 ENEs 10.10.10.200/24 and 10.10.10.250/24; Local/Craft CTC 192.168.20.20; Ethernet and SONET links]

Figure 14-15 IP Scenario 8: Dual GNEs on Different Subnets
[Figure 14-15 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24, Interface 0/2 10.20.10.1 on 10.20.10.0/24; ONS 15454 GNEs 10.10.10.100/24 and 10.20.10.100/24; ONS 15454 ENEs 192.168.10.200/24 and 192.168.10.250/24; Local/Craft CTC 192.168.20.20; Ethernet and SONET links]

14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled

The TCC2 card and TCC2P card both default to nonsecure mode. In this mode, the front and back Ethernet (LAN) ports share a single MAC address and IP address. TCC2P cards allow you to place a node in secure mode, which prevents a front-access craft port user from accessing the LAN through the backplane port. Secure mode can be locked, which prevents the mode from being altered. To place a node in secure mode or to lock secure mode, refer to the “Change Node Settings” chapter in the Cisco ONS 15454 Procedure Guide.

14.2.9.1 Secure Mode Behavior

Changing a TCC2P node from repeater mode to secure mode allows you to provision two IP addresses for the ONS 15454 and causes the node to assign the ports different MAC addresses. In secure mode, one IP address is provisioned for the ONS 15454 backplane LAN port, and the other IP address is provisioned for the TCC2P Ethernet port. Both addresses reside on different subnets, providing an additional layer of separation between the craft access port and the ONS 15454 LAN. If secure mode is enabled, the IP addresses provisioned for both TCC2P TCP/IP LAN ports must follow general IP addressing guidelines and must reside on different subnets from each other and the default router IP address. In secure mode, the IP address assigned to the front LAN (Ethernet) port becomes a private address, while the backplane connects the node to an Operations Support System (OSS) through a central office LAN or private enterprise network. A superuser can configure the node to hide or reveal the backplane's LAN IP address in CTC, the routing table, or autonomous message reports.

In nonsecure mode, a node can be a GNE or ENE. Placing the node into secure mode automatically turns on SOCKS proxy and defaults the node to GNE status. However, the node can be changed back to an ENE. In nonsecure mode, an ENE’s SOCKS proxy can be disabled—effectively isolating the node beyond the LAN firewall—but it cannot be disabled in secure mode. To change a node’s GNE or ENE status and disable the SOCKS proxy, refer to the “Turn Up a Node” chapter in the Cisco ONS 15454 Procedure Guide.

Caution Enabling secure mode causes the TCC2P card to reboot; a TCC2P card reboot affects traffic.

Note The secure mode option does not appear in CTC if TCC2 cards are installed. If one TCC2 and one TCC2P card are installed in a node, secure mode will appear in CTC but it cannot be modified.
Note If both front and backplane access ports are disabled in an ENE and the node is isolated from DCC communication (due to user provisioning or network faults), the front and backplane ports are automatically reenabled.

Figure 14-16 on page 14-22 shows an example of secure-mode ONS 15454 nodes with front-access Ethernet port addresses that reside on the same subnet.

Figure 14-16 IP Scenario 9: ONS 15454 GNE and ENEs on the Same Subnet with Secure Mode Enabled
[Figure 14-16 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE Backplane 10.10.10.100/24, TCC2P 176.20.20.40/24; ONS 15454 ENEs Backplane 10.10.10.250/24 with TCC2P 176.20.20.30/24, Backplane 10.10.10.150/24 with TCC2P 176.20.20.10/24, and Backplane 10.10.10.200/24 with TCC2P 176.20.20.20/24; Local/Craft CTC 176.20.20.50; Ethernet and SONET links]

Figure 14-17 shows an example of ONS 15454 nodes connected to a router with secure mode enabled. In each example, the node’s TCC2P port address (node address) resides on a different subnet from the node backplane addresses.

Figure 14-17 IP Scenario 9: ONS 15454 GNE and ENEs on Different Subnets with Secure Mode Enabled
[Figure 14-17 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE Backplane 10.10.10.100/24, TCC2P 176.20.20.40/24; ONS 15454 ENEs Backplane 192.168.10.250/24 with TCC2P 176.20.20.30/24, Backplane 192.168.10.150/24 with TCC2P 176.20.20.10/24, and Backplane 192.168.10.200/24 with TCC2P 176.20.20.20/24; Local/Craft CTC 176.20.20.50; Ethernet and SONET links]

14.2.9.2 Secure Node Locked and Unlocked Behavior

Secure mode can operate on a node in either locked or unlocked mode. By default, secure mode’s status is unlocked; only a superuser can convert it to locked mode. Doing so permanently changes the hardware configuration on the active and standby TCC2P cards as well as the chassis.

Locked mode must be used carefully because the cards and shelf retain their locked status even if separated from each other. For example, if a node is in secure, locked mode and you perform a card pull on its standby TCC2P, then insert that as the active card into another node, the secure, locked mode is written to the new node’s chassis and standby TCC2P. If you perform a card pull on a secure, locked node’s active and standby TCC2Ps and insert both of them into a chassis that previously was in unlocked mode, the node becomes locked. When it is secure and locked, a node’s configuration, Ethernet port status, its secure mode, and the locked status cannot be changed by any network user—including a superuser. To have a secure node’s lock removed, contact Cisco Technical Support to arrange a Return Material Authorization (RMA) for the chassis and for the TCC2Ps. Refer to the “Obtaining Documentation and Submitting a Service Request” section on page liii as needed.

14.3 Routing Table

ONS 15454 routing information appears on the Maintenance > Routing Table tab. The routing table provides the following information:
• Destination—Displays the IP address of the destination network or host.
• Mask—Displays the subnet mask used to reach the destination host or network.
• Gateway—Displays the IP address of the gateway used to reach the destination network or host.
• Usage—Shows the number of times the listed route has been used.
• Interface—Shows the ONS 15454 interface used to access the destination. Values are:
– motfcc0—The ONS 15454 Ethernet interface, that is, the RJ-45 jack on the TCC2/TCC2P and the LAN 1 pins on the backplane
– pdcc0—A DCC/OSC/GCC interface
– lo0—A loopback interface

Table 14-5 shows sample routing table entries for an ONS 15454.

Table 14-5 Sample Routing Table Entries
Entry | Destination | Mask | Gateway | Usage | Interface
1 | 0.0.0.0 | 0.0.0.0 | 172.20.214.1 | 265103 | motfcc0
2 | 172.20.214.0 | 255.255.255.0 | 172.20.214.92 | 0 | motfcc0
3 | 172.20.214.92 | 255.255.255.255 | 127.0.0.1 | 54 | lo0
4 | 172.20.214.93 | 255.255.255.255 | 0.0.0.0 | 16853 | pdcc0
5 | 172.20.214.94 | 255.255.255.255 | 172.20.214.93 | 16853 | pdcc0

Entry 1 shows the following:
• Destination (0.0.0.0) is the default route entry. All undefined destination network or host entries on this routing table are mapped to the default route entry.
• Mask (0.0.0.0) is always 0 for the default route.
• Gateway (172.20.214.1) is the default gateway address. All outbound traffic that cannot be found in this routing table or is not on the node’s local subnet is sent to this gateway.
• Interface (motfcc0) indicates that the ONS 15454 Ethernet interface is used to reach the gateway.

Entry 2 shows the following:
• Destination (172.20.214.0) is the destination network IP address.
• Mask (255.255.255.0) is a 24-bit mask, meaning all addresses within the 172.20.214.0 subnet can be destinations.
• Gateway (172.20.214.92) is the gateway address. All outbound traffic belonging to this network is sent to this gateway.
• Interface (motfcc0) indicates that the ONS 15454 Ethernet interface is used to reach the gateway.

Entry 3 shows the following:
• Destination (172.20.214.92) is the destination host IP address.
• Mask (255.255.255.255) is a 32-bit mask, meaning that only the 172.20.214.92 address is a destination.
• Gateway (127.0.0.1) is a loopback address. The host directs network traffic to itself using this address.
• Interface (lo0) indicates that the local loopback interface is used to reach the gateway.

Entry 4 shows the following:
• Destination (172.20.214.93) is the destination host IP address.
• Mask (255.255.255.255) is a 32-bit mask, meaning that only the 172.20.214.93 address is a destination.
• Gateway (0.0.0.0) means the destination host is directly attached to the node.
• Interface (pdcc0) indicates that a DCC interface is used to reach the destination host.

Entry 5 shows a DCC-connected node that is accessible through a node that is not directly connected:
• Destination (172.20.214.94) is the destination host IP address.
• Mask (255.255.255.255) is a 32-bit mask, meaning that only the 172.20.214.94 address is a destination.
• Gateway (172.20.214.93) indicates that the destination host is accessed through a node with IP address 172.20.214.93.
• Interface (pdcc0) indicates that a DCC interface is used to reach the gateway.

14.4 External Firewalls

This section provides sample access control lists (ACLs) for external firewalls. Table 14-6 lists the ports that are used by the TCC2/TCC2P card.
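The lookup behaviour described for Table 14-5, worked through as an added example (not Cisco's code): longest-prefix matching over the five printed entries, the Usage counter of the chosen entry, and recursive resolution of a gateway that is itself reached through another entry (entry 5 through entry 4). The node's own forwarding code is not on the page; only the table values are.

```python
"""Longest-prefix lookup over the sample routing table of Table 14-5.

Added example, not Cisco's code.  It picks the entry the node would use for
a destination, bumps that entry's Usage counter (the column shown on the
Maintenance > Routing Table tab), and follows a gateway that is itself
reached through another entry, as entry 5 is reached through entry 4.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


@dataclass
class Route:
    entry: int
    destination: str
    mask: str
    gateway: str
    usage: int
    interface: str          # motfcc0 (Ethernet), pdcc0 (DCC/OSC/GCC), lo0

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.destination}/{self.mask}")

    @property
    def directly_attached(self) -> bool:
        return self.gateway == "0.0.0.0"    # gateway 0.0.0.0 = on-link host


class RoutingTable:
    def __init__(self, routes: List[Route]) -> None:
        self.routes = list(routes)

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match: the /32 host entries beat the /24, and the
        /24 beats the 0.0.0.0/0 default.  Counts one use of the entry."""
        addr = IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            raise LookupError(f"no route to {dst}")
        best = max(matches, key=lambda r: r.network.prefixlen)
        best.usage += 1
        return best

    def resolve(self, dst: str) -> Dict[str, object]:
        """Return the next hop, egress interface and the entries consulted."""
        first = self.lookup(dst)
        chain = [first.entry]
        if first.interface == "lo0":
            return {"next_hop": "local", "interface": "lo0", "chain": chain}
        if first.directly_attached:
            return {"next_hop": dst, "interface": first.interface, "chain": chain}
        # The gateway must itself be reachable: walk the table until the
        # gateway is on-link or is the node's own address (the lo0 entry).
        target = first.gateway
        for _ in range(len(self.routes)):          # bounded, no endless loops
            via = self.lookup(target)
            chain.append(via.entry)
            if via.directly_attached or via.interface == "lo0":
                return {"next_hop": first.gateway,
                        "interface": first.interface, "chain": chain}
            target = via.gateway
        raise LookupError(f"gateway {first.gateway} for {dst} is unresolvable")


def sample_table() -> RoutingTable:
    """Table 14-5 exactly as printed, including its Usage counts."""
    return RoutingTable([
        Route(1, "0.0.0.0", "0.0.0.0", "172.20.214.1", 265103, "motfcc0"),
        Route(2, "172.20.214.0", "255.255.255.0", "172.20.214.92", 0, "motfcc0"),
        Route(3, "172.20.214.92", "255.255.255.255", "127.0.0.1", 54, "lo0"),
        Route(4, "172.20.214.93", "255.255.255.255", "0.0.0.0", 16853, "pdcc0"),
        Route(5, "172.20.214.94", "255.255.255.255", "172.20.214.93", 16853, "pdcc0"),
    ])
```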
Table 14-6 Ports Used by the TCC2/TCC2P
Port | Function | Action
0 | Never used | D
20 | FTP | D
21 | FTP control | D
22 | SSH (Secure Shell) | D
23 | Telnet | D
80 | HTTP | D
111 | SUNRPC (Sun Remote Procedure Call) | NA
161 | SNMP traps destinations | D
162 | SNMP traps destinations | D
513 | rlogin | D
683 | CORBA IIOP | OK
1080 | Proxy server (socks) | D
2001-2017 | I/O card Telnet | D
2018 | DCC processor on active T
CC2/TCC2P | D
2361 | TL1 | D
3082 | Raw TL1 | D
3083 | TL1 | D
5001 | BLSR server port | D
5002 | BLSR client port | D
7200 | SNMP alarm input port | D
9100 | EQM port | D
9401 | TCC boot port | D
9999 | Flash manager | D
10240-12287 | Proxy client | D
57790 | Default TCC listener port | OK
Action: D = deny, NA = not applicable, OK = do not deny. CORBA IIOP = Common Object Request Broker Architecture Internet Inter-ORB Protocol. BLSR = bidirectional line switched ring.

The following ACL example shows a firewall configuration when the SOCKS proxy server gateway setting is not enabled. In the example, the CTC workstation's address is 192.168.10.10 and the ONS 15454 address is 10.10.10.100. The firewall is attached to the GNE, so inbound is CTC to the GNE and outbound is from the GNE to CTC. The CTC CORBA Standard constant is 683 and the TCC CORBA Default is TCC Fixed (57790).

access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with ONS 15454 using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790
access-list 100 remark *** allows CTC communication with ONS 15454 GNE (port 57790) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 100 remark *** allows ACKs back from CTC to ONS 15454 GNE ***

access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 remark *** allows alarms etc., from the 15454 (random port) to the CTC workstation (port 683) ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from the 15454 GNE to CTC ***

The following ACL example shows a firewall configuration when the SOCKS proxy server gateway setting is enabled. As with the first example, the CTC workstation address is 192.168.10.10 and the ONS 15454 address is 10.10.10.100. The firewall is attached to the GNE, so inbound is CTC to the GNE and outbound is from the GNE to CTC. The CTC CORBA Standard constant is 683 and the TCC CORBA Default is TCC Fixed (57790).

access-list 100 remark *** Inbound ACL, CTC -> NE ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 remark *** allows initial contact with the 15454 using http (port 80) ***
access-list 100 remark
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 100 remark *** allows CTC communication with the 15454 GNE (port 1080) ***
access-list 100 remark

access-list 101 remark *** Outbound ACL, NE -> CTC ***
access-list 101 remark
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
access-list 101 remark *** allows ACKs from the 15454 GNE to CTC ***

14.5 Open GNE

The ONS 15454 can communicate with non-ONS nodes that do not support Point-to-Point Protocol (PPP) vendor extensions or OSPF type 10 opaque link-state advertisements (LSA), both of which are necessary for automatic node and link discovery.
An open GNE configuration allows the DCC-based network to function as an IP network for non-ONS nodes. To configure an open GNE network, you can provision SDCC, LDCC, and GCC terminations to include a far-end, non-ONS node using either the default IP address of 0.0.0.0 or a specified IP address. You provision a far-end, non-ONS node by checking the Far End is Foreign check box during SDCC, LDCC, and GCC creation. The default 0.0.0.0 IP address allows the far-end, non-ONS node to provide the IP address; if you set an IP address other than 0.0.0.0, a link is established only if the far-end node identifies itself with that IP address, providing an extra level of security.

By default, the SOCKS proxy server only allows connections to discovered ONS peers and the firewall blocks all IP traffic between the DCC network and LAN. You can, however, provision proxy tunnels to allow up to 12 additional destinations for SOCKS version 5 connections to non-ONS nodes. You can also provision firewall tunnels to allow up to 12 additional destinations for direct IP connectivity between the DCC network and the LAN. Proxy and firewall tunnels include both a source and destination subnet. The connection must originate within the source subnet and terminate within the destination subnet before either the SOCKS connection or IP packet flow is allowed. To set up proxy and firewall subnets in CTC, use the Provisioning > Network > Proxy and Firewalls subtabs.

The availability of proxy and/or firewall tunnels depends on the network access settings of the node:
• If the node is configured with the SOCKS proxy server enabled in GNE or ENE mode, you must set up a proxy tunnel and/or a firewall tunnel.
• If the node is configured with the SOCKS proxy server enabled in proxy-only mode, you can set up proxy tunnels. Firewall tunnels are not allowed.
• If the node is configured with the SOCKS proxy server disabled, neither proxy tunnels nor firewall tunnels are allowed.
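The GNE firewall of Tables 14-3 and 14-4 (section 14.2.7), together with the firewall tunnels of section 14.5, modelled as an added example that is not Cisco's code. The addresses come from Figure 14-18 (GNE 10.10.10.100/24, remote CTC 10.10.20.10, foreign NE 130.94.122.199/28); the filter is applied per packet, and the reading of the table's "Subnet mask = 255.255.255.255" entry as the limited broadcast address is an assumption.

```python
"""GNE firewall model: Tables 14-3 and 14-4 plus open-GNE firewall tunnels.
Added example, not Cisco's code; it applies the page's rules per packet."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple

SNMP_TRAP_RELAY_PORT = 391                  # Table 14-4
TELNET_PORT, SOCKS_PORT = 23, 1080          # Table 14-6
MULTICAST = IPv4Network("224.0.0.0/8")      # Table 14-3
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
MAX_FIREWALL_TUNNELS = 12                   # section 14.5


@dataclass
class Packet:
    ingress: str            # "ethernet" (TCC2/TCC2P LAN port) or "dcc"
    src: str                # dotted quads, converted to IPv4Address below
    dst: str
    proto: str              # "udp", "tcp", "ospf", "icmp" or anything else
    dport: Optional[int] = None

    def __post_init__(self) -> None:
        self.src, self.dst = IPv4Address(self.src), IPv4Address(self.dst)


@dataclass
class GneFirewall:
    address: IPv4Address                    # the node's own IP address
    lan: IPv4Network                        # subnet of the LAN port
    dcc_reachable: Set[IPv4Address]         # hosts known through other DCC links
    tunnels: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)

    def add_firewall_tunnel(self, src_subnet: str, dst_subnet: str) -> None:
        """Provision one (source subnet, destination subnet) firewall tunnel."""
        if len(self.tunnels) >= MAX_FIREWALL_TUNNELS:
            raise ValueError("at most 12 firewall tunnels can be provisioned")
        self.tunnels.append((IPv4Network(src_subnet), IPv4Network(dst_subnet)))

    def _tunnel_allows(self, pkt: Packet) -> bool:
        # A tunnel covers only flows that start inside its source subnet and
        # end inside its destination subnet (section 14.5); direction matters.
        return any(pkt.src in s and pkt.dst in d for s, d in self.tunnels)

    def _table_14_3(self, pkt: Packet) -> bool:
        """Destination-based acceptance per arriving interface (Table 14-3)."""
        if pkt.dst == self.address or pkt.dst in MULTICAST:
            return True
        if pkt.ingress == "ethernet":
            # The table's "Subnet mask = 255.255.255.255" entry is read here as
            # the limited broadcast address; that reading is an assumption.
            return pkt.dst in (self.lan.broadcast_address, LIMITED_BROADCAST)
        return pkt.ingress == "dcc" and pkt.dst in self.dcc_reachable

    def _table_14_4(self, pkt: Packet) -> Optional[bool]:
        """Rules for packets addressed to the node itself (Table 14-4).
        None means the table states no rule (non-UDP on the LAN port)."""
        if pkt.ingress == "ethernet":
            return pkt.dport != SNMP_TRAP_RELAY_PORT if pkt.proto == "udp" else None
        if pkt.ingress != "dcc":
            return False
        if pkt.proto in ("udp", "ospf", "icmp"):
            return True
        if pkt.proto == "tcp":
            return pkt.dport not in (TELNET_PORT, SOCKS_PORT)
        return False                        # anything other than UDP/TCP/OSPF/ICMP

    def verdict(self, pkt: Packet) -> str:
        """Return "accept", "reject" or "unspecified"; rejects are silent."""
        if not self._table_14_3(pkt):
            # LAN <-> DCC forwarding stays blocked unless a firewall tunnel
            # explicitly opens this source/destination pair (open GNE, 14.5).
            return "accept" if self._tunnel_allows(pkt) else "reject"
        if pkt.dst != self.address:
            return "accept"                 # forwarded, broadcast or multicast
        rule = self._table_14_4(pkt)
        return "unspecified" if rule is None else ("accept" if rule else "reject")


def figure_14_18_gne() -> GneFirewall:
    """The GNE of Figure 14-18 (10.10.10.100/24) with its three ENEs and the
    foreign NE 130.94.122.199/28 reachable through the DCC network."""
    peers = ("10.10.10.150", "10.10.10.200", "10.10.10.250", "130.94.122.199")
    return GneFirewall(IPv4Address("10.10.10.100"), IPv4Network("10.10.10.0/24"),
                       {IPv4Address(p) for p in peers})
```

A verdict of "unspecified" flags the one combination (non-UDP traffic from the LAN to the node itself) for which Table 14-4 prints no rule, so the model does not guess where the page is silent.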
Figure 14-18 shows an example of a foreign node connected to the DCC network. Proxy and firewall tunnels are useful in this example because the GNE would otherwise block IP access between the PC and the foreign node.

Figure 14-18 Proxy and Firewall Tunnels for Foreign Terminations
[Figure 14-18 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs 10.10.10.150/24, 10.10.10.200/24 and 10.10.10.250/24; non-ONS node Foreign NE 130.94.122.199/28 on the DCC network; Local/Craft CTC 192.168.20.20; Ethernet and SONET links]

Figure 14-19 shows a remote node connected to an ENE Ethernet port. Proxy and firewall tunnels are useful in this example because the GNE would otherwise block IP access between the PC and foreign node. This configuration also requires a firewall tunnel on the ENE.

Figure 14-19 Foreign Node Connection to an ENE Ethernet Port
[Figure 14-19 diagram: Remote CTC 10.10.20.10 on 10.10.20.0/24; Router A Interface 0/0 10.10.20.1, Interface 0/1 10.10.10.1 on 10.10.10.0/24; ONS 15454 GNE 10.10.10.100/24; ONS 15454 ENEs 10.10.10.150/24, 10.10.10.200/24 and 10.10.10.250/24; non-ONS node Foreign NE 130.94.122.199/28 attached to an ENE Ethernet port; Local/Craft CTC 192.168.20.20; Ethernet and SONET links]

14.6 TCP/IP and OSI Networking

ONS 15454 DCN communication is based on the TCP/IP protocol suite. However, ONS 15454s can also be networked with equipment that uses the OSI protocol suite. While TCP/IP and OSI protocols are not directly compatible, they do have the same objectives and occupy similar layers of the OSI reference model. Table 14-7 shows the protocols and mediation processes that are involved when TCP/IP-based NEs are networked with OSI-based NEs.

14.6.1 Point-to-Point Protocol

PPP is a data link (Layer 2) encapsulation protocol that transports datagrams over point-to-point links. Although PPP was developed to transport IP traffic, it can carry other protocols including the OSI CLNP. PPP components used in the transport of OSI include:
• High-level data link control (HDLC)—Performs the datagram encapsulation for transport across point-to-point links.
• Link control protocol (LCP)—Establishes, configures, and tests the point-to-point connections.

CTC automatically enables IP over PPP whenever you create an SDCC or LDCC. The SDCC or LDCC can be provisioned to support OSI over PPP.

Table 14-7 TCP/IP and OSI Protocols
OSI Model | IP Protocols | OSI Protocols | IP-OSI Mediation
Layer 7 Application | TL1, FTP, HTTP, Telnet, IIOP, TARP | TL1 (over OSI), FTAM, ACSE | T–TD, FT–TD
Layer 6 Presentation | | PST |
Layer 5 Session | | Session |
Layer 4 Transport | TCP, UDP | TP (Transport) Class 4 | IP-over-CLNS tunnels
Layer 3 Network | IP, OSPF | CLNP, ES-IS, IS-IS |
Layer 2 Data link | PPP | PPP, LAP-D |
Layer 1 Physical | DCC, LAN, fiber, electrical | DCC, LAN, fiber, electrical |
TARP = TID Address Resolution Protocol; FTAM = File Transfer and Access Management; ACSE = association-control service element; T–TD = TL1–Translation Device; FT–TD = File Transfer—Translation Device; PST = Presentation layer; CLNS = Connectionless Network Layer Service; CLNP = Connectionless Network Layer Protocol; ES-IS = End System-to-Intermediate System; IS-IS = Intermediate System-to-Intermediate System; LAP-D = Link Access Protocol on the D Channel

14.6.2 Link Access Protocol on the D Channel

LAP-D is a data link protocol used in the OSI protocol stack. LAP-D is assigned when you provision an ONS 15454 SDCC as OSI-only. Provisionable LAP-D parameters include:
• Transfer Service—One of the following transfer services must be assigned:
– Acknowledged Information Transfer Service (AITS)—(Default) Does not exchange data until a logical connection between two LAP-D users is established. This service provides reliable data transfer, flow control, and error control mechanisms.
– Unacknowledged Information Transfer Service (UITS)—Transfers frames containing user data with no acknowledgement. The service does not guarantee that the data presented by one user will be delivered to another user, nor does it inform the user if the delivery attempt fails. It does not provide any flow control or error control mechanisms.
• Mode—LAP-D is set to either Network or User mode. This parameter sets the LAP-D frame command/response (C/R) value, which indicates whether the frame is a command or a response.
• Maximum transmission unit (MTU)—The LAP-D N201 parameter sets the maximum number of octets in a LAP-D information frame. The range is 512 to 1500 octets.

Note The MTU must be the same size for all NEs on the network.

• Transmission Timers—The following LAP-D timers can be provisioned:
– The T200 timer sets the timeout period for initiating retries or declaring failures.
– The T203 timer provisions the maximum time between frame exchanges, that is, the trigger for transmission of the LAP-D “keep-alive” Receive Ready (RR) frames.
Fixed values are assigned to the following LAP-D parameters:
• Terminal Endpoint Identifier (TEI)—A fixed value of 0 is assigned.
• Service Access Point Identifier (SAPI)—A fixed value of 62 is assigned.
• N200 supervisory frame retransmissions—A fixed value of 3 is assigned.

14.6.3 OSI Connectionless Network Service

OSI connectionless network service is implemented by using the Connectionless Network Protocol (CLNP) and Connectionless Network Service (CLNS). CLNP and CLNS are described in the ISO 8473 standard. CLNS provides network layer services to the transport layer through CLNP. CLNS does not perform connection setup or termination because paths are determined independently for each packet that is transmitted through a network. CLNS relies on transport layer protocols to perform error detection and correction.

CLNP is an OSI network layer protocol that carries upper-layer data and error indications over connectionless links. CLNP provides the interface between the CLNS and upper layers. CLNP performs many of the same services for the transport layer as IP. The CLNP datagram is very similar to the IP datagram. It provides mechanisms for fragmentation (data unit identification, fragment/total length, and offset). Like IP, a checksum computed on the CLNP header verifies that the information used to process the CLNP datagram is transmitted correctly, and a lifetime control mechanism (Time to Live) limits the amount of time a datagram is allowed to remain in the system.

CLNP uses network service access points (NSAPs) to identify network devices. The CLNP source and destination addresses are NSAPs. In addition, CLNP uses a network element title (NET) to identify a network-entity in an end system (ES) or intermediate system (IS). NETs are allocated from the same name space as NSAP addresses.
Whether an address is an NSAP address or a NET depends on the network selector value in the NSAP. The ONS 15454 supports the ISO Data Country Code (ISO-DCC) NSAP address format as specified in ISO 8348. The NSAP address is divided into an initial domain part (IDP) and a domain-specific part (DSP). NSAP fields are shown in Table 14-8. NSAP field values are in hexadecimal format. All NSAPs are editable. Shorter NSAPs can be used. However, NSAPs for all NEs residing within the same OSI network area usually have the same NSAP format.

Table 14-8 NSAP Fields

IDP fields:
• AFI (Authority and format identifier): Specifies the NSAP address format. The initial value is 39 for the ISO-DCC address format.
• IDI (Initial domain identifier): Specifies the country code. The initial value is 840F, the United States country code padded with an F.

DSP fields:
• DFI (DSP format identifier): Specifies the DSP format. The initial value is 80, indicating the DSP format follows American National Standards Institute (ANSI) standards.
• ORG (Organization): Organization identifier. The initial value is 000000.
• Reserved: Reserved NSAP field. The Reserved field is normally all zeros (0000).
• RD (Routing domain): Defines the routing domain. The initial value is 0000.
• AREA (Area): Identifies the OSI routing area to which the node belongs. The initial value is 0000.
• System (System identifier): The ONS 15454 system identifier is set to its IEEE 802.3 MAC address. Each ONS 15454 supports three OSI virtual routers. Each router NSAP system identifier is the ONS 15454 IEEE 802.3 MAC address + n, where n = 0 to 2. For the primary virtual router, n = 0.
• SEL (Selector): The selector field directs the protocol data units (PDUs) to the correct destination using the CLNP network layer service. Selector values supported by the ONS 15454 include:
  • 00—Network Entity Title (NET). Used to exchange PDUs in the ES-IS and IS-IS routing exchange protocols. (See the “14.6.4.1 End System-to-Intermediate System Protocol” section on page 14-36 and the “14.6.4.2 Intermediate System-to-Intermediate System Protocol” section on page 14-36.)
  • 1D—Selector for Transport Class 4 and for the FTAM and TL1 applications (Telcordia GR-253-CORE standard)
  • AF—Selector for the TARP protocol (Telcordia GR-253-CORE standard)
  • 2F—Selector for the GRE IP-over-CLNS tunnel (ITU/RFC standard)
  • CC—Selector for the Cisco IP-over-CLNS tunnels (Cisco specific)
  • E0—Selector for the OSI ping application (Cisco specific)
  NSELs are only advertised when the node is configured as an ES. They are not advertised when a node is configured as an IS. Tunnel NSELs are not advertised until a tunnel is created.

Figure 14-20 shows the ISO-DCC NSAP address with the default values delivered with the ONS 15454. The System ID is automatically populated with the node MAC address.

Figure 14-20 ISO-DCC NSAP Address
39.840F.80.000000.0000.0000.0000.xxxxxxxxxxxx.00
(Field order: AFI . IDI . DFI . ORG . Reserved . RD . Area . System ID . SEL)

The ONS 15454 main NSAP address is shown on the node view Provisioning > OSI > Main Setup subtab (Figure 14-21).

Figure 14-21 OSI Main Setup

This address is also the Router 1 primary manual area address, which is viewed and edited on the Provisioning > OSI > Routers subtab. See the “14.6.7 OSI Virtual Routers” section on page 14-41 for information about the OSI router and manual area addresses in CTC.

14.6.4 OSI Routing

OSI architecture includes ESs and ISs.
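The NSAP layout of Table 14-8 and Figure 14-20, worked through in code. This is an added example, not ONS 15454 or CTC code: it parses a dotted NSAP into its fields, tells a NET from a service NSAP by the selector, derives the three virtual-router System IDs from a MAC address, and builds the per-selector NSAPs of a node from its NET. It goes beyond the ISO-DCC case in the text by also accepting shorter NSAPs, for which it only separates the area address, System ID and selector. The MAC address and the prefix 49.0001 used below are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Selector (NSEL) values listed in Table 14-8 for the ONS 15454.
SELECTORS = {
    0x00: "NET (ES-IS and IS-IS routing)",
    0x1D: "Transport Class 4 (FTAM and TL1)",
    0xAF: "TARP",
    0x2F: "GRE IP-over-CLNS tunnel",
    0xCC: "Cisco IP-over-CLNS tunnel",
    0xE0: "OSI ping",
}

# ISO-DCC field widths in hex digits, in address order (Table 14-8).
ISO_DCC_LAYOUT = (("AFI", 2), ("IDI", 4), ("DFI", 2), ("ORG", 6), ("Reserved", 4),
                  ("RD", 4), ("AREA", 4), ("SystemID", 12), ("SEL", 2))


@dataclass
class Nsap:
    area_address: str   # hex digits preceding the System ID (the manual area address)
    system_id: str      # 12 hex digits (six octets)
    selector: int       # NSEL octet
    fields: dict = field(default_factory=dict)  # ISO-DCC breakdown when the NSAP is 20 octets


def parse_nsap(text: str) -> Nsap:
    """Parse a dotted hex NSAP. The last octet is the selector, the six octets before it
    are the System ID, and everything in front is the area address. This holds for shorter
    NSAPs too; the full ISO-DCC field breakdown is filled in only for 20-octet addresses."""
    hexstr = text.replace(".", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", hexstr):
        raise ValueError("NSAP must be hexadecimal digits and dots")
    if len(hexstr) % 2:
        raise ValueError("NSAP must be a whole number of octets")
    if not 8 * 2 <= len(hexstr) <= 20 * 2:
        raise ValueError("NSAP must be 8 to 20 octets")
    selector = int(hexstr[-2:], 16)
    system_id = hexstr[-14:-2]
    area_address = hexstr[:-14]
    fields = {}
    if len(hexstr) == 40:            # full ISO-DCC layout of Figure 14-20
        pos = 0
        for name, width in ISO_DCC_LAYOUT:
            fields[name] = hexstr[pos:pos + width]
            pos += width
    return Nsap(area_address, system_id, selector, fields)


def is_net(nsap: Nsap) -> bool:
    """Selector 00 makes the address a NET, which names the network entity itself."""
    return nsap.selector == 0


def describe_selector(selector: int) -> str:
    return SELECTORS.get(selector, "unknown selector")


def virtual_router_system_id(mac: str, n: int) -> str:
    """System ID of virtual router n (0, 1 or 2): the IEEE 802.3 MAC address plus n."""
    if n not in (0, 1, 2):
        raise ValueError("the ONS 15454 has three virtual routers (n = 0, 1, 2)")
    mac_hex = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", mac_hex):
        raise ValueError("MAC address must be 12 hex digits")
    return format((int(mac_hex, 16) + n) % (1 << 48), "012X")


def format_nsap(area_address: str, system_id: str, selector: int) -> str:
    """Dotted form; a 13-octet area address is grouped as in Figure 14-20."""
    groups = []
    if len(area_address) == 26:
        pos = 0
        for _, width in ISO_DCC_LAYOUT[:7]:
            groups.append(area_address[pos:pos + width])
            pos += width
    else:
        groups.append(area_address)
    return ".".join(groups + [system_id, format(selector, "02X")])


def service_nsaps(net_text: str) -> dict:
    """From a node's NET, derive the NSAP it uses for each supported selector."""
    net = parse_nsap(net_text)
    if not is_net(net):
        raise ValueError("expected a NET (selector 00)")
    return {describe_selector(sel): format_nsap(net.area_address, net.system_id, sel)
            for sel in SELECTORS}
```

The parser rejects anything that is not hex, an odd number of nibbles, or an out-of-range length before slicing, so a malformed address read from a provisioning file fails early rather than producing a misaligned System ID.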
The OSI routing scheme includes:
• A set of routing protocols that allow ESs and ISs to collect and distribute the information necessary to determine routes. Protocols include the ES-IS and IS-IS protocols. ES-IS routing establishes connectivity and reachability among ESs and ISs attached to the same (single) subnetwork.
• A routing information base (RIB) containing this information, from which routes between ESs can be computed. The RIB consists of a table of entries that identify a destination (for example, an NSAP), the subnetwork over which packets should be forwarded to reach that destination, and a routing metric. The routing metric communicates characteristics of the route (such as delay properties or expected error rate) that are used to evaluate the suitability of a route compared to another route with different properties, for transporting a particular packet or class of packets.
• A routing algorithm, Shortest Path First (SPF), that uses information contained in the RIB to derive routes between ESs.

In OSI networking, discovery is based on announcements. An ES uses the ES-IS protocol end system hello (ESH) message to announce its presence to ISs and ESs connected to the same network. Any ES or IS that is listening for ESHs gets a copy. ISs store the NSAP address and the corresponding subnetwork address pair in routing tables. ESs might store the address, or they might wait to be informed by ISs when they need such information.

An IS composes intermediate system hello (ISH) messages to announce its configuration information to ISs and ESs that are connected to the same broadcast subnetwork. Like the ESHs, the ISH contains the addressing information for the IS (the NET and the subnetwork point-of-attachment address [SNPA]) and a holding time. ISHs might also communicate a suggested ES configuration time recommending a configuration timer to ESs. The exchange of ISHs is called neighbor greeting or initialization. Each router learns about the other routers with which it shares direct connectivity. After the initialization, each router constructs a link-state packet (LSP). The LSP contains a list of the names of the IS’s neighbors and the cost to reach each of the neighbors. Routers then distribute the LSPs to all of the other routers. When all LSPs are propagated to all routers, each router has a complete map of the network topology (in the form of LSPs). Routers use the LSPs and the SPF algorithm to compute routes to every destination in the network.

OSI networks are divided into areas and domains. An area is a group of contiguous networks and attached hosts that is designated as an area by a network administrator. A domain is a collection of connected areas. Routing domains provide full connectivity to all ESs within them. Routing within the same area is known as Level 1 routing. Routing between two areas is known as Level 2 routing. LSPs that are exchanged within a Level 1 area are called L1 LSPs. LSPs that are exchanged across Level 2 areas are called L2 LSPs. Figure 14-22 shows an example of Level 1 and Level 2 routing.

Figure 14-22 Level 1 and Level 2 OSI Routing
(One domain containing Area 1 and Area 2: Level 1 routing among the ISs and ESs inside each area, Level 2 routing between the ISs of the two areas.)

When you provision an ONS 15454 for a network with NEs that use both the TCP/IP and OSI protocol stacks, you will provision it as one of the following:
• End System—The ONS 15454 performs OSI ES functions and relies upon an IS for communication with nodes that reside within its OSI area.
• Intermediate System Level 1—The ONS 15454 performs OSI IS functions. It communicates with IS and ES nodes that reside within its OSI area. It depends upon an IS L1/L2 node to communicate with IS and ES nodes that reside outside its OSI area.
• Intermediate System Level 1/Level 2—The ONS 15454 performs IS functions. It communicates with IS and ES nodes that reside within its OSI area. It also communicates with IS L1/L2 nodes that reside in other OSI areas. This option should not be provisioned unless the node is connected to another IS L1/L2 node that resides in a different OSI area. The node must also be connected to all nodes within its area that are provisioned as IS L1/L2.

14.6.4.1 End System-to-Intermediate System Protocol

ES-IS is an OSI protocol that defines how ESs (hosts) and ISs (routers) learn about each other. ES-IS configuration information is transmitted at regular intervals through the ES and IS hello messages. The hello messages contain the subnetwork and network layer addresses of the systems that generate them. The ES-IS configuration protocol communicates both OSI network layer addresses and OSI subnetwork addresses. OSI network layer addresses identify either the NSAP, which is the interface between OSI Layer 3 and Layer 4, or the NET, which is the network layer entity in an OSI IS. OSI SNPAs are the points at which an ES or IS is physically attached to a subnetwork. The SNPA address uniquely identifies each system attached to the subnetwork. In an Ethernet network, for example, the SNPA is the 48-bit MAC address. Part of the configuration information transmitted by ES-IS is the NSAP-to-SNPA or NET-to-SNPA mapping.

14.6.4.2 Intermediate System-to-Intermediate System Protocol

IS-IS is an OSI link-state hierarchical routing protocol that floods the network with link-state information to build a complete, consistent picture of a network topology. IS-IS distinguishes between Level 1 and Level 2 ISs. Level 1 ISs communicate with other Level 1 ISs in the same area. Level 2 ISs route between Level 1 areas and form an intradomain routing backbone. Level 1 ISs need to know only how to get to the nearest Level 2 IS. The backbone routing protocol can change without impacting the intra-area routing protocol.

OSI routing begins when the ESs discover the nearest IS by listening to ISH packets. When an ES wants to send a packet to another ES, it sends the packet to one of the ISs on its directly attached network. The router then looks up the destination address and forwards the packet along the best route. If the destination ES is on the same subnetwork, the local IS knows this from listening to ESHs and forwards the packet appropriately. The IS also might provide a redirect (RD) message back to the source to tell it that a more direct route is available. If the destination address is an ES on another subnetwork in the same area, the IS knows the correct route and forwards the packet appropriately. If the destination address is an ES in another area, the Level 1 IS sends the packet to the nearest Level 2 IS. Forwarding through Level 2 ISs continues until the packet reaches a Level 2 IS in the destination area. Within the destination area, the ISs forward the packet along the best path until the destination ES is reached.

Link-state update messages help ISs learn about the network topology. Each IS generates an update specifying the ESs and ISs to which it is connected, as well as the associated metrics. The update is then sent to all neighboring ISs, which forward (flood) it to their neighbors, and so on. (Sequence numbers terminate the flood and distinguish old updates from new ones.) Using these updates, each IS can build a complete topology of the network. When the topology changes, new updates are sent.

IS-IS uses a single required default metric with a maximum path value of 1024. The metric is arbitrary and typically is assigned by a network administrator.
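The Level 1 and Level 2 forwarding rules and the SPF computation described above, as an added example rather than ONS 15454 code. It assumes a constructed five-IS topology (A to E in two areas, C and D provisioned as IS L1/L2), applies the default-metric limits this section states (a single link at most 64, a path at most 1024), and uses the LSP sequence-number rule as the stand-in for flooding: an LSP is installed and reflooded only when its sequence number is newer than the stored copy.

```python
import heapq
from dataclasses import dataclass

MAX_LINK_METRIC = 64     # IS-IS default metric: a single link is at most 64
MAX_PATH_METRIC = 1024   # path metrics above 1024 are treated as unreachable


@dataclass
class LSP:
    system: str      # IS name (stands in for the System ID)
    area: str        # OSI routing area of the IS
    level2: bool     # True for an IS provisioned as Level 1/Level 2
    seq: int         # LSP sequence number
    neighbors: dict  # neighbor system -> link metric


def install_lsp(db: dict, lsp: LSP) -> bool:
    """Flooding rule: keep an LSP only if its sequence number is newer than the stored one."""
    for nbr, cost in lsp.neighbors.items():
        if not 1 <= cost <= MAX_LINK_METRIC:
            raise ValueError(f"link {lsp.system}-{nbr} metric {cost} exceeds {MAX_LINK_METRIC}")
    old = db.get(lsp.system)
    if old is not None and lsp.seq <= old.seq:
        return False                 # old or duplicate copy: do not reflood
    db[lsp.system] = lsp
    return True


def spf(db: dict, source: str, allowed) -> tuple:
    """Dijkstra over the ISs for which allowed(lsp) is true; returns (distances, predecessors)."""
    inf = float("inf")
    dist, prev = {source: 0}, {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, inf):
            continue
        for v, cost in db[u].neighbors.items():
            if v not in db or not allowed(db[v]):
                continue
            nd = d + cost
            if nd > MAX_PATH_METRIC or nd >= dist.get(v, inf):
                continue             # too long to be a valid path, or not an improvement
            dist[v], prev[v] = nd, u
            heapq.heappush(heap, (nd, v))
    return dist, prev


def first_hop(prev: dict, source: str, dest: str) -> str:
    node = dest
    while prev[node] != source:
        node = prev[node]
    return node


def route(db: dict, source: str, dest: str):
    """Return (next_hop, metric, level) for a packet from source to dest, or None."""
    if source == dest:
        return dest, 0, 1
    src, dst = db[source], db[dest]
    if dst.area == src.area:         # Level 1 routing inside the area
        dist, prev = spf(db, source, lambda l: l.area == src.area)
        if dest not in dist:
            return None
        return first_hop(prev, source, dest), dist[dest], 1
    if src.level2:                   # Level 2 routing over the backbone of IS L1/L2 systems
        dist, prev = spf(db, source, lambda l: l.level2)
        exits = [(d, s) for s, d in dist.items() if db[s].area == dst.area]
        if not exits:
            return None
        d, s = min(exits)            # nearest Level 2 IS that sits in the destination area
        return first_hop(prev, source, s), d, 2
    # A Level 1 IS hands the packet to the nearest IS L1/L2 of its own area.
    dist, prev = spf(db, source, lambda l: l.area == src.area)
    exits = [(d, s) for s, d in dist.items() if db[s].level2 and s != source]
    if not exits:
        return None
    d, s = min(exits)
    return first_hop(prev, source, s), d, 1


def sample_db() -> dict:
    """Constructed topology: area1 = A, B, C (C is L1/L2); area2 = D (L1/L2), E."""
    db = {}
    for lsp in (LSP("A", "area1", False, 1, {"B": 10, "C": 40}),
                LSP("B", "area1", False, 1, {"A": 10, "C": 20}),
                LSP("C", "area1", True, 1, {"A": 40, "B": 20, "D": 5}),
                LSP("D", "area2", True, 1, {"C": 5, "E": 15}),
                LSP("E", "area2", False, 1, {"D": 15})):
        install_lsp(db, lsp)
    return db
```

With this database, A reaches E (another area) by sending to B, because C, the nearest Level 1/Level 2 IS in area1, is 30 away via B and 40 away directly; C itself forwards to D at Level 2, and D delivers at Level 1 inside area2.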
Any single link can have a maximum value of 64, and path metrics are calculated by summing link values. Maximum metric values were set at these levels to provide the granularity to support various link types while at the same time ensuring that the shortest-path algorithm used for route computation is reasonably efficient. Three optional IS-IS metrics (costs)—delay, expense, and error—are not supported by the ONS 15454. IS-IS maintains a mapping of the metrics to the quality of service (QoS) option in the CLNP packet header. IS-IS uses the mappings to compute routes through the internetwork.

14.6.5 TARP

TARP is used when TL1 target identifiers (TIDs) must be translated to NSAP addresses. The TID-to-NSAP translation occurs by mapping TIDs to the NETs, then deriving NSAPs from the NETs by using the NSAP selector values (Table 14-8 on page 14-32). TARP uses a selective PDU propagation methodology in conjunction with a distributed database (that resides within the NEs) of TID-to-NET mappings. TARP allows NEs to translate between TID and NET by automatically exchanging mapping information with other NEs. The TARP PDU is carried by the standard CLNP Data PDU. TARP PDU fields are shown in Table 14-9. Table 14-10 shows the TARP PDU types that govern TARP interaction and routing.

Table 14-9 TARP PDU Fields (field, abbreviation, size in bytes, description)
• TARP Lifetime, tar-lif, 2 bytes: The TARP time-to-live in hops.
• TARP Sequence Number, tar-seq, 2 bytes: The TARP sequence number used for loop detection.
• Protocol Address Type, tar-pro, 1 byte: Used to identify the type of protocol address that the TID must be mapped to. The value FE is used to identify the CLNP address type.
• TARP Type Code, tar-tcd, 1 byte: The TARP Type Code identifies the TARP type of PDU. Five TARP types, shown in Table 14-10, are defined.
• TID Target Length, tar-tln, 1 byte: The number of octets that are in the tar-ttg field.
• TID Originator Length, tar-oln, 1 byte: The number of octets that are in the tar-tor field.
• Protocol Address Length, tar-pln, 1 byte: The number of octets that are in the tar-por field.
• TID of Target, tar-ttg, n = 0, 1, 2... bytes: TID value for the target NE.
• TID of Originator, tar-tor, n = 0, 1, 2... bytes: TID value of the TARP PDU originator.
• Protocol Address of Originator, tar-por, n = 0, 1, 2... bytes: Protocol address (for the protocol type identified in the tar-pro field) of the TARP PDU originator. When the tar-pro field is set to FE (hex), tar-por will contain a CLNP address (that is, the NET).

Table 14-10 TARP PDU Types (type, description, actions)
• Type 1: Sent when a device has a TID for which it has no matching NSAP. Action: After an NE originates a TARP Type 1 PDU, the PDU is sent to all adjacent NEs within the NE routing area.
• Type 2: Sent when a device has a TID for which it has no matching NSAP and no response was received from the Type 1 PDU. Action: After an NE originates a TARP Type 2 PDU, the PDU is sent to all Level 1 and Level 2 neighbors.
• Type 3: Sent as a response to Type 1, Type 2, or Type 5 PDUs. Action: After a TARP Request (Type 1 or 2) PDU is received, a TARP Type 3 PDU is sent to the request originator. Type 3 PDUs do not use the TARP propagation procedures.
• Type 4: Sent as a notification when a change occurs locally, for example, a TID or NSAP change. It might also be sent when an NE initializes. Action: A Type 4 PDU is a notification of a TID or Protocol Address change at the NE that originates the notification. The PDU is sent to all adjacencies inside and outside the NE’s routing area.
• Type 5: Sent when a device needs a TID that corresponds to a specific NSAP. Action: When a Type 5 PDU is sent, the CLNP destination address is known, so the PDU is sent to only that address. Type 5 PDUs do not use the TARP propagation procedures.

14.6.5.1 TARP Processing

A TARP data cache (TDC) is created at each NE to facilitate TARP processing. In CTC, the TDC is displayed and managed on the node view Maintenance > OSI > TDC subtab. The TDC subtab contains the following TARP PDU fields:
• TID—TID of the originating NE (tar-tor).
• NSAP—NSAP of the originating NE.
• Type—Indicates whether the TARP PDU was created through the TARP propagation process (dynamic) or manually created (static).

Provisionable timers, shown in Table 14-11, control TARP processing. Table 14-12 shows the main TARP processes and the general sequence of events that occurs in each process.

Table 14-11 TARP Timers (timer, description, default, range)
• T1: Waiting for response to TARP Type 1 Request PDU. Default 15 seconds; range 0–3600 seconds.
• T2: Waiting for response to TARP Type 2 Request PDU. Default 25 seconds; range 0–3600 seconds.
• T3: Waiting for response to address resolution request. Default 40 seconds; range 0–3600 seconds.
• T4: Timer starts when T2 expires (used during error recovery). Default 20 seconds; range 0–3600 seconds.

14.6.5.2 TARP Loop Detection Buffer

The TARP loop detection buffer (LDB) can be enabled to prevent duplicate TARP PDUs from entering the TDC. When a TARP Type 1, 2, or 4 PDU arrives, TARP checks its LDB for a NET address (tar-por) of the PDU originator match. If no match is found, TARP processes the PDU and assigns a tar-por, tar-seq (sequence) entry for the PDU to the LDB. If the tar-seq is zero, a timer associated with the LDB entry is started using the provisionable LDB entry timer on the node view OSI > TARP > Config tab. If a match exists, the tar-seq is compared to the LDB entry. If the tar-seq is not zero and is less than or equal to the LDB entry, the PDU is discarded. If the tar-seq is greater than the LDB entry, the PDU is processed and the tar-seq field in the LDB entry is updated with the new value. The Cisco ONS 15454 LDB holds approximately 500 entries. The LDB is flushed periodically based on the time set in the LDB Flush timer on the node view OSI > TARP > Config tab.

14.6.5.3 Manual TARP Adjacencies

TARP adjacencies can be manually provisioned in networks where ONS 15454s must communicate across routers or non-SONET NEs that lack TARP capability. In CTC, manual TARP adjacencies are provisioned on the node view Provisioning > OSI > TARP > MAT (Manual Area Table) subtab. The manual adjacency causes a TARP request to hop through the general router or non-SONET NE, as shown in Figure 14-23.

Table 14-12 TARP Processing Flow (process, general TARP flow)
• Find a NET that matches a TID:
  1. TARP checks its TDC for a match. If a match is found, TARP returns the result to the requesting application.
  2. If no match is found, a TARP Type 1 PDU is generated and Timer T1 is started.
  3. If Timer T1 expires before a match is found, a Type 2 PDU is generated and Timer T2 is started.
  4. If Timer T2 expires before a match is found, Timer T4 is started.
  5. If Timer T4 expires before a match is found, a Type 2 PDU is generated and Timer T2 is started.
• Find a TID that matches a NET: A Type 5 PDU is generated. Timer T3 is used. However, if the timer expires, no error recovery procedure occurs, and a status message is provided to indicate that the TID cannot be found.
• Send a notification of TID or protocol address change: TARP generates a Type 4 PDU in which the tar-ttg field contains the NE TID value that existed prior to the change of TID or protocol address. Confirmation that other NEs successfully received the address change is not sent.

Figure 14-23 Manual TARP Adjacencies
(Two DCNs joined by a generic router; the manual adjacency spans the router.)

14.6.5.4 Manual TID to NSAP Provisioning

TIDs can be manually linked to NSAPs and added to the TDC. Static TDC entries are similar to static routes. For a specific TID, you force a specific NSAP. Resolution requests for that TID always return that NSAP. No TARP network propagation or instantaneous replies are involved. Static entries allow you to forward TL1 commands to NEs that do not support TARP. However, static TDC entries are not dynamically updated, so outdated entries are not removed after the TID or the NSAP changes on the target node.

14.6.6 TCP/IP and OSI Mediation

Two mediation processes facilitate TL1 networking and file transfers between NEs and ONS client computers running TCP/IP and OSI protocol suites:
• T–TD—Performs a TL1-over-IP to TL1-over-OSI gateway mediation to enable an IP-based OSS to manage OSI-only NEs subtended from a GNE. Figure 14-24 shows the T–TD protocol flow.

Figure 14-24 T–TD Protocol Flow

• FT–TD—Performs an FTP conversion between FTAM and FTP. The FT–TD gateway entity includes an FTAM responder (server) and an FTP client, allowing FTAM initiators (clients) to store, retrieve, or delete files from an FTP server. The FT–TD gateway is unidirectional and is driven by the FTAM initiator. The FT–TD FTAM responder exchanges messages with the FTAM initiator over the full OSI stack. Figure 14-25 shows the FT–TD protocol flow.
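The TARP PDU layout of Table 14-9 and the loop detection rules of 14.6.5.2, as an added example rather than the node's own TARP implementation. It assumes the field order of Table 14-9 in network byte order, a constructed originator NET, and (an assumption the section leaves open) that a repeated PDU whose tar-seq is 0 is processed without changing the LDB entry; the LDB entry timer and the LDB Flush timer are represented only by an explicit flush. The decoder checks the three declared lengths against the buffer before slicing, so a malformed PDU received over the DCC is rejected rather than partially parsed.

```python
import struct
from dataclasses import dataclass

PROTO_CLNP = 0xFE   # tar-pro value identifying a CLNP protocol address (the NET)
TARP_TYPES = {1: "TID request within the routing area",
              2: "TID request to Level 1 and Level 2 neighbors",
              3: "response",
              4: "TID or protocol address change notification",
              5: "NET-to-TID request"}
# tar-lif, tar-seq, tar-pro, tar-tcd, tar-tln, tar-oln, tar-pln (Table 14-9), network byte order
HEADER = struct.Struct(">HHBBBBB")


@dataclass
class TarpPdu:
    lifetime: int       # tar-lif: time to live in hops
    seq: int            # tar-seq: sequence number used for loop detection
    proto: int          # tar-pro: protocol address type
    tcode: int          # tar-tcd: TARP type code
    target_tid: bytes   # tar-ttg
    orig_tid: bytes     # tar-tor
    orig_addr: bytes    # tar-por: the originator's NET when tar-pro is FE


def encode_tarp(p: TarpPdu) -> bytes:
    if p.tcode not in TARP_TYPES:
        raise ValueError("unknown TARP type code")
    for name, value in (("tar-ttg", p.target_tid), ("tar-tor", p.orig_tid), ("tar-por", p.orig_addr)):
        if len(value) > 255:
            raise ValueError(f"{name} longer than its one-octet length field allows")
    return (HEADER.pack(p.lifetime, p.seq, p.proto, p.tcode,
                        len(p.target_tid), len(p.orig_tid), len(p.orig_addr))
            + p.target_tid + p.orig_tid + p.orig_addr)


def decode_tarp(buf: bytes) -> TarpPdu:
    """Bounds-checked decoder: the declared lengths must account exactly for the PDU."""
    if len(buf) < HEADER.size:
        raise ValueError("PDU shorter than the fixed TARP header")
    lif, seq, pro, tcd, tln, oln, pln = HEADER.unpack_from(buf)
    if len(buf) != HEADER.size + tln + oln + pln:
        raise ValueError("declared field lengths do not match the PDU size")
    if tcd not in TARP_TYPES:
        raise ValueError("unknown TARP type code")
    pos = HEADER.size
    ttg = bytes(buf[pos:pos + tln]); pos += tln
    tor = bytes(buf[pos:pos + oln]); pos += oln
    por = bytes(buf[pos:pos + pln])
    return TarpPdu(lif, seq, pro, tcd, ttg, tor, por)


class LoopDetectionBuffer:
    """LDB keyed by originator NET (tar-por), applying the rules of 14.6.5.2."""

    def __init__(self, capacity: int = 500):
        self.capacity = capacity   # the ONS 15454 LDB holds approximately 500 entries
        self.entries = {}          # tar-por -> highest tar-seq processed

    def flush(self):
        self.entries.clear()       # on the node this is driven by the LDB Flush timer

    def accept(self, p: TarpPdu) -> bool:
        """True if the PDU is to be processed, False if it is a duplicate to discard."""
        if p.tcode not in (1, 2, 4):
            return True            # only Type 1, 2 and 4 PDUs pass through the LDB
        stored = self.entries.get(p.orig_addr)
        if stored is None:
            if len(self.entries) >= self.capacity:
                self.flush()
            self.entries[p.orig_addr] = p.seq
            return True
        if p.seq != 0 and p.seq <= stored:
            return False           # same or older sequence number from this originator
        if p.seq > stored:
            self.entries[p.orig_addr] = p.seq
        return True                # assumption: a repeated tar-seq of 0 is processed, entry unchanged


# Constructed NET for an NE with TID "NE-A" (default ISO-DCC prefix, sample System ID).
NET_A = bytes.fromhex("39840F80" + "00" * 9 + "001122334455" + "00")


def sample_flood() -> list:
    """Constructed exchange: NE-A's Type 1 request arrives twice, then a newer Type 2 request."""
    ldb = LoopDetectionBuffer()
    first = encode_tarp(TarpPdu(10, 1, PROTO_CLNP, 1, b"NE-B", b"NE-A", NET_A))
    retry = encode_tarp(TarpPdu(10, 2, PROTO_CLNP, 2, b"NE-B", b"NE-A", NET_A))
    return [ldb.accept(decode_tarp(first)),   # True: first copy is processed
            ldb.accept(decode_tarp(first)),   # False: the same copy looped back
            ldb.accept(decode_tarp(retry))]   # True: newer sequence number
```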
Figure 14-25 FT–TD Protocol Flow
(ENE with the FTAM initiator; GNE running the FT–TD gateway with the FTAM responder and FTP client; OSS with the FTP file server. FTAM over OSI on the ENE side, FTP over IP on the OSS side.)

The ONS 15454 uses FT–TD for the following file transfer processes:
• Software downloads
• Database backups and restores
• Cisco IOS configuration backups and restores for ML and ML2 Series cards

14.6.7 OSI Virtual Routers

The ONS 15454 supports three OSI virtual routers. The routers are provisioned on the Provisioning > OSI > Routers tab, shown in Figure 14-26.

Figure 14-26 Provisioning OSI Routers

Each router has an editable manual area address and a unique NSAP System ID that is set to the node MAC address + n. For Router 1, n = 0. For Router 2, n = 1. For Router 3, n = 2. Each router can be enabled and connected to different OSI routing areas. However, Router 1 is the primary router, and it must be enabled before Router 2 and Router 3 can be enabled. The Router 1 manual area address and System ID create the NSAP address assigned to the node’s TID. In addition, Router 1 supports OSI TARP, mediation, and tunneling functions that are not supported by Router 2 and Router 3. These include:
• TID-to-NSAP resolution
• TARP data cache
• IP-over-CLNS tunnels
• FTAM
• FT-TD
• T-TD
• LAN subnet

OSI virtual router constraints depend on the routing mode provisioned for the node. Table 14-13 shows the number of IS L1s, IS L1/L2s, and DCCs that are supported by each router. An IS Level 1 and IS Level 1/Level 2 support one ES per DCC subnet and up to 100 ESs per LAN subnet.

Each OSI virtual router has a primary manual area address. You can also create two additional manual area addresses. These manual area addresses can be used to:
• Split up an area—Nodes within a given area can accumulate to a point that they are difficult to manage, cause excessive traffic, or threaten to exceed the usable address space for an area. Additional manual area addresses can be assigned so that you can smoothly partition a network into separate areas without disrupting service.
• Merge areas—Use transitional area addresses to merge as many as three separate areas into a single area that shares a common area address.
• Change to a different address—You might need to change an area address for a particular group of nodes. Use multiple manual area addresses to allow incoming traffic intended for an old area address to continue being routed to associated nodes.

14.6.8 IP-over-CLNS Tunnels

IP-over-CLNS tunnels are used to encapsulate IP for transport across OSI NEs. The ONS 15454 supports two tunnel types:
• GRE—Generic Routing Encapsulation is a tunneling protocol that encapsulates one network layer for transport across another. GRE tunnels add both a CLNS header and a GRE header to the tunnel frames. GRE tunnels are supported by Cisco routers and some other vendor NEs.
• Cisco IP—The Cisco IP tunnel directly encapsulates the IP packet with no intermediate header. Cisco IP is supported by most Cisco routers.

Figure 14-24 shows the protocol flow when an IP-over-CLNS tunnel is created through four NEs (A, B, C, and D). The tunnel ends are configured on NEs A and D, which support both IP and OSI. NEs B and C only support OSI, so they only route the OSI packets.
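What the two tunnel encapsulations look like on the wire, as an added example (not ONS 15454 or Cisco IOS code) that also covers the CLNP header checksum and lifetime described in 14.6.3. It assumes the ISO 8473 Data PDU layout with a single segment, the GRE header of RFC 2784 with no options, constructed NETs for the tunnel ends A and D of the four-NE figure, and that the receiving end tells the tunnel types apart by the destination NSAP selector (2F for GRE, CC for Cisco IP, as in Table 14-8). The decapsulator verifies length, checksum and lifetime before using any header field; the checksum guards only against corruption, not against a deliberately altered PDU.

```python
import struct

NLPID_CLNP = 0x81          # ISO 8473 network layer protocol identifier
CLNP_VERSION = 1
PDU_TYPE_DT = 0x1C         # Data (DT) PDU type code
FLAG_SP = 0x80             # segmentation permitted: the segmentation part is present
SEL_GRE = 0x2F             # NSAP selector of the GRE IP-over-CLNS tunnel (Table 14-8)
SEL_CISCO_IP = 0xCC        # NSAP selector of the Cisco IP-over-CLNS tunnel
GRE_PROTO_IPV4 = 0x0800    # GRE protocol type for an IPv4 payload
CHECKSUM_POS = 8           # 1-based position of the first checksum octet in the CLNP header


def osi_checksum_pair(header: bytes, n: int = CHECKSUM_POS) -> tuple:
    """ISO 8473 (Fletcher) checksum octets for a header whose checksum field is zero."""
    c0 = c1 = 0
    for b in header:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    length = len(header)
    x = ((length - n) * c0 - c1) % 255
    y = (c1 - (length - n + 1) * c0) % 255
    return (x or 255), (y or 255)   # a zero octet would mean "no checksum present"


def osi_checksum_ok(header: bytes) -> bool:
    """A header is intact when both running sums are zero modulo 255."""
    c0 = c1 = 0
    for b in header:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0 == 0 and c1 == 0


def clnp_encapsulate(payload: bytes, dst: bytes, src: bytes, lifetime: int = 32, du_id: int = 1) -> bytes:
    """Single-segment CLNP DT PDU: fixed part, address part, segmentation part, then data."""
    hdr = bytearray([NLPID_CLNP, 0, CLNP_VERSION, lifetime, FLAG_SP | PDU_TYPE_DT, 0, 0, 0, 0])
    hdr += bytes([len(dst)]) + dst + bytes([len(src)]) + src
    hdr += struct.pack(">HHH", du_id, 0, 0)   # data unit identifier, segment offset, total length
    hdr[1] = len(hdr)                         # length indicator = header length
    total = len(hdr) + len(payload)
    hdr[5:7] = struct.pack(">H", total)       # segment length
    hdr[-2:] = struct.pack(">H", total)       # total length (one segment, so the same)
    hdr[7], hdr[8] = osi_checksum_pair(bytes(hdr))
    return bytes(hdr) + payload


def tunnel_encapsulate(ip_packet: bytes, tunnel_type: str, dst_net: bytes, src_net: bytes) -> bytes:
    """GRE: CLNP header + GRE header + IP. Cisco IP: CLNP header + IP. The selector marks the type."""
    if tunnel_type == "gre":
        sel, inner = SEL_GRE, struct.pack(">HH", 0, GRE_PROTO_IPV4) + ip_packet
    elif tunnel_type == "cisco":
        sel, inner = SEL_CISCO_IP, ip_packet
    else:
        raise ValueError("tunnel type must be 'gre' or 'cisco'")
    return clnp_encapsulate(inner, dst_net[:-1] + bytes([sel]), src_net[:-1] + bytes([sel]))


def tunnel_decapsulate(pdu: bytes) -> tuple:
    """Validate the CLNP header before trusting it, then strip the tunnel headers."""
    if len(pdu) < 10 or pdu[0] != NLPID_CLNP:
        raise ValueError("not a CLNP PDU")
    hlen = pdu[1]
    if hlen > len(pdu) or not osi_checksum_ok(pdu[:hlen]):
        raise ValueError("CLNP header length or checksum invalid")
    if pdu[3] == 0:
        raise ValueError("lifetime expired")
    if struct.unpack(">H", pdu[5:7])[0] != len(pdu):
        raise ValueError("segment length does not match the PDU")
    dlen = pdu[9]
    if dlen == 0 or 10 + dlen > hlen:
        raise ValueError("destination address length invalid")
    dst = pdu[10:10 + dlen]
    payload = pdu[hlen:]
    if dst[-1] == SEL_GRE:
        if len(payload) < 4:
            raise ValueError("truncated GRE header")
        flags, proto = struct.unpack(">HH", payload[:4])
        if flags != 0 or proto != GRE_PROTO_IPV4:
            raise ValueError("unsupported GRE options or protocol")
        return "gre", payload[4:]
    if dst[-1] == SEL_CISCO_IP:
        return "cisco", payload
    raise ValueError("destination selector is not a tunnel selector")


# Constructed NETs for the tunnel ends (NE A and NE D), default ISO-DCC prefix, sample System IDs.
NET_A = bytes.fromhex("39840F80" + "00" * 9 + "AAAAAAAAAAAA" + "00")
NET_D = bytes.fromhex("39840F80" + "00" * 9 + "DDDDDDDDDDDD" + "00")
```

The CLNP header carries no protocol field of its own, which is why the selector in the destination NSAP does the work that an IP protocol number or GRE protocol type does elsewhere; a receiver that accepts tunnel PDUs on any selector would have no way to know which header follows.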
Table 14-13 OSI Virtual Router Constraints
• End System: Router 1 yes; Router 2 no; Router 3 no; IS L1 per area, IS L1/L2 per area, and DCC per IS not applicable.
• IS L1: Router 1 yes; Router 2 yes; Router 3 yes; 250 IS L1 per area; IS L1/L2 per area not applicable; 40 DCC per IS.
• IS L1/L2: Router 1 yes; Router 2 yes; Router 3 yes; 250 IS L1 per area; 50 IS L1/L2 per area; 40 DCC per IS.

Figure 14-27 IP-over-CLNS Tunnel Flow
(The EMS and NE-A (GNE) run SNMP, RMON, HTTP, FTP, and Telnet over TCP/UDP, IPv4, LLC1, and LAN; the GRE tunnel between NE-A and NE-D carries IPv4 over CLNP, LAPD, and DCC; NE-B and NE-C run only CLNP, LAPD, and DCC.)

14.6.8.1 Provisioning IP-over-CLNS Tunnels

IP-over-CLNS tunnels must be carefully planned to prevent nodes from losing visibility or connectivity. Before you begin a tunnel, verify that the tunnel type, either Cisco IP or GRE, is supported by the equipment at the other end. Always verify IP and NSAP addresses. Provisioning of IP-over-CLNS tunnels in CTC is performed on the node view Provisioning > OSI > IP over CLNS Tunnels tab. For procedures, refer to the “Turn Up a Node” chapter in the Cisco ONS 15454 Procedure Guide.

Provisioning IP-over-CLNS tunnels on Cisco routers requires the following prerequisite tasks, as well as other OSI provisioning:
• (Required) Enable IS-IS
• (Optional) Enable routing for an area on an interface
• (Optional) Assign multiple area addresses
• (Optional) Configure IS-IS interface parameters
• (Optional) Configure miscellaneous IS-IS parameters

The Cisco IOS commands used to create IP-over-CLNS tunnels (CTunnels) are shown in Table 14-14.

If you are provisioning an IP-over-CLNS tunnel on a Cisco router, always follow procedures provided in the Cisco IOS documentation for the router you are provisioning. For information about ISO CLNS provisioning including IP-over-CLNS tunnels, see the “Configuring ISO CLNS” chapter in the Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide.

14.6.8.2 IP-over-CLNS Tunnel Scenario 1: ONS Node to Other Vendor GNE

Figure 14-28 shows an IP-over-CLNS tunnel created from an ONS node to another vendor GNE. The other vendor NE has an IP connection to an IP DCN to which a CTC computer is attached. An OSI-only (LAP-D) SDCC and a GRE tunnel are created between ONS NE 1 and the other vendor GNE.

ONS NE 1 IP-over-CLNS tunnel provisioning information:
• Destination: 10.10.10.100 (CTC 1)
• Mask: 255.255.255.255 for host route (CTC 1 only), or 255.255.255.0 for subnet route (all CTC computers residing on the 10.10.10.0 subnet)
• NSAP: 39.840F.80.1111.0000.1111.1111.cccccccccccc.00 (other vendor GNE)
• Metric: 110
• Tunnel Type: GRE

Other vendor GNE IP-over-CLNS tunnel provisioning information:
• Destination: 10.20.30.30 (ONS NE 1)
• Mask: 255.255.255.255 for host route (ONS NE 1 only), or 255.255.255.0 for subnet route (all ONS nodes residing on the 10.30.30.0 subnet)
• NSAP: 39.840F.80.1111.0000.1111.1111.dddddddddddd.00 (ONS NE 1)
• Metric: 110
• Tunnel Type: GRE

Table 14-14 IP-over-CLNS Tunnel IOS Commands
• Step 1: Router(config)# interface ctunnel interface-number
  Creates a virtual interface to transport IP over a CLNS tunnel and enters interface configuration mode. The interface number must be unique for each CTunnel interface.
• Step 2: Router(config-if)# ctunnel destination remote-nsap-address
  Configures the destination parameter for the CTunnel. Specifies the destination NSAP address of the CTunnel, where the IP packets are extracted.
• Step 3: Router(config-if)# ip address ip-address mask
  Sets the primary or secondary IP address for an interface.

Figure 14-28 IP-over-CLNS Tunnel Scenario 1: ONS NE to Other Vendor GNE
(CTC 1 at 10.10.10.100/24 on the IP DCN. Router 2: Interface 0/0 10.10.10.10/24, Interface 0/1 10.10.20.10/24, NSAP 39.840F.80.111111.0000.1111.1111.aaaaaaaaaaaa.00. Router 1: Interface 0/0 10.10.20.20/24, Interface 0/1 10.10.30.10/24, NSAP 39.840F.80.111111.0000.1111.1111.bbbbbbbbbbbb.00. IP/OSI vendor GNE at 10.10.30.20/24, NSAP 39.840F.80.111111.0000.1111.1111.cccccccccccc.00. ONS NE 1 at 10.10.30.30/24, NSAP 39.840F.80.111111.0000.1111.1111.dddddddddddd.00. OSI-only DCC (LAPD) to the other vendor NE; GRE tunnel between ONS NE 1 and the vendor GNE.)

14.6.8.3 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router

Figure 14-29 shows an IP-over-CLNS tunnel from an ONS node to a router. The other vendor NE has an OSI connection to a router on an IP DCN, to which a CTC computer is attached. An OSI-only (LAP-D) SDCC is created between ONS NE 1 and the other vendor GNE. The OSI over IP tunnel can be either the Cisco IP tunnel or a GRE tunnel, depending on the tunnel types supported by the router.

ONS NE 1 IP-over-CLNS tunnel provisioning:
• Destination: 10.10.30.10 (Router 1, Interface 0/1)
• Mask: 255.255.255.255 for host route (Router 1 only), or 255.255.255.0 for subnet route (all routers on the same subnet)
• NSAP: 39.840F.80.1111.0000.1111.1111.bbbbbbbbbbbb.00 (Router 1)
• Metric: 110
• Tunnel Type: Cisco IP

Router 1 CTunnel (IP-over-CLNS) provisioning:

ip routing
clns routing
interface ctunnel 102
ip address 10.10.30.30 255.255.255.0
ctunnel destination 39.840F.80.1111.0000.1111.1111.dddddddddddd.00
interface Ethernet0/1
clns router isis
router isis
net 39.840F.80.1111.0000.1111.1111.bbbbbbbbbbbb.00

Figure 14-29 IP-over-CLNS Tunnel Scenario 2: ONS Node to Router
(CTC 1 at 10.10.10.100/24 on the IP DCN. Router 2: Interface 0/0 10.10.10.10/24, Interface 0/1 10.10.20.10/24, NSAP 39.840F.80.111111.0000.1111.1111.aaaaaaaaaaaa.00. Router 1: Interface 0/0 10.10.20.20/24, Interface 0/1 10.10.30.10/24, NSAP 39.840F.80.111111.0000.1111.1111.bbbbbbbbbbbb.00. Other vendor GNE and other vendor NE reached over OSI; OSI-only DCC (LAPD). ONS NE 1 at 10.10.30.30/24, NSAP 39.840F.80.111111.0000.1111.1111.dddddddddddd.00; GRE or Cisco IP tunnel between ONS NE 1 and Router 1.)

14.6.8.4 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN

Figure 14-30 shows an IP-over-CLNS tunnel from an ONS node to a router across an OSI DCN. The other vendor NE has an OSI connection to an IP DCN to which a CTC computer is attached. An OSI-only (LAP-D) SDCC is created between ONS NE 1 and the other vendor GNE. The OSI over IP tunnel can be either the Cisco IP tunnel or a GRE tunnel, depending on the tunnel types supported by the router.

ONS NE 1 IP-over-CLNS tunnel provisioning:
• Destination: Router 2 IP address
• Mask: 255.255.255.255 for host route (CTC 1 only), or 255.255.255.0 for subnet route (all CTC computers on the same subnet)
• NSAP: Other vendor GNE NSAP address
• Metric: 110
• Tunnel Type: Cisco IP

Router 2 IP-over-CLNS tunnel provisioning (sample Cisco IOS provisioning):

ip routing
clns routing
interface ctunnel 102
ip address 10.10.30.30 255.255.255.0
ctunnel destination 39.840F.80.1111.0000.1111.1111.dddddddddddd.00
interface Ethernet0/1
clns router isis
router isis
net 39.840F.80.1111.0000.1111.1111.aaaaaaaaaaaa.00

Figure 14-30 IP-over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN
(CTC 1 at 10.10.10.100/24; OSI DCN between the routers and the other vendor GNE. Router 2: Interface 0/0 10.10.10.10/24, Interface 0/1 10.10.20.10/24, NSAP 39.840F.80.111111.0000.1111.1111.aaaaaaaaaaaa.00. Router 1: Interface 0/0 10.10.20.20/24, Interface 0/1 10.10.30.10/24, NSAP 39.840F.80.111111.0000.1111.1111.bbbbbbbbbbbb.00. Other vendor GNE and other vendor NE over OSI; OSI-only DCC (LAPD). ONS NE 1 at 10.10.30.30/24, NSAP 39.840F.80.111111.0000.1111.1111.dddddddddddd.00; GRE or Cisco IP tunnel.)

14.6.9 OSI/IP Networking Scenarios

The following eight scenarios show examples of ONS 15454s in networks with OSI-based NEs. The scenarios show ONS 15454 nodes in a variety of roles. The scenarios assume the following:
• ONS 15454 NEs are configured as dual OSI and IP nodes with both IP and NSAP addresses. They run both OSPF and OSI (IS-IS or ES-IS) routing protocols as “Ships-In-The-Night,” with no route redistribution.
• ONS 15454 NEs run TARP, which allows them to resolve a TL1 TID to an NSAP address. A TID might resolve to both an IP and an NSAP address when the destination TID is an ONS 15454 NE that has both IP and NSAP addresses.
• DCC links between ONS 15454 NEs and OSI-only NEs run the full OSI stack over LAP-D, which includes IS-IS, ES-IS, and TARP.
• DCC links between ONS 15454 NEs run the full OSI stack and IP (OSPF) over PPP.
• All ONS 15454 NEs participating in an OSI network run OSI over PPP between themselves. This is needed so that other vendor GNEs can route TL1 commands to all ONS 15454 NEs participating in the OSI network.

14.6.9.1 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE

Figure 14-31 shows OSI/IP Scenario 1, the current ONS 15454 IP-based implementation, with an IP DCN, IP-over-PPP DCC, and OSPF routing.

Figure 14-31 OSI/IP Scenario 1: IP OSS, IP DCN, ONS GNE, IP DCC, and ONS ENE
Callouts:
1 IP OSS manages ONS 15454 using TL1 and FTP.
2 DCCs carry IP over the PPP protocol.
3 The ONS 15454 network is managed by IP over OSPF.

14.6.9.2 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE

OSI/IP Scenario 2 (Figure 14-32) shows an ONS 15454 GNE in a multivendor OSI network. Both the ONS 15454 GNE and the other vendor NEs are managed by an IP OSS using TL1 and FTP. The ONS 15454 is also managed by CTC and Cisco Transport Manager (CTM). Because the other vendor NE only supports TL1 and FTAM over the full OSI stack, the ONS 15454 GNE provides T–TD and FT–TD mediation to convert TL1/IP to TL1/OSI and FTAM/OSI to FTP/IP.
Figure 14-32 OSI/IP Scenario 2: IP OSS, IP DCN, ONS GNE, OSI DCC, and Other Vendor ENE
Callouts in Figure 14-32:
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 The ONS 15454 GNE performs mediation for other vendor NEs.
3 DCCs between the ONS 15454 GNE and ONS 15454 NEs are provisioned for IP and OSI over PPP.
4 DCCs between the ONS 15454 GNE and other vendor NEs are provisioned for OSI over LAP-D.
5 The ONS 15454 and the other vendor NE network include IP over OSPF and OSI over the IS-IS protocol.
The ONS 15454 GNE routes TL1 traffic to the correct NE by resolving the TL1 TID to either an IP or an NSAP address. For TL1 traffic to other vendor NEs (OSI-only nodes), the TID is resolved to an NSAP address. The ONS 15454 GNE passes the TL1 to the mediation function, which encapsulates it over the full OSI stack and routes it to the destination using the IS-IS protocol. For TL1 traffic to ONS 15454 NEs, the TID is resolved to both an IP and an NSAP address. The ONS 15454 GNE follows the current TL1 processing model and forwards the request to the destination NE using the TCP/IP stack and OSPF routing.
OSS-initiated software downloads consist of two parts: the OSS to destination NE TL1 download request and the file transfer. The TL1 request is handled the same as described in the previous paragraph. The ONS 15454 NEs use FTP for file transfers.
OSI-only NEs use FTAM to perform file transfers. The FTAM protocol is carried over OSI between the OSI NE and the ONS 15454 GNE. The GNE mediation translates between FTAM and FTP.
14.6.9.3 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE
In OSI/IP Scenario 3 (Figure 14-33), all TL1 traffic between the OSS and GNE is exchanged over the IP DCN. TL1 traffic targeted for the GNE is processed locally. All other TL1 traffic is forwarded to the OSI stack, which performs IP-to-OSI TL1 translation. The TL1 is encapsulated in the full OSI stack and sent to the target NE over the DCC. The GNE can route to any node within the IS-IS domain because all NEs, ONS 15454 and non-ONS 15454, have NSAP addresses and support IS-IS routing. TL1 traffic received by an ONS 15454 NE and not addressed to its NSAP address is forwarded by IS-IS routing to the correct destination. TL1 traffic received by an ONS 15454 NE and addressed to its NSAP is sent up the OSI stack to the mediation function, which extracts the TL1 and passes it to the ONS 15454 TL1 processor.
An OSS-initiated software download includes the OSS-to-destination node TL1 download request and the file transfer. The TL1 request is handled as described in the previous paragraph. The target node uses FTAM for file transfers because the GNE does not support IP on the DCC and cannot forward FTP. The ONS 15454 NEs therefore must support an FTAM client and initiate file transfer using FTAM when subtended to an OSI GNE.
In this scenario, the GNE has both IP and OSI DCN connections. The GNE only supports TL1 and FTP over IP. Both are translated and then carried over OSI to the destination ENE (ONS 15454 or OSI-only NE). All other IP traffic is discarded by the GNE. The CTC/CTM IP traffic is carried over an IP-over-OSI tunnel to an ONS 15454 NE. The tunnel is created between an external router and an ONS 15454 NE. The traffic is sent to the ONS 15454 terminating the tunnel.
That ONS 15454 then forwards the traffic over the tunnel to CTC/CTM by way of the external router.
Figure 14-33 OSI/IP Scenario 3: IP OSS, IP DCN, Other Vendor GNE, OSI DCC, and ONS ENE
Callouts in Figure 14-33:
1 The IP OSS manages the ONS 15454 and other vendor NEs using TL1 and FTP.
2 The other vendor GNE performs mediation for TL1 and FTP, so the DCCs to the ONS 15454 and other vendor NEs are OSI-only.
3 CTC/CTM communicates with ONS 15454 NEs over an IP-over-CLNS tunnel. The tunnel is created from the ONS 15454 node to the external router.
4 The ONS 15454 NE exchanges TL1 over the full OSI stack using FTAM for file transfer.
Figure 14-34 shows the same scenario, except the IP-over-CLNS tunnel endpoint is the GNE rather than the DCN router.
Figure 14-34 OSI/IP Scenario 3 with OSI/IP-over-CLNS Tunnel Endpoint at the GNE
14.6.9.4 OSI/IP Scenario 4: Multiple ONS DCC Areas
OSI/IP Scenario 4 (Figure 14-35) is similar to OSI/IP Scenario 3 except that the OSI GNE is subtended by multiple isolated ONS 15454 areas. A separate IP-over-CLNS tunnel is required to each isolated ONS 15454 OSPF area. An alternate approach is to create a single IP-over-CLNS tunnel from CTC/CTM to an ONS 15454 NE, and then to configure a tunnel from that NE to an NE in each isolated OSPF area. This approach requires additional static routes.
Callouts in Figure 14-34:
1 The IP OSS manages ONS and other vendor NEs using TL1 and FTP.
2 The router routes requests to the other vendor GNE.
3 The other vendor GNE performs mediation for TL1 and FTP, so the DCCs to ONS 15454 and other vendor NEs are OSI-only.
4 CTC/CTM communicates with ONS 15454 NEs over an IP-over-CLNS tunnel between the ONS 15454 and the GNE.
5 ONS 15454 NEs exchange TL1 over the full OSI stack. FTAM is used for file transfer.
Figure 14-35 OSI/IP Scenario 4: Multiple ONS DCC Areas
Callouts in Figure 14-35:
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 A separate tunnel is created for each isolated ONS 15454 DCC area.
14.6.9.5 OSI/IP Scenario 5: GNE Without an OSI DCC Connection
OSI/IP Scenario 5 (Figure 14-36) is similar to OSI/IP Scenario 3 except that the OSI GNE only has an IP connection to the DCN. It does not have an OSI DCN connection to carry CTC/CTM IP traffic through an IP-over-OSI tunnel. A separate DCN to ONS 15454 NE connection is created to provide CTC/CTM access.
Figure 14-36 OSI/IP Scenario 5: GNE Without an OSI DCC Connection
14.6.9.6 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE
OSI/IP Scenario 6 (Figure 14-37) shows how the ONS 15454 supports OSI DCNs. The OSI DCN has no impact on the ONS 15454 because all IP traffic (CTC/CTM, FTP, and TL1) is tunneled through the OSI DCN.
Callouts in Figure 14-36:
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 The other vendor GNE performs mediation on TL1 and FTP, so DCCs are OSI-only.
3 CTC/CTM communicates with ONS 15454 NEs over a separate IP DCN connection.
4 The ONS 15454 NE exchanges TL1 over the full OSI stack. FTAM is used for file transfers.
Figure 14-37 OSI/IP Scenario 6: IP OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor ENE
Callouts in Figure 14-37:
1 The IP OSS manages ONS 15454 and other vendor NEs using TL1 and FTP.
2 OSS IP traffic is tunneled through the DCN to the ONS 15454 GNE.
3 CTC/CTM IP traffic is tunneled through the DCN to the ONS 15454 GNE.
4 The GNE performs mediation for other vendor NEs.
14.6.9.7 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs
OSI/IP Scenario 7 (Figure 14-38) shows an example of a European network.
Figure 14-38 OSI/IP Scenario 7: OSI OSS, OSI DCN, Other Vendor GNE, OSI DCC, and ONS NEs
Callouts in Figure 14-38:
1 ONS 15454 NEs are managed by CTC/CTM only (TL1/FTP is not used).
2 The OSI OSS manages other vendor NEs only.
3 CTC/CTM communicates with the ONS 15454 over an IP-over-CLNS tunnel between the ONS 15454 NE and the external router.
In European networks:
• CTC and CTM are used for management only.
• IP-over-CLNS tunnels are widely accepted and deployed.
• TL1 management is not required.
• FTP file transfer is not required.
• TL1 and FTAM to FTP mediation is not required.
Management traffic between CTC/CTM and ONS 15454 NEs is carried over an IP-over-CLNS tunnel. A static route is configured on the ONS 15454 that terminates the tunnel (ONS 15454 NE 1) so that downstream ONS 15454 NEs (ONS 15454 NE 2 and 3) know how to reach CTC/CTM.
14.6.9.8 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs
OSI/IP Scenario 8 (Figure 14-39) is another example of a European network. Similar to OSI/IP Scenario 7, the ONS 15454 NEs are solely managed by CTC/CTM. The CTC/CTM IP traffic is carried over an IP-over-OSI tunnel between an external router and the ONS 15454 GNE. The GNE extracts the IP from the tunnel and forwards it to the destination ONS 15454. Management traffic between the OSS and other vendor NEs is routed by the ONS 15454 GNE and NEs. This is possible because all ONS 15454 NEs run dual stacks (OSI and IP).
Figure 14-39 OSI/IP Scenario 8: OSI OSS, OSI DCN, ONS GNE, OSI DCC, and Other Vendor NEs
Callouts in Figure 14-39:
1 The ONS NEs are managed by CTC/CTM only (TL1/FTP is not used).
2 The OSI OSS manages other vendor NEs only.
3 CTC/CTM communicates with the ONS 15454 over an IP-over-CLNS tunnel between the ONS 15454 NE and the external router. A static route is needed on the GNE.
4 The ONS 15454 GNE routes OSI traffic to other vendor NEs. No IP-over-CLNS tunnel is needed.
14.6.10 Provisioning OSI in CTC
Table 14-15 shows the OSI actions that are performed from the node view Provisioning tab. Refer to the Cisco ONS 15454 Procedure Guide for OSI procedures and tasks. Table 14-16 shows the OSI actions that are performed from the node view Maintenance tab.
Table 14-15 OSI Actions from the CTC Provisioning Tab
Tab                        Actions
OSI > Main Setup           • View and edit Primary Area Address.
                           • Change OSI routing mode.
                           • Change LSP buffers.
OSI > TARP > Config        Configure the TARP parameters:
                           • PDU L1/L2 propagation and origination.
                           • TARP data cache and loop detection buffer.
                           • LAN storm suppression.
                           • Type 4 PDU on startup.
                           • TARP timers: LDB, T1, T2, T3, T4.
OSI > TARP > Static TDC    Add and delete static TARP data cache entries.
OSI > TARP > MAT           Add and delete static manual area table entries.
OSI > Routers > Setup      • Enable and disable routers.
                           • Add, delete, and edit manual area addresses.
OSI > Routers > Subnets    Edit SDCC, LDCC, and LAN subnets that are provisioned for OSI.
OSI > Tunnels              Add, delete, and edit Cisco and IP-over-CLNS tunnels.
Comm Channels > SDCC       • Add OSI configuration to an SDCC.
                           • Choose the data link layer protocol, PPP or LAP-D.
Comm Channels > LDCC       • Add OSI configuration to an SDCC.
Table 14-16 OSI Actions from the CTC Maintenance Tab
Tab                        Actions
OSI > ISIS RIB             View the IS-IS routing table.
OSI > ESIS RIB             View ESs that are attached to ISs.
OSI > TDC                  • View the TARP data cache and identify static and dynamic entries.
                           • Perform TID to NSAP resolutions.
                           • Flush the TDC.
14.7 IPv6 Network Compatibility
IPv6 simplifies IP configuration and administration and has a larger address space than IPv4 to support the future growth of the Internet and Internet-related technologies. It uses 128-bit addresses, compared with the 32-bit addresses used in IPv4. IPv6 also gives more flexibility in designing newer addressing architectures.
Cisco ONS 15454 can function in an IPv6 network when an Internet router that supports Network Address Translation-Protocol Translation (NAT-PT) is positioned between the GNE, such as an ONS 15454, and the client workstation. NAT-PT is a migration tool that helps users transition from IPv4 networks to IPv6 networks. NAT-PT is defined in RFC 2766. IPv4 and IPv6 nodes communicate with each other using NAT-PT by allowing both IPv6 and IPv4 stacks to interface between the IPv6 DCN and the IPv4 DCC networks.
Note IPv6 is supported on Cisco ONS 15454 Software R8.0 and later with an external NAT-PT router.
14.8 IPv6 Native Support
Cisco ONS 15454 Software R9.0 and later supports native IPv6. ONS 15454 can be managed over IPv6 DCN networks by enabling the IPv6 feature. After you enable IPv6 in addition to IPv4, you can use CTC, TL1, and SNMP over an IPv6 DCN to manage ONS 15454. Each NE can be assigned an IPv6 address in addition to the IPv4 address. You can access the NE by entering the IPv4 address, an IPv6 address, or the DNS name of the device. The IPv6 address is assigned only on the LAN interface of the NE. DCC/GCC interfaces use the IPv4 address.
By default, when IPv6 is enabled, the node processes both IPv4 and IPv6 packets on the LAN interface. If you want to process only IPv6 packets, you need to disable IPv4 on the node. Before you disable IPv4, ensure that IPv6 is enabled and the node is not in multishelf mode.
Figure 14-40 shows how an IPv6 DCN interacts with an IPv4 DCC.
Figure 14-40 IPv6-IPv4 Interaction
Figure labels: IPv6 DCN; DCC IPv4 network; NMS IPv6 Address 3ffe:b00:ffff:1::2; GNE A IPv6 Address 3ffe:b00:ffff:1::5, IPv4 Address 10.10.20.40; ENE B IPv6 Address 3ffe:b00:ffff:1::3, IPv4 Address 10.10.10.10; ENE C IPv6 Address 3ffe:b00:ffff:1::4, IPv4 Address 10.10.10.20; ENE D IPv6 Address 3ffe:b00:ffff:1::6, IPv4 Address 10.10.20.30.
You can manage MSTP multishelf nodes over IPv6 DCN. RADIUS, FTP, SNTP, and other network applications support IPv6 DCN. To enable IPv6 addresses, you need to make the necessary configuration changes from the CTC or TL1 management interface. After you enable IPv6, you can start a CTC or TL1 session using the provisioned IPv6 address. The ports used for all IPv6 connections to the node are the same as the ports used for IPv4.
An NE can be either in IPv6 mode or in IPv4 mode. In IPv4 mode, the LAN interface does not have an IPv6 address assigned to it. An NE, whether it is IPv4 or IPv6, has an IPv4 address and subnet mask. TCC2/TCC2P cards do not reboot automatically when you provision an IPv6 address, but a change in IPv4 address initiates a TCC2/TCC2P card reset. Table 14-17 describes the differences between an IPv4 node and an IPv6 node.
14.8.1 IPv6 Enabled Mode
The default IP address configured on the node is IPv4. You can use either CTC or the TL1 management interface to enable IPv6. For more information about enabling IPv6 from the CTC interface, see the Cisco ONS 15454 Procedure Guide. For more information about enabling IPv6 using TL1 commands, see the Cisco ONS SONET TL1 Command Guide.
14.8.2 IPv6 Disabled Mode
You can disable IPv6 either from the CTC or from the TL1 management interface. For more information about disabling IPv6 from the CTC interface, see the Cisco ONS 15454 Procedure Guide.
For more information about disabling IPv6 using TL1 commands, see the Cisco ONS SONET TL1 Command Guide.
14.8.3 IPv6 in Non-secure Mode
In non-secure mode, IPv6 is supported on the front and the rear Ethernet interfaces. You can start a CTC or TL1 session using the IPv6 address provisioned on the front and rear ports of the NE.
Table 14-17 Differences Between an IPv6 Node and an IPv4 Node
IPv6 Node: Has both an IPv6 address and an IPv4 address assigned to its craft Ethernet interface.
IPv4 Node: Does not have an IPv6 address assigned to its craft Ethernet interface.
IPv6 Node: The default router has an IPv6 address for IPv6 connectivity, and an IPv4 address for IPv4 connectivity.
IPv4 Node: The default router has an IPv4 address.
IPv6 Node: Cannot enable OSPF on the LAN. Cannot change an IPv4 NE to an IPv6 NE if OSPF is enabled on the LAN.
IPv4 Node: Can enable OSPF on the LAN.
IPv6 Node: Cannot enable RIP on the LAN. Cannot change an IPv4 NE to an IPv6 NE if RIP is enabled on the LAN.
IPv4 Node: Can enable static routes/RIP on the LAN.
IPv6 Node: Not supported on static routes, proxy tunnels, and firewall tunnels.
IPv4 Node: Supported on static routes, proxy tunnels, and firewall tunnels.
IPv6 Node: Routing decisions are based on the default IPv6 router provisioned.
14.8.4 IPv6 in Secure Mode
In secure mode, IPv6 is only supported on the rear Ethernet interface. The front port only supports IPv4, even if IPv4 is disabled on the rear Ethernet interface. For more information about provisioning IPv6 addresses in secure mode, see the Cisco ONS 15454 Procedure Guide. For more information on secure mode behavior, see the “14.2.9 IP Scenario 9: IP Addressing with Secure Mode Enabled” section on page 14-20.
14.8.5 IPv6 Limitations
IPv6 has the following configuration restrictions:
• You can provision an NE as IPv6 enabled only if the node is a SOCKS-enabled or firewall-enabled GNE/ENE.
• IPSec is not supported.
• OSPF/RIP cannot be enabled on the LAN interface if the NE is provisioned as an IPv6 node.
• Static route/firewall/proxy tunnel provisioning is applicable only to IPv4 addresses, even if IPv6 is enabled.
• In secure mode, IPv6 is supported only on the rear Ethernet interface. IPv6 is not supported on the front port.
• ONS platforms use NAT-PT internally for providing IPv6 native support. NAT-PT uses the IPv4 address range 128.x.x.x for packet translation. Do not use the 128.x.x.x address range when you enable the IPv6 feature.
14.9 FTP Support for ENE Database Backup
The Cisco ONS 15454 provides FTP database backup and restore download to ENEs when proxy/firewall is enabled. This feature allows you to provision a list of legal FTP hosts in CTC that can be used with TL1 commands to perform database backup/restore or software download. With the FTP relay function enabled, access to the FTP hosts can be provisioned to elapse after a specified time interval. Once FTP hosts are provisioned and FTP Relay is enabled, TL1 users can use the COPY-RFILE command to perform database backup/restore or software download to and from this list of legal FTP hosts that are provisioned to ENEs. Also, TL1 supports TID to IP address translation for the GNE TID that is specified in the FTP URL of the COPY-RFILE and COPY-IOSCFG commands.
Using the FTP Host provisioning feature in CTC and TL1, you can configure up to 12 valid FTP hosts. ENEs are allowed access through the firewall according to the time configured in the FTP Relay Timer in CTC or TL1. The time interval is 1 to 60 minutes, and once the timer elapses, all FTP access to the FTP host is blocked again. A time of 0 disallows ENE access to FTP commands through the firewall.
When the firewall is not enabled (proxy only), all FTP operations to the ENE are allowed: software download, database backup/restore, and IOS config file backup/restore.
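The IPv6 restrictions in section 14.8 (Table 14-17 and 14.8.5) and the FTP relay rules in section 14.9 can be checked before a provisioning change is pushed to a node. The following Python is an added example and not CTC or ONS 15454 code; the NodeConfig model, the function names and the sample addresses are assumptions, while the limits themselves (12 hosts, 0 to 60 minutes, the 128.x.x.x NAT-PT range) are the ones this page states.

```python
"""Preflight checks for the IPv6 and FTP relay rules in sections 14.8 and 14.9.
Added example: the rules are the page's; the NodeConfig model, function names
and sample values are assumptions, not ONS 15454 or CTC code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_FTP_HOSTS = 12          # CTC/TL1 allow up to 12 legal FTP hosts
MAX_RELAY_MINUTES = 60      # FTP Relay Timer is 1 to 60 minutes; 0 disallows access
NAT_PT_FIRST_OCTET = 128    # NAT-PT uses 128.x.x.x internally when IPv6 is enabled
FTP_OPERATIONS = {"software download", "database backup", "database restore",
                  "ios config backup", "ios config restore"}


@dataclass
class NodeConfig:
    """Hypothetical model of the management-plane settings the page discusses."""
    role: str                       # "GNE" or "ENE"
    socks_or_firewall: bool         # SOCKS-enabled or firewall-enabled proxy
    firewall_enabled: bool          # False means proxy only
    secure_mode: bool
    multishelf: bool
    ospf_on_lan: bool
    rip_on_lan: bool
    ipv4_lan: str                   # every NE keeps an IPv4 LAN address
    ipv6_lan: Optional[str] = None  # IPv6 lives only on the LAN interface
    ipv6_port: str = "rear"         # "rear" or "front" Ethernet interface
    static_routes: List[str] = field(default_factory=list)   # CIDR strings
    ftp_hosts: List[str] = field(default_factory=list)       # legal FTP hosts
    relay_timer_minutes: int = 0
    relay_enabled_at: Optional[datetime] = None


def ipv6_enable_violations(cfg: NodeConfig) -> List[str]:
    """List the 14.8.5 / Table 14-17 rules an IPv4-to-IPv6 change would break."""
    problems: List[str] = []
    if cfg.role not in ("GNE", "ENE") or not cfg.socks_or_firewall:
        problems.append("IPv6 requires a SOCKS-enabled or firewall-enabled GNE/ENE")
    if cfg.ospf_on_lan:
        problems.append("cannot change to an IPv6 NE while OSPF is enabled on the LAN")
    if cfg.rip_on_lan:
        problems.append("cannot change to an IPv6 NE while RIP is enabled on the LAN")
    if cfg.secure_mode and cfg.ipv6_port != "rear":
        problems.append("secure mode supports IPv6 only on the rear Ethernet interface")
    if cfg.ipv6_lan is not None and ip_address(cfg.ipv6_lan).version != 6:
        problems.append(f"{cfg.ipv6_lan} is not an IPv6 address")
    # The NAT-PT translation range must not be used by provisioned IPv4 addresses.
    if ip_address(cfg.ipv4_lan).packed[0] == NAT_PT_FIRST_OCTET:
        problems.append(f"{cfg.ipv4_lan} is in the 128.x.x.x range reserved for NAT-PT")
    # Static route, firewall and proxy tunnel provisioning is IPv4-only.
    for route in cfg.static_routes:
        net = ip_network(route, strict=False)
        if net.version != 4:
            problems.append(f"static route {route} must be IPv4")
        elif net.network_address.packed[0] == NAT_PT_FIRST_OCTET:
            problems.append(f"static route {route} overlaps the NAT-PT 128.x.x.x range")
    return problems


def ipv4_disable_allowed(cfg: NodeConfig) -> bool:
    """IPv4 may be turned off only if IPv6 is enabled and the node is not multishelf."""
    return cfg.ipv6_lan is not None and not cfg.multishelf


def ftp_relay_allows(cfg: NodeConfig, host: str, operation: str, now: datetime) -> bool:
    """Decide whether an ENE FTP operation to host passes the firewall (section 14.9)."""
    if operation not in FTP_OPERATIONS:
        raise ValueError(f"unknown FTP operation: {operation}")
    if len(cfg.ftp_hosts) > MAX_FTP_HOSTS:
        raise ValueError(f"at most {MAX_FTP_HOSTS} FTP hosts can be provisioned")
    if not 0 <= cfg.relay_timer_minutes <= MAX_RELAY_MINUTES:
        raise ValueError("FTP Relay Timer must be 0 to 60 minutes")
    if not cfg.firewall_enabled:
        return True                 # proxy only: every FTP operation is allowed
    if cfg.relay_timer_minutes == 0 or cfg.relay_enabled_at is None:
        return False                # timer 0 (or relay never enabled) blocks ENE FTP
    if host not in cfg.ftp_hosts:
        return False                # only the provisioned legal hosts are reachable
    window_end = cfg.relay_enabled_at + timedelta(minutes=cfg.relay_timer_minutes)
    return cfg.relay_enabled_at <= now < window_end   # blocked again once it elapses


if __name__ == "__main__":
    # Constructed sample: a secure-mode ENE that would break several rules.
    sample = NodeConfig(role="ENE", socks_or_firewall=True, firewall_enabled=True,
                        secure_mode=True, multishelf=False, ospf_on_lan=True,
                        rip_on_lan=False, ipv4_lan="128.10.20.30",
                        ipv6_lan="3ffe:b00:ffff:1::3", ipv6_port="front",
                        static_routes=["2001:db8::/32"], ftp_hosts=["10.10.10.100"],
                        relay_timer_minutes=30,
                        relay_enabled_at=datetime(2012, 8, 29, 12, 0))
    for p in ipv6_enable_violations(sample):
        print("violation:", p)
    print("FTP allowed:", ftp_relay_allows(sample, "10.10.10.100", "database backup",
                                          datetime(2012, 8, 29, 12, 10)))
```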
All FTP operations to the ENEs will be blocked when firewall is enabled.
Chapter 15 Performance Monitoring
Performance monitoring (PM) parameters are used by service providers to gather, store, set thresholds for, and report performance data for early detection of problems. In this chapter, PM parameters and concepts are defined for electrical cards, Ethernet cards, optical cards, optical multirate cards, and storage access networking (SAN) cards in the Cisco ONS 15454. For information about enabling and viewing PM values, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:
• 15.1 Threshold Performance Monitoring, page 15-2
• 15.2 Intermediate Path Performance Monitoring, page 15-3
• 15.3 Pointer Justification Count Performance Monitoring, page 15-4
• 15.4 Performance Monitoring Parameter Definitions, page 15-5
• 15.5 Performance Monitoring for Electrical Cards, page 15-12
• 15.6 Performance Monitoring for Ethernet Cards, page 15-29
• 15.7 Performance Monitoring for Optical Cards, page 15-49
• 15.8 Performance Monitoring for Optical Multirate Cards, page 15-52
• 15.9 Performance Monitoring for Storage Access Networking Cards, page 15-53
Note For transponder (TXP), muxponder (MXP), and DWDM card PM parameters, refer to the Cisco ONS 15454 DWDM Reference Manual.
Note For additional information regarding PM parameters, refer to Telcordia documents GR-1230-CORE, GR-820-CORE, GR-499-CORE, and GR-253-CORE and the ANSI T1.231 document entitled Digital Hierarchy - Layer 1 In-Service Digital Transmission Performance Monitoring.
Note When circuits transition from the out-of-service state to the in-service state, the performance monitoring counts during the out-of-service circuit state are not part of the accumulation cycle.
15.1 Threshold Performance Monitoring
Thresholds are used to set error levels for each PM parameter. You can set individual PM threshold values from the Cisco Transport Controller (CTC) card view Provisioning tab. For procedures on provisioning card thresholds, such as line, path, and SONET thresholds, refer to the Cisco ONS 15454 Procedure Guide.
During the accumulation cycle, if the current value of a PM parameter reaches or exceeds its corresponding threshold value, a threshold crossing alert (TCA) is generated by the node and displayed by CTC. TCAs provide early detection of performance degradation. When a threshold is crossed, the node continues to count the errors during a given accumulation period. If zero is entered as the threshold value, generation of TCAs is disabled, but performance monitoring continues.
Change the threshold if the default value does not satisfy your error monitoring needs. For example, customers with a critical DS-1 installed for 911 calls must guarantee the best quality of service on the line; therefore, they lower all thresholds so that the slightest error raises a TCA.
When TCAs occur, they appear in CTC. An example is T-UASP-P in the Cond column (shown in Figure 15-1), where the “T-” indicates a threshold crossing. For certain electrical cards, “RX” or “TX” is appended to the TCA description, as indicated by the red circles in Figure 15-1. RX indicates that the TCA is associated with the receive direction, and TX indicates that the TCA is associated with the transmit direction.
Figure 15-1 TCAs Displayed in CTC
Table 15-1 shows the electrical cards for which RX and TX are appended to the TCA descriptions.
Due to memory limitations and the number of TCAs generated by different platforms, you can manually add or modify the following two properties in the platform property file (CTC.INI for Windows and .ctcrc for UNIX):
• ctc.15xxx.node.tr.lowater=yyy, where xxx is the platform and yyy is the lowater mark. The default lowater mark is 25.
• ctc.15xxx.node.tr.hiwater=yyy, where xxx is the platform and yyy is the hiwater mark. The default hiwater mark is 50.
If the number of incoming TCAs is greater than the hiwater mark, the node keeps only the latest lowater-mark number of TCAs and discards older ones.
15.2 Intermediate Path Performance Monitoring
Intermediate path performance monitoring (IPPM) allows transparent monitoring of a constituent channel of an incoming transmission signal by a node that does not terminate that channel. Many large networks only use line terminating equipment (LTE), not path terminating equipment (PTE). Table 15-2 shows ONS 15454 cards that are considered LTE.
Table 15-1 Electrical Cards that Report RX and TX Direction for TCAs
          Line                      Path
          Near End    Far End       Near End    Far End
Card      RX    TX    RX    TX      RX    TX    RX    TX
DS1-14    YES   —     YES   —       YES   YES   YES   —
DS1N-14   YES   —     YES   —       YES   YES   YES   —
Table 15-2 ONS 15454 Line Terminating Equipment
ONS 15454 Electrical LTE: EC1-12 card
ONS 15454 Optical LTE: OC3 IR 4/STM1 SH 1310, OC3 IR/STM1 SH 1310-8, OC12 IR/STM4 SH 1310, OC12 LR/STM4 LH 1310, OC12 LR/STM4 LH 1550, OC12 IR/STM4 SH 1310-4, OC48 IR/STM16 SH AS 1310, OC48 LR/STM16 LH AS 1550, OC48 ELR/STM16 EH 100 GHz, OC48 ELR 200 GHz, OC192 SR/STM64 IO 1310, OC192 IR/STM64 SH 1550, OC192 LR/STM64 LH 1550, OC192 LR/STM64 LH ITU 15xx.xx, TXP_MR_10G, MXP_2.5G_10G, MXP_MR_2.5G, MXPP_MR_2.5G, MRC-12, MRC-2.5G-4, OC 192 - XFP
ONS 15454 Software R3.0 and higher allows LTE cards to monitor near-end PM data on individual synchronous transport signal (STS) payloads by enabling IPPM. After enabling IPPM provisioning on the line card, service providers can monitor large amounts of STS traffic through intermediate nodes, thus making troubleshooting and maintenance activities more efficient. IPPM occurs only on STS paths that have IPPM enabled, and TCAs are raised only for PM parameters on the IPPM-enabled paths. The monitored IPPM parameters are STS CV-P, STS ES-P, STS SES-P, STS UAS-P, and STS FC-P.
Note Far-end IPPM is not supported by all OC-N cards. It is supported by OC3-4 and EC-1 cards. However, SONET path PMs can be monitored by logging into the far-end node directly.
The ONS 15454 performs IPPM by examining the overhead in the monitored path and by reading all of the near-end path PM values in the incoming direction of transmission. The IPPM process allows the path signal to pass bidirectionally through the node completely unaltered.
See Table 15-3 on page 15-5 for detailed information and definitions of specific IPPM parameters.
15.3 Pointer Justification Count Performance Monitoring
Pointers are used to compensate for frequency and phase variations. Pointer justification counts indicate timing errors on SONET networks. When a network is out of synchronization, jitter and wander occur on the transported signal. Excessive wander can cause terminating equipment to slip. Slips cause different effects in service. Voice service has intermittent audible clicks. Compressed voice technology has short transmission errors or dropped calls. Fax machines lose scanned lines or experience dropped calls. Digital video transmission has distorted pictures or frozen frames. Encryption service loses the encryption key, causing data to be transmitted again.
Pointers provide a way to align the phase variations in STS and VT payloads. The STS payload pointer is located in the H1 and H2 bytes of the line overhead. Clocking differences are measured by the offset in bytes from the pointer to the first byte of the STS synchronous payload envelope (SPE), called the J1 byte. Clocking differences that exceed the normal range of 0 to 782 can cause data loss.
There are positive (PPJC) and negative (NPJC) pointer justification count parameters. PPJC is a count of path-detected (PPJC-PDET-P) or path-generated (PPJC-PGEN-P) positive pointer justifications. NPJC is a count of path-detected (NPJC-PDET-P) or path-generated (NPJC-PGEN-P) negative pointer justifications, depending on the specific PM name. PJCDIFF is the absolute value of the difference between the total number of detected pointer justification counts and the total number of generated pointer justification counts. PJCS-PDET-P is a count of the one-second intervals containing one or more PPJC-PDET or NPJC-PDET. PJCS-PGEN-P is a count of the one-second intervals containing one or more PPJC-PGEN or NPJC-PGEN.
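The threshold and TCA behaviour of section 15.1 (reach-or-exceed, zero disables, the CTC hiwater/lowater property) and the pointer justification counts defined above can be worked through on constructed per-second observations. The following Python is an added example and not ONS 15454 or CTC software; the SecondSample format, the function names and the threshold values are assumptions, while the counting rules are the ones this chapter states.

```python
"""Near-end STS path PM accumulation and TCA handling for the parameters in
sections 15.1 and 15.3. Added example, not ONS 15454 or CTC software: the
SecondSample format, function names and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_B3_ERRORS_PER_FRAME = 8   # the B3 byte can flag at most eight BIP errors per frame


@dataclass
class SecondSample:
    """What the path monitor observed during one accumulation second (constructed)."""
    b3_errors_per_frame: List[int] = field(default_factory=list)  # a few frames, not 8000
    ppjc_det: int = 0         # positive pointer justifications detected
    npjc_det: int = 0         # negative pointer justifications detected
    ppjc_gen: int = 0         # positive pointer justifications generated
    npjc_gen: int = 0         # negative pointer justifications generated
    ais_p: bool = False       # AIS-P defect seen during the second
    lop_p: bool = False       # LOP-P defect seen during the second


def accumulate_path_pms(samples: List[SecondSample]) -> Dict[str, int]:
    """Accumulate CV-P, ES-P, AISS-P and the pointer justification counts."""
    pm = dict.fromkeys(("CV-P", "ES-P", "AISS-P", "PPJC-PDET-P", "NPJC-PDET-P",
                        "PPJC-PGEN-P", "NPJC-PGEN-P", "PJCS-PDET-P", "PJCS-PGEN-P"), 0)
    for s in samples:
        cv = sum(min(e, MAX_B3_ERRORS_PER_FRAME) for e in s.b3_errors_per_frame)
        pm["CV-P"] += cv
        # ES-P: at least one STS path BIP error, or an AIS-P or LOP-P defect
        if cv > 0 or s.ais_p or s.lop_p:
            pm["ES-P"] += 1
        if s.ais_p:
            pm["AISS-P"] += 1
        pm["PPJC-PDET-P"] += s.ppjc_det
        pm["NPJC-PDET-P"] += s.npjc_det
        pm["PPJC-PGEN-P"] += s.ppjc_gen
        pm["NPJC-PGEN-P"] += s.npjc_gen
        # PJCS: one-second intervals containing one or more justifications
        if s.ppjc_det or s.npjc_det:
            pm["PJCS-PDET-P"] += 1
        if s.ppjc_gen or s.npjc_gen:
            pm["PJCS-PGEN-P"] += 1
    # PJCDIFF: |total detected - total generated| pointer justifications
    detected = pm["PPJC-PDET-P"] + pm["NPJC-PDET-P"]
    generated = pm["PPJC-PGEN-P"] + pm["NPJC-PGEN-P"]
    pm["PJCDIFF"] = abs(detected - generated)
    return pm


def threshold_crossings(pm: Dict[str, int], thresholds: Dict[str, int]) -> List[str]:
    """Return T-<parameter> TCAs for counts that reach or exceed their threshold.

    A threshold of 0 disables the TCA for that parameter; counting continues."""
    return [f"T-{param}" for param, limit in thresholds.items()
            if limit > 0 and pm.get(param, 0) >= limit]


def trim_tca_queue(tcas: List[str], hiwater: int = 50, lowater: int = 25) -> List[str]:
    """Apply the CTC.INI / .ctcrc rule: above the hiwater mark, keep only the
    latest lowater-mark TCAs (defaults are the page's 50 and 25)."""
    return tcas[-lowater:] if len(tcas) > hiwater else list(tcas)


if __name__ == "__main__":
    # Constructed five-second sample with a burst of B3 errors in second two.
    seconds = [SecondSample([0, 0, 0]),
               SecondSample([3, 9, 0], ppjc_det=1),       # 9 is clamped to 8
               SecondSample([0], npjc_det=2, ppjc_gen=1),
               SecondSample([0], ais_p=True),
               SecondSample([1, 1])]
    counts = accumulate_path_pms(seconds)
    print(counts)
    print(threshold_crossings(counts, {"CV-P": 10, "ES-P": 5, "AISS-P": 0, "PJCDIFF": 2}))
```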
A consistent pointer justification count indicates clock synchronization problems between nodes. A difference between the counts means that the node transmitting the original pointer justification has timing variations with the node detecting and transmitting this count. Positive pointer adjustments occur when the frame rate of the SPE is too slow in relation to the rate of the STS-1.
You must enable PPJC and NPJC performance monitoring parameters for LTE cards. See Table 15-2 on page 15-3 for a list of Cisco ONS 15454 LTE cards. In CTC, the count fields for PPJC and NPJC PMs appear white and blank unless they are enabled on the card view Provisioning tab. See Table 15-3 on page 15-5 for detailed information and definitions of specific pointer justification count PM parameters.
15.4 Performance Monitoring Parameter Definitions
Table 15-3 gives definitions for each type of PM parameter found in this chapter.
Table 15-3 Performance Monitoring Parameters
Parameter    Definition
AISS-P       AIS Seconds Path (AISS-P) is a count of one-second intervals containing one or more alarm indication signal (AIS) defects.
BBE-PM       Path Monitoring Background Block Errors (BBE-PM) indicates the number of background block errors recorded in the optical transport network (OTN) path during the PM time interval.
BBE-SM       Section Monitoring Background Block Errors (BBE-SM) indicates the number of background block errors recorded in the OTN section during the PM time interval.
BBER-PM      Path Monitoring Background Block Errors Ratio (BBER-PM) indicates the background block errors ratio recorded in the OTN path during the PM time interval.
BBER-SM      Section Monitoring Background Block Errors Ratio (BBER-SM) indicates the background block errors ratio recorded in the OTN section during the PM time interval.
BIT-EC: Bit Errors Corrected (BIT-EC) indicates the number of bit errors corrected in the DWDM trunk line during the PM time interval.
CSS: Controlled Slip Seconds (CSS) indicates the count of the seconds when at least one or more controlled slips have occurred.
CSS-P: Controlled Slip Seconds Path (CSS-P) indicates the count of the seconds when at least one or more controlled slips have occurred.
CVCP-P: Code Violation CP-bit Path (CVCP-P) is a count of CP-bit parity errors occurring in the accumulation period.
CVCP-PFE: Code Violation CP-bit Path (CVCP-PFE) is a parameter that is counted when the three far-end block error (FEBE) bits in an M-frame are not all collectively set to 1.
CGV: Code Group Violations (CGV) is a count of received code groups that do not contain a start or end delimiter.
CV-L: Line Code Violation (CV-L) indicates the number of coding violations occurring on the line. This parameter is a count of bipolar violations (BPVs) and excessive zeros (EXZs) occurring over the accumulation period.
CV-P: Near-End STS Path Coding Violations (CV-P) is a count of BIP errors detected at the STS path layer (that is, using the B3 byte). Up to eight BIP errors can be detected per frame; each error increments the current CV-P second register.
CV-PFE: Far-End STS Path Coding Violations (CV-PFE) is a count of BIP errors detected at the STS path layer (that is, using the B3 byte). Up to eight BIP errors can be detected per frame; each error increments the current CV-PFE second register.
CVP-P: Code Violation Path (CVP-P) is a code violation parameter for M23 applications. CVP-P is a count of P-bit parity errors occurring in the accumulation period.
CV-S: Section Coding Violation (CV-S) is a count of bit interleaved parity (BIP) errors detected at the section layer (that is, using the B1 byte in the incoming SONET signal). Up to eight section BIP errors can be detected per STS-N frame; each error increments the current CV-S second register.
CV-V: Code Violation VT Layer (CV-V) is a count of the BIP errors detected at the VT path layer. Up to two BIP errors can be detected per VT superframe, with each error incrementing the current CV-V second register.
DCG: Data Code Groups (DCG) is a count of received data code groups that do not contain ordered sets.
ESA-P: Path Errored Seconds-A (ESA-P) is the count of 1-second intervals with exactly one CRC-6 error and no AIS or severely errored framing (SEF) defects.
ESB-P: Path Errored Seconds-B (Rx ESB-P) is a count of 1-second intervals with between 2 and 319 CRC-6 errors and no AIS or SEF.
ESCP-P: Errored Seconds CP-bit Path (ESCP-P) is a count of seconds containing one or more CP-bit parity errors, one or more SEF defects, or one or more AIS defects. ESCP-P is defined for the C-bit parity application.
ESCP-PFE: Far-End Errored Seconds CP-bit Path (ESCP-PFE) is a count of one-second intervals containing one or more M-frames with the three FEBE bits not all collectively set to 1 or one or more far-end SEF/AIS defects.
ES-L: Line Errored Seconds (ES-L) is a count of the seconds containing one or more anomalies (BPV + EXZ) and/or defects (that is, loss of signal) on the line.
ES-NP
ES-P: Near-End STS Path Errored Seconds (ES-P) is a count of the seconds when at least one STS path BIP error was detected. An AIS Path (AIS-P) defect (or a lower-layer, traffic-related, near-end defect) or a Loss of Pointer Path (LOP-P) defect can also cause an ES-P.
ES-PFE: Far-End STS Path Errored Seconds (ES-PFE) is a count of the seconds when at least one STS path BIP error was detected. An AIS-P defect (or a lower-layer, traffic-related, far-end defect) or an LOP-P defect can also cause an STS ES-PFE.
ES-PM: Path Monitoring Errored Seconds (ES-PM) indicates the errored seconds recorded in the OTN path during the PM time interval.
ESP-P: Errored Seconds Path (ESP-P) is a count of seconds containing one or more P-bit parity errors, one or more SEF defects, or one or more AIS defects.
ESR-PM: Path Monitoring Errored Seconds Ratio (ESR-PM) indicates the errored seconds ratio recorded in the OTN path during the PM time interval.
ESR-SM: Section Monitoring Errored Seconds Ratio (ESR-SM) indicates the errored seconds ratio recorded in the OTN section during the PM time interval.
ES-S: Section Errored Seconds (ES-S) is a count of the number of seconds when at least one section-layer BIP error was detected or an SEF or loss of signal (LOS) defect was present.
ES-SM: Section Monitoring Errored Seconds (ES-SM) indicates the errored seconds recorded in the OTN section during the PM time interval.
ES-V: Errored Seconds VT Layer (ES-V) is a count of the seconds when at least one VT Path BIP error was detected. An AIS Virtual Tributary (VT) (AIS-V) defect (or a lower-layer, traffic-related, near-end defect) or an LOP VT (LOP-V) defect can also cause an ES-V.
FC-L: Line Failure Count (FC-L) is a count of the number of near-end line failure events. A failure event begins when an AIS Line (AIS-L) failure is declared or when a lower-layer, traffic-related, near-end failure is declared. This failure event ends when the failure is cleared. A failure event that begins in one period and ends in another period is counted only in the period where it begins.
FC-P: Near-End STS Path Failure Counts (FC-P) is a count of the number of near-end STS path failure events. A failure event begins when an AIS-P failure, an LOP-P failure, a UNEQ-P failure, or a Section Trace Identifier Mismatch Path (TIM-P) failure is declared. A failure event also begins if the STS PTE that is monitoring the path supports Three-Bit (Enhanced) Remote Failure Indication Path Connectivity (ERFI-P-CONN) for that path. The failure event ends when these failures are cleared.
FC-PFE: Far-End STS Path Failure Counts (FC-PFE) is a count of the number of near-end STS path failure events. A failure event begins when an AIS-P failure, an LOP-P failure, a UNEQ-P failure, or a TIM-P failure is declared. A failure event also begins if the STS PTE that is monitoring the path supports ERFI-P-CONN for that path. The failure event ends when these failures are cleared.
FC-PM: Path Monitoring Failure Counts (FC-PM) indicates the failure counts recorded in the OTN path during the PM time interval.
FC-SM: Section Monitoring Failure Counts (FC-SM) indicates the failure counts recorded in the OTN section during the PM time interval.
IOS: Idle Ordered Sets (IOS) is a count of received packets containing idle ordered sets.
IPC: Invalid Packets (IPC) is the count of received packets that contain errored data code groups that have start and end delimiters.
LBCL-MIN: Laser Bias Current Line—Minimum (LBCL-MIN) is the minimum percentage of laser bias current.
LBCL-AVG: Laser Bias Current Line—Average (LBCL-AVG) is the average percentage of laser bias current.
LBCL-MAX: Laser Bias Current Line—Maximum (LBCL-MAX) is the maximum percentage of laser bias current.
LOFC: Loss of Frame Count (LOFC)
LOSS-L: Line Loss of Signal (LOSS-L) is a count of one-second intervals containing one or more LOS defects.
NIOS: Non-Idle Ordered Sets (NIOS) is a count of received packets containing non-idle ordered sets.
NPJC-PDET: Negative Pointer Justification Count, STS Detected (NPJC-PDET), formerly Pointer Justification Negative (PJNEG)
NPJC-PDET-P: Negative Pointer Justification Count, STS Path Detected (NPJC-PDET-P) is a count of the negative pointer justifications detected on a particular path in an incoming SONET signal.
NPJC-PGEN-P: Negative Pointer Justification Count, STS Path Generated (NPJC-PGEN-P) is a count of the negative pointer justifications generated for a particular path to reconcile the frequency of the SPE with the local clock.
OPR: Optical Power Received (OPR) is the measure of average optical power received as a percentage of the nominal OPR.
OPR-AVG: Average Receive Optical Power (dBm)
OPR-MAX: Maximum Receive Optical Power (dBm)
OPR-MIN: Minimum Receive Optical Power (dBm)
OPT: Optical Power Transmitted (OPT) is the measure of average optical power transmitted as a percentage of the nominal OPT.
OPT-AVG: Average Transmit Optical Power (dBm)
OPT-MAX: Maximum Transmit Optical Power (dBm)
OPT-MIN: Minimum Transmit Optical Power (dBm)
OPWR-AVG: Optical Power - Average (OPWR-AVG) is the measure of average optical power on the unidirectional port.
OPWR-MAX: Optical Power - Maximum (OPWR-MAX) is the measure of maximum value of optical power on the unidirectional port.
OPWR-MIN: Optical Power - Minimum (OPWR-MIN) is the measure of minimum value of optical power on the unidirectional port.
PJCDIFF-P: Pointer Justification Count Difference, STS Path (PJCDIFF-P) is the absolute value of the difference between the total number of detected pointer justification counts and the total number of generated pointer justification counts. That is, PJCDIFF-P is equal to (PPJC-PGEN-P – NPJC-PGEN-P) – (PPJC-PDET-P – NPJC-PDET-P).
PPJC-PDET: Pointer Justification STS Detected (PPJC-PDET), formerly Pointer Justification Positive (PJPOS).
PPJC-PDET-P: Positive Pointer Justification Count, STS Path Detected (PPJC-PDET-P) is a count of the positive pointer justifications detected on a particular path in an incoming SONET signal.
PPJC-PGEN-P: Positive Pointer Justification Count, STS Path Generated (PPJC-PGEN-P) is a count of the positive pointer justifications generated for a particular path to reconcile the frequency of the SPE with the local clock.
PJCS-PDET-P: Pointer Justification Count Seconds, STS Path Detect (PJCS-PDET-P) is a count of the one-second intervals containing one or more PPJC-PDET or NPJC-PDET.
PJCS-PGEN-P: Pointer Justification Count Seconds, STS Path Generate (PJCS-PGEN-P) is a count of the one-second intervals containing one or more PPJC-PGEN or NPJC-PGEN.
PSC: In a 1 + 1 protection scheme for a working card, Protection Switching Count (PSC) is a count of the number of times service switches from a working card to a protection card plus the number of times service switches back to the working card. For a protection card, PSC is a count of the number of times service switches to a working card from a protection card plus the number of times service switches back to the protection card. The PSC PM parameter is only applicable if revertive line-level protection switching is used.
PSC-R: In a four-fiber bidirectional line switched ring (BLSR), Protection Switching Count-Ring (PSC-R) is a count of the number of times service switches from a working line to a protection line plus the number of times it switches back to a working line. A count is only incremented if ring switching is used.
PSC-S: In a four-fiber BLSR, Protection Switching Count-Span (PSC-S) is a count of the number of times service switches from a working line to a protection line plus the number of times it switches back to the working line. A count is only incremented if span switching is used.
PSC-W: For a working line in a two-fiber BLSR, Protection Switching Count-Working (PSC-W) is a count of the number of times traffic switches away from the working capacity in the failed line and back to the working capacity after the failure is cleared. PSC-W increments on the failed working line and PSC increments on the active protect line. For a working line in a four-fiber BLSR, PSC-W is a count of the number of times service switches from a working line to a protection line plus the number of times it switches back to the working line. PSC-W increments on the failed line and PSC-R or PSC-S increments on the active protect line.
PSD: Protection Switching Duration (PSD) applies to the length of time, in seconds, that service is carried on another line. For a working line, PSD is a count of the number of seconds that service was carried on the protection line. For the protection line, PSD is a count of the seconds that the line was used to carry service. The PSD PM is only applicable if revertive line-level protection switching is used.
PSD-R: In a four-fiber BLSR, Protection Switching Duration-Ring (PSD-R) is a count of the seconds that the protection line was used to carry service. A count is only incremented if ring switching is used.
PSD-S: In a four-fiber BLSR, Protection Switching Duration-Span (PSD-S) is a count of the seconds that the protection line was used to carry service. A count is only incremented if span switching is used.
SASCP-P: SEF/AIS Seconds CP-bit Path (SASCP-P) is a count of one-second intervals containing one or more SEFs or one or more AIS defects on the path.
SASP: SEF/AIS Seconds (SASP) is a count of one-second intervals containing one or more SEFs or one or more AIS defects on the path.
SASP-P: SEF/AIS Seconds Path (SASP-P) is a count of one-second intervals containing one or more SEFs or one or more AIS defects on the path.
SEF-S: Severely Errored Framing Seconds (SEFS-S) is a count of the seconds when an SEF defect was present. An SEF defect is expected to be present during most seconds when an LOS or loss of frame (LOF) defect is present. However, there can be situations when the SEFS-S parameter is only incremented based on the presence of the SEF defect.
Note: The RTRV-PM- command does not retrieve the SEF-S counter for OC192/STM64 payloads on ADM-10G and OTU2-XP cards.
SESCP-P: Severely Errored Seconds CP-bit Path (SESCP-P) is a count of seconds containing more than 44 CP-bit parity errors, one or more SEF defects, or one or more AIS defects.
SESCP-PFE: Severely Errored Seconds CP-bit Path (SESCP-PFE) is a count of one-second intervals containing one or more far-end SEF/AIS defects, or one or more 44 M-frames with the three FEBE bits not all collectively set to 1.
SES-L: Line Severely Errored Seconds (SES-L) is a count of the seconds containing more than a particular quantity of anomalies (BPV + EXZ > 44) and/or defects on the line.
SES-P: Near-End STS Path Severely Errored Seconds (SES-P) is a count of the seconds when K (2400) or more STS path BIP errors were detected. An AIS-P defect (or a lower-layer, traffic-related, near-end defect) or an LOP-P defect can also cause an SES-P.
SES-PFE: Far-End STS Path Severely Errored Seconds (SES-PFE) is a count of the seconds when K (2400) or more STS path BIP errors were detected. An AIS-P defect (or a lower-layer, traffic-related, far-end defect) or an LOP-P defect can also cause an SES-PFE.
SES-PM: Path Monitoring Severely Errored Seconds (SES-PM) indicates the severely errored seconds recorded in the OTN path during the PM time interval.
SESP-P: Severely Errored Seconds Path (SESP-P) is a count of seconds containing more than 44 P-bit parity violations, one or more SEF defects, or one or more AIS defects.
SES-S: Section Severely Errored Seconds (SES-S) is a count of the seconds when K (see Telcordia GR-253 for value) or more section-layer BIP errors were detected or an SEF or LOS defect was present.
SES-SM: Section Monitoring Severely Errored Seconds (SES-SM) indicates the severely errored seconds recorded in the OTN section during the PM time interval.
SESR-PM: Path Monitoring Severely Errored Seconds Ratio (SESR-PM) indicates the severely errored seconds ratio recorded in the OTN path during the PM time interval.
SESR-SM: Section Monitoring Severely Errored Seconds Ratio (SESR-SM) indicates the severely errored seconds ratio recorded in the OTN section during the PM time interval.
SES-V: Severely Errored Seconds VT Layer (SES-V) is a count of seconds when K (600) or more VT Path BIP errors were detected. An AIS-V defect (or a lower-layer, traffic-related, near-end defect) or an LOP-V defect can also cause SES-V.
UAS-L: Line Unavailable Seconds (UAS-L) is a count of the seconds when the line is unavailable. A line becomes unavailable when ten consecutive seconds occur that qualify as SES-Ls, and it continues to be unavailable until ten consecutive seconds occur that do not qualify as SES-Ls.
UASCP-P: Unavailable Seconds CP-bit Path (UASCP-P) is a count of one-second intervals when the DS-3 path is unavailable. A DS-3 path becomes unavailable when ten consecutive SESCP-Ps occur. The ten SESCP-Ps are included in unavailable time. After the DS-3 path becomes unavailable, it becomes available again when ten consecutive seconds with no SESCP-Ps occur. The ten seconds with no SESCP-Ps are excluded from unavailable time.
UASCP-PFE: Unavailable Seconds CP-bit Path (UASCP-PFE) is a count of one-second intervals when the DS-3 path becomes unavailable. A DS-3 path becomes unavailable when ten consecutive far-end CP-bit SESs occur. The ten CP-bit SESs are included in unavailable time. After the DS-3 path becomes unavailable, it becomes available again when ten consecutive seconds occur with no CP-bit SESs. The ten seconds with no CP-bit SESs are excluded from unavailable time.
UAS-P: Near-End STS Path Unavailable Seconds (UAS-P) is a count of the seconds when the STS path was unavailable. An STS path becomes unavailable when ten consecutive seconds occur that qualify as SES-Ps, and continues to be unavailable until ten consecutive seconds occur that do not qualify as SES-Ps.
UAS-PFE: Far-End STS Path Unavailable Seconds (UAS-PFE) is a count of the seconds when the STS path was unavailable. An STS path becomes unavailable when ten consecutive seconds occur that qualify as SES-PFEs, and continues to be unavailable until ten consecutive seconds occur that do not qualify as SES-PFEs.
UAS-PM: Path Monitoring Unavailable Seconds (UAS-PM) indicates the unavailable seconds recorded in the OTN path during the PM time interval.
UASP-P: Unavailable Seconds Path (UASP-P) is a count of one-second intervals when the DS-3 path is unavailable. A DS-3 path becomes unavailable when ten consecutive SESP-Ps occur. The ten SESP-Ps are included in unavailable time. After the DS-3 path becomes unavailable, it becomes available again when ten consecutive seconds with no SESP-Ps occur. The ten seconds with no SESP-Ps are excluded from unavailable time.
UAS-SM: Section Monitoring Unavailable Seconds (UAS-SM) indicates the unavailable seconds recorded in the OTN section during the PM time interval.
UAS-V: Unavailable Seconds VT Layer (UAS-V) is a count of the seconds when the VT path was unavailable. A VT path becomes unavailable when ten consecutive seconds occur that qualify as SES-Vs, and it continues to be unavailable until ten consecutive seconds occur that do not qualify as SES-Vs.
UNC-WORDS: Uncorrectable Words (UNC-WORDS) is the number of uncorrectable words detected in the DWDM trunk line during the PM time interval.
VPC: Valid Packets (VPC) is a count of received packets that contain non-errored data code groups that have start and end delimiters.

15.5 Performance Monitoring for Electrical Cards

The following sections define PM parameters for the EC1-12, DS1/E1-56, DS1-14, DS1N-14, DS3-12, DS3-12E, DS3N-12, DS3N-12E, DS3i-N-12, DS3XM-6, DS3XM-12, and DS3/EC1-48 cards.

15.5.1 EC1-12 Card Performance Monitoring Parameters

Figure 15-2 shows signal types that support near-end and far-end PMs. Figure 15-3 shows where overhead bytes detected on the application specific integrated circuits (ASICs) produce PM parameters for the EC1-12 card.

Figure 15-2 Monitored Signal Types for the EC1-12 Card
(Figure 15-2: EC1 signal between a PTE and an ONS 15454 EC1 card, OC48 fiber between the two ONS 15454 nodes; EC1 Path (EC1 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)

Note: The XX in Figure 15-2 represents all PMs listed in Table 15-4 with the given prefix and/or suffix.

Figure 15-3 PM Read Points on the EC1-12 Card
(Figure 15-3: EC1 card block diagram, LIU and Framer on the EC1 side, BTC toward the XC cards and OC-N on the SONET side; the section PMs (CV-S, ES-S, SES-S, SEFS-S), line PMs (CV-L, ES-L, SES-L, UAS-L, FC-L), STS path PMs (CV-P, ES-P, FC-P, SES-P, UAS-P and the corresponding -PFE parameters) and pointer justification counts (PPJC-Pdet, NPJC-Pdet, PPJC-Pgen, NPJC-Pgen) have their read points on the LIU and the Framer.)

Table 15-4 lists the PM parameters for the EC1-12 cards.

Note: If the CV-L (NE and FE) count falls in the range 51 to 61 for EC1, the user might see a discrepancy in the SES and UAS-L values; ES-L remains accurate. Within a given 10-second interval, for a few seconds the CV-L count may not cross the CV count criterion for SES (a system/application limitation for the ranges mentioned), so there may not be 10 consecutive SES and UAS will not be observed.
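The ES/SES/UAS counting rules defined in Table 15-3, and the ten-consecutive-SES condition that the note above refers to, worked through in code. This is an added example, not Cisco's implementation: the Second and PathCounters types, the path_counters function and the 37-second error series are constructed here; the thresholds (K = 2400 for the STS path, 600 for the VT path, more than 44 anomalies for the line) and the PJCDIFF-P formula are the ones given in the table.

```python
"""Derive one-second SONET PM counters (CV, ES, SES, UAS) from raw per-second
error counts, following the Table 15-3 definitions. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import List, Sequence

# SES thresholds from Table 15-3: a second with count >= K (or a defect) is an SES.
SES_K = {
    "STS-P": 2400,  # SES-P / SES-PFE: K (2400) or more STS path BIP errors
    "VT": 600,      # SES-V: K (600) or more VT path BIP errors
    "LINE": 45,     # SES-L: more than 44 anomalies (BPV + EXZ > 44)
}
UAS_RUN = 10  # ten consecutive SES enter unavailability; ten consecutive non-SES leave it


@dataclass(frozen=True)
class Second:
    """One PM second: BIP/anomaly count and whether a defect (AIS, LOP, LOS, SEF) was present."""
    cv: int
    defect: bool = False


@dataclass(frozen=True)
class PathCounters:
    cv: int
    es: int
    ses: int
    uas: int


def is_ses(sec: Second, layer: str) -> bool:
    return sec.defect or sec.cv >= SES_K[layer]


def is_es(sec: Second) -> bool:
    return sec.defect or sec.cv > 0


def unavailable_flags(ses: Sequence[bool]) -> List[bool]:
    """Mark unavailable seconds as Table 15-3 describes: unavailability begins with the
    first of ten consecutive SES (those ten are included) and ends with the first of ten
    consecutive non-SES (those ten are excluded). A trailing run shorter than ten seconds
    cannot be decided yet and keeps the current state, as a live counter would."""
    n = len(ses)
    uas = [False] * n
    unavailable = False
    i = 0
    while i < n:
        window = ses[i:i + UAS_RUN]
        if not unavailable:
            if len(window) == UAS_RUN and all(window):
                unavailable = True
                for j in range(i, i + UAS_RUN):
                    uas[j] = True
                i += UAS_RUN
            else:
                i += 1
        else:
            if len(window) == UAS_RUN and not any(window):
                unavailable = False
                i += UAS_RUN
            else:
                uas[i] = True
                i += 1
    return uas


def path_counters(seconds: Sequence[Second], layer: str = "STS-P") -> PathCounters:
    """CV/ES/SES/UAS for one accumulation period, counted exactly as the table words them
    (ES and SES are counted over all seconds, including unavailable ones)."""
    ses = [is_ses(s, layer) for s in seconds]
    return PathCounters(
        cv=sum(s.cv for s in seconds),
        es=sum(1 for s in seconds if is_es(s)),
        ses=sum(ses),
        uas=sum(unavailable_flags(ses)),
    )


def pjcdiff_p(ppjc_pgen: int, npjc_pgen: int, ppjc_pdet: int, npjc_pdet: int) -> int:
    """PJCDIFF-P per Table 15-3: |(PPJC-PGEN-P - NPJC-PGEN-P) - (PPJC-PDET-P - NPJC-PDET-P)|."""
    return abs((ppjc_pgen - npjc_pgen) - (ppjc_pdet - npjc_pdet))


# Constructed 37-second sample: a B3 BIP burst long enough to enter unavailability, two
# clean seconds and one LOP-P defect second that keep the path unavailable, then a clean
# run of twelve seconds that ends it, followed by a single errored second.
SAMPLE = (
    [Second(0)] * 5
    + [Second(1), Second(7), Second(100)]
    + [Second(3000)] * 12
    + [Second(0)] * 2
    + [Second(0, defect=True)]
    + [Second(0)] * 12
    + [Second(2), Second(0)]
)

if __name__ == "__main__":
    c = path_counters(SAMPLE)
    print(f"CV-P={c.cv} ES-P={c.es} SES-P={c.ses} UAS-P={c.uas}")
    print("PJCDIFF-P =", pjcdiff_p(ppjc_pgen=12, npjc_pgen=3, ppjc_pdet=4, npjc_pdet=5))
```

Nine SES in a row (or a run broken by a single clean second, as in the note) never enter unavailability, which is why UAS can stay at zero while SES climbs.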
Table 15-4 EC1-12 Card PMs
Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET-P, NPJC-PDET-P, PPJC-PGEN-P, NPJC-PGEN-P, PJCS-PDET-P, PJCS-PGEN-P, PJC-DIFF-P
Line (FE): CV-LFE, ES-LFE, SES-LFE, UAS-LFE, FC-LFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE

15.5.2 DS1/E1-56 Card Performance Monitoring Parameters

Figure 15-4 shows signal types that support near-end and far-end PMs.

Figure 15-4 Monitored Signal Types for the DS1/E1-56 Card

Figure 15-5 shows where overhead bytes detected on the ASICs produce PM parameters for the DS1/E1-56 card.

Figure 15-5 PM Read Points on the DS1/E1-56 Card
(Figure 15-5: ONS 15454 High Density DS-1/E1 card, LIU, Ultramapper ASIC and Stingray ASIC toward the XC cards and OC-N; the DS-1 path side and E-1 path side PMs are read on the Ultramapper ASIC and the LIU. The far-end path PM group is received from the far end and exists only for ESF framing mode. DS-1 line PMs: CV-L, ES-L, SES-L, LOSS-L, ES-L (far end). E1 line PMs: CV-L, ES-L, SES-L, LOSS-L.)

Table 15-5 lists the PM parameters for the DS1/E1-56 card.
Table 15-5 DS1/E1-56 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Line (FE): CV-L, ES-L, SES-L, LOSS-L
Rx Path (NE): AISS-P, CV-P, ES-P, SES-P, SAS-P, UAS-P, CSS-P, ESA-P, ESB-P, SEFS-P
Tx Path (NE): AISS-P, CV-P, ES-P, SES-P, UAS-P, BBER-P, SESR-P, ESR-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Rx Path (FE): ES-PFE, ESA-PFE, ESB-PFE, CV-PFE, CSS-PFE, SEFS-PFE, SES-PFE, UAS-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
Network Path: ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE
BFDL (FE): CSS, ES, SES, BES, UAS, LOFC

15.5.3 DS1-14 and DS1N-14 Card Performance Monitoring Parameters

Figure 15-6 shows the signal types that support near-end and far-end PMs.

Figure 15-6 Monitored Signal Types for the DS1-14 and DS1N-14 Cards
(Figure 15-6: DS1 signal between a PTE/CSU and the ONS 15454 DS1 card, OC-N fiber between nodes, FDL PRM exchanged with the CSU; DS1 Path (DS1 XX), VT Path (XX-V), STS Path (STS XX-P) and DS1 FDL (DS1 XX) PMs are supported at the near and far end.)

Note: The XX in Figure 15-6 represents all PMs listed in Table 15-6 with the given prefix and/or suffix.

Figure 15-7 shows where overhead bytes detected on the ASICs produce PM parameters for the DS1-14 and DS1N-14 cards.

Figure 15-7 PM Read Points on the DS1-14 and DS1N-14 Cards

Table 15-6 describes the PM parameters for the DS1-14 and DS1N-14 cards.

Note: Far-end DS1 performance monitoring values are valid only when the DS1 line is set to extended super frame (ESF).
(Figure 15-7: DS1 and DS1N card block diagram, LIU and Framer on the DS1 side, BTC toward the XC cards and OC-N on the SONET side; the DS1 line PMs (CV-L, ES-L, SES-L, LOSS-L), the DS1 Rx and Tx path PMs (AISS-P, CV-P, ES-P, SAS-P, SES-P, UAS-P), the VT level PMs (CV-V, ES-V, SES-V, UAS-V) and the STS path PMs (CV-P, ES-P, FC-P, SES-P, UAS-P and the corresponding -PFE parameters) have their read points on the LIU and the Framer.)

Table 15-6 DS1-14 and DS1N-14 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Line (FE): CV-L, ES-L
Rx Path (NE): AISS-P, CV-P, ES-P, FC-P, SAS-P, SES-P, UAS-P, CSS-P, ESA-P, ESB-P, SEFS-P
Tx Path (NE): AISS-P, CV-P, ES-P, FC-P, SAS-P, SES-P, UAS-P
VT Path (NE): CV-V, ES-V, SES-V, UAS-V, FC-V
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Rx Path (FE): ES-PFE, ESA-PFE, ESB-PFE, CV-PFE, CSS-PFE, SEFS-PFE, SES-PFE, UAS-PFE
VT Path (FE): CV-VFE, ES-VFE, SES-VFE, UAS-VFE, FC-VFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE

15.5.3.1 DS-1 Facility Data Link Performance Monitoring

Facility Data Link (FDL) performance monitoring enables an ONS 15454 DS1N-14 card to calculate and report DS-1 error rate performance measured at both the near end and the far end of the FDL. The far-end information is reported as received on the FDL in a performance report message (PRM) from an intelligent channel service unit (CSU). To monitor DS-1 FDL PM values, the DS-1 must be set to use ESF format and the FDL must be connected to an intelligent CSU. For procedures for provisioning ESF on the DS1N-14 card, refer to the Cisco ONS 15454 Procedure Guide.

The monitored DS-1 FDL PM parameters are CV-PFE, ES-PFE, ESA-PFE, ESB-PFE, SES-PFE, SEFS-PFE, CSS-PFE, UAS-PFE, FC-PFE, and ES-LFE. See Table 15-3 on page 15-5 for detailed information and definitions of specific FDL DS1 PM parameters.
15.5.4 DS3-12 and DS3N-12 Card Performance Monitoring Parameters

Figure 15-8 shows the signal types that support near-end and far-end PMs. Figure 15-9 shows where overhead bytes detected on the ASICs produce PM parameters for the DS3-12 and DS3N-12 cards.

Figure 15-8 Monitored Signal Types for the DS3-12 and DS3N-12 Cards
(Figure 15-8: DS3 signal between a PTE and the ONS 15454 DS3 card, OC-N fiber between nodes; DS3 Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)

Note: The XX in Figure 15-8 represents all PMs listed in Table 15-7 with the given prefix and/or suffix.

Figure 15-9 PM Read Points on the DS3-12 and DS3N-12 Cards
(Figure 15-9: DS3 and DS3N card block diagram, LIU and Mux/Demux ASIC on the DS3 side, BTC ASIC toward the XC cards and OC-N on the SONET side; the STS path PMs (CV-P, ES-P, FC-P, SES-P, UAS-P and the corresponding -PFE parameters) and the DS3 line PMs (CV-L, ES-L, SES-L, LOSS-L) have their read points on the Mux/Demux ASIC and the LIU.)

The PM parameters for the DS3-12 and DS3N-12 cards are described in Table 15-7.

Table 15-7 DS3-12 and DS3N-12 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE

15.5.5 DS3-12E and DS3N-12E Card Performance Monitoring Parameters

Figure 15-10 shows the signal types that support near-end and far-end PMs.

Figure 15-10 Monitored Signal Types for the DS3-12E and DS3N-12E Cards

Note: The XX in Figure 15-10 represents all PMs listed in Table 15-8 with the given prefix and/or suffix.
(Figure 15-10: DS3 signal between a PTE and the ONS 15454 DS3E card, OC-N fiber between nodes; DS3E Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)

Figure 15-11 shows where overhead bytes detected on the ASICs produce PM parameters for the DS3-12E and DS3N-12E cards.

Figure 15-11 PM Read Points on the DS3-12E and DS3N-12E Cards
(Figure 15-11: DS3-12E and DS3N-12E card block diagram, LIU and Mux/Demux ASIC on the DS3 side, BTC ASIC toward the XC cards and OC-N on the SONET side. The read points on the LIU and the Mux/Demux ASIC cover the STS path PMs (CV-P, ES-P, FC-P, SES-P, UAS-P and the corresponding -PFE parameters), the DS3 line PMs (CV-L, ES-L, SES-L, LOSS-L), the DS3 P-bit path PMs (AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P) and the DS3 C-bit path PMs (CVCP-P, ESCP-P, SESCP-P, UASCP-P and CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE).)

Table 15-8 describes the PM parameters for the DS3-12E and DS3N-12E cards.

Table 15-8 DS3-12E and DS3N-12E Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Path (NE): AISS-P, CV-P, ES-P, SAS-P [2], SES-P, UAS-P, CVCP-P, ESCP-P, SASCP-P [3], SESCP-P, UASCP-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Path (FE) [1]: CVCP-PFE, ESCP-PFE, SASCP-P, SESCP-PFE, UASCP-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
[1] The C-bit PMs (PMs that contain the text "CP-P") are applicable only if the line format is C-bit.
[2] DS3(N)-12E cards support SAS-P only on the receive (Rx) path.
[3] The SASCP parameter is also displayed as "undefined" for the near-end parameter, though it is a far-end parameter.

15.5.6 DS3i-N-12 Card Performance Monitoring Parameters

Figure 15-12 shows the signal types that support near-end and far-end PMs.

Figure 15-12 Monitored Signal Types for the DS3i-N-12 Cards
(Figure 15-12: DS3 signal between a PTE and the ONS 15454 DS3i-N-12 card, OC-N fiber between nodes; DS3i Path (DS3 XX) PMs and STS Path (STS XX-P) PMs are supported at the near and far end.)

Note: The XX in Figure 15-12 represents all PMs listed in Table 15-9 with the given prefix and/or suffix.

Figure 15-13 shows where overhead bytes detected on the ASICs produce PM parameters for the DS3i-N-12 cards.

Figure 15-13 PM Read Points on the DS3i-N-12 Cards
(Figure 15-13: DS3i-N-12 card block diagram, LIU and Mux/Demux ASIC on the DS3 side, BTC ASIC toward the XC cards and OC-N on the SONET side; the same STS path, DS3 line, DS3 P-bit path and DS3 C-bit path PM groups as in Figure 15-11, with read points on the LIU and the Mux/Demux ASIC.)

Table 15-9 describes the PM parameters for the DS3i-N-12 card.

Table 15-9 DS3i-N-12 Card PMs
Line (NE): CV-L, ES-L, SES-L, LOSS-L
Path (NE): AISS-P, CVP-P, ESP-P, SASP-P [2], SESP-P, UASP-P, CVCP-P, ESCP-P, SASCP-P [3], SESCP-P, UASCP-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
Path (FE) [1]: CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
[1] The C-Bit PMs (PMs that contain the text "CP-P") are applicable only if the line format is C-Bit.
[2] DS3i-N-12 cards support SAS-P only on the Rx path.
[3] The SASCP parameter is also displayed as "undefined" for the near-end parameter, though it is a far-end parameter.

15.5.7 DS3XM-6 Card Performance Monitoring Parameters

Figure 15-14 shows the signal types that support near-end and far-end PMs.
Figure 15-14 Monitored Signal Types for the DS3XM-6 Card
[Figure: PTE to ONS 15454 DS3XM over a muxed DS3 signal, OC-N fiber between the two nodes, DS3XM to PTE. DS1 path (DS1 XX), VT path (XX-V), DS3 path (DS3 XX) and STS path (STS XX-P) PMs are supported at the near and far end.]

Note The XX in Figure 15-14 represents all PMs listed in Table 15-10 with the given prefix and/or suffix.

Figure 15-15 shows where the overhead bytes detected on the ASICs produce PM parameters for the DS3XM-6 card.

Figure 15-15 PM Read Points on the DS3XM-6 Card
[Figure: DS3XM-6 card, DS1 side LIU > Mapper Unit > BTC ASIC > XC card(s) > OC-N (SONET side). DS1 path PMs (DS1 AISS-P, ES-P, SAS-P, SES-P, UAS-P) and VT level PMs (CV-V, ES-V, SES-V, UAS-V) are shown at the DS1 side; DS3 line and path PMs (DS3 CV-L, ES-L, SES-L, LOSS-L, AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P, CVCP-P, ESCP-P, SASCP-P, SESCP-P, UASCP-P, CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE) are read on the LIU; STS path PMs (STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE) are read on the Mapper Unit ASIC. The DS3 path is terminated on the transmux and regenerated.]

Table 15-10 lists the PM parameters for the DS3XM-6 cards.

Table 15-10 DS3XM-6 Card PMs
DS3 Line (NE): CV-L, ES-L, SES-L, LOSS-L
DS3 Path (NE) [1]: AISS-P, CVP-P, ESP-P, SASP-P [3], SESP-P, UASP-P, ESCP-P, SASCP-P [4], SESCP-P, UASCP-P, CVCP-P
DS1 Path (NE): AISS-P, ES-P, SAS-P [3], SES-P, UAS-P
VT Path (NE): CV-V, ES-V, SES-V, UAS-V
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
DS3 Path (FE) [1]: CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
VT Path (FE): CV-VFE, ES-VFE, SES-VFE, UAS-VFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
Network Path [2]: ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE
1. The C-Bit PMs (PMs that contain the text “CP-P”) are applicable only if the line format is C-Bit.
2. Parameter received from far-end direction only.
3. DS3XM-6 cards support SAS-P only on the Rx path.
4. The SASCP parameter is also displayed as “undefined” for the near-end parameter, though it is a far-end parameter.

15.5.8 DS3XM-12 Card Performance Monitoring Parameters

Figure 15-16 shows the signal types that support near-end and far-end PMs.

Figure 15-16 Monitored Signal Types for the DS3XM-12 Card
[Figure: same layout as Figure 15-14. DS1 path (DS1 XX), VT path (XX-V), DS3 path (DS3 XX) and STS path (STS XX-P) PMs are supported at the near and far end.]

Note The XX in Figure 15-16 represents all PMs listed in Table 15-11 with the given prefix and/or suffix.

Figure 15-17 shows where the overhead bytes detected on the ASICs produce PM parameters for the DS3XM-12 card.

Figure 15-17 PM Read Points on the DS3XM-12 Card
Table 15-11 lists the PM parameters for the DS3XM-12 cards.
[Figure 15-17: DS3XM-12 card, DS1 side LIU > Mapper Unit > BTC ASIC > XC card(s) > OC-N (SONET side). Same read points as Figure 15-15: DS1 path PMs (DS1 AISS-P, ES-P, SAS-P, SES-P, UAS-P) and VT level PMs (CV-V, ES-V, SES-V, UAS-V) at the DS1 side; DS3 line and path PMs read on the LIU; STS path PMs read on the Mapper Unit ASIC. The DS3 path is terminated on the transmux and regenerated.]

Table 15-11 DS3XM-12 Card PMs
DS3 Line (NE): CV-L, ES-L, SES-L, LOSS-L
DS3 Path (NE) [1]: AISS-P, CV-P, ES-P, SAS-P [3], SES-P, UAS-P, ESCP-P, SESCP-P, UASCP-P, CVCP-P
DS1 Path (NE): AISS-P, CV-P, ES-P, FC-P, SAS-P [3], SES-P, UAS-P, CSS-P, ESA-P, ESB-P, SEFS-P
VT Path (NE): CV-V, ES-V, SES-V, UAS-V
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
DS3 Path (FE) [1]: CVCP-PFE, ESCP-PFE, SASCP-PFE [4], SESCP-PFE, UASCP-PFE
VT Path (FE): CV-VFE, ES-VFE, SES-VFE, UAS-VFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
BFDL (FE): CSS, ES, SES, BES, UAS, LOFC
Network Path [2]: ES-NP, ES-NPFE, SES-NP, SES-NPFE, UAS-NP, UAS-NPFE
1. The C-Bit PMs (PMs that contain the text “CP-P”) are applicable only if the line format is C-Bit.
2. Parameter received from far-end direction only.
3. DS3XM-12 cards support SAS-P only on the Rx path.
4. The SASCP parameter is also displayed as “undefined” for the near-end parameter, though it is a far-end parameter.

15.5.9 DS3/EC1-48 Card Performance Monitoring Parameters

Figure 15-18 shows the signal types that support near-end and far-end PMs.

Figure 15-18 Monitored Signal Types for the DS3/EC1-48 Card
Note The XX in Figure 15-18 represents all PMs listed in Table 15-12 with the given prefix and/or suffix.
[Figure 15-18: PTE to ONS 15454 DS3 over a DS3 signal, OC-N fiber between the two nodes, DS3 to PTE. DS3 path (DS3 XX) PMs and STS path (STS XX-P) PMs are supported at the near and far end.]

Figure 15-19 shows where the overhead bytes detected on the ASICs produce PM parameters for the DS3/EC1-48 card.

Figure 15-19 PM Read Points on the DS3/EC1-48 Card
[Figure: DS3/EC1-48 card, LIU > Mapper Unit > BTC ASIC > XC card(s) > OC-N (SONET side). DS3 line and path PMs (DS3 CV-L, ES-L, SES-L, LOSS-L, AISS-P, CVP-P, ESP-P, SASP-P, SESP-P, UASP-P, CVCP-P, ESCP-P, SASCP-P, SESCP-P, UASCP-P, CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE) are read on the LIU; STS path PMs (STS CV-P, ES-P, FC-P, SES-P, UAS-P, CV-PFE, ES-PFE, FC-PFE, SES-PFE, UAS-PFE) are read on the Mapper Unit ASIC. The DS3 path is terminated on the transmux and regenerated.]

Table 15-12 lists the PM parameters for the DS3/EC1-48 cards.

Table 15-12 DS3/EC1-48 Card PMs
DS3/EC1 Line (NE): CV-L, ES-L, SES-L, LOSS-L
DS3 Path (NE) [1]: AISS-P, CVP-P, ESP-P, SASP-P [2], SESP-P, UASP-P, ESCP-P, SASCP-P [3], SESCP-P, UASCP-P, CVCP-P
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P
DS3 Path (FE) [1]: CVCP-PFE, ESCP-PFE, SASCP-PFE, SESCP-PFE, UASCP-PFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE
1. The C-Bit PMs (PMs that contain the text “CP-P”) are applicable only if the line format is C-Bit.
2. DS3/EC1-48 cards support SAS-P only on the Rx path.
3. The SASCP parameter is also displayed as “undefined” for the near-end parameter, though it is a far-end parameter.

Note If the CV-L (NE and FE) falls in the range 51 to 61 for DS3, the user might see a discrepancy in the SES and UAS-L values.
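The dependency between per-second CV counts, SES and UAS that this note relies on can be seen in the following simulation. It is an added example written for this page, not Cisco code or the card's firmware logic; it implements the generic SONET/DS3 rules (a second is an SES when its CV count reaches the SES threshold, and UAS begins only at the onset of 10 consecutive SES, ending after 10 consecutive non-SES seconds). The threshold value SES_CV_THRESHOLD is an assumed placeholder, not a figure from this manual.

```python
"""Added example, not Cisco code: how per-second CV counts roll up into
ES, SES and UAS under the generic SONET/DS3 PM rules.

Rules implemented:
  - ES: a second with one or more CVs.
  - SES: a second whose CV count reaches the SES threshold. The threshold
    value below is an assumed placeholder, not a figure from this manual.
  - UAS: begins at the onset of 10 consecutive SES (those 10 seconds count
    as UAS, not as ES/SES) and ends after 10 consecutive non-SES seconds
    (those 10 seconds count as available again).
CVs, ES and SES are not accumulated while the path is unavailable.
"""
from dataclasses import dataclass

SES_CV_THRESHOLD = 44   # assumed per-second CV count that makes a second an SES
UAS_ONSET = 10          # consecutive SES that start an unavailable period
UAS_CLEAR = 10          # consecutive non-SES that end it


@dataclass
class PmCounts:
    cv: int = 0
    es: int = 0
    ses: int = 0
    uas: int = 0


def _count_available(counts: PmCounts, is_ses: bool, cv: int) -> None:
    """Accumulate one second of available time."""
    counts.cv += cv
    if cv > 0:
        counts.es += 1
    if is_ses:
        counts.ses += 1


def count_pms(cv_per_second, ses_threshold: int = SES_CV_THRESHOLD) -> PmCounts:
    """Classify a sequence of per-second CV-L counts into CV/ES/SES/UAS."""
    counts = PmCounts()
    unavailable = False
    pending = []        # seconds whose available/unavailable state is not yet final
    for cv in cv_per_second:
        is_ses = cv >= ses_threshold
        pending.append((is_ses, cv))
        tail = pending[-UAS_CLEAR:] if unavailable else pending[-UAS_ONSET:]
        if not unavailable and len(pending) >= UAS_ONSET and all(s for s, _ in tail):
            # Everything before the run of 10 SES stays available; the run is UAS.
            for s, c in pending[:-UAS_ONSET]:
                _count_available(counts, s, c)
            counts.uas += UAS_ONSET
            unavailable, pending = True, []
        elif unavailable and len(pending) >= UAS_CLEAR and not any(s for s, _ in tail):
            # Everything before the run of 10 clean seconds stays unavailable.
            counts.uas += len(pending) - UAS_CLEAR
            for s, c in tail:
                _count_available(counts, s, c)
            unavailable, pending = False, []
    for s, c in pending:    # end of the interval: flush undecided seconds
        if unavailable:
            counts.uas += 1
        else:
            _count_available(counts, s, c)
    return counts


if __name__ == "__main__":
    # Constructed inputs: ten straight SES versus the same run broken by one
    # second whose CV count stays just under the threshold.
    solid = [60] * 10 + [0] * 10
    broken = [60] * 5 + [40] + [60] * 4 + [0] * 10
    print("solid :", count_pms(solid))    # UAS declared, no SES counted
    print("broken:", count_pms(broken))   # 9 SES, no UAS, ES unchanged
```

The two constructed inputs carry the same number of errored seconds, which is why ES stays stable while SES and UAS diverge: one second falling short of the threshold breaks the 10-SES run, so no UAS is declared and the nine SES are reported instead.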
However, ES-L will remain close to the accurate value. For a few seconds in a given 10-second interval, the number of CV-L counted may not cross the CV count criterion for SES (due to a system/application limitation for the ranges mentioned above); as a consequence there may not be 10 continuous SES, and so UAS will not be observed.

15.6 Performance Monitoring for Ethernet Cards

The following sections define PM parameters and definitions for the ONS 15454 E-Series, G-Series, ML-Series, and CE-Series Ethernet cards.

15.6.1 E-Series Ethernet Card Performance Monitoring Parameters

CTC provides Ethernet performance information, including line-level parameters, port bandwidth consumption, and historical Ethernet statistics. The E-Series Ethernet performance information is divided into the Statistics, Utilization, and History tabbed windows within the card view Performance tab window.

15.6.1.1 E-Series Ethernet Statistics Window

The Ethernet Statistics window lists Ethernet parameters at the line level. The Statistics window provides buttons to change the statistical values shown. The Baseline button resets the displayed statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which automatic refresh occurs. Table 15-13 defines the E-Series Ethernet card statistics parameters.

Table 15-13 E-Series Ethernet Statistics Parameters
Parameter    Definition
Link Status    Indicates whether link integrity is present; up means present, and down means not present.
ifInOctets    Number of bytes received since the last counter reset.
ifInUcastPkts    Number of unicast packets received since the last counter reset.
ifInErrors    The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol.
ifOutOctets    Number of bytes transmitted since the last counter reset.
ifOutUcastPkts    Number of unicast packets transmitted.
dot3StatsAlignmentErrors    A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check.
dot3StatsFCSErrors    A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
dot3StatsFrameTooLong    A count of frames received on a particular interface that exceed the maximum permitted frame size.
etherStatsUndersizePkts    The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
etherStatsFragments    The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
    Note It is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits.
etherStatsPkts64Octets    The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts65to127Octets    The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts128to255Octets    The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts256to511Octets    The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts512to1023Octets    The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts1024to1518Octets    The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsOversizePkts    The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Note that for tagged interfaces, this number becomes 1522 bytes.
etherStatsJabbers    The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsOctets    The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
etherStatsCRCAlignErrors    The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
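The etherStats and dot3Stats definitions above (and the same definitions repeated for the ML-Series in Table 15-17) all key on two properties of a received frame: its length in octets and whether its FCS checks. The following added example, written for this page and not taken from the manual or from CTC, makes that classification explicit. It builds a handful of constructed sample frames with a real Ethernet CRC-32 FCS, corrupts some of them, and reports which counters each frame would increment; a bad FCS on a non-integral number of octets (an alignment error) is modelled by a `dangling_bits` count supplied with the frame, since a byte string cannot carry a fractional octet.

```python
"""Added example, not Cisco code: classifying received frames into the RMON
etherStats / dot3Stats counters defined in Table 15-13 (and again in Table
15-17 for the ML-Series). A frame is keyed on its length in octets (excluding
framing bits, including the 4-octet FCS) and on whether its FCS checks; a bad
FCS on a non-integral number of octets is an alignment error, modelled here by
a 'dangling_bits' count supplied alongside the frame. Sample frames are
constructed inline; the FCS is the standard Ethernet CRC-32 (zlib.crc32).
"""
import struct
import zlib
from collections import Counter

MIN_FRAME = 64          # octets including FCS
MAX_FRAME = 1518        # untagged limit; the table notes 1522 for tagged interfaces
SIZE_BUCKETS = [(64, 64), (65, 127), (128, 255), (256, 511),
                (512, 1023), (1024, 1518)]


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 octets are the CRC-32 of everything before them."""
    if len(frame) < 4:
        return False
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def build_frame(payload_len: int, corrupt: bool = False) -> bytes:
    """Construct a sample frame: dst MAC, src MAC, EtherType, zero payload, FCS."""
    header = bytes.fromhex("020000000001" "020000000002" "0800")
    body = header + bytes(payload_len)
    frame = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    if corrupt:                       # flip the last FCS octet
        frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
    return frame


def classify(frame: bytes, dangling_bits: int = 0) -> list:
    """Names of the counters this one received frame increments."""
    n = len(frame)
    good = fcs_ok(frame)
    hits = ["etherStatsOctets"]           # octets are counted even for bad packets
    for lo, hi in SIZE_BUCKETS:           # size buckets include bad packets too
        if lo <= n <= hi:
            hits.append(f"etherStatsPkts{lo}Octets" if lo == hi
                        else f"etherStatsPkts{lo}to{hi}Octets")
    if n < MIN_FRAME:
        hits.append("etherStatsUndersizePkts" if good else "etherStatsFragments")
    elif n > MAX_FRAME:
        hits.append("etherStatsOversizePkts" if good else "etherStatsJabbers")
        hits.append("dot3StatsFrameTooLong")
    elif not good:
        hits.append("etherStatsCRCAlignErrors")
    if not good:                          # split bad FCS by octet alignment
        hits.append("dot3StatsAlignmentErrors" if dangling_bits else "dot3StatsFCSErrors")
    return hits


def tally(frames) -> Counter:
    """Accumulate counters over (frame, dangling_bits) pairs."""
    stats = Counter()
    for frame, dangling in frames:
        for name in classify(frame, dangling):
            stats[name] += len(frame) if name == "etherStatsOctets" else 1
    return stats


def sample_tally() -> Counter:
    """Constructed traffic mix: one frame for each interesting case."""
    return tally([
        (build_frame(46), 0),                   # 64 octets, good: minimum size
        (build_frame(20), 0),                   # 38 octets, good: undersize
        (build_frame(20, corrupt=True), 0),     # 38 octets, bad FCS: fragment
        (build_frame(100, corrupt=True), 3),    # 118 octets, bad FCS, 3 dangling bits: alignment
        (build_frame(1500), 0),                 # 1518 octets, good: top size bucket
        (build_frame(1501, corrupt=True), 0),   # 1519 octets, bad FCS: jabber
    ])


if __name__ == "__main__":
    for name, value in sorted(sample_tally().items()):
        print(f"{name:32} {value}")
```

Reading the tally against the table shows why etherStatsFragments and etherStatsJabbers are the "bad" twins of etherStatsUndersizePkts and etherStatsOversizePkts, and why every frame, good or bad, lands in exactly one size bucket.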
15.6.1.2 E-Series Ethernet Utilization Window

The Utilization window shows the percentage of transmit (Tx) and receive (Rx) line bandwidth used by the Ethernet ports during consecutive time segments. The Mode field displays the real-time mode status, such as 100 Full, which is the mode setting configured on the E-Series port. However, if the E-Series port is set to autonegotiate the mode (Auto), this field shows the result of the link negotiation between the E-Series and the peer Ethernet device attached directly to the E-Series port. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:

Rx = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100%
Tx = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100%

The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the Ethernet port (that is, 1 Gbps). The maxBaseRate for E-Series Ethernet cards is shown in Table 15-14.

Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.

Note The E-Series Ethernet card is a Layer 2 device or switch and supports Trunk Utilization statistics. The Trunk Utilization statistics are similar to the Line Utilization statistics, but show the percentage of circuit bandwidth used rather than the percentage of line bandwidth used. The Trunk Utilization statistics are accessed through the card view Maintenance tab.

15.6.1.3 E-Series Ethernet History Window

The Ethernet History window lists past Ethernet statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-15. The parameters are defined in Table 15-13 on page 15-29.

Table 15-14 maxBaseRate for STS Circuits
STS    maxBaseRate
STS-1    51840000
STS-3c    155000000
STS-6c    311000000
STS-12c    622000000

Table 15-15 Ethernet History Statistics per Time Interval
Time Interval    Number of Previous Intervals Displayed
1 minute    60
15 minutes    32
1 hour    24
1 day (24 hours)    7

15.6.2 G-Series Ethernet Card Performance Monitoring Parameters

CTC provides Ethernet performance information, including line-level parameters, port bandwidth consumption, and historical Ethernet statistics. The G-Series Ethernet performance information is divided into the Statistics, Utilization, and History tabbed windows within the card view Performance tab window.

15.6.2.1 G-Series Ethernet Statistics Window

The Ethernet Statistics window lists Ethernet parameters at the line level. The Statistics window provides buttons to change the statistical values shown. The Baseline button resets the displayed statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which automatic refresh occurs. The G-Series Statistics window also has a Clear button. The Clear button sets the values on the card to zero, but does not reset the G-Series card. Table 15-16 defines the G-Series Ethernet card statistics parameters.

Table 15-16 G-Series Ethernet Statistics Parameters
Parameter    Definition
Time Last Cleared    A time stamp indicating the last time statistics were reset.
Link Status    Indicates whether the Ethernet link is receiving a valid Ethernet signal (carrier) from the attached Ethernet device; up means present, and down means not present.
Rx Packets    Number of packets received since the last counter reset.
Rx Bytes    Number of bytes received since the last counter reset.
Tx Packets    Number of packets transmitted since the last counter reset.
Tx Bytes    Number of bytes transmitted since the last counter reset.
Rx Total Errors    Total number of receive errors.
Rx FCS    Number of packets with an FCS error. FCS errors indicate frame corruption during transmission.
Rx Alignment    Number of packets with received incomplete frames.
Rx Runts    Measures undersized packets with bad CRC errors.
Rx Shorts    Measures undersized packets with good CRC errors.
Rx Jabbers    The total number of frames received that exceed the 1548-byte maximum and contain CRC errors.
Rx Giants    Number of packets received that are greater than 1530 bytes in length.
Rx Pause Frames    Number of received Ethernet IEEE 802.3z pause frames.
Tx Pause Frames    Number of transmitted IEEE 802.3z pause frames.
Rx Pkts Dropped Internal Congestion    Number of received packets dropped due to overflow in the G-Series frame buffer.
Tx Pkts Dropped Internal Congestion    Number of transmit queue drops due to drops in the G-Series frame buffer.
HDLC Errors    High-level data link control (HDLC) errors received from SONET/SDH (see Note).
Rx Unicast Packets    Number of unicast packets received since the last counter reset.
Tx Unicast Packets    Number of unicast packets transmitted.
Rx Multicast Packets    Number of multicast packets received since the last counter reset.
Tx Multicast Packets    Number of multicast packets transmitted.
Rx Broadcast Packets    Number of broadcast packets received since the last counter reset.
Tx Broadcast Packets    Number of broadcast packets transmitted.

Note Do not use the HDLC errors counter to count the number of frames dropped because of HDLC errors, because each frame can fragment into several smaller frames during HDLC error conditions and spurious HDLC frames can be generated. If HDLC error counters are incrementing when no SONET path problems should be present, it might indicate a problem with the quality of the SONET path. For example, a SONET protection switch generates a set of HDLC errors. However, the actual values of these counters are less significant than the fact that they are changing.

15.6.2.2 G-Series Ethernet Utilization Window

The Utilization window shows the percentage of Tx and Rx line bandwidth used by the Ethernet ports during consecutive time segments. The Mode field displays the real-time mode status, such as 100 Full, which is the mode setting configured on the G-Series port. However, if the G-Series port is set to autonegotiate the mode (Auto), this field shows the result of the link negotiation between the G-Series and the peer Ethernet device attached directly to the G-Series port. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:

Rx = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100%
Tx = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100%

The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the Ethernet port (that is, 1 Gbps). The maxBaseRate for G-Series Ethernet cards is shown in Table 15-14.

Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.

Note Unlike the E-Series, the G-Series card does not have a display of Trunk Utilization statistics, because the G-Series card is not a Layer 2 device or switch.
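The same utilization formula is used in the E-Series (15.6.1.2), G-Series (15.6.2.2) and ML-Series (15.6.3.2) Utilization windows. The following added example, written for this page rather than taken from CTC, evaluates it on two constructed counter snapshots taken one interval apart, using the maxBaseRate values of Table 15-14; the explanation of the 20 extra octets per packet (preamble/SFD plus inter-frame gap, which octet counters do not include) is an addition, since the manual gives the constant without stating its origin.

```python
"""Added example, not Cisco code: the line-utilization formula that the
E-Series, G-Series and ML-Series Utilization windows apply, evaluated on
constructed counter snapshots. The 20 octets added per packet are not
explained by the manual; the added explanation here is that they cover the
8-octet preamble/SFD and 12-octet inter-frame gap that octet counters exclude.
maxBaseRate values are those of Table 15-14 plus the 1 Gbps rate the text quotes.
"""
MAX_BASE_RATE = {                 # raw bits per second in one direction
    "STS-1": 51_840_000,
    "STS-3c": 155_000_000,
    "STS-6c": 311_000_000,
    "STS-12c": 622_000_000,
    "1GE": 1_000_000_000,
}
PER_PACKET_OVERHEAD = 20          # octets per packet added by the formula
COUNTERS = ("inOctets", "inPkts", "outOctets", "outPkts")


def utilization_pct(octets: int, pkts: int, interval_s: int, max_base_rate: int) -> float:
    """Rx or Tx = (octets + pkts * 20) * 8 / (interval * maxBaseRate) * 100%."""
    if interval_s <= 0 or max_base_rate <= 0:
        raise ValueError("interval and maxBaseRate must be positive")
    bits = (octets + pkts * PER_PACKET_OVERHEAD) * 8
    return bits * 100.0 / (interval_s * max_base_rate)


def interval_utilization(before: dict, after: dict, interval_s: int, rate_name: str) -> dict:
    """Rx, Tx and their average from two snapshots of the four counters."""
    delta = {k: after[k] - before[k] for k in COUNTERS}
    if min(delta.values()) < 0:
        # A counter that went backwards means a wrap or a Baseline/Clear in between;
        # the window would show a bogus value, so refuse to compute one.
        raise ValueError("counter wrapped or was reset between snapshots")
    rate = MAX_BASE_RATE[rate_name]
    rx = utilization_pct(delta["inOctets"], delta["inPkts"], interval_s, rate)
    tx = utilization_pct(delta["outOctets"], delta["outPkts"], interval_s, rate)
    return {"rx": rx, "tx": tx, "avg": (rx + tx) / 2}   # the window reports the average


if __name__ == "__main__":
    # Constructed sample: one minute of traffic on a port mapped to an STS-1.
    t0 = {"inOctets": 0, "inPkts": 0, "outOctets": 0, "outPkts": 0}
    t1 = {"inOctets": 36_880_000, "inPkts": 100_000,
          "outOctets": 7_376_000, "outPkts": 20_000}
    print(interval_utilization(t0, t1, 60, "STS-1"))
```

Because the per-packet overhead is fixed, a stream of minimum-size packets consumes noticeably more of maxBaseRate than its octet count alone suggests; comparing `utilization_pct` with and without the `pkts` term for a small-packet mix shows the gap.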
15.6.2.3 G-Series Ethernet History Window

The Ethernet History window lists past Ethernet statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are defined in Table 15-16 on page 15-32.

15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters

CTC provides Ethernet performance information for line-level parameters and historical Ethernet statistics. The ML-Series Ethernet performance information is divided into the Ether Ports, Packet-over-SONET (POS) Ports, and RPR Span tabbed windows within the card view Performance tab window. These tabs may vary depending on the card selected.

15.6.3.1 ML-Series Ether Ports Statistics Window

The Ethernet Ether Ports Statistics window lists Ethernet parameters at the line level. The Statistics window provides buttons to change the statistical values shown. The Baseline button resets the displayed statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which automatic refresh occurs. The ML-Series Statistics window also has a Clear button. The Clear button sets the values on the card to zero, but does not reset the ML-Series card. During each automatic cycle, whether auto-refreshed or manually refreshed (using the Refresh button), statistics are added cumulatively and are not immediately adjusted to equal total received packets until testing ends. To see the final PM count totals, allow a few moments for the PM window statistics to finish testing and update fully.
PM counts are also listed in the ML-Series card Performance > History window. Table 15-17 defines the ML-Series Ethernet card Ether Ports PM parameters.

Table 15-17 ML-Series Ether Ports PM Parameters
Parameter    Definition
ifInOctets    Number of bytes received since the last counter reset.
rxTotalPackets    Number of packets received.
ifInUcastPkts    Number of unicast packets received since the last counter reset.
ifInMulticastPkts    Number of multicast packets received since the last counter reset.
ifInBroadcastPkts    Number of broadcast packets received since the last counter reset.
ifInDiscards    The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
ifInErrors [1]    The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol.
ifOutOctets    Number of bytes transmitted since the last counter reset.
txTotalPkts    Number of transmitted packets.
ifOutUcastPkts    Number of unicast packets transmitted.
ifOutMulticastPkts    Number of multicast packets transmitted.
ifOutBroadcastPkts    Number of broadcast packets transmitted.
dot3StatsAlignmentErrors    A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check.
dot3StatsFCSErrors    A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
dot3StatsSingleCollisionFrames [1]    A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
dot3StatsFrameTooLong [1]    A count of frames received on a particular interface that exceed the maximum permitted frame size.
etherStatsUndersizePkts    The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
etherStatsOversizePkts    The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Note that for tagged interfaces, this number becomes 1522 bytes.
etherStatsFragments [1]    The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
    Note It is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits.
etherStatsPkts64Octets [1]    The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts65to127Octets [1]    The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts128to255Octets [1]    The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts256to511Octets [1]    The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts512to1023Octets [1]    The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsPkts1024to1518Octets [1]    The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets).
etherStatsBroadcastPkts [1]    The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
etherStatsMulticastPkts [1]    The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.
etherStatsJabbers    The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsOctets [1]    The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
etherStatsCollissions    Number of transmit packets that are collisions; the port and the attached device transmitting at the same time caused collisions.
etherStatsCRCAlignErrors [1]    The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error).
etherStatsDropEvents    Number of received frames dropped at the port level.
rxPauseFrames [2]    Number of received Ethernet 802.3z pause frames.
mediaIndStatsOversizeDropped [2]    Number of received oversized packages that are dropped.
mediaIndStatsTxFramesTooLong [2]    Number of received frames that are too long. The maximum is the programmed max frame size (for virtual SAN [VSAN] support); if the maximum frame size is set to default, then the maximum is a 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
1. ML-MR-10 only
2. ML1000-2 only

15.6.3.2 ML-Series Card Ether Ports Utilization Window

The Ether Ports Utilization window shows the percentage of Tx and Rx line bandwidth used by the Ethernet ports during consecutive time segments. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:

Rx = (inOctets + inPkts * 20) * 8 / (interval * maxBaseRate) * 100%
Tx = (outOctets + outPkts * 20) * 8 / (interval * maxBaseRate) * 100%

The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the Ethernet port (that is, 1 Gbps). The maxBaseRate for ML-Series Ethernet cards is shown in Table 15-14.

Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.

15.6.3.3 ML-Series Card Ether Ports History Window

The Ethernet Ether Ports History window lists past Ethernet statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are defined in Table 15-17 on page 15-34.

15.6.3.4 ML-Series POS Ports Window

In the ML-Series POS Ports window, the parameters displayed depend on the framing mode employed by the ML-Series card.
The two framing modes for the POS port on the ML-Series card are HDLC and frame-mapped generic framing procedure (GFP-F). For more information on provisioning a framing mode, refer to the Cisco ONS 15454 Procedure Guide. Table 15-18 defines the ML-Series Ethernet card POS Ports HDLC parameters. Table 15-19 defines the ML-Series Ethernet card POS Ports GFP-F parameters.

Table 15-18 ML-Series POS Ports Parameters for HDLC Mode
Parameter    Definition
ifInOctets    Number of bytes received since the last counter reset.
rxTotalPkts    Number of packets received.
ifOutOctets    Number of bytes transmitted since the last counter reset.
txTotalPkts    Number of transmitted packets.
etherStatsDropEvents    Number of received frames dropped at the port level.
rxPktsDroppedInternalCongestion    Number of received packets dropped due to overflow in the frame buffer.
mediaIndStatsRxFramesTruncated    Number of received frames with a length of 36 bytes or less.
mediaIndStatsRxFramesTooLong    Number of received frames that are too long. The maximum is the programmed maximum frame size (for VSAN support); if the maximum frame size is set to default, then the maximum is the 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
mediaIndStatsRxFramesBadCRC    Number of received frames with CRC errors.
mediaIndStatsRxShortPkts    Number of received packets that are too small.
hdlcInOctets    Number of bytes received (from the SONET/SDH path) prior to the bytes undergoing HDLC decapsulation by the policy engine.
hdlcRxAborts    Number of received packets aborted on input.
hdlcOutOctets    Number of bytes transmitted (to the SONET/SDH path) after the bytes undergo HDLC encapsulation by the policy engine.

Table 15-19 ML-Series POS Ports Parameters for GFP-F Mode
Parameter    Meaning
etherStatsDropEvents    Number of received frames dropped at the port level.
rxPktsDroppedInternalCongestion    Number of received packets dropped due to overflow in the frame buffer.
gfpStatsRxFrame    Number of received GFP frames.
gfpStatsTxFrame    Number of transmitted GFP frames.
gfpStatsRxOctets    Number of GFP bytes received.
gfpStatsTxOctets    Number of GFP bytes transmitted.
gfpStatsRxSBitErrors    Sum of all the single bit errors. In the GFP CORE HDR at the GFP-T receiver, these are correctable.
gfpStatsRxMBitErrors    Sum of all the multiple bit errors. In the GFP CORE HDR at the GFP-T receiver, these are uncorrectable.
gfpStatsRxTypeInvalid    Number of receive packets dropped due to Client Data Frame UPI errors.
gfpStatsRxCRCErrors    Number of packets received with a payload FCS error.
gfpStatsLFDRaised    Count of core HEC CRC multiple bit errors.
    Note This count is only of eHec multiple bit errors when in frame. This can be looked at as a count of when the state machine goes out of frame.
gfpStatsCSFRaised    Number of GFP Client signal fail frames detected at the GFP-T receiver.
mediaIndStatsRxFramesTruncated    Number of received frames that are too long. The maximum is the programmed maximum frame size (for VSAN support); if the maximum frame size is set to default, then the maximum is the 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes.
mediaIndStatsRxFramesTooLong    Number of received frames with CRC errors.
mediaIndStatsRxShortPkts    Number of received packets that are too small.

15.6.3.5 ML-Series RPR Span Window

The parameters that appear in the ML-Series RPR Span window are the mandatory attributes of the 802.17 MIB. For more information on provisioning a framing mode, refer to the Cisco ONS 15454 Procedure Guide. Table 15-20 defines the ML-Series Ethernet card RPR Span parameters.

Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB
Parameter    Meaning
gfpStatsRxSBitErrors    Sum of all the single bit errors. In the GFP CORE HDR at the GFP-T receiver, these are correctable.
gfpStatsRxMBitErrors    Sum of all the multiple bit errors. In the GFP CORE HDR at the GFP-T receiver, these are uncorrectable.
gfpStatsRxTypeInvalid    Number of receive packets dropped due to Client Data Frame UPI errors.
rprSpanStatsInUcastClassCFrames    Number of received (PHY to MAC) classC unicast frames.
rprSpanStatsInUcastClassCOctets    Number of received (PHY to MAC) classC unicast octets.
rprSpanStatsInMcastClassCFrames    Number of received (PHY to MAC) classC multicast and broadcast frames.
rprSpanStatsInMcastClassCOctets    Number of received (PHY to MAC) classC multicast and broadcast octets.
rprSpanStatsInUcastClassBEirFrames    Number of received (PHY to MAC) classB EIR unicast frames.
rprSpanStatsInUcastClassBEirOctets    Number of received (PHY to MAC) classB EIR unicast octets.
rprSpanStatsInMcastClassBEirFrames    Number of received (PHY to MAC) classB EIR multicast and broadcast frames.
rprSpanStatsInMcastClassBEirOctets    Number of received (PHY to MAC) classB EIR multicast and broadcast octets.
rprSpanStatsInUcastClassBCirFrames    Number of received (PHY to MAC) classB CIR unicast frames.
rprSpanStatsInUcastClassBCirOctets    Number of received (PHY to MAC) classB CIR unicast octets.
rprSpanStatsInMcastClassB CirFrames Number of received (PHY to MAC) classB CIR multicast and broadcast frames. rprSpanStatsInMcastClassB CirOctets Number of received (PHY to MAC) classB CIR multicast and broadcast octets. rprSpanStatsInUcastClassA Frames Number of received (PHY to MAC) classA unicast frames. rprSpanStatsInUcastClassA Octets Number of received (PHY to MAC) classA unicast octets. rprSpanStatsInMcastClassA Frames Number of received (PHY to MAC) classA multicast and broadcast frames. rprSpanStatsInMcastClassA Octets Number of received (PHY to MAC) classA multicast and broadcast octets. rprSpanStatsInCtrlFrames Number of received (PHY to MAC) control frames processed by this MAC. This does not include control frames in transit, i.e. a multicast control frame received from a ringlet will be counted as In but not Out. This does not include Fairness or idle frames. rprSpanStatsInOamEcho Frames Number of received (PHY to MAC) OAM echo frames processed by this MAC. rprSpanStatsInOamFlush Frames Number of received (PHY to MAC) OAM flush frames processed by this MAC. Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB (continued) Parameter Meaning15-40 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters rprSpanStatsInOamOrgFrames Number of received (PHY to MAC) OAM Org frames processed by this MAC. rprSpanStatsInTopoAtdFrames Number of received (PHY to MAC) Topology ATD frames processed by this MAC. rprSpanStatsInTopoChkSum Frames Number of received (PHY to MAC) topology checksum frames processed by this MAC. rprSpanStatsInTopoTpFrames Number of received (PHY to MAC) topology TP frames processed by this MAC. rprSpanStatsOutUcastClassC Frames Number of transmitted (MAC to PHY) classC unicast frames. rprSpanStatsOutUcastClassC Octets Number of transmitted (MAC to PHY) classC unicast octets. 
rprSpanStatsOutMcastClassC Frames Number of transmitted (MAC to PHY) classC multicast and broadcast frames. rprSpanStatsOutMcastClassC Octets Number of transmitted (MAC to PHY) classC multicast and broadcast octets. rprSpanStatsOutUcastClassB EirFrames Number of transmitted (MAC to PHY) classB EIR unicast frames rprSpanStatsOutUcastClassB EirOctets The number of transmitted (MAC to PHY) classB EIR unicast octets. rprSpanStatsOutMcastClassB EirFrames The number of transmitted (MAC to PHY) classB EIR multicast and broadcast frames. rprSpanStatsOutMcastClassB EirOctets The number of transmitted (MAC to PHY) classB EIR multicast and broadcast octets. rprSpanStatsOutUcastClassB CirFrames The number of transmitted (MAC to PHY) classB CIR unicast frames. rprSpanStatsOutUcastClassB CirOctets The number of transmitted (MAC to PHY) classB CIR unicast octets. rprSpanStatsOutMcastClassB CirFrames The number of transmitted (MAC to PHY) classB CIR multicast and broadcast frames. rprSpanStatsOutMcastClassB CirOctets The number of transmitted (MAC to PHY) classB CIR multicast and broadcast octets. rprSpanStatsOutUcastClassA Frames The number of transmitted (MAC to PHY) classA unicast frames. rprSpanStatsOutUcastClassA Octets The number of transmitted (MAC to PHY) classA unicast octets. rprSpanStatsOutMcastClassA Frames The number of transmitted (MAC to PHY) classA multicast and broadcast frames. rprSpanStatsOutMcastClassA Octets The number of transmitted (MAC to PHY) classA multicast and broadcast octets. Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB (continued) Parameter Meaning15-41 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters rprSpanStatsOutCtrlFrames The number of transmitted (MAC to PHY) control frames generated by this MAC. This does not include control frames in transit, i.e. 
a multicast control frame received from a ringlet will be counted as In but not Out. This does not include Fairness or idle frames. rprSpanStatsOutOamEcho Frames The number of transmitted (MAC to PHY) OAM echo frames generated by this MAC. rprSpanStatsOutOamFlush Frames The number of transmitted (MAC to PHY) OAM flush frames generated by this MAC. rprSpanStatsOutOamOrg Frames The number of transmitted (MAC to PHY) OAM Org frames generated by this MAC. rprSpanStatsOutTopoAtd Frames The number of transmitted (MAC to PHY) topology ATD frames generated by this MAC. rprSpanStatsOutTopoChkSum Frames The number of transmitted (MAC to PHY) topology checksum frames generated by this MAC. rprSpanStatsOutTopoTp Frames The number of transmitted (MAC to PHY) topology TP frames generated by this MAC. rprClientStatsInUcastClassC Frames The number of MAC to client classC unicast frames. rprClientStatsInUcastClassC Octets The number of MAC to client classC unicast octets. rprClientStatsInMcastClassC Frames The number of MAC to client classC multicast and broadcast frames. rprClientStatsInMcastClassC Octets The number of MAC to client classC multicast and broadcast octets. rprClientStatsInUcastClassB EirFrames The number of MAC to client classB EIR unicast frames. rprClientStatsInUcastClassB EirOctets Number of packets received with a payload FCS error. rprClientStatsInMcastClassB EirFrames Number of MAC to client classB EIR multicast and broadcast frames rprClientStatsInMcastClassB EirOctets Number of MAC to client classB EIR multicast and broadcast octets. rprClientStatsInUcastClassB CirFrames Number of MAC to client classB CIR unicast frames. rprClientStatsInUcastClassB CirOctets Number of MAC to client classB CIR unicast octets. rprClientStatsInMcastClassB CirFrames Number of MAC to client classB CIR multicast and broadcast frames. 
rprClientStatsInMcastClassB CirOctets Number of MAC to client classB CIR multicast and broadcast octets rprClientStatsInUcastClassA Frames Number of MAC to client classA unicast frames. Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB (continued) Parameter Meaning15-42 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.3 ML-Series Ethernet Card Performance Monitoring Parameters rprClientStatsInUcastClassA Octets Number of MAC to client classA unicast octets. rprClientStatsInMcastClassA Frames Number of MAC to client classA multicast and broadcast frames. rprClientStatsInMcastClassA Octets Number of MAC to client classA multicast and broadcast octets. rprClientStatsInBcastFrames Number of MAC to client broadcast frames. This is used only when deriving the multicast and broadcast packet counters for the interface MIB. rprClientStatsOutUcastClassC Frames Number of client to MAC classC unicast frames. rprClientStatsOutUcastClassC Octets Number of client to MAC classC unicast octets. rprClientStatsOutMcastClassC Frames Number of client to MAC classC multicast and broadcast frames. rprClientStatsOutMcastClassC Octets Number of client to MAC classC multicast and broadcast octets. rprClientStatsOutUcastClassB EirFrames Number of client to MAC classB EIR unicast frames. rprClientStatsOutUcastClassB EirOctets Number of client to MAC classB EIR unicast octets. rprClientStatsOutMcastClassB EirFrames Number of client to MAC classB EIR multicast and broadcast frames. rprClientStatsOutMcastClassB EirOctets Number of client to MAC classB EIR multicast and broadcast octets. rprClientStatsOutUcastClassB CirFrames Number of client to MAC classB CIR unicast frames. rprClientStatsOutUcastClassB CirOctets Number of client to MAC classB CIR unicast octets. rprClientStatsOutMcastClassB CirFrames Number of client to MAC classB CIR multicast and broadcast frames. 
rprClientStatsOutMcastClassB CirOctets Number of client to MAC classB CIR multicast and broadcast octets. rprClientStatsOutUcastClassA Frames Number of client to MAC classA unicast frames. rprClientStatsOutUcastClassA Octets Number of client to MAC classA unicast octets. rprClientStatsOutMcastClassA Frames Number of client to MAC classA multicast and broadcast frames. rprClientStatsOutMcastClassA Octets Number of client to MAC classA multicast and broadcast octets. Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB (continued) Parameter Meaning15-43 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters CTC provides Ethernet performance information, including line-level parameters, port bandwidth consumption, and historical Ethernet statistics. The CE-Series card Ethernet performance information is divided into Ether Ports and POS Ports tabbed windows within the card view Performance tab window. rprClientStatsOutBcastFrames Number of client to MAC broadcast frames. This is used only when deriving the multicast and broadcast packet counters for the interface MIB. rprErrorStatsBadParityFrames Number of received (PHY to MAC) frames parity value not matching the expected parity value rprErrorStatsBadHecFrames The number of received (PHY to MAC) frames with HEC error rprErrorStatsTtlExpFrames The number of received (PHY to MAC) frames that were dropped due to zero Time To Live (TTL). rprErrorStatsTooLongFrames The number of received (PHY to MAC) frames that exceed the maximum permitted frame size. rprErrorStatsTooShortFrames The number of received (PHY to MAC) frames shortest than the minimum permitted frame size. rprErrorStatsBadFcsFrames The number of received (PHY to MAC) data and control frames where the fcs value did not match the expected fcs value. 
rprErrorStatsSelfSrcUcastFram es The number of received (PHY to MAC) unicast frames that were transmitted by the station itself. That is, the source MAC is equal to the interface MAC. rprErrorStatsPmdAbortFrames The number of received (PHY to MAC) frames that were aborted by the PMD. rprErrorStatsBadAddrFrames The number of received (PHY to MAC) frames with invalid SA value. rprErrorStatsContainedFrames The number of received (PHY to MAC) frames that were removed due to context containment. rprErrorStatsScffErrors The number of received (PHY to MAC) errored SCFF, with bad parity, bad FCS, or both. gpfStatsCSFRaised The number of total received client management frames. gfpStatsLFDRaised The number of Core HEC CRC Multiple Bit Errors. Note This count is only for cHEC multiple bit error when in frame. It is a count of when the state machine goes out of frame. rprPortCounterError Packets dropped internally by the network processor. Table 15-20 ML-Series RPR Span Parameters for 802.17 MIB (continued) Parameter Meaning15-44 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters 15.6.4.1 CE-Series Card Ether Port Statistics Window The Ethernet Ether Ports Statistics window lists Ethernet parameters at the line level. The Statistics window provides buttons to change the statistical values shown. The Baseline button resets the displayed statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which automatic refresh occurs. The CE-Series Statistics window also has a Clear button. The Clear button sets the values on the card to zero, but does not reset the CE-Series card. During each automatic cycle, whether auto-refreshed or manually refreshed (using the Refresh button), statistics are added cumulatively and are not immediately adjusted to equal total received packets until testing ends. 
To see the final PM count totals, allow a few moments for the PM window statistics to finish testing and update fully. PM counts are also listed in the CE-Series card Performance > History window. Table 15-21 defines the CE-Series card Ethernet port parameters. Table 15-21 CE-Series Ether Port PM Parameters Parameter Definition Time Last Cleared A time stamp indicating the last time statistics were reset. Link Status Indicates whether the Ethernet link is receiving a valid Ethernet signal (carrier) from the attached Ethernet device; up means present, and down means not present. ifInOctets Number of bytes received since the last counter reset. rxTotalPkts Number of received packets. ifInUcastPkts Number of unicast packets received since the last counter reset. ifInMulticastPkts Number of multicast packets received since the last counter reset. ifInBroadcastPkts Number of broadcast packets received since the last counter reset. ifInDiscards The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free buffer space. Note The counter ifInDiscards counts discarded frames regardless of the state (enabled or disabled) of flow control. ifInErrors The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol. ifOutOctets Number of bytes transmitted since the last counter reset. txTotalPkts Number of transmitted packets. ifOutDiscards1 Number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their transmission. A possible reason for discarding such packets could be to free up buffer space. ifOutErrors1 Number of outbound packets or transmission units that could not be transmitted because of errors. ifOutUcastPkts2 Number of unicast packets transmitted. 
ifOutMulticastPkts2 Number of multicast packets transmitted. ifOutBroadcastPkts2 Number of broadcast packets transmitted.15-45 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters dot3StatsAlignment Errors2 A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check. dot3StatsFCSErrors A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. dot3StatsSingleCollision Frames2 A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly on collision. dot3StatsFrameTooLong A count of frames received on a particular interface that exceed the maximum permitted frame size. etherStatsUndersizePkts The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed. etherStatsFragments The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). Note It is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits. etherStatsPkts64Octets The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including FCS octets). etherStatsPkts65to127 Octets The total number of packets (including bad packets) received that were between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets). 
etherStatsPkts128to255 Octets The total number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets). etherStatsPkts256to511 Octets The total number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets). etherStatsPkts512to1023 Octets The total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets). etherStatsPkts1024to151 8Octets The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length inclusive (excluding framing bits but including FCS octets). etherStatsBroadcastPkts The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets. etherStatsMulticastPkts The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address. etherStatsOversizePkts The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Note that for tagged interfaces, this number becomes 1522 bytes. Table 15-21 CE-Series Ether Port PM Parameters (continued) Parameter Definition15-46 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters etherStatsJabbers The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). 
etherStatsOctets The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets etherStatsCollisions2 Number of transmit packets that are collisions; the port and the attached device transmitting at the same time caused collisions. etherStatsCRCAlign Errors2 The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had either a bad FCS with an integral number of octets (FCS Error) or a bad FCS with a nonintegral number of octets (Alignment Error). etherStatsDropEvents2 Number of received frames dropped at the port level. rxPauseFrames Number of received pause frames. Note rxPauseFrames is not supported on CE-100T-8 card. txPauseFrames Number of transmitted pause frames. Note txPauseFrames is not supported on CE-100T-8 card. rxPktsDroppedInternalC ongestion1 Number of received packets dropped due to overflow in frame buffer. txPktsDroppedInternalC ongestion1 Number of transmit queue drops due to drops in frame buffer. rxControlFrames1 Number of received control frames. mediaIndStatsRxFrames Truncated1 Number of received frames with length of 36 bytes or less. mediaIndStatsRxFrames TooLong1 Number of received frames that are too long. The maximum is the programmed maximum frame size (for VSAN support); if the maximum frame size is set to default, then the maximum is the 2112 byte payload plus the 36 byte header, which is a total of 2148 bytes. mediaIndStatsRxFrames BadCRC1 Number of received frames with CRC error. mediaIndStatsTxFrames BadCRC1 Number of transmitted frames with CRC error. mediaIndStatsRxShortPk ts1 Number of received packets that are too small. 1. For CE1000-4 only 2. 
For CE100T-8, CE-MR-10 only Table 15-21 CE-Series Ether Port PM Parameters (continued) Parameter Definition15-47 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters 15.6.4.2 CE-Series Card Ether Ports Utilization Window The Ether Ports Utilization window shows the percentage of Tx and Rx line bandwidth used by the Ethernet ports during consecutive time segments. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas: Rx = (inOctets + inPkts * 20) * 8 / 100% interval * maxBaseRate Tx = (outOctets + outPkts * 20) * 8 / 100% interval * maxBaseRate The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the Ethernet port (that is, 1 Gbps). The maxBaseRate for CE-Series Ethernet cards is shown in Table 15-14. Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity. 15.6.4.3 CE-Series Card Ether Ports History Window The Ethernet Ether Ports History window lists past Ethernet statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are defined in Table 15-21 on page 15-44. 15.6.4.4 CE-Series Card POS Ports Statistics Parameters The Ethernet POS Ports statistics window lists Ethernet POS parameters at the line level. Table 15-22 defines the CE-Series Ethernet card POS Ports parameters. Table 15-22 CE-Series Card POS Ports Parameters Parameter Definition Time Last Cleared A time stamp indicating the last time that statistics were reset. 
Link Status Indicates whether the Ethernet link is receiving a valid Ethernet signal (carrier) from the attached Ethernet device; up means present, and down means not present. ifInOctets Number of bytes received since the last counter reset. rxTotalPkts Number of received packets. ifInDiscards1 The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free buffer space. Note that due to hardware problems, the drop counter is not very accurate when flow control is enabled. Note The counter ifInDiscards counts discarded frames regardless of the state (enabled or disabled) of flow control.15-48 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.6.4 CE-Series Ethernet Card Performance Monitoring Parameters 15.6.4.5 CE-Series Card POS Ports Utilization Window The POS Ports Utilization window shows the percentage of Tx and Rx line bandwidth used by the POS ports during consecutive time segments. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas: Rx = (inOctets * 8) / (interval * maxBaseRate) Tx = (outOctets * 8) / (interval * maxBaseRate) The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the Ethernet port (that is, 1 Gbps). The maxBaseRate for CE-Series cards is shown in Table 15-14 on page 15-31. Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity. ifInErrors1 The number of inbound packets (or transmission units) that contained errors preventing them from being deliverable to a higher-layer protocol. ifOutOctets Number of bytes transmitted since the last counter reset. 
txTotalPkts Number of transmitted packets. Note that due to hardware problems, the txTotalPkts and txTotalOctets counters are incorrect when flow control is enabled and there are drop packets in the ET3 mapper of the CE-100T-8 card. gfpStatsRxFrame2 Number of received GFP frames. gfpStatsTxFrame2 Number of transmitted GFP frames. gfpStatsRxCRCErrors Number of packets received with a payload FCS error. gfpStatsRxOctets2 Number of GFP bytes received. gfpStatsTxOctets2 Number of GFP bytes transmitted. gfpStatsRxSBitErrors Sum of all the single bit errors. In the GFP CORE HDR at the GFP-T receiver, these are correctable. gfpStatsRxMBitErrors Sum of all the multiple bit errors. In the GFP CORE HDR at the GFP-T receiver, these are uncorrectable. gfpStatsRxTypeInvalid Number of receive packets dropped due to Client Data Frame UPI errors. gfpStatsRxCIDInvalid1 Number of packets with invalid CID. gfpStatsCSFRaised Number of GFP Client signal fail frames detected at the GFP-T receiver. ifInPayloadCrcErrors1 Received payload CRC errors. ifOutPayloadCrcErrors1 Transmitted payload CRC errors. hdlcPktDrops Number of received packets dropped before input. 1. Applicable only for CE100T-8, CE-MR-10 2. Applicable only for CE1000-4 Table 15-22 CE-Series Card POS Ports Parameters (continued) Parameter Definition15-49 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.7 Performance Monitoring for Optical Cards 15.6.4.6 CE-Series Card POS Ports History Window The Ethernet POS Ports History window lists past Ethernet POS ports statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-15 on page 15-31. The listed parameters are defined in Table 15-22 on page 15-47. 
15.7 Performance Monitoring for Optical Cards This section lists PM parameters for ONS 15454 optical cards, including the OC-3, OC-12, OC-48, and OC-192 cards. Figure 15-20 shows the signal types that support near-end and far-end PMs. Figure 15-20 Monitored Signal Types for the OC-3 Cards Note The XX in Figure 15-20 represents all PMs listed in Table 15-23, Table 15-24, and Table 15-25 with the given prefix and/or suffix. Figure 15-21 shows where overhead bytes detected on the ASICs produce PM parameters for the OC3 IR 4 SH 1310 and OC3 IR SH 1310-8 cards. 78985 PTE ONS 15454 OC-3 OC48 Fiber OC-3 Signal OC-3 Signal ONS 15454 OC48 OC-3 STS Path (STS XX-P) PMs Near and Far End Supported PTE15-50 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.7 Performance Monitoring for Optical Cards Figure 15-21 PM Read Points on the OC-3 Cards Note For PM locations relating to protection switch counts, see the Telcordia GR-253-CORE document. Table 15-23 and Table 15-24 list the PM parameters for OC-3 cards. 78986 ONS 15454 OC-3 Card Pointer Processors BTC ASIC XC Card(s) OC-N CV-S ES-S SES-S SEFS-S CV-L ES-L SES-L UAS-L FC-L PPJC-Pdet NPJC-Pdet PPJC-Pgen NPJC-Pgen Path Level STS CV-P STS ES-P STS FC-P STS SES-P STS UAS-P STS CV-PFE STS ES-PFE STS FC-PFE STS SES-PFE STS UAS-PFE PMs read on BTC ASIC PMs read on PMC Table 15-23 OC-3 Card PMs Section (NE) Line (NE) STS Path (NE) Line (FE) STS Path (FE)1 1. The STS Path (FE) PMs are valid only for the OC3-4 card on ONS 15454. Also, OC-3/12/48 on 15310MA platform, MRC-12, and OC192/STM64-XFP based cards support far-end path PM parameters. All other optical cards do not support far-end path PM parameters. 
CV-S ES-S SES-S SEF-S CV-L ES-L SES-L UAS-L FC-L PSC (1+1) PSD (1+1) CV-P ES-P SES-P UAS-P FC-P PPJC-PDET NPJC-PDET PPJC-PGEN NPJC-PGEN PPJC-PDET-P PPJC-PGEN-P PJC-DIFF CV-LFE ES-LFE SES-LFE UAS-LFE FC-LFE CV-PFE ES-PFE SES-PFE UAS-PFE FC-PFE15-51 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.7 Performance Monitoring for Optical Cards Table 15-25 lists the PM parameters for OC-12, OC-48, OC-192, and OC-192-XFP cards. Note If the CV-L(NE and FE) falls in a specific range, then, the user might see discrepancy in the SES and the UAS-L values. However, ES-L will be in the nearest accuracy. For a few seconds, in a given 10 seconds interval, the number of CV-L counted may not cross the CV count criteria for SES, (due to system/application limitation for the below mentioned ranges); as a consequence of which there may not be 10 continuous SES, thus UAS will not be observed. The corresponding (error) range for the line rates is as shown in Table 15-26. 
Table 15-24 OC3-8 Card PMs Section (NE) Line (NE) Physical Layer (NE) STS Path (NE) Line (FE) STS Path (FE) CV-S ES-S SES-S SEF-S CV-L ES-L SES-L UAS-L FC-L PSC (1+1) PSD (1+1) LBCL OPT OPR CV-P ES-P SES-P UAS-P FC-P PPJC-PDET-P NPJC-PDET-P PPJC-PGEN-P NPJC-PGEN-P PJCS-PDET-P PJCS-PGEN-P PJC-DIFF-P CV-LFE ES-LFE SES-LFE UAS-LFE FC-LFE CV-PFE ES-PFE SES-PFE UAS-PFE FC-PFE Table 15-25 OC-12, OC-48, OC-192, OC-192-XFP Card PMs Section (NE) Line (NE) STS Path (NE) Line (FE) CV-S ES-S SES-S SEF-S CV-L ES-L SES--L UASL FC-L PSC (1+1, 2F BLSR) PSD (1+1, 2F BLSR) PSC-W (4F BLSR) PSD-W (4F BLSR) PSC-S (4F BLSR) PSD-S (4F BLSR) PSC-R (4F BLSR) PSD-R (4F BLSR) CV-P ES-P SES-P UAS-P FC-P PPJC-PDET-P NPJC-PDET-P PPJC-PGEN-P NPJC-PGEN-P PJCS-PGEN-P PJCS-PDET-P PJC-DIFF-P CV-L ES-L SES-L UAS-L FC-L15-52 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.8 Performance Monitoring for Optical Multirate Cards 15.8 Performance Monitoring for Optical Multirate Cards This section lists PM parameters for the optical mutirate cards MRC-12 and MRC-2.5G-4. Figure 15-22 shows where overhead bytes detected on the ASICs produce PM parameters for the MRC-12 card and the MRC-2.5G-4 card. Figure 15-22 PM Read Points for the MRC-12 and the MRC-2.5G-4 Cards Table 15-27 lists the PM parameters for MRC-12 and MRC-4 cards. 
Table 15-26 Table of Border Error Rates Line Rate Error Ranges OC3 154-164 OC12 615-625 OC48 2459-2470 OC192 9835-9845 134561 XC Card OC-N iBPIA ASIC iBPIA ASIC Regenerator Section PM (SDH Near-End RS-EB Near-End RS-ES Near-End RS-SES Near-End RS-BBE Near-End RS-OFS Multiplex Section PM (SDH) Near-End MS-EB Near-End MS-ES Near-End MS-SES Near-End MS-UAS Near-End MS-BBE Near-End MS-FC Far-End MS-EB Far-End MS-ES Far-End MS-SES Far-End MS-UAS Far-End MS-BBE Far-End MS-FC Section PM - SONET Near-End CV-S Near-End ES-S Near-End SEFS-S Line PMs (SONET) Near-End CV-L Near-End ES-L Near-End SES-L Near-End UAS-L Near-End FC-L Far-End CV-LFE Far-End ES-LFE Far-End SES-LFE Far-End UAS-LFE ONS 15454 MRC-12/MRC-2.5G-4 Multirate Cards PMs read on Amazon ASIC15-53 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Chapter 15 Performance Monitoring 15.9 Performance Monitoring for Storage Access Networking Cards 15.9 Performance Monitoring for Storage Access Networking Cards The following sections define PM parameters and definitions for the SAN card, also known as the FC_MR-4 or Fibre Channel card. CTC provides FC_MR-4 performance information, including line-level parameters, port bandwidth consumption, and historical statistics. The FC_MR-4 card performance information is divided into the Statistics, Utilization, and History tabbed windows within the card view Performance tab window. 15.9.1 FC_MR-4 Statistics Window The Statistics window lists parameters at the line level. The Statistics window provides buttons to change the statistical values shown. The Baseline button resets the displayed statistics values to zero. The Refresh button manually refreshes statistics. Auto-Refresh sets a time interval at which automatic refresh occurs. The Statistics window also has a Clear button. The Clear button sets the values on the card to zero. All counters on the card are cleared. Table 15-28 defines the FC_MR-4 card statistics parameters. 
Table 15-27 MRC Card PMs

Section (NE): CV-S, ES-S, SES-S, SEF-S
Line (NE): CV-L, ES-L, SES-L, UAS-L, FC-L, PSC (1+1), PSD (1+1)
Physical Layer (NE): LBC, OPT, OPR
STS Path (NE): CV-P, ES-P, SES-P, UAS-P, FC-P, PPJC-PDET-P, NPJC-PDET-P, PPJC-PGEN-P, NPJC-PGEN-P, PJCS-PDET-P, PJCS-PGEN-P, PJC-DIFF-P
Line (FE): CV-LFE, ES-LFE, SES-LFE, UAS-LFE, FC-LFE
STS Path (FE): CV-PFE, ES-PFE, SES-PFE, UAS-PFE, FC-PFE

Table 15-28 FC_MR-4 Card Statistics

Parameter: Definition
Time Last Cleared: Time stamp indicating the time at which the statistics were last reset.
Link Status: Indicates whether the Fibre Channel link is receiving a valid Fibre Channel signal (carrier) from the attached Fibre Channel device; up means present, and down means not present.
ifInOctets: Number of bytes received without error for the Fibre Channel payload.
rxTotalPkts: Number of Fibre Channel frames received without errors.
ifInDiscards: Number of inbound packets that were chosen to be discarded even though no errors had been detected, to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
ifInErrors: Sum of frames that are oversized, undersized, or with cyclic redundancy check (CRC) error.
ifOutOctets: Number of bytes transmitted without error for the Fibre Channel payload.
txTotalPkts: Number of Fibre Channel frames transmitted without errors.
ifOutDiscards: Number of outbound packets which were chosen to be discarded even though no errors had been detected, to prevent their transmission. A possible reason for discarding such packets could be to free up buffer space.
gfpStatsRxSBitErrors: Number of single bit errors in core header error check (CHEC).
gfpStatsRxMBitErrors: Number of multiple bit errors in CHEC.
gfpStatsRxTypeInvalid: Number of invalid generic framing procedure (GFP) type field received.
This includes unexpected user payload identifier (UPI) type and also errors in CHEC.
gfpStatsRxSblkCRCErrors: Number of super block CRC errors.
gfpStatsRoundTripLatencyUSec: Round trip delay for the end-to-end Fibre Channel transport in milliseconds.
gfpStatsRxDistanceExtBuffers: Number of buffer credits received for the GFP-T receiver (valid only if distance extension is enabled).
gfpStatsTxDistanceExtBuffers: Number of buffer credits transmitted for the GFP-T transmitter (valid only if distance extension is enabled).
mediaIndStatsRxFramesTruncated: Number of Fibre Channel frames received with frame size <= 36 bytes.
mediaIndStatsRxFramesTooLong: Number of Fibre Channel frames received with frame size higher than the provisioned maximum frame size.
mediaIndStatsRxFramesBadCRC: Number of Fibre Channel frames received with bad CRC.
mediaIndStatsTxFramesBadCRC: Number of Fibre Channel frames transmitted with bad CRC.
fcStatsLinkRecoveries: Number of link recoveries.

15.9.2 FC_MR-4 Utilization Window

The Utilization window shows the percentage of Tx and Rx line bandwidth used by the ports during consecutive time segments. The Utilization window provides an Interval drop-down list that enables you to set time intervals of 1 minute, 15 minutes, 1 hour, and 1 day. Line utilization is calculated with the following formulas:

Rx = (inOctets + inPkts * 24) * 8 / (interval * maxBaseRate) * 100%
Tx = (outOctets + outPkts * 24) * 8 / (interval * maxBaseRate) * 100%

The interval is defined in seconds. The maxBaseRate is defined by raw bits per second in one direction for the port (that is, 1 Gbps or 2 Gbps). The maxBaseRate for FC_MR-4 cards is shown in Table 15-29.

Note Line utilization numbers express the average of ingress and egress traffic as a percentage of capacity.
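The utilization formulas above, worked through as an added example (this is not Cisco or CTC code): it applies the 24-byte per-frame overhead and the Table 15-29 maxBaseRate values, derives the per-interval counts from two successive reads of the cumulative Statistics-window counters, and refuses to compute a value when Time Last Cleared changed between the reads. The 64-bit counter width, the FcStats field names and the snapshot values are assumptions made for the example.

```python
"""FC_MR-4 line utilization from the Statistics-window counters (added example).

Not Cisco/CTC code. Implements the Utilization-window formulas
    Rx = (inOctets + inPkts * 24) * 8 / (interval * maxBaseRate) * 100%
    Tx = (outOctets + outPkts * 24) * 8 / (interval * maxBaseRate) * 100%
with maxBaseRate from Table 15-29, and derives the per-interval counts from
two successive reads of the cumulative Statistics-window counters.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Table 15-29: raw data bits per second in one direction after 8b/10b decoding.
MAX_BASE_RATE = {
    "STS-24": 850_000_000,      # 1 Gbps line rate carries 850 Mbps of data
    "STS-48": 850_000_000 * 2,  # 2 Gbps line rate carries 1700 Mbps of data
}

# Interval choices offered by the Utilization window, in seconds.
INTERVAL_SECONDS = {"1 minute": 60, "15 minutes": 900, "1 hour": 3600, "1 day": 86400}

FRAME_OVERHEAD_BYTES = 24   # per-frame overhead the formula adds to the payload octets
COUNTER_BITS = 64           # assumption: the octet/frame counters are 64-bit wide


@dataclass(frozen=True)
class FcStats:
    """The Statistics-window fields needed here, as read at one instant.
    Field names are this example's own, not MIB object names."""
    time_last_cleared: str
    if_in_octets: int
    rx_total_pkts: int
    if_out_octets: int
    tx_total_pkts: int


def utilization_percent(octets: int, pkts: int, interval_s: int, sts: str) -> float:
    """One direction's utilization as a percentage of maxBaseRate."""
    if sts not in MAX_BASE_RATE:
        raise ValueError(f"unknown STS circuit size: {sts}")
    if interval_s <= 0 or octets < 0 or pkts < 0:
        raise ValueError("interval must be positive and counts non-negative")
    bits = (octets + pkts * FRAME_OVERHEAD_BYTES) * 8
    return bits * 100.0 / (interval_s * MAX_BASE_RATE[sts])


def counter_delta(prev: int, cur: int, bits: int = COUNTER_BITS) -> int:
    """Difference between two reads of a monotonically increasing counter,
    correct across a single wrap of a `bits`-wide counter."""
    return (cur - prev) % (1 << bits)


def interval_utilization(prev: FcStats, cur: FcStats, interval_s: int,
                         sts: str) -> Optional[Tuple[float, float]]:
    """(Rx %, Tx %) over the interval between two snapshots. Returns None when
    the Clear button was used in between (Time Last Cleared changed): the
    counters restarted from zero, so the delta would be wrong."""
    if prev.time_last_cleared != cur.time_last_cleared:
        return None
    rx = utilization_percent(counter_delta(prev.if_in_octets, cur.if_in_octets),
                             counter_delta(prev.rx_total_pkts, cur.rx_total_pkts),
                             interval_s, sts)
    tx = utilization_percent(counter_delta(prev.if_out_octets, cur.if_out_octets),
                             counter_delta(prev.tx_total_pkts, cur.tx_total_pkts),
                             interval_s, sts)
    return rx, tx


if __name__ == "__main__":
    # Constructed snapshots one minute apart on an STS-24 (1 Gbps) circuit.
    a = FcStats("2012-08-29 10:00:00", 100, 1, 50, 1)
    b = FcStats("2012-08-29 10:00:00", 2_526_000_100, 1_000_001, 1_263_000_050, 500_001)
    print(interval_utilization(a, b, INTERVAL_SECONDS["1 minute"], "STS-24"))  # (40.0, 20.0)
```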
Table 15-28 FC_MR-4 Card Statistics (continued)

fcStatsRxCredits: Number of buffers received to buffer credits T (valid only if distance extension is enabled).
fcStatsTxCredits: Number of buffers transmitted to buffer credits T (valid only if distance extension is enabled).
fcStatsZeroTxCredits: Number of transmit attempts that failed because of unavailable credits.
8b10bInvalidOrderedSets: 8b10b loss of sync count on the Fibre Channel line side.
8b10bStatsEncodingDispErrors: 8b10b disparity violation count on the Fibre Channel line side.
gfpStatsCSFRaised: Number of GFP Client Signal Fail frames detected.

Table 15-29 maxBaseRate for STS Circuits

STS      maxBaseRate
STS-24   850000000
STS-48   850000000 x 2 (1)

1. For 1 Gbps of bit rate being transported, there are only 850 Mbps of actual data because of 8b->10b conversion. Similarly, for 2 Gbps of bit rate being transported, there are only 1700 Mbps (850 Mbps x 2) of actual data.

15.9.3 FC_MR-4 History Window

The History window lists past FC_MR-4 statistics for the previous time intervals. Depending on the selected time interval, the History window displays the statistics for each port for the number of previous time intervals as shown in Table 15-30. The listed parameters are defined in Table 15-28 on page 15-53.

Table 15-30 FC_MR-4 History Statistics per Time Interval

Time Interval       Number of Intervals Displayed
1 minute            60 previous time intervals
15 minutes          32 previous time intervals
1 hour              24 previous time intervals
1 day (24 hours)    7 previous time intervals

CHAPTER 16 SNMP

This chapter explains Simple Network Management Protocol (SNMP) as implemented by the Cisco ONS 15454. For SNMP setup information, refer to the Cisco ONS 15454 Procedure Guide.
Chapter topics include:

• 16.1 SNMP Overview, page 16-1
• 16.2 Basic SNMP Components, page 16-2
• 16.3 SNMP External Interface Requirement, page 16-4
• 16.4 SNMP Version Support, page 16-4
• 16.5 SNMP Message Types, page 16-5
• 16.6 SNMP Management Information Bases, page 16-5
• 16.7 SNMP Trap Content, page 16-13
• 16.8 SNMPv1/v2 Community Names, page 16-21
• 16.9 SNMPv1/v2 Proxy Over Firewalls, page 16-21
• 16.10 SNMPv3 Proxy Configuration, page 16-21
• 16.11 Remote Monitoring, page 16-22

16.1 SNMP Overview

SNMP is an application-layer communication protocol that allows ONS 15454 network devices to exchange management information among these systems and with other devices outside the network. Through SNMP, network administrators can manage network performance, find and solve network problems, and plan network growth. Up to ten SNMPv1/v2 trap destinations and five concurrent Cisco Transport Controller (CTC) user sessions are allowed per node.

The ONS 15454 uses SNMP for asynchronous event notification to a network management system (NMS). The Cisco ONS system SNMP implementation uses standard Internet Engineering Task Force (IETF) management information bases (MIBs) to convey node-level inventory, fault, and performance management information for generic DS-1, DS-3, SONET, and Ethernet read-only management. SNMP allows a generic SNMP manager such as HP OpenView Network Node Manager (NNM) or Open Systems Interconnection (OSI) NetExpert to be utilized for limited management functions.

The Cisco ONS 15454 supports SNMP Version 1 (SNMPv1), SNMP Version 2c (SNMPv2c), and SNMP Version 3 (SNMPv3). As compared to SNMPv1, SNMPv2c includes additional protocol operations and 64-bit performance monitoring support. SNMPv3 provides authentication, encryption, and message integrity and is more secure.
This chapter describes the SNMP versions and the configuration parameters for the ONS 15454.

Note It is recommended that the SNMP Manager timeout value be set to 60 seconds. Under certain conditions, if this value is lower than the recommended time, the TCC card can reset. However, the response time depends on various parameters such as the object being queried, its complexity, the number of hops in the node, and so on.

Note In Software Release 8.0 and later, you can retrieve automatic in service (AINS) state and soak time through the SNMP and Transaction Language One (TL1) interfaces.

Note The CERENT-MSDWDM-MIB.mib, CERENT-FC-MIB.mib, and CERENT-GENERIC-PM-MIB.mib in the CiscoV2 directory support 64-bit performance monitoring counters. The SNMPv1 MIB in the CiscoV1 directory does not contain 64-bit performance monitoring counters, but supports the lower and higher word values of the corresponding 64-bit counter. The other MIB files in the CiscoV1 and CiscoV2 directories are identical in content and differ only in format.

Figure 16-1 illustrates the basic layout of an SNMP-managed network.

Figure 16-1 Basic Network Managed by SNMP

16.2 Basic SNMP Components

In general terms, an SNMP-managed network consists of a management system, agents, and managed devices.

A management system such as HP OpenView executes monitoring applications and controls managed devices. Management systems execute most of the management processes and provide the bulk of memory resources used for network management. Additionally, a network might be managed by one or several management systems. Figure 16-2 illustrates the relationship between the network manager, the SNMP agent, and the managed devices.
Figure 16-2 Example of the Primary SNMP Components

An agent (such as SNMP) residing on each managed device translates local management information data—such as performance information or event and error information caught in software traps—into a readable form for the management system. Figure 16-3 illustrates SNMP agent get-requests that transport data to the network management software.

Figure 16-3 Agent Gathering Data from a MIB and Sending Traps to the Manager

The SNMP agent captures data from MIBs, which are device parameter and network data repositories, or from error or change traps.

A managed element—such as a router, access server, switch, bridge, hub, computer host, or network element (such as an ONS 15454)—is accessed through the SNMP agent. Managed devices collect and store management information, making it available through SNMP to other management systems having the same protocol compatibility.

16.3 SNMP External Interface Requirement

Since all SNMP requests come from a third-party application, the only external interface requirement is that a third-party SNMP client application should have the ability to upload RFC 3273 SNMP MIB variables in the etherStatsHighCapacityTable, etherHistoryHighCapacityTable, or mediaIndependentTable.

16.4 SNMP Version Support

The ONS 15454 supports SNMPv1, SNMPv2c, and SNMPv3 traps and get requests. The ONS 15454 SNMP MIBs define alarms, traps, and status. Through SNMP, NMS applications can query a management agent for data from functional entities such as Ethernet switches and SONET multiplexers using a supported MIB.
Note ONS 15454 MIB files in the CiscoV1 and CiscoV2 directories are almost identical in content except for the difference in 64-bit performance monitoring features. The CiscoV2 directory contains three MIBs with 64-bit performance monitoring counters: CERENT-MSDWDM-MIB.mib, CERENT-FC-MIB.mib, and CERENT-GENERIC-PM-MIB.mib. The CiscoV1 directory does not contain any 64-bit counters, but it does support the lower and higher word values used in 64-bit counters. The two directories also have somewhat different formats.

16.4.1 SNMPv3 Support

Cisco ONS 15454 Software R9.0 and later supports SNMPv3 in addition to SNMPv1 and SNMPv2c. SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authentication and encryption of packets over the network, based on the User-Based Security Model (USM) and the View-Based Access Control Model (VACM).

• User-Based Security Model—The User-Based Security Model (USM) uses the HMAC algorithm for generating keys for authentication and privacy. SNMPv3 authenticates data based on its origin, and ensures that the data is received intact. SNMPv1 and v2 authenticate data based on the plain text community string, which is less secure when compared to the user-based authentication model.
• View-Based Access Control Model—The view-based access control model controls the access to the managed objects. RFC 3415 defines the following five elements that VACM comprises:
– Groups—A set of users on whose behalf the MIB objects can be accessed. Each user belongs to a group. The group defines the access policy, the notifications that users can receive, and the security model and security level for the users.
– Security level—The access rights of a group depend on the security level of the request.
– Contexts—Define a named subset of the object instances in the MIB.
MIB objects are grouped into collections with different access policies based on the MIB contexts.
– MIB views—Define a set of managed objects as subtrees and families. A view is a collection or family of subtrees. Each subtree is included or excluded from the view.
– Access policy—Access is determined by the identity of the user, security level, security model, context, and the type of access (read/write). The access policy defines what SNMP objects can be accessed for reading, writing, and creating. Access to information can be restricted based on these elements. Each view is created with different access control details. An operation is permitted or denied based on the access control details.

You can configure SNMPv3 on a node to allow SNMP get and set access to management information and configure a node to send SNMPv3 traps to trap destinations in a secure way. SNMPv3 can be configured in secure mode, non-secure mode, or disabled mode. SNMP, when configured in secure mode, only allows SNMPv3 messages that have the authPriv security level. SNMP messages without authentication or privacy enabled are not allowed. When SNMP is configured in non-secure mode, it allows SNMPv1, SNMPv2, and SNMPv3 message types.

16.5 SNMP Message Types

The ONS 15454 SNMP agent communicates with an SNMP management application using SNMP messages. Table 16-1 describes these messages.

16.6 SNMP Management Information Bases

A managed object, sometimes called a MIB object, is one of many specific characteristics of a managed device. The MIB consists of hierarchically organized object instances (variables) that are accessed by network-management protocols such as SNMP. Section 16.6.1 IETF-Standard MIBs for the ONS 15454 lists the IETF standard MIBs implemented in the ONS 15454 SNMP agent.
Section 16.6.2 Proprietary ONS 15454 MIBs lists the proprietary MIBs implemented in the ONS 15454.

Table 16-1 ONS 15454 SNMP Message Types

Operation: Description
get-request: Retrieves a value from a specific variable.
get-next-request: Retrieves the value following the named variable; this operation is often used to retrieve variables from within a table. With this operation, an SNMP manager does not need to know the exact variable name. The SNMP manager searches sequentially to find the needed variable from within the MIB.
get-response: Replies to a get-request, get-next-request, get-bulk-request, or set-request sent by an NMS.
get-bulk-request: Fills the get-response with up to the max-repetition number of get-next interactions, similar to a get-next-request.
set-request: Provides remote network monitoring (RMON) MIB.
trap: Indicates that an event has occurred. An unsolicited message is sent by an SNMP agent to an SNMP manager.

16.6.1 IETF-Standard MIBs for the ONS 15454

Table 16-2 lists the IETF-standard MIBs implemented in the ONS 15454 SNMP agents. You must first compile the MIBs in Table 16-2. Compile the MIBs in Table 16-3 next.

Caution If you do not compile MIBs in the correct order, one or more might not compile correctly.
Table 16-2 IETF Standard MIBs Implemented in the ONS 15454 System

RFC (1) Number / Module Name / Title/Comments
— / IANAifType-MIB.mib / Internet Assigned Numbers Authority (IANA) ifType
1213 / RFC1213-MIB-rfc1213.mib / Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
1907 / SNMPV2-MIB-rfc1907.mib / Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2)
1253 / RFC1253-MIB-rfc1253.mib / OSPF Version 2 Management Information Base
1493 / BRIDGE-MIB-rfc1493.mib / Definitions of Managed Objects for Bridges (This defines MIB objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area Network [LAN] segments.)
2819 / RMON-MIB-rfc2819.mib / Remote Network Monitoring Management Information Base
2737 / ENTITY-MIB-rfc2737.mib / Entity MIB (Version 2)
2233 / IF-MIB-rfc2233.mib / Interfaces Group MIB using SNMPv2
2358 / EtherLike-MIB-rfc2358.mib / Definitions of Managed Objects for the Ethernet-like Interface Types
2493 / PerfHist-TC-MIB-rfc2493.mib / Textual Conventions for MIB Modules Using Performance History Based on 15 Minute Intervals
2495 / DS1-MIB-rfc2495.mib / Definitions of Managed Objects for the DS1, E1, DS2 and E2 Interface Types
2496 / DS3-MIB-rfc2496.mib / Definitions of Managed Objects for the DS3/E3 Interface Type
2558 / SONET-MIB-rfc2558.mib / Definitions of Managed Objects for the SONET/SDH Interface Type
2674 / P-BRIDGE-MIB-rfc2674.mib, Q-BRIDGE-MIB-rfc2674.mib / Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
3273 / HC-RMON-MIB / The MIB module for managing remote monitoring device implementations, augmenting the original RMON MIB as specified in RFC 2819 and RFC 1513 and the RMON-2 MIB as specified in RFC 2021
3413 / SNMP-NOTIFICATION-MIB / Defines the MIB objects that provide mechanisms to remotely configure the parameters used by an SNMP entity for generating notifications.
3413 / SNMP-TARGET-MIB / Defines the MIB objects that provide mechanisms to remotely configure the parameters that are used by an SNMP entity for generating SNMP messages.
3413 / SNMP-PROXY-MIB / Defines MIB objects that provide mechanisms to remotely configure the parameters used by a proxy forwarding application.
3414 / SNMP-USER-BASED-SM-MIB / The management information definitions for the SNMP User-Based Security Model.
3415 / SNMP-VIEW-BASED-ACM-MIB / The management information definitions for the View-Based Access Control Model for SNMP.
— / CISCO-DOT3-OAM-MIB / A Cisco proprietary MIB defined for IEEE 802.3ah Ethernet OAM.

1. RFC = Request for Comment

16.6.2 Proprietary ONS 15454 MIBs

Each ONS 15454 is shipped with a software CD containing applicable proprietary MIBs. Table 16-3 lists the proprietary MIBs for the ONS 15454.

Table 16-3 ONS 15454 Proprietary MIBs

MIB Number / Module Name
1 CERENT-GLOBAL-REGISTRY.mib
2 CERENT-TC.mib
3 CERENT-454.mib
4 CERENT-GENERIC.mib (not applicable to ONS 15454)
5 CISCO-SMI.mib
6 CISCO-VOA-MIB.mib
7 CERENT-MSDWDM-MIB.mib
8 CERENT-OPTICAL-MONITOR-MIB.mib
9 CERENT-HC-RMON-MIB.mib
10 CERENT-ENVMON-MIB.mib
11 CERENT-GENERIC-PM-MIB.mib
12 BRIDGE-MIB.my
13 CERENT-454-MIB.mib
14 CERENT-ENVMON-MIB.mib
15 CERENT-FC-MIB.mib
16 CERENT-GENERIC-MIB.mib
17 CERENT-GENERIC-PM-MIB.mib
18 CERENT-GLOBAL-REGISTRY.mib
19 CERENT-HC-RMON-MIB.mib
20 CERENT-IF-EXT-MIB.mib
21 CERENT-MSDWDM-MIB.mib
22 CERENT-OPTICAL-MONITOR-MIB.mib
23 CERENT-TC.mib
24 CISCO-IGMP-SNOOPING-MIB.mib
25 CISCO-OPTICAL-MONITOR-MIB.mib
26 CISCO-OPTICAL-PATCH-MIB.mib
27 CISCO-SMI.mib
28 CISCO-VOA-MIB.mib
29 CISCO-VTP-MIB.mib
30 INET-ADDRESS-MIB.mib
31 OLD-CISCO-TCP-MIB.my
32 OLD-CISCO-TS-MIB.my
33 RFC1155-SMI.my
34 RFC1213-MIB.my
35 RFC1315-MIB.my
36 BGP4-MIB.my
37 CERENT-454-MIB.mib
38 CERENT-ENVMON-MIB.mib
39 CERENT-FC-MIB.mib
40 CERENT-GENERIC-MIB.mib
41 CERENT-GENERIC-PM-MIB.mib
42 CERENT-GLOBAL-REGISTRY.mib
43 CERENT-HC-RMON-MIB.mib
44 CERENT-IF-EXT-MIB.mib
45 CERENT-MSDWDM-MIB.mib
46 CERENT-OPTICAL-MONITOR-MIB.mib
47 CERENT-TC.mib
48 CISCO-CDP-MIB.my
49 CISCO-CLASS-BASED-QOS-MIB.my
50 CISCO-CONFIG-COPY-MIB.my
51 CISCO-CONFIG-MAN-MIB.my
52 CISCO-ENTITY-ASSET-MIB.my
53 CISCO-ENTITY-EXT-MIB.my
54 CISCO-ENTITY-VENDORTYPE-OID-MI
55 CISCO-FRAME-RELAY-MIB.my
56 CISCO-FTP-CLIENT-MIB.my
57 CISCO-HSRP-EXT-MIB.my
58 CISCO-HSRP-MIB.my
59 CISCO-IGMP-SNOOPING-MIB.mib
60 CISCO-IMAGE-MIB.my
61 CISCO-IP-STAT-MIB.my
62 CISCO-IPMROUTE-MIB.my
63 CISCO-MEMORY-POOL-MIB.my
64 CISCO-OPTICAL-MONITOR-MIB.mib
65 CISCO-OPTICAL-PATCH-MIB.mib
66 CISCO-PING-MIB.my
67 CISCO-PORT-QOS-MIB.my
68 CISCO-PROCESS-MIB.my
69 CISCO-PRODUCTS-MIB.my
70 CISCO-RTTMON-MIB.my
71 CISCO-SMI.mib
72 CISCO-SMI.my
73 CISCO-SYSLOG-MIB.my
74 CISCO-TC.my
75 CISCO-TCP-MIB.my
76 CISCO-VLAN-IFTABLE-RELATIONSHI
77 CISCO-VOA-MIB.mib
78 CISCO-VTP-MIB.mib
79 CISCO-VTP-MIB.my
80 ENTITY-MIB.my
81 ETHERLIKE-MIB.my
82 HC-PerfHist-TC-MIB.my
83 HC-RMON-MIB.my
84 HCNUM-TC.my
85 IANA-RTPROTO-MIB.my
86 IANAifType-MIB.my
87 IEEE-802DOT17-RPR-MIB.my
88 IEEE8023-LAG-MIB.my
89 IF-MIB.my
90 IGMP-MIB.my
91 INET-ADDRESS-MIB.my
92 IPMROUTE-STD-MIB.my
93 OSPF-MIB.my
94 PIM-MIB.my
95 RMON-MIB.my
96 RMON2-MIB.my
97 SNMP-FRAMEWORK-MIB.my
98 SNMP-NOTIFICATION-MIB.my
99 SNMP-TARGET-MIB.my
100 SNMPv2-MIB.my
101 SNMPv2-SMI.my
102 SNMPv2-TC.my
103 TCP-MIB.my
104 TOKEN-RING-RMON-MIB.my
105 UDP-MIB.my
106 BRIDGE-MIB-rfc1493.mib
107 DS1-MIB-rfc2495.mib
108 DS3-MIB-rfc2496.mib
109 ENTITY-MIB-rfc2737.mib
110 EtherLike-MIB-rfc2665.mib
111 HC-RMON-rfc3273.mib
112 HCNUM-TC.mib
113 IANAifType-MIB.mib
114 IF-MIB-rfc2233.mib
115 INET-ADDRESS-MIB.mib
116 P-BRIDGE-MIB-rfc2674.mib
117 PerfHist-TC-MIB-rfc2493.mib
118 Q-BRIDGE-MIB-rfc2674.mib
119 RFC1213-MIB-rfc1213.mib
120 RFC1253-MIB-rfc1253.mib
121 RIPv2-MIB-rfc1724.mib
122 RMON-MIB-rfc2819.mib
123 RMON2-MIB-rfc2021.mib
124 RMONTOK-rfc1513.mib
125 SNMP-FRAMEWORK-MIB-rfc2571.mib
126 SNMP-MPD-MIB.mib
127 SNMP-NOTIFY-MIB-rfc3413.mib
128 SNMP-PROXY-MIB-rfc3413.mib
129 SNMP-TARGET-MIB-rfc3413.mib
130 SNMP-USER-BASED-SM-MIB-rfc3414.mib
131 SNMP-VIEW-BASED-ACM-MIB-rfc3415.mib
132 SNMPv2-MIB-rfc1907.mib
133 SONET-MIB-rfc2558.mib

Note If you cannot compile the proprietary MIBs correctly, log into the Technical Support Website at http://www.cisco.com/techsupport or call Cisco TAC (800) 553-2447.

Note When SNMP indicates that a muxponder (MXP) or transponder (TXP) wavelength is unknown, it means that the corresponding card (MXP_2.5G_10E, TXP_MR_10E, MXP_2.5G_10G, TXP_MR_10G, TXP_MR_2.5G, or TXPP_MR_2.5G) works with the first tunable wavelength. For more information about MXP and TXP cards, refer to the Cisco ONS 15454 DWDM Reference Manual.

16.6.3 Generic Threshold and Performance Monitoring MIBs

A MIB called CERENT-GENERIC-PM-MIB allows network management stations (NMS) to use a single, generic MIB for accessing threshold and performance monitoring data of different interface types. The MIB is generic in the sense that it is not tied to any particular kind of interface. The MIB objects can be used to obtain threshold values, current performance monitoring (PM) counts, and historic PM statistics for each kind of monitor and any supported interval at the near end and far end.

Previously existing MIBs in the ONS 15454 system provide some of these counts. For example, SONET interface 15-minute current PM counts and historic PM statistics are available using the SONET-MIB. DS-1 and DS-3 counts and statistics are available through the DS1-MIB and DS3-MIB, respectively. The generic MIB provides these types of information and also fetches threshold values and single-day statistics. In addition, the MIB supports optics and dense wavelength division multiplexing (DWDM) threshold and performance monitoring information.

The CERENT-GENERIC-PM-MIB is organized into three different tables:

• cerentGenericPmThresholdTable
• cerentGenericPmStatsCurrentTable
• cerentGenericPmStatsIntervalTable

The cerentGenericPmThresholdTable is used to obtain the threshold values for the monitor types. It is indexed based on the following items:

• Interface index (cerentGenericPmThresholdIndex)
• Monitor type (cerentGenericPmThresholdMonType). The syntax of cerentGenericPmThresholdMonType is type cerentMonitorType, defined in CERENT-TC.mib.
• Location (cerentGenericPmThresholdLocation). The syntax of cerentGenericPmThresholdLocation is type cerentLocation, defined in CERENT-TC.mib.
• Time period (cerentGenericPmThresholdPeriod). The syntax of cerentGenericPmThresholdPeriod is type cerentPeriod, defined in CERENT-TC.mib.

Threshold values can be provided in 64-bit and 32-bit formats. (For more information about 64-bit counters, see the "16.11.2 HC-RMON-MIB Support" section on page 16-24.) The 64-bit values in cerentGenericPmThresholdHCValue can be used with agents that support SNMPv2.
The two 32-bit values (cerentGenericPmThresholdValue and cerentGenericPmThresholdOverFlowValue) can be used by NMSs that only support SNMPv1. The objects compiled in the cerentGenericPmThresholdTable are shown in Table 16-4.

The second table within the MIB, cerentGenericPmStatsCurrentTable, compiles the current performance monitoring (PM) values for the monitor types. The table is indexed based on interface index (cerentGenericPmStatsCurrentIndex), monitor type (cerentGenericPmStatsCurrentMonType), location (cerentGenericPmStatsCurrentLocation), and time period (cerentGenericPmStatsCurrentPeriod). The syntax of cerentGenericPmStatsCurrentIndex is type cerentLocation, defined in CERENT-TC.mib. The syntax of cerentGenericPmStatsCurrentMonType is type cerentMonitor, defined in CERENT-TC.mib. The syntax of cerentGenericPmStatsCurrentPeriod is type cerentPeriod, defined in CERENT-TC.mib.

The cerentGenericPmStatsCurrentTable validates the current PM value using the cerentGenericPmStatsCurrentValid object and registers the number of valid intervals with historical PM statistics in the cerentGenericPmStatsCurrentValidIntervals object. PM values are provided in 64-bit and 32-bit formats. The 64-bit values in cerentGenericPmStatsCurrentHCValue can be used with agents that support SNMPv2. The two 32-bit values (cerentGenericPmStatsCurrentValue and cerentGenericPmStatsCurrentOverFlowValue) can be used by NMSs that only support SNMPv1. The cerentGenericPmStatsCurrentTable is shown in Table 16-5.
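How a poller joins the threshold and current-PM tables on their common index and reads the counters in both formats, as an added example that is not Cisco code: an SNMPv1-only NMS rebuilds the 64-bit value from the (Value, OverFlowValue) pair, an SNMPv2 NMS reads HCValue directly, and when both are present they are cross-checked. The sample walk is constructed in net-snmp output style; the numeric index components (monitor type, location, period) are opaque placeholders, and treating OverFlowValue as the high 32-bit word and ValidData as a TruthValue are assumptions.

```python
"""Reading CERENT-GENERIC-PM-MIB threshold and current-PM tables (added example).

Not Cisco code. Shows how an SNMPv1-only poller rebuilds 64-bit counters from
the (Value, OverFlowValue) pair, how an SNMPv2 poller uses HCValue directly,
and how the two tables are joined on their index tuple
(interface index, monitor type, location, period) to evaluate thresholds.
"""
import re
from collections import defaultdict

# Constructed sample walk in net-snmp "MODULE::object.index = TYPE: value" style.
# The four index components are opaque integers here; the real encodings of
# cerentMonitorType, cerentLocation and cerentPeriod are defined in CERENT-TC.mib.
SAMPLE_WALK = """\
CERENT-GENERIC-PM-MIB::cerentGenericPmThresholdValue.3.7.1.1 = Gauge32: 500
CERENT-GENERIC-PM-MIB::cerentGenericPmThresholdOverFlowValue.3.7.1.1 = Gauge32: 1
CERENT-GENERIC-PM-MIB::cerentGenericPmThresholdHCValue.3.7.1.1 = Counter64: 4294967796
CERENT-GENERIC-PM-MIB::cerentGenericPmThresholdValue.3.8.1.1 = Gauge32: 10
CERENT-GENERIC-PM-MIB::cerentGenericPmThresholdOverFlowValue.3.8.1.1 = Gauge32: 0
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentValue.3.7.1.1 = Counter32: 4000000000
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentOverFlowValue.3.7.1.1 = Counter32: 1
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentHCValue.3.7.1.1 = Counter64: 8294967296
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentValidData.3.7.1.1 = INTEGER: true(1)
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentValue.3.8.1.1 = Counter32: 7
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentOverFlowValue.3.8.1.1 = Counter32: 0
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentValidData.3.8.1.1 = INTEGER: true(1)
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentValue.3.9.1.1 = Counter32: 99
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentOverFlowValue.3.9.1.1 = Counter32: 0
CERENT-GENERIC-PM-MIB::cerentGenericPmStatsCurrentValidData.3.9.1.1 = INTEGER: false(2)
"""

_LINE = re.compile(
    r"^(?:[\w-]+::)?(?P<obj>\w+)\.(?P<idx>\d+\.\d+\.\d+\.\d+)\s*=\s*(?:\w+:\s*)?(?P<val>.+)$"
)


def _to_int(text):
    """Accept a plain number or an enumerated label such as 'true(1)'."""
    m = re.search(r"\((\d+)\)", text)
    return int(m.group(1)) if m else int(text.strip())


def parse_walk(text):
    """Group objects by index tuple: {(ifIndex, monType, location, period): {obj: int}}."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        idx = tuple(int(p) for p in m.group("idx").split("."))
        rows[idx][m.group("obj")] = _to_int(m.group("val"))
    return rows


def hc_from_words(low, high):
    """Rebuild a 64-bit value from the SNMPv1 word pair. Assumption: the
    OverFlowValue object is the high word and the Value object the low word."""
    for w in (low, high):
        if not 0 <= w < (1 << 32):
            raise ValueError(f"not a 32-bit word: {w}")
    return (high << 32) | low


def counter64(row, prefix, prefer_hc=True):
    """64-bit value for the objects <prefix>Value/OverFlowValue/HCValue.
    When the HC object and the word pair are both present they must agree; a
    mismatch usually means the two words were read in different polls."""
    low = row.get(prefix + "Value")
    high = row.get(prefix + "OverFlowValue", 0)
    hc = row.get(prefix + "HCValue")
    if low is None and hc is None:
        return None
    from_words = hc_from_words(low, high) if low is not None else None
    if hc is not None and from_words is not None and hc != from_words:
        raise ValueError(f"{prefix}: HCValue {hc} != word pair {from_words}")
    return hc if (hc is not None and prefer_hc) else from_words


def evaluate_thresholds(rows):
    """For every index tuple with a current PM count, report the 64-bit count, its
    threshold, and whether the threshold is crossed (None when the agent marks
    the current data as not valid; assumed TruthValue encoding true(1)/false(2))."""
    report = {}
    for idx, row in sorted(rows.items()):
        current = counter64(row, "cerentGenericPmStatsCurrent")
        if current is None:
            continue
        threshold = counter64(row, "cerentGenericPmThreshold")
        valid = row.get("cerentGenericPmStatsCurrentValidData", 1) == 1
        crossed = (current >= threshold) if (valid and threshold is not None) else None
        report[idx] = {"current": current, "threshold": threshold, "crossed": crossed}
    return report


if __name__ == "__main__":
    for idx, r in evaluate_thresholds(parse_walk(SAMPLE_WALK)).items():
        print(idx, r)
```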
Table 16-4 cerentGenericPmThresholdTable

Index Objects / Information Objects
cerentGenericPmThresholdIndex / cerentGenericPmThresholdValue
cerentGenericPmThresholdMonType / cerentGenericPmThresholdOverFlowValue
cerentGenericPmThresholdLocation / cerentGenericPmThresholdHCValue
cerentGenericPmThresholdPeriod / —

The third table in the MIB, cerentGenericPmStatsIntervalTable, obtains historic PM values for the monitor types. It validates the current PM value in the cerentGenericPmStatsIntervalValid object. This table is indexed based on interface index (cerentGenericPmStatsIntervalIndex), monitor type (cerentGenericPmStatsIntervalMonType), location (cerentGenericPmStatsIntervalLocation), and period (cerentGenericPmStatsIntervalPeriod). The syntax of cerentGenericPmStatsIntervalIndex is type cerentLocation, defined in CERENT-TC.mib. The syntax of cerentGenericPmStatsIntervalMonType is type cerentMonitor, defined in CERENT-TC.mib. The syntax of cerentGenericPmStatsIntervalPeriod is type cerentPeriod, defined in CERENT-TC.mib.

The table provides historic PM values in 64-bit and 32-bit formats. The 64-bit values contained in the cerentGenericPmStatsIntervalHCValue object can be used with SNMPv2 agents. The two 32-bit values (cerentGenericPmStatsIntervalValue and cerentGenericPmStatsIntervalOverFlowValue) can be used by SNMPv1 NMSs. The cerentGenericPmStatsIntervalTable is shown in Table 16-6.

16.7 SNMP Trap Content

The ONS 15454 uses SNMP traps to generate all alarms and events, such as raises and clears. The traps contain the following information:

• Object IDs that uniquely identify each event with information about the generating entity (the slot or port; synchronous transport signal [STS] and Virtual Tributary [VT]; bidirectional line switched ring [BLSR], Spanning Tree Protocol [STP], etc.).
• Severity and service effect of the alarm (critical, major, minor, or event; service-affecting or non-service-affecting).
• Date and time stamp showing when the alarm occurred.

Table 16-5 32-Bit cerentGenericPmStatsCurrentTable
Index Objects | Informational Objects
cerentGenericPmStatsCurrentIndex | cerentGenericPmStatsCurrentValue
cerentGenericPmStatsCurrentMonType | cerentGenericPmStatsCurrentOverFlowValue
cerentGenericPmStatsCurrentLocation | cerentGenericPmStatsCurrentHCValue
cerentGenericPmStatsCurrentPeriod | cerentGenericPmStatsCurrentValidData
— | cerentGenericPmStatsCurrentValidIntervals

Table 16-6 32-Bit cerentGenericPmStatsIntervalTable
Index Objects | Informational Objects
cerentGenericPmStatsIntervalIndex | cerentGenericPmStatsIntervalValue
cerentGenericPmStatsIntervalMonType | cerentGenericPmStatsIntervalOverFlowValue
cerentGenericPmStatsIntervalLocation | cerentGenericPmStatsIntervalHCValue
cerentGenericPmStatsIntervalPeriod | cerentGenericPmStatsIntervalValidData
cerentGenericPmStatsIntervalNumber | —

16.7.1 Generic and IETF Traps

The ONS 15454 supports the generic IETF traps listed in Table 16-7.

Table 16-7 Supported Generic IETF Traps
Trap | From RFC No. MIB | Description
coldStart | RFC1907-MIB | Agent up, cold start.
warmStart | RFC1907-MIB | Agent up, warm start.
authenticationFailure | RFC1907-MIB | Community string does not match.
newRoot | RFC1493/BRIDGE-MIB | Sending agent is the new root of the spanning tree.
topologyChange | RFC1493/BRIDGE-MIB | A port in a bridge has changed from Learning to Forwarding or Forwarding to Blocking.
entConfigChange | RFC2737/ENTITY-MIB | The entLastChangeTime value has changed.
dsx1LineStatusChange | RFC2495/DS1-MIB | The value of an instance of dsx1LineStatus has changed. The trap can be used by an NMS to trigger polls. When the line status change results from a higher-level line status change (for example, a DS-3), no traps for the DS-1 are sent.
dsx3LineStatusChange | RFC2496/DS3-MIB | The value of an instance of dsx3LineStatus has changed. This trap can be used by an NMS to trigger polls. When the line status change results in a lower-level line status change (for example, a DS-1), no traps for the lower-level are sent.
risingAlarm | RFC2819/RMON-MIB | The SNMP trap that is generated when an alarm entry crosses the rising threshold and the entry generates an event that is configured for sending SNMP traps.
fallingAlarm | RFC2819/RMON-MIB | The SNMP trap that is generated when an alarm entry crosses the falling threshold and the entry generates an event that is configured for sending SNMP traps.

16.7.2 Variable Trap Bindings

Each SNMP trap contains variable bindings that are used to create the MIB tables. ONS 15454 traps and variable bindings are listed in Table 16-8. For each group (such as Group A), all traps within the group are associated with all of its variable bindings.

Table 16-8 Supported ONS 15454 SNMPv2 Trap Variable Bindings
Columns: Group | Trap Name(s) Associated with Variable Binding | Number | SNMPv2 Variable Bindings | Description

Group A: dsx1LineStatusChange (from RFC 2495)
(1) dsx1LineStatus | This variable indicates the line status of the interface. It contains loopback, failure, received alarm and transmitted alarm information.
(2) dsx1LineStatusLastChange | The value of MIB II's sysUpTime object at the time this DS1 entered its current line status state. If the current state was entered prior to the last proxy-agent reinitialization, the value of this object is zero.
(3) cerent454NodeTime | The time that an event occurred.
(4) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(5) snmpTrapAddress | The address of the SNMP trap.

Group B: dsx3LineStatusChange (from RFC 2496)
(1) dsx3LineStatus | This variable indicates the line status of the interface. It contains loopback state information and failure state information.
(2) dsx3LineStatusLastChange | The value of MIB II's sysUpTime object at the time this DS3/E3 entered its current line status state. If the current state was entered prior to the last reinitialization of the proxy-agent, then the value is zero.
(3) cerent454NodeTime | The time that an event occurred.
(4) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(5) snmpTrapAddress | The address of the SNMP trap.

Group C: coldStart (from RFC 1907), warmStart (from RFC 1907), newRoot (from RFC), topologyChange (from RFC), entConfigChange (from RFC 2737), authenticationFailure (from RFC 1907)
(1) cerent454NodeTime | The time that the event occurred.
(2) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) snmpTrapAddress | The address of the SNMP trap.

Group D1: risingAlarm (from RFC 2819)
(1) alarmIndex | This variable uniquely identifies each entry in the alarm table. When an alarm in the table clears, the alarm indexes change for each alarm listed.
(2) alarmVariable | The object identifier of the variable being sampled.
(3) alarmSampleType | The method of sampling the selected variable and calculating the value to be compared against the thresholds.
(4) alarmValue | The value of the statistic during the last sampling period.
(5) alarmRisingThreshold | When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval was less than this threshold, a single event is generated. A single event is also generated if the first sample after this entry is greater than or equal to this threshold.
(6) cerent454NodeTime | The time that an event occurred.
(7) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(8) snmpTrapAddress | The address of the SNMP trap.

Group D2: fallingAlarm (from RFC 2819)
(1) alarmIndex | This variable uniquely identifies each entry in the alarm table. When an alarm in the table clears, the alarm indexes change for each alarm listed.
(2) alarmVariable | The object identifier of the variable being sampled.
(3) alarmSampleType | The method of sampling the selected variable and calculating the value to be compared against the thresholds.
(4) alarmValue | The value of the statistic during the last sampling period.
(5) alarmFallingThreshold | When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval was greater than this threshold, a single event is generated. A single event is also generated if the first sample after this entry is less than or equal to this threshold.
(6) cerent454NodeTime | The time that an event occurred.
(7) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(8) snmpTrapAddress | The address of the SNMP trap.

Group E: failureDetectedExternalToTheNE (from CERENT-454-mib)
(1) cerent454NodeTime | The time that an event occurred.
(2) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) cerent454AlarmObjectType | The entity that raised the alarm. The NMS should use this value to decide which table to poll for further information about the alarm.
(4) cerent454AlarmObjectIndex | Every alarm is raised by an object entry in a specific table. This variable is the index of objects in each table; if the alarm is interface-related, this is the index of the interface in the interface table.
(5) cerent454AlarmSlotNumber | The slot of the object that raised the alarm. If a slot is not relevant to the alarm, the slot number is zero.
(6) cerent454AlarmPortNumber | The port of the object that raised the alarm. If a port is not relevant to the alarm, the port number is zero.
(7) cerent454AlarmLineNumber | The object line that raised the alarm. If a line is not relevant to the alarm, the line number is zero.
(8) cerent454AlarmObjectName | The TL1-style user-visible name that uniquely identifies an object in the system.
(9) cerent454AlarmAdditionalInfo | Additional information for the alarm object. In the current version of the MIB, this object contains the provisioned description for alarms that are external to the NE. If there is no additional information, the value is zero.
(10) snmpTrapAddress | The address of the SNMP trap.

Group F: performanceMonitorThresholdCrossingAlert (from CERENT-454-mib)
(1) cerent454NodeTime | The time that an event occurred.
(2) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) cerent454AlarmObjectType | The entity that raised the alarm. The NMS should use this value to decide which table to poll for further information about the alarm.
(4) cerent454AlarmObjectIndex | Every alarm is raised by an object entry in a specific table. This variable is the index of objects in each table; if the alarm is interface-related, this is the index of the interface in the interface table.
(5) cerent454AlarmSlotNumber | The slot of the object that raised the alarm. If a slot is not relevant to the alarm, the slot number is zero.
(6) cerent454AlarmPortNumber | The port of the object that raised the alarm. If a port is not relevant to the alarm, the port number is zero.
(7) cerent454AlarmLineNumber | The object line that raised the alarm. If a line is not relevant to the alarm, the line number is zero.
(8) cerent454AlarmObjectName | The TL1-style user-visible name that uniquely identifies an object in the system.
(9) cerent454ThresholdMonitorType | This object indicates the type of metric being monitored.
(10) cerent454ThresholdLocation | Indicates whether the event occurred at the near or far end.
(11) cerent454ThresholdPeriod | Indicates the sampling interval period.
(12) cerent454ThresholdSetValue | The value of this object is the threshold provisioned by the NMS.
(13) cerent454ThresholdCurrentValue | —
(14) cerent454ThresholdDetectType | —
(15) snmpTrapAddress | The address of the SNMP trap.

Group G: All other traps (from CERENT-454-MIB) not listed above
(1) cerent454NodeTime | The time that an event occurred.
(2) cerent454AlarmState | The alarm severity and service-affecting status. Severities are Minor, Major, and Critical. Service-affecting statuses are Service-Affecting and Non-Service Affecting.
(3) cerent454AlarmObjectType | The entity that raised the alarm. The NMS should use this value to decide which table to poll for further information about the alarm.
(4) cerent454AlarmObjectIndex | Every alarm is raised by an object entry in a specific table. This variable is the index of objects in each table; if the alarm is interface-related, this is the index of the interface in the interface table.
(5) cerent454AlarmSlotNumber | The slot of the object that raised the alarm. If a slot is not relevant to the alarm, the slot number is zero.
(6) cerent454AlarmPortNumber | The port of the object that raised the alarm. If a port is not relevant to the alarm, the port number is zero.
(7) cerent454AlarmLineNumber | The object line that raised the alarm. If a line is not relevant to the alarm, the line number is zero.
(8) cerent454AlarmObjectName | The TL1-style user-visible name that uniquely identifies an object in the system.
(9) snmpTrapAddress | The address of the SNMP trap.

16.8 SNMPv1/v2 Community Names

Community names are used to group SNMPv1/v2 trap destinations. All ONS 15454 trap destinations can be provisioned as part of SNMP communities in CTC. When community names are assigned to traps, the ONS 15454 treats the request as valid if the community name matches one that is provisioned in CTC. In this case, all agent-managed MIB variables are accessible to that request. If the community name does not match the provisioned list, SNMP drops the request.

16.9 SNMPv1/v2 Proxy Over Firewalls

SNMP and NMS applications have traditionally been unable to cross firewalls used for isolating security risks inside or from outside networks. CTC enables network operations centers (NOCs) to access performance monitoring data such as RMON statistics or autonomous messages across firewalls by using an SNMP proxy element installed on a firewall.

The application-level proxy transports SNMP protocol data units (PDUs) between the NMS and NEs, allowing requests and responses between the NMS and NEs and forwarding NE autonomous messages to the NMS. The proxy agent requires little provisioning at the NOC and no additional provisioning at the NEs.

The firewall proxy is intended for use in a gateway network element-end network element (GNE-ENE) topology with many NEs through a single NE gateway. Up to 64 SNMP requests (such as get, getnext, or getbulk) are supported at any time behind single or multiple firewalls. The proxy interoperates with common NMS such as HP OpenView.

For security reasons, the SNMP proxy feature must be enabled at all receiving and transmitting NEs to function. For instructions to do this, refer to the Cisco ONS 15454 Procedure Guide.

16.10 SNMPv3 Proxy Configuration

The GNE can act as a proxy for the ENEs and forward SNMP requests to other SNMP entities (ENEs) irrespective of the types of objects that are accessed. For this, you need to configure two sets of users, one between the GNE and NMS, and the other between the GNE and ENE. In addition to forwarding requests from the NMS to the ENE, the GNE also forwards responses and traps from the ENE to the NMS.

The proxy forwarder application is defined in RFC 3413. Each entry in the Proxy Forwarder Table consists of the following parameters:

• Proxy Type—Defines the type of message that may be forwarded based on the translation parameters defined by this entry. If the Proxy Type is read or write, the proxy entry is used for forwarding SNMP requests and their responses between the NMS and the ENE. If the Proxy Type is trap, the entry is used for forwarding SNMP traps from the ENE to the NMS.
• Context Engine ID/Context Name—Specifies the ENE to which the incoming requests should be forwarded, or the ENE whose traps should be forwarded to the NMS by the GNE.
• TargetParamsIn—Points to the Target Params Table that specifies the GNE user who proxies on behalf of an ENE user. When the proxy type is read or write, TargetParamsIn specifies the GNE user who receives requests from an NMS and forwards requests to the ENE. When the proxy type is trap, TargetParamsIn specifies the GNE user who receives notifications from the ENE and forwards them to the NMS.
TargetParamsIn and the contextEngineID or contextName columns are used to determine the row in the Proxy Forwarder Table that could be used for forwarding the received message.
• Single Target Out—Refers to the Target Address Table. After you select a row in the Proxy Forwarder Table for forwarding, this object is used to get the target address and the target parameters that are used for forwarding the request. This object is used for requests with proxy types read or write, which only require one target.
• Multiple Target Out (Tag)—Refers to a group of entries in the Target Address Table. Notifications are forwarded using this tag. The Multiple Target Out tag is only relevant when the proxy type is Trap and is used to send notifications to one or more NMSs.

16.11 Remote Monitoring

The ONS 15454 incorporates RMON to allow network operators to monitor Ethernet card performance and events. The RMON thresholds are user-provisionable in CTC. Refer to the Cisco ONS 15454 Procedure Guide for instructions.

Note: Typical RMON operations, other than threshold provisioning, are invisible to the CTC user.

ONS 15454 system RMON is based on the IETF-standard MIB RFC 2819 and includes the following five groups from the standard MIB: Ethernet Statistics, History Control, Ethernet History, Alarm, and Event.

Certain statistics measured on the ML-Series Ethernet cards are mapped to a standard MIB if one exists. Otherwise, they are mapped to a nonstandard MIB variable. The naming convention used by the standard/nonstandard MIB is not the same as the statistics variable used by the card. Because of this, statistics of this type that are obtained through get-requests, get-next-requests, and SNMP traps do not match the name used on the card or as seen by CTC/TL1.
• For example, the STATS_MediaIndStatsRxFramesTooLong statistics are mapped to the cMediaIndependentInFramesTooLong variable in the CERENT MIB, whereas STATS_RxTotalPkts is mapped to mediaIndependentInPkts in HC-RMON-rfc3273.mib.

16.11.1 64-Bit RMON Monitoring over DCC

The ONS 15454 DCC is implemented over the IP protocol, which is not compatible with Ethernet. The system builds Ethernet equipment History and Statistics tables using High-Level Data Link Control (HDLC) statistics that are gathered over the data communications channel (DCC) that is running Point-to-Point Protocol (PPP). RMON DCC monitors the health of remote DCC connections for IP and Ethernet. RMON DCC contains two MIBs for DCC interfaces. They are:
• cMediaIndependentTable—Standard, RFC3273; the proprietary extension of the HC-RMON MIB used for reporting statistics
• cMediaIndependentHistoryTable—Proprietary MIB used to support history

16.11.1.1 Row Creation in MediaIndependentTable

The SetRequest PDU contains all needed values to activate a row of the mediaIndependentTable in a single operation, as well as assign the status variable to createRequest (2). To create the row and set its status, every object ID (OID) in the SetRequest PDU must carry an instance value of zero; that is, all OIDs should be of the form OID.0. To create a row, the SetRequest PDU should contain the following:
• mediaIndependentDataSource and its desired value
• mediaIndependentOwner and its desired value (up to 32 characters)
• mediaIndependentStatus with a value of createRequest (2)

The mediaIndependentTable creates a row if the SetRequest PDU is valid according to these rules. The SNMP agent decides the value of mediaIndependentIndex when the row is created, and the value can change if an Ethernet interface is added or deleted.
The values are not sequentially allotted or contiguously numbered. The newly created row will have a mediaIndependentStatus value of valid (1). If the row already exists, or if the SetRequest PDU values are insufficient or do not make sense, the SNMP agent returns an error code.

Note: mediaIndependentTable entries are not preserved if the SNMP agent is restarted.

The mediaIndependentTable deletes a row if the SetRequest PDU contains a mediaIndependentStatus with a value of invalid (4). The varbind's OID instance value identifies the row for deletion. You can recreate a deleted row in the table if desired.

16.11.1.2 Row Creation in cMediaIndependentHistoryControlTable

SNMP row creation and deletion for the cMediaIndependentHistoryControlTable follows the same processes as for the MediaIndependentTable; only the variables differ. To create a row, the SetRequest PDU should contain the following:
• cMediaIndependentHistoryControlDataSource and its desired value
• cMediaIndependentHistoryControlOwner and its desired value
• cMediaIndependentHistoryControlStatus with a value of createRequest (2)

16.11.2 HC-RMON-MIB Support

For the ONS 15454, the implementation of the high-capacity remote monitoring management information base (HC-RMON-MIB, or RFC 3273) enables 64-bit support of existing RMON tables. This support is provided with the etherStatsHighCapacityTable and the etherHistoryHighCapacityTable. An additional table, the mediaIndependentTable, and an additional object, hcRMONCapabilities, are also added for this support. All of these elements are accessible to any third-party SNMP client that is able to retrieve RFC 3273 SNMP MIB variables from the etherStatsHighCapacityTable, etherHistoryHighCapacityTable, or mediaIndependentTable.
16.11.3 Ethernet Statistics RMON Group

The Ethernet Statistics group contains the basic statistics monitored for each subnetwork in a single table called the etherStatsTable.

16.11.3.1 Row Creation in etherStatsTable

The SetRequest PDU for creating a row in this table contains all needed values to activate a table row in a single operation, as well as assign the status variable to createRequest. The object ID (OID) entries in the SetRequest PDU must have an instance value of 0, that is, be of type OID.0. To create a row, the SetRequest PDU should contain the following:
• The etherStatsDataSource and its desired value
• The etherStatsOwner and its desired value (up to 32 characters)
• The etherStatsStatus with a value of createRequest (2)

The etherStatsTable creates a row if the SetRequest PDU is valid according to these rules. The SNMP agent decides the value of etherStatsIndex when the row is created, and this value changes when an Ethernet interface is added or deleted; it is not sequentially allotted or contiguously numbered. A newly created row will have an etherStatsStatus value of valid (1). If the etherStatsTable row already exists, or if the SetRequest PDU values are insufficient or do not make sense, the SNMP agent returns an error code.

Note: etherStatsTable entries are not preserved if the SNMP agent is restarted.

16.11.3.2 Get Requests and GetNext Requests

Get requests and getNext requests for the etherStatsMulticastPkts and etherStatsBroadcastPkts columns return a value of zero because the variables are not supported by ONS 15454 Ethernet cards.

16.11.3.3 Row Deletion in etherStatsTable

To delete a row in the etherStatsTable, the SetRequest PDU should contain an etherStatsStatus "invalid" value (4). The OID marks the row for deletion.
If required, a deleted row can be recreated.

16.11.3.4 64-Bit etherStatsHighCapacityTable

The Ethernet statistics group contains 64-bit statistics in the etherStatsHighCapacityTable, which provides 64-bit RMON support for the HC-RMON-MIB. The etherStatsHighCapacityTable is an extension of the etherStatsTable that adds 16 new columns for performance monitoring data in 64-bit format. There is a one-to-one relationship between the etherStatsTable and etherStatsHighCapacityTable when rows are created or deleted in either table.

16.11.4 History Control RMON Group

The History Control group defines sampling functions for one or more monitor interfaces in the historyControlTable. The values in this table, as specified in RFC 2819, are derived from the historyControlTable and etherHistoryTable.

16.11.4.1 History Control Table

The RMON is sampled at one of four possible intervals. Each interval, or period, contains specific history values called buckets. Table 16-9 lists the four sampling periods and corresponding buckets. The historyControlTable maximum row size is determined by multiplying the number of ports on a card by the number of sampling periods. For example, an ONS 15454 E100 card contains 24 ports, which multiplied by four periods allows 96 rows in the table. An E1000 card contains 14 ports, which multiplied by four periods allows 56 table rows.

16.11.4.2 Row Creation in historyControlTable

To activate a historyControlTable row, the SetRequest PDU must contain all needed values and have a status variable value of 2 (createRequest). All OIDs in the SetRequest PDU should be type OID.0 for entry creation.
To create a SetRequest PDU for the historyControlTable, the following values are required:
• The historyControlDataSource and its desired value
• The historyControlBucketsRequested and its desired value
• The historyControlInterval and its desired value
• The historyControlOwner and its desired value
• The historyControlStatus with a value of createRequest (2)

The historyControlBucketsRequested OID value is ignored because the number of buckets allowed for each sampling period, based upon the historyControlInterval value, is already fixed as listed in Table 16-9.

Table 16-9 RMON History Control Periods and History Categories
Sampling Period (historyControlInterval value) | Total Values, or Buckets
15 minutes | 32
24 hours | 7
1 minute | 60
60 minutes | 24

The historyControlInterval value cannot be changed from the four allowed choices. If you use another value, the SNMP agent selects the closest smaller time period from the set buckets. For example, if the set request specifies a 25-minute interval, this falls between the 15-minute (32 bucket) variable and the 60-minute (24 bucket) variable. The SNMP agent automatically selects the lower, closer value, which is 15 minutes, so it allows 32 buckets. If the SetRequest PDU is valid, a historyControlTable row is created. If the row already exists, or if the SetRequest PDU values do not make sense or are insufficient, the SNMP agent does not create the row and returns an error code.

16.11.4.3 Get Requests and GetNext Requests

These PDUs are not restricted.

16.11.4.4 Row Deletion in historyControlTable

To delete a row from the table, the SetRequest PDU should contain a historyControlStatus value of 4 (invalid). A deleted row can be recreated.

16.11.5 Ethernet History RMON Group

The ONS 15454 implements the etherHistoryTable as defined in RFC 2819.
The group is created within the bounds of the historyControlTable and does not deviate from the RFC in its design.

16.11.5.1 64-Bit etherHistoryHighCapacityTable

64-bit Ethernet history for the HC-RMON-MIB is implemented in the etherHistoryHighCapacityTable, which is an extension of the etherHistoryTable. The etherHistoryHighCapacityTable adds four columns for 64-bit performance monitoring data. These two tables have a one-to-one relationship: adding or deleting a row in one table effects the same change in the other.

16.11.6 Alarm RMON Group

The Alarm group consists of the alarmTable, which periodically compares sampled values with configured thresholds and raises an event if a threshold is crossed. This group requires the implementation of the Event group, which follows this section.

16.11.6.1 Alarm Table

The NMS uses the alarmTable to determine and provision network performance alarmable thresholds.

16.11.6.2 Row Creation in alarmTable

To create a row in the alarmTable, all OIDs in the SetRequest PDU should be type OID.0. The table has a maximum of 256 rows. To create a SetRequest PDU for the alarmTable, the following values are required:
• The alarmInterval and its desired value
• The alarmVariable and its desired value
• The alarmSampleType and its desired value
• The alarmStartupAlarm and its desired value
• The alarmOwner and its desired value
• The alarmStatus with a value of createRequest (2)

If the SetRequest PDU is valid, an alarmTable row is created. If the row already exists, or if the SetRequest PDU values do not make sense or are insufficient, the SNMP agent does not create the row and returns an error code. In addition to the required values, the following restrictions must be met in the SetRequest PDU:
• The alarmOwner is a string of length 32 characters.
• The alarmRisingEventIndex always takes value 1.
• The alarmFallingEventIndex always takes value 2.
• The alarmStatus has only two values supported in SETs: createRequest (2) and invalid (4).
• The alarmVariable is of the type OID.ifIndex, where ifIndex gives the interface this alarm is created on and OID is one of the OIDs supported in Table 16-10.

Table 16-10 OIDs Supported in the AlarmTable
No. | Column Name | OID | Status
1 | ifInOctets | {1.3.6.1.2.1.2.2.1.10} | —
2 | ifInUcastPkts | {1.3.6.1.2.1.2.2.1.11} | —
3 | ifInMulticastPkts | {1.3.6.1.2.1.31.1.1.1.2} | Unsupported in E100/E1000
4 | ifInBroadcastPkts | {1.3.6.1.2.1.31.1.1.1.3} | Unsupported in E100/E1000
5 | ifInDiscards | {1.3.6.1.2.1.2.2.1.13} | Unsupported in E100/E1000
6 | ifInErrors | {1.3.6.1.2.1.2.2.1.14} | —
7 | ifOutOctets | {1.3.6.1.2.1.2.2.1.16} | —
8 | ifOutUcastPkts | {1.3.6.1.2.1.2.2.1.17} | —
9 | ifOutMulticastPkts | {1.3.6.1.2.1.31.1.1.1.4} | Unsupported in E100/E1000
10 | ifOutBroadcastPkts | {1.3.6.1.2.1.31.1.1.1.5} | Unsupported in E100/E1000
11 | ifOutDiscards | {1.3.6.1.2.1.2.2.1.19} | Unsupported in E100/E1000
12 | dot3StatsAlignmentErrors | {1.3.6.1.2.1.10.7.2.1.2} | —
13 | dot3StatsFCSErrors | {1.3.6.1.2.1.10.7.2.1.3} | —
14 | dot3StatsSingleCollisionFrames | {1.3.6.1.2.1.10.7.2.1.4} | —
15 | dot3StatsMultipleCollisionFrames | {1.3.6.1.2.1.10.7.2.1.5} | —
16 | dot3StatsDeferredTransmissions | {1.3.6.1.2.1.10.7.2.1.7} | —
17 | dot3StatsLateCollisions | {1.3.6.1.2.1.10.7.2.1.8} | —
18 | dot3StatsExcessiveCollisions | {1.3.6.1.2.1.10.7.2.1.9} | —
19 | dot3StatsFrameTooLong | {1.3.6.1.2.1.10.7.2.1.13} | —
20 | dot3StatsCarrierSenseErrors | {1.3.6.1.2.1.10.7.2.1.11} | Unsupported in E100/E1000
21 | dot3StatsSQETestErrors | {1.3.6.1.2.1.10.7.2.1.6} | Unsupported in E100/E1000
22 | etherStatsUndersizePkts | {1.3.6.1.2.1.16.1.1.1.9} | —
23 | etherStatsFragments | {1.3.6.1.2.1.16.1.1.1.11} | —
24 | etherStatsPkts64Octets | {1.3.6.1.2.1.16.1.1.1.14} | —
25 | etherStatsPkts65to127Octets | {1.3.6.1.2.1.16.1.1.1.15} | —
26 | etherStatsPkts128to255Octets | {1.3.6.1.2.1.16.1.1.1.16} | —
27 | etherStatsPkts256to511Octets | {1.3.6.1.2.1.16.1.1.1.17} | —
28 | etherStatsPkts512to1023Octets | {1.3.6.1.2.1.16.1.1.1.18} | —
29 | etherStatsPkts1024to1518Octets | {1.3.6.1.2.1.16.1.1.1.19} | —
30 | etherStatsBroadcastPkts | {1.3.6.1.2.1.16.1.1.1.6} | —
31 | etherStatsMulticastPkts | {1.3.6.1.2.1.16.1.1.1.7} | —
32 | etherStatsOversizePkts | {1.3.6.1.2.1.16.1.1.1.10} | —
33 | etherStatsJabbers | {1.3.6.1.2.1.16.1.1.1.12} | —
34 | etherStatsOctets | {1.3.6.1.2.1.16.1.1.1.4} | —
35 | etherStatsCollisions | {1.3.6.1.2.1.16.1.1.1.13} | —
36 | etherStatsCollisions | {1.3.6.1.2.1.16.1.1.1.8} | —
37 | etherStatsDropEvents | {1.3.6.1.2.1.16.1.1.1.3} | Unsupported in E100/E1000 and G1000

16.11.6.3 Get Requests and GetNext Requests

These PDUs are not restricted.

16.11.6.4 Row Deletion in alarmTable

To delete a row from the table, the SetRequest PDU should contain an alarmStatus value of 4 (invalid). A deleted row can be recreated.

Note: Entries in the alarmTable are preserved if the SNMP agent is restarted.

16.11.7 Event RMON Group

The Event group controls event generation and notification. It consists of two tables: the eventTable, which is a read-only list of events to be generated, and the logTable, which is a writable set of data describing a logged event. The ONS 15454 implements the logTable as specified in RFC 2819.

16.11.7.1 Event Table

The eventTable is read-only and unprovisionable. The table contains one row for rising alarms and another for falling ones. This table has the following restrictions:
• The eventType is always log-and-trap (4).
• The eventCommunity value is always a zero-length string, indicating that this event causes the trap to be dispatched to all provisioned destinations.
• The eventOwner column value is always "monitor."
• The eventStatus column value is always valid(1).
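The row-creation restrictions in 16.11.6.2 and the rising/falling threshold wording for the risingAlarm and fallingAlarm bindings in Table 16-8 (groups D1 and D2) together describe one alarmTable entry. The following Python is an added example, not Cisco code: it checks a constructed SetRequest varbind set against those restrictions and then evaluates samples into rising and falling events; the hysteresis rule (no second rising event until a falling event has fired, and vice versa) is taken from RFC 2819, and the names validate_alarm_row_set and RmonAlarm are this example's own.

```python
"""Added example (not from the Cisco manual): RMON alarmTable row-creation
check and rising/falling threshold evaluator for the ONS 15454 Alarm group.
Row rules follow 16.11.6.2 and Table 16-10; threshold rules follow Table 16-8
(groups D1/D2); the hysteresis rule is RFC 2819. All names here are our own."""

CREATE_REQUEST, INVALID = 2, 4                 # alarmStatus values accepted in SETs
ABSOLUTE_VALUE, DELTA_VALUE = 1, 2             # alarmSampleType (RFC 2819)
RISING, FALLING, RISING_OR_FALLING = 1, 2, 3   # alarmStartupAlarm (RFC 2819)

# Subset of Table 16-10: column OIDs that may be used as the alarmVariable.
SUPPORTED_ALARM_OIDS = {
    "ifInOctets": "1.3.6.1.2.1.2.2.1.10",
    "ifInErrors": "1.3.6.1.2.1.2.2.1.14",
    "ifOutOctets": "1.3.6.1.2.1.2.2.1.16",
    "dot3StatsFCSErrors": "1.3.6.1.2.1.10.7.2.1.3",
    "etherStatsCollisions": "1.3.6.1.2.1.16.1.1.1.13",
}
REQUIRED = ("alarmInterval", "alarmVariable", "alarmSampleType",
            "alarmStartupAlarm", "alarmOwner", "alarmStatus")


def validate_alarm_row_set(varbinds):
    """varbinds maps column name -> (instance, value), as a SetRequest carries
    them. Returns the list of rule violations; an empty list means the agent
    would accept the row."""
    problems = [f"missing {n}" for n in REQUIRED if n not in varbinds]
    for name, (instance, _) in varbinds.items():
        if instance != 0:                       # entry creation uses OID.0
            problems.append(f"{name} instance must be 0, got {instance}")
    if "alarmStatus" in varbinds and varbinds["alarmStatus"][1] != CREATE_REQUEST:
        problems.append("alarmStatus must be createRequest(2) to create a row")
    if "alarmOwner" in varbinds and len(varbinds["alarmOwner"][1]) > 32:
        problems.append("alarmOwner longer than 32 characters")
    if varbinds.get("alarmRisingEventIndex", (0, 1))[1] != 1:
        problems.append("alarmRisingEventIndex must be 1")
    if varbinds.get("alarmFallingEventIndex", (0, 2))[1] != 2:
        problems.append("alarmFallingEventIndex must be 2")
    if "alarmVariable" in varbinds:
        # alarmVariable is OID.ifIndex: a Table 16-10 column plus the interface index
        column, _, if_index = str(varbinds["alarmVariable"][1]).rpartition(".")
        if column not in SUPPORTED_ALARM_OIDS.values() or not if_index.isdigit():
            problems.append("alarmVariable is not a supported OID.ifIndex")
    return problems


class RmonAlarm:
    """One alarmTable row. sample() returns 'rising' (eventIndex 1, sent as a
    risingAlarm trap), 'falling' (eventIndex 2, fallingAlarm trap) or None."""

    def __init__(self, rising, falling, sample_type=ABSOLUTE_VALUE,
                 startup=RISING_OR_FALLING):
        if rising < falling:
            raise ValueError("alarmRisingThreshold must be >= alarmFallingThreshold")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw = None      # previous raw sample, needed for deltaValue
        self.last_value = None    # previous compared value; None until first sample
        self.armed = None         # 'rising'/'falling': only that direction may fire

    def sample(self, raw):
        if self.sample_type == DELTA_VALUE:
            if self.last_raw is None:           # a delta needs two raw samples
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        event = None
        if self.last_value is None:
            # First sample after row creation: startup rule, gated by alarmStartupAlarm.
            if value >= self.rising and self.startup in (RISING, RISING_OR_FALLING):
                event = "rising"
            elif value <= self.falling and self.startup in (FALLING, RISING_OR_FALLING):
                event = "falling"
        elif (self.armed != "falling" and value >= self.rising
              and self.last_value < self.rising):
            event = "rising"
        elif (self.armed != "rising" and value <= self.falling
              and self.last_value > self.falling):
            event = "falling"
        if event:                 # hysteresis: only the opposite direction stays armed
            self.armed = "falling" if event == "rising" else "rising"
        self.last_value = value
        return event
```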
16.11.7.2 Log Table

The logTable is implemented exactly as specified in RFC 2819. The logTable is based on data that is locally cached in a controller card. If there is a controller card protection switch, the existing logTable is cleared and a new one is started on the newly active controller card. The table contains as many rows as provided by the alarm controller.

APPENDIX A Hardware Specifications

Note The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

This appendix contains hardware and software specifications for the ONS 15454. The following sections are included:
• A.1 Shelf Specifications, page A-1
• A.2 SFP, XFP, and GBIC Specifications, page A-5
• A.3 General Card Specifications, page A-7
• A.4 Common Control Card Specifications, page A-12
• A.5 Electrical Card Specifications, page A-17
• A.6 Optical Card Specifications, page A-28
• A.7 Ethernet Card Specifications, page A-49
• A.8 Storage Access Networking Card Specifications, page A-53

A.1 Shelf Specifications

This section provides specifications for shelf bandwidth; a list of topologies; Cisco Transport Controller (CTC) specifications; LAN, TL1, modem, alarm, and electrical interface assembly (EIA) interface specifications; timing, power, and environmental specifications; and shelf dimensions.
A.1.1 Bandwidth

The ONS 15454 has the following bandwidth specifications:
• Total bandwidth: 240 Gbps
• Data plane bandwidth: 160 Gbps
• SONET plane bandwidth: 80 Gbps

A.1.2 Configurations

The ONS 15454 can be configured as follows:
• Two-fiber path protection
• Path protected mesh network (PPMN)
• Two-fiber bidirectional line switched ring (BLSR)
• Four-fiber BLSR
• Add-drop multiplexer (ADM)
• Terminal mode
• Regenerator mode
• Hubbed rings
• Multihubbed rings
• Point-to-point
• Linear
• Linear with optical add/drop multiplexing (OADM)

A.1.3 Cisco Transport Controller

CTC, the ONS 15454 craft interface software, has the following specifications:
• 10BaseT
• TCC2/TCC2P access: RJ-45 connector
• Backplane access: LAN pin field

A.1.4 External LAN Interface

The ONS 15454 external LAN interface has the following specifications:
• 10BaseT Ethernet
• Backplane access: LAN pin field

A.1.5 TL1 Craft Interface

The ONS 15454 TL1 craft interface has the following specifications:
• Speed: 9600 bps
• TCC2/TCC2P access: EIA/TIA-232 DB-9 type connector
• Backplane access: CRAFT pin field

A.1.6 Modem Interface

The ONS 15454 modem interface has the following specifications:
• Hardware flow control
• TCC2/TCC2P: EIA/TIA-232 DB-9 type connector

A.1.7 Alarm Interface

The ONS 15454 alarm interface has the following specifications:
• Visual: Critical, Major, Minor, Remote
• Audible: Critical, Major, Minor, Remote
• Alarm contacts: 0.045 mm, –48 V, 50 mA
• Backplane access: Alarm pin fields

A.1.8 EIA Interface

The ONS 15454 EIA interface has the following specifications:
• SMB: AMP #415504-3 75-ohm, 4-leg connectors
• BNC: Trompeter #UCBJ224 75-ohm 4-leg connector (King and ITT are also compatible)
• AMP Champ: AMP #552246-1 with #552562-2 bail locks

A.1.9 BITS Interface

The ONS 15454 building integrated timing supply (BITS) interface has the following specifications:
• 2 DS-1 BITS inputs
• 2 derived DS-1 outputs
• Backplane access: BITS pin field

A.1.10 System Timing

The ONS 15454 has the following system timing specifications:
• Stratum 3 per Telcordia GR-253-CORE
• Free running accuracy: +/– 4.6 ppm
• Holdover stability: 3.7 x 10^–7 per day, including temperature (< 255 slips in first 24 hours)
• Reference: External BITS, line, internal

A.1.11 System Power

The ONS 15454 ANSI has the following power specifications:
• Nominal input voltage: –48 VDC
• Power consumption: Configuration dependent; 55 W (fan tray only)
• Power requirements:
  – Nominal: –48 VDC
  – Input voltage range: –40.5 to –57.0 VDC
• Power terminals: #6 lug
• ANSI shelf fusing: 100-A fuse panel (minimum 30 A fuse per shelf)
• HD shelf fusing: 100-A fuse panel (minimum 30 A fuse per shelf)

The ONS 15454 ETSI has the following power specifications:
• Nominal input voltage: –48 VDC
• Power consumption: Configuration dependent; 53 W (fan tray only)
• Power requirements:
  – Nominal: –48 VDC
  – Input voltage range: –40.5 to –57.0 VDC
• Power terminals: 3WK3 Combo-D power cable connector (MIC-A/P and MIC-C/T/P faceplates)
• Fusing: 100 A fuse panel; minimum 30 A fuse per shelf

A.1.12 Fan Tray

Table A-1 lists power requirements for the fan-tray assembly.

Table A-1 Fan Tray Assembly Power Requirements

Fan Tray Assembly | Watts | Amps | BTU/Hr
FTA2 | 53 | 1.21 | 198
FTA3-T | 129.60 | 2.7 | 442.21
15454-CC-FTA | 115 | 2.4 | 393

A.1.13 System Environmental Specifications

The ONS 15454 has the following environmental specifications:
• Operating temperature: 0 to +55 degrees Celsius; –40 to +65 degrees Celsius with industrial temperature rated cards
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity

A.1.14 Dimensions

The ONS 15454 shelf assembly has the following dimensions:
• Height: 18.25 in. (46.3 cm)
• Width: 19 or 23 in. (48.3 cm or 58.4 cm) with mounting ears attached
• Depth: 12.018 in. (30.5 cm) for standard door and 13.810 in. (35 cm) for deep door
• Weight: 55 lb (24.947 kg) empty

A.2 SFP, XFP, and GBIC Specifications

Table A-2 lists the specifications for the available Small Form-factor Pluggables (SFPs), 10 Gbps Pluggables (XFPs), and GBICs. In the table, the following acronyms are used:
• ESCON = Enterprise System Connection
• FICON = fiber connectivity
• GE = Gigabit Ethernet
• FE = Fast Ethernet
• E = Ethernet (10 Mbps)
• FC = Fibre Channel
• HDTV = high definition television
• CWDM = coarse wavelength division multiplexing

Table A-2 SFP, XFP, and GBIC Specifications

SFP/XFP Product ID | Interface | Transmitter Output Power Min/Max (dBm) | Receiver Input Power Min/Max (dBm)
15454-SFP-LC-SX/15454E-SFP-LC-SX | GE | –9.5 to 0 | –17 to 0 (1)
15454-SFP-LC-LX/15454E-SFP-LC-LX | GE | –9.5 to –3 | –19 to –3 (2)
15454-SFP3-1-IR= | OC-3 | –15 to –8 | –28 to –8
15454E-SFP-L.1.1= | STM-1 | –15 to –8 | –34 to –10
15454-SFP12-4-IR= | OC-12, D1 Video | –15 to –8 | –28 to –8
15454E-SFP-L.4.1= | STM-4, D1 Video | –15 to –8 | –28 to –8
15454-SFP-OC48-IR= | OC-48, DV6000 (C-Cor) | –5 to 0 | –18 to 0
ONS-SE-2G-S1= | OC-48, STM-16 | –10 to –3 | –18 to –3
15454E-SFP-L.16.1= | STM-16, DV6000 (C-Cor) | –5 to 0 | –18 to 0
15454-SFP-200/15454E-SFP-200 | ESCON | –20.5 to –15 | –14 to –29 (3)
15454-SFP-GEFC-SX=/15454E-SFP-GEFC-S= | FC (1 and 2 Gbps), FICON, GE | –9.5 to 0 | –17 to 0 (1)
15454-SFP-GE+-LX=/15454E-SFP-GE+-LX= | FC (1 and 2 Gbps), FICON, GE, HDTV | –9.5 to –3 | –19 to –3 (2)
ONS-SE-200-MM= | ESCON | –20.5 to –15 | –14 to –29 (3)
ONS-SE-G2F-SX= | Fibre Channel (1 and 2 Gbps), GE | –9.5 to 0 | –17 to 0 (1)
ONS-SE-G2F-LX= | Fibre Channel (1 and 2 Gbps), FICON, GE, HDTV | –9.5 to –3 | –19 to –3 (2)
ONS-SC-GE-SX= | GE | –9.5 to 0 | –17 to 0 (1)
ONS-SC-GE-LX= | GE | –9.5 to –3 | –19 to –3 (2)
ONS-SI-2G-S1 | OC-48 SR | –10 to –3 | –18 to –3
ONS-SI-2G-I1 | OC-48 IR1 | –5 to 0 | –18 to 0
ONS-SI-2G-L1 | OC-48 LR1 | –2 to +3 | –27 to –9
ONS-SI-2G-L2 | OC-48 LR2 | –2 to +3 | –28 to –9
ONS-SC-2G-28.7 (4) through ONS-SC-2G-60.6 | OC-48 DWDM | 0 to +4 | –28 to –9
ONS-SI-622-I1 | OC-3/OC-12 IR1 dual rate | –15 to –8 | –28 to –8
ONS-SI-622-L1 | OC-12 LR1 | –3 to +2 | –28 to –8
ONS-SI-622-L2 | OC-12 LR2 | –3 to +2 | –28 to –8
ONS-SE-622-1470 through ONS-SE-622-1610 | OC-12/STM-4 CWDM | 0 to +5 | –28 to –3 (BER 10^-10)
ONS-SI-155-I1 | OC-3 IR1 | –15 to –8 | –28 to –8
ONS-SI-155-L1 | OC-3 LR1 | –5 to 0 | –34 to –10
ONS-SI-155-L2 | OC-3 LR2 | –5 to 0 | –34 to –10
ONS-SE-155-1470 through ONS-SE-155-1610 | OC-3 CWDM | 0 to +5 | –34 to –3 (BER 10^-10)
ONS-XC-10G-S1 | OC-192 SR1 | –6 to –15 | –11 to –14
ONS-XC-10G-I2 | OC-192 IR2 | –1 to +2 | –14 to +2
ONS-XC-10G-L2 | OC-192 LR2 | 0 to +4 | –24 to –7
ONS-XC-10G-30.3= through ONS-XC-10G-61.4= | OC-192/STM64/10GE | –1 to +3 | –27 to –7
ONS-SE-100-FX | FE | –20 to –14 | –31 to –14
ONS-SE-100-LX10 | FE | –15 to –8 | –28 to –8
15454-GBIC-SX | FC, GE | –9.5 to –3.5 | –19 to –3
15454E-GBIC-SX | GE, FC | — | —
15454-GBIC-LX/LH | GE, FC | –9 to –3 | –19 to –3
15454E-GBIC-LX/LH | GE, FC | –9 to –3 | –19 to –3
ONS-GX-2FC-MMI | FC | –10 to –2.5 | –22
ONS-GX-2FC-SML | FC | –9 to –3 | –23.5
ONS-SI-155-SR-MM= | OC-3, STM-1 | –20 to –14 | –30 to –14
ONS-SI-622-SR-MM= | OC-12, STM-4 | –20 to –14 (50 micrometer); –24 to –14 (62.5 micrometer) | –26 to –14
ONS-SC-Z3-1470= through ONS-SC-Z3-1610= | OC48/STM16/GE | 0 to +4 | –28 to –9 (BER 10^-10)
ONS-SE-Z1= | OC-3/STM-1, OC-12/STM-4, OC-48/STM-16, Fibre Channel (1 and 2 Gbps), GE | –5 to 0 | –18 (OC-48/STM-16), –22 (GE), –23 (OC-12/STM-4), –23 (OC-3/STM-1)
ONS-SI-2G-S1 | OC-48/STM-16 | –10 to –3 | –18 to –3
ONS-SE-155-1470 through ONS-SE-155-1610 | OC-3/STM-1 | 0 to +5 | –34 to –3 (BER 10^-10)
ONS-SI-GE-SX | GE | –9.5 to 0 | –17 to 0 (1)
ONS-SI-GE-LX | GE | –9.5 to –3 | –19 to –3 (2)
ONS-SI-GE-ZX | GE | 0 to +5 | –23 to –3
ONS-SI-100-FX | FE | — | —
ONS-SI-100-LX10 | FE | — | —
ONS-SE-ZE-EL | E, FE, or GE | — | —
ONS-SE-100-BX10U | FE | –14 to –8 | –8 to –28.2
ONS-SE-100-BX10D | FE | –14 to –8 | –8 to –28.2
ONS-XC-10G-C | 10GE | 0 to +3 | –24 to –7

1. Minimum stressed sensitivity (10^-12): –12.5 (62.5 um) and –13.5 (50 um) dBm
2. Minimum stressed sensitivity (10^-12): –14.4 dBm
3. Based on any valid 8B/10B code pattern measured at, or extrapolated to, 10E-15 BER measured at center of eye
4. ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from Release 8.5 and later.
5. SONET/SDH application

A.3 General Card Specifications

This section provides power specifications and temperature ranges for all ONS 15454 cards.

A.3.1 Power

Table A-3 provides power consumption information for the ONS 15454 cards.

Table A-3 Individual Card Power Requirements

Card Type | Card Name | Watts | Amperes | BTU/Hr.
Control Cards | TCC2 | 19.20 | 0.4 | 66.8
 | TCC2P | 27.00 | 0.56 | 92.2
 | XCVT | 34.40 | 0.72 | 117.46
 | XC10G | 48 | 1 | 163.68
 | XC-VXC-10G | 67 | 1.4 | 228.62
 | AIC-I | 4.8 | 0.1 | 15.3
 | AEP | 3 (from +5 VDC from AIC-I) | — | 10.2
 | FTA3 Fan Tray –48 VDC | 129.60 | 2.7 | 442.21
 | FTA4 Fan Tray –48 VDC | 115 | 2.4 | 393
Electrical Cards | EC1-12 | 36.60 | 0.76 | 124.97
 | DS1-14 | 12.60 | 0.26 | 43.02
 | DS1N-14 | 12.60 | 0.26 | 43.02
 | DS1/E1-56 | 36.00 | 0.76 | 124.97
 | DS3-12 | 38.20 | 0.79 | 130.43
 | DS3/EC1-48 | 30 | 0.58 | 95.6
 | DS3N-12 | 38.20 | 0.79 | 130.43
 | DS3i-N-12 | 30 | 0.63 | 102.4
 | DS3-12E | 26.80 | 0.56 | 91.51
 | DS3N-12E | 26.80 | 0.56 | 91.51
 | DS3XM-12 Transmux | 34 | 0.71 | 116.1
 | DS3XM-6 Transmux | 20 | 0.42 | 68
Optical Cards | OC3 IR 4 | 19.20 | 0.40 | 65.56
 | OC3 IR 4/STM1 SH 1310 | 19.20 | 0.40 | 65.56
 | OC3 IR 4/STM1 SH 1310-8 | 26.00 | 0.48 | 78.5
 | OC12 IR 1310 | 10.90 | 0.23 | 37.22
 | OC12 LR 1310 | 9.28 | 0.2 | 31.68
 | OC12 LR 1550 | 9.28 | 0.2 | 31.68
 | OC12 LR/STM4 LH 1310 | 9.00 | 0.2 | 31.68
 | OC12 LR/STM4 LH 1550 | 9.28 | 0.2 | 31.68
 | OC12 IR/STM4 SH 1310-4 | 35.60 | 0.74 | 121.6
 | OC48 IR 1310 | 32.20 | 0.67 | 109.94
 | OC48 LR 1550 | 26.80 | 0.56 | 91.50
 | OC48 IR/STM16 SH AS 1310 | 37.20 | 0.77 | 127.01
 | OC48 LR/STM16 LH AS 1550 | 37.20 | 0.77 | 127.01
 | OC48 ELR/STM16 EH 100 GHz | 31.20 | 0.65 | 106.53
 | OC48 ELR 200 GHz | 31.20 | 0.65 | 106.53
 | OC192 SR/STM64 IO H 1310 | 41.80 | 0.90 | 132.00
 | OC192 IR/STM64 SH 1550 | 48.00 | 1.00 | 163.68
 | OC192 LR/STM64 LH 1550 | 41.80 | 0.90 | 132.00
 | OC192 LR/STM64 LH 15xx.xx | 62.40 | 1.30 | 214.00
 | 15454_MRC-12 | 38 | 0.79 | 129.66
 | MRC-2.5G-4 | 38 | 0.79 | 129.66
 | OC192SR1/STM64IO Short Reach and OC-192/STM64 Any Reach (1) | 40 | 0.83 | 136.49
Ethernet Cards | E100T-12 | 65 | 1.35 | 221.93
 | E100T-G | 65 | 1.35 | 221.93
 | E1000-2 | 53.50 | 1.11 | 182.67
 | E1000-2-G | 53.50 | 1.11 | 182.67
 | G1K-4 | 63.00 (including GBICs (2)) | 1.31 | 215.11
 | ML100T-12 | 53 | 1.10 | 181.00
 | ML1000-2 | 49 (including SFPs) | 1.02 | 167.30
 | ML100X-8 | 65 | 1.35 | 221.93
 | ML-MR-10 | 100 | N/A | N/A
 | CE-100T-8 | 53.14 | 1.10 | 181.30
 | CE-1000-4 | 60 | 1.25 | 204.80
 | CE-MR-10 | 95 | 1.35 | 221.93
Storage Access Networking | FC_MR-4 | 60 | 1.25 | 212.00

1. These cards are designated as OC192-XFP in CTC.
2. GBICs = Gigabit Interface Converters

A.3.2 Temperature

Table A-4 provides temperature ranges and product names for ONS 15454 cards.

Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant.

Table A-4 Card Temperature Ranges and Product Names

Card Type | Card Name | C-Temp Product Name (32 to 131 degrees Fahrenheit, 0 to +55 degrees Celsius) | I-Temp Product Name (–40 to 149 degrees Fahrenheit, –40 to +65 degrees Celsius)
Control Cards | TCC2 | — | 15454-TCC2
 | TCC2P | — | 15454-TCC2P
 | XCVT | 15454-XC-VT | 15454-XC-VT-T
 | XC10G | 15454-XC-10G | —
 | XC-VXC-10G | — | 15454-XC-VXC-10G-T
 | AIC-I | — | 15454-AIC-I
 | AEP | — | 15454-AEP
Electrical | EC1-12 | 15454-EC1-12 | 15454-EC1-12-T
 | DS1-14 | 15454-DS1-14 | 15454-DS1-14-T
 | DS1N-14 | 15454-DS1N-14 | 15454-DS1N-14-T
 | DS1/E1-56 | — | 15454-DS1E1-56
 | DS3-12 | 15454-DS3-12 | 15454-DS3-12-T
 | DS3/EC1-48 | — | 15454-DS3_EC1-48
 | DS3N-12 | 15454-DS3N-12 | 15454-DS3N-12-T
 | DS3i-N-12 | 15454-DS3i-N-12 | —
 | DS3-12E | — | 15454-DS3-12E-T
 | DS3N-12E | — | 15454-DS3N-12E-T
 | DS3XM-12 (Transmux) | — | 15454-DS3XM-12
 | DS3XM-6 (Transmux) | 15454-DS3XM-6 | 15454-DS3XM-6-T
Optical | OC3 IR 4/STM1 SH 1310 | 15454-OC34IR1310 | 15454-OC34I13-T
 | OC3 IR/STM1 SH 1310-8 | 15454-OC3I8-1310 | —
 | OC12 IR/STM4 SH 1310 | 15454-OC121IR1310 | 15454-OC121I13-T
 | OC12 LR/STM4 LH 1310 | 15454-OC121LR1310 | 15454-OC121L13-T
 | OC12 LR/STM4 LH 1550 | 15454-OC121LR1550 | 15454-OC121L15-T
 | OC12 IR/STM4 SH 1310-4 | 15454-OC12I4-1310 | —
 | OC48 IR 1310 | 15454-OC481IR1310 | —
 | OC48 LR 1550 | 15454-OC481LR1550 | —
 | OC48 IR/STM16 SH AS 1310 | 15454-OC481IR1310A | —
 | OC48 LR/STM16 LH AS 1550 | 15454-OC481LR1550A | —
 | OC48 ELR/STM16 EH 100 GHz | 15454-OC48E-1-xx.xx (all wavelengths) | —
 | OC48 ELR/STM16 EH 200 GHz | 15454-OC48E-xx.xx (all wavelengths) | —
 | OC 192 SR/STM64 IO 1310 | 15454-OC192IO1310 | —
 | OC192 IR/STM64 SH 1550 | 15454-OC192IR1550 | —
 | OC192 LR/STM64 LH 1550 | 15454-OC192LR1550 | —
 | OC192 LR/STM64 LH ITU 15xx.xx | 15454-OC192LR15xx | —
 | 15454_MRC-12 | — | 15454-MRC-12-T
 | MRC-2.5G-4 | — | 15454-MRC-I-4
 | OC-192/STM-64 SR1 Short Reach (1) | 15454_OC-192/STM-64 SR1 Short Reach | —
 | OC-192/STM-64 Any Reach (1) | 15454_OC-192/STM-64 Any Reach | —
Ethernet | E100T-12 | 15454-E100T | —
 | E100T-G | 15454-E100T-G | —
 | E1000-2 | 15454-E1000-2 | —
 | E1000-2-G | 15454-E1000-2-G | —
 | G1K-4 | 15454-G1K-4 | —
 | ML100T-12 | 15454-ML100T-12 | —
 | ML1000-2 | 15454-ML1000-2 | —
 | ML100X-8 | — | 15454-ML100X-8
 | ML-MR-10 | — | 15454-ML-MR-10
 | CE-100T-8 | 15454-CE100T-8 | —
 | CE-1000-4 | 15454-CE1000-4 | —
 | CE-MR-10 | 15454-CE-MR-10 | —
Storage Access Networking | FC_MR-4 | 15454-FC_MR-4 | —

1. Designated as OC192-XFP in CTC.

A.4 Common Control Card Specifications

This section provides specifications for the TCC2, TCC2P, XCVT, XC10G, XC-VXC-10G, and AIC-I cards. For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document.

A.4.1 TCC2 Card Specifications

The TCC2 card has the following specifications:
• CTC software
  – Interface: EIA/TIA-232 (local craft access, on TCC2 faceplate)
  – Interface: 10BaseT LAN (on TCC2 faceplate)
  – Interface: 10BaseT LAN (through the backplane)
• Synchronization
  – Stratum 3, per Telcordia GR-253-CORE
  – Free running accuracy: +/– 4.6 ppm
  – Holdover stability: 3.7 x 10^–7 per day including temperature (< 255 slips in first 24 hours)
  – Reference: External BITS, line, internal
• Supply voltage monitoring
  – Both supply voltage inputs are monitored.
  – Normal operation: –40.5 to –56.7 V
  – Undervoltage: Major alarm
  – Overvoltage: Major alarm
• Environmental
  – Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 26.00 W, 0.54 A at –48 V, 88.8 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 1.5 lb (0.7 kg)

A.4.2 TCC2P Card Specifications

The TCC2P card has the following specifications:
• CTC software
  – Interface: EIA/TIA-232 (local craft access, on TCC2P faceplate)
  – Interface: 10BaseT LAN (on TCC2P faceplate)
  – Interface: 10BaseT LAN (via backplane)
• Synchronization
  – Stratum 3, per Telcordia GR-253-CORE
  – Free running accuracy: +/– 4.6 ppm
  – Holdover stability: 3.7 x 10^–7 per day including temperature (< 255 slips in first 24 hours)
  – Reference: External BITS, line, internal
• Supply voltage monitoring
  – Both supply voltage inputs are monitored.
  – Normal operation: –40.5 to –56.7 V (in –48 VDC systems)
  – Undervoltage: Major alarm
  – Overvoltage: Major alarm
• Environmental
  – Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 27.00 W, 0.56 A at –48 V, 92.2 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 1.5 lb (0.7 kg)

A.4.3 XCVT Card Specifications

The XCVT card has the following specifications:
• Environmental
  – Operating temperature: C-Temp (15454-XC-VT): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius); I-Temp (15454-XC-VT-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 34.40 W, 0.72 A, 117.46 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 1.9 lb (0.8 kg)

A.4.4 XC10G Card Specifications

The XC10G card has the following specifications:
• Environmental
  – Operating temperature: C-Temp (15454-XC-10G): 32 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent, noncondensing
  – Power consumption: 48 W, 1.00 A, 163.68 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 1.5 lb (0.6 kg)

A.4.5 XC-VXC-10G Card Specifications

The XC-VXC-10G card has the following specifications:
• Environmental
  – Operating temperature: I-Temp (15454-XC-VXC-10G-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent, noncondensing
  – Power consumption: 67 W, 1.4 A, 228.62 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 1.5 lb (0.6 kg)

A.4.6 AIC-I Card Specifications

The AIC-I card has the following specifications:
• Alarm inputs
  – Number of inputs: 12 without alarm extension panel (AEP), 32 with AEP
  – Optocoupler isolated
  – Label is customer provisionable.
  – Severity is customer provisionable.
  – Common 32 V output for all alarm inputs
  – Each input limited to 2 mA
  – Termination: Wire-wrap on backplane without AEP, on AEP connectors with AEP
• Alarm outputs
  – Number of outputs: 4 (user configurable as inputs) without AEP, 16 with AEP
  – Switched by opto MOS (metal oxide semiconductor)
  – Triggered by definable alarm condition
  – Maximum allowed open circuit voltage: 60 VDC
  – Maximum allowed closed circuit current: 100 mA
  – Termination: Wire-wrap on backplane without AEP, on AEP connectors with AEP
• Express orderwire/Local orderwire (EOW/LOW)
  – ITU-T G.711, ITU-T G.712, Telcordia GR-253-CORE
  – A-law, mu-law
  Note Due to the nature of mixed coding, in a mixed-mode configuration (A-law/mu-law) the orderwire is not ITU-T G.712 compliant.
  – Orderwire party line
  – Dual tone multifrequency (DTMF) signaling
• User data channel (UDC)
  – Bit rate: 64 kbps, bidirectional
  – ITU-T G.703
  – Input/output impedance: 120 ohm
  – Termination: RJ-11 connectors
• Data communications channel (DCC)
  – Bit rate: 576 kbps
  – EIA/TIA-485/V11
  – Input/output impedance: 120 ohm
  – Termination: RJ-45 connectors
• ACC connection for additional alarm interfaces
  – Connection to AEP
• Power monitoring alarming states:
  – Power failure (0 to –38 VDC)
  – Undervoltage (–38 to –40.5 VDC)
  – Overvoltage (beyond –56.7 VDC)
• Environmental
  – Operating temperature: –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption (including AEP, if used): 8.00 W, 0.17 A, 27.3 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 1.8 lb (0.82 kg)

A.4.7 AEP Specifications

The AEP has the following specifications:
• Alarm inputs
  – Number of inputs: 32
  – Optocoupler isolated
  – Label customer provisionable
  – Severity customer provisionable
  – Common 32 V output for all alarm inputs
  – Each input limited to 2 mA
  – Termination: 50-pin AMP Champ connector
• Alarm outputs
  – Number of outputs: 16
  – Switched by opto MOS
  – Triggered by definable alarm condition
  – Maximum allowed open circuit voltage: 60 VDC
  – Maximum allowed closed circuit current: 100 mA
  – Termination: 50-pin AMP Champ connector
• Environmental
  – Overvoltage protection: as in ITU-T G.703 Annex B
  – Operating temperature: –40 to +65 degrees Celsius
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 3.00 W max., from +5 VDC from AIC-I, 10.2 BTU/hr max.
• Dimensions of AEP board
  – Height: 0.79 in. (20 mm)
  – Width: 13.0 in. (330 mm)
  – Depth: 3.5 in. (89 mm)
  – Weight: 0.4 lb (0.18 kg)

A.5 Electrical Card Specifications

This section provides specifications for the EC1-12, DS1-14, DS1N-14, DS1/E1-56, DS3/EC1-48, DS3-12, DS3N-12, DS3i-N-12, DS3-12E, DS3N-12E, DS3XM-6, DS3XM-12, and filler cards. For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document.

A.5.1 EC1-12 Card Specifications

The EC1-12 card has the following specifications:
• Input
  – Bit rate: 51.84 Mbps +/– 20 ppm
  – Frame format: SONET
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
  – AIS: TR-TSY-000191 compliant
• Output
  – Bit rate: 51.84 Mbps +/– 20 ppm
  – Frame format: SONET
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
  – AIS: TR-TSY-000191 compliant
  – Power level: –1.8 +/– 5.7 dBm
  – Pulse shape: ANSI T1.102-1988 Figure 8
  – Pulse amplitude: 0.36 to 0.85 V peak
  – Loopback modes: Terminal and facility
  – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: BNC or SMB connectors
• Operating temperature
  – C-Temp (15454-EC1-12): 0 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – I-Temp (15454-EC1-12-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
• Power consumption: 36.60 W, 0.76 A, 124.97 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.0 lb (0.9 kg)

A.5.2 DS1-14 and DS1N-14 Card Specifications

The DS1-14 and DS1N-14 cards have the following specifications:
• Input
  – Bit rate: 1.544 Mbps +/– 32 ppm
  – Frame format: Off, SF (D4), ESF
  – Line code: AMI, B8ZS
  – Termination: Wire-wrap, AMP Champ
  – Input impedance: 100 ohms
  – Cable loss: Max 655 feet ABAM #22 AWG
  – AIS: TR-TSY-000191 compliant
• Output
  – Bit rate: 1.544 Mbps +/– 32 ppm
  – Frame format: Off, SF (D4), ESF
  – Line code: AMI, B8ZS
  – Termination: Wire-wrap, AMP Champ
  – Input impedance: 100 ohms
  – Cable loss: Max 655 feet ABAM #22 AWG
  – AIS: TR-TSY-000191 compliant
  – Power level: 12.5 to 17.9 dBm centered at 772 kHz, –16.4 to –11.1 dBm centered at 1544 kHz
  – Pulse shape: Telcordia GR-499-CORE Figure 9-5
  – Pulse amplitude: 2.4 to 3.6 V peak
  – Loopback modes: Terminal and facility
• Electrical interface: BNC or SMB connectors
• Surge protection: Telcordia GR-1089
• Operating temperature
  – C-Temp (15454-DS1-14 and 15454-DS1N-14): 0 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – I-Temp (15454-DS1-14-T and 15454-DS1N-14-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
• Power consumption: 12.60 W, 0.26 A, 43.02 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 1.8 lb (0.8 kg)

A.5.3 DS1/E1-56 Card Specifications

The DS1/E1-56 card has the following specifications:
• Input
  – Bit rate: 1.544 Mbps +/– 32 ppm (DS-1); 2.048 Mbps +/– 50 ppm (E1)
  – Frame format: Off, SF (D4), ESF (DS-1); E1 multiframe, E1 CRC multiframe, and unframed (ITU) (E1)
  – Line code: AMI, B8ZS (DS-1); HDB3 (E1)
  – Termination: Balanced, twisted pair, #22/24 AWG
  – Input impedance: 100 ohms +/– 5 percent (DS-1); 120 ohms +/– 5 percent (E1)
  – Cable loss: Max 655 feet ABAM #22/24 AWG (DS-1); compliant per ITU-T G.703 (E1)
  – AIS: TR-TSY-000191 compliant
• Output
  – Bit rate: 1.544 Mbps +/– 32 ppm (DS-1); 2.048 Mbps +/– 50 ppm (E1)
  – Frame format: Off, SF (D4), ESF (DS-1); E1 multiframe, E1 CRC multiframe, and unframed (ITU) (E1)
  – Line code: AMI, B8ZS (DS-1); HDB3 (E1)
  – Termination: Balanced, twisted pair, #22/24 AWG
  – Input impedance: 100 ohms +/– 5 percent (DS-1); 120 ohms +/– 5 percent (E1)
  – Cable loss: Max 655 feet ABAM #22/24 AWG (DS-1); compliant per ITU-T G.703 (E1)
  – AIS: TR-TSY-000191 compliant
  – Power level: 12.6 to 17.9 dBm centered at 772 kHz
  – Pulse shape: Telcordia GR-499-CORE Figure 9-5 (DS-1); ITU-T G.703, Figure 15 (E1)
  – Pulse amplitude: 2.4 to 3.6 V peak (DS-1); 2.7 to 3.3 V peak (E1)
  – Loopback modes: Terminal and facility
• Electrical interface: SCSI (UBIC) connectors. UBIC-H: DS-1 and E1; UBIC-V: DS-1 only.
• Surge protection: Telcordia GR-1089
• Operating temperature
  – I-Temp (15454-DS1E1-56): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
• Power consumption: 36.00 W, 0.76 A, 124.97 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.0 lb (0.9 kg)

A.5.4 DS3/EC1-48 Card Specifications

The DS3/EC1-48 card has the following specifications:
• Input
  – Bit rate: 44.736 Mbps +/– 20 ppm
  – Frame format: DS-3 ANSI T1.107-1988
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Max 450 feet with 734A or 728A, Max 79 feet with RG-179
  – AIS: TR-TSY-000191 compliant
• Output
  – Bit rate: 44.736 Mbps +/– 20 ppm
  – Frame format: DS-3 ANSI T1.107-1988
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Max 900 feet with 734A or 728A cable, Max 79 feet with RG-179
  – AIS: TR-TSY-000191 compliant
  – Power level: –1.8 to +5.7 dBm
  – Pulse shape: ANSI T1.102-1988 Figure 8
  – Pulse amplitude: 0.36 to 0.85 V peak
  – Loopback modes: Terminal and facility
  – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: BNC or SMB connectors
• Surge protection: Telcordia GR-1089
• Operating temperature
  – I-Temp (15454-DS3_EC1-48): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
• Power consumption: 60 W, 1.25 A at –48 V, 95.6 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Weight: 1.7 lb (0.7 kg)

A.5.5 DS3-12 and DS3N-12 Card Specifications

The DS3-12 and DS3N-12 cards have the following specifications:
• Input
  – Bit rate: 44.736 Mbps +/– 20 ppm
  – Frame format: DS-3 ANSI T1.107-1988
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
  – AIS: TR-TSY-000191 compliant
• Output
  – Bit rate: 44.736 Mbps +/– 20 ppm
  – Frame format: DS-3 ANSI T1.107-1988
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179
  – AIS: TR-TSY-000191 compliant
  – Power level: –1.8 to +5.7 dBm
  – Pulse shape: ANSI T1.102-1988 Figure 8
  – Pulse amplitude: 0.36 to 0.85 V peak-to-peak
  – Loopback modes: Terminal and facility
  – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface: BNC or SMB connectors
• Surge protection: Telcordia GR-1089
• Operating temperature
  – C-Temp (15454-DS3-12 and 15454-DS3N-12): 0 to 131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – I-Temp (15454-DS3-12-T and 15454-DS3N-12-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant.
• Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
• Power consumption: 38.20 W, 0.79 A, 130.43 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – DS3-12 card weight: 1.7 lb (0.7 kg)
  – DS3N-12 card weight: 1.8 lb (0.8 kg)

A.5.6 DS3i-N-12 Card Specifications

The DS3i-N-12 card has the following specifications:
• Input
  – Bit rate: 44.736 Mbps +/– 20 ppm
  – Frame format: ITU-T G.704, ITU-T G.752/DS-3 ANSI T1.107-1988
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Input impedance: 75 ohms +/– 5 percent
  – Cable loss: Maximum 137 m (450 ft): 734A, RG59, 728A; Maximum 24 m (79 ft): RG179
  – AIS: ITU-T G.704 compliant
• Output
  – Bit rate: 44.736 Mbps +/– 20 ppm
  – Frame format: ITU-T G.704, ITU-T G.752/DS-3 ANSI T1.107-1988
  – Line code: B3ZS
  – Termination: Unbalanced coaxial cable
  – Output impedance: 75 ohms +/– 5 percent
  – AIS: ITU-T G.704 compliant
  – Power level: –1.8 to +5.7 dBm
  Note The power level is for a signal of all ones and is measured at a center frequency of 22.368 MHz (3 +/– 1 kHz bandwidth).
  – Pulse shape: ITU-T G.703, Figure 14/ANSI T1.102-1988, Figure 8
  – Pulse amplitude: 0.36 to 0.85 V peak-to-peak
  – Loopback modes: Terminal and facility
  – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters)
• Electrical interface connectors: SMB, BNC
• Environmental
  – Overvoltage protection: As in ITU-T G.703 Annex B
  – Operating temperature: +23 to +113 degrees Fahrenheit (–5 to +45 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 26.80 W, 0.56 A at –48 V, 91.5 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in.
(235 mm) – Weight not including clam shell: 1.9 lb (0.8 kg) A.5.7 DS3-12E and DS3N-12E Card Specifications The DS3-12E and DS3N-12E cards have the following specifications: • Input – Bit rate: 44.736 Mbps +/– 20 ppm – Frame format: DS-3 ANSI T1.107-1988 – Line code: B3ZS – Termination: Unbalanced coaxial cable – Input impedance: 75 ohms +/–5 percent – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179 – AIS: TR-TSY-000191 compliant • Output – Bit rate: 44.736 Mbps +/– 20 ppm – Frame format: DS-3 ANSI T1.107-1988 – Line code: B3ZS – Termination: Unbalanced coaxial cable – Input impedance: 75 ohms +/–5 percent – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179 – AIS: TR-TSY-000191 compliant – Power level: –1.8 to +5.7 dBm Note The power level is for a signal of all ones and is measured at a center frequency of 22.368 MHz (3 +/–1 kHz) bandwidth. – Pulse shape: ANSI T1.102-1988 Figure 8 – Pulse amplitude: 0.36 to 0.85 V peak-to-peak – Loopback modes: Terminal and facilityA-25 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.5.8 DS3XM-12 Card Specifications – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters) • Electrical interface: Connectors: BNC or SMB • Surge protection: Telcordia GR-1089 • Operating temperature: I-Temp (15454-DS3-12E-T and 15454-DS3N-12E-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius) Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant. • Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity • Power consumption: 26.80 W, 0.56 A, 91.51 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. (228.6 mm) – Depth with backplane connector: 9.250 in. 
(235.0 mm) – DS3-12E card weight: 1.8 lb (0.8 kg) – DS3N-12E card weight: 1.9 lb (0.8 kg) A.5.8 DS3XM-12 Card Specifications The DS3XM-12 card has the following specifications: • Input – Bit rate: 44.736 Mbps +/–20 ppm – Frame format: DS-3 ANSI T1.107-1988 – Line code: B3ZS – Termination: Unbalanced coaxial cable – Input impedance: 75 ohms +/–5 percent – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179 – AIS: TR-TSY-000191 compliant • Output – Bit rate: 44.736 Mbps +/– 20 ppm – Frame format: DS-3 ANSI T1.107-1988 – Line code: B3ZS – Termination: Unbalanced coaxial cable – Input impedance: 75 ohms +/–5 percent – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179 – AIS: TR-TSY-000191 compliantA-26 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.5.9 DS3XM-6 Card Specifications – Power level: –1.8 to +5.7 dBm – Pulse shape: ANSI T1.102-1988 Figure 8 – Pulse amplitude: 0.36 to 0.85 V peak-to-peak – Loopback modes: Terminal and facility – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters) • Interface: BNC, SMB, UBIC and MiniBNC connectors • Surge protection: Telcordia GR-1089 • Operating temperature: – I-Temp (15454-DS3XM-12): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius) Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant. • Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity • Power consumption: 34 W, 0.71A at –48 V, 116.1 BTU/hr • Dimensions – Height: 12.65 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.00 in. 
(228.6 mm) – Card weight: 1.8 lb (0.8 kg) A.5.9 DS3XM-6 Card Specifications The DS3XM-6 card has the following specifications: • Input – Bit rate: 44.736 Mbps +/–20 ppm – Frame format: DS-3 ANSI T1.107-1988 – Line code: B3ZS – Termination: Unbalanced coaxial cable – Input impedance: 75 ohms +/–5 percent – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179 – AIS: TR-TSY-000191 compliant • Output – Bit rate: 44.736 Mbps +/– 20 ppm – Frame format: DS-3 ANSI T1.107-1988 – Line code: B3ZS – Termination: Unbalanced coaxial cable – Input impedance: 75 ohms +/–5 percentA-27 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.5.10 FILLER Card Specifications – Cable loss: Max 450 feet 734A, RG-59, 728A/Max 79 feet RG-179 – AIS: TR-TSY-000191 compliant – Power level: –1.8 to +5.7 dBm – Pulse shape: ANSI T1.102-1988 Figure 8 – Pulse amplitude: 0.36 to 0.85 V peak-to-peak – Loopback modes: Terminal and facility – Line build out: 0 to 225 feet (0 to 68.8 meters); 226 to 450 feet (68.9 to 137.2 meters) • Interface: BNC or SMB connectors • Surge protection: Telcordia GR-1089 • Operating temperature: – C-Temp (15454-DS3XM-6): 0 to 131 degrees Fahrenheit (0 to +55 degrees Celsius) – I-Temp (15454-DS3XM-6-T): –40 to 149 degrees Fahrenheit (–40 to +65 degrees Celsius) Note The I-Temp symbol is displayed on the faceplate of an I-Temp compliant card. A card without this symbol is C-Temp compliant. • Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity • Power consumption: 20 W, 0.42 A, 68 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. 
(228.6 mm) – Card weight: 1.8 lb (0.8 kg) A.5.10 FILLER Card Specifications The FILLER cards have the following specifications: • Environmental – Operating temperature: C-Temp: -40 to +149 degree Fahrenheit (-40 to +65 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. (228.6 mm) – Card weight: 0.4 lb (0.19 kg)A-28 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6 Optical Card Specifications A.6 Optical Card Specifications This section provides specifications for the OC3 IR4/STM1 SH 1310 (four-port), OC3 IR/STM1 SH 1310-8 (eight-port), OC12 IR/STM4 SH 1310, OC12 LR/STM4 LH 1310, OC12 LR STM4 LH 1550, OC12 IR/STM4 SH 1310-4 (four-port), OC48 IR 1310, OC48 LR 1550, OC48 IR/STM16 SH AS 1310, OC48 LR/STM16 LH AS 1550, OC48 ELR 100 GHz, OC48 ELR 200 GHz, OC192 SR/STM64 IO 1310, OC192 IR/STM64 SH 1550, OC192 LR/STM64 LH 1550, OC192 LR/STM64 LH ITU 15xx.xx, 15454_MRC-12 (12-port), MRC-2.5G-4, OC192SR1/STM64IO Short Reach, and OC192/STM64 Any Reach cards. For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information. 
A.6.1 OC3 IR 4/STM1 SH 1310 Card Specifications

The OC3 IR 4/STM1 SH 1310 card has the following specifications:

• Line
  – Bit rate: 155.52 Mbps
  – Code: Scrambled non-return to zero (NRZ)
  – Fiber: 1310-nm single-mode
  – Loopback modes: Terminal and facility
  – Connector: SC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: –8 dBm
  – Minimum transmitter output power: –15 dBm
  – Center wavelength: 1274 to 1356 nm
  – Nominal wavelength: 1310 nm
  – Transmitter: Fabry-Perot (FP) laser
  – Extinction ratio: 8.2 dB
  – Dispersion tolerance: 96 ps/nm
• Receiver
  – Maximum receiver level: –8 dBm at BER 1E–12
  – Minimum receiver level: –28 dBm at BER 1E–12
  – Receiver: InGaAs/InP photodetector
  – Link loss budget: 13 dB
  – Receiver input wavelength range: 1274 to 1356 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
  – Operating temperature:
    C-Temp (15454-OC34IR1310): +23 to +113 degrees Fahrenheit (–5 to +45 degrees Celsius)
    I-Temp (15454-OC34I13-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 19.20 W, 0.40 A at –48 V, 65.56 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 1.0 lb (0.4 kg)

A.6.2 OC3 IR/STM1 SH 1310-8 Card Specifications

The OC3 IR/STM1 SH 1310-8 card has the following specifications:

• Line
  – Bit rate: 155.52 Mbps
  – Code: Scrambled NRZ
  – Fiber: 1310-nm single-mode
  – Loopback modes: Terminal and facility
  – Connector: LC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: –8 dBm
  – Minimum transmitter output power: –15 dBm
  – Center wavelength: 1261 to 1360 nm
  – Nominal wavelength: 1310 nm
  – Transmitter: Fabry-Perot laser
  – Extinction ratio: 8.2 dB
  – Dispersion tolerance: 96 ps/nm
• Receiver
  – Maximum receiver level: –8 dBm at BER 1E–12
  – Minimum receiver level: –28 dBm at BER 1E–12
  – Receiver: InGaAs/InP photodetector
  – Link loss budget: 13 dB
  – Receiver input wavelength range: 1261 to 1360 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
  – Operating temperature: +23 to +113 degrees Fahrenheit (–5 to +45 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 23.00 W, 0.48 A at –48 V, 78.5 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 1.0 lb (0.4 kg)

A.6.3 OC12 IR/STM4 SH 1310 Card Specifications

The OC12 IR/STM4 SH 1310 card has the following specifications:

• Line
  – Bit rate: 622.08 Mbps
  – Code: Scrambled NRZ
  – Fiber: 1310-nm single-mode
  – Loopback modes: Terminal and facility
  – Connectors: SC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: –8 dBm
  – Minimum transmitter output power: –15 dBm
  – Center wavelength: 1274 to 1356 nm
  – Nominal wavelength: 1310 nm
  – Transmitter: Fabry-Perot laser
  – Extinction ratio: 8.2 dB
  – Dispersion tolerance: 96 ps/nm
• Receiver
  – Maximum receiver level: –8 dBm at BER 1E–12
  – Minimum receiver level: –28 dBm at BER 1E–12
  – Receiver: InGaAs/InP photodetector
  – Link loss budget: 13 dB
  – Receiver input wavelength range: 1274 to 1356 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
  – Operating temperature:
    C-Temp (15454-OC121IR1310): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
    I-Temp (15454-OC121I13-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 10.90 W, 0.23 A at –48 V, 37.22 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Weight not including clam shell: 1.4 lb (0.6 kg)

A.6.4 OC12 LR/STM4 LH 1310 Card Specifications

The OC12 LR/STM4 LH 1310 card has the following specifications:

• Line
  – Bit rate: 622.08 Mbps
  – Code: Scrambled NRZ
  – Fiber: 1310-nm single-mode
  – Loopback modes: Terminal and facility
  – Connectors: SC
  – Compliance: Telcordia SONET, Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: +2 dBm
  – Minimum transmitter output power: –3 dBm
  – Center wavelength: 1280 to 1335 nm
  – Nominal wavelength: 1310 nm
  – Transmitter: Distributed feedback (DFB) laser
  – Extinction ratio: 10 dB
  – Dispersion tolerance: 190 ps/nm
• Receiver
  – Maximum receiver level: –8 dBm at BER 1E–12
  – Minimum receiver level: –28 dBm at BER 1E–12
  – Receiver: InGaAs/InP photodetector
  – Link loss budget: 25 dB
  – Receiver input wavelength range: 1280 to 1335 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
  – Operating temperature:
    C-Temp (15454-OC121LR1310): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
    I-Temp (15454-OC121L13-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 9.28 W, 0.25 A, 41 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Weight not including clam shell: 1.4 lb (0.6 kg)

A.6.5 OC12 LR/STM4 LH 1550 Card Specifications

The OC12 LR/STM4 LH 1550 card has the following specifications:

• Line
  – Bit rate: 622.08 Mbps
  – Code: Scrambled NRZ
  – Fiber: 1550-nm single-mode
  – Loopback modes: Terminal and facility
  – Connectors: SC
  – Compliance: Telcordia SONET, Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: +2 dBm
  – Minimum transmitter output power: –3 dBm
  – Center wavelength: 1480 to 1580 nm
  – Nominal wavelength: 1550 nm
  – Transmitter: DFB laser
  – Dispersion tolerance: 1440 ps/nm
• Receiver
  – Maximum receiver level: –8 dBm at BER 1E–12
  – Minimum receiver level: –28 dBm at BER 1E–12
  – Receiver: InGaAs/InP photodetector
  – Link loss budget: 25 dB
  – Receiver input wavelength range: 1480 to 1580 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
  – Operating temperature:
    C-Temp (15454-OC121LR1550): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
    I-Temp (15454-OC121L15-T): –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 9.28 W, 0.19 A, 31.68 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Weight not including clam shell: 1.4 lb (0.6 kg)

A.6.6 OC12 IR/STM4 SH 1310-4 Specifications

The OC12 IR/STM4 SH 1310-4 card has the following specifications:

• Line
  – Bit rate: 622.08 Mbps
  – Code: Scrambled NRZ
  – Fiber: 1310-nm single-mode
  – Loopback modes: Terminal and facility
  – Connector: SC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: –8 dBm
  – Minimum transmitter output power: –15 dBm
  – Center wavelength: 1274 to 1356 nm
  – Nominal wavelength: 1310 nm
  – Transmitter: Fabry-Perot laser
  – Extinction ratio: 10 dB
  – Dispersion tolerance: 190 ps/nm
• Receiver
  – Maximum receiver level: –8 dBm
  – Minimum receiver level: –30 dBm
  – Receiver: InGaAs/InP photodetector
  – Link loss budget: 15 dB
  – Receiver input wavelength range: 1274 to 1356 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Operating temperature
  – C-Temp: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
• Operating humidity
  – 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
• Power consumption
  – 28 W, 0.58 A, 100 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Weight not including clam shell: 1.0 lb (0.4 kg)

Note: Minimum transmit power, minimum receive power, and link loss budget might exceed standard specifications.
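The four optical power figures given for every card in this section (minimum and maximum transmitter output, minimum and maximum receiver level) are what the link loss budgets and the loopback-attenuator notes on the OC192 cards later in this section are derived from. The Python script below is an added worked example, not code from this manual or from Cisco. The dBm values are copied from the card lists in this appendix (OC3 IR 4/STM1 SH 1310 above; the OC192 IR, LR, and ITU cards below) and the card names are the manual's; the arithmetic is the ordinary link-budget relation, not a Cisco formula. It shows why a bare fiber loopback is harmless on a –8 dBm OC3 transmitter but drives a +10 dBm OC192 LR transmitter 20 dB past its own receiver's overload level, and it derives the attenuation window that keeps a loopback inside the receiver's range. Where the manual publishes an attenuator range in a note, that published range is the one to use; the derived window only explains where it comes from.

```python
"""Link-budget and loopback-attenuation check for ONS 15454 optical cards.

Added worked example; not part of the Cisco manual. The dBm figures are
copied from the card specifications in Appendix A; the relations are the
generic link-budget arithmetic (worst-case Tx into worst-case Rx).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OpticalCard:
    name: str
    tx_min_dbm: float   # minimum transmitter output power
    tx_max_dbm: float   # maximum transmitter output power
    rx_min_dbm: float   # minimum receiver level (sensitivity) at the stated BER
    rx_max_dbm: float   # maximum receiver level (overload point)

    def link_loss_budget_db(self) -> float:
        """Span loss the link tolerates: weakest transmitter into the receiver's sensitivity."""
        return self.tx_min_dbm - self.rx_min_dbm

    def direct_loopback_overdrive_db(self) -> float:
        """How far a bare fiber loopback pushes the receiver past overload (0 means safe)."""
        return max(0.0, self.tx_max_dbm - self.rx_max_dbm)

    def loopback_attenuation_window_db(self) -> tuple[float, float]:
        """(min, max) attenuation for a fiber loopback that keeps the receiver in range.

        min: the strongest transmitter must not exceed the receiver overload level.
        max: the weakest transmitter must still reach receiver sensitivity.
        """
        lo = self.direct_loopback_overdrive_db()
        hi = self.link_loss_budget_db()
        return lo, hi


# Values copied from the card specification lists in this appendix.
CARDS = [
    OpticalCard("OC3 IR 4/STM1 SH 1310", -15, -8, -28, -8),
    OpticalCard("OC192 IR/STM64 SH 1550", -1, 2, -14, -1),
    OpticalCard("OC192 LR/STM64 LH 1550 (15454-OC192LR1550)", 7, 10, -19, -10),
    OpticalCard("OC192 LR/STM64 LH 1550 (15454-OC192-LR2)", 4, 7, -24, -7),
    OpticalCard("OC192 LR/STM64 LH ITU 15xx.xx", 3, 6, -22, -8),
]


def report(cards=CARDS):
    """One row per card: (name, link budget, min attenuation, max attenuation, overdrive)."""
    rows = []
    for c in cards:
        lo, hi = c.loopback_attenuation_window_db()
        rows.append((c.name, c.link_loss_budget_db(), lo, hi, c.direct_loopback_overdrive_db()))
    return rows


if __name__ == "__main__":
    for name, budget, lo, hi, over in report():
        verdict = ("direct fiber loopback stays within receiver range" if over == 0
                   else f"direct fiber loopback overdrives the receiver by {over:g} dB")
        print(f"{name}: link loss budget {budget:g} dB; "
              f"loopback attenuator {lo:g} to {hi:g} dB; {verdict}")
```

For the 15454-OC192-LR2 the derived window (14 to 28 dB) matches the manual's note exactly; for the other OC192 cards the published ranges sit a few dB inside the derived bounds, which is the margin a vendor leaves for connector loss and dispersion penalty.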
A.6.7 OC48 IR 1310 Card Specifications The OC48 IR 1310 card has the following specifications: • Line – Bit rate: 2.49 Gbps – Code: Scrambled NRZ – Fiber: 1310-nm single-mode – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE • Transmitter – Maximum transmitter output power: 0 dBm – Minimum transmitter output power: –5 dBm – Center wavelength: 1280 to 1350 nm – Nominal wavelength: 1310 nm – Transmitter: Uncooled direct modulated DFB • Receiver – Maximum receiver level: 0 dBm – Minimum receiver level: –18 dBm – Receiver: InGaAs InP photodetector – Link loss budget: 13 dB minimum – Receiver input wavelength range: 1280 to 1350 nm • Environmental – Operating temperature: C-Temp (15454-OC481IR1310): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)A-35 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6.8 OC48 LR 1550 Card Specifications – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 32.20 W, 0.67 A, 109.94 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. 
(228.6 mm) – Weight not including clam shell: 1.8 lb (0.8 kg) A.6.8 OC48 LR 1550 Card Specifications The OC48 LR 1550 card has the following specifications: • Line – Bit rate: 2.49 Gbps – Code: Scrambled NRZ – Fiber: 1550-nm single-mode – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE • Transmitter – Maximum transmitter output power: +3 dBm – Minimum transmitter output power: –2 dBm – Center wavelength: 1520 to 1580 nm – Nominal wavelength: 1550 nm – Transmitter: DFB laser • Receiver – Maximum receiver level: –8 dBm – Minimum receiver level: –28 dBm – Receiver: InGaAs avalanche photo diode (APD) photodetector – Link loss budget: 26 dB minimum, with 1 dB dispersion penalty – Receiver input wavelength range: 1520 to 1580 nm • Environmental – Operating temperature: C-Temp (15454-OC481LR1550): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 26.80 W, 0.56 A, 91.50 BTU/hr • DimensionsA-36 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. 
(228.6 mm) – Weight not including clam shell: 1.8 lb (0.8 kg) A.6.9 OC48 IR/STM16 SH AS 1310 Card Specifications The OC48 IR/STM16 SH AS 1310 card has the following specifications: • Line – Bit rate: 2.49 Gbps – Code: Scrambled NRZ – Fiber: 1310-nm single-mode – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957 • Transmitter – Maximum transmitter output power: 0 dBm – Minimum transmitter output power: –5 dBm – Center wavelength: 1280 to 1350 nm – Nominal wavelength: 1310 nm – Transmitter: DFB laser – Dispersion tolerance: 96 ps/nm • Receiver – Maximum receiver level: 0 dBm – Minimum receiver level: –18 dBm – Receiver: InGaAs InP photodetector – Link loss budget: 13 dB minimum – Receiver input wavelength range: 1280 to 1350 nm – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant • Environmental – Operating temperature: C-Temp (15454-OC481IR1310A): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 37.20 W, 0.77 A, 127.01 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm)A-37 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications – Depth: 9.000 in. 
(228.6 mm) – Weight not including clam shell: 2.2 lb (0.9 kg) A.6.10 OC48 LR/STM16 LH AS 1550 Card Specifications The OC48 LR/STM16 SH AS 1550 card has the following specifications: • Line – Bit rate: 2.49 Gbps – Code: Scrambled NRZ – Fiber: 1550-nm single-mode – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957 • Transmitter – Maximum transmitter output power: +3 dBm – Minimum transmitter output power: –2 dBm – Center wavelength: 1520 to 1580 nm – Nominal wavelength: 1550 nm – Transmitter: DFB laser – Dispersion ratio: 3600 ps/nm • Receiver – Maximum receiver level: –8 dBm – Minimum receiver level: –28 dBm – Receiver: InGaAs APD photodetector – Link loss budget: 26 dB minimum, with 1 dB dispersion penalty – Receiver input wavelength range: 1520 to 1580 nm – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant • Environmental – Operating temperature: C-Temp (15454-OC481LR1550A): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 37.20 W, 0.77 A, 127.01 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. 
(228.6 mm) – Weight not including clam shell: 2.2 lb (0.9 kg)A-38 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6.11 OC48 ELR/STM 16 EH 100 GHz Card Specifications A.6.11 OC48 ELR/STM 16 EH 100 GHz Card Specifications The OC48 ELR 100 GHz card has the following specifications: • Line – Bit rate: 2.49 Gbps – Code: Scrambled NRZ – Fiber: 1550-nm single-mode – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE, ITU-T G.692, ITU-T G.958 • Transmitter – Maximum transmitter output power: 0 dBm – Minimum transmitter output power: –2 dBm – Center wavelength accuracy: +/– 0.12 nm – Transmitter: Electro-absorption laser – Dispersion tolerance: 5400 ps/nm • Receiver – Maximum receiver level: –9 dBm – Minimum receiver level: –27 dBm at 1E–12 BER – Receiver: InGaAs APD photodetector – Link loss budget: 25 dB minimum at 1E–12 BER (not including the power dispersion penalty) – Dispersion penalty: 2 dB for a dispersion of up to 5400 ps/nm – Receiver input wavelength range: 1520 to 1580 nm – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant • Environmental – Operating temperature: C-Temp: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 31.20 W, 0.65 A, 106.53 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. 
(228.6 mm) – Weight not including clam shell: 2.4 lb (1.1 kg) A.6.12 OC48 ELR 200 GHz Card Specifications The OC48 ELR 200 GHz card has the following specifications:A-39 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6.13 OC192 SR/STM64 IO 1310 Card Specifications • Line – Bit rate: 2.49 Gbps – Code: Scrambled NRZ – Fiber: 1550-nm single-mode – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE, ITU-T G692, ITU-T G958 • Transmitter – Maximum transmitter output power: 0 dBm – Minimum transmitter output power: –2 dBm – Center wavelength accuracy: +/– 0.25 nm – Transmitter: Electro-absorption laser – Dispersion tolerance: 3600 ps/nm • Receiver – Maximum receiver level: –8 dBm – Minimum receiver level: –28 dBm – Receiver: InGaAs APD photodetector – Link loss budget: 26 dB minimum, with 1 dB dispersion penalty – Receiver input wavelength range: 1520 to 1580 nm – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant • Environmental – Operating temperature: C-Temp: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 31.20 W, 0.65 A, 106.53 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. 
(228.6 mm) – Weight not including clam shell: 2.9 lb (1.3 kg) A.6.13 OC192 SR/STM64 IO 1310 Card Specifications The OC192 SR/STM64 IO 1310 card has the following specifications: • Line – Bit rate: 9.95328 Gbps – Code: Scrambled NRZ A-40 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix A Hardware Specifications A.6.14 OC192 IR/STM64 SH 1550 Card Specifications – Fiber: 1310-nm single-mode – Maximum chromatic dispersion allowance: 6.6 ps/nm – Loopback modes: Terminal and facility – Connectors: SC – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957, ITU-T G.691 • Transmitter – Maximum transmitter output power: –1 dBm – Minimum transmitter output power: –6 dBm – Center wavelength: 1290 to 1330 nm – Nominal wavelength: 1310 nm – Transmitter: Directly modulated laser • Receiver – Maximum receiver level: –1 dBm at BER 1 * 10 exp – 12 – Minimum receiver level: –11 dBm at BER 1 * 10 exp – 12 – Receiver: PIN diode – Link loss budget: 5 dB minimum, plus 1 dB dispersion penalty at BER = 1 * 10 exp – 12 including dispersion – Receiver input wavelength range: 1290 to 1330 nm – Dispersion tolerance: 6.6 ps/nm • Environmental – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius) – Operating humidity: 5 to 85 percent non condensing. Operation is guaranteed for 96 hours at 95 percent relative humidity – Power consumption: 47.00 W, 0.98 A at –48 V, 160.5 BTU/hr • Dimensions – Height: 12.650 in. (321.3 mm) – Width: 0.716 in. (18.2 mm) – Depth: 9.000 in. (228.6 mm) – Depth with backplane connector: 9.250 in. 
(235 mm) – Weight not including clam shell: 3.1 lb (1.3 kg)

A.6.14 OC192 IR/STM64 SH 1550 Card Specifications

The OC192 IR/STM64 SH 1550 card has the following specifications:

• Line
  – Bit rate: 9.95328 Gbps
  – Code: Scrambled NRZ
  – Fiber: 1550-nm single-mode
  – Maximum chromatic dispersion allowance: 800 ps/nm
  – Loopback modes: Terminal and facility
  Note: You must use a 3 to 15 dB fiber attenuator (5 dB recommended) when working with the OC192 IR/STM64 SH 1550 card in a loopback. Do not connect a direct fiber loopback to this card; an unattenuated loopback can cause irreparable damage to the card.
  – Connectors: SC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957, ITU-T G.691
• Transmitter
  – Maximum transmitter output power: +2 dBm
  – Minimum transmitter output power: –1 dBm
  – Center wavelength: 1530 to 1565 nm
  – Nominal wavelength: 1550 nm
  – Transmitter: Cooled electro-absorption (EA) modulated laser
• Receiver
  – Maximum receiver level: –1 dBm at BER = 1 × 10^–12
  – Minimum receiver level: –14 dBm at BER = 1 × 10^–12
  – Receiver: PIN diode
  – Link loss budget: 13 dB minimum, plus 2 dB dispersion penalty, at BER = 1 × 10^–12 including dispersion
  – Receiver input wavelength range: 1530 to 1565 nm
  – Dispersion tolerance: 800 ps/nm
• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 50.00 W, 1.04 A at –48 V, 170.7 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)

A.6.15 OC192 LR/STM64 LH 1550 Card Specifications

The OC192 LR/STM64 LH 1550 card has the following specifications:

• Line
  – Bit rate: 9.95328 Gbps
  – Code: Scrambled NRZ
  – Fiber: 1550-nm single-mode
  – Loopback modes: Terminal and facility
  Note: You must use a fiber attenuator when connecting a fiber loopback to an OC192 LR/STM64 LH 1550 card. Use a 19 to 24 dB attenuator for the 15454-OC192LR1550 or a 14 to 28 dB attenuator for the 15454-OC192-LR2 (20 dB is recommended). Never connect a direct fiber loopback.
  – Connectors: SC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: +10 dBm (15454-OC192LR1550); +7 dBm (15454-OC192-LR2)
  – Minimum transmitter output power: +7 dBm (15454-OC192LR1550); +4 dBm (15454-OC192-LR2)
  – Center wavelength: 1530 to 1565 nm
  – Nominal wavelength: 1550 nm
  – Maximum chromatic dispersion allowed: 1600 ps/nm
  – Transmitter: LN (lithium niobate) external modulator transmitter
• Receiver
  – Maximum receiver level: –10 dBm (15454-OC192LR1550); –7 dBm (15454-OC192-LR2)
  – Minimum receiver level: –19 dBm (15454-OC192LR1550); –24 dBm from 1530 to 1565 nm and –20 dBm from 1290 to 1330 nm (15454-OC192-LR2)
  – Receiver: APD/TIA
  – Link loss budget: 24 dB minimum with no dispersion, or 22 dB optical path loss including dispersion, at BER = 1 × 10^–12
  – Receiver input wavelength range: 1530 to 1565 nm
  – Jitter tolerance: Telcordia GR-253/ITU-T G.823 compliant
• Environmental
  – Operating temperature: C-Temp (15454-OC192LR1550): +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 72.20 W, 1.50 A, 246.52 BTU/hr (15454-OC192LR1550); 52.00 W, 1.08 A at –48 V, 177.6 BTU/hr (15454-OC192-LR2)
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)

A.6.16 OC192 LR/STM64 LH ITU 15xx.xx Card Specifications

The OC192 LR/STM64 LH ITU 15xx.xx card has the following specifications:

• Line
  – Bit rate: 9.95328 Gbps
  – Code: Scrambled NRZ
  – Fiber: 1550-nm single-mode
  – Maximum chromatic dispersion allowance:
    In deployments with a dispersion compensation unit (DCU): +/– 1000 ps/nm, with an optical signal-to-noise ratio (OSNR) of 19 dB (0.5 nm resolution bandwidth [RBW])
    In deployments without a DCU: +/– 1200 ps/nm, with an OSNR of 23 dB (0.5 nm RBW)
  – Loopback modes: Terminal and facility
  Note: You must use a 20-dB fiber attenuator (15 to 25 dB) when working with the OC192 LR/STM64 LH ITU 15xx.xx card in a loopback. Do not connect a direct fiber loopback to this card; an unattenuated loopback causes irreparable damage to the card.
  – Connectors: SC
  – Compliance: Telcordia GR-253-CORE, ITU-T G.707, ITU-T G.691, ITU-T G.957
• Transmitter
  – Maximum transmitter output power: +6 dBm
  – Minimum transmitter output power: +3 dBm
  – Center wavelength: See wavelength plan
  – Center wavelength accuracy: +/– 0.040 nm
  – Transmitter: LN (lithium niobate) external modulator transmitter
• Receiver
  – Maximum receiver level: –8 dBm at BER = 1 × 10^–12
  – Minimum receiver level: –22 dBm at BER = 1 × 10^–12
  – Receiver: APD
  – Link loss budget: 25 dB minimum, plus 2 dB dispersion penalty, at BER = 1 × 10^–12 including dispersion
  – Receiver input wavelength range: 1529 to 1565 nm
• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 52.00 W, 1.08 A at –48 V, 177.6 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)
• Currently available wavelengths and versions of the OC192 LR/STM64 LH ITU 15xx.xx card:
  ITU grid blue band:
  – 1534.25 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1534.25
  – 1535.04 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1535.04
  – 1535.82 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1535.82
  – 1536.61 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1536.61
  – 1538.19 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1538.19
  – 1538.98 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1538.98
  – 1539.77 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1539.77
  – 1540.56 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1540.56
  ITU grid red band:
  – 1550.12 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1550.12
  – 1550.92 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1550.92
  – 1551.72 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1551.72
  – 1552.52 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1552.52
  – 1554.13 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1554.13
  – 1554.94 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1554.94
  – 1555.75 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1555.75
  – 1556.55 +/– 0.040 nm, OC192 LR/STM64 LH ITU 1556.55

A.6.17 15454_MRC-12 Card Specifications

The 15454_MRC-12 card has the following specifications:

• Line
  – Bit rate: up to OC-48 (2488.320 Mbps), depending on SFP
  Note: Each optical interface on the card can be configured as OC-3, OC-12, or OC-48, depending on the available backplane bandwidth and the lines already provisioned. In general, the card supports any mix of these rates on the line side as long as the accumulated bandwidth does not exceed the total bandwidth allowed by the backplane.
  – Fiber: 1550-nm single-mode
  – Connectors: LC duplex connector for each SFP
  – Compliance: Telcordia GR-253-CORE
• Transmitter
  – Maximum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Minimum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Center wavelength: See wavelength plan
  – Center wavelength accuracy: 1 nm to 4 nm, depending on SFP
  – Transmitter: FP and DFB laser
• Receiver
  – Maximum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Minimum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Receiver: PIN PD
  – Receiver input wavelength range: Depends on SFP
• Environmental
  – Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 38.00 W, 0.79 A at –48 V, 129.66 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)
• Wavelength plan. Currently available wavelengths and versions of the 15454_MRC-12 card:
  – For ONS-SC-2G-28.7 through ONS-SC-2G-60.0 SFPs: 1528.77 nm to 1560.61 nm (32 distinct wavelengths at 100 GHz spacing)
  Note: ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from Release 8.5 and later.
  – For ONS-SE-622-1470 through ONS-SE-622-1610 SFPs: 1470 to 1610 nm (eight distinct wavelengths at 2500 GHz spacing)
  – For ONS-SE-155-1470 through ONS-SE-155-1610 SFPs: 1470 to 1610 nm (eight distinct wavelengths at 2500 GHz spacing)

A.6.18 MRC-2.5G-4 Card Specifications

The MRC-2.5G-4 card has the following specifications:

• Line
  – Bit rate: up to OC-48 (2488.320 Mbps), depending on SFP
  Note: Each optical interface on the card can be configured as OC-3, OC-12, or OC-48, depending on the available backplane bandwidth and the lines already provisioned. In general, the card supports any mix of these rates on the line side as long as the accumulated bandwidth does not exceed the total bandwidth allowed by the backplane.
  – Fiber: 1550-nm single-mode
  – Connectors: LC duplex connector for each SFP
  – Compliance: Telcordia GR-253-CORE
• Transmitter
  – Maximum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Minimum transmitter output power: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Center wavelength: See wavelength plan
  – Center wavelength accuracy: 1 nm to 4 nm, depending on SFP
  – Transmitter: FP and DFB laser
• Receiver
  – Maximum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Minimum receiver level: Depends on SFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Receiver: PIN PD
  – Receiver input wavelength range: Depends on SFP
• Environmental
  – Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 38.00 W, 0.79 A at –48 V, 129.66 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)
• Wavelength plan. Currently available wavelengths and versions of the MRC-2.5G-4 card:
  – For ONS-SC-2G-28.7 through ONS-SC-2G-60.0 SFPs: 1528.77 nm to 1560.61 nm (32 distinct wavelengths at 100 GHz spacing)
  Note: ONS-SC-2G-28.7, ONS-SC-2G-33.4, ONS-SC-2G-41.3, ONS-SC-2G-49.3, and ONS-SC-2G-57.3 are supported from Release 8.5 and later.
  – For ONS-SE-622-1470 through ONS-SE-622-1610 SFPs: 1470 to 1610 nm (eight distinct wavelengths at 2500 GHz spacing)
  – For ONS-SE-155-1470 through ONS-SE-155-1610 SFPs: 1470 to 1610 nm (eight distinct wavelengths at 2500 GHz spacing)

A.6.19 OC192SR1/STM64IO Short Reach Card Specifications

Note: The OC192SR1/STM64IO Short Reach card is designated as OC192-XFP in CTC.

The OC192SR1/STM64IO Short Reach card has the following specifications:

• Line
  – Bit rate: OC-192 (9.95328 Gbps)
  – Fiber: 1310-nm single-mode
  – Connectors: LC duplex connector for the XFP
  – Compliance: Telcordia GR-253-CORE
• Transmitter
  – Maximum transmitter output power: –1 dBm
  – Minimum transmitter output power: –6 dBm
• Receiver
  – Maximum receiver level: –1 dBm
  – Minimum receiver level: –11 dBm
  – Receiver input wavelength range: 1260 to 1565 nm
• Environmental
  – Operating temperature: +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 40.00 W, 0.83 A at –48 V, 136.49 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)

A.6.20 OC192/STM64 Any Reach Card Specifications

Note: The OC192/STM64 Any Reach card is designated as OC192-XFP in CTC.
The OC192/STM64 Any Reach card has the following specifications:

• Line
  – Bit rate: OC-192 (9.95328 Gbps)
  – Fiber: 1310-nm single-mode for the ONS-XC-10G-S1 XFP; 1550-nm single-mode for the ONS-XC-10G-I2 and ONS-XC-10G-L2 XFPs
  – Connectors: LC duplex connector for the XFPs
  – Compliance: Telcordia GR-253-CORE
• Transmitter
  – Maximum transmitter output power: Depends on XFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Minimum transmitter output power: Depends on XFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
• Receiver
  – Maximum receiver level: Depends on XFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Minimum receiver level: Depends on XFP (see A.2 SFP, XFP, and GBIC Specifications, page A-5)
  – Receiver input wavelength range: 1260 to 1565 nm
• Environmental
  – Operating temperature: +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 40.00 W, 0.83 A at –48 V, 136.49 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 3.1 lb (1.3 kg)

A.7 Ethernet Card Specifications

This section includes specifications for the E100T-12, E100T-G, E1000-2, E1000-2-G, CE-1000-4, CE-100T-8, CE-MR-10, G1K-4, ML100T-12, ML1000-2, ML-MR-10, and ML100X-8 cards. For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document.

A.7.1 E100T-12 Card Specifications

The E100T-12 card has the following specifications:

• Environmental
  – Operating temperature: C-Temp (15454-E100T): +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 65 W, 1.35 A, 221.93 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.3 lb (1.0 kg)

A.7.2 E100T-G Card Specifications

The E100T-G card has the following specifications:

• Environmental
  – Operating temperature: C-Temp (15454-E100T-G): +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 65 W, 1.35 A, 221.93 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.3 lb (1.0 kg)

A.7.3 E1000-2 Card Specifications

The E1000-2 card has the following specifications:

• Environmental
  – Operating temperature: C-Temp (15454-E1000-2): +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 53.50 W, 1.11 A, 182.67 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.1 lb (0.9 kg)

A.7.4 E1000-2-G Card Specifications

The E1000-2-G card has the following specifications:

• Environmental
  – Operating temperature: C-Temp (15454-E1000-2-G): +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 53.50 W, 1.11 A, 182.67 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.1 lb (0.9 kg)

A.7.5 CE-1000-4 Card Specifications

The CE-1000-4 card has the following specifications:

• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 60 W, 1.25 A at –48 V, 204.8 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.1 lb (0.9 kg)

A.7.6 CE-100T-8 Card Specifications

The CE-100T-8 card has the following specifications:

• Environmental
  – Operating temperature: C-Temp (15454-CE100T): +32 to +131 degrees Fahrenheit (0 to +55 degrees Celsius)
  – Operating humidity: 0 to 95 percent noncondensing
  – Power consumption: 53 W, 1.1 A, 181.3 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.913 in. (23.19 mm)
  – Depth: 9.073 in. (230.45 mm)
  – Card weight: 1.8 lb (0.82 kg)

A.7.7 CE-MR-10 Card Specifications

The CE-MR-10 card has the following specifications:

• Environmental
  – Operating temperature: C-Temp (15454-CE-MR-10): +32 to +131 degrees Fahrenheit (0 to +50 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 95 W
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 2.3 lb (1.0 kg)

A.7.8 G1K-4 Card Specifications

The G1K-4 card has the following specifications:

• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 63.00 W, 1.31 A at –48 V, 215.1 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 2.1 lb (0.9 kg)

A.7.9 ML100T-12 Card Specifications

The ML100T-12 card has the following specifications:

• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 53.00 W, 1.10 A at –48 V, 181.0 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 2.3 lb (1.0 kg)

A.7.10 ML1000-2 Card Specifications

The ML1000-2 card has the following specifications:

• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 49.00 W, 1.02 A at –48 V, 167.3 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 2.1 lb (0.9 kg)

A.7.11 ML100X-8 Card Specifications

The ML100X-8 card has the following specifications:

• Environmental
  – Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 65.00 W, 1.35 A at –48 V, 221.93 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 2.1 lb (0.9 kg)

A.7.12 ML-MR-10 Card Specifications

The ML-MR-10 card has the following specifications:

• Environmental
  – Operating temperature: –40 to +149 degrees Fahrenheit (–40 to +65 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 100 W
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Depth with backplane connector: 9.250 in. (235 mm)
  – Weight not including clam shell: 2.1 lb (0.9 kg)

A.8 Storage Access Networking Card Specifications

This section describes the FC_MR-4 (Fibre Channel) card specifications. For compliance information, refer to the Cisco Optical Transport Products Safety and Compliance Information document.
The FC_MR-4 card has the following specifications:

• Fibre Channel support: FC-0 and FC-1 layers of ANSI X3.230 FC-PH
• GBIC line interface
  – Bit rate: 1.0625 Gbit/s single-rate or 1.0625/2.125 Gbit/s dual-rate Fibre Channel (FC)
  – Wavelength/fiber/reach:
    850 nm, multimode fiber, 550 m (SX)
    1310 nm, single-mode fiber, 10 km (LX)
    1550 nm, single-mode fiber, 80 km (ZX)
  – Hot pluggable
  – Auto-detection
• Transmitter
  – Maximum transmitter output power: Depends on GBIC type (see Table A-2)
  – Minimum transmitter output power: Depends on GBIC type (see Table A-2)
• Receiver
  – Maximum receiver level: Depends on GBIC type (see Table A-2)
  – Minimum receiver level: Depends on GBIC type (see Table A-2)
• Environmental
  – Operating temperature: +23 to +131 degrees Fahrenheit (–5 to +55 degrees Celsius)
  – Operating humidity: 5 to 85 percent noncondensing. Operation is guaranteed for 96 hours at 95 percent relative humidity
  – Power consumption: 60 W, 1.35 A, 221.93 BTU/hr
• Dimensions
  – Height: 12.650 in. (321.3 mm)
  – Width: 0.716 in. (18.2 mm)
  – Depth: 9.000 in. (228.6 mm)
  – Card weight: 2.59 lb (1.17 kg)

APPENDIX B Administrative and Service States

This appendix describes administrative and service states for Cisco ONS 15454 cards, ports, and cross-connects. For circuit state information, refer to Chapter 12, “Circuits and Tunnels.”

Entity states in Software Release 5.0 and later are based on the generic state model defined in Telcordia GR-1093-CORE, Issue 2 and ITU-T X.731.

This appendix contains the following sections:
• B.1 Service States, page B-1
• B.2 Administrative States, page B-2
• B.3 Service State Transitions, page B-3

B.1 Service States

Service states include a Primary State (PST), a Primary State Qualifier (PSTQ), and one or more Secondary States (SST).
Table B-1 lists the service state PSTs and PSTQs supported by the ONS 15454. Table B-2 defines the SSTs supported by the ONS 15454.

Table B-1 ONS 15454 Service State Primary States and Primary State Qualifiers

Primary State, Primary State Qualifier | Definition
IS-NR (In-Service and Normal) | The entity is fully operational and will perform as provisioned.
OOS-AU (Out-of-Service and Autonomous) | The entity is not operational because of an autonomous event.
OOS-AUMA (Out-of-Service and Autonomous Management) | The entity is not operational because of an autonomous event and has also been manually removed from service.
OOS-MA (Out-of-Service and Management) | The entity has been manually removed from service.

Table B-2 ONS 15454 Secondary States

Secondary State | Definition
AINS (Automatic In-Service) | The entity is delayed before transitioning to the IS-NR service state. The transition to IS-NR depends on the correction of conditions, or on a soak timer. Alarm reporting is suppressed, but traffic is carried. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command.
DSBLD (Disabled) | The entity was manually removed from service and does not provide its provisioned functions. All services are disrupted; the entity is unable to carry traffic. Note: OC-N ports and connections in the DSBLD state continue to send an Alarm Indication Signal Line (AIS-L).
FLT (Fault) | The entity has a raised alarm or condition.
LPBK (Loopback) | The entity is in loopback mode.
MEA (Mismatched Equipment) | An improper card is installed. For example, an installed card is not compatible with the card preprovisioning or the slot. This SST applies only to cards.
MT (Maintenance) | The entity has been manually removed from service for a maintenance activity but still performs its provisioned functions. Alarm reporting is suppressed, but traffic is carried. Raised fault conditions, whether or not their alarms are reported, can be retrieved on the CTC Conditions tab or by using the TL1 RTRV-COND command.
OOG (Out of Group) | The virtual concatenation (VCAT) member cross-connect is not used to carry VCAT group traffic. This state is used to put a member circuit out of the group and to stop sending traffic. OOS-MA,OOG applies only to the cross-connects on an end node where the VCAT circuit terminates; the cross-connects on intermediate nodes are in the OOS-MA,MT service state.
SWDL (Software Download) | The card is involved in a software and database download. This SST applies only to cards.
UAS (Unassigned) | The card is not provisioned in the database. This SST applies only to cards.
UEQ (Unequipped) | The card is not physically present (that is, an empty slot). This SST applies only to cards.

B.2 Administrative States

Administrative states are used to manage service states. Administrative states consist of a PST and an SST. Table B-3 lists the administrative states supported by the ONS 15454. See Table B-2 for SST definitions.

Note: A change in the administrative state of an entity does not change the service state of supporting or supported entities.

Table B-3 ONS 15454 Administrative States

Administrative State (PST,SST) | Definition
IS | Puts the entity in service.
IS,AINS | Puts the entity in automatic in-service.
OOS,DSBLD | Removes the entity from service and disables it.
OOS,MT | Removes the entity from service for maintenance.
OOS,OOG (VCAT circuits only) | Removes a VCAT cross-connect from service and from the group of members. Note: Only CE-100T-8 cards in link capacity adjustment scheme (LCAS) mode and FC_MR-4 (enhanced mode) cards in software LCAS (SW-LCAS) mode accept the OOG state.

B.3 Service State Transitions

This section describes the transition from one service state to the next for cards, ports, and cross-connects. A service state transition is based on the action performed on the entity.

Note: When an entity is put in the OOS,MT administrative state, the ONS 15454 suppresses all standing alarms on that entity. The entity still carries traffic, so alarms on it are hidden rather than resolved; all alarms and events remain visible on the Conditions tab (or through the TL1 RTRV-COND command). You can change this behavior for the LPBKFACILITY and LPBKTERMINAL alarms: to display these alarms on the Alarms tab, set NODE.general.ReportLoopbackConditionsOnOOS-MTPorts to TRUE on the NE Defaults tab.

B.3.1 Card Service State Transitions

Table B-4 lists card service state transitions.

Table B-4 ONS 15454 Card Service State Transitions

Current Service State | Action | Next Service State
IS-NR | Change the administrative state to OOS,MT. | OOS-MA,MT
IS-NR | Delete the card. | OOS-AUMA,UAS
IS-NR | Remove the card. | OOS-AU,UEQ
IS-NR | Reset the card. | OOS-AU,SWDL
IS-NR | Alarm/condition is raised. | OOS-AU,FLT
OOS-AU,AINS & MEA | Remove the card. | OOS-AU,AINS & UEQ
OOS-AU,AINS & MEA | Delete the card. | OOS-AUMA,UAS if the card is valid; OOS-AUMA,MEA & UAS if the card is invalid
OOS-AU,AINS & SWDL | Restart completed. | IS-NR
OOS-AU,AINS & SWDL | Remove the card. | OOS-AU,AINS & UEQ
OOS-AU,AINS & UEQ | Insert a valid card. | OOS-AU,AINS & SWDL
OOS-AU,AINS & UEQ | Insert an invalid card. | OOS-AU,AINS & MEA
OOS-AU,AINS & UEQ | Delete the card. | OOS-AUMA,UAS & UEQ
OOS-AU,FLT | Remove the card. | OOS-AU,UEQ
OOS-AU,FLT | Delete the card. | OOS-AUMA,UAS
OOS-AU,FLT | Change the administrative state to OOS,MT. | OOS-AUMA,FLT & MT
OOS-AU,FLT | Reset the card. | OOS-AU,SWDL
OOS-AU,FLT | Alarm/condition is cleared. | IS-NR
OOS-AU,MEA | Remove the card. | OOS-AU,UEQ
OOS-AU,MEA | Delete the card. | OOS-AUMA,UAS if the card is valid; OOS-AUMA,MEA & UAS if the card is invalid
OOS-AU,MEA | Change the administrative state to OOS,MT. | OOS-AUMA,MEA & MT
OOS-AU,SWDL | Restart completed. | IS-NR
OOS-AU,SWDL | Remove the card. | OOS-AU,UEQ
OOS-AU,UEQ | Insert a valid card. | OOS-AU,SWDL
OOS-AU,UEQ | Insert an invalid card. | OOS-AU,MEA
OOS-AU,UEQ | Delete the card. | OOS-AUMA,UAS & UEQ
OOS-AU,UEQ | Change the administrative state to OOS,MT. | OOS-AUMA,MT & UEQ
OOS-AUMA,FLT & MT | Remove the card. | OOS-AUMA,MT & UEQ
OOS-AUMA,FLT & MT | Delete the card. | OOS-AUMA,UAS
OOS-AUMA,FLT & MT | Change the administrative state to IS. | OOS-AU,FLT
OOS-AUMA,FLT & MT | Reset the card. | OOS-AUMA,MT & SWDL
OOS-AUMA,FLT & MT | Alarm/condition is cleared. | OOS-MA,MT
OOS-AUMA,MEA & MT | Change the administrative state to IS. | OOS-AU,MEA
OOS-AUMA,MEA & MT | Remove the card. | OOS-AUMA,MT & UEQ
OOS-AUMA,MEA & MT | Delete the card. | OOS-AUMA,UAS if the card is valid; OOS-AUMA,MEA & UAS if the card is invalid
OOS-AUMA,MEA & UAS | Remove the card. | OOS-AUMA,UAS & UEQ
OOS-AUMA,MEA & UAS | Provision the card. | OOS-AU,MEA
OOS-AUMA,MT & SWDL | Restart completed. | OOS-MA,MT
OOS-AUMA,MT & SWDL | Remove the card. | OOS-AUMA,MT & UEQ
OOS-AUMA,MT & UEQ | Change the administrative state to IS. | OOS-AU,UEQ
OOS-AUMA,MT & UEQ | Insert a valid card. | OOS-AUMA,MT & SWDL
OOS-AUMA,MT & UEQ | Insert an invalid card. | OOS-AUMA,MEA & MT
OOS-AUMA,MT & UEQ | Delete the card. | OOS-AUMA,UAS & UEQ
OOS-AUMA,UAS | Remove the card. | OOS-AUMA,UAS & UEQ
OOS-AUMA,UAS | Provision an invalid card. | OOS-AU,MEA
OOS-AUMA,UAS | Provision a valid card. | OOS-AU,SWDL
OOS-AUMA,UAS & UEQ | Insert a valid card. | OOS-AU,SWDL
OOS-AUMA,UAS & UEQ | Insert an invalid card. | OOS-AUMA,MEA & UAS
OOS-AUMA,UAS & UEQ | Preprovision a card. | OOS-AU,AINS & UEQ
OOS-MA,MT | Change the administrative state to IS. | IS-NR
OOS-MA,MT | Delete the card. | OOS-AUMA,UAS
OOS-MA,MT | Remove the card. | OOS-AUMA,MT & UEQ
OOS-MA,MT | Reset the card. | OOS-AUMA,MT & SWDL
OOS-MA,MT | Alarm/condition is raised. | OOS-AUMA,FLT & MT

B.3.2 Port and Cross-Connect Service State Transitions

Table B-5 lists the port and cross-connect service state transitions. Port states do not affect cross-connect states, with one exception: a cross-connect in the OOS-AU,AINS service state cannot transition autonomously into the IS-NR service state until the parent port is in the IS-NR service state.

You cannot transition a port directly from the IS-NR service state to the OOS-MA,DSBLD service state. You must first put the port in the OOS-MA,MT service state. Once a port is in the OOS-MA,MT state, the NODE.general.ForceToOosDsbldStateChange default setting of TRUE allows you to put the port in OOS-MA,DSBLD even if any of the following conditions exist:
• The port is a timing source.
• The port is used for line, section, or tunneling DCC.
• The port supports 1+1 protection or bidirectional line switched rings (BLSRs).
• Cross-connects are present on the port.
• Overhead connections or overhead terminations are in use (such as express orderwire, local orderwire, or user data channels [UDCs]).

Each of these conditions makes OOS-MA,DSBLD service-affecting beyond the port itself (a timing reference, a DCC management path, a protection group, or provisioned traffic is lost with it), which is why the default is worth reviewing on nodes where port changes are delegated. To change this behavior so that you cannot put a port in OOS-MA,DSBLD if any of these conditions exist, set the NODE.general.ForceToOosDsbldStateChange default setting to FALSE. For the procedure to change node defaults, refer to the “Maintain the Node” chapter in the Cisco ONS 15454 Procedure Guide.

The following ports do not support all of the service states listed in Table B-5:
• E-Series Ethernet ports do not support service states; these ports are either enabled or disabled.
• FC_MR-4 ports support the IS-NR; OOS-MA,DSBLD; and OOS-MA,MT service states; they do not support the OOS-AU,AINS service state.

Note: Deleting a port or cross-connect removes the entity from the system. The deleted entity does not transition to another service state.

Note: The DS1 port service state on the DS3XM-12 card is based on the DS3 service state.
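The B.3.2 rules above (the IS-NR to OOS-MA,DSBLD restriction, the NODE.general.ForceToOosDsbldStateChange guard, and the AINS dependency on the parent port), together with the PST/PSTQ and SST notation of Tables B-1 and B-2, as an added Python example. This is not Cisco code and does not reproduce CTC or TL1 behavior; the Port record, its flag names, the entity argument of parse_state, and the force_default argument (standing in for the node default) are assumptions made for illustration, and the state strings it checks are constructed inputs.

```python
"""Service-state rules from Appendix B, modelled in Python (added example).

Vocabulary comes from Tables B-1 and B-2; the port rules from section B.3.2.
Port, its attributes and force_default are illustrative assumptions.
"""
from dataclasses import dataclass

PSTS = {"IS-NR", "OOS-AU", "OOS-AUMA", "OOS-MA"}          # Table B-1
SSTS = {"AINS", "DSBLD", "FLT", "LPBK", "MEA", "MT",       # Table B-2
        "OOG", "SWDL", "UAS", "UEQ"}
CARD_ONLY = {"MEA", "SWDL", "UAS", "UEQ"}                  # "applies only to cards"


def parse_state(text, entity="card"):
    """Split 'OOS-AUMA,FLT & MT' into ('OOS-AUMA', {'FLT', 'MT'}).
    Rejects tokens the tables do not define and card-only SSTs on
    non-card entities."""
    pst, _, rest = text.partition(",")
    pst = pst.strip()
    if pst not in PSTS:
        raise ValueError(f"unknown PST/PSTQ {pst!r}")
    ssts = {tok.strip() for tok in rest.split("&") if tok.strip()}
    if ssts - SSTS:
        raise ValueError(f"unknown SST {sorted(ssts - SSTS)}")
    if pst == "IS-NR" and ssts:
        raise ValueError("IS-NR carries no secondary state")
    if entity != "card" and ssts & CARD_ONLY:
        raise ValueError(f"{sorted(ssts & CARD_ONLY)} apply only to cards")
    return pst, ssts


def format_state(pst, ssts):
    """Inverse of parse_state, in the manual's 'PST,SST & SST' notation."""
    return pst if not ssts else f"{pst},{' & '.join(sorted(ssts))}"


def alarms_suppressed(state):
    """Table B-2: in AINS or MT the entity still carries traffic but alarm
    reporting is suppressed (conditions remain retrievable via RTRV-COND)."""
    _, ssts = parse_state(state)
    return bool(ssts & {"AINS", "MT"})


@dataclass
class Port:
    """Constructed port record; the flags mirror the B.3.2 list of conditions
    under which OOS,DSBLD affects more than the port itself."""
    state: str
    timing_source: bool = False
    dcc_in_use: bool = False        # line, section, or tunneling DCC
    protection: bool = False        # 1+1 or BLSR
    cross_connects: int = 0
    overhead_in_use: bool = False   # orderwire or UDC

    def dsbld_blockers(self):
        reasons = []
        if self.timing_source:
            reasons.append("port is a timing source")
        if self.dcc_in_use:
            reasons.append("port carries DCC")
        if self.protection:
            reasons.append("port is in 1+1 or BLSR protection")
        if self.cross_connects:
            reasons.append(f"{self.cross_connects} cross-connect(s) present")
        if self.overhead_in_use:
            reasons.append("overhead connections or terminations in use")
        return reasons


def request_dsbld(port, force_default=True):
    """Apply the OOS,DSBLD administrative state to a port per B.3.2.
    Returns (True, new_service_state) or (False, reason). force_default
    models NODE.general.ForceToOosDsbldStateChange: TRUE (the default)
    lets the request through regardless of blockers, FALSE rejects it
    when any blocker is present."""
    pst, ssts = parse_state(port.state, entity="port")
    if pst == "IS-NR":
        return False, "IS-NR cannot go straight to OOS-MA,DSBLD; set OOS,MT first"
    blockers = port.dsbld_blockers()
    if blockers and not force_default:
        return False, "ForceToOosDsbldStateChange=FALSE: " + "; ".join(blockers)
    # Table B-5: the result is OOS-MA,DSBLD, keeping OOG for a VCAT member.
    return True, format_state("OOS-MA", {"DSBLD"} | (ssts & {"OOG"}))


def ains_can_complete(xc_state, parent_port_state):
    """B.3.2 exception: an OOS-AU,AINS cross-connect cannot reach IS-NR
    autonomously until its parent port is IS-NR. A standing FLT also
    blocks it (Table B-2: AINS waits for conditions to clear); the soak
    timer is left to the caller."""
    pst, ssts = parse_state(xc_state, entity="cross-connect")
    if pst != "OOS-AU" or "AINS" not in ssts or "FLT" in ssts:
        return False
    return parse_state(parent_port_state, entity="port")[0] == "IS-NR"


if __name__ == "__main__":
    dcc_port = Port("OOS-MA,MT", dcc_in_use=True, timing_source=True)
    print(request_dsbld(dcc_port))                       # allowed by default
    print(request_dsbld(dcc_port, force_default=False))  # rejected, with reasons
    print(request_dsbld(Port("IS-NR")))                  # must go through OOS,MT
    print(alarms_suppressed("OOS-AUMA,FLT & MT"))        # True
```

The two request_dsbld calls on dcc_port show the practical effect of the node default: with the shipped value of TRUE a port that is both a timing source and a DCC path can be disabled in one step once it is in OOS-MA,MT, and only FALSE turns the B.3.2 list into an enforced check.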
Table B-5 ONS 15454 Port and Cross-Connect Service State Transitions

Current Service State | Action | Next Service State
IS-NR | Put the port or cross-connect in the OOS,MT administrative state. | OOS-MA,MT
IS-NR | Put the port or cross-connect in the IS,AINS administrative state. | OOS-AU,AINS (1)
IS-NR | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-MA,MT & OOG
IS-NR | Alarm/condition is raised. | OOS-AU,FLT; OOS-AU,FLT & OOG for a VCAT cross-connect
IS-NR | (Cross-connect only) Put the cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD; OOS-MA,DSBLD & OOG for a VCAT cross-connect
OOS-AU,AINS | Put the port or cross-connect in the IS administrative state. | IS-NR
OOS-AU,AINS | Put the port or cross-connect in the OOS,MT administrative state. | OOS-MA,MT
OOS-AU,AINS | Put the port or cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD; OOS-MA,DSBLD & OOG for a VCAT cross-connect
OOS-AU,AINS | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-MA,MT & OOG
OOS-AU,AINS | Alarm/condition is raised. | OOS-AU,AINS & FLT; OOS-AU,AINS & FLT & OOG for a VCAT cross-connect
OOS-AU,AINS & FLT | Alarm/condition is cleared. | OOS-AU,AINS
OOS-AU,AINS & FLT | Put the port or cross-connect in the IS administrative state. | OOS-AU,FLT
OOS-AU,AINS & FLT | Put the port or cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD
OOS-AU,AINS & FLT | Put the port or cross-connect in the OOS,MT administrative state. | OOS-AUMA,FLT & MT
OOS-AU,AINS & FLT | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-AUMA,FLT & MT & OOG
OOS-AU,AINS & FLT & OOG | Alarm/condition is cleared. | OOS-AU,AINS or OOS-MA,MT: if an In Group member is IS-NR or OOS-AU,AINS, the member transitions to OOS-AU,AINS; if an In Group member is OOS-MA,MT, the member transitions to OOS-MA,MT
OOS-AU,AINS & FLT & OOG | Put the VCAT cross-connect in the IS administrative state. | OOS-AU,FLT & OOG
OOS-AU,AINS & FLT & OOG | Put the VCAT cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD & OOG
OOS-AU,AINS & FLT & OOG | Put the VCAT cross-connect in the OOS,MT administrative state. | OOS-AUMA,FLT & MT & OOG
OOS-AU,FLT | Alarm/condition is cleared. | IS-NR
OOS-AU,FLT | Put the port or cross-connect in the IS,AINS administrative state. | OOS-AU,AINS & FLT
OOS-AU,FLT | Put the port or cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD; OOS-MA,DSBLD & OOG for a VCAT cross-connect
OOS-AU,FLT | Put the port or cross-connect in the OOS,MT administrative state. | OOS-AUMA,FLT & MT
OOS-AU,FLT | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-AUMA,FLT & MT & OOG
OOS-AU,FLT & OOG | Alarm/condition is cleared. | IS-NR or OOS-MA,MT: if an In Group member is IS-NR or OOS-AU,AINS, the member transitions to IS-NR; if an In Group member is OOS-MA,MT, the member transitions to OOS-MA,MT
OOS-AU,FLT & OOG | Put the VCAT cross-connect in the IS,AINS administrative state. | OOS-AU,AINS & FLT & OOG
OOS-AU,FLT & OOG | Put the VCAT cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD & OOG
OOS-AU,FLT & OOG | Put the VCAT cross-connect in the OOS,MT administrative state. | OOS-AUMA,FLT & MT & OOG
OOS-AUMA,FLT & LPBK & MT | Release the loopback. | OOS-AUMA,FLT & MT
OOS-AUMA,FLT & LPBK & MT | Alarm/condition is cleared. | OOS-MA,LPBK & MT
OOS-AUMA,FLT & LPBK & MT & OOG | Release the loopback. | OOS-AUMA,FLT & MT & OOG
OOS-AUMA,FLT & LPBK & MT & OOG | Alarm/condition is cleared. | OOS-MT,MT & OOG
OOS-AUMA,FLT & MT | Alarm/condition is cleared. | OOS-MA,MT
OOS-AUMA,FLT & MT | Put the port or cross-connect in the IS administrative state. | OOS-AU,FLT
OOS-AUMA,FLT & MT | Put the port or cross-connect in the IS,AINS administrative state. | OOS-AU,AINS & FLT
OOS-AUMA,FLT & MT | Put the port or cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD; OOS-MA,DSBLD & OOG for a VCAT cross-connect
OOS-AUMA,FLT & MT | Put the port or cross-connect in a loopback. | OOS-AUMA,FLT & LPBK & MT
OOS-AUMA,FLT & MT | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-AUMA,FLT & MT & OOG
OOS-AUMA,FLT & MT & OOG | Alarm/condition is cleared. | OOS-MA,MT & OOG
OOS-AUMA,FLT & MT & OOG | Put the VCAT cross-connect in the IS administrative state. (Note: VCAT In Group members are in the OOS-AU,FLT or IS-NR service state.) | OOS-AU,FLT & OOG
OOS-AUMA,FLT & MT & OOG | Put the VCAT cross-connect in the IS,AINS administrative state. (Note: VCAT In Group members are in the OOS-AU,AINS & FLT or IS-NR service state.) | OOS-AU,AINS & FLT & OOG
OOS-AUMA,FLT & MT & OOG | Put the VCAT cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD & OOG
OOS-AUMA,FLT & MT & OOG | Put the VCAT cross-connect in the OOS,MT administrative state. (Note: VCAT In Group members are in the OOS-MA,FLT & MT service state.) | OOS-MA,FLT & MT
OOS-AUMA,FLT & MT & OOG | Operate a loopback. | OOS-MA,FLT & LPBK & MT & OOG
OOS-MA,DSBLD | Put the port or cross-connect in the IS administrative state. | IS-NR
OOS-MA,DSBLD | Put the port or cross-connect in the IS,AINS administrative state. | OOS-AU,AINS
OOS-MA,DSBLD | Put the port or cross-connect in the OOS,MT administrative state. | OOS-MA,MT
OOS-MA,DSBLD | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-MA,MT & OOG
OOS-MA,LPBK & MT | Release the loopback. (Note: While in OOS-MA,LPBK & MT, both Cisco Transport Controller (CTC) and Transaction Language One (TL1) allow a cross-connect to be deleted, which also removes the loopback. This applies only to the cross-connect, not the ports.) | OOS-MA,MT
OOS-MA,LPBK & MT | Alarm/condition is raised. | OOS-AUMA,FLT & LPBK & MT; OOS-AUMA,FLT & LPBK & MT & OOG for a VCAT cross-connect
OOS-MA,LPBK & MT & OOG | Alarm/condition is raised. | OOS-AUMA,FLT & LPBK & MT & OOG
OOS-MA,MT | Put the port or cross-connect in the IS administrative state. | IS-NR
OOS-MA,MT | Put the port or cross-connect in the IS,AINS administrative state. | OOS-AU,AINS
OOS-MA,MT | Put the port or cross-connect in the OOS,DSBLD administrative state. | OOS-MA,DSBLD; OOS-MA,DSBLD & OOG for a VCAT cross-connect
OOS-MA,MT | Put the port or cross-connect in a loopback. | OOS-MA,LPBK & MT
OOS-MA,MT | Put the VCAT cross-connect in the OOS,OOG administrative state. | OOS-MA,MT & OOG
OOS-MA,MT | Alarm/condition is raised. | OOS-AUMA,FLT & MT; OOS-AUMA,FLT & MT & OOG for a VCAT cross-connect
OOS-MA,MT & OOG | Alarm/condition is raised. | OOS-AUMA,FLT & MT & OOG

1. For a VCAT cross-connect, an IS-NR to OOS-AU,AINS transition will not occur with a Loss of Multiframe (LOM) or Sequence Mismatch (SQM) condition on the member.

B.3.3 Pluggable Equipment Service State Transitions

The service state transitions for pluggable equipment are the same as for other equipment, with the exceptions listed in Table B-6.

Note: Pluggable equipment (pluggable interface modules [PIMs] and pluggable port modules [PPMs]) will transition out of the UAS state when inserted if the software can read the EEPROM and identify information on the pluggable equipment. If the software cannot read the pluggable equipment, the equipment is considered invalid and will not transition out of the UAS state.
Table B-6 ONS 15454 Pluggable Equipment Service State Transitions

Current Service State | Action | Next Service State
IS-NR | Reset the pluggable equipment. | IS-NR
IS-NR | Provision an unsupported service rate. | OOS-AU,MEA (pluggable equipment does not work with the board configuration)
OOS-AU,AINS & UEQ | Insert valid pluggable equipment. | IS-NR
OOS-AU,AINS & UEQ | Insert pluggable equipment with the incorrect rate. | OOS-AU,MEA (pluggable equipment does not work with the board configuration)
OOS-AU,MEA | Delete the unsupported service rate or modify provisioning so that the pluggable equipment is no longer a mismatch. | IS-NR
OOS-AU,UEQ | Insert valid pluggable equipment. | IS-NR
OOS-AUMA,MEA & MT | Delete the unsupported service rate or modify provisioning so that the pluggable equipment is no longer a mismatch. | OOS-MA,MT
OOS-AUMA,MT & UEQ | Insert valid pluggable equipment. | OOS-MA,MT
OOS-AUMA,UAS | Provision valid pluggable equipment. | IS-NR
OOS-AUMA,UAS & UEQ | Insert valid pluggable equipment. | IS-NR
OOS-AUMA,UAS & UEQ | Insert pluggable equipment with the incorrect rate. | OOS-AU,MEA (pluggable equipment does not work with the board configuration)
OOS-MA,MT | Reset the pluggable equipment. | OOS-MA,MT
OOS-MA,MT | Provision an unsupported service rate. | OOS-AUMA,MEA & MT (pluggable equipment does not work with the board configuration)
APPENDIX C Network Element Defaults

Note: The terms “Unidirectional Path Switched Ring” and “UPSR” may appear in Cisco literature. These terms do not refer to using Cisco ONS 15xxx products in a unidirectional path switched ring configuration. Rather, these terms, as well as “Path Protected Mesh Network” and “PPMN,” refer generally to Cisco's path protection feature, which may be used in any topological network configuration. Cisco does not recommend using its path protection feature in any particular topological network configuration.

This appendix describes the factory-configured (default) network element (NE) settings for the Cisco ONS 15454. It includes descriptions of card, node, and Cisco Transport Controller (CTC) default settings. To import, export, or edit the settings, refer to the “Maintain the Node” chapter of the Cisco ONS 15454 Procedure Guide.

Cards supported by this platform but not listed in this appendix have no user-configurable NE default settings. To change card settings individually (that is, without directly changing the NE defaults), refer to the “Change Card Settings” chapter of the Cisco ONS 15454 Procedure Guide. To change node settings, refer to the “Change Node Settings” chapter of the Cisco ONS 15454 Procedure Guide.
This appendix includes the following sections:
• C.1 Network Element Defaults Description, page C-1
• C.2 Card Default Settings, page C-2
• C.3 Node Default Settings, page C-99
• C.4 CTC Default Settings, page C-119

C.1 Network Element Defaults Description

The NE defaults are preinstalled on each Cisco ONS 15454 Advanced Timing, Communications, and Control (TCC2) and Advanced Timing, Communications, and Control Plus (TCC2P) card. Cisco also ships a file named 15454-defaults.txt on the CTC software CD in case you want to import the defaults onto existing TCC2/TCC2P cards. The NE defaults include card-level, CTC, and node-level defaults.

Changes to card provisioning that are made manually using the procedures in the “Change Card Settings” chapter in the Cisco ONS 15454 Procedure Guide override default settings. If you use the CTC Defaults editor (on the node view Provisioning > Defaults tab) or import a new defaults file, any resulting changes to card or port settings affect only cards that are installed or preprovisioned after the defaults have changed.

Changes that are made manually to most node-level default settings override the current settings, whether default or provisioned. If you change node-level default settings, either by using the Defaults editor or by importing a new defaults file, the new defaults reprovision the node immediately for all settings except those relating to protection (1+1 bidirectional switching, 1+1 reversion time, 1+1 revertive switching, bidirectional line switched ring [BLSR] ring reversion time, BLSR ring revertive switching, BLSR span reversion time, and BLSR span revertive switching). Settings relating to protection apply to subsequent provisioning.
Note: Changing some node-level provisioning through NE defaults can cause CTC disconnection or a reboot of the node in order for the provisioning to take effect. Before you change a default, check the Side Effects column of the Defaults editor (right-click a column header and select Show Column > Side Effects) and be prepared for any side effects listed for that default.

C.2 Card Default Settings

The tables in this section list the default settings for each SONET card. Cisco provides several types of user-configurable defaults for Cisco ONS 15454 optical, electrical, storage access networking, and Ethernet (or data) cards. Types of card defaults can be broadly grouped by function, as outlined in the following subsections. For information about individual card settings, refer to the “Change Card Settings” chapter of the Cisco ONS 15454 Procedure Guide.

Note: When the card-level defaults are changed, only provisioning done after the defaults have changed is affected. Existing provisioning remains unaffected.

Note: To view DWDM card defaults, consult the Cisco ONS 15454 DWDM Reference Manual.

The following types of defaults are defined for SONET cards.

C.2.1 Configuration Defaults

Most card-level and port-level configuration defaults correspond to settings found in the CTC card-level Provisioning tabs.

Note: The full set of Automatic Laser Shutdown (ALS) configuration defaults can be found in the CTC card-level Maintenance > ALS tab for supported cards. ALS defaults are supported for OC3-8, OC-48ELR, OC-192, OC192-XFP, MRC-2.5G-4, and MRC-12 cards.
Configuration defaults that correspond to settings reachable from the CTC card-level Provisioning tabs (except as noted) include the following types of options (arranged by CTC subtab):
• Line—(DS-N, EC1-12, OC-N, MRC-12, MRC-2.5G-4, G-series, and CE-series cards) Line-level configuration settings.
  Note: MRC-12 and MRC-2.5G-4 line configuration defaults are defined on a per OC-N rate basis.
• SONET STS—(OC-N and EC1-12 cards) SONET STS-level configuration settings.
• Port—(FC_MR-4 cards only) Port line-level configuration, distance extension, and enhanced FC/FICON ISL settings.
• Card—(DS1/E1-56, ML-series, and FC_MR-4 cards) Transport mode, operating mode, enable/disable retiming, and port to Virtual Tributary (VT) mapping standard settings (DS1/E1-56 only); or FC_MR-4 card mode settings (FC_MR-4 only); or framing mode (ML-series cards).
• DS1—(DS3XM-12 cards only) DS-1 rate virtual port-level line configuration settings.
• Broadband Ports—(DS3/EC1-48 cards only) Set the port rate as DS3, EC1, or unassigned (DS3 is the default).
• DS3—(DS3/EC1-48 cards only) DS-3 rate port-level line configuration settings.
• EC1—(DS3/EC1-48 cards only) EC-1 rate port-level line configuration, section trace, and SONET STS settings.
• ALS (card-level Maintenance > ALS tab)—(OC3-8, OC-48ELR, OC-192, OC192-XFP, MRC-2.5G-4, and MRC-12 cards) ALS configuration defaults.
• IOS (card-level IOS tab)—(ML-series and RAN-SVC cards) Console port and RADIUS server access settings.
• Ether Ports—(CE-series cards) Line configuration settings (including 802 class of service [IEEE 802.1p CoS] and IP type of service [ToS]).
• POS Ports—(CE-series cards) Line configuration settings.

Note: Line configuration defaults for the CE-100T-8 card apply to both Ethernet port and packet-over-SONET (POS) port settings where the same setting exists for both.
Note: For further information about each card, consult the appropriate card reference chapter, that is, Chapter 3, “Electrical Cards,” Chapter 4, “Optical Cards,” Chapter 5, “Ethernet Cards,” and Chapter 6, “Storage Access Networking Cards.”

Note: For further information about IOS configuration defaults for ML-series cards, refer to the Cisco ONS 15454 and Cisco ONS 15454 SDH Ethernet Card Software Feature and Configuration Guide.

C.2.2 Threshold Defaults

Threshold default settings define the default cumulative values (thresholds) beyond which a threshold crossing alert (TCA) will be raised, making it possible to monitor the network and detect errors early. Card threshold default settings are provided as follows:
• PM thresholds—(DS-N, EC-1, OC-N, MRC-2.5G-4, and MRC-12 cards) Can be expressed in counts or seconds; includes line, electrical path, and SONET thresholds.
• Physical Layer thresholds—(OC3-8, OC-192, OC-192XFP, MRC-2.5G-4, and MRC-12 cards) Expressed in percentages; includes optics thresholds.

Threshold defaults are defined for near end and/or far end, at 15-minute and one-day intervals. Thresholds are further broken down by type, such as Section, Line, STS, or VT for performance monitoring (PM) thresholds, and TCA (warning) or Alarm for physical thresholds. PM threshold types define the layer to which the threshold applies. Physical threshold types define the level of response expected when the threshold is crossed.

Note: For full descriptions of the thresholds you can set for each card, see Chapter 15, “Performance Monitoring.”

Note: For additional information regarding PM parameter threshold defaults as defined by Telcordia specifications, refer to Telcordia GR-820-CORE and GR-253-CORE.
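Because an imported defaults file reprovisions the node (and some node-level changes disconnect CTC or reboot the node), it is worth validating every override against the Default Domain column of the tables in C.2.3 before importing it. The checker below is an added example, not Cisco code or any part of the 15454-defaults.txt format; it parses the domain notation as printed in Tables C-1 and C-2 (enumerations, integer ranges, the 15-minute soak-time series, and "... when LineType ..." conditional domains), and the override set and the name DS1.config.NoSuchDefault are constructed for the demonstration.

```python
"""Check proposed ONS 15454 NE default overrides against their documented domains.

Added example, not code from the Cisco manual.  It parses the Default Domain
notation used in the card default tables of this appendix: enumerations such as
"TRUE, FALSE", integer ranges such as "0 - 900", the AINS soak-time series
"00:00, 00:15, 00:30 .. 48:00", and conditional domains of the form
"<values> when <setting> <value>[, <value>]; <values> when ...".
"""
import re

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
SOAK_RE = re.compile(r"^00:00, 00:15, 00:30 \.\. (\d{2}):(\d{2})$")

def resolve_domain(domain, context):
    """Return the clause of a conditional domain that matches `context`
    (a dict such as {"LineType": "ESF"}); unconditional domains pass through."""
    if " when " not in domain:
        return domain
    for clause in domain.split("; "):
        values, _, cond = clause.partition(" when ")
        key, _, cond_values = cond.strip().partition(" ")
        if context.get(key) in [v.strip() for v in cond_values.split(", ")]:
            return values.strip()
    raise ValueError(f"no clause of {domain!r} applies to {context!r}")

def parse_domain(domain):
    """Classify a domain as ("range", (lo, hi)), ("soak", max_minutes) or
    ("enum", literals).  Service states such as "OOS,DSBLD" contain a comma,
    so enumerations are split on comma-space only."""
    domain = domain.strip()
    m = RANGE_RE.match(domain)
    if m:
        return "range", (int(m.group(1)), int(m.group(2)))
    m = SOAK_RE.match(domain)
    if m:
        return "soak", int(m.group(1)) * 60 + int(m.group(2))
    return "enum", tuple(v.strip() for v in domain.split(", "))

def value_in_domain(value, domain, context=None):
    """True if `value`, written as in the tables (a unit in parentheses is
    ignored), is permitted by `domain`.  Raises ValueError on unparsable input."""
    kind, payload = parse_domain(resolve_domain(domain, context or {}))
    literal = str(value).split(" (")[0].strip()
    if kind == "range":
        return payload[0] <= int(literal) <= payload[1]
    if kind == "soak":
        hh, mm = literal.split(":")
        minutes = int(hh) * 60 + int(mm)
        return 0 <= minutes <= payload and minutes % 15 == 0
    if literal in payload:
        return True
    try:  # "1.00E-07" in the Default Value column equals "1E-7" in the domain
        return any(float(literal) == float(v) for v in payload)
    except ValueError:
        return False

def check_overrides(table, overrides, context=None):
    """Return {default name: reason} for every override the domains reject."""
    domains = {name: domain for name, _default, domain in table}
    problems = {}
    for name, value in overrides.items():
        if name not in domains:
            problems[name] = "not a default name in the table"
            continue
        try:
            if not value_in_domain(value, domains[name], context):
                problems[name] = f"{value!r} is outside {domains[name]!r}"
        except ValueError as exc:
            problems[name] = str(exc)
    return problems

def defaults_self_consistent(table, context=None):
    """Names whose factory default is not inside its own domain (expect none)."""
    bad = []
    for name, default, domain in table:
        try:
            if not value_in_domain(default, domain, context):
                bad.append(name)
        except ValueError:
            bad.append(name)
    return bad

# Rows copied from Table C-1 and Table C-2 of this appendix: (name, default, domain).
SAMPLE_TABLE = [
    ("DS1.config.AINSSoakTime", "08:00 (hours:mins)", "00:00, 00:15, 00:30 .. 48:00"),
    ("DS1.config.LineCoding", "AMI", "B8ZS, AMI"),
    ("DS1.config.SDBER", "1.00E-07", "1E-5, 1E-6, 1E-7, 1E-8, 1E-9"),
    ("DS1.config.State", "IS,AINS", "IS, OOS,DSBLD, OOS,MT, IS,AINS"),
    ("DS1.pmthresholds.line.nearend.15min.ES", "65 (seconds)", "0 - 900"),
    ("DS1-E1-56.DS1-PORT.config.State", "OOS,DSBLD",
     "OOS,DSBLD when LineType AUTO FRAME; "
     "IS, OOS,DSBLD, OOS,MT, IS,AINS when LineType ESF, D4, UNFRAMED, J_ESF"),
]

# Constructed override set for the demonstration; the last name is hypothetical.
SAMPLE_OVERRIDES = {
    "DS1.pmthresholds.line.nearend.15min.ES": "901",  # above the 0 - 900 range
    "DS1.config.AINSSoakTime": "00:20",               # not a 15-minute step
    "DS1.config.LineCoding": "B8ZS",                  # allowed
    "DS1-E1-56.DS1-PORT.config.State": "IS,AINS",     # rejected only when LineType is AUTO FRAME
    "DS1.config.NoSuchDefault": "1",                  # hypothetical name, not in the manual
}
```

Call check_overrides(SAMPLE_TABLE, SAMPLE_OVERRIDES, {"LineType": "UNFRAMED"}) to get the rejected overrides with their reasons; pass the card's actual LineType because the conditional domains depend on it.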
C.2.3 Defaults by Card

In the tables that follow, card defaults are defined by the default name, its factory-configured value, and the domain of allowable values that you can assign to it.

Note: Some default values, such as certain thresholds, are interdependent. Before changing a value, review the domain for that default and any other related defaults for potential dependencies.

C.2.3.1 DS-1 Card Default Settings

Table C-1 lists the DS-1 (DS1-14 and DS1N-14) card default settings.

Table C-1 DS-1 Card Default Settings

Default Name | Default Value | Default Domain
DS1.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
DS1.config.LineCoding | AMI | B8ZS, AMI
DS1.config.LineLength | 0 - 131 ft | 0 - 131 ft, 132 - 262 ft, 263 - 393 ft, 394 - 524 ft, 525 - 655 ft
DS1.config.LineType | D4 | ESF, D4, UNFRAMED
DS1.config.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS1.config.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
DS1.config.SendAISOnTerminalLoopback | FALSE | TRUE, FALSE
DS1.config.SendAISVOnDefects | FALSE | FALSE, TRUE
DS1.config.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
DS1.config.TreatLOFAsDefect | FALSE | FALSE, TRUE
DS1.pmthresholds.line.farend.15min.ES | 65 (seconds) | 0 - 900
DS1.pmthresholds.line.farend.1day.ES | 648 (seconds) | 0 - 86400
DS1.pmthresholds.line.nearend.15min.CV | 13340 (BPV count) | 0 - 1388700
DS1.pmthresholds.line.nearend.15min.ES | 65 (seconds) | 0 - 900
DS1.pmthresholds.line.nearend.15min.LOSS | 10 (seconds) | 0 - 900
DS1.pmthresholds.line.nearend.15min.SES | 10 (seconds) | 0 - 900
DS1.pmthresholds.line.nearend.1day.CV | 133400 (BPV count) | 0 - 133315200
DS1.pmthresholds.line.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS1.pmthresholds.line.nearend.1day.LOSS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.line.nearend.1day.SES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.15min.CSS | 25 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.15min.CV | 13296 (BIP count) | 0 - 38700
DS1.pmthresholds.path.farend.15min.ES | 65 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.15min.ESA | 25 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.15min.ESB | 25 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.15min.FC | 0 (count) | 0 - 90
DS1.pmthresholds.path.farend.15min.SEFS | 25 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.15min.SES | 10 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.15min.UAS | 10 (seconds) | 0 - 900
DS1.pmthresholds.path.farend.1day.CSS | 25 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.1day.CV | 132960 (BIP count) | 0 - 3715200
DS1.pmthresholds.path.farend.1day.ES | 648 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.1day.ESA | 25 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.1day.ESB | 25 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.1day.FC | 0 (count) | 0 - 8640
DS1.pmthresholds.path.farend.1day.SEFS | 25 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.1day.SES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.path.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.path.nearend.15min.AISS | 10 (seconds) | 0 - 900
DS1.pmthresholds.path.nearend.15min.CV | 13296 (BIP count) | 0 - 38700
DS1.pmthresholds.path.nearend.15min.ES | 65 (seconds) | 0 - 900
DS1.pmthresholds.path.nearend.15min.FC | 0 (count) | 0 - 90
DS1.pmthresholds.path.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS1.pmthresholds.path.nearend.15min.SES | 10 (seconds) | 0 - 900
DS1.pmthresholds.path.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS1.pmthresholds.path.nearend.1day.AISS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.path.nearend.1day.CV | 132960 (BIP count) | 0 - 3715200
DS1.pmthresholds.path.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS1.pmthresholds.path.nearend.1day.FC | 0 (count) | 0 - 8640
DS1.pmthresholds.path.nearend.1day.SAS | 17 (seconds) | 0 - 86400
DS1.pmthresholds.path.nearend.1day.SES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.path.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.sts.farend.15min.CV | 15 (B3 count) | 0 - 2160000
DS1.pmthresholds.sts.farend.15min.ES | 12 (seconds) | 0 - 900
DS1.pmthresholds.sts.farend.15min.FC | 10 (count) | 0 - 72
DS1.pmthresholds.sts.farend.15min.SES | 3 (seconds) | 0 - 900
DS1.pmthresholds.sts.farend.15min.UAS | 10 (seconds) | 0 - 900
DS1.pmthresholds.sts.farend.1day.CV | 125 (B3 count) | 0 - 207360000
DS1.pmthresholds.sts.farend.1day.ES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.sts.farend.1day.FC | 10 (count) | 0 - 6912
DS1.pmthresholds.sts.farend.1day.SES | 7 (seconds) | 0 - 86400
DS1.pmthresholds.sts.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.sts.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
DS1.pmthresholds.sts.nearend.15min.ES | 12 (seconds) | 0 - 900
DS1.pmthresholds.sts.nearend.15min.FC | 10 (count) | 0 - 72
DS1.pmthresholds.sts.nearend.15min.SES | 3 (seconds) | 0 - 900
DS1.pmthresholds.sts.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS1.pmthresholds.sts.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
DS1.pmthresholds.sts.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.sts.nearend.1day.FC | 10 (count) | 0 - 6912
DS1.pmthresholds.sts.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS1.pmthresholds.sts.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.vt.farend.15min.CV | 15 (BIP8 count) | 0 - 2160000
DS1.pmthresholds.vt.farend.15min.ES | 12 (seconds) | 0 - 900
DS1.pmthresholds.vt.farend.15min.SES | 3 (seconds) | 0 - 900
DS1.pmthresholds.vt.farend.15min.UAS | 10 (seconds) | 0 - 900
DS1.pmthresholds.vt.farend.1day.CV | 125 (BIP8 count) | 0 - 207360000
DS1.pmthresholds.vt.farend.1day.ES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.vt.farend.1day.SES | 7 (seconds) | 0 - 86400
DS1.pmthresholds.vt.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS1.pmthresholds.vt.nearend.15min.CV | 15 (BIP8 count) | 0 - 2160000
DS1.pmthresholds.vt.nearend.15min.ES | 12 (seconds) | 0 - 900
DS1.pmthresholds.vt.nearend.15min.SES | 3 (seconds) | 0 - 900
DS1.pmthresholds.vt.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS1.pmthresholds.vt.nearend.1day.CV | 125 (BIP8 count) | 0 - 207360000
DS1.pmthresholds.vt.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS1.pmthresholds.vt.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS1.pmthresholds.vt.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.2 DS1/E1-56 Card Default Settings

Table C-2 lists the DS1/E1-56 card default settings.

Table C-2 DS1/E1-56 Card Default Settings

Default Name | Default Value | Default Domain
DS1-E1-56.config.OperatingMode | All DS1 | All DS1, All E1
DS1-E1-56.config.PortToVtMappingMode | GR253 | Industry when OperatingMode All E1; GR253, Industry when OperatingMode All DS1
DS1-E1-56.DS1-PORT.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
DS1-E1-56.DS1-PORT.config.Ds1Mapping | Asynchronous | Asynchronous when LineType UNFRAMED, UNFRAMED; Asynchronous, Byte Synchronous when LineType ESF, D4, E1_MF, E1_CRCMF, AUTO FRAME, J_ESF
DS1-E1-56.DS1-PORT.config.FdlMode | T1.403 | T1.403 when LineType UNFRAMED, AUTO FRAME; T1.403, BFDL when LineType ESF, D4, J_ESF
DS1-E1-56.DS1-PORT.config.FeInhibitLpbk | TRUE | TRUE, FALSE
DS1-E1-56.DS1-PORT.config.LineCoding | AMI | B8ZS, AMI
DS1-E1-56.DS1-PORT.config.LineLength | 0 - 131 ft | 0 - 131 ft, 132 - 262 ft, 263 - 393 ft, 394 - 524 ft, 525 - 655 ft
DS1-E1-56.DS1-PORT.config.LineType | UNFRAMED | ESF, D4, UNFRAMED, AUTO FRAME, J_ESF
DS1-E1-56.DS1-PORT.config.RetimingEnabled | FALSE | TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS1-E1-56.DS1-PORT.config.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SendAISVOnDefects | FALSE | FALSE, TRUE
DS1-E1-56.DS1-PORT.config.SendDoNotUse | FALSE | TRUE, FALSE
DS1-E1-56.DS1-PORT.config.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
DS1-E1-56.DS1-PORT.config.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
DS1-E1-56.DS1-PORT.config.State | OOS,DSBLD | OOS,DSBLD when LineType AUTO FRAME; IS, OOS,DSBLD, OOS,MT, IS,AINS when LineType ESF, D4, UNFRAMED, J_ESF
DS1-E1-56.DS1-PORT.config.SyncMsgIn | FALSE | FALSE when LineType D4, E1_MF, E1_CRCMF, UNFRAMED, AUTO FRAME; FALSE, TRUE when LineType ESF, J_ESF
DS1-E1-56.DS1-PORT.config.TreatLOFAsDefect | TRUE | FALSE, TRUE
DS1-E1-56.DS1-PORT.pmthresholds.line.farend.15min.ES | 65 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.farend.1day.ES | 648 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.CV | 13340 (BPV count) | 0 - 1388700
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.ES | 65 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.LOSS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.15min.SES | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.CV | 133400 (BPV count) | 0 - 133315200
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.LOSS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.line.nearend.1day.SES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.CSS | 25 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.CV | 13296 (BIP count) | 0 - 38700
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ES | 65 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESA | 25 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESB | 25 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESFE | 65 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.ESNE | 65 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.FC | 10 (count) | 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SEFS | 25 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SES | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SESFE | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.SESNE | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.UAS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.UASFE | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.15min.UASNE | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.CSS | 25 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.CV | 132960 (BIP count) | 0 - 3715200
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ES | 648 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESA | 25 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESB | 25 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESFE | 648 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.ESNE | 648 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.FC | 40 (count) | 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SEFS | 25 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SESFE | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.SESNE | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.UASFE | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.farend.1day.UASNE | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.AISS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.CV | 13296 (BIP count) | 0 - 38700
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.ES | 65 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.FC | 10 (count) | 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.SES | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.AISS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.CV | 132960 (BIP count) | 0 - 3715200
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.FC | 40 (count) | 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.SAS | 17 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.SES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.path.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.ES | 12 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.FC | 10 (count) | 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.SES | 3 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.15min.UAS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.ES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.FC | 40 (count) | 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.SES | 7 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.ES | 12 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.FC | 10 (count) | 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.SES | 3 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.FC | 40 (count) | 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.sts.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.ES | 12 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.FC | 10 (count) | 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.SES | 3 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.15min.UAS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.ES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.FC | 40 (count) | 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.SES | 7 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.ES | 12 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.FC | 10 (count) | 0 - 72
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.SES | 3 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.FC | 40 (count) | 0 - 6912
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS1-E1-56.DS1-PORT.pmthresholds.vt.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS1-E1-56.E1-PORT.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
DS1-E1-56.E1-PORT.config.LineCoding | HDB3 | HDB3
DS1-E1-56.E1-PORT.config.LineType | E1_UNFRAMED | E1_MF, E1_CRCMF, AUTO FRAME, UNFRAMED
DS1-E1-56.E1-PORT.config.RetimingEnabled | FALSE | TRUE, FALSE
DS1-E1-56.E1-PORT.config.SaBit | SA Bit 4 | SA Bit 4, SA Bit 5, SA Bit 6, SA Bit 7, SA Bit 8
DS1-E1-56.E1-PORT.config.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS1-E1-56.E1-PORT.config.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
DS1-E1-56.E1-PORT.config.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
DS1-E1-56.E1-PORT.config.SendAISVOnDefects | FALSE | FALSE, TRUE
DS1-E1-56.E1-PORT.config.SendDoNotUse | FALSE | TRUE, FALSE
DS1-E1-56.E1-PORT.config.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
DS1-E1-56.E1-PORT.config.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
DS1-E1-56.E1-PORT.config.State | OOS,DSBLD | OOS,DSBLD when LineType AUTO FRAME; IS, OOS,DSBLD, OOS,MT, IS,AINS when LineType E1_MF, E1_CRCMF, UNFRAMED
DS1-E1-56.E1-PORT.config.SyncMsgIn | FALSE | FALSE, TRUE
DS1-E1-56.E1-PORT.config.TreatLOFAsDefect | TRUE | FALSE, TRUE
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.CV | 9 (BPV count) | 0 - 1388700
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.ES | 65 (seconds) | 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.LOSS | 10 (seconds) | 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.15min.SES | 10 (seconds) | 0 - 900
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.CV | 90 (BPV count) | 0 - 133315200
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.line.nearend.1day.SES 100 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.AIS S 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.BBE 9 (count) 0 - 287100 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.EB 9 (count) 0 - 450000 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.ES 65 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.SES 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.15min.UAS 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.AISS 10 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.BBE 90 (count) 0 - 27561600 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.EB 90 (count) 0 - 43200000 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.ES 648 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.SES 100 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.path.nearend.1day.UAS 10 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.FC 40 (count) 0 - 6912 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 
86400 Table C-2 DS1/E1-56 Card Default Settings (continued) Default Name Default Value Default DomainC-13 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.3 DS-3 Card Default Settings Table C-3 lists the DS-3 card default settings. DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.FC 40 (count) 0 - 6912 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.ES 65 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.FC 10 (count) 0 - 72 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.SES 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.15min.UAS 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.ES 648 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.FC 40 (count) 0 - 6912 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.SES 100 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.vt.farend.1day.UAS 10 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.ES 65 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.FC 10 (count) 0 - 72 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.SES 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.15min.UAS 10 (seconds) 0 - 900 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.ES 648 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.FC 40 (count) 0 - 6912 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.SES 100 (seconds) 0 - 86400 DS1-E1-56.E1-PORT.pmthresholds.vt.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-2 DS1/E1-56 Card Default Settings (continued) Default Name Default Value Default Domain Table C-3 DS-3 Card Default Settings Default Name Default Value Default Domain DS3.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 
48:00 DS3.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft DS3.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 DS3.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE DS3.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 DS3.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS DS3.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700 DS3.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900 DS3.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900 DS3.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900 DS3.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200C-14 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.4 DS3/EC1-48 Card Default Settings Table C-4 lists the DS3/EC1-48 card default settings. DS3.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400 DS3.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400 DS3.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400 DS3.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000 DS3.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900 DS3.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72 DS3.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900 DS3.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900 DS3.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000 DS3.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400 DS3.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912 DS3.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400 DS3.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400 DS3.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000 DS3.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900 DS3.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72 DS3.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900 DS3.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900 DS3.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000 DS3.pmthresholds.sts.nearend.1day.ES 
100 (seconds) 0 - 86400 DS3.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912 DS3.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400 DS3.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-3 DS-3 Card Default Settings (continued) Default Name Default Value Default Domain Table C-4 DS3/EC1-48 Card Default Settings Default Name Default Value Default Domain DS3-EC1-48.Broadband.portAssignment DS3-PORT UNASSIGNED, DS3-PORT, EC1-PORT DS3-EC1-48.DS3-PORT.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00 DS3-EC1-48.DS3-PORT.config.FeInhibitLpbk TRUE TRUE, FALSE DS3-EC1-48.DS3-PORT.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft DS3-EC1-48.DS3-PORT.config.LineType UNFRAME D UNFRAMED, M13, C BIT, AUTO PROVISION FMTC-15 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card DS3-EC1-48.DS3-PORT.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 DS3-EC1-48.DS3-PORT.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE DS3-EC1-48.DS3-PORT.config.SendAISOnTerminalLoopback FALSE TRUE, FALSE DS3-EC1-48.DS3-PORT.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 DS3-EC1-48.DS3-PORT.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.CV 382 (BIP count) 0 - 38700 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.ES 25 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.SAS 2 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.SES 4 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.15min.UAS 10 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.CV 3820 (BIP count) 0 - 3715200 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.ES 250 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.SAS 8 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.SES 40 (seconds) 0 - 86400 
DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.farend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.ES 25 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.SAS 2 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.SES 4 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.15min.UAS 10 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.ES 250 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.SES 40 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.cpbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200 Table C-4 DS3/EC1-48 Card Default Settings (continued) Default Name Default Value Default DomainC-16 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.AISS 10 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700 
DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.ES 25 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.SAS 2 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.SES 4 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.15min.UAS 10 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.AISS 10 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.ES 250 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.SES 40 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.pbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900 Table C-4 DS3/EC1-48 Card Default Settings 
(continued) Default Name Default Value Default DomainC-17 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400 DS3-EC1-48.DS3-PORT.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00 DS3-EC1-48.EC1-PORT.config.line.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft DS3-EC1-48.EC1-PORT.config.line.PJStsMon# 0 (STS #) 0 - 1 DS3-EC1-48.EC1-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 DS3-EC1-48.EC1-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE DS3-EC1-48.EC1-PORT.config.line.SendAISOnTerminalLoopback FALSE TRUE, FALSE DS3-EC1-48.EC1-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 DS3-EC1-48.EC1-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS DS3-EC1-48.EC1-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.CV 1312 (B2 count) 0 - 137700 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.CV 13120 (B2 count) 0 - 8850600 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 72 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400 
DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.CV 1312 (B2 count) 0 - 137700 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.CV 13120 (B2 count) 0 - 13219200 Table C-4 DS3/EC1-48 Card Default Settings (continued) Default Name Default Value Default DomainC-18 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 138600 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900 
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.FC 10 (count) 0 - 6912 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 Table C-4 DS3/EC1-48 Card Default Settings (continued) Default Name Default Value Default DomainC-19 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.5 DS3E Card Default Settings Table C-5 lists the DS3E card default settings. 
DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400 DS3-EC1-48.EC1-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-4 DS3/EC1-48 Card Default Settings (continued) Default Name Default Value Default Domain Table C-5 DS3E Card Default Settings Default Name Default Value Default Domain DS3E.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 
48:00 DS3E.config.FeInhibitLpbk TRUE TRUE, FALSE DS3E.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ft DS3E.config.LineType UNFRAMED UNFRAMED, M13, C BIT, AUTO PROVISION FMT DS3E.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 DS3E.config.SendAISOnFacilityLoopback TRUE TRUE, FALSEC-20 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card DS3E.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 DS3E.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS DS3E.pmthresholds.cpbitpath.farend.15min.CV 382 (BIP count) 0 - 38700 DS3E.pmthresholds.cpbitpath.farend.15min.ES 25 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.farend.15min.SAS 2 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.farend.15min.SES 4 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.farend.15min.UAS 10 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.farend.1day.CV 3820 (BIP count) 0 - 3715200 DS3E.pmthresholds.cpbitpath.farend.1day.ES 250 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.farend.1day.SAS 8 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.farend.1day.SES 40 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.farend.1day.UAS 10 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700 DS3E.pmthresholds.cpbitpath.nearend.15min.ES 25 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.nearend.15min.SES 4 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.nearend.15min.UAS 10 (seconds) 0 - 900 DS3E.pmthresholds.cpbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200 DS3E.pmthresholds.cpbitpath.nearend.1day.ES 250 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.nearend.1day.SES 40 (seconds) 0 - 86400 DS3E.pmthresholds.cpbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400 DS3E.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700 DS3E.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900 DS3E.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 
900 DS3E.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900 DS3E.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200 DS3E.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400 DS3E.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400 DS3E.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400 DS3E.pmthresholds.pbitpath.nearend.15min.AISS 10 (seconds) 0 - 900 DS3E.pmthresholds.pbitpath.nearend.15min.CV 382 (BIP count) 0 - 38700 DS3E.pmthresholds.pbitpath.nearend.15min.ES 25 (seconds) 0 - 900 DS3E.pmthresholds.pbitpath.nearend.15min.SAS 2 (seconds) 0 - 900 DS3E.pmthresholds.pbitpath.nearend.15min.SES 4 (seconds) 0 - 900 DS3E.pmthresholds.pbitpath.nearend.15min.UAS 10 (seconds) 0 - 900 DS3E.pmthresholds.pbitpath.nearend.1day.AISS 10 (seconds) 0 - 86400 Table C-5 DS3E Card Default Settings (continued) Default Name Default Value Default DomainC-21 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.6 DS3I Card Default Settings Table C-6 lists the DS3I card default settings. 
DS3E.pmthresholds.pbitpath.nearend.1day.CV 3820 (BIP count) 0 - 3715200 DS3E.pmthresholds.pbitpath.nearend.1day.ES 250 (seconds) 0 - 86400 DS3E.pmthresholds.pbitpath.nearend.1day.SAS 8 (seconds) 0 - 86400 DS3E.pmthresholds.pbitpath.nearend.1day.SES 40 (seconds) 0 - 86400 DS3E.pmthresholds.pbitpath.nearend.1day.UAS 10 (seconds) 0 - 86400 DS3E.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000 DS3E.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900 DS3E.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72 DS3E.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900 DS3E.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900 DS3E.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000 DS3E.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 86400 DS3E.pmthresholds.sts.farend.1day.FC 10 (count) 0 - 6912 DS3E.pmthresholds.sts.farend.1day.SES 7 (seconds) 0 - 86400 DS3E.pmthresholds.sts.farend.1day.UAS 10 (seconds) 0 - 86400 DS3E.pmthresholds.sts.nearend.15min.CV 15 (B3 count) 0 - 2160000 DS3E.pmthresholds.sts.nearend.15min.ES 12 (seconds) 0 - 900 DS3E.pmthresholds.sts.nearend.15min.FC 10 (count) 0 - 72 DS3E.pmthresholds.sts.nearend.15min.SES 3 (seconds) 0 - 900 DS3E.pmthresholds.sts.nearend.15min.UAS 10 (seconds) 0 - 900 DS3E.pmthresholds.sts.nearend.1day.CV 125 (B3 count) 0 - 207360000 DS3E.pmthresholds.sts.nearend.1day.ES 100 (seconds) 0 - 86400 DS3E.pmthresholds.sts.nearend.1day.FC 10 (count) 0 - 6912 DS3E.pmthresholds.sts.nearend.1day.SES 7 (seconds) 0 - 86400 DS3E.pmthresholds.sts.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-5 DS3E Card Default Settings (continued) Default Name Default Value Default Domain Table C-6 DS3I Card Default Settings Default Name Default Value Default Domain DS3I.config.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 
48:00 DS3I.config.FeInhibitLpbk TRUE TRUE, FALSE DS3I.config.LineLength 0 - 225 ft 0 - 225 ft, 226 - 450 ftC-22 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card DS3I.config.LineType C BIT UNFRAMED, M13, C BIT, AUTO PROVISION FMT DS3I.config.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 DS3I.config.SendAISOnFacilityLoopback TRUE TRUE, FALSE DS3I.config.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 DS3I.config.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS DS3I.pmthresholds.cpbitpath.farend.15min.CVCP 382 (BIP count) 0 - 38700 DS3I.pmthresholds.cpbitpath.farend.15min.ESCP 25 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.farend.15min.SASCP 2 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.farend.15min.SESCP 4 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.farend.15min.UASCP 10 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.farend.1day.CVCP 3820 (BIP count) 0 - 3715200 DS3I.pmthresholds.cpbitpath.farend.1day.ESCP 250 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.farend.1day.SASCP 8 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.farend.1day.SESCP 40 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.farend.1day.UASCP 10 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.nearend.15min.CVCP 382 (BIP count) 0 - 38700 DS3I.pmthresholds.cpbitpath.nearend.15min.ESCP 25 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.nearend.15min.SASCP 2 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.nearend.15min.SESCP 4 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.nearend.15min.UASCP 10 (seconds) 0 - 900 DS3I.pmthresholds.cpbitpath.nearend.1day.CVCP 3820 (BIP count) 0 - 3715200 DS3I.pmthresholds.cpbitpath.nearend.1day.ESCP 250 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.nearend.1day.SASCP 8 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.nearend.1day.SESCP 40 (seconds) 0 - 86400 DS3I.pmthresholds.cpbitpath.nearend.1day.UASCP 10 (seconds) 0 - 86400 DS3I.pmthresholds.line.nearend.15min.CV 387 (BPV count) 0 - 38700 
DS3I.pmthresholds.line.nearend.15min.ES 25 (seconds) 0 - 900 DS3I.pmthresholds.line.nearend.15min.LOSS 10 (seconds) 0 - 900 DS3I.pmthresholds.line.nearend.15min.SES 4 (seconds) 0 - 900 DS3I.pmthresholds.line.nearend.1day.CV 3865 (BPV count) 0 - 3715200 DS3I.pmthresholds.line.nearend.1day.ES 250 (seconds) 0 - 86400 DS3I.pmthresholds.line.nearend.1day.LOSS 10 (seconds) 0 - 86400 DS3I.pmthresholds.line.nearend.1day.SES 40 (seconds) 0 - 86400 DS3I.pmthresholds.pbitpath.nearend.15min.AISSP 10 (seconds) 0 - 900 DS3I.pmthresholds.pbitpath.nearend.15min.CVP 382 (BIP count) 0 - 38700 Table C-6 DS3I Card Default Settings (continued) Default Name Default Value Default DomainC-23 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.7 DS3XM-6 Card Default Settings Table C-7 lists the DS3XM-6 card default settings. DS3I.pmthresholds.pbitpath.nearend.15min.ESP 25 (seconds) 0 - 900 DS3I.pmthresholds.pbitpath.nearend.15min.SASP 2 (seconds) 0 - 900 DS3I.pmthresholds.pbitpath.nearend.15min.SESP 4 (seconds) 0 - 900 DS3I.pmthresholds.pbitpath.nearend.15min.UASP 10 (seconds) 0 - 900 DS3I.pmthresholds.pbitpath.nearend.1day.AISSP 10 (seconds) 0 - 86400 DS3I.pmthresholds.pbitpath.nearend.1day.CVP 3820 (BIP count) 0 - 3715200 DS3I.pmthresholds.pbitpath.nearend.1day.ESP 250 (seconds) 0 - 86400 DS3I.pmthresholds.pbitpath.nearend.1day.SASP 8 (seconds) 0 - 86400 DS3I.pmthresholds.pbitpath.nearend.1day.SESP 40 (seconds) 0 - 86400 DS3I.pmthresholds.pbitpath.nearend.1day.UASP 10 (seconds) 0 - 86400 DS3I.pmthresholds.sts.farend.15min.CV 15 (G1 count) 0 - 2160000 DS3I.pmthresholds.sts.farend.15min.ES 12 (seconds) 0 - 900 DS3I.pmthresholds.sts.farend.15min.FC 10 (count) 0 - 72 DS3I.pmthresholds.sts.farend.15min.SES 3 (seconds) 0 - 900 DS3I.pmthresholds.sts.farend.15min.UAS 10 (seconds) 0 - 900 DS3I.pmthresholds.sts.farend.1day.CV 125 (G1 count) 0 - 207360000 DS3I.pmthresholds.sts.farend.1day.ES 100 (seconds) 0 - 
86400

Table C-6 DS3I Card Default Settings (continued)
Default Name | Default Value | Default Domain
DS3I.pmthresholds.sts.farend.1day.FC | 10 (count) | 0 - 6912
DS3I.pmthresholds.sts.farend.1day.SES | 7 (seconds) | 0 - 86400
DS3I.pmthresholds.sts.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3I.pmthresholds.sts.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
DS3I.pmthresholds.sts.nearend.15min.ES | 12 (seconds) | 0 - 900
DS3I.pmthresholds.sts.nearend.15min.FC | 10 (count) | 0 - 72
DS3I.pmthresholds.sts.nearend.15min.SES | 3 (seconds) | 0 - 900
DS3I.pmthresholds.sts.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3I.pmthresholds.sts.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
DS3I.pmthresholds.sts.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS3I.pmthresholds.sts.nearend.1day.FC | 10 (count) | 0 - 6912
DS3I.pmthresholds.sts.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS3I.pmthresholds.sts.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C-24 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card

Table C-7 DS3XM-6 Card Default Settings
Default Name | Default Value | Default Domain
DS3XM.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
DS3XM.config.FeInhibitLpbk | TRUE | TRUE, FALSE
DS3XM.config.LineLength | 0 - 225 ft | 0 - 225 ft, 226 - 450 ft
DS3XM.config.LineType | M13 | M13, C BIT
DS3XM.config.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3XM.config.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
DS3XM.config.SendAISOnTerminalLoopback | FALSE | TRUE, FALSE
DS3XM.config.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
DS3XM.config.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3XM.pmthresholds.cpbitpath.farend.15min.CV | 382 (BIP count) | 0 - 38700
DS3XM.pmthresholds.cpbitpath.farend.15min.ES | 25 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.15min.SES | 4 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.farend.1day.CV | 3820 (BIP count) | 0 - 3715200
DS3XM.pmthresholds.cpbitpath.farend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.farend.1day.SAS | 8 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.farend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.15min.CV | 382 (BIP count) | 0 - 38700
DS3XM.pmthresholds.cpbitpath.nearend.15min.ES | 25 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.15min.SES | 4 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.cpbitpath.nearend.1day.CV | 3820 (BIP count) | 0 - 3715200
DS3XM.pmthresholds.cpbitpath.nearend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.1day.SAS | 8 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM.pmthresholds.cpbitpath.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.15min.AISS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.ES | 65 (seconds) | 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.SES | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.ds1path.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.ds1path.nearend.1day.AISS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.SAS | 17 (seconds) | 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.SES | 100 (seconds) | 0 - 86400
DS3XM.pmthresholds.ds1path.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.line.nearend.15min.CV | 387 (BPV count) | 0 - 38700
DS3XM.pmthresholds.line.nearend.15min.ES | 25 (seconds) | 0 - 900
DS3XM.pmthresholds.line.nearend.15min.LOSS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.line.nearend.15min.SES | 4 (seconds) | 0 - 900
DS3XM.pmthresholds.line.nearend.1day.CV | 3865 (BPV count) | 0 - 3715200
DS3XM.pmthresholds.line.nearend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM.pmthresholds.line.nearend.1day.LOSS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.line.nearend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.15min.AISS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.CV | 382 (BIP count) | 0 - 38700
DS3XM.pmthresholds.pbitpath.nearend.15min.ES | 25 (seconds) | 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.SES | 4 (seconds) | 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.pbitpath.nearend.1day.AISS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.CV | 3820 (BIP count) | 0 - 3715200
DS3XM.pmthresholds.pbitpath.nearend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.SAS | 8 (seconds) | 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM.pmthresholds.pbitpath.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.sts.farend.15min.CV | 15 (B3 count) | 0 - 2160000
DS3XM.pmthresholds.sts.farend.15min.ES | 12 (seconds) | 0 - 900
DS3XM.pmthresholds.sts.farend.15min.FC | 10 (count) | 0 - 72
DS3XM.pmthresholds.sts.farend.15min.SES | 3 (seconds) | 0 - 900
DS3XM.pmthresholds.sts.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.sts.farend.1day.CV | 125 (B3 count) | 0 - 207360000
DS3XM.pmthresholds.sts.farend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM.pmthresholds.sts.farend.1day.FC | 10 (count) | 0 - 6912
DS3XM.pmthresholds.sts.farend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM.pmthresholds.sts.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.sts.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
DS3XM.pmthresholds.sts.nearend.15min.ES | 12 (seconds) | 0 - 900
DS3XM.pmthresholds.sts.nearend.15min.FC | 10 (count) | 0 - 72
DS3XM.pmthresholds.sts.nearend.15min.SES | 3 (seconds) | 0 - 900
DS3XM.pmthresholds.sts.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.sts.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
DS3XM.pmthresholds.sts.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM.pmthresholds.sts.nearend.1day.FC | 10 (count) | 0 - 6912
DS3XM.pmthresholds.sts.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM.pmthresholds.sts.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.vt.farend.15min.CV | 15 (BIP8 count) | 0 - 2160000
DS3XM.pmthresholds.vt.farend.15min.ES | 12 (seconds) | 0 - 900
DS3XM.pmthresholds.vt.farend.15min.SES | 3 (seconds) | 0 - 900
DS3XM.pmthresholds.vt.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.vt.farend.1day.CV | 125 (BIP8 count) | 0 - 207360000
DS3XM.pmthresholds.vt.farend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM.pmthresholds.vt.farend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM.pmthresholds.vt.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM.pmthresholds.vt.nearend.15min.CV | 15 (BIP8 count) | 0 - 2160000
DS3XM.pmthresholds.vt.nearend.15min.ES | 12 (seconds) | 0 - 900
DS3XM.pmthresholds.vt.nearend.15min.SES | 3 (seconds) | 0 - 900
DS3XM.pmthresholds.vt.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM.pmthresholds.vt.nearend.1day.CV | 125 (BIP8 count) | 0 - 207360000
DS3XM.pmthresholds.vt.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM.pmthresholds.vt.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM.pmthresholds.vt.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.8 DS3XM-12 Card Default Settings

Table C-8 lists the DS3XM-12 card default settings.

Table C-8 DS3XM-12 Card Default Settings
Default Name | Default Value | Default Domain
DS3XM12.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
DS3XM12.config.FeInhibitLpbk | TRUE | TRUE, FALSE
DS3XM12.config.LineLength | 0 - 225 ft (feet) | 0 - 225 ft, 226 - 450 ft
DS3XM12.config.LineType | M13 | M13, C BIT
DS3XM12.config.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
DS3XM12.config.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
DS3XM12.config.SendAISOnTerminalLoopback | FALSE | TRUE, FALSE
DS3XM12.config.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
DS3XM12.config.State | OOS,DSBLD | IS, OOS,DSBLD, OOS,MT, IS,AINS
DS3XM12.ds1config.FdlMode | T1.403 | T1.403, BFDL when LineType ESF, D4; T1.403 when LineType UNFRAMED, AUTO FRAME
DS3XM12.ds1config.LineType | AUTO FRAME | ESF, D4, UNFRAMED, AUTO FRAME
DS3XM12.pmthresholds.cpbitpath.farend.15min.CV | 382 (BIP count) | 0 - 38700
DS3XM12.pmthresholds.cpbitpath.farend.15min.ES | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.15min.SES | 4 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.farend.1day.CV | 3820 (BIP count) | 0 - 3715200
DS3XM12.pmthresholds.cpbitpath.farend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.farend.1day.SAS | 8 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.farend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.15min.CV | 382 (BIP count) | 0 - 38700
DS3XM12.pmthresholds.cpbitpath.nearend.15min.ES | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.15min.SES | 4 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.cpbitpath.nearend.1day.CV | 3820 (BIP count) | 0 - 3715200
DS3XM12.pmthresholds.cpbitpath.nearend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.1day.SAS | 8 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM12.pmthresholds.cpbitpath.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.15min.AISS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.CSS | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.CV | 13296 (count) | 0 - 287100
DS3XM12.pmthresholds.ds1path.farend.15min.ES | 65 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESA | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESB | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESFE | 65 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.ESNE | 65 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SEFS | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SES | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SESFE | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.SESNE | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.UASFE | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.15min.UASNE | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.farend.1day.AISS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.CSS | 25 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.CV | 132960 (count) | 0 - 27561600
DS3XM12.pmthresholds.ds1path.farend.1day.ES | 648 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESA | 25 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESB | 25 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESFE | 648 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.ESNE | 648 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SEFS | 25 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SES | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SESFE | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.SESNE | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.UASFE | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.farend.1day.UASNE | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.15min.AISS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.CV | 13296 (count) | 0 - 287100
DS3XM12.pmthresholds.ds1path.nearend.15min.ES | 65 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.FC | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.SES | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.ds1path.nearend.1day.AISS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.CV | 132960 (count) | 0 - 27561600
DS3XM12.pmthresholds.ds1path.nearend.1day.ES | 648 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.FC | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.SAS | 17 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.SES | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.ds1path.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.line.nearend.15min.CV | 387 (BPV count) | 0 - 38700
DS3XM12.pmthresholds.line.nearend.15min.ES | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.line.nearend.15min.LOSS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.line.nearend.15min.SES | 4 (seconds) | 0 - 900
DS3XM12.pmthresholds.line.nearend.1day.CV | 3865 (BPV count) | 0 - 3715200
DS3XM12.pmthresholds.line.nearend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM12.pmthresholds.line.nearend.1day.LOSS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.line.nearend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.15min.AISS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.CV | 382 (BIP count) | 0 - 38700
DS3XM12.pmthresholds.pbitpath.nearend.15min.ES | 25 (seconds) | 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.SAS | 2 (seconds) | 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.SES | 4 (seconds) | 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.pbitpath.nearend.1day.AISS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.CV | 3820 (BIP count) | 0 - 3715200
DS3XM12.pmthresholds.pbitpath.nearend.1day.ES | 250 (seconds) | 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.SAS | 8 (seconds) | 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.SES | 40 (seconds) | 0 - 86400
DS3XM12.pmthresholds.pbitpath.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.sts.farend.15min.CV | 15 (B3 count) | 0 - 2160000
DS3XM12.pmthresholds.sts.farend.15min.ES | 12 (seconds) | 0 - 900
DS3XM12.pmthresholds.sts.farend.15min.FC | 10 (count) | 0 - 72
DS3XM12.pmthresholds.sts.farend.15min.SES | 3 (seconds) | 0 - 900
DS3XM12.pmthresholds.sts.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.sts.farend.1day.CV | 125 (B3 count) | 0 - 207360000
DS3XM12.pmthresholds.sts.farend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.sts.farend.1day.FC | 10 (count) | 0 - 6912
DS3XM12.pmthresholds.sts.farend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM12.pmthresholds.sts.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.sts.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
DS3XM12.pmthresholds.sts.nearend.15min.ES | 12 (seconds) | 0 - 900
DS3XM12.pmthresholds.sts.nearend.15min.FC | 10 (count) | 0 - 72
DS3XM12.pmthresholds.sts.nearend.15min.SES | 3 (seconds) | 0 - 900
DS3XM12.pmthresholds.sts.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.sts.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
DS3XM12.pmthresholds.sts.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.sts.nearend.1day.FC | 10 (count) | 0 - 6912
DS3XM12.pmthresholds.sts.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM12.pmthresholds.sts.nearend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.vt.farend.15min.CV | 15 (BIP8 count) | 0 - 2160000
DS3XM12.pmthresholds.vt.farend.15min.ES | 12 (seconds) | 0 - 900
DS3XM12.pmthresholds.vt.farend.15min.SES | 3 (seconds) | 0 - 900
DS3XM12.pmthresholds.vt.farend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.vt.farend.1day.CV | 125 (BIP8 count) | 0 - 207360000
DS3XM12.pmthresholds.vt.farend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.vt.farend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM12.pmthresholds.vt.farend.1day.UAS | 10 (seconds) | 0 - 86400
DS3XM12.pmthresholds.vt.nearend.15min.CV | 15 (BIP8 count) | 0 - 2160000
DS3XM12.pmthresholds.vt.nearend.15min.ES | 12 (seconds) | 0 - 900
DS3XM12.pmthresholds.vt.nearend.15min.SES | 3 (seconds) | 0 - 900
DS3XM12.pmthresholds.vt.nearend.15min.UAS | 10 (seconds) | 0 - 900
DS3XM12.pmthresholds.vt.nearend.1day.CV | 125 (BIP8 count) | 0 - 207360000
DS3XM12.pmthresholds.vt.nearend.1day.ES | 100 (seconds) | 0 - 86400
DS3XM12.pmthresholds.vt.nearend.1day.SES | 7 (seconds) | 0 - 86400
DS3XM12.pmthresholds.vt.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.9 EC1-12 Card Default Settings

Table C-9 lists the EC1-12 card default settings.

Table C-9 EC1-12 Card Default Settings
Default Name | Default Value | Default Domain
EC1.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
EC1.config.line.LineLength | 0 - 225 ft | 0 - 225 ft, 226 - 450 ft
EC1.config.line.PJStsMon# | 0 (STS #) | 0 - 1
EC1.config.line.RxEqualization | TRUE | TRUE, FALSE
EC1.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
EC1.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
EC1.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
EC1.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
EC1.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
EC1.pmthresholds.line.farend.15min.CV | 1312 (B2 count) | 0 - 137700
EC1.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
EC1.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
EC1.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
EC1.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
EC1.pmthresholds.line.farend.1day.CV | 13120 (B2 count) | 0 - 8850600
EC1.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
EC1.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 72
EC1.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
EC1.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
EC1.pmthresholds.line.nearend.15min.CV | 1312 (B2 count) | 0 - 137700
EC1.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
EC1.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
EC1.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
EC1.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
EC1.pmthresholds.line.nearend.1day.CV | 13120 (B2 count) | 0 - 13219200
EC1.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
EC1.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
EC1.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
EC1.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
EC1.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 138600
EC1.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
EC1.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
EC1.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
EC1.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 13305600
EC1.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
EC1.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
EC1.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
EC1.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
EC1.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
EC1.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
EC1.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
EC1.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
EC1.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.farend.1day.FC | 10 (count) | 0 - 6912
EC1.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
EC1.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
EC1.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
EC1.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
EC1.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
EC1.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
EC1.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
EC1.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
EC1.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
EC1.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
EC1.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.FC | 10 (count) | 0 - 6912
EC1.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
EC1.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
EC1.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
EC1.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.10 FC_MR-4 Card Default Settings

Table C-10 lists the FC_MR-4 card default settings.

Table C-10 FC_MR-4 Card Default Settings
Default Name | Default Value | Default Domain
FC-MR.config.card.Mode | Fibre Channel/FICON Enhanced | Fibre Channel Line Rate, Fibre Channel/FICON Enhanced when //.port.MediaType Undefined; Fibre Channel/FICON Enhanced when //.port.MediaType FICON - 1 Gbps ISL, FICON - 2 Gbps ISL; Fibre Channel Line Rate, Fibre Channel/FICON Enhanced when //.port.MediaType Fibre Channel - 1 Gbps ISL, Fibre Channel - 2 Gbps ISL
FC-MR.config.port.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
FC-MR.config.port.distanceExtension.AutoadjustGFPBufferThreshold | TRUE | TRUE, FALSE
FC-MR.config.port.distanceExtension.AutoDetect | TRUE | TRUE, FALSE
FC-MR.config.port.distanceExtension.NumCredits | 32 | 2 - 256
FC-MR.config.port.distanceExtension.NumGFPBuffers | 16 | 16, 32, 48 .. 1200
FC-MR.config.port.DistanceExtensionVsLinkRecovery | Distance Extension | Neither Distance Extension nor Link Recovery, Distance Extension, LinkRecovery when MediaType Undefined; Distance Extension when MediaType FICON - 1 Gbps ISL, FICON - 2 Gbps ISL; Neither Distance Extension nor Link Recovery, Distance Extension, LinkRecovery when MediaType Fibre Channel - 1 Gbps ISL, Fibre Channel - 2 Gbps ISL
FC-MR.config.port.enhancedFibreChannelFicon.IngressIdleFiltering | TRUE | TRUE, FALSE
FC-MR.config.port.enhancedFibreChannelFicon.MaxFrameSize | 2148 | 2148, 2152, 2156, 2160, 2164, 2168, 2172
FC-MR.config.port.MediaType | Undefined | Fibre Channel - 1 Gbps ISL, Fibre Channel - 2 Gbps ISL, FICON - 1 Gbps ISL, FICON - 2 Gbps ISL, Undefined
FC-MR.config.port.State | OOS,DSBLD | IS, OOS,DSBLD, OOS,MT, IS,AINS

C.2.3.11 Ethernet Card Default Settings

Table C-11 lists the ML1000, ML100T, ML-100X-8, ML-MR-10, CE-1000-4, CE-100T-8, and CE-MR-10 card default settings.

Table C-11 Ethernet Card Default Settings
Default Name | Default Value | Default Domain
CE-1000-4.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
CE-1000-4.config.State | OOS,DSBLD | IS, OOS,DSBLD, OOS,MT, IS,AINS
CE-1000-4.etherPortConfig.AutoNegotiation | TRUE | TRUE, FALSE
CE-1000-4.etherPortConfig.FlowControl | Symmetric | None, Symmetric, Pass Through
CE-1000-4.etherPortConfig.liTimer | 200 (ms) | 200 - 5000
CE-1000-4.etherPortConfig.MTU | 10004 (bytes) | 1548, 10004
CE-1000-4.posPortConfig.FramingType | GFP-F | HDLC, GFP-F
CE-100T-8.config.AINSSoakTime | 00:15 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
CE-100T-8.config.State | OOS,DSBLD | IS, OOS,DSBLD, OOS,MT, IS,AINS
CE-100T-8.etherPortConfig.802-1Q-VlanCoS | 7 (count) | 0 - 7
CE-100T-8.etherPortConfig.IP-ToS | 255 (count) | 0 - 255
CE-100T-8.etherPortConfig.liTimer | 200 (ms) | 200 - 5000
CE-MR.config.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
CE-MR.config.card.Mode | MANUAL | AUTOMATIC, MANUAL
CE-MR.config.State | OOS,DSBLD | IS, OOS,DSBLD, OOS,MT, IS,AINS
CE-MR.etherPortConfig.802-1Q-VlanCoS | 7 (count) | 0 - 7
CE-MR.etherPortConfig.IP-ToS | 255 (count) | 0 - 255
CE-MR.etherPortConfig.liTimer | 200 (ms) | 200 - 5000
ML1000.config.card.Mode | HDLC | HDLC, GFP-F, RPR 802.17
ML1000.config.PreServiceAlarmSuppression | FALSE | TRUE, FALSE
ML1000.config.SoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
ML1000.ios.consolePortAccess | TRUE | TRUE, FALSE
ML1000.ios.radiusServerAccess | FALSE | TRUE, FALSE
ML100T.config.card.Mode | HDLC | HDLC, GFP-F, RPR 802.17
ML100T.config.PreServiceAlarmSuppression | FALSE | TRUE, FALSE
ML100T.config.SoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
ML100T.ios.consolePortAccess | TRUE | TRUE, FALSE
ML100T.ios.radiusServerAccess | FALSE | TRUE, FALSE
ML100X-8.config.card.Mode | HDLC | HDLC, GFP-F, RPR 802.17
ML100X-8.config.PreServiceAlarmSuppression | FALSE | TRUE, FALSE
ML100X-8.config.SoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
ML100X-8.ios.consolePortAccess | TRUE | TRUE, FALSE
ML100X-8.ios.radiusServerAccess | FALSE | TRUE, FALSE
ML-MR.config.card.Mode | MANUAL | AUTOMATIC, MANUAL
ML-MR.ios.consolePortAccess | TRUE | TRUE, FALSE
ML-MR.config.PreServiceAlarmSuppression | FALSE | TRUE, FALSE
ML-MR.ios.radiusServerAccess | FALSE | TRUE, FALSE
ML-MR.config.SoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00

C.2.3.12 OC-3 Card Default Settings

Table C-12 lists the OC-3 (OC3 IR 4/STM1 SH 1310) card default settings.

Table C-12 OC-3 Card Default Settings
Default Name | Default Value | Default Domain
OC3.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
OC3.config.line.PJStsMon# | 0 (STS #) | 0 - 3
OC3.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC3.config.line.sdh.AdminSSMIn | STU | G811, STU, G812T, G812L, SETS, DUS
OC3.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
OC3.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
OC3.config.line.SendAISOnFacilityLoopback | FALSE | TRUE, FALSE
OC3.config.line.SendAISOnTerminalLoopback | FALSE | FALSE
OC3.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
OC3.config.line.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set N/A
OC3.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
OC3.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
OC3.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
OC3.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
OC3.pmthresholds.line.farend.15min.CV | 1312 (B2 count) | 0 - 137700
OC3.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
OC3.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
OC3.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
OC3.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
OC3.pmthresholds.line.farend.1day.CV | 13120 (B2 count) | 0 - 13219200
OC3.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
OC3.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
OC3.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
OC3.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
OC3.pmthresholds.line.nearend.15min.CV | 1312 (B2 count) | 0 - 137700
OC3.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
OC3.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
OC3.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
OC3.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
OC3.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
OC3.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
OC3.pmthresholds.line.nearend.1day.CV | 13120 (B2 count) | 0 - 13219200
OC3.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
OC3.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
OC3.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
OC3.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
OC3.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
OC3.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC3.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 138600
OC3.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
OC3.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
OC3.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
OC3.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 13305600
OC3.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
OC3.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
OC3.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
OC3.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
OC3.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
OC3.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
OC3.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC3.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC3.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC3.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
OC3.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC3.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
OC3.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.FC | 10 (count) | 0 - 6912
OC3.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC3.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC3.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC3.pmthresholds.sts3c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
OC3.pmthresholds.sts3c.nearend.15min.ES | 20 (seconds) | 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.FC | 10 (count) | 0 - 72
OC3.pmthresholds.sts3c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC3.pmthresholds.sts3c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC3.pmthresholds.sts3c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC3.pmthresholds.sts3c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC3.pmthresholds.sts3c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
OC3.pmthresholds.sts3c.nearend.1day.ES | 200 (seconds) | 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.FC | 10 (count) | 0 - 6912
OC3.pmthresholds.sts3c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC3.pmthresholds.sts3c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC3.pmthresholds.sts3c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC3.pmthresholds.sts3c.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.13 OC3-8 Card Default Settings

Table C-13 lists the eight-port OC3-8 (OC3 IR/STM1 SH 1310-8) card default settings.

Table C-13 OC3-8 Card Default Settings
Default Name | Default Value | Default Domain
OC3-8.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
OC3-8.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
OC3-8.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
OC3-8.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
OC3-8.config.line.PJStsMon# | 0 (STS #) | 0 - 3
OC3-8.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC3-8.config.line.sdh.AdminSSMIn | STU | G811, STU, G812T, G812L, SETS, DUS
OC3-8.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3-8.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
OC3-8.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
OC3-8.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
OC3-8.config.line.SendAISOnTerminalLoopback | FALSE | FALSE
OC3-8.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
OC3-8.config.line.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessage Set N/A
OC3-8.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC3-8.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
OC3-8.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
OC3-8.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
OC3-8.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
OC3-8.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC3-8.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
OC3-8.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC3-8.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
OC3-8.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC3-8.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
OC3-8.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
OC3-8.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
OC3-8.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
OC3-8.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
OC3-8.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
OC3-8.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
OC3-8.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
OC3-8.pmthresholds.line.farend.15min.CV | 1312 (B2 count) | 0 - 137700
OC3-8.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
OC3-8.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
OC3-8.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
OC3-8.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
OC3-8.pmthresholds.line.farend.1day.CV | 13120 (B2 count) | 0 - 13219200
OC3-8.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
OC3-8.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
OC3-8.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
OC3-8.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
OC3-8.pmthresholds.line.nearend.15min.CV | 1312 (B2 count) | 0 - 137700
OC3-8.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
OC3-8.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
OC3-8.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
OC3-8.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
OC3-8.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
OC3-8.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
OC3-8.pmthresholds.line.nearend.1day.CV | 13120 (B2 count) | 0 - 13219200
OC3-8.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
OC3-8.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
OC3-8.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
OC3-8.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
OC3-8.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
OC3-8.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC3-8.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 138600
OC3-8.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
OC3-8.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
OC3-8.pmthresholds.section.nearend.15min.SES
500 (seconds) 0 - 900 OC3-8.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 13305600 OC3-8.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400 OC3-8.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400 OC3-8.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400 OC3-8.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000 OC3-8.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900 OC3-8.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72 OC3-8.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 OC3-8.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 OC3-8.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC3-8.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900 OC3-8.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900 Table C-13 OC3-8 Card Default Settings (continued) Default Name Default Value Default DomainC-41 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC3-8.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000 OC3-8.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400 OC3-8.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912 OC3-8.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC3-8.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 OC3-8.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC3-8.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 
OC3-8.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400 OC3-8.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400 OC3-8.pmthresholds.sts3c.nearend.15min.CV 25 (B3 count) 0 - 2160000 OC3-8.pmthresholds.sts3c.nearend.15min.ES 20 (seconds) 0 - 900 OC3-8.pmthresholds.sts3c.nearend.15min.FC 10 (count) 0 - 72 OC3-8.pmthresholds.sts3c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts3c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts3c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 OC3-8.pmthresholds.sts3c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 OC3-8.pmthresholds.sts3c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC3-8.pmthresholds.sts3c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts3c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 OC3-8.pmthresholds.sts3c.nearend.15min.SES 3 (seconds) 0 - 900 OC3-8.pmthresholds.sts3c.nearend.15min.UAS 10 (seconds) 0 - 900 OC3-8.pmthresholds.sts3c.nearend.1day.CV 250 (B3 count) 0 - 207360000 OC3-8.pmthresholds.sts3c.nearend.1day.ES 200 (seconds) 0 - 86400 OC3-8.pmthresholds.sts3c.nearend.1day.FC 10 (count) 0 - 6912 OC3-8.pmthresholds.sts3c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts3c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts3c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC3-8.pmthresholds.sts3c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 691200000 OC3-8.pmthresholds.sts3c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC3-8.pmthresholds.sts3c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts3c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC3-8.pmthresholds.sts3c.nearend.1day.SES 7 (seconds) 0 - 86400 OC3-8.pmthresholds.sts3c.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-13 OC3-8 Card Default Settings (continued) Default Name Default Value Default DomainC-42 Cisco ONS 15454 Reference Manual, 
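Every row in these tables pairs a setting with the domain the node accepts for it, and an operator who edits an exported NE defaults file before importing it wants to know, before the import, whether each value is inside that domain. The following checker is an added example written for this appendix; it is not Cisco code and does not reproduce the node's own import validation or export file format. It works on rows in the three-column layout printed here (name, value, domain), which is a constructed convention, and it understands the three domain forms the tables use: a numeric range ("0 - 900"), a stepped sequence ("00:00, 00:15, 00:30 .. 48:00"), and a plain enumeration ("IS, OOS,DSBLD, OOS,MT, IS,AINS", whose members contain bare commas, so only the two-character ", " separator splits members). Domains that depend on another parameter ("... when AlsMode ..." or "0, 1, 2 .. LBC-HIGH") are reported as not checkable rather than passed, so the checker fails closed. Fraction is used instead of float so that 1.00E-07 compares equal to 1E-7 and a 0.1 step grid is exact.

```python
import re
from fractions import Fraction
from typing import Dict, Optional, Tuple

# Constructed sample rows, copied from the appendix tables: (name, default, domain).
# This row layout mirrors the printed table, not the node's own NE-defaults export format.
SAMPLE_ROWS = [
    ("OC3-8.config.line.AINSSoakTime", "08:00 (hours:mins)", "00:00, 00:15, 00:30 .. 48:00"),
    ("OC3-8.config.line.AlsMode", "Disabled",
     "Disabled, Auto Restart, Manual Restart, Manual Restart for Test"),
    ("OC3-8.config.line.AlsRecoveryPulseInterval", "100 (seconds)", "60 - 300"),
    ("OC3-8.config.line.SDBER", "1.00E-07", "1E-5, 1E-6, 1E-7, 1E-8, 1E-9"),
    ("OC3-8.config.line.SendAISOnTerminalLoopback", "FALSE", "FALSE"),
    ("OC3-8.config.line.State", "IS,AINS", "IS, OOS,DSBLD, OOS,MT, IS,AINS"),
    ("OC3-8.pmthresholds.line.nearend.15min.ES", "87 (seconds)", "0 - 900"),
    ("OC3-8.physicalthresholds.alarm.LBC-HIGH", "200 (%)",
     "LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255"),
]

_RANGE = re.compile(r"^(-?\d+(?:\.\d+)?)\s*-\s*(-?\d+(?:\.\d+)?)$")
_HHMM = re.compile(r"^(\d{1,2}):(\d{2})$")
_UNIT = re.compile(r"\s*\([^)]*\)\s*$")


def strip_unit(value: str) -> str:
    """Drop a trailing '(seconds)', '(B2 count)' or '(%)' unit annotation."""
    return _UNIT.sub("", value).strip()


def to_number(token: str) -> Optional[Fraction]:
    """Exact value of '87', '2.1', '1.00E-07' or 'hh:mm' (as minutes); None if not numeric."""
    token = token.strip()
    m = _HHMM.match(token)
    if m:
        return Fraction(int(m.group(1)) * 60 + int(m.group(2)))
    try:
        return Fraction(token)
    except ValueError:
        return None


def parse_domain(domain: str) -> Tuple[str, object]:
    """Classify a Default Domain string; anything not understood is 'unsupported'
    so the checker fails closed instead of silently accepting a value."""
    domain = domain.strip()
    if " when " in domain:  # value set depends on another parameter (needs node context)
        return ("unsupported", domain)
    m = _RANGE.match(domain)
    if m:
        return ("range", (Fraction(m.group(1)), Fraction(m.group(2))))
    if " .. " in domain:  # stepped sequence 'a, a+s, a+2s .. z'
        head, _, last = domain.partition(" .. ")
        steps = [to_number(t) for t in head.split(", ")]
        hi = to_number(last)
        if len(steps) < 2 or None in steps or hi is None:
            return ("unsupported", domain)  # e.g. '0, 1, 2 .. LBC-HIGH'
        step = steps[1] - steps[0]
        if step <= 0 or any(b - a != step for a, b in zip(steps, steps[1:])):
            return ("unsupported", domain)
        return ("stepped", (steps[0], hi, step))
    # Plain enumeration: members are separated by ', '; a bare ',' belongs to a member.
    return ("enum", domain.split(", "))


def check_value(value: str, domain: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate value against a documented domain."""
    value = strip_unit(value)
    kind, payload = parse_domain(domain)
    n = to_number(value)
    if kind == "unsupported":
        return (False, "domain not checkable without node context: " + domain)
    if kind == "range":
        lo, hi = payload
        if n is None:
            return (False, f"{value!r} is not numeric")
        ok = lo <= n <= hi
        return (ok, "ok" if ok else f"{value} outside {lo} - {hi}")
    if kind == "stepped":
        lo, hi, step = payload
        if n is None or not (lo <= n <= hi):
            return (False, f"{value} outside {domain}")
        if (n - lo) % step != 0:
            return (False, f"{value} is not on the {step} step grid of {domain}")
        return (True, "ok")
    members = payload
    if value in members:
        return (True, "ok")
    if n is not None and any(to_number(m) == n for m in members):
        return (True, "ok")  # numerically equal spelling, e.g. 1.00E-07 vs 1E-7
    return (False, f"{value!r} not one of {members}")


def audit(rows) -> Dict[str, Tuple[bool, str]]:
    """Check every (name, value, domain) row; returns name -> (ok, reason)."""
    return {name: check_value(value, domain) for name, value, domain in rows}


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_ROWS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```

Run against the sample rows, every row passes except LBC-HIGH, whose domain is expressed relative to LBC-LOW and is reported as not checkable; resolving that kind of domain needs the other parameter's current value from the node, which is exactly what an offline file check does not have.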
C.2.3.14 OC-12 Card Default Settings

Table C-14 lists the OC-12 (OC12 IR/STM4 SH 1310, OC12 LR/STM4 LH 1310, and OC12 LR/STM4 LH 1550) card default settings.

Table C-14 OC-12 Card Default Settings
Default Name | Default Value | Default Domain
OC12.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
OC12.config.line.PJStsMon# | 0 (STS #) | 0 - 12
OC12.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC12.config.line.sdh.AdminSSMIn | STU | G811, STU, G812T, G812L, SETS, DUS
OC12.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
OC12.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
OC12.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
OC12.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
OC12.config.line.SendAISOnTerminalLoopback | FALSE | FALSE
OC12.config.line.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC12.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
OC12.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
OC12.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
OC12.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
OC12.pmthresholds.line.farend.15min.CV | 5315 (B2 count) | 0 - 552600
OC12.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
OC12.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
OC12.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
OC12.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
OC12.pmthresholds.line.farend.1day.CV | 53150 (B2 count) | 0 - 53049600
OC12.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
OC12.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
OC12.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
OC12.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
OC12.pmthresholds.line.nearend.15min.CV | 5315 (B2 count) | 0 - 552600
OC12.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
OC12.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
OC12.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
OC12.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
OC12.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
OC12.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
OC12.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
OC12.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
OC12.pmthresholds.line.nearend.1day.CV | 53150 (B2 count) | 0 - 53049600
OC12.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
OC12.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
OC12.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
OC12.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
OC12.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
OC12.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
OC12.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
OC12.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC12.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 553500
OC12.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
OC12.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
OC12.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
OC12.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 53136000
OC12.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
OC12.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
OC12.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
OC12.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
OC12.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
OC12.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
OC12.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC12.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC12.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC12.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
OC12.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC12.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
OC12.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.FC | 10 (count) | 0 - 6912
OC12.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC12.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC12.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC12.pmthresholds.sts12c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
OC12.pmthresholds.sts12c.nearend.15min.ES | 60 (seconds) | 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.FC | 10 (count) | 0 - 72
OC12.pmthresholds.sts12c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC12.pmthresholds.sts12c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts12c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC12.pmthresholds.sts12c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC12.pmthresholds.sts12c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
OC12.pmthresholds.sts12c.nearend.1day.ES | 600 (seconds) | 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.FC | 10 (count) | 0 - 6912
OC12.pmthresholds.sts12c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC12.pmthresholds.sts12c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts12c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC12.pmthresholds.sts12c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
OC12.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
OC12.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC12.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC12.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC12.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
OC12.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.FC | 10 (count) | 0 - 6912
OC12.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC12.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC12.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC12.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.15 OC12-4 Card Default Settings

Table C-15 lists the four-port OC12-4 (OC12 IR/STM4 SH 1310-4) card default settings.

Table C-15 OC12-4 Card Default Settings
Default Name | Default Value | Default Domain
OC12-4.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
OC12-4.config.line.PJStsMon# | 0 (STS #) | 0 - 12
OC12-4.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC12-4.config.line.sdh.AdminSSMIn | STU | G811, STU, G812T, G812L, SETS, DUS
OC12-4.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12-4.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
OC12-4.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
OC12-4.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
OC12-4.config.line.SendAISOnTerminalLoopback | FALSE | FALSE
OC12-4.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
OC12-4.config.line.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC12-4.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC12-4.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
OC12-4.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
OC12-4.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
OC12-4.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
OC12-4.pmthresholds.line.farend.15min.CV | 5315 (B2 count) | 0 - 552600
OC12-4.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
Table C-15 OC12-4 Card Default Settings (continued)
Default Name | Default Value | Default Domain
OC12-4.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
OC12-4.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
OC12-4.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
OC12-4.pmthresholds.line.farend.1day.CV | 53150 (B2 count) | 0 - 53049600
OC12-4.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
OC12-4.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.nearend.15min.CV | 5315 (B2 count) | 0 - 552600
OC12-4.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
OC12-4.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
OC12-4.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
OC12-4.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
OC12-4.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
OC12-4.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
OC12-4.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
OC12-4.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
OC12-4.pmthresholds.line.nearend.1day.CV | 53150 (B2 count) | 0 - 53049600
OC12-4.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
OC12-4.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
OC12-4.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
OC12-4.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
OC12-4.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC12-4.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 553500
OC12-4.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
OC12-4.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
OC12-4.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
OC12-4.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 53136000
OC12-4.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
OC12-4.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
OC12-4.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
OC12-4.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
OC12-4.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC12-4.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
OC12-4.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC12-4.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
OC12-4.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.FC | 10 (count) | 0 - 6912
OC12-4.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC12-4.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
OC12-4.pmthresholds.sts12c.nearend.15min.ES | 60 (seconds) | 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.FC | 10 (count) | 0 - 72
OC12-4.pmthresholds.sts12c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC12-4.pmthresholds.sts12c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts12c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC12-4.pmthresholds.sts12c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC12-4.pmthresholds.sts12c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
OC12-4.pmthresholds.sts12c.nearend.1day.ES | 600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.FC | 10 (count) | 0 - 6912
OC12-4.pmthresholds.sts12c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC12-4.pmthresholds.sts12c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
Table C-15 OC12-4 Card Default Settings (continued)
Default Name | Default Value | Default Domain
OC12-4.pmthresholds.sts12c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts12c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts12c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
OC12-4.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC12-4.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC12-4.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.FC | 10 (count) | 0 - 6912
OC12-4.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC12-4.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC12-4.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.16 OC-48 Card Default Settings

Table C-16 lists the OC-48 (OC48 IR 1310, OC48 LR 1550, OC48 IR/STM16 SH AS 1310, OC48 LR/STM16 LH AS 1550, OC48 ELR/STM16 EH 100 GHz, and OC48 ELR 200 GHz) card default settings.

Table C-16 OC-48 Card Default Settings
Default Name | Default Value | Default Domain
OC48.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
OC48.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
OC48.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
OC48.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
OC48.config.line.PJStsMon# | 0 (STS #) | 0 - 48
OC48.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
OC48.config.line.sdh.AdminSSMIn | STU | G811, STU, G812T, G812L, SETS, DUS
OC48.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
OC48.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
OC48.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
OC48.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
OC48.config.line.SendAISOnTerminalLoopback | FALSE | FALSE
OC48.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
OC48.config.line.sonet.AdminSSMIn | STU | PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSMMessageSet N/A
OC48.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
Table C-16 OC-48 Card Default Settings (continued)
Default Name | Default Value | Default Domain
OC48.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
OC48.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
OC48.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
OC48.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
OC48.pmthresholds.line.farend.15min.CV | 21260 (B2 count) | 0 - 2212200
OC48.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
OC48.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
OC48.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
OC48.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
OC48.pmthresholds.line.farend.1day.CV | 212600 (B2 count) | 0 - 212371200
OC48.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
OC48.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
OC48.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
OC48.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.15min.CV | 21260 (B2 count) | 0 - 2212200
OC48.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
OC48.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
OC48.pmthresholds.line.nearend.15min.PSC-R | 1 (count) | 0 - 600
OC48.pmthresholds.line.nearend.15min.PSC-S | 1 (count) | 0 - 600
OC48.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
OC48.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.15min.PSD-R | 300 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.15min.PSD-S | 300 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
OC48.pmthresholds.line.nearend.1day.CV | 212600 (B2 count) | 0 - 212371200
OC48.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
OC48.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSC-R | 5 (count) | 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSC-S | 5 (count) | 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
OC48.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.1day.PSD-R | 600 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.1day.PSD-S | 600 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
OC48.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC48.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 2151900
OC48.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
OC48.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
OC48.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
OC48.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 206582400
OC48.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
OC48.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
OC48.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
OC48.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
OC48.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
OC48.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
OC48.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC48.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC48.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC48.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
OC48.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC48.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
OC48.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.FC | 10 (count) | 0 - 6912
OC48.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC48.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC48.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
OC48.pmthresholds.sts12c-48c.nearend.15min.ES | 60 (seconds) | 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.FC | 10 (count) | 0 - 72
OC48.pmthresholds.sts12c-48c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC48.pmthresholds.sts12c-48c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts12c-48c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC48.pmthresholds.sts12c-48c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
OC48.pmthresholds.sts12c-48c.nearend.1day.ES | 600 (seconds) | 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.FC | 10 (count) | 0 - 6912
OC48.pmthresholds.sts12c-48c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC48.pmthresholds.sts12c-48c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC48.pmthresholds.sts12c-48c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC48.pmthresholds.sts12c-48c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
OC48.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
OC48.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
OC48.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
OC48.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC48.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC48.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
OC48.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) |
0 - 86400 OC48.pmthresholds.sts3c-9c.nearend.1day.FC 10 (count) 0 - 6912 OC48.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC48.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC48.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC48.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 Table C-16 OC-48 Card Default Settings (continued) Default Name Default Value Default DomainC-54 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.17 OC-192 Card Default Settings Table C-17 lists the OC-192 (OC192 SR/STM64 IO 1310, OC192 LR/STM64 LH ITU 15xx.xx, OC192 IR/STM64 SH 1550, and OC192 LR/STM64 LH 1550) card default settings. OC48.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC48.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC48.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC48.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400 OC48.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-16 OC-48 Card Default Settings (continued) Default Name Default Value Default Domain Table C-17 OC-192 Card Default Settings Default Name Default Value Default Domain OC192.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00 OC192.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test OC192.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 
100.0 when AlsMode Manual Restart for Test OC192.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300 OC192.config.line.PJStsMon# 0 (STS #) 0 - 192 OC192.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 OC192.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS OC192.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE OC192.config.line.sdh.SendDoNotUse FALSE FALSE, TRUE OC192.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE OC192.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE OC192.config.line.SendAISOnTerminalLoopback FALSE FALSE OC192.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5C-55 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSM MessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSM MessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SSM MessageSet N/A OC192.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE OC192.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE OC192.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE OC192.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS OC192.config.sts.IPPMEnabled FALSE TRUE, FALSE OC192.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 OC192.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH OC192.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 OC192.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH OC192.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 OC192.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. 
OPT-HIGH OC192.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 OC192.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH OC192.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 OC192.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH OC192.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 OC192.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH OC192.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 OC192.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH OC192.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 Table C-17 OC-192 Card Default Settings (continued) Default Name Default Value Default DomainC-56 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH OC192.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 OC192.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. 
OPT-HIGH OC192.pmthresholds.line.farend.15min.CV 85040 (B2 count) 0 - 8850600 OC192.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900 OC192.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72 OC192.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900 OC192.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900 OC192.pmthresholds.line.farend.1day.CV 850400 (B2 count) 0 - 849657600 OC192.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400 OC192.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912 OC192.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400 OC192.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400 OC192.pmthresholds.line.nearend.15min.CV 85040 (B2 count) 0 - 8850600 OC192.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72 OC192.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600 OC192.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600 OC192.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600 OC192.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600 OC192.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900 OC192.pmthresholds.line.nearend.1day.CV 850400 (B2 count) 0 - 849657600 OC192.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400 OC192.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912 OC192.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600 OC192.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600 OC192.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600 OC192.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600 OC192.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400 Table C-17 OC-192 Card 
Default Settings (continued) Default Name Default Value Default DomainC-57 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400 OC192.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400 OC192.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400 OC192.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400 OC192.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400 OC192.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 7967700 OC192.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900 OC192.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900 OC192.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900 OC192.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 764899200 OC192.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400 OC192.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400 OC192.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400 OC192.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000 OC192.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900 OC192.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72 OC192.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC192.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC192.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 OC192.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 OC192.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC192.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC192.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 OC192.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900 OC192.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900 OC192.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000 
OC192.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400 OC192.pmthresholds.sts1.nearend.1day.FC 10 (count) 0 - 6912 OC192.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC192.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC192.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC192.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 OC192.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC192.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC192.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 Table C-17 OC-192 Card Default Settings (continued) Default Name Default Value Default DomainC-58 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400 OC192.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400 OC192.pmthresholds.sts12c-192c.nearend.15min.CV 75 (B3 count) 0 - 2160000 OC192.pmthresholds.sts12c-192c.nearend.15min.ES 60 (seconds) 0 - 900 OC192.pmthresholds.sts12c-192c.nearend.15min.FC 10 (count) 0 - 72 OC192.pmthresholds.sts12c-192c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC192.pmthresholds.sts12c-192c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC192.pmthresholds.sts12c-192c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 OC192.pmthresholds.sts12c-192c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 OC192.pmthresholds.sts12c-192c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC192.pmthresholds.sts12c-192c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC192.pmthresholds.sts12c-192c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 OC192.pmthresholds.sts12c-192c.nearend.15min.SES 3 (seconds) 0 - 900 OC192.pmthresholds.sts12c-192c.nearend.15min.UAS 10 (seconds) 0 - 900 OC192.pmthresholds.sts12c-192c.nearend.1day.CV 750 (B3 count) 0 - 207360000 
OC192.pmthresholds.sts12c-192c.nearend.1day.ES 600 (seconds) 0 - 86400 OC192.pmthresholds.sts12c-192c.nearend.1day.FC 10 (count) 0 - 6912 OC192.pmthresholds.sts12c-192c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC192.pmthresholds.sts12c-192c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC192.pmthresholds.sts12c-192c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC192.pmthresholds.sts12c-192c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 691200000 OC192.pmthresholds.sts12c-192c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC192.pmthresholds.sts12c-192c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC192.pmthresholds.sts12c-192c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC192.pmthresholds.sts12c-192c.nearend.1day.SES 7 (seconds) 0 - 86400 OC192.pmthresholds.sts12c-192c.nearend.1day.UAS 10 (seconds) 0 - 86400 OC192.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000 OC192.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900 OC192.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72 OC192.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC192.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC192.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 OC192.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 OC192.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC192.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC192.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 Table C-17 OC-192 Card Default Settings (continued) Default Name Default Value Default DomainC-59 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card C.2.3.18 OC192-XFP Default Settings Table C-18 lists the OC192-XFP default settings. 
OC192.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900 OC192.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900 OC192.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000 OC192.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400 OC192.pmthresholds.sts3c-9c.nearend.1day.FC 10 (count) 0 - 6912 OC192.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC192.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC192.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC192.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 OC192.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC192.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC192.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC192.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400 OC192.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-17 OC-192 Card Default Settings (continued) Default Name Default Value Default Domain Table C-18 OC192-XFP Default Settings Default Name Default Value Default Domain OC192-XFP.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00 OC192-XFP.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test OC192-XFP.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 
100.0 when AlsMode Manual Restart for Test OC192-XFP.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300 OC192-XFP.config.line.PJStsMon# 0 (STS #) 0 - 192 OC192-XFP.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 OC192-XFP.config.line.sdh.AdminSSMIn STU G811, STU, G812T, G812L, SETS, DUS OC192-XFP.config.line.sdh.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE OC192-XFP.config.line.sdh.SendDoNotUse FALSE FALSE, TRUEC-60 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192-XFP.config.line.sdh.SyncMsgIn TRUE FALSE, TRUE OC192-XFP.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE OC192-XFP.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE OC192-XFP.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 OC192-XFP.config.line.sonet.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SS MMessageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SS MMessageSet Generation 2; PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.//.//.//.NODE.timing.general.SS MMessageSet N/A OC192-XFP.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE OC192-XFP.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE OC192-XFP.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE OC192-XFP.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS OC192-XFP.config.sts.IPPMEnabled FALSE TRUE, FALSE OC192-XFP.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 OC192-XFP.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH OC192-XFP.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 OC192-XFP.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH OC192-XFP.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 
255 OC192-XFP.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH OC192-XFP.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 OC192-XFP.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH OC192-XFP.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 OC192-XFP.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH OC192-XFP.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 OC192-XFP.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH Table C-18 OC192-XFP Default Settings (continued) Default Name Default Value Default DomainC-61 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192-XFP.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 OC192-XFP.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH OC192-XFP.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 OC192-XFP.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH OC192-XFP.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 OC192-XFP.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. 
OPT-HIGH OC192-XFP.pmthresholds.line.farend.15min.CV 85040 (B2 count) 0 - 8850600 OC192-XFP.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.farend.1day.CV 850400 (B2 count) 0 - 849657600 OC192-XFP.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912 OC192-XFP.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.nearend.15min.CV 85040 (B2 count) 0 - 8850600 OC192-XFP.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600 OC192-XFP.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600 OC192-XFP.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600 OC192-XFP.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600 OC192-XFP.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.line.nearend.1day.CV 850400 (B2 count) 0 - 849657600 OC192-XFP.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400 Table C-18 OC192-XFP Default Settings (continued) Default Name Default Value Default DomainC-62 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192-XFP.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912 
OC192-XFP.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600 OC192-XFP.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600 OC192-XFP.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600 OC192-XFP.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600 OC192-XFP.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400 OC192-XFP.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 7967700 OC192-XFP.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900 OC192-XFP.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900 OC192-XFP.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900 OC192-XFP.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 764899200 OC192-XFP.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400 OC192-XFP.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400 OC192-XFP.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000 OC192-XFP.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000 OC192-XFP.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912 OC192-XFP.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 
2160000 OC192-XFP.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 Table C-18 OC192-XFP Default Settings (continued) Default Name Default Value Default DomainC-63 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192-XFP.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000 OC192-XFP.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912 OC192-XFP.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC192-XFP.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts12c-192c.farend.15min.CV 75 (B3 count) 0 - 2160000 
OC192-XFP.pmthresholds.sts12c-192c.farend.15min.ES 60 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.farend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.sts12c-192c.farend.15min.SES 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.farend.15min.UAS 10 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.farend.1day.CV 750 (B3 count) 0 - 207360000 OC192-XFP.pmthresholds.sts12c-192c.farend.1day.ES 600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts12c-192c.farend.1day.FC 40 (count) 0 - 6912 OC192-XFP.pmthresholds.sts12c-192c.farend.1day.SES 7 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts12c-192c.farend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.CV 75 (B3 count) 0 - 2160000 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.ES 60 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.NPJC-PGE N 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 Table C-18 OC192-XFP Default Settings (continued) Default Name Default Value Default DomainC-64 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.SES 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.nearend.15min.UAS 10 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.CV 750 (B3 count) 0 - 207360000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.ES 600 (seconds) 0 - 86400 
OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.FC 40 (count) 0 - 6912 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 691200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.SES 7 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts12c-192c.nearend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts3c-9c.farend.15min.CV 25 (B3 count) 0 - 2160000 OC192-XFP.pmthresholds.sts3c-9c.farend.15min.ES 20 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts3c-9c.farend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.sts3c-9c.farend.15min.SES 3 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts3c-9c.farend.15min.UAS 10 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts3c-9c.farend.1day.CV 250 (B3 count) 0 - 207360000 OC192-XFP.pmthresholds.sts3c-9c.farend.1day.ES 200 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts3c-9c.farend.1day.FC 40 (count) 0 - 6912 OC192-XFP.pmthresholds.sts3c-9c.farend.1day.SES 7 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts3c-9c.farend.1day.UAS 10 (seconds) 0 - 86400 OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000 OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900 OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.FC 10 (count) 0 - 72 OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.FC | 40 (count) | 0 - 6912
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
OC192-XFP.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.19 MRC-12 Card Default Settings

Table C-19 lists the MRC-12 card default settings.

Table C-19 MRC-12 Card Default Settings

Default Name | Default Value | Default Domain
--- | --- | ---
MRC-12.OC12-PORT.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
MRC-12.OC12-PORT.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC-12.OC12-PORT.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC-12.OC12-PORT.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
MRC-12.OC12-PORT.config.line.PJStsMon# | 0 (STS #) | 0 - 12
MRC-12.OC12-PORT.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC-12.OC12-PORT.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC12-PORT.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
MRC-12.OC12-PORT.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
MRC-12.OC12-PORT.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
MRC-12.OC12-PORT.config.line.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
MRC-12.OC12-PORT.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
MRC-12.OC12-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC12-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
MRC-12.OC12-PORT.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
MRC-12.OC12-PORT.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC-12.OC12-PORT.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
MRC-12.OC12-PORT.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC12-PORT.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC12-PORT.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC12-PORT.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.CV | 5315 (B2 count) | 0 - 552600
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.CV | 53150 (B2 count) | 0 - 53049600
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.CV | 5315 (B2 count) | 0 - 552600
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.CV | 53150 (B2 count) | 0 - 53049600
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 553500
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 53136000
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.ES | 60 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.ES | 600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.ES | 60 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.ES | 600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts12c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.ES | 20 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.ES | 200 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC3-PORT.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
MRC-12.OC3-PORT.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC-12.OC3-PORT.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC-12.OC3-PORT.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
MRC-12.OC3-PORT.config.line.PJStsMon# | 0 (STS #) | 0 - 3
MRC-12.OC3-PORT.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC-12.OC3-PORT.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC3-PORT.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
MRC-12.OC3-PORT.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
MRC-12.OC3-PORT.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
MRC-12.OC3-PORT.config.line.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
MRC-12.OC3-PORT.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
MRC-12.OC3-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC3-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
MRC-12.OC3-PORT.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
MRC-12.OC3-PORT.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC-12.OC3-PORT.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
MRC-12.OC3-PORT.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC3-PORT.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC3-PORT.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC3-PORT.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.CV | 1312 (B2 count) | 0 - 137700
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.CV | 13120 (B2 count) | 0 - 13219200
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.CV | 1312 (B2 count) | 0 - 137700
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.CV | 13120 (B2 count) | 0 - 13219200
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 138600
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 13305600
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.ES | 20 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.ES | 200 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.ES | 20 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.ES | 200 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC3-PORT.pmthresholds.sts3c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
MRC-12.OC48-PORT.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC-12.OC48-PORT.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC-12.OC48-PORT.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
MRC-12.OC48-PORT.config.line.PJStsMon# | 0 (STS #) | 0 - 48
MRC-12.OC48-PORT.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC-12.OC48-PORT.config.line.sdh.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC48-PORT.config.line.sdh.SendDoNotUse | FALSE | FALSE, TRUE
MRC-12.OC48-PORT.config.line.sdh.SyncMsgIn | TRUE | FALSE, TRUE
MRC-12.OC48-PORT.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
MRC-12.OC48-PORT.config.line.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
MRC-12.OC48-PORT.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
MRC-12.OC48-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC-12.OC48-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
MRC-12.OC48-PORT.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
MRC-12.OC48-PORT.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC-12.OC48-PORT.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
MRC-12.OC48-PORT.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC48-PORT.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC48-PORT.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC-12.OC48-PORT.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.CV | 21260 (B2 count) | 0 - 2212200
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.CV | 212600 (B2 count) | 0 - 212371200
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.CV | 21260 (B2 count) | 0 - 2212200
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC-R | 1 (count) | 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC-S | 1 (count) | 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD-R | 300 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD-S | 300 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.CV | 212600 (B2 count) | 0 - 212371200
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC-R | 5 (count) | 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC-S | 5 (count) | 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD-R | 600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD-S | 600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 2151900
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 206582400
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.ES | 60 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.ES | 600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.ES | 60 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.ES | 600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.ES | 20 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.ES | 200 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC-12.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400

C.2.3.20 MRC-2.5G-4 Card Default Settings

Table C-20 lists the MRC-2.5G-4 card default settings.

Table C-20 MRC-2.5G-4 Card Default Settings

Default Name | Default Value | Default Domain
MRC25G-4.OC12-PORT.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
MRC25G-4.OC12-PORT.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC25G-4.OC12-PORT.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC25G-4.OC12-PORT.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
MRC25G-4.OC12-PORT.config.line.PJStsMon# | 0 (STS #) | 0 - 12
MRC25G-4.OC12-PORT.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC25G-4.OC12-PORT.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
MRC25G-4.OC12-PORT.config.line.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
MRC25G-4.OC12-PORT.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
MRC25G-4.OC12-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC25G-4.OC12-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
MRC25G-4.OC12-PORT.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
MRC25G-4.OC12-PORT.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC25G-4.OC12-PORT.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
MRC25G-4.OC12-PORT.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC12-PORT.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.CV | 5315 (B2 count) | 0 - 552600
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.CV | 53150 (B2 count) | 0 - 53049600
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.CV | 5315 (B2 count) | 0 - 552600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSC-W | 1 (count) | 0 - 600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.PSD-W | 300 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.CV | 53150 (B2 count) | 0 - 53049600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSC-W | 5 (count) | 0 - 57600
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.PSD-W | 600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 553500
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 53136000
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts1.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.ES | 60 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.ES | 600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.CV | 75 (B3 count) | 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.ES | 60 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.CV | 750 (B3 count) | 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.ES | 600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts12c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.ES | 20 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.ES | 200 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.CV | 25 (B3 count) | 0 - 2160000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.ES | 20 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.CV | 250 (B3 count) | 0 - 207360000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.ES | 200 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN | 9600 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC12-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.config.line.AINSSoakTime | 08:00 (hours:mins) | 00:00, 00:15, 00:30 .. 48:00
MRC25G-4.OC3-PORT.config.line.AlsMode | Disabled | Disabled, Auto Restart, Manual Restart, Manual Restart for Test
MRC25G-4.OC3-PORT.config.line.AlsRecoveryPulseDuration | 2.0 (seconds) | 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 100.0 when AlsMode Manual Restart for Test
MRC25G-4.OC3-PORT.config.line.AlsRecoveryPulseInterval | 100 (seconds) | 60 - 300
MRC25G-4.OC3-PORT.config.line.PJStsMon# | 0 (STS #) | 0 - 3
MRC25G-4.OC3-PORT.config.line.SDBER | 1.00E-07 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
MRC25G-4.OC3-PORT.config.line.SendAISOnFacilityLoopback | TRUE | TRUE, FALSE
MRC25G-4.OC3-PORT.config.line.SendAISOnTerminalLoopback | TRUE | TRUE, FALSE
MRC25G-4.OC3-PORT.config.line.SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
MRC25G-4.OC3-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE
MRC25G-4.OC3-PORT.config.line.sonet.SendDoNotUse | FALSE | FALSE, TRUE
MRC25G-4.OC3-PORT.config.line.sonet.SyncMsgIn | TRUE | FALSE, TRUE
MRC25G-4.OC3-PORT.config.line.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
MRC25G-4.OC3-PORT.config.sts.IPPMEnabled | FALSE | TRUE, FALSE
MRC25G-4.OC3-PORT.physicalthresholds.alarm.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.alarm.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.alarm.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.15min.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.LBC-HIGH | 200 (%) | LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.LBC-LOW | 20 (%) | 0, 1, 2 .. LBC-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPR-HIGH | 200 (%) | OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPR-LOW | 50 (%) | -1, 0, 1 .. OPR-HIGH
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPT-HIGH | 120 (%) | OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255
MRC25G-4.OC3-PORT.physicalthresholds.warning.1day.OPT-LOW | 80 (%) | 0, 1, 2 .. OPT-HIGH
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.CV | 1312 (B2 count) | 0 - 137700
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.farend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.CV | 13120 (B2 count) | 0 - 13219200
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.CV | 1312 (B2 count) | 0 - 137700
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.ES | 87 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.PSC | 1 (count) | 0 - 600
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.PSD | 300 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.SES | 1 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.15min.UAS | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.CV | 13120 (B2 count) | 0 - 13219200
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.ES | 864 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.PSC | 5 (count) | 0 - 57600
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.PSD | 600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.SES | 4 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.line.nearend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.CV | 10000 (B1 count) | 0 - 138600
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.ES | 500 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.SEFS | 500 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.15min.SES | 500 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.CV | 100000 (B1 count) | 0 - 13305600
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.ES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.SEFS | 5000 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.section.nearend.1day.SES | 5000 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.SES | 7 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.farend.1day.UAS | 10 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.CV | 15 (B3 count) | 0 - 2160000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.ES | 12 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.FC | 10 (count) | 0 - 72
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF | 60 (count) | 0 - 14400000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET | 100 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN | 100 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN | 60 (count) | 0 - 7200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.SES | 3 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.15min.UAS | 10 (seconds) | 0 - 900
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.CV | 125 (B3 count) | 0 - 207360000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.ES | 100 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.FC | 40 (count) | 0 - 6912
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN | 5760 (count) | 0 - 691200000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF | 5760 (count) | 0 - 1382400000
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET | 9600 (seconds) | 0 - 86400
MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-92 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.CV 25 (B3 count) 0 - 2160000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.ES 20 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.CV 250 (B3 count) 0 - 207360000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.ES 200 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts3c.farend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.CV 25 (B3 count) 0 - 2160000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.ES 20 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 
MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.CV 250 (B3 count) 0 - 207360000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.ES 200 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-93 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC3-PORT.pmthresholds.sts3c.nearend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.config.line.AINSSoakTime 08:00 (hours:mins) 00:00, 00:15, 00:30 .. 48:00 MRC25G-4.OC48-PORT.config.line.AlsMode Disabled Disabled, Auto Restart, Manual Restart, Manual Restart for Test MRC25G-4.OC48-PORT.config.line.AlsRecoveryPulseDuration 2.0 (seconds) 2.0, 2.1, 2.2 .. 100.0 when AlsMode Disabled, Auto Restart, Manual Restart; 80.0, 80.1, 80.2 .. 
100.0 when AlsMode Manual Restart for Test MRC25G-4.OC48-PORT.config.line.AlsRecoveryPulseInterval 100 (seconds) 60 - 300 MRC25G-4.OC48-PORT.config.line.PJStsMon# 0 (STS #) 0 - 48 MRC25G-4.OC48-PORT.config.line.SDBER 1.00E-07 1E-5, 1E-6, 1E-7, 1E-8, 1E-9 MRC25G-4.OC48-PORT.config.line.SendAISOnFacilityLoopback TRUE TRUE, FALSE MRC25G-4.OC48-PORT.config.line.SendAISOnTerminalLoopback TRUE TRUE, FALSE MRC25G-4.OC48-PORT.config.line.SFBER 1.00E-04 1E-3, 1E-4, 1E-5 MRC25G-4.OC48-PORT.config.line.sonet.SendDoNotUse FALSE FALSE when SendDoNotUse TRUE; FALSE, TRUE when SendDoNotUse FALSE MRC25G-4.OC48-PORT.config.line.sonet.SendDoNotUse FALSE FALSE, TRUE MRC25G-4.OC48-PORT.config.line.sonet.SyncMsgIn TRUE FALSE, TRUE MRC25G-4.OC48-PORT.config.line.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS MRC25G-4.OC48-PORT.config.sts.IPPMEnabled FALSE TRUE, FALSE MRC25G-4.OC48-PORT.physicalthresholds.alarm.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.alarm.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-94 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.alarm.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 
255 MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.warning.15min.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.LBC-HIGH 200 (%) LBC-LOW, LBC-LOW + 1, LBC-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.LBC-LOW 20 (%) 0, 1, 2 .. LBC-HIGH MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPR-HIGH 200 (%) OPR-LOW, OPR-LOW + 1, OPR-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPR-LOW 50 (%) -1, 0, 1 .. OPR-HIGH MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPT-HIGH 120 (%) OPT-LOW, OPT-LOW + 1, OPT-LOW + 2 .. 255 MRC25G-4.OC48-PORT.physicalthresholds.warning.1day.OPT-LOW 80 (%) 0, 1, 2 .. OPT-HIGH MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.CV 21260 (B2 count) 0 - 2212200 MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.ES 87 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.SES 1 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.farend.15min.UAS 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.CV 212600 (B2 count) 0 - 212371200 MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.ES 864 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.SES 4 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.farend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.CV 21260 (B2 count) 0 - 2212200 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.ES 87 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC 1 (count) 0 - 600 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default 
Name Default Value Default DomainC-95 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC-R 1 (count) 0 - 600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC-S 1 (count) 0 - 600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSC-W 1 (count) 0 - 600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD 300 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD-R 300 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD-S 300 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.PSD-W 300 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.SES 1 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.15min.UAS 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.CV 212600 (B2 count) 0 - 212371200 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.ES 864 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC 5 (count) 0 - 57600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC-R 5 (count) 0 - 57600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC-S 5 (count) 0 - 57600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSC-W 5 (count) 0 - 57600 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD 600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD-R 600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD-S 600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.PSD-W 600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.SES 4 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.line.nearend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.CV 10000 (B1 count) 0 - 2151900 
MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.ES 500 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.SEFS 500 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.section.nearend.15min.SES 500 (seconds) 0 - 900 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-96 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.CV 100000 (B1 count) 0 - 206582400 MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.ES 5000 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.SEFS 5000 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.section.nearend.1day.SES 5000 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.CV 15 (B3 count) 0 - 2160000 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.ES 12 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.CV 125 (B3 count) 0 - 207360000 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.ES 100 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.farend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.CV 15 (B3 count) 0 - 2160000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.ES 12 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 
MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.CV 125 (B3 count) 0 - 207360000 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-97 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.ES 100 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts1.nearend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.CV 75 (B3 count) 0 - 2160000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.ES 60 (seconds) 0 - 900 
MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.CV 750 (B3 count) 0 - 207360000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.ES 600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.farend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.CV 75 (B3 count) 0 - 2160000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.ES 60 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-98 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.2.3 Defaults by Card MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.CV 750 (B3 count) 0 - 
207360000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.ES 600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts12c-48c.nearend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.CV 25 (B3 count) 0 - 2160000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.ES 20 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.FC 10 (count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.SES 3 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.CV 250 (B3 count) 0 - 207360000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.ES 200 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.farend.1day.UAS 10 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.CV 25 (B3 count) 0 - 2160000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.ES 20 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.FC 10 
(count) 0 - 72 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.NPJC-PGEN 60 (count) 0 - 7200000 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-99 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings C.3 Node Default Settings Table C-21 on page C-101 lists the node-level default settings for the Cisco ONS 15454. Cisco provides the following user-configurable defaults for each Cisco ONS 15454 node: • Circuit settings—Set the administrative state and path protection circuit defaults, and whether to have circuits send a payload defect indication condition (PDIP). • General settings—Set general node management defaults, including whether to use Daylight Savings Time (DST), whether to insert Alarm Indication Signal VT (AIS-V) in each VT when the carrying STS crosses the signal degrade (SD) path bit error rate (BER) threshold, the IP address of the Network Time Protocol/Simple Network Time Protocol (NTP/SNTP) server to be used, the time zone where the node is located, the SD path BER value, the defaults description, whether to raise a condition on an empty card slot, whether automatic autonomous Transcation Language One (TL1) reporting of PM data is enabled for cross-connect paths on the node, whether or not to allow ports MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCDIFF 60 (count) 0 - 14400000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PDET 100 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PJCS-PGEN 100 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PDET 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.PPJC-PGEN 60 (count) 0 - 7200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.SES 3 (seconds) 0 - 900 
MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.15min.UAS 10 (seconds) 0 - 900 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.CV 250 (B3 count) 0 - 207360000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.ES 200 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.FC 40 (count) 0 - 6912 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.NPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCDIFF 5760 (count) 0 - 1382400000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PDET 9600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PJCS-PGEN 9600 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PDET 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.PPJC-PGEN 5760 (count) 0 - 691200000 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.SES 7 (seconds) 0 - 86400 MRC25G-4.OC48-PORT.pmthresholds.sts3c-9c.nearend.1day.UAS 10 (seconds) 0 - 86400 Table C-20 MRC-2.5G-4 Card Default Settings (continued) Default Name Default Value Default DomainC-100 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings to be disabled when they are providing services (when the default is set to FALSE users must remove or disable the services first, then put the ports out of service), and whether to report loopback conditions on Out-of-Service, Maintenance (OOS-MT) state ports. • Power Monitor settings—Set default voltage thresholds for the node. 
• Network settings—Set whether to prevent display of node IP addresses in CTC (applicable to all users except Superusers); the default gateway node type; whether to raise an alarm when the backplane LAN cable is disconnected; and whether to display the IP address on the LCD in an editable mode (in which the IP address can be changed directly from the LCD screen), to display the IP address on the LCD as read-only, or to suppress display of the IP address on the LCD entirely.
• OSI settings—Set the Open System Interconnection (OSI) main setup, the generic routing encapsulation (GRE) tunnel default, the link access protocol on the D channel (LAP-D), the router subnet, and the TID address resolution protocol (TARP) settings.
• 1+1 and Optimized 1+1 protection settings—Set whether protected circuits use bidirectional switching, whether they are revertive, and what the reversion time is; set the optimized 1+1 detection, recovery, and verify guard timer values.
Note Optimized 1+1 supports three timers that ensure the correct state of the cards at key points in card communication. A verify guard timer is used when a Force is issued, to ensure that the far end has a chance to respond. A detection guard timer ensures the presence of an SF/SD condition before switching away from a card. A recovery guard timer ensures the absence of SF/SD before switching to a card. You can change the default number of seconds before these timers expire by changing the NE default for the corresponding timer to a value within its domain of allowable values.
• BLSR protection settings—Set whether BLSR-protected circuits are revertive, and what the reversion time is, at both the ring and span levels.
• Legal Disclaimer—Set the legal disclaimer that warns users at the login screen about the possible legal or contractual ramifications of accessing equipment, systems, or networks without authorization.
• Security Grant Permissions—Set the default user security levels required for activating/reverting software, clearing PM data, restoring the database, and retrieving audit logs.
• Security DataComm settings—Set default security settings for the TCC Ethernet IP address and IP netmask, and for CTC backplane IP suppression; set secure mode on and secure mode locked (TCC2P cards only).
Note The secure mode supported setting is not user-configurable; it depends on whether TCC2P cards are present on the node.
• Security Access settings—Set default security settings for LAN access, shell access, serial craft access, element management system (EMS) access (including the Internet Inter-Object Request Broker Protocol [IIOP] listener port number), TL1 access, and Simple Network Management Protocol (SNMP) access.
• Security RADIUS settings—Set default RADIUS server settings for the accounting port number and the authentication port number, and whether to enable the node as a final authenticator.
• Security Policy settings—Set the allowable failed logins before lockout, the idle user timeout for each user level, an optional lockout duration or manual unlock, password reuse and change frequency policies, the number of characters by which a new password must differ from the old one, password aging by security level, enforcement of a single concurrent session per user, and the option to disable an inactive user after a set inactivity period.
• Security Password settings—Set when passwords can be changed, how many characters they must differ by, whether password reuse is allowed, and whether a password change is required on first login to a new account; set password aging enforcement and user-level-specific aging and warning periods; set how many consecutive identical characters are allowed in a password, the ma
ximum and minimum password length, the minimum number and combination of nonalphabetical characters required, and whether to allow a password that is a reversal of the login ID associated with it.
• BITS Timing settings—Set the AIS threshold, Admin synchronization status messaging (SSM), coding, facility type, framing, state, and line build-out (LBO) settings for building integrated timing supply 1 (BITS-1) and BITS-2 timing.
• General Timing settings—Set the mode (External, Line, or Mixed), the quality of reserved (RES) timing (the rule that defines the order of clock quality from lowest to highest), revertive, reversion time, and the SSM message set for node timing.
Note Changing any node-level default in the Provisioning > Defaults tab changes the existing node-level provisioning. Whether the change is service affecting depends on the type of default changed (for example, general, timing, and security attributes). CTC displays the message "Changing default values for some node level attributes overrides the current provisioning." The Side Effects column of the Defaults editor (right-click a column header and select Show Column > Side Effects) explains the effect of changing each default value. Changing card-level defaults in the Provisioning > Defaults tab, by contrast, leaves existing card provisioning unaffected.
Note For more information about each individual node setting, refer to the "Change Node Settings" chapter of the Cisco ONS 15454 Procedure Guide.
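The tables in this appendix all use the same three-column row format and the same Default Domain notation: a closed range ("0 - 900"), an arithmetic progression written as its first terms and its end ("0.5, 1.0, 1.5 .. 12.0"), a plain enumeration ("TRUE, FALSE", "IS, OOS,DSBLD, OOS,MT, IS,AINS"), or a free field such as "IP Address". The following Python script is an added example (editor's code, not Cisco tooling) that reads rows in that format, checks each default against its declared domain, and flags three node settings from the list above (NTP/SNTP server, CTC IP display suppression, and the LCD IP setting) whose factory values a hardening review would normally change. The sample rows are copied from Table C-21; the hardening expectations, the heuristic used to find the value/domain boundary in a flat row, and the handling of "IP Address" as an IPv4 dotted quad are the editor's assumptions. Domains that reference another setting or a function (LBC-HIGH, maximum_of(...)) are not evaluated and come back as violations.

```python
"""Audit an ONS 15454 NE-defaults listing in the Appendix C row format.

Added example, not Cisco code. Rows are "<Default Name> <Default Value>
[(unit)] <Default Domain>" or the same three fields separated by " | ".
Domains that reference another setting (LBC-HIGH, maximum_of(..)) are not
evaluated and are reported as violations.
"""
import re
from collections import namedtuple
from typing import Optional

# Constructed sample: rows copied from Table C-21, one per line.
SAMPLE_ROWS = """\
NODE.general.NtpSntpServer 0.0.0.0 IP Address
NODE.network.general.CtcIpDisplaySuppression FALSE TRUE, FALSE
NODE.network.general.LcdSetting Allow Configuration Allow Configuration, Display Only, Suppress Display
NODE.circuits.State IS,AINS IS, OOS,DSBLD, OOS,MT, IS,AINS
NODE.circuits.pathprotection.ReversionTime 5.0 (minutes) 0.5, 1.0, 1.5 .. 12.0
NODE.circuits.pathprotection.STS_SDBER 1.00E-06 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
NODE.osi.lapd.MTU 512 512, 513, 514 .. 1500
NODE.osi.tarp.LDBEntry 5 (min) 1 - 10
NODE.powerMonitor.HIBATVG -54.0 (Vdc) -44.0, -44.5, -45.0 .. -56.5
"""

Row = namedtuple("Row", "name value unit domain")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_UNIT_SPLIT = re.compile(r"^(?P<value>\S+) \((?P<unit>[^)]*)\) (?P<domain>.+)$")


def _num(s: str) -> Optional[float]:
    try:
        return float(s)
    except ValueError:
        return None


def in_domain(value: str, domain: str) -> bool:
    """True if VALUE is a member of DOMAIN as written in the Default Domain column."""
    if domain == "IP Address":
        return bool(_IPV4.match(value))
    v = _num(value)
    m = re.match(r"^(\S+) - (\S+)$", domain)  # closed interval "lo - hi"
    if m and v is not None:
        lo, hi = _num(m.group(1)), _num(m.group(2))
        return lo is not None and hi is not None and min(lo, hi) <= v <= max(lo, hi)
    if " .. " in domain and v is not None:  # progression "a, a+d, a+2d .. end"
        head, end = domain.split(" .. ", 1)
        steps, e = [_num(x) for x in head.split(", ")], _num(end)
        if len(steps) < 2 or None in steps or e is None:
            return False
        start, step = steps[0], steps[1] - steps[0]
        if step == 0 or not (min(start, e) <= v <= max(start, e)):
            return False
        k = (v - start) / step
        return abs(k - round(k)) < 1e-9
    for member in domain.split(", "):  # enumeration; numeric members compare as numbers
        mnum = _num(member)
        if v is not None and mnum is not None:
            if v == mnum:
                return True
        elif member == value:
            return True
    return False


def parse_row(line: str) -> Row:
    """Split one row into name, value, unit and domain. In the flat form the
    value/domain boundary is ambiguous (see the LcdSetting row), so each space
    is tried as the split point and the first at which the value lies in the
    domain wins."""
    line = line.strip()
    if " | " in line:
        name, value_unit, domain = (p.strip() for p in line.split(" | ", 2))
        m = re.match(r"^(?P<value>.+?) \((?P<unit>[^)]*)\)$", value_unit)
        return Row(name, m["value"], m["unit"], domain) if m else Row(name, value_unit, None, domain)
    name, rest = line.split(" ", 1)
    m = _UNIT_SPLIT.match(rest)
    if m:
        return Row(name, m["value"], m["unit"], m["domain"])
    words = rest.split(" ")
    for i in range(1, len(words)):
        value, domain = " ".join(words[:i]), " ".join(words[i:])
        if in_domain(value, domain):
            return Row(name, value, None, domain)
    return Row(name, words[0], None, " ".join(words[1:]))  # no split works; audit() flags it


# Editor's hardening expectations (assumptions, not Cisco guidance) for three
# node settings the C.3 text describes.
HARDENING_CHECKS = {
    "NODE.general.NtpSntpServer": (lambda v: v != "0.0.0.0",
        "no NTP/SNTP server; node clock and audit-log timestamps are unsynchronized"),
    "NODE.network.general.CtcIpDisplaySuppression": (lambda v: v == "TRUE",
        "node IP addresses are shown to non-Superuser CTC users"),
    "NODE.network.general.LcdSetting": (lambda v: v != "Allow Configuration",
        "node IP can be changed from the front-panel LCD by anyone with physical access"),
}


def audit(text: str) -> dict:
    """Parse every non-empty line; return rows, domain violations and hardening findings."""
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    violations = [r.name for r in rows if not in_domain(r.value, r.domain)]
    findings = [(r.name, r.value, HARDENING_CHECKS[r.name][1]) for r in rows
                if r.name in HARDENING_CHECKS and not HARDENING_CHECKS[r.name][0](r.value)]
    return {"rows": rows, "domain_violations": violations, "hardening": findings}
```

Running audit(SAMPLE_ROWS) reports no domain violations and three hardening findings, one per factory default listed in HARDENING_CHECKS. The domain check is the part worth keeping: an exported defaults file that has been hand-edited (or pushed by a management system) can carry a value outside its domain, and the node's own reaction to that is not something this appendix documents, so catching it before import is cheaper than finding out.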
Table C-21 Node Default Settings
Default Name | Default Value | Default Domain
NODE.circuits.SendPDIP | TRUE | TRUE, FALSE
NODE.circuits.State | IS,AINS | IS, OOS,DSBLD, OOS,MT, IS,AINS
NODE.circuits.pathprotection.AllowpathprotectionOverOnePlusOne | FALSE | TRUE, FALSE
NODE.circuits.pathprotection.ProvisionWorkingGoAndReturnOnPrimaryPath | TRUE | TRUE, FALSE
NODE.circuits.pathprotection.ReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.circuits.pathprotection.Revertive | FALSE | TRUE, FALSE
NODE.circuits.pathprotection.STS_SDBER | 1.00E-06 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
NODE.circuits.pathprotection.STS_SFBER | 1.00E-04 | 1E-3, 1E-4, 1E-5
NODE.circuits.pathprotection.SwitchOnPDIP | FALSE | TRUE, FALSE
NODE.circuits.pathprotection.VT_SDBER | 1.00E-05 | 1E-5, 1E-6, 1E-7, 1E-8
NODE.circuits.pathprotection.VT_SFBER | 1.00E-03 | 1E-3, 1E-4, 1E-5
NODE.general.AllowServiceAffectingPortChangeToDisabled | TRUE | FALSE, TRUE
NODE.general.AutoPM | FALSE | FALSE, TRUE
NODE.general.BackupNtpSntpServer | 0.0.0.0 | IP Address
NODE.general.DefaultsDescription | Factory Defaults | Free form field
NODE.general.InsertAISVOnSDP | FALSE | TRUE, FALSE
NODE.general.NtpSntpServer | 0.0.0.0 | IP Address
NODE.general.RaiseConditionOnEmptySlot | FALSE | TRUE, FALSE
NODE.general.ReportLoopbackConditionsOnOOS-MTPorts | FALSE | FALSE, TRUE
NODE.general.SDPBER | 1.00E-06 | 1E-5, 1E-6, 1E-7, 1E-8, 1E-9
NODE.general.TimeZone | (GMT-08:00) Pacific Time (US & Canada), Tijuana | (For applicable time zones, see Table C-22 on page C-117.)
NODE.general.UseDST | TRUE | TRUE, FALSE
NODE.lmp.controlChannel.AdminState | OOS,DSBLD | IS, OOS,DSBLD
NODE.lmp.controlChannel.HelloDeadInterval | 12000 (ms) | maximum_of(2000,MinHelloDeadInterval,product_of(HelloInterval,3)), maximum_of(2000,MinHelloDeadInterval,product_of(HelloInterval,3)) + 1, maximum_of(2000,MinHelloDeadInterval,product_of(HelloInterval,3)) + 2 .. minimum_of(20000,MaxHelloDeadInterval)
NODE.lmp.controlChannel.HelloInterval | 500 (ms) | maximum_of(300,MinHelloInterval), maximum_of(300,MinHelloInterval) + 1, maximum_of(300,MinHelloInterval) + 2 .. minimum_of(5000,MaxHelloInterval,quotient_of(HelloDeadInterval,3))
NODE.lmp.controlChannel.MaxHelloDeadInterval | 20000 (ms) | maximum_of(2000,HelloDeadInterval,sum_of(MaxHelloInterval,1)), maximum_of(2000,HelloDeadInterval,sum_of(MaxHelloInterval,1)) + 1, maximum_of(2000,HelloDeadInterval,sum_of(MaxHelloInterval,1)) + 2 .. 20000
NODE.lmp.controlChannel.MaxHelloInterval | 2000 (ms) | maximum_of(300,HelloInterval), maximum_of(300,HelloInterval) + 1, maximum_of(300,HelloInterval) + 2 .. minimum_of(5000,difference_of(MaxHelloDeadInterval,1))
NODE.lmp.controlChannel.MinHelloDeadInterval | 2000 (ms) | maximum_of(2000,sum_of(MinHelloInterval,1)), maximum_of(2000,sum_of(MinHelloInterval,1)) + 1, maximum_of(2000,sum_of(MinHelloInterval,1)) + 2 .. minimum_of(20000,HelloDeadInterval)
NODE.lmp.controlChannel.MinHelloInterval | 300 (ms) | 300, 301, 302 .. minimum_of(5000,HelloInterval,difference_of(MinHelloDeadInterval,1))
NODE.lmp.dataLink.Type | Port | Port, Component
NODE.lmp.general.Allowed | TRUE | FALSE, TRUE
NODE.lmp.general.Enabled | FALSE | FALSE, TRUE when Allowed TRUE; FALSE when Allowed FALSE
NODE.lmp.general.LMP-WDM | TRUE | FALSE, TRUE
NODE.lmp.general.Role | OLS | PEER, OLS
NODE.lmp.teLink.AdminState | OOS,DSBLD | IS, OOS,DSBLD
NODE.lmp.teLink.DWDM | TRUE | FALSE, TRUE
NODE.lmp.teLink.MuxCapability | Lambda Switch | Packet Switch - Level 1, Packet Switch - Level 2, Packet Switch - Level 3, Packet Switch - Level 4, Layer 2 Switch, TDM Cross-connect, Lambda Switch, Fiber Switch
NODE.network.general.AlarmMissingBackplaneLAN | FALSE | TRUE, FALSE
NODE.network.general.CtcIpDisplaySuppression | FALSE | TRUE, FALSE
NODE.network.general.GatewaySettings | None | LeaveAsIs, None, ENE, GNE, ProxyOnlyNode
NODE.network.general.LcdSetting | Allow Configuration | Allow Configuration, Display Only, Suppress Display
NODE.osi.greTunnel.OspfCost | 110 | 110 - 65535
NODE.osi.greTunnel.SubnetMask | 24 (bits) | 8, 9, 10 .. 32
NODE.osi.lapd.Mode | AITS | AITS, UITS
NODE.osi.lapd.MTU | 512 | 512, 513, 514 .. 1500
NODE.osi.lapd.Role | Network | Network, User
NODE.osi.lapd.T200 | 200 (ms) | 200, 300, 400 .. 20000
NODE.osi.lapd.T203 | 10000 (ms) | 4000, 4100, 4200 .. 120000
NODE.osi.mainSetup.L1L2LSPBufferSize | 512 (bytes) | 512 - 1500
NODE.osi.mainSetup.L1LSPBufferSize | 512 (bytes) | 512 - 1500
NODE.osi.mainSetup.NodeRoutingMode | Intermediate System Level 1 | End System, Intermediate System Level 1, Intermediate System Level 1/Level 2
NODE.osi.subnet.DISPriority | 63 | 1, 2, 3 .. 127
NODE.osi.subnet.ESH | 10 (sec) | 10, 20, 30 .. 1000
NODE.osi.subnet.GCCISISCost | 60 | 1, 2, 3 .. 63
NODE.osi.subnet.IIH | 3 (sec) | 1, 2, 3 .. 600
NODE.osi.subnet.ISH | 10 (sec) | 10, 20, 30 .. 1000
NODE.osi.subnet.LANISISCost | 20 | 1, 2, 3 .. 63
NODE.osi.subnet.LDCCISISCost | 40 | 1, 2, 3 .. 63
NODE.osi.subnet.OSCISISCost | 60 | 1, 2, 3 .. 63
NODE.osi.subnet.SDCCISISCost | 60 | 1, 2, 3 .. 63
NODE.osi.tarp.L1DataCache | TRUE | FALSE, TRUE
NODE.osi.tarp.L2DataCache | FALSE | FALSE, TRUE
NODE.osi.tarp.LANStormSuppression | TRUE | FALSE, TRUE
NODE.osi.tarp.LDB | TRUE | FALSE, TRUE
NODE.osi.tarp.LDBEntry | 5 (min) | 1 - 10
NODE.osi.tarp.LDBFlush | 5 (min) | 0 - 1440
NODE.osi.tarp.PDUsL1Propagation | TRUE | FALSE, TRUE
NODE.osi.tarp.PDUsL2Propagation | TRUE | FALSE, TRUE
NODE.osi.tarp.PDUsOrigination | TRUE | FALSE, TRUE
NODE.osi.tarp.T1Timer | 15 (sec) | 0 - 3600
NODE.osi.tarp.T2Timer | 25 (sec) | 0 - 3600
NODE.osi.tarp.T3Timer | 40 (sec) | 0 - 3600
NODE.osi.tarp.T4Timer | 20 (sec) | 0 - 3600
NODE.osi.tarp.Type4PDUDelay | 0 (sec) | 0 - 255
NODE.powerMonitor.EHIBATVG | -56.5 (Vdc) | -54.0, -54.5, -55.0, -55.5, -56.0, -56.5
NODE.powerMonitor.ELWBATVG | -40.5 (Vdc) | -40.5, -41.0, -41.5, -42.0, -42.5, -43.0, -43.5, -44.0
NODE.powerMonitor.HIBATVG | -54.0 (Vdc) | -44.0, -44.5, -45.0 .. -56.5
NODE.powerMonitor.LWBATVG | -44.0 (Vdc) | -40.5, -41.0, -41.5 .. -54.0
NODE.protection.1+1.BidirectionalSwitching | FALSE | TRUE, FALSE
NODE.protection.1+1.DetectionGuardTimer | 1 (seconds) | 0, 0.05, 0.1, 0.5, 1, 2, 3, 4, 5
NODE.protection.1+1.RecoveryGuardTimer | 1 (seconds) | 0, 0.05, 0.1 .. 10
NODE.protection.1+1.ReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.1+1.Revertive | FALSE | TRUE, FALSE
NODE.protection.1+1.VerifyGuardTimer | 0.5 (seconds) | 0.5, 1
NODE.protection.blsr.RingReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 .. 12.0
NODE.protection.blsr.RingRevertive | TRUE | TRUE, FALSE
NODE.protection.blsr.SpanReversionTime | 5.0 (minutes) | 0.5, 1.0, 1.5 ..
12.0 NODE.protection.blsr.SpanRevertive TRUE TRUE, FALSE NODE.protection.splitter.ReversionTime 5.0 (minutes) 0.5, 1.0, 1.5 .. 12.0 NODE.protection.splitter.Revertive FALSE TRUE, FALSE NODE.protection.ycable.ReversionTime 5.0 (minutes) 0.5, 1.0, 1.5 .. 12.0 NODE.protection.ycable.Revertive FALSE TRUE, FALSE Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-107 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.security.dataComm.CtcBackplaneIpDisplaySuppression NOT SUPPORTED FALSE; TRUE when nothing TRUE; (NOT SUPPORTED) when nothing FALSE NODE.security.dataComm.DefaultTCCEthernetIP 10.0.0.1 IP Address NODE.security.dataComm.DefaultTCCEthernetIPNetmask 24 (bits) 8, 9, 10 .. 32 NODE.security.dataComm.isSecureModeSupportedOnControlCard TRUE FALSE, TRUE NODE.security.dataComm.LcdBackplaneIpSetting NOT SUPPORTED Allow Configuration; Display Only; Suppress Display when nothing TRUE; (NOT SUPPORTED) when nothing FALSE NODE.security.dataComm.SecureModeLocked NOT SUPPORTED FALSE; TRUE when nothing TRUE; (NOT SUPPORTED) when nothing FALSE NODE.security.dataComm.SecureModeOn (May reboot node) NOT SUPPORTED FALSE; TRUE when nothing TRUE; (NOT SUPPORTED) when nothing FALSE NODE.security.emsAccess.AccessState NonSecure NonSecure, Secure NODE.security.emsAccess.IIOPListenerPort (May reboot node) 57790 (port #) 0 - 65535 NODE.security.grantPermission.ActivateRevertSoftware Superuser Provisioning, Superuser NODE.security.grantPermission.PMClearingPrivilege Provisioning Provisioning, Superuser NODE.security.grantPermission.RestoreDB Superuser Provisioning, Superuser NODE.security.grantPermission.RetrieveAuditLog Superuser Provisioning, Superuser NODE.security.idleUserTimeout.Maintenance 01:00 (hours:mins) 00:00, 00:01, 00:02 .. 
16:39 Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-108 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.security.idleUserTimeout.Provisioning 00:30 (hours:mins) 00:00, 00:01, 00:02 .. 16:39 NODE.security.idleUserTimeout.Retrieve 00:00 (hours:mins) 00:00, 00:01, 00:02 .. 16:39 NODE.security.idleUserTimeout.Superuser 00:15 (hours:mins) 00:00, 00:01, 00:02 .. 16:39 NODE.security.lanAccess.LANAccess (May disconnect CTC from node) Front & Backplane No LAN Access, Front Only, Backplane Only, Front & Backplane NODE.security.lanAccess.RestoreTimeout 5 (minutes) 0 - 60 NODE.security.legalDisclaimer.LoginWarningMessage

WARNIN G
This system is restricted to authorized users for business purposes. Unauthorized< p>access is a violation of the law. This service may be monitored for administrative

and security reasons. By proceeding, you consent to this monitoring. Free form field NODE.security.other.DisableInactiveUser FALSE FALSE, TRUE NODE.security.other.InactiveDuration 45 (days) 1, 2, 3 .. 99 when nothing TRUE; 45 when nothing FALSE NODE.security.other.SingleSessionPerUser FALSE TRUE, FALSE NODE.security.passwordAging.EnforcePasswordAging FALSE TRUE, FALSE NODE.security.passwordAging.maintenance.AgingPeriod 45 (days) 20 - 90 NODE.security.passwordAging.maintenance.WarningPeriod 5 (days) 2 - 20 NODE.security.passwordAging.provisioning.AgingPeriod 45 (days) 20 - 90 Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-109 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.security.passwordAging.provisioning.WarningPeriod 5 (days) 2 - 20 NODE.security.passwordAging.retrieve.AgingPeriod 45 (days) 20 - 90 NODE.security.passwordAging.retrieve.WarningPeriod 5 (days) 2 - 20 NODE.security.passwordAging.superuser.AgingPeriod 45 (days) 20 - 90 NODE.security.passwordAging.superuser.WarningPeriod 5 (days) 2 - 20 NODE.security.passwordChange.CannotChangeNewPassword FALSE TRUE, FALSE NODE.security.passwordChange.CannotChangeNewPasswordForNDays 20 (days) 20 - 95 NODE.security.passwordChange.NewPasswordMustDifferFromOldByNCharacters 1 (characters) 1 - 5 NODE.security.passwordChange.PreventReusingLastNPasswords 1 (times) 1 - 10 NODE.security.passwordChange.RequirePasswordChangeOnFirstLoginToNewAccou nt FALSE TRUE, FALSE NODE.security.passwordComplexity.IdenticalConsecutiveCharactersAllowed 3 or more 0-2, 3 or more NODE.security.passwordComplexity.MaximumLength 20 20, 80 NODE.security.passwordComplexity.MinimumLength 6 6, 8, 10, 12 NODE.security.passwordComplexity.MinimumRequiredCharacters 1 num, 1 letter & 1 TL1 special 1 num, 1 letter & 1 TL1 special, 1 num, 1 letter & 1 special, 2 each of any 2 of num, upper, lower & TL1 special, 2 each of any 2 
of num, upper, lower & special NODE.security.passwordComplexity.ReverseUserIdAllowed TRUE TRUE, FALSE NODE.security.radiusServer.AccountingPort 1813 (port) 0 - 32767 NODE.security.radiusServer.AuthenticationPort 1812 (port) 0 - 32767 NODE.security.radiusServer.EnableNodeAsFinalAuthenticator TRUE FALSE, TRUE NODE.security.serialCraftAccess.EnableCraftPort TRUE TRUE, FALSE NODE.security.shellAccess.AccessState NonSecure Disabled, NonSecure, Secure NODE.security.shellAccess.EnableShellPassword FALSE TRUE, FALSE NODE.security.shellAccess.TelnetPort 23 23 - 9999 NODE.security.snmpAccess.AccessState NonSecure Disabled, NonSecure NODE.security.tl1Access.AccessState NonSecure Disabled, NonSecure, Secure NODE.security.userLockout.FailedLoginsAllowedBeforeLockout 5 (times) 0 - 10 Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-110 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.security.userLockout.LockoutDuration 00:30 (mins:secs) 00:00, 00:05, 00:10 .. 
10:00 NODE.security.userLockout.ManualUnlockBySuperuser FALSE TRUE, FALSE NODE.software.AllowDelayedUpgrades FALSE FALSE, TRUE NODE.software.DefaultDelayedUpgrades FALSE FALSE, TRUE when AllowDelayedUp grades TRUE; FALSE when AllowDelayedUp grades FALSE NODE.timing.bits-1.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMM essageSet N/A NODE.timing.bits-1.AISThreshold SMC PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMM essageSet N/A Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-111 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.timing.bits-1.Coding B8ZS B8ZS, AMI when FacilityType DS1; HDB3, AMI when FacilityType E1; N/A when FacilityType 2MHz; AMI when FacilityType 64kHz+8kHz NODE.timing.bits-1.CodingOut B8ZS B8ZS, AMI when FacilityTypeOut DS1; HDB3, AMI when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; AMI when FacilityTypeOut 6MHz NODE.timing.bits-1.FacilityType DS1 DS1, 64kHz+8kHz when //.general.Timing Standard SONET; E1, 64kHz+8kHz, 2MHz when //.general.Timing Standard SDH NODE.timing.bits-1.FacilityTypeOut DS1 DS1, 6MHz when //.general.Timing Standard SONET; E1, 6MHz, 2MHz when //.general.Timing Standard SDH Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-112 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.timing.bits-1.Framing ESF ESF, D4 when FacilityType DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed 
when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz NODE.timing.bits-1.FramingOut ESF ESF, D4 when FacilityTypeOut DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; N/A when FacilityTypeOut 6MHz NODE.timing.bits-1.LBO 0-133 0-133, 134-266, 267-399, 400-533, 534-655 NODE.timing.bits-1.SaBit N/A N/A when FacilityType DS1; 4, 5, 6, 7, 8 when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz NODE.timing.bits-1.State OOS,DSBLD IS, OOS,DSBLD NODE.timing.bits-1.StateOut OOS,DSBLD IS, OOS,DSBLD Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-113 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.timing.bits-2.AdminSSMIn STU PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMM essageSet N/A NODE.timing.bits-2.AISThreshold SMC PRS, STU, ST2, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 1; PRS, STU, ST2, TNC, ST3E, ST3, SMC, ST4, DUS, RES when //.general.SSMM essageSet Generation 2; G811, STU, G812T, G812L, SETS, DUS when //.general.SSMM essageSet N/A NODE.timing.bits-2.Coding B8ZS B8ZS, AMI when FacilityType DS1; HDB3, AMI when FacilityType E1; N/A when FacilityType 2MHz; AMI when FacilityType 64kHz+8kHz Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-114 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.timing.bits-2.CodingOut B8ZS B8ZS, AMI when FacilityTypeOut DS1; HDB3, AMI when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; AMI when FacilityTypeOut 6MHz NODE.timing.bits-2.FacilityType DS1 DS1, 
64kHz+8kHz when //.general.Timing Standard SONET; E1, 64kHz+8kHz, 2MHz when //.general.Timing Standard SDH NODE.timing.bits-2.FacilityTypeOut DS1 DS1, 6MHz when //.general.Timing Standard SONET; E1, 6MHz, 2MHz when //.general.Timing Standard SDH NODE.timing.bits-2.Framing ESF ESF, D4 when FacilityType DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-115 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3 Node Default Settings NODE.timing.bits-2.FramingOut ESF ESF, D4 when FacilityTypeOut DS1; FAS+CRC, FAS+CAS, FAS+CAS+CRC, FAS, Unframed when FacilityTypeOut E1; N/A when FacilityTypeOut 2MHz; N/A when FacilityTypeOut 6MHz NODE.timing.bits-2.LBO 0-133 0-133, 134-266, 267-399, 400-533, 534-655 NODE.timing.bits-2.SaBit N/A N/A when FacilityType DS1; 4, 5, 6, 7, 8 when FacilityType E1; N/A when FacilityType 2MHz; N/A when FacilityType 64kHz+8kHz NODE.timing.bits-2.State OOS,DSBLD IS, OOS,DSBLD NODE.timing.bits-2.StateOut OOS,DSBLD IS, OOS,DSBLD NODE.timing.general.Mode Line External, Line, Mixed Table C-21 Node Default Settings (continued) Default Name Default Value Default DomainC-116 Cisco ONS 15454 Reference Manual, Releases 9.1, 9.2, and 9.2.1 78-19870-01 Appendix C Network Element Defaults C.3.1 Time Zones C.3.1 Time Zones Table C-22 lists the time zones that apply for node time zone defaults. Time zones in the table are ordered by their relative relationships to Greenwich Mean Time (GMT), and the default values are displayed in the correct format for valid default input. NODE.timing.general.QualityOfRES RES=DUS PRS Ctrl-Alt-Del on the Cisco KVM Console window menu bar; or by selecting Power Cycle Server on the Server Summary tab of the CIMC GUI. c. Watch during bootup for the F2 prompt, and then press F2 to enter BIOS setup. d. 
If you have already configured a BIOS Administrator password, enter it and skip to Step h. e. If you have not set a BIOS Administrator password for the server, continue with this step. On the BIOS utility screen, select the Security tab, then select Set Administrator Password. Use the pop-up boxes to set the BIOS administrator password, then press F10 to save your settings and reboot the server. f. Watch during bootup for the F2 prompt, and then press F2 to enter BIOS setup. g. Log into the BIOS Setup utility with your BIOS Administrator password. 1 TPM 3 Securing screw 2 JP2 socket on motherboard 1 3 23-33 Cisco UCS C200 Server Installation and Service Guide OL-20732-02 Chapter 3 Maintaining the Server Installing or Replacing Components h. On the BIOS utility screen, select the Security tab. i. Scroll down to TPM and select TURN ON. j. Press F10 to save your settings and reboot the server. k. Watch during bootup for the F2 prompt, and then press F2 to enter BIOS setup. l. Log into the BIOS Setup utility with your BIOS Administrator password. m. Verify that the TPM is now enabled. Select the Security tab. Verify that the TPM entry now says Enabled. Replacing a PCIe Riser Card Assembly The qualified and supported part numbers for this component are subject to change over time. For the most up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications: http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html To replace a PCIe riser card assembly, follow these steps: Step 1 Remove a PCIe riser card: a. Power off the server as described in the “Shutting Down and Powering Off the Server” section on page 3-7. b. Disconnect all power cords from the power supplies. c. Slide the server out the front of the rack far enough so that you can remove the top cover. You might have to detach cables from the rear panel to provide clearance. 
Caution If you cannot safely view and access the component, remove the server from the rack.
d. Remove the top cover as described in the “Removing and Replacing the Server Top Cover” section on page 3-9.
e. Remove the screw that holds the riser card assembly to the rear of the chassis (see Figure 3-21).
f. Lift the assembly and any attached PCIe cards straight up and out of the chassis. Lift up on both ends of the bracket evenly to avoid damaging the sockets or the riser cards.
g. Remove any PCIe card from the riser card assembly and set it aside.

Step 2 Install a PCIe riser card:
a. Replace any PCIe card in the new riser card assembly.
b. Set the assembly in place, aligning the riser cards with the PCIe slots on the motherboard.
c. Press down evenly on both ends of the assembly to fully engage the riser cards with the PCIe slots on the motherboard.
d. Replace the screw that secures the assembly to the chassis.
e. Replace the top cover.
f. Replace the server in the rack, replace power cords and any other cables, and then power on the server by pressing the Power button.

Figure 3-21 Removing and Replacing a PCIe Riser Card Assembly

Replacing a PCIe Card

This section contains the following topics:
• Replacement Procedure, page 3-35
• Special Considerations for the Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01), page 3-37
• How to Identify Which Power Supply Model is in Your Server, page 3-37
• Installing Multiple PCIe Cards and Resolving Limited Resources, page 3-38

Note If you are installing a Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01), there are prerequisite considerations. See Special Considerations for the Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01), page 3-37.

Note See also RAID Controller Considerations, page C-1 for information about supported controllers and cables.
The qualified and supported part numbers for this component are subject to change over time. For the most up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications: http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html

[Figure 3-21 legend: 1 Riser card assembly (top view); 2 Riser card]

Replacement Procedure

Installing a PCIe card requires that you first remove the riser card assembly from the chassis. To install or replace a PCIe card, follow these steps:

Step 1 Remove a PCIe card:
a. Power off the server as described in the “Shutting Down and Powering Off the Server” section on page 3-7.
b. Disconnect all power cords from the power supplies.
c. Slide the server out the front of the rack far enough so that you can remove the top cover. You might have to detach cables from the rear panel to provide clearance.
Caution If you cannot safely view and access the component, remove the server from the rack.
d. Remove the top cover as described in the “Removing and Replacing the Server Top Cover” section on page 3-9.
e. Pull the PCIe card retaining latch away from the card. See Figure 3-21 on page 3-34.
f. Lift the assembly and any attached PCIe cards straight up and out of the chassis. Lift up on both ends of the assembly evenly to avoid damaging the sockets or the riser cards.
g. Pull the PCIe card retaining latch away from the card’s rear tab (see Figure 3-23).

Step 2 Pull the PCIe card connector out of the riser card socket and set the card aside.

Step 3 Install a PCIe card:
a. If you are installing a PCIe card to an empty slot on the riser card assembly, remove any blank panel from the assembly rear slot.
Note A standard-profile PCIe card must be installed on the right side of the assembly, as viewed from the rear of the server.
A low-profile PCIe card can be installed in either the low-profile slots on the left, or the standard-profile slots on the right if a standard-profile I/O bracket is used on the card.
b. Align the PCIe card connector with the riser card socket and push on both ends of the card evenly to fully engage the connector with the riser card socket.
c. Pull the PCIe card retaining latch away from the card’s rear tab, then close the latch over the tab.
d. Set the assembly in place, aligning the riser cards with the PCIe slots on the motherboard.
e. Press down evenly on both ends of the assembly to fully engage the riser cards with the PCIe slots on the motherboard.
f. Replace the screw that secures the riser card assembly to the chassis.
g. Replace the top cover.
h. Replace the server in the rack, replace power cords and any other cables, and then power on the server by pressing the Power button.

Step 4 If the card that you replaced was a RAID controller card, see Restoring RAID Configuration After Replacing a RAID Controller, page C-6.

Figure 3-22 PCIe Slot Numbering and Physical Orientation, Facing Server Rear [panel labels: PCIe Slot 7; PCIe Slot 6]

Figure 3-23 Removing and Replacing a PCIe Card [legend: 1 Riser card assembly removed from chassis; 2 PCIe socket on riser card; 3 PCIe card rear plate; 4 PCIe card retaining latch]

Special Considerations for the Cisco UCS P81E Virtual Interface Card (N2XX-ACPCI01)

The Cisco UCS P81E Virtual Interface Card is a standard-profile, half-length, dual-port 10 Gb PCIe card with SFP+. See the following special considerations and prerequisites:
• This card is supported in server Generations M1 and M2.
• This server supports installation of one of these cards.
• This card is supported only in PCIe slot 6 of this server.
Note This card must be installed in PCIe slot 6 to use the Cisco Card NIC mode (see Figure 3-22 on page 3-36). See also NIC Modes and NIC Redundancy Settings, page 2-12.
• This card requires that the server has CIMC firmware version 1.2(1) or later installed. There is a heartbeat LED on the top and bottom of the card that indicates when firmware is active.
• To use this card for UCS integration (UCSM mode) with Cisco UCS Manager 2.0(2xx) or later, the minimum card-firmware and uboot image level is 2.0(2g).
• To use this card for UCS integration (UCSM mode) with Cisco UCS Manager 1.4 or 2.0(1), the minimum card-firmware and uboot image level is 1.4(1i).
• To connect this card to an upstream Cisco Nexus fabric interconnect (switch), the minimum NXOS version on the fabric interconnect must be 5.0 or later.
• This card requires that you have the new power supply model R2X0-PSU2-650W-SB. A 5A standby mode has been added to these power supplies to support this card. See How to Identify Which Power Supply Model is in Your Server, page 3-37.
• Both power supplies must be model R2X0-PSU2-650W-SB. Do not mix power supply models in the same server.

How to Identify Which Power Supply Model is in Your Server

There are two methods that you can use to identify which power supply is installed in your server:
1. Visually inspect the power supply at the rear of the server. The new power supply model R2X0-PSU2-650W-SB has a black handle; the old power supply had a silver handle.
2. Use the Cisco Integrated Management Controller (CIMC) GUI to view the power supply model:
a. Use a browser to connect to CIMC using the CIMC IP address.
b. Log in to CIMC using your administrator user name and password.
c. On the CIMC Server tab, click Inventory.
d. On the Inventory pane, click the Power Supplies tab.
e. View the power supply model number in the Product ID column.
The new power supply is listed by the manufacturer’s model number, R2X0-PSU2-650W-SB.

Installing Multiple PCIe Cards and Resolving Limited Resources

When a large number of PCIe add-on cards are installed in the server, the system may run out of the following resources required for PCIe devices:
• Option ROM memory space
• 16-bit I/O space

The topics in this section provide guidelines for resolving the issues related to these limited resources.
• Resolving Insufficient Memory Space to Execute Option ROMs, page 3-38
• Resolving Insufficient 16-Bit I/O Space, page 3-39

Resolving Insufficient Memory Space to Execute Option ROMs

The system has very limited memory to execute PCIe legacy option ROMs, so when a large number of PCIe add-on cards are installed in the server, the system BIOS might not be able to execute all of the option ROMs. The system BIOS loads and executes the option ROMs in the order that the PCIe cards are enumerated (Slot 1, Slot 2, Slot 3, etc.). If the system BIOS does not have sufficient memory space to load any PCIe option ROM, it skips loading that option ROM, reports a system event log (SEL) event to the CIMC controller, and reports the following error in the Error Manager page of the BIOS Setup utility:

ERROR CODE | SEVERITY | INSTANCE | DESCRIPTION
146 | Major | N/A | PCI out of resources error. Major severity requires user intervention but does not prevent system boot.

To resolve this issue, disable the Option ROMs that are not needed for system booting. The BIOS Setup Utility provides the setup options to enable or disable the Option ROMs at the PCIe slot level for the PCIe expansion slots and at the port level for the onboard NICs. These options can be found in the BIOS Setup Utility Advanced PCI Configuration page.
• Guidelines for RAID controller booting: If the server is configured to boot primarily from RAID storage, make sure that the option ROMs for the slots where your RAID controllers are installed are enabled in the BIOS, depending on your RAID controller configuration. If the RAID controller does not appear in the system boot order even with the option ROMs for those slots enabled, the RAID controller option ROM might not have sufficient memory space to execute. In that case, disable other option ROMs that are not needed for the system configuration to free up some memory space for the RAID controller option ROM.
• Guidelines for onboard NIC PXE booting: If the system is configured to primarily perform PXE boot from onboard NICs, make sure that the option ROMs for the onboard NICs to be booted from are enabled in the BIOS Setup Utility. Disable other option ROMs that are not needed to create sufficient memory space for the onboard NICs.

Resolving Insufficient 16-Bit I/O Space

The system has only 64 KB of legacy 16-bit I/O resources available. This 64 KB of I/O space is divided between the CPUs in the system because the PCIe controller is integrated into the CPUs. This server BIOS has the capability to dynamically detect the 16-bit I/O resource requirement for each CPU and then balance the 16-bit I/O resource allocation between the CPUs accordingly during the PCI bus enumeration phase of the BIOS POST.

When a large number of PCIe cards are installed in the system, the system BIOS might not have sufficient I/O space for some PCIe devices. If the system BIOS is not able to allocate the required I/O resources for any PCIe devices, the following symptoms have been observed:
• The system might get stuck in an infinite reset loop.
• The BIOS might appear to hang while initializing PCIe devices.
• The PCIe option ROMs might take excessive time to complete, which appears to lock up the system.
• PCIe boot devices might not be accessible from the BIOS.
• PCIe option ROMs might report initialization errors. These errors are seen before the BIOS passes control to the operating system.
• The keyboard might not work.

To work around this problem, rebalance the 16-bit I/O load using the following methods:
1. Physically remove any unused PCIe cards.
2. If the system has one or more Cisco virtual interface cards (VICs) installed, disable the PXE boot on the VICs that are not required for the system boot configuration by using the Network Adapters page in the CIMC WebUI to free up some 16-bit I/O resources. Each VIC uses a minimum of 16 KB of 16-bit I/O resource, so disabling PXE boot on Cisco VICs frees up some 16-bit I/O resources that can be used for other PCIe cards that are installed in the system.

Replacing an LSI MegaRAID Battery Backup Unit

When you install an LSI MegaRAID card and the optional BBU in this server, do not install the BBU on top of the card as described in the LSI instructions. To avoid overheating the card, you must install the BBU on a special bracket that is located on the fan tray.

Note LSI recommends that you replace the LSI BBU once per year or after 1,000 recharge cycles, whichever comes first. Verify whether BBU replacement is required by looking in the CIMC. Log in to CIMC for the server, then click Server > Inventory > Storage > Battery Backup Unit. If the Battery Replacement Required field says “True,” then you must purchase a replacement BBU and replace it.

Warning There is danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions.
Statement 1015

The qualified and supported part numbers for this component are subject to change over time. For the most up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications: http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html

Note The instructions for installing the BBU differ depending on which BBU version you are installing. The newer LSIiBBU08 version requires that you replace the server’s mounting bracket. Procedures for both LSIiBBU06 and LSIiBBU08 are included here.

This section includes the following procedures:
• Replacing an LSIiBBU06 BBU, page 3-40
• Replacing an LSIiBBU08 BBU, page 3-42

Replacing an LSIiBBU06 BBU

This BBU is supported by Cisco for use with the following RAID controller cards:
• LSI MegaRAID 9260-4i (Cisco product ID R200-PL004, LSI 6G MegaRAID 9260-4i card w/512MB write cache)
• LSI MegaRAID 9280-4i4e (Cisco product ID UCSC-RAID-C-4i4e, LSI 9280-4i4e)

To install or replace an LSIiBBU06 version BBU, follow these steps:

Step 1 Remove a BBU:
a. Remove the three screws that secure the BBU to the BBU bracket on the fan tray (see Figure 3-24).
b. Disconnect the cable from the BBU. If you are only replacing a BBU and not the LSI card, you do not have to disconnect the other end of the cable from the card.

Step 2 Install a BBU:
a. Install the cable that is connected to the LSI controller card to socket J2 on the underside of the BBU.
Note Be careful to align the arrow-mark on the cable connector with the arrow-mark on the socket to avoid damaging the connector pins.
b. Place the new BBU over the BBU bracket on the fan tray and align the three screw-holes in the BBU with the three preinstalled standoffs on the bracket.
c. Replace the three securing screws that hold the BBU to the BBU bracket.
Step 3 If this is a first-time installation of the BBU rather than a replacement, install the cable from the BBU to the LSI card: connect the cable from the BBU to the socket on the adapter.
Note Be careful to align the arrow mark on the cable connector with the arrow mark on the socket to avoid damaging the connector pins.

Figure 3-24 Removing and Replacing an LSIiBBU06 BBU
1 BBU bracket on fan tray
2 Securing screws (three)
3 BBU (connector J2 is on the underside)

Replacing an LSIiBBU08 BBU

This BBU is supported by Cisco for use with the following RAID controller cards:
• LSI MegaRAID 9260-4i (Cisco product ID R200-PL004, LSI 6G MegaRAID 9260-4i card with 512 MB write cache)
• LSI MegaRAID 9280-4i4e (Cisco product ID UCSC-RAID-C-4i4e, LSI 9280-4i4e)
• LSI MegaRAID 9260-8i (Cisco product ID RC460-PL001, LSI 6G MegaRAID 9260-8i; C200 SFF only)

To install the LSIiBBU08 BBU, you must replace the mounting bracket on the fan tray with a special adapter bracket that is included with the BBU. Use the following procedure to replace the bracket and to install the BBU.

Step 1 Replace the mounting bracket, only if you are replacing an LSIiBBU06 with an LSIiBBU08. Skip this step and go to Step 2 if your server is already using an LSIiBBU08 BBU and already has the new mounting bracket.
a. Remove any existing BBU from the existing bracket by removing the BBU retaining screws.
b. Disconnect the RAID controller-to-BBU cable from the old BBU.
c. Remove the three screws that hold the bracket to the standoffs on the fan tray (see Figure 3-25).
d. Set the new bracket in place and replace the three screws that secure it to the fan tray (see Figure 3-26).
Figure 3-25 Replacing a Mounting Bracket for the LSIiBBU08 BBU (callout: mounting bracket)
Figure 3-26 Replacing a Mounting Bracket for the LSIiBBU08 BBU (Enlarged) (callout: screws)

Step 2 Install the new LSIiBBU08 BBU:
Note The LSIiBBU08 BBU requires LSI MegaRAID card firmware 2.120.133.1322 or later to be recognized. You can use the Cisco Host Upgrade Utility to upgrade your LSI MegaRAID card firmware. Obtain the Cisco Host Upgrade Utility 1.4.1 or later package (including drivers) from the Cisco.com software download site:
http://www.cisco.com/cisco/software/navigator.html
a. Connect the BBU cable from the LSI controller card to socket J2 on the new BBU.
Note Align the arrow mark on the cable connector with the arrow mark on the socket to avoid damaging the connector pins.
b. Place the new BBU over the new BBU bracket on the fan tray and align the two screw holes in the BBU with the two preinstalled standoffs on the bracket.
c. Install the two securing screws that hold the BBU to the BBU bracket.

Figure 3-27 Removing and Replacing an LSIiBBU08 BBU
1 BBU bracket on fan tray
2 Securing screws (two)
3 BBU (connector J2 is on the underside)

Installing a Mezzanine Card

The qualified and supported part numbers for this component are subject to change over time.
For the most up-to-date list of replaceable components, see the following URL and then scroll to Technical Specifications:
http://www.cisco.com/en/US/products/ps10493/products_data_sheets_list.html

To install or replace a mezzanine card, follow these steps:

Step 1 Remove a mezzanine card:
a. Power off the server as described in the "Shutting Down and Powering Off the Server" section.
b. Disconnect all power cords from the power supplies.
c. Slide the server out the front of the rack far enough so that you can remove the top cover. You might have to detach cables from the rear panel to provide clearance.
Caution If you cannot safely view and access the component, remove the server from the rack.
d. Remove the top cover as described in the "Removing and Replacing the Server Top Cover" section.
e. Disconnect the cable harness from the connector on the top of the mezzanine card.
f. Use needle-nose pliers to pinch the three plastic standoff posts that hold the mezzanine card to the motherboard. Pinching the top of a post provides clearance to lift the mezzanine card off the posts (see Figure 3-28).
g. Lift up on both ends of the mezzanine card evenly to disengage its connector from the motherboard socket.

Step 2 Install a mezzanine card:
a. Place the mezzanine card in the chassis, aligning the holes on the card with the three plastic standoff posts on the motherboard.
b. Push down firmly on the card to fully engage the connector of the card with the motherboard socket.
c. Ensure that the holes in the card click down over the three plastic posts on the motherboard.
d. Reconnect the cable harness to the connector on the top of the mezzanine card.
e. Replace the top cover.
f.
Replace the server in the rack, replace power cords and any other cables, and then power on the server by pressing the Power button.

Figure 3-28 Removing and Replacing a Mezzanine Card
1 Mezzanine card retaining posts (three)
2 Mezzanine card

APPENDIX A Technical Specifications

This appendix lists the technical specifications for the Cisco UCS C200 server and includes the following sections:
• Physical Specifications
• Environmental Specifications
• Power Specifications

Physical Specifications

Table A-1 lists the physical specifications for the server.

Table A-1 Physical Specifications
Description               Specification
Height                    1.70 in. (4.32 cm)
Width                     16.92 in. (43.00 cm)
Depth                     27.80 in. (70.60 cm)
Weight (loaded chassis)   33.00 lb (14.97 kg)

Environmental Specifications

Table A-2 lists the environmental specifications for the server.

Power Specifications

Table A-3 lists the specifications for each power supply.
You can get more specific power information for your exact server configuration by using the Cisco UCS Power Calculator:
http://www.cisco.com/assets/cdc_content_elements/flash/dataCenter/cisco_ucs_power_calculator/

Table A-2 Environmental Specifications
Description                                       Specification
Temperature, operating                            50 to 95°F (10 to 35°C); derate 1°C for every 1000 ft (304 m) up to a maximum altitude of 10,000 ft (3048 m)
Temperature, nonoperating                         –40 to 149°F (–40 to 65°C), within an altitude of 0 to 40,000 ft (0 to 12,000 m)
Humidity (RH), noncondensing                      5 to 93%
Altitude                                          0 to 10,000 ft
Sound power level (A-weighted per ISO 7779, LwAd) 54.7 dBA (5.7 bels), operating at 73°F (23°C)

Table A-3 Power Supply Specifications
Description                                  Specification
AC-input voltage                             115 to 230 VAC nominal (range: 90 to 264 VAC)
AC-input frequency                           50 to 60 Hz nominal (range: 47 to 63 Hz)
Maximum AC-input current                     10 A
Maximum output power for each power supply   650 W (up to two power supplies can be installed)
Power supply output voltage                  Main power: 12 VDC; standby power: 5 VDC

APPENDIX B Cable and Power Cord Specifications

This appendix provides cabling and port specifications for control devices and power connections and includes the following sections:
• KVM Cable
• Supported Power Cords and Plugs

KVM Cable

The KVM cable provides a connection into the server, providing a DB9 serial connector, a VGA connector for a monitor, and dual USB ports for a keyboard and mouse. With this cable, you can create a direct connection to the operating system and the BIOS running on the server. This server supports the following Cisco components and part numbers.
Figure B-1 KVM Cable
1 Connector to server
2 DB9 serial connector
3 VGA connection for a monitor
4 Two-port USB connector for a mouse and keyboard

Supported Components   Part Number
KVM cable              37-1016-01

Supported Power Cords and Plugs

Each power supply has a separate power cord. Standard power cords or jumper power cords are available for connection to the server. The jumper power cords, for use in racks, are available as an optional alternative to the standard power cords.

Note Only the approved power cords or jumper power cords provided with the server are supported.

Table B-1 lists the power cords for the server power supplies.

Table B-1 Supported Power Cords for the Server
Power Cord          Description                                                                        Length (ft / m)   Illustration
SFS-250V-10A-AR     Power Cord, 250 VAC 10 A, IRAM 2073 Plug, Argentina                                8.2 / 2.5         Figure B-2
CAB-9K10A-AU        Power Cord, 250 VAC 10 A, 3112 Plug, Australia                                     8.2 / 2.5         Figure B-3
SFS-250V-10A-CN     Power Cord, 250 VAC 10 A, GB 2009 Plug, China                                      8.2 / 2.5         Figure B-4
CAB-9K10A-EU        Power Cord, 250 VAC 10 A, M 2511 Plug, Europe                                      8.2 / 2.5         Figure B-5
SFS-250V-10A-ID     Power Cord, 250 VAC 16 A, EL-208 Plug, South Africa, United Arab Emirates, India   8.2 / 2.5         Figure B-6
SFS-250V-10A-IS     Power Cord, 250 VAC 10 A, SI32 Plug, Israel                                        8.2 / 2.5         Figure B-7
CAB-9K10A-IT        Power Cord, 250 VAC 10 A, CEI 23-16 Plug, Italy                                    8.2 / 2.5         Figure B-8
CAB-9K10A-SW        Power Cord, 250 VAC 10 A, MP232 Plug, Switzerland                                  8.2 / 2.5         Figure B-9
CAB-9K10A-UK        Power Cord, 250 VAC 10 A, BS1363 Plug (13 A fuse), United Kingdom                  8.2 / 2.5         Figure B-10
CAB-AC-250V/13A     Power Cord, 250 VAC 13 A, IEC60320 Plug, North America                             6.6 / 2.0         Figure B-11
CAB-N5K6A-NA        Power Cord, 250 VAC 13 A, NEMA 6-15 Plug, North America                            8.2 / 2.5         Figure B-12
CAB-9K12A-NA        Power Cord, 125 VAC 13 A, NEMA 5-15 Plug, North America                            8.2 / 2.5         Figure B-13
CAB-C13-C14-JMPR    Cabinet Jumper Power Cord, 250 VAC 13 A, C13-C14 Connectors                        2.2 / 0.7         Figure B-14

AC Power Cord Illustrations

This section contains the AC power cord illustrations. The plug, connector, and cordset rating marked on each illustration are listed below.

Figure B-2 SFS-250V-10A-AR: Plug EL 219 (IRAM 2073); Connector EL 701 (IEC60320/C13); cordset rating 10 A, 250/500 V MAX; length 2500 mm (8.2 ft)
Figure B-3 CAB-9K10A-AU: Plug EL 206 (A.S. 3112-2000); Connector EL 701C (IEC 60320/C15); cordset rating 10 A, 250 V/500 V; length 2500 mm
Figure B-4 SFS-250V-10A-CN: Plug EL 218 (CCEE GB2009); Connector EL 701 (IEC60320/C13); cordset rating 10 A, 250 V; length 2500 mm
Figure B-5 CAB-9K10A-EU: Plug M2511; Connector VSCC15; cordset rating 10 A/16 A, 250 V; length 8 ft 2 in. (2.5 m)
Figure B-6 SFS-250V-10A-ID: Plug EL 208; Connector EL 701; cordset rating 16 A, 250 V; length 2500 mm
Figure B-7 SFS-250V-10A-IS: Plug EL 212 (SI-32); Connector EL 701B (IEC60320/C13); cordset rating 10 A, 250 V/500 V MAX; length 2500 mm
Figure B-8 CAB-9K10A-IT: Plug I/3G (CEI 23-16), 16 A 250 V; Connector C15M (EN60320/C15); cordset rating 10 A, 250 V; length 8 ft 2 in. (2.5 m)
Figure B-9 CAB-9K10A-SW: Plug MP232-R; Connector IEC 60320 C15; cordset rating 10 A, 250 V; length 8 ft 2 in. (2.5 m)
Figure B-10 CAB-9K10A-UK: Plug EL 210 (BS 1363A), 13 A fuse; Connector EL 701C (EN 60320/C15); cordset rating 10 A, 250 V/500 V MAX; length 2500 mm
Figure B-11 CAB-AC-250V/13A: Plug EL312 Molded Twistlock (NEMA L6-20); Connector EL 701 (IEC60320/C13); cordset rating 13 A, 250 V; length 6.6 ft (2.0 m)
Figure B-12 CAB-N5K6A-NA: Plug NEMA 6-15P; Connector IEC60320/C13; cordset rating 10 A, 250 V; length 8.2 ft
Figure B-13 CAB-9K12A-NA: Plug NEMA 5-15P; Connector IEC60320/C15; cordset rating 13 A, 125 V; length 8.2 ft (2.5 m)
Figure B-14 CAB-C13-C14-JMPR, Jumper Power Cord: Plug SS10A; Connector HS10S; cordset rating 10 A, 250 V; length 686 mm

APPENDIX C RAID Controller Considerations

This appendix contains the following sections:
• Supported RAID Controllers and Required Cables
• Enabling the Integrated Intel ICH10R RAID Controller in the BIOS
• Enabling the Mezzanine Card RAID Controller in the BIOS
• RAID Controller Cabling
• How to Determine Which Controller Is in Your Server
• How to Disable Quiet Boot For CIMC Firmware Earlier Than Release 1.2(1)
• How To Launch Option ROM-Based Controller Utilities
• Restoring RAID Configuration After Replacing a RAID Controller
• For More Information

Supported RAID Controllers and Required Cables

The Cisco UCS C200 Large Form-Factor (LFF) and C200 Small Form-Factor (SFF) server models
support the RAID controller options and cable requirements shown in Table C-1 and Table C-2.

Note Do not mix controller types in the server. Dual controllers are not supported.

Table C-1 Cisco UCS C200 LFF RAID Options (Up to Four 3.5-Inch Internal Drives)
Controller                 Style       Max. Internal Drives   SAS   SATA   Opt. BBU   RAID Levels              Required Cables
Intel ICH10R (1)           Integrated  4                      No    Yes    No         0, 1                     1 SATA (R200-SATACBL)
LSI 1064E (2)              Mezzanine   4                      Yes   Yes    No         0, 1, 1E                 1 SAS (R200-SASCBL)
LSI MegaRAID 9260-4i (3)   PCIe        4                      Yes   Yes    Yes        0, 1, 5, 6, 10, 50, 60   1 SAS (R200-SASCBL)
LSI MegaRAID 9280-4i4e     PCIe        4                      Yes   Yes    Yes        0, 1, 5, 6, 10, 50, 60   1 SAS (R200-SASCBL)
1. The integrated ICH10R controller must be enabled in the BIOS. This controller is not compatible with VMware ESX/ESXi Server software in any generation or version of the Cisco UCS C200 server.
2. You cannot mix SAS and SATA drives when using a 1064E-based controller.
3. You can mix SAS and SATA drives when using an LSI MegaRAID card. However, you cannot mix SAS and SATA drives within a volume.

Table C-2 Cisco UCS C200 SFF RAID Options (Up to Eight 2.5-Inch Internal Drives)
Controller                 Style       Max. Internal Drives   SAS   SATA   Opt. BBU   RAID Levels              Required Cables
Intel ICH10R (1)           Integrated  4                      No    Yes    No         0, 1                     1 SATA (R200-SATACBL)
LSI 1068E (2)              Mezzanine   8                      Yes   Yes    No         0, 1, 1E                 4 drives: 1 SAS; 8 drives: 2 SAS (R200-SASCBL) (3)
LSI MegaRAID 9260-8i (4)   PCIe        8                      Yes   Yes    Yes        0, 1, 5, 6, 10, 50, 60   4 drives: 1 SAS; 8 drives: 2 SAS (R200-SASCBL)
LSI MegaRAID 9280-4i4e     PCIe        4                      Yes   Yes    Yes        0, 1, 5, 6, 10, 50, 60   1 SAS (R200-SASCBL)
1. The integrated ICH10R controller must be enabled in the BIOS. This controller is not compatible with VMware ESX/ESXi Server software in any generation or version of the Cisco UCS C200 server.
2. You can mix SAS and SATA drives when using a 1068E-based controller. However, you cannot mix SAS and SATA drives within a volume.
3. Two SAS cables (R200-SASCBL) are shipped with the Cisco UCS C200 SFF server.
4. You can mix SAS and SATA drives when using an LSI MegaRAID card. However, you cannot mix SAS and SATA drives within a volume.

Enabling the Integrated Intel ICH10R RAID Controller in the BIOS

Note The integrated ICH10R RAID controller is not compatible with VMware ESX/ESXi Server software in any generation or version of the Cisco UCS C200 server.

When using the integrated RAID, you must enable the ICH10R controller in SW RAID mode.

Step 1 Boot the server and press F2 when prompted to enter the BIOS Setup utility.
Step 2 Select the Advanced tab, then Mass Storage Controllers Configuration.
Step 3 Set Onboard SATA Controller to Enabled.
Step 4 Set SATA Mode to SW RAID.
Step 5 Press F10 to save your changes and exit the utility.

Enabling the Mezzanine Card RAID Controller in the BIOS

When using the supported mezzanine-style RAID controller card, you must enable the ICH10R controller in Enhanced mode.

Step 1 Make sure that a RAID cable is attached between the mezzanine card and the disk backplane.
Step 2 Boot the server and press F2 when prompted to enter the BIOS Setup utility.
Step 3 Select the Advanced tab, then Mass Storage Controllers Configuration.
Step 4 Set Onboard SATA Controller to Enabled.
Step 5 Set SATA Mode to Enhanced.
Step 6 Press F10 to save your changes and exit the BIOS Setup utility.
Step 7 To set up a RAID configuration when using the mezzanine card, boot the server and press Ctrl-C when prompted to start the mezzanine card's configuration utility.

RAID Controller Cabling

The possible RAID controller connectors in this server are shown in Figure C-1.
The blue line indicates the recommended cable routing path from the backplane to the possible controller locations.

Note The Cisco UCS C200 SFF server is shown, with an eight-drive backplane. The LFF server has a four-drive backplane.

Figure C-1 RAID Controller Connectors
1 Drive backplane
2 Integrated RAID connector on motherboard
3 Mezzanine card connector(s)
4 LSI MegaRAID PCIe card connectors

Cisco UCS C200 LFF Server Cabling

The cable connections required for each type of controller are as follows:
• Integrated ICH10R: Connect one SATA cable from the motherboard connector to the drives 1–4 connectors on the backplane.
• 1064E mezzanine card: Connect one SAS cable from the single connector on the mezzanine card to the drives 1–4 connectors on the backplane.
• LSI MegaRAID card: Connect one SAS cable from connector 1 on the card to the drives 1–4 connectors on the backplane.

For all controller types, connect the numbered cable connectors to the corresponding numbered backplane connectors. Connect the cable connector labeled SGPIO to the backplane connector labeled SGPIO.

Cisco UCS C200 SFF Server Cabling

The cable connections required for each type of controller are as follows:

Note Two SAS cables (R200-SASCBL) are shipped with the Cisco UCS C200 SFF server (but not with the LFF version of the server). You can order a set of two spare SAS cables (Cisco PID UCSC-CBL-I2F1).

• Integrated ICH10R: Connect one SATA cable from the motherboard connector to the drives 1–4 connectors on the backplane. (Controls 4 drives only.)
• 1068E mezzanine card: Connect SAS cable 1 from connector 1 on the card to the drives 1–4 connectors on the backplane. Connect SAS cable 2 from connector 2 on the card to the drives 5–8 connectors on the backplane.
• LSI MegaRAID 9260-8i card: Connect SAS cable 1 from connector 1 on the card to the drives 1–4 connectors on the backplane. Connect SAS cable 2 from connector 2 on the card to the drives 5–8 connectors on the backplane.
• LSI MegaRAID 9280-4i4e card: Connect one SAS cable from connector 1 on the card to the drives 1–4 connectors on the backplane. (Controls 4 drives only.)

For all controller types, connect the numbered cable connectors to the corresponding numbered backplane connectors. Connect the cable connector labeled SGPIO to the backplane connector labeled SGPIO.

How to Determine Which Controller Is in Your Server

If you do not have a record of which device is used in the server, you can read the on-screen messages that are displayed during system bootup. These messages display information about the devices that are installed in your server.
• Information about the models of card installed is displayed as part of the verbose boot. You are also prompted to press Ctrl-H to launch the configuration utilities for those cards. For servers running CIMC firmware earlier than release 1.2(1), see also How to Disable Quiet Boot For CIMC Firmware Earlier Than Release 1.2(1).
• If the mezzanine-style card is enabled, you are prompted to press Ctrl-C to launch the configuration utility for these cards. See also Enabling the Mezzanine Card RAID Controller in the BIOS.
• If no card models are displayed but there is a RAID configuration, your server is using the onboard ICH10R controller. You are also prompted to press Ctrl-M to launch the configuration utility for this controller. See also Enabling the Integrated Intel ICH10R RAID Controller in the BIOS.
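The bullets above identify the controller from the POST screen. As an added example that is not part of the Cisco guide, the following Python script does the same from a running Linux host: it classifies `lspci -nn` output, maps each RAID-capable device to the hotkey listed above, and flags the two configurations this appendix rules out (two add-on controllers, or a mezzanine card with the onboard controller still in SW RAID mode). The PCI vendor:device IDs and device-name strings it matches are assumptions taken from the Linux pci.ids database rather than from this guide, and both sample listings are constructed.

```python
"""Identify the RAID controller in a Cisco UCS C200 from `lspci -nn` output.

Added example, not from the Cisco guide. The PCI IDs and name strings are
assumptions based on the Linux pci.ids database; samples are constructed.
"""
import re

# (pattern matched against one lspci line, controller label used by the guide,
#  option-ROM hotkey from the guide, onboard SATA Mode the guide requires)
_CONTROLLER_PATTERNS = [
    (re.compile(r"MegaRAID SAS 2108|\[1000:0079\]"), "LSI MegaRAID 9260/9280 (PCIe)", "Ctrl-H", None),
    (re.compile(r"SAS1068E|\[1000:0058\]"), "LSI 1068E (mezzanine)", "Ctrl-C", "Enhanced"),
    (re.compile(r"SAS1064E|\[1000:0056\]"), "LSI 1064E (mezzanine)", "Ctrl-C", "Enhanced"),
    # Assumption: the ICH10R enumerates with this ID only when SATA Mode is SW RAID.
    (re.compile(r"\[8086:2822\]"), "Intel ICH10R (integrated, SW RAID)", "Ctrl-M", "SW RAID"),
]


def identify_controllers(lspci_text):
    """Return one record per RAID-capable controller found in `lspci -nn` output."""
    found = []
    for line in lspci_text.splitlines():
        for pattern, label, hotkey, sata_mode in _CONTROLLER_PATTERNS:
            if pattern.search(line):
                found.append({
                    "slot": line.split()[0],      # PCI address, e.g. "05:00.0"
                    "controller": label,
                    "hotkey": hotkey,             # key to press at the verbose-boot prompt
                    "onboard_sata_mode": sata_mode,
                })
                break                             # one record per line
    return found


def check_controllers(found):
    """Apply the guide's constraints: one controller type per server, and a
    mezzanine card needs the onboard controller in Enhanced (non-RAID) mode."""
    warnings = []
    addon = [f for f in found if "ICH10R" not in f["controller"]]
    onboard_raid = len(addon) != len(found)
    if len(addon) > 1:
        warnings.append("Dual controllers are not supported: "
                        + ", ".join(f["controller"] for f in addon))
    if onboard_raid and addon:
        warnings.append("Onboard ICH10R is in SW RAID mode while an add-on "
                        "controller is present; set SATA Mode to Enhanced")
    if not found:
        warnings.append("No RAID controller enumerated; the onboard controller "
                        "may be disabled or not in SW RAID mode")
    return warnings


# Constructed samples in `lspci -nn` form (not captured from a real C200).
SAMPLE_MEGARAID = """\
00:1f.2 SATA controller [0106]: Intel Corporation 82801JI (ICH10 Family) SATA AHCI Controller [8086:3a22]
05:00.0 RAID bus controller [0104]: LSI Logic / Symbios Logic MegaRAID SAS 2108 [Liberator] [1000:0079] (rev 05)
"""

SAMPLE_MISCONFIGURED = """\
00:1f.2 RAID bus controller [0104]: Intel Corporation SATA Controller [RAID mode] [8086:2822]
08:00.0 SCSI storage controller [0100]: LSI Logic / Symbios Logic SAS1068E PCI-Express Fusion-MPT SAS [1000:0058] (rev 08)
"""

if __name__ == "__main__":
    for name, sample in (("MegaRAID host", SAMPLE_MEGARAID),
                         ("misconfigured host", SAMPLE_MISCONFIGURED)):
        found = identify_controllers(sample)
        print(name)
        for f in found:
            print(f"  {f['slot']}: {f['controller']} -> press {f['hotkey']} at the boot prompt")
        for w in check_controllers(found):
            print("  WARNING:", w)
```

To run it against a live host, pass the real listing in with `identify_controllers(subprocess.check_output(["lspci", "-nn"], text=True))`. Treat an unexpected second controller as a configuration error to resolve before changing any RAID setup, not as inventory to record.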
How to Disable Quiet Boot For CIMC Firmware Earlier Than Release 1.2(1)

For CIMC firmware and BIOS release 1.2(1) and later, Quiet Boot has been removed. If you are running CIMC firmware and BIOS earlier than release 1.2(1), use the following procedure to disable Quiet Boot so that the controller information and the prompts for the option ROM-based LSI utilities are displayed during bootup:

Step 1 Boot the server and watch for the F2 prompt during bootup.
Step 2 Press F2 when prompted to enter the BIOS Setup utility.
Step 3 On the Main page of the BIOS Setup utility, set Quiet Boot to Disabled. This allows non-default messages, prompts, and POST messages to display during bootup instead of the Cisco logo screen.
Step 4 Press F10 to save your changes and exit the utility.

How To Launch Option ROM-Based Controller Utilities

To alter the RAID configurations on your hard drives, you can use host-based utilities that you install on top of your host OS, or you can use the LSI option ROM-based utilities that are installed on the server.

When you boot the server with quiet boot disabled (see How to Disable Quiet Boot For CIMC Firmware Earlier Than Release 1.2(1)), information about your controller is displayed along with the prompts for the key combination to launch the option ROM-based utilities for your controller. Watch for the prompt for your controller during verbose boot:
• The prompt for the LSI controller card utility is Ctrl-H.
• The prompt for the mezzanine-style controller cards is Ctrl-C.
• The prompt for the onboard Intel ICH10R controller utility is Ctrl-M.
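The host-based route mentioned above is, for the MegaRAID cards, LSI's MegaCli utility. As an added example that is not from the Cisco guide or from LSI, the following Python script parses constructed samples of two MegaCli reports to reproduce the Battery Replacement Required check from the BBU replacement section earlier in this guide and to answer the question that check leaves open: which virtual drives would lose dirty write cache on a power failure while the battery is bad. By default a MegaRAID controller drops a virtual drive from write-back to write-through when its BBU is bad; a drive set to "Write Cache OK if bad BBU" keeps write-back regardless and is the one to worry about. The field names and line layouts are assumptions modelled on the output of `MegaCli64 -AdpBbuCmd -GetBbuStatus -aAll` and `MegaCli64 -LDGetProp -Cache -LAll -aAll`; verify them against your own controller's output.

```python
"""BBU health and unprotected write-back check from MegaCli output.

Added example, not from the Cisco guide or LSI. Field names and layouts are
assumptions modelled on MegaCli output; both samples are constructed.
"""
import re

# Constructed sample of a BBU report for a battery at end of life.
SAMPLE_BBU_STATUS = """\
BBU status for Adapter: 0

BatteryType: iBBU08
Voltage: 4061 mV
Current: 0 mA
Temperature: 41 C
Battery State: Degraded
BBU Firmware Status:

  Charging Status                         : None
  Voltage                                 : OK
  Temperature                             : OK
  Learn Cycle Requested                   : No
  Learn Cycle Active                      : No
  Battery Pack Missing                    : No
  Battery Replacement required            : Yes
  Remaining Capacity Low                  : Yes
  Pack is about to fail & should be replaced : No

Relative State of Charge: 37 %
"""

# Constructed sample of per-virtual-drive cache policies on the same adapter.
SAMPLE_CACHE_POLICY = """\
Adapter 0-VD 0(target id: 0): Cache Policy:WriteBack, ReadAheadNone, Direct, No Write Cache if bad BBU
Adapter 0-VD 1(target id: 1): Cache Policy:WriteBack, ReadAdaptive, Direct, Write Cache OK if bad BBU
Adapter 0-VD 2(target id: 2): Cache Policy:WriteThrough, ReadAheadNone, Direct, No Write Cache if bad BBU
"""

_FIELD = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")
_VD = re.compile(r"Adapter (?P<adapter>\d+)-VD (?P<vd>\d+)\(target id: \d+\): Cache Policy:(?P<policy>.+)$")


def parse_bbu_status(text):
    """Flatten 'Name : Value' lines into a dict; lines with no value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("name")] = m.group("value")
    return fields


def bbu_needs_replacement(fields):
    """Same verdict as the CIMC 'Battery Replacement Required' field, from MegaCli fields."""
    def is_yes(key):
        return fields.get(key, "No").strip().lower() == "yes"
    return (is_yes("Battery Replacement required")
            or is_yes("Pack is about to fail & should be replaced")
            or is_yes("Battery Pack Missing"))


def parse_cache_policies(text):
    """Return one record per virtual drive with its write-cache settings."""
    drives = []
    for line in text.splitlines():
        m = _VD.search(line)
        if not m:
            continue
        flags = [p.strip() for p in m.group("policy").split(",")]
        drives.append({
            "adapter": int(m.group("adapter")),
            "vd": int(m.group("vd")),
            "write_back": flags[0] == "WriteBack",
            # 'Write Cache OK if bad BBU' keeps write-back on with a bad battery;
            # the default 'No Write Cache if bad BBU' falls back to write-through.
            "force_write_back": "Write Cache OK if bad BBU" in flags,
        })
    return drives


def at_risk_virtual_drives(bbu_fields, drives):
    """Virtual drives whose dirty cache would be lost on a power failure: the BBU
    needs replacement and the drive is forced to stay in write-back mode."""
    if not bbu_needs_replacement(bbu_fields):
        return []
    return [d["vd"] for d in drives if d["write_back"] and d["force_write_back"]]


if __name__ == "__main__":
    bbu = parse_bbu_status(SAMPLE_BBU_STATUS)
    drives = parse_cache_policies(SAMPLE_CACHE_POLICY)
    print("BBU type:", bbu.get("BatteryType"), "| state:", bbu.get("Battery State"))
    print("Replacement required:", bbu_needs_replacement(bbu))
    print("VDs with unprotected write-back cache:", at_risk_virtual_drives(bbu, drives))
```

Until a flagged BBU is replaced, either switch the listed virtual drives to write-through or accept that a power loss can discard committed writes; the Cisco procedure above covers the physical replacement, not the interim cache policy.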
Note Cisco has also developed the Cisco Server Configuration Utility for C-Series servers, which can assist you in setting up some RAID configurations for your drives. This utility is shipped with new servers on CD. You can also download the ISO from Cisco.com. See the user documentation for this utility at the following URL:
http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/ucsscu/user/guide/20/SCUUG20.html

Restoring RAID Configuration After Replacing a RAID Controller

When you replace a RAID controller, the RAID configuration that is stored in the controller is lost. Use the following procedure to restore your RAID configuration to your new RAID controller.

Step 1 Replace your RAID controller. See Replacing an LSI MegaRAID Battery Backup Unit.
Step 2 If this was a full chassis swap, replace all drives into the drive bays, in the same order that they were installed in the old chassis.
Step 3 If Quiet Boot is enabled, disable it in the system BIOS. See How to Disable Quiet Boot For CIMC Firmware Earlier Than Release 1.2(1).
Step 4 Reboot the server and watch for the prompt to press F.
Step 5 Press F when you see the following on-screen prompt:
Foreign configuration(s) found on adapter. Press any key to continue or 'C' load the configuration utility, or 'F' to import foreign configuration(s) and continue.
Step 6 Press any key (other than C) to continue when you see the following on-screen prompt:
All of the disks from your previous configuration are gone. If this is an unexpected message, then please power off your system and check your cables to ensure all disks are present. Press any key to continue, or 'C' to load the configuration utility.
Step 7 Watch the subsequent screens for confirmation that your RAID configuration was imported correctly.
• If you see the following message, your configuration was successfully imported. The LSI virtual drive is also listed among the storage devices.
N Virtual Drive(s) found on host adapter.
• If you see the following message, your configuration was not imported. This can happen if you do not press F quickly enough when prompted. In this case, reboot the server and try the import operation again when you are prompted to press F.
0 Virtual Drive(s) found on host adapter.

For More Information

The LSI utilities have help documentation for more information about using the utilities. For basic information about RAID and for using the utilities for the RAID controller cards, see the Cisco UCS Servers RAID Guide. Full LSI documentation is also available:
• LSI MegaRAID SAS Software User's Guide (for LSI MegaRAID)
http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/lsi/mrsas/userguide/LSI_MR_SAS_SW_UG.pdf
• LSI SAS2 Integrated RAID Solution User Guide (for LSI SAS1064E)
http://www.cisco.com/en/US/docs/unified_computing/ucs/3rd-party/lsi/irsas/userguide/LSI_IR_SAS_UG.pdf

APPENDIX D Installation for Cisco UCS Integration

The Cisco UCS integration instructions have been moved to the integration guides found here: Cisco UCS C-Series Server Integration with UCS Manager Guides. Refer to the guide that is for the version of Cisco UCS Manager that you are using.

Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel.:
+1 408 526-4000
+1 800 553-NETS (6387)
Fax: +1 408 526-4100

Cisco Unified IP Phone 7961G/7961G-GE and 7941G/7941G-GE for Cisco Unified CallManager 4.2
INCLUDING LICENSE AND WARRANTY
Phone Guide

Copyright © 2006, Cisco Systems, Inc. All rights reserved. Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the United States and certain other countries. All other names or marks mentioned in this document or on the website are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (0601R) OL-9616-01

Quick Reference
Cisco Unified IP Phone 7961G/7961G-GE and 7941G/7941G-GE for Cisco Unified CallManager 4.2

Softkey Definitions
Phone Screen Icons
Button Icons
Common Phone Tasks

Softkey Definitions
AGrpIntr   Answer a call that is ringing in an associated group
Annuler    Cancel an action or exit a screen without applying changes
autres     Display additional softkeys
Bis        Redial the most recently dialed number
Compos.    Dial a phone number
Conf.      Create a conference call
ConG       Log out of hunt groups to stop calls from those groups from ringing on your phone
Détails    Open the Details record for a multiparty call in the Missed Calls and Received Calls logs
EditNum    Edit a number in a call log
Effacer    Delete records or settings
Effacer    Reset settings to their default values
Enreg.     Save the chosen settings
Fermer     Close the current window
FinApp.    Disconnect the current call
GrpIntr    Answer a call that is ringing in another group
InsConf    Join a call on a shared line and establish a conference call
Insert     Join a call on a shared line
Intrcpt    Answer a call in your own group
Joindre    Join several calls in progress on one line to establish a conference call
ListConf   View the list of conference participants
MàJ        Refresh the content
ModeVid.   Choose a video display mode
MulConf    Host a Meet-Me conference call
NumAbr     Dial a number using a speed-dial code
NvAppel    Place a new call
Parquer    Store a call using Call Park
Précédent  Return to the previous help topic
QRT        Submit call problems to the system administrator
Quitter    Return to the previous screen
Rappel     Receive a notification when a busy extension becomes available
Recher.    Search a directory listing
RenvTt     Set up or cancel call forwarding
Répond.    Answer a call
Reprend    Resume a call on hold
Rvoi Im    Send a call to your voice messaging system
Sélect.    Select a menu item or a call
SupDerA    Drop the last party added to a conference call
Suppr.     Delete the characters to the right of the cursor when using EditNum
Suppr.     Remove a participant from the conference
TrnsDir    Transfer two calls to each other
Trnsfer    Transfer a call
<<         Delete entered characters
>>         Move between entered characters

Common Phone Tasks
View online help on the phone: Press the Help button.
Place a call: Go off-hook before or after dialing a number.
Redial a number: Press Bis, or press the Navigation button with the phone on-hook to view the Placed Calls log.
Use the handset during a call: Lift the handset.
Use the speakerphone or headset during a call: Press the Speaker or Headset button, then hang up the handset.
Mute the phone: Press the Mute button.
Use call logs: Press the Directories button to choose a call log. To dial, highlight a listing and go off-hook.
Edit a number: Press EditNum, then << or >>.
Hold or resume a call: Press Attente or Reprend.
Transfer a call to a new number: Press Trnsfer, enter the target number, then press Trnsfer again.
Start a standard conference call: Press autres > Conf., dial the participant, then press Conf. again.

Phone Screen Icons
Line and call state: Call forwarding enabled; Call on hold; Connected call; Phone off-hook; Phone on-hook; Incoming call; Shared line in use
Secure calls: Authenticated call; Secure call
Selected device: Handset in use; Headset in use; Speakerphone in use
Priority calls: Priority call; Medium-priority call; High-priority call; Highest-priority call
Other features: Speed-dial button configured; Message waiting; Video mode enabled; Option selected; Feature enabled

Button Icons
Messages, Services, Help, Directories, Settings, Volume, Speaker, Mute, Headset

Contents
Getting Started
  Using This Guide
  Finding Additional Information
  Additional Information on Customizing Your Phone on the Web
  Safety and Performance Information
  Accessibility Features
Connecting Your Phone
An Overview of Your Phone
  Understanding Buttons and Hardware
  Understanding Phone Screen Features
  Cleaning the Phone Screen
  Understanding Feature Menus and Buttons
  Understanding the Help System on Your Phone
  Understanding Lines vs. Calls
  Understanding Line and Call Icons
  Understanding Feature Availability
Basic Call Handling
  Placing a Call: Basic Options
  Placing a Call: Additional Options
  Answering a Call
  Ending a Call
  Using Hold and Resume
  Using Mute
  Switching Between Multiple Calls
  Viewing Multiple Calls
  Transferring Calls
  Forwarding All Calls to Another Number
  Making Conference Calls
    Understanding Types of Conference Calls
    Starting and Joining a Standard Conference Call
    Starting or Joining a Meet-Me Conference Call
Advanced Call Handling
  Speed Dialing
  Picking Up a Call Redirected to Your Phone
  Using a Shared Line
    Understanding Shared Lines
    Adding Yourself to a Shared-Line Call
    Preventing Others from Viewing or Joining a Shared-Line Call
  Storing and Retrieving Parked Calls
  Making and Receiving Secure Calls
  Tracing Suspicious Calls
  Prioritizing Critical Calls
  Using Cisco Extension Mobility
  Logging Out of Hunt Groups
Using a Handset, Headset, and Speakerphone
  Obtaining a Headset
  Using AutoAnswer
Using Phone Settings
  Customizing Rings and Message Indicators
  Customizing the Phone Screen
Using Call Logs and Directories
  Using Call Logs
  Using the Corporate Directory on Your Phone
Accessing Voice Messages
Accessing Your User Options Web Pages
  Logging In to the User Options Web Pages
  Subscribing to Phone Services
  Understanding Additional Configuration Options
Troubleshooting Your Phone
  General Troubleshooting
  Viewing Phone Administration Data
  Using the Quality Reporting Tool (QRT)
Cisco One-Year Limited Hardware Warranty Terms
Index

Getting Started

Using This Guide

This guide gives you an overview of the features available on your phone. Read it in its entirety to learn everything your phone can do. You can also use the table below to go straight to the most commonly used sections.

To...                                      Do this:
Learn to use your phone on your own        If you need help, press the Help button on the phone.
Review the safety guidelines               See "Safety and Performance Information," page 3.
Connect the phone                          See "Connecting Your Phone," page 6.
Use the phone after it is installed        See "An Overview of Your Phone," page 9, first.
Learn what the buttons and lights mean     See "Understanding Buttons and Hardware," page 9.
Learn about the screen                     See "Understanding Phone Screen Features," page 13.
Passer des appels Reportez-vous à la section« Établissement d’un appel : options de base », page 17. Mettre des appels en attente Reportez-vous à la section« Utilisation des fonctions d’attente et de reprise », page 21. Mettre des appels en mode Secret Reportez-vous à la section « Utilisation du mode Secret », page 22. Transférer des appels Reportez-vous à la section « Transfert d’appels », page 23. Établir des conférences téléphoniques Reportez-vous à la section « Établissement de conférences téléphoniques », page 26. Configurer la fonction de numérotation abrégée Reportez-vous à la section « Numérotation abrégée », page 30.2 OL-9616-01 Recherche d’informations supplémentaires Pour obtenir la documentation la plus récente sur les téléphones IP Cisco Unified, reportez-vous au site Web à l’adresse suivante : http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm Vous pouvez accéder au site Web de Cisco à l’adresse suivante : http://www.cisco.com/ Les sites Web internationaux de Cisco sont accessibles à l’adresse suivante : http://www.cisco.com/public/countries_languages.shtml Informations supplémentaires sur la personnalisation de votre téléphone sur le Web Votre téléphone IP Cisco Unified est un périphérique réseau qui peut partager des informations avec les autres périphériques du même type de votre entreprise, notamment votre ordinateur. Pour établir/personnaliser des services téléphoniques et contrôler les fonctions/paramètres du téléphone depuis votre ordinateur, vous pouvez utiliser les pages Web Options utilisateur de Cisco Unified CallManager. Ces fonctions font l’objet d’une présentation générale dans ce manuel. Pour obtenir des instructions complètes, reportez-vous au manuel de personnalisation de votre téléphone IP Cisco Unified sur le Web à l’adresse suivante : http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm Partager un numéro de téléphone Reportez-vous à la section « Utilisation d’une ligne partagée », page 32. 
Utiliser la fonction haut-parleur du téléphone Reportez-vous à la section « Utilisation du combiné, du casque et du haut-parleur », page 39. Modifier le volume de la sonnerie ou de la tonalité Reportez-vous à la section « Utilisation des paramètres du téléphone », page 41. Consulter vos appels en absence Reportez-vous à la section « Utilisation des journaux d’appels et des répertoires », page 43. Écouter vos messages vocaux Reportez-vous à la section « Accès aux messages vocaux », page 46. Consulter les définitions des touches dynamiques et des icônes Reportez-vous au livret de référence au début du présent manuel. Pour... Procédez comme suit :3 Consignes de sécurité et informations relatives aux performances Avant d’installer ou d’utiliser votre téléphone IP Cisco Unified, lisez les consignes de sécurité suivantes. Attention CONSIGNES DE SÉCURITÉ IMPORTANTES Ce symbole d’avertissement signale un danger. Vous vous trouvez dans une situation pouvant occasionner des lésions corporelles. Avant de travailler sur un équipement, soyez conscient des risques liés aux circuits électriques et familiarisez-vous avec les procédures couramment utilisées pour éviter les accidents. Utilisez le numéro indiqué à la fin de chaque avertissement pour en rechercher la traduction dans votre version localisée des consignes de sécurité fournies avec ce périphérique. Déclaration 1071. INSTRUCTIONS À GARDER À L’ESPRIT Attention Lisez les instructions d’installation avant de raccorder l’appareil à sa source d’alimentation. Attention La mise au rebut de ce produit doit se faire en conformité avec les lois et réglementations en vigueur dans votre pays. Attention Ne travaillez pas sur le système et ne touchez pas aux câbles pendant un orage. Attention Pour prévenir tout risque d’électrocution, ne branchez pas de circuits de sécurité à tension très basse (Safety extra-low voltage, SELV) sur les circuits de tension destinés au réseau téléphonique (telephone network voltage, TNV). 
Les ports LAN (réseau local) contiennent des circuits SELV et, les ports WAN (réseau étendu), des circuits TNV. Certains ports LAN et WAN utilisent des connecteurs RJ-45. Soyez prudent lorsque vous connectez des câbles. Avertissement Les circuits d’alimentation directe acheminent le courant via le câble de communication. Utilisez le câble Cisco fourni ou un câble de communication AWG 24 minimum.4 OL-9616-01 Utilisation d’une alimentation externe Les avertissements suivants s’appliquent lorsque vous utilisez une alimentation externe avec le téléphone IP Cisco Unified. Attention Ce produit présuppose l’installation d’une protection contre les courts-circuits liés à une surtension. Veillez à utiliser un fusible ou un disjoncteur inférieur à 120 VCA/15 A aux États-Unis (240 VCA/10 A dans le reste du monde) sur les conducteurs de phase (tout conducteur de courant). Attention Ce dispositif est conçu pour fonctionner avec des systèmes d’alimentation TN. Attention L’ensemble de raccordement fiche-prise doit être accessible à tout moment car il sert de dispositif principal de déconnexion. Attention L’alimentation doit être placée en intérieur. Avertissement Utilisez uniquement l’alimentation spécifiée par Cisco avec ce produit. Panne de courant Votre accessibilité à des services d’urgence par téléphone dépend de l’alimentation de l’appareil. Lors d’une panne de courant, la numérotation des services d’entretien et d’appel d’urgence ne fonctionnera pas. 
Dans ce cas, vous devrez peut-être réinitialiser ou reconfigurer l’équipement avant d’utiliser la numérotation des services d’entretien et d’appel d’urgence.5 Utilisation de périphériques externes Les informations suivantes s’appliquent lorsque vous utilisez des périphériques externes avec le téléphone IP Cisco Unified : Cisco recommande d’utiliser des périphériques externes de bonne qualité (haut-parleurs, microphones et casques), qui soient blindés contre les interférences produites par les signaux de fréquences radio (FR) et audio (FA). En fonction de leur qualité et de la proximité d’autres périphériques (téléphone portable, radio bidirectionnelle, etc.), des parasites sonores peuvent toujours se produire. Dans ce cas, Cisco vous recommande d’effectuer une ou plusieurs des opérations suivantes : • Éloignez le périphérique externe de la source des signaux de fréquences radio ou audio. • Éloignez les câbles du périphérique externe de la source des signaux de fréquences radio ou audio. • Utilisez des câbles blindés pour le périphérique externe ou des câbles dotés d’un blindage supérieur et d’un meilleur connecteur. • Raccourcissez le câble du périphérique externe. • Utilisez des structures en ferrite ou d’autres dispositifs de ce type pour les câbles du périphérique externe. Cisco ne peut pas garantir les performances du système car elle ne dispose d’aucun moyen de contrôle sur la qualité des périphériques externes, des câbles et des connecteurs utilisés. Le système fonctionne de manière adéquate lorsque les périphériques appropriés sont connectés à l’aide de câbles et de connecteurs de bonne qualité. Avertissement Dans les pays de l’Union européenne, utilisez uniquement des haut-parleurs, des microphones et des casques externes conformes à la Directive 89/336/CE sur la compatibilité électromagnétique (CEM). 
Fonctions d’accessibilité La liste des fonctions d’accessibilité est disponible sur demande.6 OL-9616-01 Raccordement du téléphone Votre administrateur système va probablement raccorder votre nouveau téléphone IP Cisco Unified au réseau de téléphonie IP de votre entreprise. Si ce n’est pas le cas, reportez-vous à l’illustration et au tableau ci-dessous pour raccorder le téléphone. 1 Port de l’adaptateur CC (48 V) 5 Port d’accès (10/100(/10001 ) PC) 2 Alimentation CA vers CC 6 Port du combiné 3 Cordon d’alimentation CA 7 Port du casque 4 Port réseau (10/100(/10001 ) SW) 1. Uniquement disponible sur les téléphones version gigabit Ethernet. 8 Bouton du socle AUX DC48V 10/100 SW 10/100 PC + 113656 2 8 3 4 5 6 7 17 Réglage du socle Pour modifier l’angle de positionnement de votre téléphone sur votre bureau, maintenez le bouton du socle enfoncé pendant que vous réglez le socle. Réglage du support du combiné Lorsque vous raccordez votre téléphone, vous pouvez régler le support du combiné pour éviter que ce dernier tombe de son support. Pour connaître la procédure, reportez-vous au tableau ci-dessous. Enregistrement à l’aide de l’outil TAPS Une fois votre téléphone raccordé au réseau, votre administrateur système peut vous demander d’enregistrer automatiquement votre téléphone à l’aide de l’outil TAPS (Tool for Auto-Registered Phones Support - Outil d’assistance des téléphones enregistrés automatiquement). Cet outil peut être utilisé pour un nouveau téléphone ou un téléphone de remplacement. Pour enregistrer un téléphone à l’aide de l’outil TAPS, décrochez le combiné, entrez le numéro de poste TAPS fourni par votre administrateur système et suivez les instructions vocales. Vous pouvez avoir à entrer le numéro entier de poste et donc à préciser l’indicatif régional. Lorsque votre téléphone affiche un message de confirmation, raccrochez. Le processus de redémarrage du téléphone est lancé. 
1 Posez le combiné de côté et tirez la plaquette plastique carrée du support du combiné. 2 Faites pivoter la plaquette de 180 degrés. 3 Replacez la plaquette sur le support du combiné en la faisant coulisser. Une extension ressort en haut de la plaquette qui a pivoté. Replacez le combiné sur son support. 1 2 3 1205218 OL-9616-01 Informations sur le casque Pour utiliser un casque, branchez-le sur son port situé à l’arrière du téléphone. Bien que Cisco Systems réalise des essais internes sur des casques de fournisseurs tiers utilisés avec les téléphones IP Cisco Unified, Cisco ne certifie, ni ne promeut de produits de fournisseurs de casques ou de combinés. En raison des contraintes environnementales et matérielles liées aux différents sites de déploiement des téléphones IP Cisco Unified, il n’existe pas de solution optimale unique pour tous les environnements. Cisco recommande à ses clients de tester les casques qui fonctionnent le mieux dans leur environnement avant de les déployer à grande échelle sur leur réseau. Dans certains cas, les pièces mécaniques ou les composants électroniques de différents casques peuvent provoquer un écho sur le poste des interlocuteurs des utilisateurs de téléphones IP Cisco Unified. Cisco Systems recommande d’utiliser des périphériques externes (casques, etc.) de bonne qualité, protégés des interférences produites par les signaux de fréquences radio et audio. En fonction de leur qualité et de la proximité d’autres périphériques (téléphone cellulaire, radio bidirectionnelle, etc.), des parasites sonores peuvent toujours se produire. Pour plus d’informations, reportez-vous à la section « Utilisation de périphériques externes », page 5. Pour déterminer si un casque donné convient au téléphone IP Cisco Unified, vérifiez avant tout qu’il ne provoque pas de ronflement sonore. Ce ronflement peut être audible soit uniquement par votre interlocuteur, soit par votre interlocuteur et vous (utilisateur du téléphone IP Cisco Unified). 
Certains ronflements ou bourdonnements potentiels peuvent être dus à de nombreuses causes extérieures, notamment l’éclairage électrique, la proximité de moteurs électriques et de grands écrans de PC. Dans certains cas, il est possible de réduire ou d’éliminer le ronflement à l’aide d’un groupe amplificateur de puissance local. Pour plus d’informations, reportez-vous à la section « Utilisation d’une alimentation externe », page 4. Qualité audio à l’appréciation de l’utilisateur Au-delà des performances physiques, mécaniques et techniques, la qualité audio d’un casque doit sembler bonne à votre interlocuteur et vous (utilisateur). Le son est un facteur subjectif et Cisco ne peut pas garantir les performances d’un casque ou d’un combiné quelconque, mais certains des casques et combinés disponibles sur les sites indiqués ci-dessous semblent fonctionner correctement sur les téléphones IP Cisco Unified. Néanmoins, il appartient en dernier ressort au client de tester cet équipement dans son propre environnement pour déterminer si ses performances sont acceptables. Pour plus d’informations sur les casques, reportez-vous aux pages Web suivantes : http://www.vxicorp.com/cisco http://www.plantronics.com/cisco9 Présentation du téléphone Les téléphones IP Cisco Unified 7961G/7961G-GE (version gigabit Ethernet) et 7941G/7941G-GE (version gigabit Ethernet) sont des téléphones haut de gamme qui permettent une communication orale via le réseau de données utilisé par votre ordinateur. Ainsi, vous pouvez passer et recevoir des appels téléphoniques, mettre des appels en attente, utiliser une numérotation abrégée, transférer des appels, établir des conférences téléphoniques, etc. Les téléphones IP Cisco Unified 7961G-GE et 7941G-GE version gigabit Ethernet sont équipés des toutes dernières technologies et évolutions en matière de téléphonie VoIP Gigabit Ethernet. 
Les téléphones IP Cisco Unified 7961G et 7961G-GE comptent six touches programmables pour les lignes téléphoniques, les fonctions, les numéros abrégés et les services. En revanche, les téléphones IP Cisco Unified 7941G et 7941G-GE disposent de deux touches de ce type (reportez-vous à la section « Présentation des boutons et du matériel », page 9 pour en savoir plus). Outre ses capacités de gestion de base des appels, votre téléphone peut prendre en charge certaines fonctions de productivité destinées à améliorer le périphérique. Selon sa configuration, il permet : • l’accès aux données du réseau, aux applications XML et aux services Web. • la personnalisation en ligne des fonctions et des services téléphoniques depuis vos pages Web Options utilisateur. • un système d’aide en ligne complet qui affiche des informations à l’écran du téléphone. Présentation des boutons et du matériel La Figure 1 et la Figure 2 permettent d’identifier les boutons et le matériel de votre téléphone.10 OL-9616-01 Figure 1 Téléphones IP Cisco Unified 7961G et 7961G-GE Figure 2 Téléphones IP Cisco Unified 7941G et 7941G-GE 1 16 3 4 5 7 9 6 8 15 14 13 12 11 10 137503 1 2 137504 4 5 6 7 9 15 14 13 12 11 10 16 1 3 8 1 211 Élément Description Pour plus d’informations, reportez-vous à la section... 1 Touches programmables Selon la configuration du téléphone, les touches programmables permettent l’accès aux : • Lignes téléphoniques (boutons de ligne). • Numéros abrégés (touches de numérotation abrégée). • Services Web (par exemple, bouton du carnet d’adresses personnel). • Fonctions du téléphone (par exemple, bouton de confidentialité). Les boutons s’allument et leur couleur indique l’état de l’appel. 
Vert fixe : appel actif Vert clignotant : appel en attente Orange fixe : fonction de confidentialité en cours d’utilisation Orange clignotant : appel entrant Rouge fixe : ligne en cours d’utilisation à distance Rouge clignotant : ligne non disponible de parcage d’appel dirigé • Présentation des fonctions de l’écran du téléphone, page 13 • Gestion de base des appels, page 17 • Numérotation abrégée, page 30 • Utilisation d’une ligne partagée, page 32 • Stockage et récupération des appels parqués, page 35 2 Écran du téléphone Affiche les fonctions téléphoniques. Présentation des fonctions de l’écran du téléphone, page 13 3 Bouton du socle Permet de régler l’angle du socle du téléphone. Réglage du socle, page 7 4 Bouton Messages Compose le numéro de votre service de messagerie vocale automatiquement (variable selon les services). Utilisation des journaux d’appels, page 43. 5 Bouton Répertoires Active/Désactive le menu de répertoires et permet d’accéder aux journaux d’appels/répertoires. Utilisation des journaux d’appels, page 43 6 Bouton d’aide Active le menu d’aide. Présentation du système d’aide du téléphone, page 1512 OL-9616-01 7 Bouton Paramètres Active/Désactive le menu de paramètres. Il permet de contrôler le contraste de l’écran et les sonneries. Utilisation des paramètres du téléphone, page 41 8 Bouton Services Active/Désactive le menu de services. Accès à vos pages Web Options utilisateur, page 47 9 Bouton Volume Contrôle le volume du combiné, du casque et du haut-parleur (décroché) et le volume de la sonnerie (raccroché). Utilisation du combiné, du casque et du haut-parleur, page 39 10 Bouton Haut-parleur Active/Désactive le mode haut-parleur. Lorsque le mode haut-parleur est activé, le bouton est allumé. Utilisation du combiné, du casque et du haut-parleur, page 39 11 Bouton Secret Active/Désactive le mode Secret. En mode Secret, le bouton est allumé. Utilisation du mode Secret, page 22 12 Bouton Casque Active/Désactive le mode casque. 
Lorsque le mode casque est activé, le bouton est allumé. Utilisation du combiné, du casque et du haut-parleur, page 39 13 Bouton de navigation Permet de faire défiler les menus et de mettre les options en surbrillance. Lorsque le téléphone est raccroché, le bouton permet d’afficher les numéros de téléphone du journal d’appels passés. Utilisation des journaux d’appels, page 43 14 Clavier Permet de composer les numéros de téléphone, de saisir des lettres et de sélectionner des options de menu. Gestion de base des appels, page 17 15 Touches dynamiques Activent chacune une option de touche dynamique (affichée à l’écran du téléphone). Présentation des fonctions de l’écran du téléphone, page 13 16 Bande lumineuse du combiné Indique un appel entrant ou un nouveau message vocal. Accès aux messages vocaux, page 46 Élément Description Pour plus d’informations, reportez-vous à la section...13 Présentation des fonctions de l’écran du téléphone Lorsque des appels sont actifs et que plusieurs menus de fonctions sont ouverts, l’écran principal du téléphone se présente de la façon suivante : 1 Ligne téléphonique principale Affiche le numéro de téléphone (numéro de poste) pour votre ligne téléphonique principale. Lorsque plusieurs onglets de fonctions sont ouverts, le numéro de téléphone, l’heure et la date s’affichent en alternance à cet endroit. 2 Icônes de touches programmables Les touches programmables peuvent servir de boutons de lignes téléphoniques, de touches de numérotation abrégée, de boutons de services téléphoniques ou de boutons de fonctions téléphoniques. Les icônes et les étiquettes indiquent le mode de configuration de ces boutons. Pour obtenir des informations sur une icône, reportez-vous à la section Icônes de l’écran du téléphone dans le livret de référence au début du présent manuel. 3 Étiquettes des touches dynamiques Affichent chacune une fonction de touche dynamique. Pour activer une touche dynamique, appuyez sur le bouton correspondant. 
4 Ligne d’état Affiche les icônes du mode audio, les informations d’état et les invites. 5 Zone d’activité des appels Affiche les appels en cours par ligne, y compris l’ID de l’appelant, la durée et l’état de l’appel pour la ligne mise en surbrillance (en mode d’affichage standard). Reportez-vous aux sections « Présentation des icônes de ligne et d’appel », page 16 et « Affichage de plusieurs appels », page 23. 6 Onglet de téléphone Indique l’activité des appels. 7 Onglets de fonctions Indiquent chacun un menu de fonctions ouvert. Reportez-vous à la section « Présentation des menus et des boutons de fonctions », page 14. 7 1 6 5 4 2 3 137522 7796114 OL-9616-01 Nettoyage de l’écran du téléphone Essuyez doucement l’écran du téléphone avec un chiffon doux et sec. N’appliquez pas de produits, qu’ils soient liquides ou en poudre, sur votre téléphone. Si vous n’utilisez pas de chiffon doux et sec, vous risquez d’endommager les composants de votre téléphone et donc d’entraîner des dysfonctionnements. Présentation des menus et des boutons de fonctions Appuyez sur un bouton de fonction pour ouvrir ou fermer un menu de fonctions. Pour... Procédez comme suit : Ouvrir ou fermer un menu de fonctions Appuyez sur un bouton de fonction : Messages Services Répertoires Paramètres Aide Faire défiler une liste ou un menu Appuyez sur le bouton de navigation. Remonter d’un niveau dans un menu de fonctions Appuyez sur Quitter. Si vous appuyez sur Quitter alors que vous êtes dans le niveau supérieur d’un menu, ce dernier se ferme. Basculer d’un menu de fonctions actif à un autre Appuyez sur un onglet de fonction. Chaque menu de fonctions a un onglet. Celui-ci est visible lorsque le menu de fonctions est ouvert.15 Présentation du système d’aide du téléphone Votre téléphone IP Cisco Unified comprend un système d’aide en ligne complet. Les rubriques d’aide apparaissent à l’écran du téléphone. Reportez-vous au tableau suivant pour plus de détails. 
Présentation de la distinction lignes/appels Pour éviter toute confusion entre les lignes et les appels, reportez-vous aux descriptions suivantes. Lignes : chaque ligne est associée à un numéro de téléphone (ou de poste) que les autres peuvent utiliser pour vous appeler. Selon la configuration, les téléphones IP Cisco Unified 7961G/7961G-GE et 7941G/7941G-GE peuvent respectivement prendre en charge six et deux lignes maximum. Pour connaître le nombre de lignes dont vous disposez, observez le côté droit de l’écran du téléphone. Vous disposez d’autant de lignes que de numéros d’annuaire et d’icônes de lignes téléphoniques ( ). Appels : chaque ligne peut prendre en charge plusieurs appels. Par défaut, le téléphone prend en charge quatre appels connectés par ligne mais l’administrateur système peut adapter ce nombre à vos besoins. Un seul appel peut être actif à un moment donné. Les autres appels sont automatiquement mis en attente. Pour... Procédez comme suit : Afficher le menu principal Appuyez sur le bouton du téléphone et attendez quelques secondes que le menu s’affiche. Les rubriques du menu principal abordent les thèmes suivants. • À propos de votre téléphone IP Cisco Unified : détails • Procédures relatives aux tâches téléphoniques courantes • Fonctions d’appel : descriptions et procédures • Aide : conseils sur l’utilisation et l’accès Obtenir des informations sur un bouton ou une touche dynamique Appuyez sur , puis rapidement sur un bouton ou une touche dynamique. Obtenir des informations sur une option de menu Appuyez sur , ou pour afficher un menu de fonctions. Mettez une option du menu en surbrillance, puis appuyez deux fois sur rapidement. Apprendre à se servir de l’aide Appuyez sur . Choisissez Aide dans le menu principal.16 OL-9616-01 Présentation des icônes de ligne et d’appel Votre téléphone affiche des icônes pour vous aider à déterminer l’état de la ligne et de l’appel. 
Présentation de la disponibilité des fonctions Selon la configuration de votre système téléphonique, certaines fonctions décrites dans ce manuel sont susceptibles de ne pas être disponibles dans votre cas ou de fonctionner différemment. Si vous avez des questions quant au fonctionnement ou à la disponibilité des fonctions, contactez un membre de l’équipe d’assistance ou votre administrateur système. Icône État de l’appel Description Combiné raccroché Aucune activité d’appel sur cette ligne. Combiné décroché Un numéro est en cours de composition ou un appel sortant est en sonnerie. Pour connaître les différentes options de composition de numéros, reportez-vous à la section « Établissement d’un appel : options de base », page 17. Appel connecté La communication avec votre interlocuteur est actuellement établie. Appel en sonnerie Un appel entrant est en sonnerie sur l’une de vos lignes. Reportez-vous à la section « Réponse à un appel », page 20 pour en savoir plus. Appel en attente Vous avez mis cet appel en attente. Utilisé à distance Un autre téléphone qui partage votre ligne a un appel connecté. Reportez-vous à la section « Utilisation d’une ligne partagée », page 32 pour en savoir plus. Appel authentifié Reportez-vous à la section « Établissement et réception d’appels sécurisés », page 36. Appel chiffré Reportez-vous à la section « Établissement et réception d’appels sécurisés », page 36.17 Gestion de base des appels Les tâches de gestion de base des appels s’appuient sur un ensemble de fonctions et de services. La disponibilité des fonctions peut varier. Pour plus d’informations, contactez votre administrateur système. Établissement d’un appel : options de base Le tableau ci-dessous présente des moyens simples de passer un appel à l’aide du téléphone IP Cisco Unified. Pour... Procédez comme suit : Pour plus d’informations, reportez-vous à la section... Passer un appel en utilisant le combiné Décrochez le combiné et composez un numéro. 
Présentation du téléphone, page 9 Passer un appel en utilisant le haut-parleur Appuyez sur , puis composez un numéro. Utilisation du combiné, du casque et du haut-parleur, page 39 Passer un appel en utilisant le casque Appuyez sur , puis composez un numéro. Si le bouton est allumé, vous pouvez également appuyer sur NvAppel et composer un numéro. Utilisation du combiné, du casque et du haut-parleur, page 39 Rappeler un numéro Appuyez sur Bis pour composer le dernier numéro ou sur la touche de navigation pour visualiser les appels passés (dans ce dernier cas, le téléphone doit être inactif). Utilisation des journaux d’appels, page 43 Passer un appel lorsqu’un autre appel est actif (en utilisant la même ligne) 1. Appuyez sur Attente. 2. Appuyez sur NvAppel. 3. Entrez un numéro. Utilisation des fonctions d’attente et de reprise, page 21 Composer un numéro à partir d’un journal d’appels 1. Sélectionnez > Appels en absence, Appels reçus ou Appels composés. 2. Sélectionnez ou recherchez une entrée de liste, puis décrochez le téléphone. Utilisation des journaux d’appels, page 4318 OL-9616-01 Conseils • Vous pouvez composer un numéro avec le combiné raccroché et sans tonalité (prénumérotation). Pour la prénumérotation, entrez un numéro, puis décrochez le téléphone en soulevant le combiné ou en appuyant sur Compos., ou . • En cas de prénumérotation, le téléphone tente d’anticiper le numéro en cours de composition. Pour ce faire, il utilise le journal d’appels passés pour afficher les numéros correspondants (s’ils sont disponibles). Cette opération s’appelle la numérotation automatique. Pour la lancer, sélectionnez le numéro affiché ou recherchez une entrée de liste, puis décrochez le téléphone. • Si vous commettez une erreur pendant la numérotation, appuyez sur << pour effacer des chiffres. Établissement d’un appel : options supplémentaires Vous pouvez passer des appels en utilisant des fonctions et des services spéciaux éventuellement disponibles sur le téléphone. 
Pour plus d’informations sur ces options supplémentaires, contactez votre administrateur système. Pour... Procédez comme suit : Pour plus d’informations, reportez-vous à la section... Passer un appel lorsqu’un autre est actif (sur une ligne différente) 1. Appuyez sur pour ouvrir la nouvelle ligne. L’appel de la première ligne sera mis en attente automatiquement. 2. Entrez un numéro. Utilisation des fonctions d’attente et de reprise, page 21 Composer un numéro abrégé Procédez comme suit : • Appuyez sur (touche de numérotation abrégée) • Utilisez la fonction NumAbr. • Utilisez la fonction Numéro abrégé. Numérotation abrégée, page 30 Composer un numéro à partir d’un répertoire d’entreprise disponible sur le téléphone 1. Sélectionnez > Répertoire d’entreprise (le nom exact de ce service peut varier). 2. Saisissez un nom et appuyez sur Recher. 3. Mettez en surbrillance une entrée de liste et décrochez le téléphone. Utilisation des journaux d’appels, page 4319 Composer un numéro de répertoire d’entreprise à l’aide de Cisco WebDialer 1. Ouvrez un navigateur Web et accédez au répertoire de votre entreprise compatible WebDialer. 2. Cliquez sur le numéro à composer. Personnalisation de votre téléphone IP Cisco Unified sur le Web : http://www.cisco.com/ univercd/cc/td/doc/product/ voice/c_ipphon/index.htm Utiliser la fonction de rappel Cisco pour recevoir une notification lorsqu’un poste occupé ou en sonnerie se libère 1. Appuyez sur Rappel lorsque vous entendez la tonalité occupé ou la sonnerie. 2. Raccrochez. Le téléphone vous avertit lorsque la ligne se libère. 3. Passez de nouveau l’appel. Votre administrateur système Passer un appel prioritaire Entrez le numéro d’accès MLPP, puis le numéro de téléphone. Attribution de priorité aux appels critiques, page 37 Composer un numéro à partir d’un carnet d’adresses personnel 1. Choisissez > Service Carnet d’adresses personnel (le nom exact de cette fonction peut varier). 2. 
Mettez en surbrillance une entrée de liste et décrochez le téléphone. Vous pouvez également appuyer sur l’entrée de liste de l’écran tactile. Connexion aux pages Web Options utilisateur, page 47 Passer un appel à l’aide d’un code de facturation ou de suivi 1. Composez un numéro. 2. Après la tonalité, entrez un code d’affaire client ou un code d’autorisation forcée. Votre administrateur système Passer un appel en utilisant votre profil de substitution de poste Cisco Connectez-vous au service de substitution de poste sur un téléphone. Utilisation de la fonction de substitution de poste de Cisco, page 38 Pour... Procédez comme suit : Pour plus d’informations, reportez-vous à la section...20 OL-9616-01 Réponse à un appel Vous pouvez répondre à un appel en décrochant le combiné ou utiliser d’autres options éventuellement disponibles sur le téléphone. Pour... Procédez comme suit : Pour plus d’informations, reportez-vous à la section... Répondre en utilisant un casque Si le bouton est éteint, appuyez dessus. Si le bouton est déjà allumé, appuyez sur Répond. ou sur (bouton de ligne clignotant). Utilisation du combiné, du casque et du haut-parleur, page 39 Répondre en utilisant le haut-parleur Appuyez sur , Répond. ou sur (clignotement). Utilisation du combiné, du casque et du haut-parleur, page 39 Répondre à un nouvel appel à partir d’un appel connecté Appuyez sur Répond. ou, si l’appel est en sonnerie sur une autre ligne, appuyez sur (clignotement). Utilisation des fonctions d’attente et de reprise, page 21 Répondre à l’aide de la fonction d’appel en attente Appuyez sur Répond. Utilisation des fonctions d’attente et de reprise, page 21 Envoyer un appel vers le système de messagerie vocale Appuyez sur Rvoi Im. Accès aux messages vocaux, page 46 Connecter automatiquement des appels Utilisez la fonction de réponse automatique. 
Utilisation de la fonction de réponse automatique, page 40 Récupérer un appel parqué sur un autre téléphone Utilisez la fonction de parcage d’appel ou la fonction de parcage d’appel dirigé. Stockage et récupération des appels parqués, page 35 Utiliser le téléphone pour répondre à un appel en sonnerie sur un autre poste Utilisez la fonction d’interception d’appels. Interception d’un appel redirigé vers votre téléphone, page 31 Répondre à un appel prioritaire Mettez fin à l’appel en cours en raccrochant, puis appuyez sur Répond. Attribution de priorité aux appels critiques, page 3721 Fin d’un appel Pour mettre fin à un appel, raccrochez. Reportez-vous au tableau suivant pour plus de détails. Utilisation des fonctions d’attente et de reprise Un seul appel peut être actif à un moment donné. Tous les autres appels seront mis en attente. Conseils • Généralement, l’activation de la fonction de mise en attente génère de la musique ou un bip. • Un appel en attente est indiqué par l’icône . Pour... Procédez comme suit : Raccrocher lorsque vous utilisez le combiné Replacez le combiné sur son support ou appuyez sur FinApp. Raccrocher lorsque vous utilisez le casque Appuyez sur . Pour que le mode casque reste activé, appuyez sur FinApp. Raccrocher lorsque vous utilisez le haut-parleur Appuyez sur ou sur FinApp. Mettre fin à un appel sans mettre fin à un autre appel de la même ligne Appuyez sur FinApp. Si nécessaire, récupérez d’abord l’appel mis en attente. Pour... Procédez comme suit : Mettre un appel en attente 1. Assurez-vous de la mise en surbrillance de l’appel à mettre en attente. 2. Appuyez sur Attente. Reprendre sur la ligne active un appel mis en attente 1. Vérifiez que l’appel approprié est en surbrillance. 2. Appuyez sur Reprend. Reprendre sur une autre ligne un appel mis en attente Appuyez sur pour ouvrir la ligne appropriée. Si un seul appel est en attente sur cette ligne, sa reprise est automatique. 
Si plusieurs appels sont en attente, recherchez l’appel concerné dans la liste, puis appuyez sur Reprend.22 OL-9616-01 Utilisation du mode Secret En mode Secret, vous pouvez entendre vos interlocuteurs, mais ces derniers ne peuvent pas vous entendre. Il est possible d’utiliser le mode Secret conjointement au combiné, au haut-parleur ou au casque. Passage d’un appel à l’autre Vous pouvez passer d’un appel à l’autre, sur une ou plusieurs lignes. Si l’appel sur lequel vous voulez basculer n’est pas automatiquement mis en surbrillance, utilisez le bouton de navigation pour l’atteindre. Pour... Procédez comme suit : Passer en mode Secret Appuyez sur . Sortir du mode Secret Appuyez sur . Pour... Procédez comme suit : Passer d’un appel à l’autre sur une même ligne 1. Vérifiez que l’appel sur lequel vous voulez passer est en surbrillance. 2. Appuyez sur Reprend. Tout appel actif est mis en attente et l’appel sélectionné est repris. Passer d’un appel à l’autre sur différentes lignes Appuyez sur le bouton de la ligne sur laquelle vous souhaitez passer. Si un seul appel est en attente sur cette ligne, sa reprise est automatique. Si plusieurs appels sont en attente, mettez en surbrillance l’appel concerné, puis appuyez sur Reprend. Répondre à un appel en sonnerie à partir d’un appel déjà connecté Appuyez sur Répond. ou, si l’appel est en sonnerie sur une autre ligne, appuyez sur . Tout appel actif est mis en attente et l’appel sélectionné est repris.23 Affichage de plusieurs appels Une meilleure compréhension de l’affichage de plusieurs appels sur le téléphone peut vous aider à organiser vos efforts de gestion des appels. En mode d’affichage standard, le téléphone affiche les appels de la façon suivante pour la ligne mise en surbrillance : • Les appels ayant le niveau de priorité le plus important et la durée la plus longue s’affichent en haut de la liste. • Les appels d’un même type sont regroupés. 
Par exemple, tous les appels avec lesquels vous êtes entré en interaction sont regroupés vers le haut de la liste, tandis que les appels en attente sont regroupés en bas. Vous pouvez utiliser les méthodes suivantes pour afficher plusieurs appels sur plusieurs lignes. Transfert d’appels Le transfert permet de rediriger un appel connecté. La cible est le numéro vers lequel vous souhaitez transférer l’appel. Pour... Procédez comme suit : Afficher les appels d’une autre ligne 1. Appuyez sur . 2. Appuyez immédiatement sur le bouton de ligne . Avoir un aperçu de l’activité de la ligne (un appel par ligne) Appuyez sur pour faire apparaître la ligne mise en surbrillance. Le téléphone bascule sur le mode de présentation des appels et affiche un seul appel par ligne. L’appel affiché est l’appel actif ou l’appel en attente le plus ancien. Pour revenir à l’affichage standard, appuyez sur , puis, immédiatement après, sur le bouton de la ligne. Pour... Procédez comme suit : Transférer un appel sans prévenir le destinataire du transfert 1. Au cours d’un appel actif, appuyez sur Trnsfer. 2. Entrez le numéro cible. 3. Appuyez de nouveau sur Trnsfer pour effectuer le transfert ou sur FinApp. pour l’annuler. Remarque Si le téléphone prend en charge le transfert en mode combiné raccroché, vous pouvez également effectuer le transfert en raccrochant.24 OL-9616-01 Conseils • Si le transfert en mode combiné raccroché est activé sur le téléphone, vous pouvez soit raccrocher pour mettre fin à l’appel, soit appuyer sur Trnsfer, puis raccrocher. • Si le transfert en mode combiné raccroché n’est pas activé sur le téléphone, le fait de raccrocher sans appuyer sur Trnsfer remet l’appel en attente. • Vous ne pouvez pas utiliser la touche Trnsfer pour rediriger un appel en attente. Appuyez sur Reprend pour le reprendre avant de le transférer. Consulter un destinataire avant de lui transférer un appel 1. Au cours d’un appel actif, appuyez sur Trnsfer. 2. Entrez le numéro cible. 3. 
Patientez quelques instants pour laisser le temps au destinataire du transfert de répondre. 4. Appuyez de nouveau sur Trnsfer pour effectuer le transfert ou sur FinApp. pour l’annuler. Remarque Si le téléphone prend en charge le transfert en mode combiné raccroché, vous pouvez également effectuer le transfert en raccrochant. Connecter deux appels en cours sans rester en ligne (transfert direct) 1. Faites défiler les appels pour mettre en surbrillance celui de votre choix sur la ligne. 2. Appuyez sur Sélect. 3. Renouvelez cette procédure pour le second appel. 4. Lorsque l’un des appels sélectionnés est mis en surbrillance, appuyez sur TrnsDir. (Pour afficher TrnsDir, vous pouvez avoir à appuyer sur la touche autres.) Les deux appels se connectent l’un à l’autre et vous ne participez plus à l’appel. Remarque Pour rester en ligne avec ces appelants, utilisez l’option Joindre à la place. Rediriger un appel vers le système de messagerie vocale Appuyez sur Rvoi Im. L’appel est automatiquement transféré vers la messagerie vocale, qui diffuse une annonce d’accueil. Cette fonction est disponible lorsqu’un appel est actif, en sonnerie ou en attente. Pour... Procédez comme suit :25 Renvoi de tous les appels vers un autre numéro Le renvoi de tous vos appels permet de rediriger tous les appels entrants du téléphone vers un autre numéro. Remarque Si la fonction de renvoi des appels s’applique à toute ligne secondaire, aucune confirmation de votre téléphone n’indique la conduite de l’opération. À la place, vous devez confirmer vos paramètres dans les pages Options utilisateur. Reportez-vous à la section « Connexion aux pages Web Options utilisateur », page 47. Conseils • Vous devez entrer le numéro cible de renvoi d’appel exactement comme si vous le composiez sur le téléphone. Par exemple, entrez un code d’accès ou l’indicatif régional (le cas échéant). 
• Vous pouvez renvoyer vos appels vers un téléphone analogique traditionnel ou vers un autre téléphone IP, même si votre administrateur système peut limiter la fonction de renvoi des appels aux numéros utilisés dans votre entreprise. • Vous devez configurer cette fonction pour chacune des lignes. Si un appel arrive sur une ligne sur laquelle le renvoi d’appels n’est pas activé, la sonnerie de cet appel est normale. Pour... Procédez comme suit : Configurer le renvoi d’appels sur la ligne principale Appuyez sur RenvTt, puis entrez un numéro de téléphone cible. Annuler un renvoi d’appels sur la ligne principale Appuyez sur RenvTt. Vérifier que le renvoi d’appels est activé sur la ligne principale Recherchez : • L’icône de renvoi d’appel au-dessus du numéro de téléphone principal ( ). • Le numéro cible de renvoi d’appel dans la ligne d’état. Configurer ou annuler le renvoi d’appels à distance ou pour une ligne différente de la ligne principale 1. Connectez-vous aux pages Web Options utilisateur et sélectionnez un périphérique. 2. Choisissez Renv. tous les appels... 3. Choisissez la ligne principale ou toute ligne secondaire. 4. Choisissez de réacheminer les appels vers la messagerie vocale ou vers un autre numéro.26 OL-9616-01 Établissement de conférences téléphoniques Votre téléphone IP Cisco Unified vous permet de réunir trois personnes ou plus dans une même conversation téléphonique en établissant une conférence. Présentation des types de conférences téléphoniques Il existe deux types de conférences téléphoniques : standard et Meet-Me. Conférences téléphoniques standard Vous pouvez créer des conférences téléphoniques standard de différentes manières selon vos besoins et les touches dynamiques du téléphone. • Conf. : cette touche dynamique permet d’appeler chaque participant et d’établir ainsi une conférence standard. La conférence téléphonique standard est une fonction par défaut disponible sur la plupart des téléphones. 
• Joindre : cette touche dynamique permet de joindre plusieurs appels déjà en cours sur une ligne et d’établir ainsi une conférence standard. • InsConf : cette touche dynamique permet de vous connecter à un appel existant sur une ligne partagée et de transformer l’appel en conférence téléphonique standard. Cette fonction n’est disponible que sur les téléphones utilisant des lignes partagées. Pour obtenir des instructions supplémentaires, reportez-vous à la section « Débuter et rejoindre une conférence téléphonique standard », page 27. Conférences téléphoniques Meet-Me Vous pouvez créer une conférence Meet-Me en appelant le numéro de conférence à l’heure prévue. Pour obtenir des instructions supplémentaires, reportez-vous à la section « Débuter ou rejoindre une conférence téléphonique Meet-Me », page 29.27 Débuter et rejoindre une conférence téléphonique standard Une conférence téléphonique standard permet à trois personnes au moins de participer à un appel unique. Pour... Procédez comme suit : • Créer une conférence téléphonique en appelant les participants • Ajouter de nouveaux participants à une conférence téléphonique existante 1. À partir d’un appel connecté, appuyez sur Conf. (Pour afficher cette option, vous pouvez avoir à appuyer sur la touche dynamique autres.) 2. Entrez le numéro de téléphone du participant. 3. Patientez pendant la connexion de l’appel. 4. Appuyez de nouveau sur Conf. pour ajouter ce participant à l’appel. 5. Répétez cette procédure pour ajouter d’autres participants. Créer une conférence en joignant au moins deux appels existants 1. Assurez-vous d’avoir deux appels minimum sur une même ligne. 2. Mettez en surbrillance un appel à ajouter à la conférence. 3. Appuyez sur Sélect. L’appel sélectionné affiche cette icône . 4. Répétez cette opération pour chacun des appels à ajouter. 5. À partir de l’un des appels sélectionnés, appuyez sur Joindre. (Pour afficher cette option, vous pouvez avoir à appuyer d’abord sur la touche dynamique autres.) 
Remarque L’appel actif est sélectionné automatiquement. Participer à une conférence Répondez au téléphone lorsqu’il sonne. Créer une conférence téléphonique en insérant un appel sur une ligne partagée Mettez en surbrillance un appel sur une ligne partagée et appuyez sur InsConf. (Vous pouvez avoir à appuyer d’abord sur la touche dynamique autres.) Reportez-vous à la section « Utilisation d’une ligne partagée », page 32. Afficher la liste des participants à une conférence 1. Mettez en surbrillance une conférence active. 2. Appuyez sur ListConf. Les participants sont répertoriés dans l’ordre dans lequel ils rejoignent la conférence, les derniers à la rejoindre apparaissant en tête de liste.28 OL-9616-01 Conseils • Il n’est possible d’ajouter à une conférence que les appels présents sur une même ligne. S’ils sont sur des lignes différentes, transférez-les sur une seule ligne avant d’appuyer sur Conf. ou sur Joindre. • Selon la configuration du téléphone, vous risquez de mettre fin à une conférence si vous la quittez alors que vous en êtes l’initiateur. Pour éviter ce problème, transférez la conférence avant de raccrocher. Mettre à jour la liste des participants à une conférence Lorsque vous affichez la liste des participants à la conférence, appuyez sur MàJ. Afficher l’initiateur de la conférence Lorsque la liste des participants à la conférence est affichée, recherchez la personne répertoriée au bas de la liste, avec un astérisque (*) à côté de son nom. Abandonner le dernier interlocuteur à avoir rejoint la conférence Appuyez sur SupDerA. Vous ne pouvez exclure des participants que si vous êtes l’initiateur de la conférence téléphonique. Exclure un participant de la conférence 1. Mettez en surbrillance le nom du participant. 2. Appuyez sur Suppr. Vous ne pouvez exclure des participants que si vous êtes l’initiateur de la conférence. Quitter une conférence standard Raccrochez ou appuyez sur FinApp. Pour... 
Procédez comme suit :29 Débuter ou rejoindre une conférence téléphonique Meet-Me La conférence téléphonique Meet-Me permet de démarrer une conférence ou de composer son numéro pour s’y connecter. Pour... Procédez comme suit : Démarrer une conférence Meet-Me 1. Demandez un numéro de conférence Meet-Me à votre administrateur système. 2. Distribuez le numéro aux participants. 3. Lorsque vous êtes prêt à démarrer la réunion, décrochez le téléphone pour obtenir la tonalité et appuyez sur MulConf. 4. Composez le numéro de la conférence Meet-Me. Les participants peuvent rejoindre la conférence en composant son numéro. Remarque Les participants entendent une tonalité occupé s’ils appellent le numéro de la conférence avant la connexion de l’organisateur. Dans ce cas, ils doivent rappeler. Rejoindre une conférence Meet-Me Composez le numéro de la conférence Meet-Me (que vous a communiqué l’organisateur de la conférence). Remarque Vous entendez une tonalité occupé si vous appelez le numéro de la conférence avant la connexion de l’organisateur. Dans ce cas, rappelez ultérieurement. Mettre fin à une conférence Meet-Me Tous les participants doivent raccrocher. La conférence ne se termine pas automatiquement lorsque l’organisateur se déconnecte.30 OL-9616-01 Gestion avancée des appels Les tâches de gestion avancée des appels comprennent des fonctions spéciales que l’administrateur système peut configurer sur le téléphone, en fonction de vos besoins en la matière et de votre environnement de travail. Numérotation abrégée La numérotation abrégée permet d’entrer un code, d’appuyer sur un bouton ou de sélectionner un élément de l’écran du téléphone pour passer un appel. 
Selon la configuration du téléphone, plusieurs fonctions de numérotation abrégée peuvent être disponibles : • Touches de numérotation abrégée • Numérotation abrégée • Numéros abrégés Remarque • Pour configurer des touches de numérotation abrégée et la numérotation abrégée, vous devez accéder aux pages Web Options utilisateur. Reportez-vous à la section « Connexion aux pages Web Options utilisateur », page 47. • Votre administrateur système peut également configurer des fonctions de numérotation abrégée pour vous. Pour... Procédez comme suit : Utiliser des touches de numérotation abrégée 1. Configurez des touches de numérotation abrégée depuis les pages Web Options utilisateur. 2. Pour passer un appel, appuyez sur (touche de numérotation abrégée). Utiliser NumAbr 1. Configurez des codes de numérotation abrégée depuis les pages Web Options utilisateur. 2. Pour passer un appel, entrez le code de numérotation abrégée et appuyez sur NumAbr. Utiliser Numéro abrégé 1. Abonnez-vous au service de numérotation abrégée et configurez des codes de numérotation abrégée depuis les pages Web Options utilisateur. Reportezvous à la section « Abonnement aux services téléphoniques », page 48. 2. Pour passer un appel, choisissez > Service de numérotation abrégée sur le téléphone (le nom exact de cette fonction peut varier), puis mettez en surbrillance une entrée de liste et décrochez le téléphone. Vous pouvez également appuyer sur l’entrée de la liste de l’écran du téléphone.31 Interception d’un appel redirigé vers votre téléphone Grâce à cette fonction, vous pouvez répondre à un appel en sonnerie sur le téléphone d’un collègue en le redirigeant vers votre appareil. Vous pouvez utiliser la fonction d’interception d’appels si vous partagez la gestion des appels avec des collègues. Pour... Procédez comme suit : Répondre à un appel en sonnerie sur un autre poste de votre groupe de prise d’appel 1. Procédez comme suit : • Appuyez sur la touche dynamique Intrcpt si elle est disponible. 
• Dans le cas contraire, décrochez le téléphone pour l’afficher et appuyez sur Intrcpt. • Si le téléphone prend en charge la fonction d’interception automatique, vous êtes connecté à l’appel. 2. Lorsque le téléphone sonne, appuyez sur Répond. pour vous connecter à l’appel. Répondre à un appel en sonnerie sur un poste hors de votre groupe 1. Procédez comme suit : • Appuyez sur la touche dynamique GrpIntr si elle est disponible. • Dans le cas contraire, décrochez le téléphone pour l’afficher et appuyez sur GrpIntr. 2. Entrez le code d’interception du groupe. Si le téléphone prend en charge la fonction d’interception automatique, vous êtes connecté à l’appel. 3. Lorsque le téléphone sonne, appuyez sur Répond. pour vous connecter à l’appel. Répondre à un appel en sonnerie sur un autre poste de votre groupe ou sur celui d’un groupe associé 1. Procédez comme suit : • Appuyez sur la touche dynamique AGrpIntr si elle est disponible. • Dans le cas contraire, décrochez le téléphone pour l’afficher et appuyez sur AGrpIntr. • Si le téléphone prend en charge la fonction d’interception automatique, vous êtes connecté à l’appel. 2. Lorsque le téléphone sonne, appuyez sur Répond. pour vous connecter à l’appel.32 OL-9616-01 Conseils • Selon la configuration du téléphone, vous pouvez recevoir un signal sonore et/ou visuel à propos d’un appel vers votre groupe de prise d’appel. • Le fait d’appuyer sur Intrcpt et sur GrpIntr vous connecte à l’appel qui sonne depuis plus longtemps. • Le fait d’appuyer sur AGrpIntr vous connecte à l’appel du groupe de prise d’appel de niveau de priorité supérieur. • Si vous avez plusieurs lignes et si vous voulez prendre l’appel sur une ligne secondaire, appuyez sur le bouton de la ligne souhaitée, puis sur une touche dynamique d’interception d’appel. Utilisation d’une ligne partagée Votre administrateur système peut vous demander d’utiliser une ligne partagée si vous : • Avez plusieurs téléphones et souhaitez n’avoir qu’un seul numéro de téléphone. 
• Partagez des tâches de gestion d’appels avec des collègues. • Gérez des appels pour le compte d’un manager. Présentation des lignes partagées Utilisation à distance L’icône Utilisé à distance apparaît lorsqu’un autre téléphone de votre ligne partagée a un appel connecté. Vous pouvez passer et recevoir des appels normalement sur la ligne partagée, même si l’icône Utilisé à distance s’affiche. Partage des informations relatives aux appels et insertion Les autres téléphones qui partagent une ligne affichent chacun des informations sur les appels passés et reçus de la ligne partagée. Ces informations peuvent inclure l’ID de l’appelant et la durée de l’appel. (Pour obtenir des informations sur les cas d’exception, reportez-vous à la section Confidentialité.) Lorsque des informations d’appels s’affichent ainsi, vos collègues et vous qui partagez une ligne pouvez vous connecter aux appels en utilisant la fonction Insert ou InsConf. Reportez-vous à la section « Connexion à l’appel d’une ligne partagée », page 33. Confidentialité Pour empêcher les collègues qui partagent votre ligne de voir les informations sur vos appels, activez la fonction de confidentialité. Ainsi, ils ne peuvent pas se connecter à vos appels. Reportez-vous à la section « Procédure pour empêcher d’autres personnes d’afficher un appel sur une ligne partagée ou de s’y connecter », page 34. Remarque Le nombre maximum d’appels pris en charge sur une ligne partagée varie selon les téléphones.33 Connexion à l’appel d’une ligne partagée Selon la configuration de votre téléphone, vous pouvez vous connecter à l’appel d’une ligne partagée à l’aide de la fonction Insert ou InsConf. Conseils • Si vous partagez la ligne avec un téléphone dont la fonction de confidentialité est activée, les informations d’appels et les touches dynamiques d’insertion n’apparaissent pas sur les autres téléphones qui partagent la ligne. 
• Lorsque vous vous connectez à un appel à l’aide de la touche Insert, vous pouvez en être déconnecté s’il est mis en attente, transféré ou transformé en conférence téléphonique. Pour... Procédez comme suit : Vérifier si la ligne partagée est en cours d’utilisation Recherchez l’icône Utilisé à distance ( en regard d’un bouton de ligne rouge ). Afficher les détails sur les appels en cours de la ligne partagée Appuyez sur le bouton de ligne rouge correspondant à la ligne utilisée à distance. Tout appel non confidentiel s’affiche dans la zone d’activité des appels de l’écran du téléphone. Vous connecter à un appel sur une ligne partagée à l’aide de la touche dynamique Insert 1. Mettez en surbrillance un appel utilisé à distance. 2. Appuyez sur Insert. (Vous pouvez avoir à appuyer d’abord sur la touche dynamique autres.) Les autres interlocuteurs entendent un bip leur annonçant votre présence. Vous connecter à un appel sur une ligne partagée à l’aide de la touche dynamique InsConf À la différence de la fonction Insert, InsConf transforme l’appel en conférence téléphonique standard et permet ainsi d’y ajouter de nouveaux participants. Reportez-vous à la section « Établissement de conférences téléphoniques », page 26. Vous connecter à un appel par insertion et ajouter des participants à une conférence Insérez l’appel en utilisant l’option InsConf, si elle est disponible. Contrairement à la fonction Insert, InsConf transforme l’appel en conférence téléphonique standard et permet ainsi d’y ajouter de nouveaux participants. Reportez-vous à la section « Établissement de conférences téléphoniques », page 26. Vous déconnecter d’un appel par insertion Raccrochez. Si vous raccrochez après avoir utilisé la fonction Insert, les autres interlocuteurs entendent une tonalité de déconnexion et l’appel initial continue. 
Si vous raccrochez après avoir utilisé la fonction InsConf, l’appel reste en mode conférence (à condition qu’il reste au moins trois participants sur la ligne).34 OL-9616-01 Procédure pour empêcher d’autres personnes d’afficher un appel sur une ligne partagée ou de s’y connecter Si vous partagez une ligne téléphonique, vous pouvez utiliser la fonction de confidentialité pour empêcher les personnes qui partagent votre ligne d’afficher vos appels ou de s’y connecter. Conseils • Si vous partagez la ligne avec un téléphone dont la fonction de confidentialité est activée, vous pouvez passer et recevoir des appels normalement sur la ligne partagée. • La fonction de confidentialité s’applique à toutes les lignes partagées du téléphone. Par consé- quent, si vous avez plusieurs lignes partagées et si la fonction de confidentialité est activée, vos collègues ne pourront pas afficher les appels sur vos lignes partagées, ni s’y connecter. • Lorsque vous mettez un appel en attente, le nom et le numéro de l’appelant (ID) s’affichent sur la ligne partagée même si la fonction de confidentialité est activée. Toutefois, votre administrateur système peut empêcher l’affichage de l’ID d’un appelant en attente si la fonction de confidentialité est activée. Dans ce cas, vous ne pouvez récupérer l’appel que depuis le téléphone utilisé pour le mettre en attente. Pour... Procédez comme suit : Empêcher d’autres personnes d’afficher ou de joindre les appels sur une ligne partagée 1. Appuyez sur Confidentiel . 2. Pour vérifier que la fonction de confidentialité est activée, recherchez l’icône de confidentialité activée située à côté d’un bouton de ligne orange . Autoriser les autres personnes à afficher des appels ou à s’y connecter sur une ligne partagée 1. Appuyez sur Confidentiel . 2. 
Pour vérifier que la fonction de confidentialité est désactivée, recherchez l’icône de confidentialité désactivée située à côté d’un bouton de ligne non allumé .35 Stockage et récupération des appels parqués Si vous souhaitez stocker un appel, vous pouvez le parquer pour qu’une autre personne et vous puissiez le récupérer sur un autre téléphone du système Cisco Unified CallManager (par exemple, le téléphone du bureau d’un collègue ou celui d’une salle de conférence). Vous pouvez parquer un appel en utilisant les méthodes suivantes. • Pour stocker l’appel, appuyez sur la touche dynamique Parquer. Le téléphone affiche le numéro de parcage où le système a stocké l’appel. Vous devez enregistrer ce numéro et utiliser le même pour récupérer l’appel. • Pour diriger l’appel vers un numéro spécifique de parcage abrégé ou non, utilisez la touche dynamique Trnsfer. La récupération de l’appel implique la composition du préfixe de récupération d’appels parqués suivi du numéro de parcage (abrégé ou non). • À l’aide du bouton de parcage d’appel dirigé, vous pouvez composer le numéro abrégé de parcage et déterminer s’il est disponible ou non. Conseils • Vous disposez d’un délai limité pour récupérer un appel parqué avant qu’il recommence à sonner sur le poste initial. Pour en savoir plus, contactez votre administrateur système. • Votre administrateur système peut affecter des boutons de parcage d’appel dirigé à des boutons de ligne disponibles sur le téléphone ou le module d’extension pour téléphones IP Cisco Unified 7914. • Vous pouvez composer des numéros de parcage d’appel dirigé si vous n’avez pas de boutons de parcage d’appel dirigé sur le téléphone. Toutefois, vous ne pourrez pas voir l’état du numéro de parcage d’appel dirigé. Pour... Procédez comme suit : Stocker un appel actif à l’aide de la fonction de parcage d’appels 1. Au cours d’un appel, appuyez sur Parquer. (Vous pouvez avoir à appuyer d’abord sur la touche dynamique autres.) 2. 
Note the park number displayed on the phone screen.
3. Hang up.

Retrieve a parked call:
Enter the park number on any Cisco Unified IP Phone in the network to connect to the call.

Direct and store an active call at a directed call park number:
1. During a call, press Trnsfer.
2. To dial the park speed-dial number, press the directed call park button if it shows the unoccupied park icon. A flashing directed call park button and the occupied park icon indicate that the directed call park number is not available.
3. Press Trnsfer again to confirm that the call is stored.

Retrieve a parked call from a directed call park number:
From any phone in the network, enter the park retrieval prefix and dial the directed call park number. You can also connect to the call by pressing the directed call park button if it shows the occupied park icon.

36 OL-9616-01

Making and Receiving Secure Calls

Depending on how your system administrator has configured your phone system, your phone may support making and receiving secure calls. It can support the following call types:
• Authenticated call: the identity of every phone participating in the call has been verified.
• Encrypted call: the phone receives and transmits encrypted audio (your conversation) over the Cisco Unified IP network. Encrypted calls are also authenticated.
• Non-secure call: at least one of the phones on the call, or the connection itself, does not support these security features, or the identity of the phones cannot be verified.

Note: Interactions, restrictions, and limitations affect the phone's security features. For more information, contact your system administrator.

Tracing Suspicious Calls

If you receive suspicious or malicious calls, your system administrator can add the Malicious Call Identification (MCID) feature to your phone. This feature lets you flag an active call as suspicious, which starts a series of automated tracking and notification messages.

To check the security level of a call:
Look for one of the following security icons at the top right of the call activity area (next to the call duration timer):
• Authenticated call
• Encrypted call
No security icon appears if the call is not secure.

To find out whether secure calls can be made in your company:
Contact your system administrator.

To notify your system administrator of a suspicious or malicious call:
Press MCID. The phone plays a tone and displays the message "MCID successful".

Prioritizing Critical Calls

In some specialized environments, such as military or government offices, you may need to make and receive urgent or critical calls. If you need this specialized call handling, your system administrator can add Multilevel Precedence and Preemption (MLPP) to your phone. Keep these terms in mind:
• Precedence indicates the priority associated with a call.
• Preemption is the process of ending a lower-priority call while accepting a higher-priority call.

Tips
• When you make or receive an MLPP-enabled call, you hear a special ring tone and a special call-waiting tone that differ from the standard ones.
• If you enter an incorrect MLPP access number, a voice message alerts you.

If you want to choose the priority (precedence) level of an outgoing call:
Contact your system administrator for the list of priority numbers for calls.

If you want to make a priority (precedence) call:
Enter the MLPP access number (provided by your system administrator), followed by the phone number.

If you hear a different ring (faster than usual) or a special call-waiting tone:
You are receiving a priority (precedence) call. An MLPP icon on the phone screen indicates the priority level of the call.

If you want to view the priority level of a call:
Look for an MLPP icon on the phone screen:
• Priority call
• Medium-priority (immediate) call
• High-priority (flash) call
• Highest-priority (flash override) call or priority call
The highest-priority calls appear at the top of the call list. If no MLPP icon appears, the call is a normal (routine) call.

If you want to accept a higher-priority call:
Answer the call normally. If necessary, end the active call first.

If you hear a continuous tone interrupting your call:
Either you or the other party is receiving a call that takes precedence over the current call. Hang up immediately so that the higher-priority call can ring on your phone.

Using Cisco Extension Mobility

Cisco Extension Mobility (EM) lets you temporarily configure a Cisco Unified IP Phone as your own. When you log in, the phone adopts your user profile, including your lines, features, active services, and web settings. Your system administrator must configure EM for you.

Tips
• While you are using extension mobility, you are automatically logged out after a certain time.
This timeout is set by the system administrator.
• Changes you make to your extension mobility profile (in the User Options web pages) take effect the next time you log in to the extension mobility service on a phone.
• Settings that are controlled only on the phone are not maintained in the extension mobility profile.

Logging Out of Hunt Groups

If your company receives a large number of incoming calls, you may be a member of a hunt group. A hunt group is a series of directory numbers that share the incoming call load. When the first directory number in the hunt group is busy, the system hunts for the next available directory number in the group and directs the call to that phone. When you are away from your phone, you can log out of hunt groups so that hunt group calls do not ring your phone.

Tip: Logging out of hunt groups does not prevent calls from other groups from ringing your phone.

To log in to the EM service:
1. Select [button] > Extension Mobility Service (the name of this feature may vary).
2. Enter your user ID and PIN (provided by your system administrator).
3. If prompted, select a device profile.

To log out of the EM service:
1. Select [button] > Extension Mobility Service (the name of this feature may vary).
2. When prompted to log out, press Yes.

To log out of hunt groups and temporarily block hunt group calls:
Press HLog. The phone screen displays "Logged out of Hunt Group".

To log in and receive hunt group calls:
Press HLog.

Using a Handset, Headset, and Speakerphone

You can use your phone with a handset, a headset, or the speakerphone.

To use the handset:
Lift it to go off-hook. Replace it in the cradle to hang up.

To use a headset:
Press the [headset] button to toggle headset mode on or off. If you use auto answer, see "Using Auto Answer", page 40, for exceptions. You can use the headset with all of the phone's controls, including the volume and mute buttons.

To use the speakerphone:
Press the [speaker] button to toggle speakerphone mode on or off. Most dialing and call-answering actions automatically activate speakerphone mode, provided the handset is in its cradle and the [headset] button is not lit.

To switch to headset or speakerphone mode during a call (from handset mode):
Press the [headset] or [speaker] button, then hang up the handset.

To switch to the handset during a call (from speakerphone or headset mode):
Lift the handset (do not press any button).

To adjust the volume for a call:
Press the [volume] button during the call or after you get dial tone. This adjusts the volume of the handset, headset, or speakerphone, depending on which is in use. Press Save to keep the volume level for future calls.

Obtaining a Headset

Your phone supports four- or six-wire headset jacks. For information about purchasing a headset, see "Headset Information", page 8.

Using Auto Answer

When auto answer is enabled, your phone answers incoming calls automatically after a few rings. Your system administrator configures auto answer to work with either your speakerphone or your headset. You may want to use auto answer if you receive a high volume of incoming calls.

If you use auto answer with a headset:
Keep headset mode active (that is, keep the [headset] button lit) even when you are not on a call. To keep headset mode active:
• Press EndCall to hang up.
• Press New Call or Dial to place other calls.
If your phone is set up to use auto answer in headset mode, calls are answered automatically only while the [headset] button is lit. Otherwise, calls ring normally and you must answer them manually.

If you use auto answer with the speakerphone:
Keep the handset in its cradle and headset mode inactive ([headset] button unlit). Otherwise, calls ring normally and you must answer them manually.

Using Phone Settings

You can personalize your Cisco Unified IP Phone by adjusting the ring tone, the background image, and other settings.

Customizing Rings and Message Indicators

You can customize how your phone indicates an incoming call and a new voice message. You can also adjust the ring volume of the phone.

To change the ring tone:
1. Select [button] > User Preferences > Rings.
2. Choose a phone line or the default ring setting.
3. Select a ring tone to play a sample of it.
4. Press Select and then Save to set the ring tone, or press Cancel. (Press Default to apply the default ring setting to the selected phone line.)
To change the ring pattern (flash only, ring once, beep only, and so on):
1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages", page 47.)
2. Choose Change the Ring Settings for your Phone.
Note: Before you can change ring settings in the User Options web pages, your system administrator may need to enable this phone configuration option.

To adjust the ring volume of the phone:
Press the [volume] button while the handset is in its cradle and the headset and speakerphone buttons are off. The new ring volume is saved automatically.

To change how the light strip on your handset indicates voice messages:
1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages", page 47.)
2. Choose Change the Message Waiting Indicator Policy...
Note: Typically, the default system policy for the voice message light on your handset tells the phone to always indicate a new voice message by lighting the strip.

Customizing the Phone Screen

You can adjust some phone screen settings to suit your needs.

To change the contrast level of the phone screen:
1. Select [button] > User Preferences > Contrast.
2. To make adjustments, press Up, Down, or the [navigation] button.
3. Press Save or Cancel.
Note: If you accidentally save a very low or very high contrast level and can no longer see the phone screen display: press [button], then 1, 3 on the keypad. Then press the [navigation] button to change the contrast until the phone screen display is readable, and press Save.

To change the background image:
1. Select [button] > User Preferences > Background Images.
2. Scroll through the available images and press Select to choose one.
3. Press Preview to see a larger view of the background image.
4. Press Exit to return to the selection menu.
5. Press Save to accept the image, or press Cancel.
Note: If the image selection does not appear, this option has not been enabled on your system.

To change the language:
1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages", page 47.)
2. Select Change Language...

To change the line text label:
1. Log in to your User Options web pages. (See "Logging In to the User Options Web Pages", page 47.)
2. Select the option to change your line text label.
Note: Your system administrator must enable access to this feature for you.

Using Call Logs and Directories

This section explains how to use call logs and directories. To access both features, use the Directories button.

Using Call Logs

Your phone keeps records of missed, placed, and received calls.

To view call logs:
Select [Directories] > Missed Calls, Placed Calls, or Received Calls. Each log holds up to 100 records. To view a truncated list entry, highlight it and press EditDial.

To erase call logs:
Press [Directories], then Clear. This erases the call records in all of the logs.

To dial from a call log (while not connected to another call):
1. Select [Directories] > Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record in the log.
Note: If the Details softkey appears, the call is the primary entry of a multiparty call. See the Tips below.
3. If you need to edit the displayed number, press EditDial, then << or >>. To delete the number, press EditDial, then Delete. (You may need to press the "more" softkey to display Delete.)
4. Go off-hook to place the call.

Tips
To see the complete record of a multiparty call, press Details. The Details record shows two entries for each missed or received multiparty call. The entries appear in reverse chronological order:
• The first recorded entry is the name/number of the last completed multiparty call received on your phone.
• The second recorded entry is the name/number of the first completed multiparty call received on your phone.

To dial from a call log (while connected to another call):
1. Select [Directories] > Missed Calls, Placed Calls, or Received Calls.
2. Highlight a call record in the log.
Note: If the Details softkey appears, the call is the primary entry of a multiparty call. See the Tips above.
3. If you need to edit the displayed number, press EditDial, then << or >>. To delete the number, press EditDial, then Delete. (You may need to press the "more" softkey to display Delete.)
4. Press Dial.
5. Choose a menu item to handle the original call:
• Hold: puts the first call on hold and dials the second.
• Transfer: transfers the first party to the second and drops you from the call. (Select this item again after dialing to complete the action.)
• Conference: creates a conference call with all parties, including you. (Press Conf. after dialing to complete the action.)
• EndCall: disconnects the first call and dials the second.

Using the Corporate Directory on the Phone

Depending on its configuration, your phone may provide access to a corporate directory, and therefore to the numbers of your coworkers. The corporate directory is set up and maintained by your system administrator.

Tip: Use the keypad digits to enter characters on the phone screen. Use the phone's navigation button to move between input fields.

To dial from a corporate directory (while not connected to another call):
1. Select [Directories] > Corporate Directory (the exact name of this service may vary).
2. Enter a full or partial name and press Search.
3. To dial a number, select or scroll to a list entry and lift the handset.

To dial from a corporate directory (while connected to another call):
1. Select [Directories] > Corporate Directory (the exact name of this service may vary).
2. Enter a full or partial name and press Search.
3. Scroll to a list entry and press Dial.
4. Choose a menu item to handle the original call:
• Hold: puts the first call on hold and dials the second.
• Transfer: transfers the first party to the second and drops you from the call. (Select this item again after dialing to complete the action.)
• Conference: creates a conference call with all parties, including you. (Press Conf. after dialing to complete the action.)
• EndCall
: disconnects the first call and dials the second.

Accessing Voice Messages

To access voice messages, use the [Messages] button.

Note: Your company determines the voice message service that your phone system uses. For accurate and detailed information, see the documentation that came with your voice message service.

To set up and personalize your voice message service:
Press [Messages] and follow the voice prompts. If a menu appears on the screen, select the appropriate option.

To check whether you have a new voice message:
Look for:
• A steady red light on your handset. (This indicator can vary. See "Customizing Rings and Message Indicators", page 41.)
• A flashing message-waiting icon and a text message on the screen.

To listen to your voice messages or access the voice message menu:
Press [Messages]. Depending on your voice message service, this automatically dials the message service or displays a menu.

To send a call to your voice message system:
Press iDivert. This automatically transfers a call, including a ringing or held call, to your voice message system. Callers hear your voice mail greeting and can leave a message.

Accessing Your User Options Web Pages

Because the Cisco Unified IP Phone is a network device, it can share information with other network devices in your company, including your computer and web services that you access through a browser. You can set up phone services and control settings and features from your computer by using the Cisco Unified CallManager User Options web pages. Once you have configured features and services in the web pages, you can access them from the phone. For example, you can set up speed-dial buttons in the web pages and then use them from your phone.

This section explains how to access the User Options web pages and how to subscribe to phone services. For more information about configurable features and subscription phone services, see Customizing Your Cisco Unified IP Phone on the Web at:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm

Logging In to the User Options Web Pages

Procedure
Step 1: Ask your system administrator for a User Options page URL, a user ID, and a default password.
Step 2: Open a web browser on your computer, enter the URL (provided by your system administrator), and log in.
Step 3: From the general menu, select your device type (phone model) in the "Select a device" drop-down list. After you make the selection, a context-sensitive menu appears with options appropriate for that device type.
Step 4: Select an option to display the configuration page, then make the appropriate selections or changes.
Step 5: Click Update to apply and save your changes.
Step 6: Click Return to Menu to go back to the context-sensitive menu, or click Log Off to exit the User Options pages.

Subscribing to Phone Services

To access these services, you must first subscribe to them by logging in to the User Options web pages from your computer. (For help logging in, see "Logging In to the User Options Web Pages", page 47.)

Phone services can include:
• Web-based information services, such as stock quotes, movie listings, and weather reports.
• Network data, such as calendars and searchable corporate directories.
• Phone features, such as My Fast Dials and a personal address book.

For more information, see the table below. In each case, first log in and select your device type, then do the following.

To subscribe to a service:
From the main menu, select Configure your Cisco Unified IP Phone Services. Select a service from the "Available Services" drop-down list and click Continue. Enter any additional information requested (for example, a zip code or PIN), then click Subscribe.

To change or end a subscription:
From the main menu, select Configure your Cisco Unified IP Phone Services. Click a service in the "Your Subscribed Services" pane. Click Update after making your changes, or click Unsubscribe.

To assign a service to a programmable button:
After subscribing to a service, select Add/Update your Service URL Buttons from the main menu. For each available button, select a service from the drop-down list and enter a description. When you have made your changes, click Update. Your system administrator determines how many programmable buttons can be assigned to services; the administrator can also assign service buttons to the phone.

To access a service on the phone:
Press the [Services] button on the phone. Alternatively, press a programmable button assigned to a service (if available).

To learn how to use phone services:
See Customizing Your Cisco Unified IP Phone on the Web at:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm

Understanding Additional Configuration Options

Your system administrator can configure your phone to use specific button and softkey templates, along with particular features and services, where appropriate. The table below gives an overview of some configuration options that you can request from your phone system administrator, depending on your calling needs or your work environment.

Note: You can find the phone guides and other documents referenced in this table on the web at:
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/index.htm

If you need to handle multiple calls on your phone line:
Ask your system administrator to configure your line to support multiple calls.
For more information: contact your system administrator or the phone support team.

If you need multiple phone lines:
Ask your system administrator to configure one or more additional directory numbers for you.
For more information: contact your system administrator or the phone support team.

If you need more speed-dial buttons:
First make sure that you are already using all of the speed-dial buttons available to you. If you need additional speed-dial buttons, use the Fast Dial feature or subscribe to the Fast Dial service. You can also add a Cisco Unified IP Phone Expansion Module 7914 to your phone.
For more information, see:
• "Speed Dialing", page 30
• "Subscribing to Phone Services", page 48
• Cisco IP Phone Expansion Module 7914 Phone Guide

If you work with an administrative assistant (or as one):
Consider using:
• The Cisco IP Manager Assistant service.
• A shared line.
For more information, see:
• "Using a Shared Line", page 32
• Cisco IP Manager Assistant User Guide

If you want to use one extension number for several phones:
Request a shared line. This lets you use a single extension number for your desk phone and your lab phone, for example.
For more information, see "Using a Shared Line", page 32.

If you share phones or office space with coworkers:
Consider using:
• Call park, to store and retrieve calls without using the transfer feature.
• Call pickup, to answer calls that are ringing on another phone.
• A shared line, to view or join your coworkers' calls.
• Cisco Extension Mobility, to assign your phone number and user profile to a shared Cisco Unified IP Phone.
For more information, ask your system administrator for details about these features and see:
• "Advanced Call Handling", page 30
• "Using a Shared Line", page 32
• "Using Cisco Extension Mobility", page 38

If you answer a lot of calls or handle calls on behalf of someone else:
Ask your system administrator to set up auto answer on your phone.
For more information, see "Using Auto Answer", page 40.

If you need to make video calls:
Consider using Cisco VT Advantage to make video calls with your Cisco Unified IP Phone, a computer, and an external video camera.
For more information: if you need help, contact your system administrator and see the Cisco VT Advantage Quick Start Guide and the Cisco VT Advantage User Guide.

If you want to temporarily assign your phone number and settings to a shared Cisco Unified IP Phone:
Ask your system administrator for details about the Cisco Extension Mobility service.
For more information, see "Using Cisco Extension Mobility", page 38.

Troubleshooting Your Phone

This section provides troubleshooting information for the Cisco Unified IP Phone.

General Troubleshooting

This section helps you resolve problems with your phone. For more information, contact your system administrator.

Symptom: You hear no dial tone or cannot place a call.
Explanation: One or more of the following may apply:
• You need to log in to the Extension Mobility service.
• You need to enter a client matter code or a forced authorization code after dialing a number.
• Your phone has time-of-day restrictions that make some features unavailable during certain hours.

Symptom: The Settings button does not respond.
Explanation: Your system administrator may have disabled the Settings button on your phone.

Symptom: The softkey you want to use does not appear.
Explanation: One or more of the following may apply:
• You need to press "more" to display additional softkeys.
• You need to change the line state (for example, go off-hook or connect a call).
• Your phone is not configured to support the feature associated with that softkey.

Symptom: Join fails.
Explanation: Join requires multiple selected calls. Be sure to select at least one call in addition to the active call, which is selected automatically. Join also requires that the selected calls be on the same line. If necessary, transfer calls to a single line before joining them.

Symptom: Using the Barge softkey fails with a fast busy tone.
Explanation: You cannot barge into an encrypted call if the phone you are using is not configured for encryption. When a barge attempt fails for this reason, the phone plays a fast busy tone.

Symptom: You are disconnected from a call that you joined using the Barge softkey.
Explanation: When you join a call using Barge, you may be disconnected from it if the call is put on hold, transferred, or turned into a conference call.

Symptom: Cisco Call Back fails.
Explanation: The other party may have call forwarding enabled.

Viewing Phone Administration Data

Your system administrator may ask you to access administration data on your phone for troubleshooting purposes.

Using the Quality Reporting Tool (QRT)

Your system administrator may temporarily configure your phone with the Quality Reporting Tool to troubleshoot performance problems. You can press QRT to submit information to your system administrator. Depending on its configuration, QRT lets you:
• Immediately report an audio problem on the current call.
• Select a general problem from a list and choose reason codes.

If you need to access network configuration data:
Select [Settings] > Network Configuration, then the network configuration item you want to view.

If you need to access status data:
Select [Settings] > Status, then the status item you want to view.

If you need to access your phone's model information:
Select [Settings] > Model Information.

If you need to access call quality and voice quality information for your phone:
Select [Settings] > Status > Call Statistics.

Cisco One-Year Limited Hardware Warranty Terms

Special terms apply to your hardware warranty, and various services are available to you during the warranty period. Your formal warranty statement, including the warranties applicable to Cisco software, is available on the Cisco Documentation CD and on Cisco.com. Follow these steps to access and download the Cisco Information Packet and your warranty document from the CD or from Cisco.com.

1. Launch your browser and go to this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/cetrans.htm
The Warranties and License Agreements page appears.

2. To read the Cisco Information Packet:
a. Click the Information Packet Number field and verify that part number 78-5235-02F0 is highlighted.
b. Select the language in which you want to read the document.
c. Click Go.
d. The Cisco Limited Warranty and Software License page from the Information Packet appears.
e. Read the document online, or click the PDF icon to download and print the document in Adobe Portable Document Format (PDF).
Note: You must have Adobe Acrobat Reader installed to view and print PDF files. You can download the Reader from Adobe's website: http://www.adobe.com.

3. To read the translated and localized warranty information for your product:
a. Enter this part number in the Warranty Document Number field: 78-10747-01C0
b. Select the language in which you want to view the document.
c. Click Go.
The Cisco warranty page appears.
d. Read the document online, or click the PDF icon to download and print the document in Adobe Portable Document Format (PDF).

You can also contact the Cisco Service and Support website for assistance:
http://www.cisco.com/public/Support_root.shtml

Duration of Hardware Warranty
One (1) year.

Replacement, Repair, or Refund Policy for Hardware
Cisco or its service center will use commercially reasonable efforts to ship a replacement part within ten (10) working days after receipt of a Return Materials Authorization request. Actual delivery times may vary depending on the customer's location. Cisco reserves the right to refund the purchase price as its exclusive warranty remedy.

To Receive a Return Materials Authorization Number
Contact the company from which you purchased the product. If you purchased the product directly from Cisco, contact your Cisco sales and service representative. Fill in the information below and keep it for reference:
• Product purchased from
• Company phone number
• Product model number
• Product serial number
• Maintenance contract number
13 affichage 22 attente et reprise 21 attribution de priorité 37 avec plusieurs interlocuteurs 26 différences avec une ligne 15 établissement 17 fin 21 fonctions de conférence 26 gestion 22 icônes 16 multiples, affichage 23 nombre maximum par ligne 15 parcage 35 rapports sur les problèmes 52 réacheminement d’appels en sonnerie 20, 31 renvoi 25 réponse 20 sécurisés 36 stockage et récupération 35 transfert 23 utilisation du mode Secret 22 Appels composés, enregistrements 43 Appels en absence, enregistrements 43 Appels reçus, enregistrements 43 Appels suspects, suivi 36 Attente et passage d’un appel à l’autre 22 et transfert 23 utilisation 21 Attribution de priorité aux appels 37 Authentifiés, appels 36 B Bouton d’aide, description 11 Bouton de navigation, description 12 Bouton Messages, description 11 Bouton Paramètres, description 12 Bouton Répertoires, description 11 Bouton Secret, description 12 Bouton Services, description 12 Bouton Volume, description 12 Boutons de fonctions aide 11 Messages 11 Paramètres 12 Répertoires 11 Services 12 Boutons de ligne, identification 1156 OL-9616-01 C Carnet d’adresses personnel abonnement 48 numérotation 19 Casque bouton, identification 12 mode 39 raccrochage 21 réponse à des appels 20 Chiffrés, appels 36 Clavier description 12 Combiné bande lumineuse 12 fixation sur son support 7 utilisation 39 Composition, options 17 Conférences Meet-Me 26, 29 Conférences téléphoniques Meet-Me 26, 29 standard 26, 27 Confidentialité et lignes partagées 32 utilisation 34 Consignes, sécurité 3 D Déconnexion de groupes de recherche 38 Dépannage 51 Données d’état, recherche 51 Données de configuration du réseau, recherche 51 E Écran du téléphone fonction 13 modification de la langue 42 nettoyage 14 réglage du contraste 42 Établissement d’appels, options 17 F Fin d’un appel, options 21 Fonctions, disponibilité 16, 49 G Gestion de plusieurs appels 22 Groupe de recherche 38 H Haut-parleur bouton, identification 12 mode 39 raccrochage 21 réponse à des 
appels 20 I Icône Utilisé à distance pour les lignes partagées 32 Icônes pour les états d’appel 16 Identification des appels malveillants (MAL), utilisation 3657 Indicateur de messages vocaux 46 InsConf, voir Insert Insert et confidentialité 34 et lignes partagées 32 utilisation 33 Installation du téléphone IP Cisco Unified 6 Interception d’appels 31 Interception d’appels de groupe 31 J Journaux d’appels affichage et composition d’un numéro 43 effacement 43 L Ligne état 13 Ligne téléphonique affich. 13 boutons 11 description 15 Lignes affich. 13 description 15 Lignes partagées avec insertion 33 avec la fonction de confidentialité 34 description 32 et icône Utilisé à distance 32 M Menus d’options, utilisation 16 Menus, utilisation 16 Messages écoute 46 indicateur 41, 46 MLPP, utilisation 37 Mode Secret, utilisation 22 N Numéro abrégé 30 boutons, identification 11 étiquettes 13 utilisation 18 Numéro de poste 13 Numérotation automatique 18 Numérotation avec le combiné raccroché 18 O Outil d’assistance des téléphones enregistrés automatiquement (TAPS, Tool for Auto-Registered Phones Support) 7 P Pages Web Options utilisateur accès 47 et aux services téléphoniques 48 Parcage d’appel dirigé 35 Parcage d’appels 35 Passage d’un appel à l’autre 22 Performances du casque, généralités 8 Prénumérotation 18 Problèmes audio 5258 OL-9616-01 Q QRT, utilisation 52 R Raccrochage, options 21 Rappel 17 Renvoi d’appels 25 Renvoi d’appels, options 25 Répertoire numérotation à partir d’une page Web 19 utilisation sur un téléphone 18, 43 Répertoire d’entreprise numérotation à partir d’une page Web 19 utilisation sur un téléphone 18 Réponse à des appels, options 20 Réponse automatique 40 Reprise, utilisation 21 S Sécurisés, appels 36 Sécurité, consignes 3 Service de messagerie vocale 46 Service de numérotation abrégée abonnement 48 numérotation 19 Services, abonnement 48 Socle bouton, identification 11 réglage 7 Sonnerie indicateur 12 personnalisation 41 Substitution de poste connexion 38 
déconnexion 38 T TAPS, utilisation 7 Téléphone IP Cisco Unified aide en ligne 15 configuration des fonctions 16, 49 description 9 enregistrement 7 fixation du support du combiné 7 illustration 10 raccordement 6 réglage de la hauteur 7 services Web 47 Texte saisi sur le téléphone 16 Touches dynamiques description 12 étiquettes 13 Touches programmables description 11 étiquettes 13 Traitement des appels avancé 30 de base 17 Transfert, options 23 W WebDialer 19 Z Zone d’activité des appels 13Siège social Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 États-Unis www.cisco.com Tél. : +1 408 526-4000 +1 800 553-NETS (6387) Fax : +1 408 526-4100 Siège social en Europe Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam Pays-Bas www-europe.cisco.com Tél. : +31 0 20 357 1000 Fax : +31 0 20 357 1100 Siège social aux États-Unis Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 États-Unis www.cisco.com Tél. : +1 408 526-7660 Fax : +1 408 527-0883 Siège social en Asie-Pacifique Cisco Systems, Inc. 168 Robinson Road #28-01 Capital Tower Singapour 068912 www.cisco.com Tél. : +65 6317 7777 Fax : +65 6317 7799 Cisco Systems possède plus de 200 bureaux dans les pays ci-dessous. 
Les adresses, numéros de téléphone et numéros de fax sont indiqués sur le site Web de Cisco à l’adresse suivante : www.cisco.com/go/offices Afrique du Sud • Allemagne • Arabie Saoudite • Argentine • Australie • Autriche • Belgique • Brésil • Bulgarie • Canada • Chili • Chypre • Colombie Corée • Costa Rica • Croatie • Danemark • Dubai, État des Émirats Arabes Unis • Écosse • Espagne • États-Unis • Finlande • France • Grèce Hongrie • Inde • Indonésie • Irlande • Israël • Italie • Japon • Luxembourg • Malaisie • Mexique • Norvège • Nouvelle-Zélande • Pays-Bas • Pérou Philippines • Pologne • Portugal • Puerto Rico • RAS de Hong Kong • République populaire de Chine • République Tchèque • Roumanie • Royaume-Uni Russie • Singapour • Slovaquie • Slovénie • Suède • Suisse • Taïwan • Thaïlande • Turquie • Ukraine • Venezuela • Viêtnam • Zimbabwe CCSP, CCVP, le logo Cisco Square Bridge, Follow Me Browsing et StackWise sont des marques de Cisco Systems, Inc. Changing the Way We Work, Live, Play, and Learn et iQuick Study sont des marques de service de Cisco Systems, Inc. Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, le logo Cisco Certified Internetwork Expert, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, le logo Cisco Systems, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, le logo iQ, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, le logo Networkers, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient et TransPath sont des marques déposées de Cisco Systems, Inc. et/ou de ses filiales aux États-Unis et dans certains autres pays. Toutes les autres marques mentionnées dans ce document ou sur le site Web sont la propriété de leurs détenteurs respectifs. 
© 2006 Cisco Systems, Inc. All rights reserved. OL-9616-01

Meraki Cloud Controller Product Manual
December 2011
Copyright © 2011 Meraki, Inc. All rights reserved.

Table of Contents

1 Introduction 10
   1.1 Primary MCC Functions 10
   1.2 MCC Versions 10
   1.3 MCC Layout 11
   1.4 How to Use This Document 11
2 System Overview 13
   2.1 Data Flow 14
   2.2 Centralized Management and Monitoring 14
   2.3 Security 14
   2.4 Network Optimization 14
   2.5 Availability 14
   2.6 Mesh Networking 15
   2.7 Over-the-Air Upgrades 15
3 Getting Started 16
4 Configuring SSIDs 17
5 Assigning IP Addresses to Wireless Clients 18
   5.1 NAT Mode 18
   5.2 Bridge Mode (Enterprise Only) 18
   5.3 VPNs 19
6 Configuring the LAN 20
   6.1 Firewall Settings 20
   6.2 Assigning IP Addresses to Meraki APs 20
      6.2.1 Configuring a Static IP Address Directly on a Meraki AP 20
      6.2.2 Configuring a Static IP Address for a Meraki AP via DHCP Reservations 21
7 Wireless Encryption and Authentication 22
   7.1 Association Requirements 22
      7.1.1 Open 23
      7.1.2 MAC-Based Access Control (Enterprise Only) 23
      7.1.3 Pre-Shared Keys (WEP, WPA/WPA2-Personal) 23
      7.1.4 WPA2-Enterprise with 802.1x Authentication (Enterprise Only) 24
   7.2 Network Sign-On Methods 24
      7.2.1 Direct Access 25
      7.2.2 Click-Through Splash Page 25
      7.2.3 Sign-On Splash Page 25
      7.2.4 Billing 26
      7.2.5 Hosting Your Own Splash Page 26
   7.3 Configuring an Authentication Server 26
      7.3.1 Meraki-Hosted Authentication Server 26
      7.3.2 Externally Hosted RADIUS Server 27
      7.3.3 Externally Hosted Active Directory Server 29
      7.3.4 Externally Hosted LDAP Server 31
8 Monitoring 33
   8.1 Overview Page 33
   8.2 All-Network Overview Page 34
   8.3 Maps Page (Enterprise Only) 34
   8.4 Access Points Page 35
   8.5 Access Point Details Page 36
      8.5.1 AP Tagging 37
   8.6 Clients Page 39
      8.6.1 Clients Overview Page Features 39
      8.6.2 Traffic Analysis (Enterprise Only) 40
      8.6.3 Client Details Page 41
      8.6.4 Client Location Services 43
   8.7 Event Log Page (Enterprise Only) 44
   8.8 Rogue APs Page (Enterprise Only) 45
   8.9 WIPS Page (Enterprise Only) 45
   8.10 Summary Report Page (Enterprise Only) 45
   8.11 PCI Reports Page (Enterprise Only) 45
   8.12 Live Updates (Enterprise Only) 46
   8.13 Search Tool 46
   8.14 Email Alerts 46
   8.15 Export XML Data 46
   8.16 Logins Page 47
   8.17 Account Activity Page 47
9 VLAN Tagging (Enterprise Only) 48
   9.1 Per-SSID VLAN Tagging 49
   9.2 Per-User VLAN Tagging 49
   9.3 Per-Device Type VLAN Tagging 50
   9.4 Management Traffic 50
   9.5 Configuring the LAN to Support VLAN Tagging 50
   9.6 Other Considerations 50
10 User Access Control Features 51
   10.1 Network Access Control 51
   10.2 MAC Whitelist 52
   10.3 MAC Blacklist 52
   10.4 Bandwidth Shaping 53
   10.5 Adult Content Filtering 53
   10.6 Firewall Rules for Wireless Users 54
      10.6.1 LAN Isolation 54
      10.6.2 Custom Firewall Rules (Enterprise Only) 54
   10.7 Captive Portal Strength 55
   10.8 Enable/Disable Simultaneous Logins 55
   10.9 Walled Garden (Enterprise Only) 55
11 Identity Policy Manager (Enterprise Only) 57
   11.1 How IPM Works 57
   11.2 How to Configure IPM 58
      11.2.1 Define a Group Policy on the RADIUS Server 58
      11.2.2 Define a Group Policy on the MCC 58
      11.2.3 Test the IPM Configuration 60
12 Traffic Shaper (Enterprise Only) 61
   12.1 Configuring Shaping Policies 61
      12.1.1 Creating Shaping Rules 61
      12.1.2 Example Shaping Policy 62
13 Guest Management (Enterprise Only) 63
14 Rogue AP Detection (Enterprise Only) 64
15 Wireless Intrusion Prevention System (Enterprise Only) 66
16 Wireless Features 67
   16.1 AutoRF 67
   16.2 Channel Selection 67
   16.3 Channel Spreading (Enterprise Only) 68
      When automatic channel selection is configured, an administrator can configure "channel spreading", which allows Meraki APs to operate on different channels. Channel spreading selects channels that minimize RF utilization and interference in the network, thereby maximizing overall network performance and client capacity (i.e., the number of wireless clients that can connect to the network). 68
   16.4 Network Scans (Enterprise Only) 68
   16.5 Spectrum Analysis (Enterprise Only) 68
   16.6 Transmit Power Control (Enterprise Only) 69
   16.7 Radio Settings Page (Enterprise Only) 69
      16.7.1 Radio Controls 69
      16.7.2 Channel Planning Report 69
   16.8 SSID Availability Page 69
      16.8.1 SSID Visibility (Enterprise Only) 69
      16.8.2 SSID Broadcast Controls By AP (Enterprise Only) 70
      16.8.3 Timed SSID Broadcasting (Enterprise Only) 71
   16.9 Band Selection and Band Steering (Enterprise Only) 71
   16.10 Disabling Legacy 802.11b Bitrates (Enterprise Only) 71
   16.11 Software Upgrades 72
      16.11.1 Preferred Maintenance Window (Enterprise Only) 72
   16.12 Mesh Networking 72
   16.13 Wired Clients 73
   16.14 Wireless Bridging 73
   16.15 Quality of Service 73
   16.16 Power Save 74
   16.17 Run Dark 74
   16.18 Accessing the AP's Local Web Page 74
17 Branding 75
   17.1 Splash Page 75
      17.1.1 Meraki-Hosted Splash Page 75
      17.1.2 Externally Hosted Splash Page 75
      17.1.3 Splash Page Frequency 75
18 Billing 77
19 Administering Multiple Networks 78
   19.1 Organizations 78
      An "organization" consists of a collection of networks and a collection of administrative accounts. Every administrator has an account in the MCC that is part of an organization. An organization is covered by a single license. (For more information on licensing, see Chapter 21, "Licensing".) 78
   19.2 Administrators 78
      19.2.1 Organization Administrators 78
      19.2.2 Network Administrators 79
   19.3 Moving APs between Networks or Organizations 79
20 Teleworker VPN 80
   20.1 Typical Use Cases 80
   20.2 How It Works 80
   20.3 The Virtual Concentrator 80
   20.4 Creating the Virtual Concentrator Network 81
   20.5 Installing the Virtual Concentrator 81
   20.6 Monitoring the Virtual Concentrator 82
      20.6.1 Overview 82
      20.6.2 Concentrator Status 82
      20.6.3 Clients 82
      20.6.4 Event Log 82
      20.6.5 Summary Report 82
   20.7 Configuring the Virtual Concentrator 83
      20.7.1 Concentrator Settings 83
      20.7.2 Alerts and Administrators 83
   20.8 Configuring Remote APs 83
   20.9 Create Remote Site Network and Add APs 84
      20.9.1 Configure SSIDs to Tunnel 84
      20.9.2 Configure Split Tunnel 84
      20.9.3 Tunneling Wired Client Traffic 84
   20.10 Configuration Best Practices 85
      20.10.1 Concentrator Location(s) 85
      20.10.2 Firewall Settings 86
21 Licensing 87
   21.1 Adding Licenses 87
   21.2 Cloud Controller Upgrades 88
   21.3 Renewing Licenses 88
   21.4 Expired Licenses or Exceeding the Licensed AP Limit 88
22 Troubleshooting 89
23 References 90
24 Appendix A: Example Office Configuration 91
   24.1 Objectives 91
   24.2 Implementation Alternatives 92
   24.3 Assumptions 92
   24.4 Configuration for Guests 93
      24.4.1 Configuration Settings 93
      24.4.2 Configure a Splash Page 93
      24.4.3 Create a Guest Ambassador 94
   24.5 Configuration for Employees 95
      24.5.1 Dashboard Configuration 95
      24.5.2 Configure Meraki APs as RADIUS Clients in NPS 96
      24.5.3 Testing RADIUS Authentication 97
   24.6 Configuration for Contractors 98
      24.6.1 Configuration for Users 98
      24.6.2 Configuration of NPS Policies 100
      24.6.3 Configuration of Group Policy in the Meraki Cloud Controller 103
      24.6.4 Testing the Group Policy Application 104
   24.7 Traffic Shaping Configuration 105
   24.8 Summary 106
25 Appendix B: Example Teleworker VPN Configuration 107
   25.1 Objectives 107
   25.2 Virtual Concentrator Installation 108
      25.2.1 Virtual Concentrator Network 108
      25.2.2 Virtual Concentrator Configuration Settings 109
      25.2.3 Installing the Virtual Concentrator in VMware 110
   25.3 Remote Site Network Configuration 111
      25.3.1 Remote Site Network 111
   25.4 AP Pre-Configuration 113
26 Appendix B: Miscellaneous Configuration Settings 115
   26.1 FreeRADIUS Configuration
115 26.1.1 Configuration for APs (clients.conf file)....................................................................................... 115 26.1.2 Configuration for Users (Users file) ............................................................................................ 115 26.1.3 Configuration for WPA2-Enterprise with 802.1x Authentication (eap.conf file)........................... 116 26.2 Switch Configuration for VLAN Tagging ......................................................................................... 116Meraki Cloud Controller Product Manual | 9 27 Appendix C: RADIUS Attributes.......................................................................... 117 27.1 Authentication Attributes................................................................................................................. 117 27.1.1 Attributes Supported in Access-Request Messages................................................................... 117 27.1.2 Attributes Supported in Access-Accept Messages..................................................................... 117 27.1.3 Attributes Supported in Access-Reject Messages...................................................................... 118 27.2 Accounting Attributes...................................................................................................................... 119 28 Appendix D: Meraki-Hosted Splash Page Variables ......................................... 120Meraki Cloud Controller Product Manual | 10 1 Introduction The Meraki Cloud Controller (MCC) provides centralized management, optimization, and monitoring of a Meraki wireless LAN system. The MCC is not an appliance that an administrator must purchase and install in a data center to manage wireless access points (APs). Rather, the MCC is a cloud-based service that is constantly monitoring, optimizing, and reporting on the behavior of the network. 
1.1 Primary MCC Functions

An administrator uses the MCC to configure and monitor Meraki wireless networks. The MCC provides the following primary functions:

• Centralized configuration:
  o Configuration of multiple geographically distributed networks.
  o Secure access to configuration settings via a web browser.
• Network optimization:
  o Performance optimization through RF management.
  o Diagnostic tools to enable proper AP placement.
• Centralized monitoring:
  o Usage statistics, login history, and alerts.
  o Remote troubleshooting and issue diagnosis.

1.2 MCC Versions

There are two versions of the MCC:

• Meraki Enterprise Cloud Controller: The Meraki Enterprise Cloud Controller enables companies and organizations to set up secure wireless LANs. Examples include offices, warehouses, retail stores, educational campuses, and healthcare institutions.
• Meraki Pro Cloud Controller: The Meraki Pro Cloud Controller is for basic wireless deployments that require Internet-only access. Examples include fee-based wireless hotspots, coffee shops, and other amenity networks.

This manual addresses all features supported by the Meraki Enterprise Cloud Controller and the Meraki Pro Cloud Controller. Some features in the Meraki Enterprise Cloud Controller are not available in the Meraki Pro Cloud Controller; these features are designated as “Enterprise Only”.

1.3 MCC Layout

Figure 1 is a screenshot of the main page of the Meraki Enterprise Cloud Controller’s administrator interface.

Figure 1 – Meraki Enterprise Cloud Controller Administrator Interface

The 3 tabs in the left navigation panel are as follows:

• Monitor: View information about APs, client devices, and users.
• Configure: Configure the various features of the MCC, such as SSIDs, authentication, and branding.
• Help: Get access to technical support and the Meraki knowledge base.
1.4 How to Use This Document

The chapters in this manual begin with more basic topics and progress to more advanced topics. The chapters are roughly grouped as follows:

Chapters 1-2, Overview: These chapters provide an introduction to the Meraki wireless solution.
Chapters 3-8, Basic Topics: These chapters enable an administrator to get a simple wireless network up and running. Wireless and networking fundamentals are reviewed.
Chapters 9-17, Advanced Topics: These chapters describe sophisticated features that enable administrators to manage and monitor their Meraki wireless networks more effectively.
Chapters 18-20, Administrative Topics: These chapters discuss some of the features and functions pertaining to Meraki network administrators.
Chapters 21-25, References and Appendices

2 System Overview

This chapter explains how the MCC operates and fits into the overall Meraki system.

In the Meraki architecture, there is only one type of hardware: access points (APs). There is no need for specialized hardware controllers or management appliances. Meraki APs tunnel back to the MCC via a secure Internet connection. All control, configuration, optimization, and mobility control functions are centralized in Meraki’s network operations centers (NOCs), which are distributed geographically around the world. These NOCs provide physical security to the MCC, as well as high availability through power backups and redundant servers in hot standby mode. The geographical distribution of the NOCs also improves the performance of Meraki wireless networks by minimizing the distance that control traffic from a network needs to travel to reach the MCC.

An administrator can use the MCC to make configuration changes and obtain reporting information on his networks. For example, the administrator may wish to change the bandwidth available to guests accessing the network.
Once that change is made through the MCC, all APs automatically receive the new configuration. Figure 2 depicts the primary components of a Meraki wireless system.

Figure 2 – Meraki Wireless System Architecture

2.1 Data Flow

The MCC is “out of band,” which means that client traffic never flows through the MCC. This architecture is important both for performance as well as security reasons. It is not possible for an unauthorized person having access to the MCC to see user data, and the MCC is not a bottleneck for data traffic flows. Thus, the system operates securely and efficiently.

2.2 Centralized Management and Monitoring

MCC management and monitoring activities are performed remotely through the Meraki Dashboard, the web-based interface to the MCC. Dashboard can be accessed using any JavaScript-capable Internet web browser, including Firefox, Internet Explorer, and Chrome. Unlike other solutions, there is no need to install and maintain separate management servers or appliances.

The administrator can troubleshoot multiple wireless networks remotely from a single interface. Through the Meraki Dashboard, administrators have access to standard troubleshooting tools, such as ping and throughput tests. In addition, administrators can monitor bandwidth and usage data, either through the Meraki Dashboard or with existing monitoring infrastructure using Meraki’s XML-based API. An administrator can build custom monitoring and reporting applications based on historical statistics without installing additional software or hardware on site.

2.3 Security

Control traffic flows between the APs and the MCC via a persistent secure tunnel. All sensitive data, such as configuration details, user names, and passwords, are encrypted. In addition, traffic between APs in a Meraki network is encrypted using a per-network Advanced Encryption Standard (AES) key.
The MCC distributes the secret network key over SSL when each AP downloads its configuration. The in-network encryption is performed with the assistance of hardware accelerators, and does not cause performance degradation or increased latency on a per-hop basis. Furthermore, security keys (such as WEP or WPA2 encryption keys) cannot be retrieved off an access point even if an attacker has physical possession of the device.

2.4 Network Optimization

The MCC provides round-the-clock optimization of the Meraki wireless network. Meraki’s Auto RF optimization capability monitors channel utilization and interference, ensuring the network is operating at peak performance. The MCC can minimize channel utilization in any given part of the network by assigning channels to the individual radios and by adjusting the radio transmit powers. Mesh routes are also constantly updated to ensure maximum client throughput.

2.5 Availability

Multiple geographically distributed Meraki data centers are used to ensure that networks continue to function even in the event of a catastrophic failure. In case the MCC is ever unreachable (e.g., because the Internet route to the MCC has gone down temporarily), Meraki networks that do not use the MCC for authentication or splash page hosting continue to operate, providing wireless connectivity to users using the last configuration they obtained from the MCC. Configuration changes and firmware upgrades resume when the MCC is reachable again.

2.6 Mesh Networking

All Meraki APs support mesh networking. A Meraki AP automatically configures as either a mesh gateway or a mesh repeater. A mesh gateway is an AP that connects directly to a wired network, such as an enterprise LAN or T1 modem. A mesh repeater does not require a wired connection. Instead, it identifies the nearest mesh gateway in its network and spreads wireless connectivity from that mesh gateway over a wider coverage area.
A collection of mesh repeaters and mesh gateways forms a wireless mesh network. The data flowing from a client may go through several mesh repeaters before reaching a mesh gateway, at which point the data enters the wired network.

2.7 Over-the-Air Upgrades

New features require no client- or server-side upgrades, but instead are added to the MCC several times per year with minimal downtime. Meraki also manages firmware upgrades centrally, freeing the administrator from having to worry about keeping the APs up-to-date. Firmware upgrades take place over the air in a secure, fault-tolerant fashion. Network administrators receive an email alert several weeks in advance of a firmware upgrade, and a notice will be posted in Dashboard notifying them of the exact time that the upgrade will occur. If necessary, the upgrade can be delayed or rescheduled by contacting Meraki Support.

3 Getting Started

This chapter describes how to configure a Meraki wireless network for the first time. There are 3 simple steps to creating and configuring a Meraki wireless network:

Step 1: Create an account. To manage Meraki wireless networks through the MCC, an administrator needs to create an account at http://dashboard.meraki.com. The administrator’s email address will be used as the login ID.

Step 2: Run the Quick Start application. After logging into an account, the administrator can use the Quick Start application to create the first wireless network. The steps include naming the network, adding APs, and configuring the APs with access policies. If creating multiple, similar networks for different sites (e.g., a chain of retail stores), an administrator has the option to copy configuration settings from an existing Dashboard network to save time. In this case, all SSID and network-wide settings (e.g., administrators, alerts, etc.) will be copied to the new network.
Note: An administrator can create a “live demo” network at this step, which provides a fully configurable wireless network without any physical APs. With a simulated network, an administrator can manage a network consisting of virtual APs and sample usage data to experience the MCC with minimal investment.

Step 3: Test the network. The administrator can now test the basic settings in the wireless network. The administrator can then iteratively test and configure additional wireless settings.

4 Configuring SSIDs

An SSID is a logical wireless network, sometimes referred to as a virtual access point (VAP). In practice, the SSID is the name of a wireless network that a client “discovers” when it probes for available wireless networks in the environment.

Multiple SSIDs allow an administrator to use a single physical Meraki network to support multiple applications with different configuration requirements. For example, one SSID can allow visitor access to only the Internet without any encryption, and another SSID can require employees to utilize encryption for access to company servers.

The MCC supports multiple SSIDs. The Enterprise Cloud Controller supports up to 16 SSIDs in networks that contain all 802.11n APs, and up to 4 SSIDs in networks that contain 802.11b/g APs. The Pro Cloud Controller supports up to 2 SSIDs. Each SSID is configurable with its own settings for authentication, encryption, bandwidth limits, etc.

SSID settings are located under the Configure tab in the MCC. Figure 3 is a screenshot of the SSID Overview page:

Figure 3 – SSID Overview Page

The following elements can be configured on a per-SSID basis and are described in subsequent chapters:

• Client IP addressing
• LAN configuration (e.g., VLAN tagging)
• Wireless encryption and authentication (e.g., WPA2-Personal, WPA2-Enterprise with 802.1x authentication)
• User access control (e.g., per-user and group policies)
• Traffic shaping (e.g., application-specific usage policies)
• Wireless features (e.g., band steering)
• Branding (e.g., splash page / captive portal)

5 Assigning IP Addresses to Wireless Clients

The administrator can assign IP addresses to wireless clients via one of the following two addressing modes. The addressing mode is configured on a per-SSID basis under the Configure tab on the Access Control page.

5.1 NAT Mode

In NAT mode, the Meraki APs run as DHCP servers to assign IP addresses to wireless clients out of a private 10.x.x.x IP address pool behind a NAT.

NAT mode should be enabled when any of the following is true:

• Wireless clients associated to the SSID require Internet-only access.
• There is no DHCP server on the LAN that can assign IP addresses to the wireless clients.
• There is a DHCP server on the LAN, but it does not have enough IP addresses to assign to wireless clients.
• There are multiple DHCP servers in the network assigning IP addresses from different subnets. This is common when there are heterogeneous backhaul connections (e.g., some APs in the network obtain Internet connectivity from a T1, while other APs in the same network obtain Internet connectivity from a business-class DSL).

The implications of enabling NAT mode are as follows:

• Devices outside of the wireless network cannot initiate a connection to a wireless client.
• Wireless clients cannot use Layer 2 discovery protocols to find other devices on either the wired or wireless network.
• Legacy VPN clients (i.e., those that do not support NAT Traversal) may not be able to establish IPSec tunnels over the wireless network. (One workaround is to upgrade the VPN client or configure the VPN client to establish an IPSec tunnel over TCP, e.g. SSL.)
• VLAN tagging wireless traffic is not supported in NAT mode.
5.2 Bridge Mode (Enterprise Only)

In bridge mode, the Meraki APs act as bridges, allowing wireless clients to obtain their IP addresses from an upstream DHCP server.

Bridge mode should be enabled when any of the following is true:

• Wired and wireless clients in the network need to reach each other (e.g., a wireless laptop needs to discover the IP address of a network printer, or a wired desktop needs to connect to a wireless surveillance camera).
• Layer 2 multicast and broadcast packets (e.g., ARP, Bonjour) need to propagate in a limited manner to both wired and wireless clients for device discovery, networking, etc.
• The wireless network needs to support legacy VPN clients (i.e., those that do not support NAT Traversal).
• Wired and wireless clients need to have IP addresses in the same subnet for monitoring and/or access control reasons (e.g., a web gateway in the network allows/denies Internet access based on the client’s IP address).
• Wireless traffic needs to be VLAN-tagged between the Meraki AP and the upstream wired infrastructure.

The implications of enabling bridge mode are as follows:

• An administrator cannot enable adult content filtering on the SSID. Because the adult content filtering feature is DNS-based, bridge mode disables adult content filtering by using the DNS server(s) advertised by the network’s DHCP server.
• Multiple DHCP servers are allowed, but they must assign IP addresses to wireless clients from the same subnet. This enables these IP addresses to be routed by the LAN to which the Meraki APs are connected.

5.3 VPNs

Meraki supports most VPN solutions by default. Any IPSec implementation that has support for NAT Traversal (NAT-T) will work on a Meraki network. Certain IPSec-based VPN solutions do not work well behind a NAT.
If difficulties occur when using VPNs, an administrator should consider switching VPN clients to use SSL instead of IPSec, or enabling bridge mode as the wireless client IP addressing mode. Note that most wireless networking solutions that use NAT share the same problems with IPSec VPNs.

6 Configuring the LAN

The following section describes how to configure your LAN to support a Meraki system. While a Meraki wireless network imposes minimal requirements on the wired LAN infrastructure, some small changes may be required.

6.1 Firewall Settings

If a firewall is in place, it must allow outgoing connections on particular ports to particular IP addresses. The most current list of outbound ports and IP addresses can be found here: http://tinyurl.com/y79une3

6.2 Assigning IP Addresses to Meraki APs

All Meraki gateway APs (APs with Ethernet connections to the LAN) must be assigned routable IP addresses. These IP addresses can be configured directly on each AP (see instructions below), or assigned to the APs via an upstream DHCP server.

In general, static IP address assignment is recommended for Meraki APs, even when the APs obtain their IP addresses via DHCP. (The DHCP server should be configured to assign a static IP address for each MAC address belonging to a Meraki AP.) Other features of the wireless network, such as 802.1x authentication, may rely on the property that the APs have static IP addresses.

6.2.1 Configuring a Static IP Address Directly on a Meraki AP

A static IP address can be configured directly on a given AP through the following steps:

1. Using a client machine (e.g., a laptop), connect to the AP either wirelessly (by associating to any SSID broadcast by the AP) or over a wired connection (by plugging one end of an Ethernet cable into the client machine, and the other end of the Ethernet cable into the AP’s Ethernet jack; it may be necessary to unplug the AP from its existing Ethernet connection in order to connect the client machine).
2. Using a web browser on the client machine, access the AP’s built-in web server by browsing to http://my.meraki.com.
3. Click on the “Static IP Configuration” tab. You will be prompted to log in. The default username is “admin” and the default password is the AP’s serial number, with hyphens included.
4. Configure the static IP address, net mask, gateway IP address, and DNS servers that this AP will use on its wired connection to the Internet.
5. If necessary, reconnect the AP to its Ethernet connection to the LAN.

6.2.2 Configuring a Static IP Address for a Meraki AP via DHCP Reservations

Instead of associating to each Meraki AP and configuring a static IP address on each AP, an administrator can configure static IP addresses to assign to Meraki APs on the upstream DHCP server. Through “DHCP reservations”, IP addresses are “reserved” for the MAC addresses of the Meraki APs. Please consult the documentation for the DHCP server to configure DHCP reservations.

7 Wireless Encryption and Authentication

The MCC supports a wide variety of encryption and authentication methods—from simple, open access to WPA2-Enterprise with 802.1x authentication. This chapter explains the different encryption and authentication modes available in the MCC.

Encryption and authentication are configured in the MCC under the Configure tab on the Access Control page.
Generally speaking, the encryption method is configured under “Association requirements”, while the authentication method is configured under “Network sign-on method”. To associate to a wireless network, a client must have the correct encryption keys (association requirements). Once associated, the wireless client may need to enter information (network sign-on method) before accessing resources on the wireless network.

The combinations of encryption and authentication methods that are supported are as follows (✓ = supported):

Association requirements                   | Network sign-on method
                                           | Direct access | Click-through splash page | Sign-on splash page | Billing (paid access)
Open (no encryption)                       |       ✓       |             ✓             |          ✓          |          ✓
MAC-based access control (no encryption)   |       ✓       |             ✓             |                     |
WEP (shared network key)                   |       ✓       |             ✓             |          ✓          |
WPA2-PSK (shared network key)              |       ✓       |             ✓             |          ✓          |
WPA2-Enterprise with 802.1x authentication |       ✓       |             ✓             |                     |

7.1 Association Requirements

In the “Association requirements” of the Access Control page, an administrator configures the parameters that need to be satisfied at wireless association time in order for a device to connect successfully to a wireless network.

7.1.1 Open

Open mode allows any device to connect to the wireless network. The major advantage of open mode is its simplicity: Any client can connect easily and without complex configuration. Open mode is recommended when there are guests who need to get onto the network, or more generally, when ease of connectivity is paramount and access control is not required.

In most environments, the administrator should ensure that wireless clients associated on an open network cannot access LAN resources, such as file shares. Administrators can control access using VLAN tagging, the LAN isolation feature, or custom firewall rules (see Section 10.6.2, “Custom Firewall Rules (Enterprise Only)”).

7.1.2 MAC-Based Access Control (Enterprise Only)

MAC-based access control admits or denies wireless association based on the connecting device’s MAC address.
When a wireless device attempts to associate, the Meraki AP queries a customer-premise RADIUS server with an Access-Request message. The RADIUS server can admit or deny the device based on the MAC address, responding to the Meraki AP with either an Access-Accept message or an Access-Reject message, respectively.

This authentication method requires no client-side configuration. However, it suffers from a poor user experience. Wireless clients that are denied wireless association simply cannot connect to the SSID, and they do not receive any explicit notification about why they cannot connect.

If this authentication method is selected, at least 1 RADIUS server must be configured on the Access Control page in the “RADIUS for MAC-based access control” section. This section includes a test tool that simulates the wireless device connecting to every Meraki AP in the network. (See Section 7.3, “Configuring an Authentication Server”, for more information.)

7.1.3 Pre-Shared Keys (WEP, WPA/WPA2-Personal)

A pre-shared key (PSK) allows anyone who has the key to use the wireless network.

Wired Equivalent Privacy (WEP) is the original 802.11 pre-shared key mechanism, utilizing RC4 encryption. WEP is easily broken: the encryption key can be derived by an eavesdropper who sees enough traffic. Only use WEP if it is not possible to utilize more advanced security—for instance, when there are legacy client devices in the network that do not support WPA/WPA2.

WPA- and WPA2-Personal (Wi-Fi Protected Access) use stronger encryption than WEP. (WPA-Personal uses TKIP with RC4 encryption, while WPA2-Personal uses AES encryption.) WPA2-Personal is preferred.

Though it requires some client-side configuration, a PSK is relatively easy to configure. It can be a good choice when there is a small number of users or when clients do not support more sophisticated authentication mechanisms, such as WPA2-Enterprise. A deployment based on a PSK does not scale well, however. With a large number of users, it becomes more difficult to change the PSK, an operation that should be performed periodically to ensure that the PSK has not been shared with unwanted users.

7.1.4 WPA2-Enterprise with 802.1x Authentication (Enterprise Only)

802.1x is an IEEE standard framework for encrypting and authenticating a user who is trying to associate to a wired or wireless network. WPA-Enterprise uses TKIP with RC4 encryption, while WPA2-Enterprise adds AES encryption.

802.1x can be transparent to wireless users. For example, Windows machines can be configured for single sign-on, such that the same credentials that a user enters to log into his machine are passed automatically to the authentication server for wireless authentication. The user is never prompted to re-enter his credentials.

802.1x utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between participants involved in an authentication exchange. The MCC supports multiple EAP types, depending on whether the network is using a Meraki-hosted authentication server or a customer-hosted authentication server. (See Section 7.3, “Configuring an Authentication Server”, for more information.) The following table shows the EAP types supported by the MCC (✓ = supported):

EAP Mode             | Customer RADIUS | Meraki RADIUS
PEAPv0/EAP-MSCHAPv2  |        ✓        |       ✓
EAP-TTLS/MSCHAPv2    |        ✓        |       ✓
EAP-TLS              |        ✓        |
PEAPv1/EAP-GTC       |        ✓        |

WPA2-Enterprise with 802.1x authentication is typically used with a customer-premise RADIUS server. The RADIUS server must be configured to allow authentication requests from the IP addresses of the Meraki APs. This configuration is necessary to successfully complete the EAP exchange and is one more reason to configure static IP addresses on the Meraki APs.

Note: 802.1x is typically only performed once a user’s credentials have been entered into the machine.
If you would like to be able to authenticate a machine before the user signs in (also known as “machine authentication”), please see the Meraki Knowledge Base online.

7.2 Network Sign-On Methods

The network sign-on method is the mechanism by which a wireless client gains access to network resources. It occurs after a wireless client has associated to an SSID.

7.2.1 Direct Access

With direct access, a wireless client is granted network access as soon as it associates to the SSID. No splash page is presented to the wireless client.

7.2.2 Click-Through Splash Page

When configured, a click-through splash page displays a fully customizable HTML page to the wireless client the first time the client makes an HTTP request. An administrator may use this splash page to display an acceptable use policy or network announcements. The client is only granted network access after clicking the “Continue” button on the splash page.

The click-through splash page is hosted by the MCC. As such, the network must have connectivity to the MCC in order to display the splash page. If the MCC is unreachable for some reason, the administrator can configure whether new wireless users should be admitted to the wireless network without seeing the splash page. This setting is under the Configure tab on the Access Control page in the “Disconnection behavior” section.

While the click-through splash page requires no client-side configuration, it should only be enabled on an SSID whose clients are all capable of displaying the splash page. When there are clients that are not browser-capable (e.g., wireless barcode scanners), the splash page should be disabled on the SSID.

An administrator can configure whether new wireless clients are able to obtain network access when the click-through splash page cannot be displayed (i.e., when the MCC becomes temporarily unavailable).
See Chapter 17, “Branding”, for additional information on customizing the click-through splash page, including the ability to configure the splash page interval.

7.2.3 Sign-On Splash Page

A sign-on splash page provides the functionality of the click-through splash page, but adds the ability to prompt the wireless client for a username and password. The client is only granted network access after he enters a username and password that are validated against a backend authentication server (either a Meraki-hosted authentication server or a customer-hosted RADIUS, Active Directory or LDAP server). (See Section 7.3, “Configuring an Authentication Server”, for more information.) The sign-on splash page may be hosted by the MCC or on an external web server (see Section 17.1, “Splash Page”).

An administrator can configure whether new wireless clients are able to obtain network access when the sign-on splash page cannot be displayed or when the username/password credentials cannot be validated (i.e., the authentication server is unreachable). This setting is under the Configure tab on the Access Control page in the “Disconnection behavior” section.

The sign-on splash page is an authentication option that requires no client-side configuration. In addition, it is secured by SSL (HTTPS), so that usernames and passwords are sent to the MCC confidentially. However, when enabled, it requires clients to remember usernames and passwords, which they will need to enter periodically. As with the click-through splash page, clients that are incapable of displaying the splash page need to be considered.

See Section 17.1, “Branding”, for additional information on customizing the splash pages or using an externally.

7.2.4 Billing

When configuring an SSID as a wireless hotspot, an administrator can utilize Meraki’s integrated billing features to grant network access only to paying users.
For additional information on integrated billing, see Chapter 18, “Billing”.

7.2.5 Hosting Your Own Splash Page

Meraki also supports the ability for you to host splash pages on your own web server. This capability is referred to as “EXCAP” for externally hosted captive portals. For additional information, please search for EXCAP in the Meraki Knowledge Base.

7.3 Configuring an Authentication Server

There are 5 different applications of authentication servers that are supported by the MCC:

1. Meraki-hosted authentication server
2. Externally hosted RADIUS server for MAC-based access control and/or WPA2-Enterprise with 802.1x authentication
3. Externally hosted RADIUS server for sign-on splash page authentication
4. Externally hosted Active Directory server for sign-on splash page authentication
5. Externally hosted LDAP server for sign-on splash page authentication

The authentication server type is configured on a per-SSID basis under the Configure tab on the Access Control page. For instance, an administrator could use the Meraki-hosted authentication server to manage guest user accounts for the guest SSID, while using a customer-hosted RADIUS or Active Directory server to authenticate employees for the employee SSID.

7.3.1 Meraki-Hosted Authentication Server

The Meraki-hosted authentication server is configured through the MCC. For each user account, an administrator can configure the user’s name, the e-mail address and password that the user will use to log in, and optionally, an expiration time (to create a user account that self-expires after some period of time). The option to select a Meraki-hosted authentication server appears when any of the following is configured:

• Sign-on splash page
• WPA2-Enterprise with 802.1x authentication

On the Access Control page, an administrator can create, edit, and remove user accounts.
An expiration time can also be configured on a user account, so that the account becomes invalid after a certain amount of time elapses. (This feature is useful for guest accounts.) Finally, the Access Control page provides an option for “self-registration”, which allows users to create their own accounts. However, administrators still need to manually add those accounts to the list of users allowed on the network before the account has access.

User accounts configured in the Meraki-hosted authentication server are global to the networks in the organization. So, a password change to a user account in one network applies to other networks in which the user account may be used. (For more information, see Section 19.1, “Organizations”.)

Meraki APs must be able to reach the MCC in order to use the Meraki-hosted authentication server. If the MCC becomes temporarily unavailable, existing wireless clients (already authenticated) remain connected, but new wireless clients are unable to authenticate to access the wireless network. An administrator can configure whether new wireless clients are able to obtain network access when the MCC is unavailable under the Configure tab on the Access Control page in the “Disconnection behavior” section.

7.3.2 Externally Hosted RADIUS Server

Many organizations have an existing user authentication or directory server that they would like to use to control access to the wireless LAN. Common server types include LDAP and Active Directory. Any type of authentication server with a RADIUS interface can be integrated with a Meraki wireless network. The MCC allows an administrator to configure multiple RADIUS servers for failover.

When an externally hosted RADIUS server is used with either MAC-based access control or WPA2-Enterprise with 802.1x authentication, the Meraki APs must be able to reach the RADIUS server.
The MCC offers a test tool that enables an administrator to verify connectivity of all of the Meraki APs to the RADIUS server, and to check a particular set of user credentials against the RADIUS server. The test tool appears under the Configure tab on the Access Control page.

When an externally hosted RADIUS server is used with sign-on splash page, an administrator can configure the Meraki wireless network to use an externally hosted RADIUS server for user authentication. The MCC acts as an intermediary in this configuration to provide (1) a consistent end user experience (e.g., the wireless user is not presented with the splash page again if he reassociates to another AP) and (2) RADIUS accounting features (see “Appendix C: RADIUS”).

If the sign-on splash page is hosted by the MCC, the conversation is a straightforward RADIUS exchange between the MCC and the external RADIUS server.

If the sign-on splash page is itself externally hosted, the conversation involves exchanges between the splash page server, the MCC, and the RADIUS server. Specifically:

1. The wireless client associates with the Meraki wireless network.

2. The user makes an initial request for a URL in his web browser.

3. The Meraki AP redirects the user to a URL on the splash page server. (The administrator configures this URL in the MCC, under the Configure tab on the Splash Page page.) When the Meraki AP redirects the user to the splash page server, it includes the following HTTP parameters in the HTTP redirect:

• continue_url: The URL that the user originally requested. This parameter may be interpreted by the splash page server to decide where the user should be redirected if he authenticates successfully.

• login_url: The URL at the MCC to which the splash page server should send an HTTP POST with collected user credentials (see Step 4).
This parameter is escaped to include the continue_url embedded within it, and should not be interpreted by the splash page server.

• ap_mac: MAC address of the Meraki AP to which the user is associated.

• ap_name: Name (if configured) of the Meraki AP to which the user is associated.

• ap_tags: Tags (if configured) applied to the Meraki AP to which the user is associated.

• mauth: An opaque string used by the MCC for authentication and security.

4. The external splash page server presents the user with a web form that captures the user’s credentials and causes the user to send an HTTP POST to the MCC, using the URL specified in login_url (see Step 3). In this HTTP POST, the server includes the following parameters:

• username: The username that the wireless user provided to the splash page server.

• password: The password that the wireless user provided to the splash page server.

• success_url (optional): The URL to which the wireless user is redirected if he passes authentication. The splash page server can use this parameter to override the continue_url that the user originally requested.

5. The MCC receives the HTTP POST from the splash page server, and in turn, sends a RADIUS Access-Request to the external RADIUS server with the username and password.

6. The RADIUS server processes the RADIUS Access-Request from the MCC, and responds to the MCC with a RADIUS Access-Accept or Access-Reject. The RADIUS server may optionally send RADIUS attributes to the MCC to enforce over the wireless user. (For a list of supported RADIUS attributes, see Section 27.1, “Authentication Attributes”.)

7. The MCC processes the response from the RADIUS server and redirects the wireless user accordingly.

a. If the MCC receives an Access-Accept message from the RADIUS server, the user has successfully authenticated.
The MCC redirects the user to the original URL he requested (continue_url), or the URL specified by the splash page server in the (optional) success_url (see Step 4).

b. If the MCC receives an Access-Reject message from the RADIUS server, the user has failed authentication and is redirected back to the splash page server’s URL (in Step 3).

Because the MCC needs to contact an external RADIUS server, the MCC must be able to reach the RADIUS server. This requirement may necessitate firewall changes that allow inbound connections to the RADIUS server. If the RADIUS server becomes temporarily unavailable, existing wireless clients (already authenticated) remain connected, but new wireless clients are unable to authenticate to access the network.

7.3.3 Externally Hosted Active Directory Server

Meraki wireless networks can also integrate natively with Active Directory without requiring RADIUS when sign-on splash page is used. If your network does not require the additional configuration options provided by RADIUS integration, there are certain advantages if the APs can communicate directly with Active Directory without a RADIUS server acting as an intermediary. Native AD integration eliminates the need to configure Microsoft NPS (or any other RADIUS server). Also, when using RADIUS integration with multi-domain forests (for example, a school that has one domain for faculty and another for students and is using sign-on splash authentication), users must remember to include their domain with their username, which can easily be forgotten. Alternatively, a complex hierarchy of RADIUS proxy servers or custom scripts might be required to make the login process easier for the user.

In order to configure native Active Directory integration, sign-on splash must be configured and Use My Active Directory Server selected from the Authentication Server drop-down menu under Configure->Access control.
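Steps 3 and 4 of the externally hosted splash page exchange in Section 7.3.2 above, written out as an added example for the splash page server side (this is not Meraki's code). It parses the parameters the AP appends to its redirect, renders the login form whose action is login_url, and builds the credential POST; the MCC hostname allowed in login_url and all sample values are assumed placeholders.

```python
"""Splash page server side of the EXCAP exchange (Section 7.3.2, Steps 3 and 4).

Added example, not Meraki's code. The AP redirects the client here with
continue_url, login_url, ap_mac, ap_name, ap_tags and mauth in the query
string; this server shows a form whose POST goes to login_url at the MCC
with username, password and (optionally) success_url.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder: the hostname(s) at which the MCC receives the credential
# POST. Credentials must only ever be posted to the MCC, so a login_url that
# points anywhere else is refused. Beyond this host check, login_url is passed
# through unchanged, as the manual says it must not be interpreted.
ALLOWED_LOGIN_HOSTS = {"mcc.example.invalid"}

# Parameters the AP includes in its redirect (Step 3).
REDIRECT_PARAMS = ("continue_url", "login_url", "ap_mac", "ap_name", "ap_tags", "mauth")


def parse_ap_redirect(request_url):
    """Return the Step 3 parameters from the URL the AP redirected the client to.

    Raises ValueError when login_url is missing or does not point at the MCC.
    """
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    params = {name: query[name][0] for name in REDIRECT_PARAMS if name in query}
    login_url = params.get("login_url")
    if not login_url:
        raise ValueError("redirect is missing login_url")
    target = urlsplit(login_url)
    if target.scheme != "https" or target.hostname not in ALLOWED_LOGIN_HOSTS:
        raise ValueError("login_url does not point at the MCC: %r" % login_url)
    return params


def render_login_form(params, success_url=None):
    """Return the HTML form the splash server presents to the user (Step 4).

    The form action is login_url unchanged. Every value is HTML-escaped so that
    AP-supplied strings such as ap_name cannot inject markup into the page.
    """
    hidden = ""
    if success_url:
        hidden = '<input type="hidden" name="success_url" value="%s">\n' % escape(success_url, quote=True)
    return (
        '<form method="POST" action="%s">\n' % escape(params["login_url"], quote=True)
        + "<p>Access point: %s (%s)</p>\n" % (escape(params.get("ap_name", "")), escape(params.get("ap_mac", "")))
        + '<input type="text" name="username">\n'
        + '<input type="password" name="password">\n'
        + hidden
        + '<input type="submit" value="Log in">\n</form>'
    )


def build_credential_post(params, username, password, success_url=None):
    """Return (url, urlencoded body) of the POST the browser sends to the MCC (Step 4)."""
    body = {"username": username, "password": password}
    if success_url:
        # Overrides continue_url when the MCC receives Access-Accept (Step 7a).
        body["success_url"] = success_url
    return params["login_url"], urlencode(body)


if __name__ == "__main__":
    # Constructed sample redirect, in the shape the AP issues in Step 3.
    sample = (
        "https://splash.example.invalid/login?continue_url=http%3A%2F%2Fexample.com%2F"
        "&login_url=https%3A%2F%2Fmcc.example.invalid%2Fsplash%2Flogin%3Fcontinue_url%3Dhttp%253A%252F%252Fexample.com%252F"
        "&ap_mac=00%3A18%3A0a%3A00%3A00%3A01&ap_name=Lobby%20AP&ap_tags=Lobby&mauth=OPAQUE"
    )
    p = parse_ap_redirect(sample)
    print(render_login_form(p, success_url="https://intranet.example.invalid/"))
    print(build_credential_post(p, "alice", "s3cret"))
```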
(See Figure 4.)

Figure 4 - Configuring Sign-on Splash with Native Active Directory

Once the Active Directory server option has been selected, the internal IP addresses of any domain controllers that will be used for authentication should be entered, along with the credentials of an Active Directory administrator that has read rights to all domain controllers that will be used. (See Figure 5.)

It is highly recommended that a separate account is created for the purpose of providing Active Directory authentication. Users should take the following steps to secure the account:

1. Create a Global Security Group in your domain (or forest).
2. Create a user account and add it to the new group.
3. Update the user account so that the new Security group is the user’s primary group.
4. Remove the Domain Users group from the account. This will isolate the account from acting like a normal domain user.

Figure 5 - Dashboard Active Directory Server Configuration

In addition, the Global Catalog (port 3269) must be enabled for each domain controller.

7.3.4 Externally Hosted LDAP Server

Similarly to Active Directory, Meraki wireless networks can natively integrate with LDAP authentication servers when using sign-on splash page. The manner in which this authentication is configured is very similar to that described for Active Directory in Section 7.3.3.

In order to configure native LDAP integration, sign-on splash must be configured and Use My LDAP Server selected from the Authentication Server drop-down menu under Configure->Access control.
(See Figure 6.)

Figure 6 - Configuring Sign-on Splash with Native LDAP Authentication

Once the LDAP server option has been selected, the internal IP addresses of any LDAP servers that will be used for authentication should be entered, along with the appropriate port number and the credentials of an LDAP administrator with administrative rights to all domains that will be used. The common name (cn) and domain components (dn) should be entered in the format shown in Figure 7.

Figure 7 - Dashboard Native LDAP Authentication Server Configuration

8 Monitoring

This chapter describes the extensive monitoring features under the Monitor tab in the MCC.

8.1 Overview Page

The Overview page shows a summary of network usage and network status. An administrator can see how many users have associated to the network in the last day/week, how much data those users transferred in that timeframe, and how bandwidth usage has fluctuated over the last week (a network usage graph).

The aerial map shows the latest information about the APs in the network. The options in the upper-right corner enable an administrator to view the APs on top of a graphical map, a satellite image, or a hybrid view. In the upper-left corner, the arrow controls enable the administrator to pan. Panning can also be achieved by clicking-and-dragging the map. Below the arrow controls, a scale control enables the administrator to adjust the zoom level. The zoom level can also be controlled with the magnifying glass next to the arrow controls, or by double-clicking on a particular region to zoom into.

On the map, the colored dots represent APs. The status of the AP is indicated by its color:

• Green: The AP is not reporting any problems.
• Yellow: The AP is up, but experienced a problem recently. In some cases, the administrator may be able to clear this alert on the Access Points page.
• Red: The AP is currently down.
• Gray: The AP has been down for more than 7 days.

An administrator can click on an AP to get its name, its mesh mode (mesh gateway or mesh repeater), the number of users that have associated to it in the last 24 hours (also indicated by the number inside the AP), and the amount of data that it has transferred in the last 24 hours.

Gray lines between APs represent mesh links. Mousing over a mesh repeater highlights a line that shows the path that the AP is taking through the mesh network to reach a mesh gateway (and the LAN). The “Options” box in the upper right part of the map lets users select what the numbers in the APs represent (e.g., number of clients connected or mesh hops to gateway), as well as preferences about how to display mesh links.

The “Current clients” link under the network name in the upper left corner, when clicked, will open up a table showing a summary of the distribution of current clients at that moment across the various SSIDs and channels in the network.

Clicking on the link directly above the network name in the upper left corner or selecting the All-network Overview option under the Network drop-down selector at the top of the screen will take the administrator to the All Network Overview page.

8.2 All-Network Overview Page

The all-network overview page shows a summary of all of the networks in a particular organization. The usage graph at the top summarizes cumulative usage across all networks, and the map shows network locations with markers that are color-coded to the networks listed in the network list to the left of the usage graph. If the user mouses over a network in the list, the network marker on the map will be highlighted along with the usage for that particular network in the usage graph. Clicking on a particular network marker on the map or network name in the list will allow the user to “drill down” to the Overview page for that particular network.
Figure 8 is an example of an all-network Overview page.

Figure 8 – All-Network Overview Page

8.3 Maps Page (Enterprise Only)

The Maps page enables an administrator to upload custom maps and floorplans for better network visualization. For instance, an administrator could upload multiple images to visualize AP placement on multiple floors of an office building, or different branch offices in the organization. Figure 9 is an example of an AP placement on a floorplan.

Figure 9 – Maps Page

An administrator can add a map or floorplan image (GIF, PNG, JPG, or PDF format up to 10 MB per image) under the Configure tab on the Maps & Floorplans page. This is also where an administrator would modify or delete an existing image. After uploading the image, the administrator can return to the Maps page to place APs on the image. The “Place APs” button in the upper-right corner produces a checklist of APs that the administrator can add to the image. The administrator then places the APs by dragging-and-dropping the AP icons onto the image.

8.4 Access Points Page

The Access Points page identifies the APs on the network and shows their status, activity, and usage. The top-level page provides a list of APs in the network. The Access Points page has the following features:

• Can be sorted by clicking on a column header.
• Columns can be added, removed, or reordered in the list by clicking on “Display Options”.
• Search by AP name, serial number or MAC address.

Figure 10 is a screenshot that shows a top-level Access Points page.
Figure 10 – Access Points Page

8.5 Access Point Details Page

To get additional information about an individual AP, an administrator can click on the AP in the list to bring up a page that contains the following:

• Identifying information (e.g., MAC address, serial number, status)
• Performance data (e.g., connectivity, throughput, latency, mesh neighbors), with zoom and pan features across various time ranges
• Live tools for remote troubleshooting. There are a variety of real-time tools that can be used for troubleshooting and debugging wireless issues remotely. Administrators can see a list of current clients associated to a particular AP and ping associated clients as well as the AP itself, run a throughput test, ping a particular MAC address and run an interference scan of the local RF environment (Caution: a live interference scan will disconnect currently associated clients). Interference scan will also be discussed as part of the spectrum analysis capabilities in Section 16.5.
• Link to the event log for this specific AP (see Section 8.7, “Event Log Page (Enterprise Only)”)
• Lists of strong and weak mesh neighbors (adjacent APs in the mesh) in the Neighbors tables

Figure 11 shows a screenshot of the AP details page.

Figure 11 – AP Details Page

Throughput statistics for mesh gateways are throughput numbers to meraki.com. Gateway speeds are often limited by the Internet uplink speed. Administrators should use these statistics to troubleshoot problems either within the LAN or with the Internet service provider.

Throughput statistics for mesh repeaters are throughput numbers within the mesh network, not through the Internet uplink. As such, it is possible to see 6 Mbps throughput within the mesh network, but 1.5 Mbps throughput through the DSL uplink.
Administrators should use these statistics to troubleshoot problems within the wireless network, such as poor mesh connections or channel interference.

8.5.1 AP Tagging

A convenient way to make it easier to find, sort and filter APs in a large network with hundreds or thousands of APs is using AP tagging. Alphanumeric tags can be assigned to access points to create groups of APs by location (e.g. Building_1, Floor_4, West_Campus, etc.) or by other criteria. The Access Points page (see Section 8.4) is searchable by tag to make filtering for specific groups of APs fast and easy. Figure 12 shows a screenshot of an AP with the tag “Lobby” applied.

Figure 12 - Access Point with Tag Applied

Tags can be added to APs either individually or in groups. Figure 13 and Figure 14 show how to add a tag to an individual AP by editing its configuration.

Figure 13 - Editing AP Configuration to Add Tag

Figure 14 - Adding a Tag to an Individual AP

Figure 15 illustrates how to add a tag to a group of APs from the Access Points page.

Figure 15 - Adding Tags to Many APs

8.6 Clients Page

The Clients page shows how the network is being used and by which client devices. Figure 16 is a screenshot of the Clients page:

Figure 16 – Clients Page

8.6.1 Clients Overview Page Features

The Clients page has the following features:

• Displays clients that have associated on any SSID advertised by the wireless network, or only those clients that have associated on a given SSID. This can be selected using the SSID drop down menu at the top of the screen.
• Search for clients by MAC, OS, device type or NetBIOS/Bonjour name.
• Zoom control, which enables the administrator to see only those clients that have associated within the specified time span.
• The administrator can also click on the “blocked list” to view only those clients on the MAC blacklist (see Section 10.3, “MAC Blacklist”).
• Like the Access Points page, the Clients page has a list that can be customized (adding, removing, and reordering columns) and resorted (by clicking on a column header).
• The “Description” column shows the device name, if it can be determined (i.e., through NetBIOS); otherwise, it simply displays the device’s MAC address.
• The “Operating system” column shows the operating system of the device, which is determined through OS fingerprinting (the unique pattern by which a particular operating system requests an IP address via DHCP).
• An administrator can mouse over a row in the device list to see a new line appear in the usage graph, which depicts the fraction of total bandwidth that the highlighted device used.

8.6.2 Traffic Analysis (Enterprise Only)

Meraki Enterprise networks offer powerful application visibility and control tools. Packet inspection engines running custom parsers in each AP provide this information by fingerprinting and identifying applications and application groups. Traffic Shaper (to be discussed in Section 12) then provides the ability to create custom per-user shaping policies based on this application-level visibility. Since Meraki’s parsers are designed to run at line rate, there is no performance decrease when enabling Traffic Analysis or Traffic Shaping.

Next to the usage graph at the top of the screen is a pie chart that can display a breakdown of the traffic currently displayed on the page by application, HTTP content type, port number or custom criteria. The gray arrows flip from one chart to the next. Custom pie charts can be configured on the Network-wide Settings page under the Configure tab.
Clicking on either the pie chart itself or the “More” link underneath the pie chart will open up the Traffic Analysis Details page, showing a detailed list of the specific applications and content types that make up the data shown in the pie chart. The applications have been assigned to groups to make classifying applications and creating shaping policies simpler. An up-to-date list of which applications are included in each group can be found here: http://bit.ly/cUFXnv

The percent of total usage is shown by application as well as by application group. Figure 17 shows a screenshot of the Clients page with the Traffic Analysis details page expanded.

Figure 17 - Traffic Analysis Details Page

Clicking on a particular application or content type within the Traffic Analysis Details page will take you to the Rule Details page, where you will find detailed information about that particular application or content type rule, including which users are contributing to usage of this type and details such as which application group that item belongs to, port number, description of the application or rule and links to additional information. Figure 18 shows the Rule Details page for Netflix, a video streaming site.

Figure 18 - Rule Details Page

8.6.3 Client Details Page

An administrator can click on a particular device in the device list to obtain additional information about the wireless client. Figure 19 is a screenshot of the Client details page for a specific device.

Figure 19 – Information about a Specific Client

This page provides detailed information about the client device and user as well as their network usage.
Features include:

• Client configuration details. At the top of the page administrators can see detailed information about this particular client, including MAC address and IP address, device type and manufacturer, operating system, Bonjour/DHCP/NetBIOS hostname, wireless card capabilities, most recent SSID, AP and time on the network, as well as the Active Directory username for the most recent user.
• Client location. The approximate location of the wireless client is indicated on a Google map or a custom floor plan. More details about Client Location Services can be found in section 8.5.4.
• Traffic analysis. Pie charts similar to those on the Client Overview page show details about this particular client’s usage of the network.
• Dynamic access control. On this page, an administrator can create a dynamic access control policy to either block a wireless device or bypass the wireless device from seeing a splash page. (To configure these settings, an administrator clicks the “Edit” button to change the “Network access” field to either “normal”, “blocked”, or “whitelisted”.) Optionally, the administrator can configure a message that appears on the block page for a blacklisted user. The user can also be manually assigned a group policy, which can be configured per SSID.
• Event log. This page also provides a link to the event log for this specific client (see Section 8.7, “Event Log Page (Enterprise Only)”).
• Live tools. Similar to the live tools on the AP details page, an administrator can locate a client, ping a client or even see a real-time packet counter showing the user’s activity from this page.

8.6.4 Client Location Services

In the upper-right corner of the Client details page is a map where the approximate location of the client is indicated with a blue dot. Figure 20 below is a screenshot of the client location map.
Figure 20 - Client Location Map on Client Details Page

Client location is determined using advanced triangulation techniques that employ calibrated weighted averages and AP selection algorithms to ensure accuracy. Data from up to the last 24 hours will be used to calculate client location. In order to view a client’s location on a custom floor plan, all of the APs that “see” the client and were used to calculate its location must be located on the same floor plan. Otherwise, the client’s location can still be viewed on a Google map. To update the client location data from the access point the client is currently associated to, click the “Locate Client” button under the Live Tools section of this page.

To ensure location accuracy, at least three access points are required. In addition, the access points should not be deployed such that all of the access points are in a linear pattern (see Figure 21 below). In this situation, clients will always appear to be located in line with the access points.

Figure 21 - Poor AP Deployment for Accurate Location

For best accuracy, the access points should be deployed in a non-linear pattern, or scatter pattern (see Figure 22 below).

Figure 22 - Good AP Deployment for Accurate Location

8.7 Event Log Page (Enterprise Only)

The Event Log page provides detailed logging about various client activities, including the following:

• Associations/disassociations
• Authentication attempts and outcomes
• DHCP activity
• Initial traffic

An administrator can use these logs to troubleshoot a client that may be experiencing issues on the wireless network. Figure 23 is a screenshot of an Event Log page.

Figure 23 – Event Log Page

The Event Log page allows an administrator to adjust the time interval over which the event log reports. In addition, the Event Log page supports the search tool. (See Section 8.13, “Search Tool”.)
The administrator can view the event log for a given AP or a given client. Both filters can be applied through the search tool, or by accessing the event log links through the Access Points page and Clients page, respectively.

8.8 Rogue APs Page (Enterprise Only)

The Rogue APs page lists nearby APs that are detected by the Meraki APs during periodic scans. (See Chapter 14, “Rogue AP Detection (Enterprise Only)”.)

8.9 WIPS Page (Enterprise Only)

The Wireless Intrusion Prevention System (WIPS) page classifies and maps intrusions including AP Spoofs, Rogue SSIDs, Interfering SSIDs, Malicious Broadcasts, and Packet Floods. The Rogue Containment feature can be used to contain Rogue SSIDs by sending deauthentication frames to Rogue AP clients. (See Chapter 15, “Wireless Intrusion Prevention System (Enterprise Only)”.)

8.10 Summary Report Page (Enterprise Only)

An administrator can obtain network analytics from the Summary Report page under the Monitor tab. This report provides information about the usage and uptime of the Meraki wireless network, and can be e-mailed on a configurable schedule for constant visibility. Administrators can also add their organization’s logo to the report.

8.11 PCI Reports Page (Enterprise Only)

An administrator can check network settings against PCI DSS v2.0 WLAN requirements using the PCI Report page under the Monitor tab. The results will indicate a pass/fail for each WLAN PCI requirement, with details on why. In the case of a failure, guidance is provided on what network settings need to be changed to get into compliance. The report can be printed and filed away or given to a security auditor.

8.12 Live Updates (Enterprise Only)

The Maps, Access Points, and Clients pages under the Monitor tab support live updates, which provide real-time information about network status and client usage.
An administrator can click on the “Live updates” link on a page on which the feature is offered. When live updates are enabled, the MCC will fetch up-to-date information for that page from the wireless network approximately every 30 seconds, for as long as the administrator stays on the page. (The live updates are disabled as soon as the administrator browses to a different page.) Live updates are an effective way to troubleshoot and closely monitor AP status (e.g., when an AP loses network connectivity) and client usage (e.g., to see which clients are currently associated to the wireless network and how much bandwidth they are using).

8.13 Search Tool

The Maps, Access Points, Clients, Event Log, and Rogue APs pages under the Monitor tab all have search capabilities, which enable an administrator to find or filter a list of APs or wireless devices with tremendous flexibility and ease. Any string can be entered; the MCC will attempt to match on that string across all available fields. For example, an administrator can search/filter by device description, Ethernet address, or IP address. In addition, searches can be bookmarked for future use.

The search tool also supports a number of keywords, which can be used to search/filter by specific characteristics. For example, an administrator can search/filter on a combination of strings, usage data, or mesh hop count. All of the available keyword options are enumerated in the “Help” link next to the search tool.

The search tool operates instantaneously over the data in the AP or device list. It is an effective way to manage and monitor a large number of APs and/or a large number of wireless clients.

8.14 Email Alerts

Administrators can subscribe to receive email alerts from the MCC about various notable network events. Events that can trigger alerts include AP or network outages, detection of new rogue APs, or configuration changes being saved in Dashboard by administrators.
The time sensitivity of these alerts is configurable from five minutes to one hour, which can help to reduce false positives. Alerts are configured under the Configure tab on the Network-Wide Settings page.

8.15 Export XML Data

List data on the Access Points and Clients pages can be exported in XML format for further processing and analysis outside of the MCC. An administrator can click on the “Download as XML” link to retrieve the data. Most spreadsheet programs, such as Microsoft Excel, can open an XML file.

8.16 Logins Page

While the Clients page shows a list of devices, the Logins page shows a list of users. A user can log in with multiple devices. The Logins page shows users who have logged in with one of the following authentication methods:
• Sign-on splash pages with a Meraki-hosted authentication server
• Billing logins

Like the Clients page, the Logins page allows an administrator to filter users by the SSID on which they associated, display different columns of information, sort by different columns, and adjust the zoom level by timeframe.

8.17 Account Activity Page

The Account Activity page provides transaction information for networks that use Meraki’s integrated billing. Payments received from an end user appear as a credit, while payments made from Meraki to the network administrator appear as a debit. Transactions also show the timestamp, the user’s login name, the MAC address of the device from which the user made a payment, and the price plan the user purchased. Administrators may view the transaction history for any given month. (For more information, see Chapter 18, “Billing”.)

9 VLAN Tagging (Enterprise Only)

Virtual Local Area Networks (VLANs) allow a single physical Ethernet network to appear to be multiple logical networks.
There are a couple of reasons to use VLANs, including:
• Enhance network security by preventing wireless devices from accessing LAN resources.
• Increase performance by limiting broadcast domains.

Note that VLAN tagging typically requires a non-trivial amount of LAN configuration on the upstream switches, routers, and firewalls. If the primary motivation for VLAN tagging is the first use case, an administrator should consider using Meraki’s LAN isolation or Custom Firewall Rules features (see Section 10.6, “Firewall Rules for Wireless Users”).

A typical VLAN configuration might break up a physical LAN by department (e.g., Engineering, HR, Marketing) or by user class (Employee, Guest). Figure 24 shows an example configuration.

Figure 24 – Example Network with VLANs

VLANs can be port-based (assigning a physical port on a device to a VLAN) or tag-based (tagging particular kinds of traffic with a VLAN tag, as defined by 802.1q). Meraki APs use tag-based VLANs (i.e., VLAN tagging) to identify wireless traffic to an upstream switch/router. When the switch/router sees VLAN-tagged traffic from a Meraki AP, it can apply different policies to that traffic, including access control (e.g., send traffic straight to the firewall for Internet-only access) or QoS (e.g., prioritize traffic on the VOIP SSID). Conversely, when the AP receives VLAN-tagged traffic from the upstream switch/router, it forwards that traffic to the correct client and/or SSID. The AP drops all packets with VLAN IDs that are not associated to any of its wireless users or SSIDs.

VLAN tagging can be configured per SSID, per user, or per device type. In each case, the SSID must be configured in bridge mode (see Section 5.2, “Bridge Mode (Enterprise Only)”).

9.1 Per-SSID VLAN Tagging

When VLAN tagging is configured per SSID, all data traffic from wireless users associated to that SSID is tagged with the configured VLAN ID.
Multiple SSIDs can also be configured to use the same VLAN tag. For instance, a single VLAN ID could be used to identify all wireless traffic traversing the network, regardless of the SSID. VLAN tagging is configured for an SSID under the Configure tab on the Access Control page.

9.2 Per-User VLAN Tagging

When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic. In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
• MAC-based access control (no encryption)
• WPA2-Enterprise with 802.1x authentication

A per-user VLAN tag can be applied in 3 different ways:
1. The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
2. The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. (See Chapter 11, “Identity Policy Manager (Enterprise Only)”.)
3. On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.

9.3 Per-Device Type VLAN Tagging

Group policies can automatically be assigned to different device types such as Android, iPad, iPhone, iPod, Mac OS X, Windows, etc. If the group policy includes a VLAN ID, then the group policy’s VLAN ID will be applied to the user and override other VLAN settings for that SSID or user.

9.4 Management Traffic

Management traffic is always untagged between the Meraki AP and the upstream switch/router. (VLAN tagging applies only to data traffic to/from wireless clients.) The wired network must be configured to allow untagged traffic from the APs to the Internet (so that the APs can communicate with the MCC) and to other network appliances that the APs would contact for user or network management (e.g., Active Directory or RADIUS servers for user authentication).

9.5 Configuring the LAN to Support VLAN Tagging

Because a Meraki AP can be sending/receiving tagged data traffic as well as untagged management traffic, all Meraki APs must be connected to a trunk port on the upstream switch/router that is configured to handle any of the VLANs used by the wireless network. See Section 26.2, “Switch Configuration for VLAN Tagging”.

9.6 Other Considerations
• For greater security, no SSID should be untagged (i.e., on the “native VLAN”).
• The amount of broadcast traffic on the trunk port to which the Meraki AP is attached should be limited. Limiting broadcast traffic improves wireless performance.
• Currently, VLAN tagging is not supported in a deployment in which Meraki APs are used to form a wireless bridge between two wired LANs.

10 User Access Control Features

This chapter describes the access control options available in the MCC. Most of these options appear under the Configure tab on the Access Control page.
Meraki’s Identity Policy Manager (IPM) is covered separately in Chapter 11, “Identity Policy Manager (Enterprise Only)”.

10.1 Network Access Control

Network access control (NAC) scans clients connecting to an SSID to check whether they are running anti-virus software, to ensure that the network is protected from infected machines. To enable this feature, either the click-through splash page or the sign-on splash page must be enabled on the SSID (see Chapter 7, “Network Sign-On Methods”). Meraki NAC is enabled on a per-SSID basis.

The scan is done by a Java applet in the browser. If supported anti-virus software is detected as running on the client machine, the client is allowed onto the network. If not, the client is quarantined behind a walled garden, where it can be remediated by downloading anti-virus software. Clients running Windows XP, 7, or Vista are scanned for supported anti-virus software. Non-Windows clients are not scanned. An updated list of detected anti-virus software can be found here: http://bit.ly/eXCWuQ

If a device fails the scan, it is quarantined by the AP’s policy firewall and sent either to a standard splash page that allows it to download Microsoft Security Essentials, or to a remediation page. The remediation page is a custom URL that the administrator can set to allow non-compliant clients to download other anti-virus software. This could be an internal website or a public website from an anti-virus software vendor. If selecting a custom URL, the IP of the host must be added to the walled garden as well (see Section 10.9, “Walled Garden (Enterprise Only)”).

To enable NAC on an SSID, select “Check clients for antivirus software” under Access Control. Then select either “Show default NAC failure page” or “Show custom URL”. Figure 25 shows an example of an SSID that is using NAC and where non-compliant clients are sent to McAfee’s download page for remediation.
Figure 25 - Network Access Control Settings

Once NAC has been enabled on an SSID, NAC activity can be monitored from the NAC page under the Monitor tab. Figure 26 shows the NAC logs on the NAC page. From this page, both successful and unsuccessful attempts to access an SSID with NAC enabled can be viewed and searched.

Figure 26 - NAC Monitoring Page

10.2 MAC Whitelist

If a splash page is enabled on an SSID, the administrator can identify devices by MAC address that will bypass the splash page and immediately gain network access. This is useful to enable devices that cannot display a splash page to still be able to associate to an SSID that has a splash page enabled. Devices on the whitelist will:
• Never be shown a splash page.
• Be able to access the network without logging in (if sign-on splash page is configured) or paying (if billing is configured).
• Not be subject to the bandwidth limits set on the network.

Although this whitelist is configured under the Configure tab on the Access Control page for a specific SSID, it applies to all SSIDs in the network. Alternatively, an administrator can dynamically add wireless clients to the whitelist from the Monitor tab on the Clients page. An administrator can select a client device and change the Access Status from “normal” to “whitelisted.”

Using this whitelist is not recommended for access control, but rather as a temporary workaround. Managing a list of MAC addresses does not scale well from a management perspective. Moreover, MAC addresses can be spoofed, which may allow unwanted users to access the wireless network. The recommended approach is to migrate client devices that are unable to display splash pages to a separate SSID that does not have the splash page enabled.

10.3 MAC Blacklist

An administrator can block specific wireless devices from network access by MAC address.
A device is added to the blacklist from the Monitor tab on the Clients page, by changing the Access Status from “normal” to “blocked.” An administrator can optionally enter a message, which is displayed to the wireless client on the page that he receives when he tries to access the network. This message could be used to communicate remediation steps to the blocked client.

As with the splash page bypass list, the MAC blacklist is not recommended for access control. A list of MAC addresses quickly becomes unmanageable with a large number of client devices. Moreover, MAC addresses can be spoofed to circumvent this blacklist. Blocking users and devices should be done by employing a combination of wireless encryption and authentication methods. (See Chapter 7, “Wireless Encryption and Authentication”.)

10.4 Bandwidth Shaping

Bandwidth shaping ensures that users do not consume more bandwidth than they should. The MCC includes an integrated bandwidth shaping module that enforces upload and download limits. This setting could be used, for instance, to assign more bandwidth to VOIP handsets on one SSID and less bandwidth to data-only users on another SSID. The bandwidth limits are enforced by the Meraki APs so that they are applied consistently to a wireless client, even if that client roams from one AP to another.

The MCC supports separate upload and download limits. Asymmetric upload and download limits are useful, for example, when a user only needs to periodically download large images (e.g., CAD drawings) but not upload them. Specific application requirements and available bandwidth should be considered to determine the optimum bandwidth settings.

Bandwidth limits can be applied per SSID or per user. To configure per-SSID bandwidth limits, go to the Access Control page under the Configure tab.
To provide a better user experience when using bandwidth shaping, an administrator can enable SpeedBurst using the checkbox in the Bandwidth Limits section on the Access Control page. SpeedBurst allows each client to exceed their assigned limit in a “burst” for a short period of time, making their experience feel snappier while still preventing any one user from using more than their fair share of bandwidth over the longer term. A user is allowed up to four times their allotted bandwidth limit for a period of up to five seconds.

The MCC supports per-user bandwidth limits when a customer-hosted RADIUS server is used. See Section 7.3.2, “Externally Hosted RADIUS Server”, for details.

Finally, if billing is enabled, it is possible to configure bandwidth limits that apply to each billing tier. See Chapter 18, “Billing”, for details.

10.5 Adult Content Filtering

Adult content filtering prevents a wireless client from accessing sites that contain pornographic, sexual, or otherwise adult material. The filtering is performed at the DNS level via OpenDNS. Users may be redirected to a safe OpenDNS landing page.

This feature provides basic adult content filtering for applications in which advanced filtering techniques are not required (e.g., filtering for guests in the office lobby). If more advanced filtering is required, a separate content filtering solution is recommended.

This feature is configured on a per-SSID basis under the Configure tab on the Access Control page. It is only available when NAT mode is selected for client IP addressing.

10.6 Firewall Rules for Wireless Users

The administrator can define firewall rules that restrict which network resources users can access. There are 3 options:
1. Allow wireless clients to access my LAN (LAN isolation disabled)
2. Prevent wireless clients from accessing my LAN (LAN isolation enabled)
3. Custom firewall rules

10.6.1 LAN Isolation

LAN isolation is designed to allow clients to access the Internet but not LAN resources. Guest access networks are a common use case. LAN isolation is quick to enable and does not require that the network support VLANs. LAN isolation blocks access to the following IP ranges:
• 10/8
• 172.16/12
• 192.168/16

10.6.2 Custom Firewall Rules (Enterprise Only)

Custom firewall rules provide an administrator with more granular access control beyond LAN isolation. An administrator can define a set of firewall rules that is evaluated for every request sent by a wireless user associated to that SSID. Firewall rules are evaluated from top to bottom. The first rule that matches is applied, and subsequent rules are not evaluated. If no rules match, the default rule (allow all traffic) is applied. As an example, Figure 27 depicts a sample set of custom firewall rules.

Figure 27 – Example Custom Firewall Rules

Different kinds of requests will match different rules, as the table below shows. For a web request to CNN, rules 1-4 do not match, so rule #5 (the default rule) applies, and the request is allowed. In contrast, for a BitTorrent request over TCP port 6881, rule #1 does not match, but rule #2 matches. The request is denied, and no subsequent rules are evaluated.

Rule # | Example #1: Web request to www.cnn.com | Example #2: Print to 192.168.1.37 | Example #3: Send BitTorrent traffic | Example #4: Access file server on LAN
1 | (no match) | (no match) | (no match) | (no match)
2 | (no match) | (no match) | MATCH (deny) | (no match)
3 | (no match) | MATCH (allow) | (not evaluated) | (no match)
4 | (no match) | (not evaluated) | (not evaluated) | MATCH (deny)
5 | MATCH (allow) | (not evaluated) | (not evaluated) | (not evaluated)

Firewall rules can be applied for a given SSID or as part of a group policy (see Chapter 11, “Identity Policy Manager (Enterprise Only)”).
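The first-match evaluation just described, as an added example in Python that is not Meraki's own code: the rule contents standing in for Figure 27, the LAN address plan and the destination IPs are constructed assumptions, and the same evaluator is run over the three LAN isolation ranges from Section 10.6.1.

```python
"""First-match evaluation of custom firewall rules (Section 10.6).

Added example, not Meraki's code. The rule contents below are a constructed
approximation of Figure 27 (the manual does not print the rules), chosen so
that the four example requests in the table land on the same rule numbers.
Destination IPs for the examples are constructed documentation addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    dst_net: Optional[str] = None   # CIDR; None matches any destination
    dst_port: Optional[int] = None  # None matches any port
    protocol: Optional[str] = None  # None matches any protocol

    def matches(self, req: Request) -> bool:
        """Every criterion the rule specifies must hold; unspecified ones are wildcards."""
        if self.protocol is not None and self.protocol != req.protocol:
            return False
        if self.dst_port is not None and self.dst_port != req.dst_port:
            return False
        if self.dst_net is not None and ip_address(req.dst_ip) not in ip_network(self.dst_net):
            return False
        return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[int, str]:
    """Top-to-bottom, first match wins; otherwise the implicit default rule allows.

    The default rule is numbered one past the last configured rule, which is
    how the manual's table shows it (rule #5 after four configured rules).
    """
    for rule in rules:
        if rule.matches(req):
            return rule.number, rule.action
    return len(rules) + 1, "allow"


# Constructed stand-in for Figure 27 (assumption, not the manual's rule set).
CUSTOM_RULES = [
    Rule(1, "deny", dst_net="192.168.1.0/24", dst_port=23, protocol="tcp"),  # no telnet to the LAN
    Rule(2, "deny", dst_port=6881, protocol="tcp"),                           # BitTorrent
    Rule(3, "allow", dst_net="192.168.1.37/32"),                              # the office printer
    Rule(4, "deny", dst_net="192.168.0.0/16"),                                # everything else on the LAN
]

# Section 10.6.1: LAN isolation is the same mechanism with three fixed deny rules.
LAN_ISOLATION_RULES = [
    Rule(1, "deny", dst_net="10.0.0.0/8"),
    Rule(2, "deny", dst_net="172.16.0.0/12"),
    Rule(3, "deny", dst_net="192.168.0.0/16"),
]

# The four attempted actions from the manual's table (destination IPs constructed).
EXAMPLES = {
    "web request": Request("198.51.100.10", 80, "tcp"),
    "print": Request("192.168.1.37", 9100, "tcp"),
    "bittorrent": Request("203.0.113.7", 6881, "tcp"),
    "file server": Request("192.168.1.50", 445, "tcp"),
}

if __name__ == "__main__":
    for name, req in EXAMPLES.items():
        number, action = evaluate(CUSTOM_RULES, req)
        print(f"{name:12s} -> rule #{number} {action}")
```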
10.7 Captive Portal Strength

The administrator can configure this feature to block all traffic (including non-web traffic) from wireless users until they have clicked through the splash page. The administrator can configure this setting for each SSID. This feature is configured under the Configure tab on the Access Control page when either the click-through splash page or the splash page with username/password login is configured.

10.8 Enable/Disable Simultaneous Logins

This feature prevents wireless users from using the same sign-on splash page credentials on multiple computers simultaneously. This setting only applies to the sign-on splash page with either the Meraki-hosted authentication server or a customer-hosted authentication server. This setting does not have any effect on 802.1x users, who are not prevented from logging in simultaneously from multiple computers. This feature is configured under the Configure tab on the Access Control page when the splash page with username/password login is configured.

10.9 Walled Garden (Enterprise Only)

A walled garden defines a set of IP addresses that a wireless user can access before he has authenticated. For instance, the walled garden might include the “company info” pages from a company’s website. In designing these companion web pages, ensure that users can easily get back to the login page.

A walled garden is configured under the Configure tab on the Access Control page when either the click-through splash page or the splash page with username/password login is configured.

11 Identity Policy Manager (Enterprise Only)

The Meraki Identity Policy Manager (IPM) enables administrators to apply different security settings for different groups of users. IPM can be used to implement a variety of policies over a single SSID. For example, a university wants to have three tiers of access for students, staff, and guests.
All users should have access to the Internet, students should have access to network printers, and staff should have access to internal applications and servers. This university’s policy could be implemented with 3 distinct SSIDs in which each SSID is mapped to its own unique VLAN tag (see Section 9.2, “Per-User VLAN Tagging”). However, not all networks have VLAN tagging enabled, and VLAN administration can be complex. IPM enables the university to implement sophisticated policies over a single SSID.

Note that IPM is also useful for implementing Payment Card Industry (PCI) compliance. For additional information on PCI, please see the Meraki PCI white paper.

IPM is compatible with the following access control modes:
• MAC-based access control
• WPA2-Enterprise with 802.1x authentication

11.1 How IPM Works

The following outlines how the system behaves when IPM has been configured.
1. A user associates with a network.
2. The Meraki AP sends a RADIUS Access-Request message to the RADIUS server. The Access-Request message contains RADIUS attributes that help the RADIUS server to identify the wireless user.
3. The RADIUS server determines which group it should assign to the user. This determination could be based on any combination of criteria to which the RADIUS server is privy (e.g., the user’s MAC address, username, domain, AP, SSID, time of day, etc.).
4. If the RADIUS server admits the user, it returns a RADIUS Access-Accept message to the Meraki AP. The Access-Accept message contains RADIUS attributes that indicate the group policy to which the user belongs.
5. The Meraki AP receives the Access-Accept message from the RADIUS server, and applies the appropriate group policy to that user.

These policies are “identity-based” because they are based upon the user’s identity, as determined by the RADIUS server.
The mapping of a user to a group policy is performed by the RADIUS server; the configuration of a group policy, by the Meraki Cloud Controller; and the application of a group policy, by a Meraki AP.

Group policies are at the core of IPM and are discussed below. (Per-user VLAN tagging is a subset of IPM and is described in Section 9.2, “Per-User VLAN Tagging”.)

11.2 How to Configure IPM

A “group policy” is a named policy that contains a group of settings that can be applied to a particular user. When the Meraki AP receives the Access-Accept message from the RADIUS server (step #5 above), the RADIUS server may include a RADIUS attribute that identifies this group policy by name. If the group policy identified in the RADIUS attribute matches a group policy configured in the MCC, the Meraki AP will apply the settings in that group policy to the user.

There are 3 key steps to configuring a group policy:
1. Create a group policy on the RADIUS server.
2. Define a corresponding group policy on the MCC.
3. Test the group policy configuration.

The following sections describe each step in more detail. See “Appendix A: Example Office Configuration” for example configurations of group policies.

11.2.1 Define a Group Policy on the RADIUS Server

How an administrator defines a group policy on the RADIUS server depends on the RADIUS implementation. For example, in Windows Server, the administrator creates a policy in the Network Policy Server (NPS) that defines the following:
1. Conditions (i.e., what needs to match). Examples of conditions include the user’s domain, user group, SSID to which the user connected, and MAC address of the AP to which the user connected.
2. Settings (i.e., what should be applied if the conditions match). Here, the administrator specifies what RADIUS attribute (and attribute value, i.e., the group policy name) the RADIUS server returns to the Meraki AP.
When a user matches an NPS policy’s conditions, the RADIUS server sends the group policy name as a RADIUS attribute to the Meraki AP.

11.2.2 Define a Group Policy on the MCC

Group policies are configured in the MCC under the Configure tab on the Group Policies page. (Figure 28 shows a sample screenshot.) Group policies are configured on a per-SSID basis. In this way, two different SSIDs could have group policies with the same name, but different settings.

Figure 28 – Group Policies Page

For a given SSID, an administrator can configure the following:
1. RADIUS attribute identifying the group policy. (Figure 29 defines the RADIUS attributes that can be used to identify a group policy.)
2. One or more group policies that can be applied to users connecting to this SSID. For a given group policy, an administrator can configure the following:
a. Bandwidth limits
b. VLAN tagging
c. Splash page bypass
d. Firewall rules

In each case, the administrator can choose to (1) use the default setting configured on the SSID (under the Configure tab on the Access Control page for the given SSID), or (2) override the default setting configured on the SSID with a setting configured in the group policy.

Since there is no universally accepted RADIUS attribute to pass group policy information, Meraki supports a variety of different attributes, as shown in the following table.

Figure 29 – RADIUS Attributes for Group Policy

Attribute Name | Vendor ID
Filter-Id (Defined in RFC 2865, Type 11.) | n/a (standard attribute)
Reply-Message (Defined in RFC 2865, Type 18.) | n/a (standard attribute)
Airespace-ACL-Name | Vendor number=14179, Vendor-assigned attribute number=6
Aruba-User-Role | Vendor number=14823, Vendor-assigned attribute number=1

Note that group policies can only be configured on an SSID that uses a local (customer-premise) RADIUS server for authentication at association time.
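The attribute lookup of Figure 29 and the three per-user VLAN paths of Section 9.2, combined in one added example that is not Meraki's own code; the decoded-attribute dictionary, the precedence among the three paths, and the VLAN and policy values are assumptions.

```python
"""Which VLAN tag a Meraki AP would apply to a user's traffic, from the
RADIUS Access-Accept and the SSID configuration (Sections 9.2 and 11.2.2).

Added example, not Meraki's code. Attributes are modelled as an already
decoded dict of name -> string value; the precedence among the three per-user
paths is an assumption the manual does not state; VLAN values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Figure 29: attributes the MCC can be configured to read the group policy
# name from: standard attribute type, or vendor number plus vendor attribute.
GROUP_POLICY_ATTRIBUTES = {
    "Filter-Id": ("standard", 11),
    "Reply-Message": ("standard", 18),
    "Airespace-ACL-Name": ("vendor", 14179, 6),
    "Aruba-User-Role": ("vendor", 14823, 1),
}

# Access control modes under which the AP consults RADIUS (Sections 9.2, 11).
RADIUS_MODES = {"mac-based", "wpa2-enterprise"}


@dataclass(frozen=True)
class GroupPolicy:
    name: str
    vlan_id: Optional[int] = None  # None: "use the default setting configured on the SSID"


@dataclass
class SsidConfig:
    access_mode: str                        # e.g. "wpa2-enterprise" (bridge mode assumed)
    vlan_id: Optional[int] = None           # per-SSID tag; None = untagged
    radius_can_override_vlan: bool = False  # "RADIUS response can override VLAN tag"
    group_policy_attribute: str = "Filter-Id"
    group_policies: Dict[str, GroupPolicy] = field(default_factory=dict)


def parse_vlan(value: str) -> Optional[int]:
    """Tunnel-Private-Group-ID carries the VLAN as text; accept only 1-4094."""
    try:
        vid = int(value)
    except (TypeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def group_policy_from_accept(cfg: SsidConfig, accept: Dict[str, str]) -> Optional[GroupPolicy]:
    """Section 11.2: the named policy applies only if the MCC has one of that name on this SSID."""
    attr = cfg.group_policy_attribute
    if attr not in GROUP_POLICY_ATTRIBUTES:
        raise ValueError(f"unsupported group policy attribute {attr!r}")
    name = accept.get(attr)
    return cfg.group_policies.get(name) if name is not None else None


def effective_vlan(cfg: SsidConfig, accept: Dict[str, str],
                   manual_policy: Optional[GroupPolicy] = None) -> Tuple[Optional[int], str]:
    """Return (vlan_id, source) for the user's data traffic.

    Assumed precedence: a policy assigned by hand on the Client Details page,
    then the RADIUS-selected group policy, then Tunnel-Private-Group-ID when
    RADIUS override is enabled, then the SSID's own setting.
    """
    if manual_policy is not None and manual_policy.vlan_id is not None:
        return manual_policy.vlan_id, "manual-group-policy"
    if cfg.access_mode in RADIUS_MODES:
        policy = group_policy_from_accept(cfg, accept)
        if policy is not None and policy.vlan_id is not None:
            return policy.vlan_id, "radius-group-policy"
        if cfg.radius_can_override_vlan and "Tunnel-Private-Group-ID" in accept:
            vid = parse_vlan(accept["Tunnel-Private-Group-ID"])
            if vid is not None:  # malformed or out-of-range IDs are ignored, not applied
                return vid, "tunnel-private-group-id"
    return cfg.vlan_id, "ssid"


# Constructed SSID: tagged to VLAN 10, override enabled, two group policies.
STAFF_SSID = SsidConfig(
    access_mode="wpa2-enterprise", vlan_id=10, radius_can_override_vlan=True,
    group_policies={"Staff": GroupPolicy("Staff", vlan_id=30), "Guest": GroupPolicy("Guest")},
)

if __name__ == "__main__":
    for accept in ({"Tunnel-Private-Group-ID": "20"}, {"Filter-Id": "Staff"}, {"Filter-Id": "Guest"}):
        print(accept, "->", effective_vlan(STAFF_SSID, accept))
```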
11.2.3 Test the IPM Configuration

Since policies and permission rules can be complex and sometimes result in counter-intuitive behavior, it is important to test a configuration thoroughly before deploying it in a live environment. An administrator can use the following tools to confirm that IPM is configured and operating correctly:
• Event log: The event log shows RADIUS attributes that were received and/or applied for a particular user. (See Section 8.7, “Event Log Page (Enterprise Only)”.)
• Authentication test tools: The RADIUS test tools under the Configure tab on the Access Control page simulate a user authentication, and they show the RADIUS attributes that were received and/or applied for a particular test user. (See Section 7.3.2, “Externally Hosted RADIUS Server”.)

12 Traffic Shaper (Enterprise Only)

Section 8.6.2 introduced the granular, application-specific network usage data that is at an administrator’s disposal through Traffic Analysis. In addition to providing this level of visibility into how the wireless network is being used, administrators can create shaping policies to apply per-user controls on a per-application basis. This allows the throttling of recreational applications such as peer-to-peer file-sharing programs and the prioritization of enterprise applications such as Salesforce.com, ensuring that business-critical application performance is not compromised.

12.1 Configuring Shaping Policies

Shaping policies can be created on the Traffic Shaping page under the Configure tab. Shaping policies are created and applied per SSID by selecting the appropriate SSID from the drop-down selector at the top of the page. Shaping policies can also be turned on and off using the “Shape traffic” drop-down selector underneath the SSID selector.
12.1.1 Creating Shaping Rules

Traffic shaping policies consist of a series of rules that are evaluated in the order in which they appear in the policy, similar to custom firewall rules. There are two main components to each rule: rule definitions and rule actions.
• Rule Definition: Rules can be defined in two ways. An administrator can select from various pre-defined application categories such as Video & Music, Peer-to-Peer, or Email. More information about which applications are included in each category can be found in Section 8.6.2. The second method of defining rules is to use custom rule definitions. Administrators can create rules by specifying HTTP hostnames (e.g., salesforce.com), port number (e.g., 80), IP ranges (e.g., 192.168.0.0/16), or IP range and port combinations (e.g., 192.168.0.0/16:80).
• Rule Actions: Traffic matching specified rule sets can be shaped and/or prioritized.
o Bandwidth limits can be specified to either 1. ignore any limits specified for a particular SSID on the Access Control page (allow unlimited bandwidth usage), 2. obey the specified SSID limits, or 3. apply more restrictive limits than the SSID limits. To specify asymmetric limits on uploads and downloads, click on the Details link next to the bandwidth slider control.
o Quality of Service (QoS) prioritization can be applied to traffic at Layers 2 and 3. Layer 2 prioritization is accomplished by specifying a value for the PCP tag in the 802.1q header on outgoing traffic from the access point. This feature is only available for SSIDs where VLAN tagging is enabled. To prioritize traffic at Layer 3, a value is selected for the DSCP tag in the IP header on all incoming and outgoing IP packets. This also affects the WMM priority of the traffic. To fully benefit from this feature, upstream wired switches and routers must be configured for QoS prioritization as well.
12.1.2 Example Shaping Policy

Figure 30 shows a typical shaping policy that might be found in an office setting.

Figure 30 - Example Shaping Policy

13 Guest Management (Enterprise Only)

Many organizations want to be able to quickly and easily get guests online, and at the same time control who is on the network. The MCC allows administrators to create “guest ambassadors”, who can create guest user accounts but cannot otherwise modify the system. For example, a network administrator can create a guest ambassador account for a receptionist. In turn, the receptionist can create user accounts for guests who need temporary access to the wireless network.

Guest ambassador accounts are configured under the Configure tab on the Network-Wide Settings page. A guest ambassador who logs into the MCC can access the “Guest Management Portal”, which only allows the creation of user accounts on SSIDs that are configured with a sign-on splash page using the Meraki-hosted authentication server. The guest ambassador can add, edit, and remove user accounts, and can specify expiration times for user accounts (e.g., to expire in 1 day). Figure 31 shows a screenshot of the Guest Management Portal used by guest ambassadors.

Figure 31 – Guest Management Portal

14 Rogue AP Detection (Enterprise Only)

Meraki APs can detect nearby APs that may pose a security threat to either wireless users or to the organization’s network. Meraki identifies 2 types of rogue APs:
1. APs that are broadcasting the same SSID as the administrator’s configured SSID can trick clients into connecting to the wrong AP. These clients could then potentially divulge personal or confidential information to the wrong host.
2. APs could be connected to the organization’s wired network without any of the necessary encryption or authentication settings, thereby opening a security hole into the organization’s wired network. (These APs may not necessarily be introduced into the network maliciously. For instance, an employee might bring a consumer-grade AP into work for his own convenience. He plugs the AP into the LAN near his desk and intentionally does not configure any encryption or authentication settings so that he can connect to his AP without having to log in.)

Figure 32 is a screenshot of a Rogue APs page.

Figure 32 – Rogue APs Page

Like the Access Points and Clients pages, the Rogue APs page has a list that can be customized (adding, removing, and reordering columns) and resorted (by clicking on a column header). The Rogue APs page supports the following features:
• Rogue APs that are spoofing an SSID (the first type of rogue AP described above) can be found by sorting on the “SSID” column.
• Rogue APs that are connected to the wired network (the second type of rogue AP described above) can be found by sorting on the “Wired MAC” column.
• The location of a rogue AP can be triangulated with the information in the “Seen by” column, which lists the Meraki APs that are detecting a given rogue AP and the signal strength between a Meraki AP and the rogue AP.
• A nearby AP that does not pose a security threat (e.g., an AP deployed in a neighboring office) can be marked as “known” by selecting the AP, then selecting the action “Mark as known” from the “Actions” drop-down menu. Known APs are colored green in the “Status” column; unknown APs are colored red.

Scans for rogue APs occur periodically according to the “Network Scans” configuration on the Network-Wide Settings page under the Configure tab (see Section 16.4, “Network Scans (Enterprise Only)”). An administrator can force an immediate scan by clicking the “Scan now” button at the top of the Rogue APs page.
Note that a forced scan disassociates all clients that may be connected to Meraki APs at the time the scan is initiated.

15 Wireless Intrusion Prevention System (Enterprise Only)

Meraki’s Wireless Intrusion Prevention System (WIPS) can detect, classify, locate, and remediate a variety of intrusions on the WLAN. Intrusions are classified as:

1. AP Spoofs: APs that are broadcasting your SSID and copying the MAC address of one of your APs. A very high priority threat.

2. Rogue SSIDs, which are broadcast from:

a. A rogue AP that is broadcasting your SSID, perhaps in an attempt to lure your clients to associate.

b. An AP that is detected to be plugged into the wired LAN. Someone who may have malicious or innocent intent has plugged an unauthorized access point into the wired LAN.

c. Ad-hoc networks. A client associated to your WLAN is operating in ad-hoc mode. This could allow unauthorized clients access to your WLAN through the ad-hoc network.

3. Interfering SSIDs: Other APs detected in the area.

4. Malicious broadcasts: DoS attacks attempting to bring down your APs.

5. Packet floods: Client floods or AP floods that try to bring down your APs.

The location of the intrusions will be triangulated and placed on a map, provided you have also placed the location of your APs on the map. For accurate results, it is recommended that you have at least three APs which are not placed in a straight line. The intrusions can then be physically located and removed. Rogue SSIDs can also be contained wirelessly using Rogue Containment: the Meraki APs will send periodic deauthentication messages to the clients trying to associate to the Rogue SSIDs.

Figure 33 is a screenshot of a WIPS page.

Figure 33 – WIPS Page

16 Wireless Features

This chapter describes the various wireless features that can be configured in the MCC.

16.1 AutoRF

The MCC features AutoRF, Meraki’s integrated RF intelligence.
AutoRF constantly scans the local RF environment and performs system-wide network optimizations of AP channel selection and transmit power (Enterprise only), resulting in maximized network performance and reliability. The various components of Meraki’s RF analysis and control features are described in the following sections.

16.2 Channel Selection

Channel selection involves the assignment of RF channels to the radios on the Meraki APs. Optimizing channel assignments reduces channel interference and channel utilization, thereby improving overall network performance and increasing the network’s client capacity.

Channel selection is configured under the Configure tab on the Radio Settings page in Enterprise networks (more detail on the Radio Settings page can be found in Section 16.7) and on the Network-Wide Settings page in Pro networks. Two options are available:

1. Manual: In this case, the administrator can manually configure the channels used by the Meraki APs on the 2.4 GHz and 5 GHz bands. These channel assignments apply across the entire network.

2. Automatic: In this case, the administrator allows the MCC to automatically assign the optimal channels to the radios. The MCC determines the optimal channel configuration for a network by periodically measuring the global network performance and issuing new channel assignments to APs.

Changing channel assignments can cause noticeable network downtime. The administrator can configure the MCC to automatically reassign channels in the wireless network during periods of inactivity (when the channel reassignment would cause the least amount of disruption). Alternatively, the administrator can apply the MCC-calculated channel assignments on demand.

The list of available channels that can be assigned to radios is populated based on the country in which the APs are deployed. As such, the “Country” setting needs to be configured correctly in order for channel management to comply with region-specific wireless regulations.
The Country selector can be found above the Channel Selection controls.

16.3 Channel Spreading (Enterprise Only)

When automatic channel selection is configured, an administrator can configure “channel spreading”, which allows Meraki APs to operate on different channels. Channel spreading selects channels that minimize RF utilization and interference in the network, thereby maximizing overall network performance and client capacity (i.e., the number of wireless clients that can connect to the network).

Channel spreading is ideal for environments in which a high number of clients could saturate a single channel. For instance, in an auditorium with hundreds of wireless clients and numerous APs broadcasting in the same space, channel spreading should be enabled.

Channel spreading is configured under the Configure tab on the Radio Settings page.

16.4 Network Scans (Enterprise Only)

Meraki APs perform network scans to collect information about the RF environment (e.g., channel utilization, channel interference, etc.), and to detect rogue APs. There are 2 types of network scans:

• Opportunistic scans are performed when an individual AP has no clients associated to it.

• Mandatory scans are performed at a specific time of day (on specific days of the week) by all APs in the network. Note that a mandatory scan disconnects any clients that may be associated to Meraki APs at the time a scan begins.

Whether a network performs only opportunistic scans or performs both opportunistic and mandatory scans is configured under the Configure tab on the Network-Wide Settings page. The schedule for mandatory scans is also configured in this section.

16.5 Spectrum Analysis (Enterprise Only)

Meraki 802.11n APs feature built-in spectrum analysis capabilities. The APs scan for both 802.11 (other APs) and non-802.11 sources of RF interference (e.g., Bluetooth headsets, cordless phones, and microwaves).
This data is then fed into the Meraki AutoRF planning algorithms to determine the optimal channel plan (if auto-channel selection is enabled) and transmit power settings. No separate sensor APs need to be deployed, as the APs can both serve clients and perform network scans.

A real-time interference scan can be run from the Live Tools section of the Access Point Details page (see Section 8.4), giving an administrator both instantaneous and historical data about interference sources in the area of a particular AP.

16.6 Transmit Power Control (Enterprise Only)

Administrators have the option of having all APs in the network set at 100% transmit power or allowing the Cloud Controller to determine the best power settings for optimal performance. In cases where APs are deployed with high density and significant overlap in coverage, the Cloud Controller may determine that interference could be minimized by a reduction in transmit power. In this situation, if an AP were to go down, resulting in a gap in coverage, the adjacent AP power levels would then be automatically increased to compensate.

Administrators can select full transmit power or automated transmit power selection on the Radio Settings page (see Section 16.7). Channel spreading must be enabled in order to enable automatic power adjustments.

16.7 Radio Settings Page (Enterprise Only)

AP radio controls and channel plan data can be found on the Radio Settings page under the Configure tab. There are two main sections of this page: Controls and Channel Planning reporting.

16.7.1 Radio Controls

Controls found in this section include the Country selector (see Section 16.2), Manual versus Automatic Channel Selection (see Section 16.2), Channel Spreading (see Section 16.3), and Full versus Automatic Radio Power Selection (see Section 16.6).
16.7.2 Channel Planning Report

This report shows administrators a summary of the current channel plan in the network as well as all APs, both Meraki and non-Meraki or “rogue”, that were detected on each channel during the last network scan performed. This table gives administrators insight into the current channel plan. Clicking on the Details link next to each channel that has APs assigned to it brings you to the Channel Interference table, which shows more detail about the current transmit power and the interference sources seen by each AP on that channel, both currently and historically.

16.8 SSID Availability Page

The SSID Availability page is where an administrator can manage the visibility and availability of SSIDs based on time and location.

16.8.1 SSID Visibility (Enterprise Only)

Administrators can “hide” an SSID by disabling advertisement of the SSID in:

• The Beacon frame that the AP periodically broadcasts.

• The Probe Response frame that the AP sends in response to a Probe Request frame from a wireless client.

Only wireless clients that are manually configured with the hidden SSID’s settings can connect to the hidden SSID. Other clients that are not configured to connect to the hidden SSID cannot discover it as an available wireless network.

This feature can be used to discourage wireless users from connecting to a particular SSID. For instance, at a school, the “VOIP” SSID could be hidden so that students would be less likely to connect to it. However, phones could be configured to connect to the SSID.

It is important to note that this ability to hide an SSID is not a security feature. Basic wireless snooping or eavesdropping techniques can be used to uncover a hidden SSID. A hidden SSID should still be used in conjunction with the appropriate wireless security methods, such as wireless encryption and authentication (see Section 7, “Wireless Encryption and Authentication”).
The option to hide an SSID appears under the Configure tab on the Access Control page.

16.8.2 SSID Broadcast Controls By AP (Enterprise Only)

By using AP tagging (see Section 8.5.1), an administrator can choose to broadcast an SSID from certain APs only. As an example, suppose a guest SSID is only to be broadcast in the lobby of an office building, and the APs located in the lobby area have been tagged with the tag “Lobby”. To broadcast the guest SSID only from the tagged APs, use the AP selection drop-down menu under the SSID Availability section, choosing “This SSID is enabled on some APs…”. See Figure 34 for the selector location on the SSID Availability page.

Figure 34 - Selecting to Broadcast SSID on certain Tagged APs

See Figure 35 for an illustration of an SSID configured to only broadcast from APs tagged “Lobby”.

Figure 35 - SSID Enabled on Tagged APs Only

16.8.3 Timed SSID Broadcasting (Enterprise Only)

For certain deployment types, such as a retail store offering free public wireless access, an administrator may only want to offer network access during certain business hours. With timed SSID broadcasting, the hours during which an SSID is broadcast can be configured in Dashboard rather than requiring an administrator to manually disable an SSID at the end of the day. This feature actually disables the SSID, in contrast to hiding an SSID (see Section 16.8, “Hidden SSID”).

The option to set broadcast hours for an SSID appears under the Configure tab on the Access Control page.

16.9 Band Selection and Band Steering (Enterprise Only)

Band selection enables an administrator to configure an SSID to broadcast on both the 2.4 GHz and 5 GHz bands, on both bands with band steering enabled, or on the 5 GHz band only. Band steering steers 5 GHz-capable clients from the 2.4 GHz band, which is typically heavily utilized by wireless devices, to the 5 GHz band, which is much less utilized.
Band steering increases the total bandwidth and capacity available to clients, while improving client performance at 5 GHz.

Band selection and band steering are configured under the Configure tab on the Access Control page.

For networks containing the Meraki MR11 (a single-radio AP), a separate band selection setting appears under the Configure tab on the Network-Wide Settings page. This setting allows an administrator to configure whether the MR11 APs broadcast on the 2.4 GHz band or on the 5 GHz band.

16.10 Disabling Legacy 802.11b Bitrates (Enterprise Only)

An administrator can improve the performance of clients on the 2.4 GHz band by disabling legacy 802.11b bitrates (1, 2, and 5.5 Mbps). If these legacy bitrates are disabled, 802.11b clients will be unable to associate to the SSID at those bitrates.

This feature is configured under the Configure tab on the Access Control page.

16.11 Software Upgrades

Meraki strives to minimize the administrative cost of its systems. One of the ways Meraki realizes this goal is by centrally managing the software upgrade process. Meraki releases MCC and AP firmware upgrades periodically to licensed organizations, in a manner that is minimally disruptive to administrators and wireless users.

For a Meraki network to upgrade to the latest firmware, the network simply needs to be connected to the Internet to reach the MCC. If an upgrade is available, it is scheduled and deployed. An AP’s local web page (see Section 16.18 on accessing the AP’s local web page) shows whether an upgrade is in progress. An upgrade takes about 30 minutes over a fast Internet connection. When the upgrade completes, the node reboots itself.

16.11.1 Preferred Maintenance Window (Enterprise Only)

Enterprise customers can configure a weekly preferred maintenance window during which firmware upgrades should occur. This maintenance window is configured on the Network-Wide Settings page under the Configure tab.
16.12 Mesh Networking

In a wireless mesh deployment, multiple APs (with or without connections to wired Ethernet) communicate over wireless interfaces to form a single network. Each AP develops a list of neighboring devices and exchanges information with the rest of the network to form routes through the network.

When a Meraki AP is connected to a wired Ethernet connection and obtains an IP address (either through static IP configuration or DHCP), the AP takes the identity of a “mesh gateway”. If an AP is not connected to a wired Ethernet connection or does not obtain an IP address over that connection, the AP operates as a “mesh repeater”, which relays wireless traffic through the mesh network, either to a gateway or through other repeaters.

Meraki devices in a mesh network configuration communicate using a proprietary routing protocol designed by Meraki. The protocol is designed specifically for wireless mesh networking, and accounts for several unique characteristics of wireless networks, including variable link quality caused by noise or multi-path interference, as well as the performance impact of routing traffic through multiple hops. The protocol is also designed to provide ease of deployment and rapid convergence while maintaining low channel overhead.

Occasionally, a mesh repeater in the network will become unavailable, due to disconnection or changes in the environment. Each AP in the Meraki mesh network constantly updates its routing tables with the optimal path to the network gateways. If the best path changes due to node failure or route metric, traffic will flow via the best known path. In the event of a mesh gateway failure or the emergence of a new mesh gateway with a better routing metric, all new traffic flows will be routed to the new mesh gateway.
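The gateway-selection behaviour just described, as an added example for this manual rather than Meraki’s routing protocol (which is proprietary and not published here): a repeater sends each new TCP flow toward the gateway with the best current metric, keeps an established flow pinned to the gateway it started on even after another gateway becomes better, and only moves a flow when its gateway fails. Gateway names, metrics and the flow 4-tuples are constructed; the `MeshRepeater` class, its methods and the “lower metric is better” convention are assumptions made for the illustration.

```python
"""Flow-to-gateway pinning in a mesh repeater.

Added example for this manual; not Meraki's routing protocol. Gateway metrics,
names and flow tuples are constructed to illustrate the behaviour described in
the text: new flows follow the best gateway, established TCP flows stay where
they started, and only a gateway failure moves them.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A TCP flow identified by its 4-tuple (src ip, src port, dst ip, dst port).
Flow = Tuple[str, int, str, int]


@dataclass
class Gateway:
    name: str
    metric: int        # route metric to this gateway; lower is better (assumption)
    up: bool = True


class MeshRepeater:
    def __init__(self, gateways):
        self.gateways: Dict[str, Gateway] = {g.name: g for g in gateways}
        self.flow_table: Dict[Flow, str] = {}     # flow -> pinned gateway name

    def best_gateway(self) -> Optional[str]:
        live = [g for g in self.gateways.values() if g.up]
        if not live:
            return None
        # Tie-break on name so the choice is deterministic.
        return min(live, key=lambda g: (g.metric, g.name)).name

    def forward(self, flow: Flow) -> str:
        """Return the gateway this packet is sent toward.

        An established flow keeps its gateway even if another gateway now has
        a better metric: gateways may sit on different IP subnets, so moving
        the flow would break the TCP connection. The path *to* that gateway
        is left to the routing layer and may change freely.
        """
        pinned = self.flow_table.get(flow)
        if pinned is not None and self.gateways[pinned].up:
            return pinned
        chosen = self.best_gateway()
        if chosen is None:
            raise RuntimeError("no reachable mesh gateway")
        self.flow_table[flow] = chosen      # (re)pin: new flow, or its gateway died
        return chosen

    def update_metric(self, name: str, metric: int) -> None:
        """Route metric changed (link quality, hop count); only new flows react."""
        self.gateways[name].metric = metric

    def add_gateway(self, gw: Gateway) -> None:
        self.gateways[gw.name] = gw

    def set_gateway_state(self, name: str, up: bool) -> int:
        """Mark a gateway up/down; return how many pinned flows lose it."""
        self.gateways[name].up = up
        return 0 if up else sum(1 for g in self.flow_table.values() if g == name)


def walkthrough() -> Dict[str, object]:
    """Scenario from the text; returns the decision taken at each step."""
    r = MeshRepeater([Gateway("gw-a", metric=10), Gateway("gw-b", metric=20)])
    f1: Flow = ("10.0.0.5", 51000, "203.0.113.10", 443)
    f2: Flow = ("10.0.0.5", 51001, "203.0.113.10", 443)
    f3: Flow = ("10.0.0.7", 40000, "198.51.100.2", 22)
    trace: Dict[str, object] = {}
    trace["f1 initial"] = r.forward(f1)                 # gw-a has the best metric
    r.update_metric("gw-b", 5)                          # gw-b becomes better
    trace["f1 after metric change"] = r.forward(f1)     # still gw-a: pinned
    trace["f2 new flow"] = r.forward(f2)                # gw-b: new flows follow best
    r.add_gateway(Gateway("gw-c", metric=1))            # a new gateway appears
    trace["f3 new flow"] = r.forward(f3)                # gw-c
    trace["f1 still pinned"] = r.forward(f1)            # gw-a
    trace["orphaned by gw-a failure"] = r.set_gateway_state("gw-a", False)
    trace["f1 after failure"] = r.forward(f1)           # re-pinned to gw-c
    return trace


if __name__ == "__main__":
    for step, decision in walkthrough().items():
        print(f"{step:28s} -> {decision}")
```

Note what `set_gateway_state` returns: the count of flows that were pinned to the failed gateway. Those connections will generally still break (the new gateway may NAT from a different subnet), which is why the text describes failover in terms of new flows rather than a seamless move of existing ones.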
Because certain mesh gateways may be located on different IP subnets from each other, each TCP flow is mapped to a particular mesh gateway to avoid breaking established connections. The route through the network to the specified mesh gateway may change over time, to adapt to network conditions.

Refer to the Meraki Network Design Guide for more information about designing a Meraki mesh network.

16.13 Wired Clients

Administrators can plug computers, switches, and other devices into the Ethernet jack of a Meraki AP. The administrator can decide how to treat devices that are plugged into a wired port on the AP. Options include:

• Disable wired clients

• Wired clients are treated as part of a specified SSID

The treatment of wired clients is configured under the Configure tab on the Network-Wide Settings page.

If wired traffic is allowed, the AP will route all packets received on its wired port as if they came from the specified SSID. Wired clients would be subject to any network sign-on methods configured on that SSID (e.g., sign-on splash page). However, wireless settings (e.g., link encryption or 802.1X authentication) or networking settings (e.g., VLAN tagging) would not be applied.

16.14 Wireless Bridging

Two Meraki APs can be used to create a wireless bridge between two LANs. For details about this configuration, refer to the Meraki Point-to-Point Whitepaper.

16.15 Quality of Service

The MCC supports the Wireless Multimedia Extensions (WMM) standard for traffic prioritization. WMM is a Wi-Fi Alliance standard based on the IEEE 802.11e specification, with a focus on the EDCA component, to help ensure that devices such as wireless VOIP phones operate well when connected to a Meraki wireless network. WMM provides four different traffic classes: voice, video, best effort, and background.
Devices that support WMM and request a higher level of service, such as Wi-Fi handsets, will receive higher priority on the Meraki wireless network.

QoS keeps latency, jitter, and loss for selected traffic types within acceptable boundaries. When providing QoS for downstream traffic (AP to client), upstream traffic (client to AP) is treated as best-effort.

The application of QoS features might not be noticeable on lightly loaded networks. If latency, jitter, and loss are noticeable when the medium is lightly loaded, it indicates a system fault, a network design problem, or a mismatch between the latency, jitter, and loss requirements of the application and the network over which the application is being run. QoS features start to affect application performance as the load on the network increases.

16.16 Power Save

Meraki also supports WMM Power Save mode, which helps wireless devices avoid excessive battery drain. WMM Power Save improves on the standard 802.11 Power Save Polling mode by allowing devices to “sleep” differently when they receive critical vs. non-critical packets. Devices that support WMM Power Save should experience extended battery life when using a Meraki network.

16.17 Run Dark

Run dark disables the LED lights on all APs. This feature is useful in situations where the lights may be annoying or distracting. For example, it can be enabled to prevent outdoor APs from drawing attention at night.

This feature is configured under the Configure tab on the Network-Wide Settings page.

16.18 Accessing the AP’s Local Web Page

In general, Meraki networks are configured using the MCC, rather than on the individual APs. However, there are a small number of tasks for which information on the AP’s local web page is useful. The steps to access an AP’s local web page are as follows:

1. Associate with the AP either wirelessly or as a wired client (using an Ethernet cable attached to the AP’s Ethernet port).

2. Go to http://my.meraki.com.

The AP’s local web page can be used for a variety of configuration, monitoring, and troubleshooting activities, including the following:

• View the AP’s status (e.g., setup, connectivity, firmware upgrade, etc.).

• View channel utilization and the AP’s signal strength to the client.

• Run client-to-AP speed tests.

• View statistics about the AP’s mesh neighbors.

• Configure a static IP address on the AP. (See Section 6.2.1, “Configuring a Static IP Address Directly on a Meraki AP”.)

17 Branding

This chapter describes the MCC’s capabilities related to branding.

17.1 Splash Page

A splash page can provide a unified branding experience to wireless users in addition to prompting for username/password credentials. For example, the splash page can display a corporate logo and color scheme. The splash page can also show the terms of service, which might include an acceptable use agreement or a privacy statement.

Administrators can set up a separate splash page for each SSID. Splash pages can be hosted by Meraki or by an external host.

17.1.1 Meraki-Hosted Splash Page

Meraki-hosted splash pages (both click-through splash pages and sign-on splash pages) are configured under the Configure tab on the Splash Page page. These built-in splash page capabilities enable administrators to eliminate the need to set up a local web server.

Administrators can choose to customize one of Meraki’s pre-defined splash page templates or create a fully custom page. Splash page variables can be added to splash pages to display dynamic information to the user (e.g., the error returned from a customer-hosted RADIUS server when authentication fails). For a list of splash page variables, see “Appendix D: Meraki-Hosted Splash Page Variables”.

17.1.2 Externally Hosted Splash Page

Both click-through splash pages and sign-on splash pages can be externally hosted.
Externally hosted sign-on splash pages are covered in Section 7.3.2, “Externally Hosted RADIUS Server”.

When an SSID is configured with a click-through splash page, an administrator can redirect a wireless user to a URL. This feature enables the administrator to host the splash page, rather than having it hosted by Meraki. To use this feature, the IP address of the URL’s web server must be inside the walled garden (see Section 10.9, “Walled Garden (Enterprise Only)”). The redirect URL for a click-through splash page is configured under the Configure tab on the Splash Page page.

For additional information on hosting your own splash page, search the Meraki knowledge base for “EXCAP” or “externally hosted captive portal”.

17.1.3 Splash Page Frequency

Regardless of whether the splash page is Meraki-hosted or externally hosted, the frequency with which a wireless client is presented with a splash page can be configured, since the frequency is enforced on the Meraki AP. This splash page frequency is configured under the Configure tab on the Splash Page page.

18 Billing

Meraki provides an integrated billing module that administrators can use to quickly and easily charge for network access. Billing is enabled as a network sign-on method (see Section 7.2, “Network Sign-On Methods”). It is configured under the Configure tab on the Access Control page.

Meraki processes end user credit card transactions, so that administrators do not have to configure or maintain a credit card payment gateway. At the end of each month, if the generated revenue exceeds $20 USD, Meraki sends a payout to the network operator, less a 20% processing fee. Payouts are sent via PayPal (all currencies). The administrator can view payment and payout history on the Account Activity page under the Monitor tab.

The administrator can configure the currency for a billed network.
Note, however, that once a transaction has occurred on the network, it is not possible to change the currency of the billed network.

An administrator can create up to five billing plans (tiers of service). The administrator can specify the fees charged over a particular amount of time with a specific performance limit. For example:

• $5 per month for .5 Mbps of bandwidth

• $10 per month for 1 Mbps of bandwidth

In addition, the administrator can check the “Free access” option, which provides free access for a limited amount of time (and possibly subject to a bandwidth limit). This limited free access can serve as a trial period for wireless users before they purchase a paid plan.

Note that it is not possible to customize the splash page when billing is enabled.

19 Administering Multiple Networks

This chapter describes the relationships between an administrator’s account and the “organization” of networks the administrator can monitor and configure.

19.1 Organizations

An “organization” consists of a collection of networks and a collection of administrative accounts. Every administrator has an account in the MCC that is part of an organization. An organization is covered by a single license. (For more information on licensing, see Chapter 21, “Licensing”.)

Organizations can only be created. To delete an organization, please contact Meraki Support.

19.2 Administrators

An administrator can belong to multiple organizations, but his credentials (username and password) may be different for each organization. There are two types of administrators: organization administrators and network administrators.

19.2.1 Organization Administrators

An organization administrator has visibility into all networks in the organization. There are two types of organization administrators: full (read/write) and read-only. Organization administrative accounts are managed under the Organization tab on the Configure page.
A full organization administrator can perform the following operations within a given organization to which he belongs:

• Create, edit, and delete full or read-only organization administrator accounts, or any network administrator account for the organization.

o When an administrator resets the password on an administrative account, a new password is emailed to the administrator. An administrator can reset his own password by clicking the “my profile” link at the top of any page in the MCC.

• Create, edit, and delete networks.

• Add licenses for new access points.

The administrator that creates the first network in a new organization will automatically be designated an organization administrator.

19.2.2 Network Administrators

A network administrator has visibility into all networks in the organization for which he has been designated a network administrator. There are two types of network administrators: full (read/write) and read-only. Administrative accounts are managed under the Configure tab on the Network-Wide Settings page.

A network administrator can perform the following operations within a given organization to which he belongs:

• Create, edit, and delete administrator accounts for the organization.

o When an administrator resets the password on an administrative account, a new password is emailed to the administrator. An administrator can reset his own password by clicking the “my profile” link at the top of any page in the MCC.

• Create, edit, and delete networks for which he has been granted administrative privileges.

o By definition, an administrator has administrative privileges over any network that he creates himself. However, another administrator who did not create the network must first be granted administrative access to the network (by another administrator with administrative access to the network) before he can access it.
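The role model of Sections 13 and 19.2, written out as an authorization check. This is an added example for this manual, not MCC code: the role and action names, the helper functions and the sample organization “acme” are constructed. It encodes the rules the text states: organization administrators see every network in their organization, network administrators only the networks they created or were granted, read-only variants of both can only view, license purchases are reserved to full organization administrators, and a guest ambassador can do nothing except create guest accounts on SSIDs that use a sign-on splash page with the Meraki-hosted authentication server.

```python
"""Authorization model for MCC administrator roles as the chapter describes.

Added example for this manual, not MCC code. Role names, action helpers and
the sample organization are constructed; the rules follow Sections 13 and
19.2 of the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

ORG_FULL, ORG_READONLY, NET_FULL, NET_READONLY, GUEST_AMBASSADOR = (
    "org_full", "org_readonly", "net_full", "net_readonly", "guest_ambassador")

# Sign-on method per SSID; only this one is open to guest ambassadors.
MERAKI_SIGN_ON = "sign-on-meraki-hosted"


@dataclass
class Network:
    name: str
    org: str
    ssids: Dict[str, str] = field(default_factory=dict)   # ssid -> sign-on method


@dataclass
class Admin:
    name: str
    org: str
    role: str
    networks: Set[str] = field(default_factory=set)   # grants (network admins only)


def can_view(admin: Admin, net: Network) -> bool:
    if admin.org != net.org:
        return False                      # accounts belong to one organization
    if admin.role in (ORG_FULL, ORG_READONLY):
        return True                       # organization admins see every network
    if admin.role in (NET_FULL, NET_READONLY):
        return net.name in admin.networks # network admins see only granted networks
    return False                          # guest ambassadors see no network pages


def can_edit_network(admin: Admin, net: Network) -> bool:
    return can_view(admin, net) and admin.role in (ORG_FULL, NET_FULL)


def can_manage_admins(admin: Admin, org: str) -> bool:
    # Both full organization and full network administrators may create,
    # edit and delete administrator accounts for their organization.
    return admin.org == org and admin.role in (ORG_FULL, NET_FULL)


def can_add_licenses(admin: Admin, org: str) -> bool:
    return admin.org == org and admin.role == ORG_FULL


def can_create_guest_account(admin: Admin, net: Network, ssid: str) -> bool:
    """Guest ambassadors: Guest Management Portal only, and only on SSIDs with a
    Meraki-hosted sign-on splash page. Full admins can create the account too."""
    if admin.org != net.org or ssid not in net.ssids:
        return False
    if admin.role == GUEST_AMBASSADOR:
        return net.ssids[ssid] == MERAKI_SIGN_ON
    return can_edit_network(admin, net)


def grant_network(granter: Admin, grantee: Admin, net: Network) -> bool:
    """A network admin who did not create a network must be granted access by
    someone who already has administrative access to it."""
    if not can_edit_network(granter, net) or grantee.org != net.org:
        return False
    if grantee.role in (NET_FULL, NET_READONLY):
        grantee.networks.add(net.name)
    return True


def create_network(creator: Admin, name: str) -> Network:
    """Creating a network gives the creator administrative privileges over it."""
    if creator.role not in (ORG_FULL, NET_FULL):
        raise PermissionError(f"{creator.name} may not create networks")
    net = Network(name, creator.org)
    if creator.role == NET_FULL:
        creator.networks.add(name)
    return net


# Constructed organization "acme" with one network and three SSIDs.
HQ = Network("hq", "acme", {"Corp": "802.1x", "Guest": MERAKI_SIGN_ON,
                            "Visitors": "click-through"})
ORG_ADMIN = Admin("alice", "acme", ORG_FULL)
AUDITOR = Admin("bob", "acme", ORG_READONLY)
NET_ADMIN = Admin("carol", "acme", NET_FULL, {"hq"})
RECEPTION = Admin("dave", "acme", GUEST_AMBASSADOR)
OUTSIDER = Admin("erin", "other-org", ORG_FULL)

if __name__ == "__main__":
    for who in (ORG_ADMIN, AUDITOR, NET_ADMIN, RECEPTION, OUTSIDER):
        print(who.name, "view:", can_view(who, HQ), "edit:", can_edit_network(who, HQ),
              "guest on Guest:", can_create_guest_account(who, HQ, "Guest"),
              "guest on Corp:", can_create_guest_account(who, HQ, "Corp"))
```

The check that matters most for least privilege is in `can_create_guest_account`: the receptionist’s ambassador role is denied on the 802.1X SSID and on the click-through SSID, so a compromised or careless ambassador account can only ever mint credentials on the one SSID that was designed to accept them.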
19.3 Moving APs between Networks or Organizations

An administrator can move APs between networks in a given organization. This operation is performed under the Monitor tab on the Access Points page. After selecting the AP to move, the administrator selects the action “Change network” from the “Actions” drop-down menu, which presents a drop-down menu with the names of the other networks in the organization. The administrator can then select the network to which to move the selected AP.

An administrator can also move APs between organizations. This is accomplished through the following steps:

1. The administrator records the serial number of the AP to move.

2. The administrator removes the AP from its current network. To do this, the administrator goes to the Access Points page under the Monitor tab, selects the AP to remove, and selects the action “Remove from network” from the “Actions” drop-down menu.

3. The administrator logs out of the current organization, then logs into the target organization. After selecting the target network, the administrator adds the AP to the network under the Configure tab on the Add Access Points page. (He will need the serial number he recorded for this step.)

20 Teleworker VPN

Meraki Teleworker VPN enables administrators to extend the corporate LAN to employees at remote sites with Meraki APs, without requiring client devices to have client VPN software installed and running. The experience of wireless clients connected to remote APs will be the same as though they were located at headquarters, with full corporate network access.

20.1 Typical Use Cases

Teleworker VPN can be used to connect small branch offices (<5 people), teleworker or executive home offices, temporary site offices (e.g., a construction site), and traveling employees on the road back to the corporate LAN, providing access to corporate resources at headquarters.
20.2 How It Works

A Meraki AP at a remote site establishes a layer 2 connection using an IPsec-encrypted UDP tunnel back to the corporate LAN. Tunnels are established on a per-SSID basis, and terminate at headquarters on a Meraki virtual concentrator appliance. Since most corporate LANs are located behind a firewall and NAT, the Meraki Cloud Controller can negotiate a connection between the remote AP and the virtual concentrator across a NAT, or a manual port-forwarding method can be used to establish a connection.

Both wireless and wired client traffic at the remote site can be tunneled. Wired clients connected directly to a Meraki AP can have their traffic tunneled. For example, a ShoreTel IP phone can be plugged into the second Ethernet port on an MR12 AP and connect via the VPN tunnel to the corporate PBX.

Teleworker VPN is compatible with any Meraki Enterprise MR-series AP.

20.3 The Virtual Concentrator

Meraki VPN tunnels terminate on a virtual concentrator rather than on a typical hardware VPN concentrator appliance. The concentrator image can be downloaded from Dashboard and installed in VMware (vSphere Hypervisor (ESXi), Workstation, and Player are supported) on any enterprise-grade server. The virtual concentrator can then be managed using Dashboard like any other Meraki networking hardware. Full monitoring and logging capabilities (e.g., connected clients, traffic analysis, etc.) can be utilized in the concentrator network. Just like a Meraki AP, the concentrator firmware is automatically updated by the Cloud Controller.

20.4 Creating the Virtual Concentrator Network

A virtual concentrator is located in a separate concentrator network, separate from the networks containing the access points that will be connected via VPN. A concentrator network is created in the same manner as an AP network, using the network drop-down selector at the top of the Dashboard.
Figure 36 - Creating a Virtual Concentrator Network

20.5 Installing the Virtual Concentrator

Once the concentrator network has been created, the concentrator virtual machine image can be downloaded from Dashboard from the Status page under the Monitor tab in the concentrator network.

Figure 37 - Downloading the Virtual Concentrator Image

Once the image has been downloaded, it can be run in VMware on an existing server in the LAN. Minimum hardware requirements for the server are:

- 1 GHz processor
- 1 GB available hard drive space
- 500 MB dedicated RAM

20.6 Monitoring the Virtual Concentrator

Once the virtual concentrator is running, it can be monitored in Dashboard similarly to Meraki APs. The following is a short description of each page under the Monitor tab and what features can be found there.

20.6.1 Overview

The Overview page shows high-level summary information about the concentrator network, including the geographic location of the concentrator on a Google map, overall bandwidth usage of VPN clients, and recent and currently connected client counts. For more information about the features on this page, see Section 8.1, “Overview”.

20.6.2 Concentrator Status

The Concentrator Status page is very similar to the AP status page. Configuration settings can be edited here, including device name, tags, and address (this address is what determines where the concentrator location is displayed on the Google map on the Overview page). The concentrator virtual machine image can be downloaded from this page. Various live troubleshooting tests, such as listing active clients, ping, and throughput tests, are located on this page, as are various diagnostic graphs showing connectivity and latency. For more information about the features on this page, see Section 8.4, “Access Points Page”.

20.6.3 Clients

The Clients page shows a list of all recent VPN clients and their network usage, including application-level traffic analysis.
See Section 8.6, “Clients Page”, for more details.

20.6.4 Event Log

The Event Log page provides detailed logging about various client activities, including the following:
• Associations/disassociations
• Authentication attempts and outcomes
• DHCP activity
• Initial traffic

For more details about this page, see Section 8.7, “Event Log Page”.

20.6.5 Summary Report

An administrator can obtain network analytics from the Summary Report page under the Monitor tab. This report provides information about the VPN usage and uptime of the Meraki VPN concentrators, and can be e-mailed on a configurable schedule for constant visibility. Administrators can also add their organization’s logo to the report.

20.7 Configuring the Virtual Concentrator

Minimal configuration is required for the virtual concentrator. The configuration settings that are required can be managed under the Configure tab.

20.7.1 Concentrator Settings

There are three configuration settings that can be found on this page: concentrator name, tunneling settings and traffic analysis.

Concentrator name – The device name can be set or changed from this page.

Tunneling – In order for a remote AP to successfully connect to the virtual concentrator, it will likely have to traverse a NAT. There are two methods for doing this NAT traversal: automatic and manual.

Automatic – NAT traversal is auto-negotiated by the Cloud Controller. This method works for most NATs and requires an active Internet connection to function properly. In order for automatic NAT traversal to work, outbound UDP port 9350 should be opened to allow the virtual concentrator to communicate with the Cloud Controller during initial negotiation of the NAT traversal connection. After the connection is established between the remote AP and the virtual concentrator, the Cloud Controller is no longer involved in VPN communication.

Manual – With certain types of NATs, automatic NAT traversal will not work.
In this case, a connection can be manually established via port forwarding by specifying the IP address of the NAT and an open port on the NAT. The specified NAT port should be configured to forward to the concentrator’s IP address at port 9350. The concentrator’s IP address can be found on the Concentrator status page (see 20.6.2, “Concentrator Status”).

Traffic Analysis – This feature may be enabled and disabled on this page, and custom pie charts created. See Section 8.6.2, “Traffic Analysis”, for more details.

20.7.2 Alerts and Administrators

On this page, the network time zone may be set, email alerts configured for concentrator outages, administrators designated and firmware update time windows specified. See the related manual sections for AP networks for more details.

20.8 Configuring Remote APs

No pre-provisioning of remote APs is required. Once a remote site network is created in Dashboard and APs are added to the network, the APs will automatically download their configurations once they are connected to the Internet.

20.9 Create Remote Site Network and Add APs

It is recommended that a separate network be created in Dashboard for each remote site location for purposes of manageability and usage tracking. Remote site networks should be created and access points added to the networks using the Quick Start guide. Get started by selecting “Create a New Network” from the network selector in Dashboard.

Figure 38 - Creating a Remote Site Network

If creating multiple, similar remote networks such as retail store locations, identical networks can be quickly created by selecting “Copy settings from an existing network” during the quick start process. It is highly recommended that in this scenario a single remote network is completely configured first, and other networks are then created by cloning this configuration.
Figure 39 - Network Cloning During Quick Start Process

20.9.1 Configure SSIDs to Tunnel

VPN tunnels are configured on a per-SSID basis. A typical configuration for a small branch office might be a tunneled SSID for corporate use that is copied from the headquarters network, with 802.1x authentication, bridge mode and custom firewall rules, and a second personal SSID with WPA2-PSK for personal and family use that is not tunneled. To select an SSID to be tunneled, select the concentrator to be used with the VPN drop-down selector on the Access Control page under the Configure tab in the remote site network.

20.9.2 Configure Split Tunnel

To avoid all traffic being tunneled to the concentrator in the main office, select tunnel type “Split tunnel”. Then select the IP ranges and ports that you wish to tunnel back to the concentrator. All other traffic will use the local LAN or WAN connection. This can dramatically reduce the traffic load on the corporate network.

20.9.3 Tunneling Wired Client Traffic

Wired traffic can be tunneled as well if an MR12 is used as a remote AP, by connecting clients such as an IP phone or desktop computer to the Eth1 port. Wired client traffic will be tunneled if the port has been associated to an SSID that is tunneled. This setting can be found on the Network-wide Settings page under the Configure tab in the remote network.

Figure 40 - Configuring MR12 Port to Tunnel Wired Traffic

20.10 Configuration Best Practices

There are a variety of best practices that will result in the smoothest possible deployment and operation of remote sites with Teleworker VPN; they are discussed in the following sections.

20.10.1 Concentrator Location(s)

Depending on the VLAN and firewall configuration of an administrator’s network as well as how the VPN will be used, the optimal concentrator location and number of concentrators may vary.
Multiple VLAN Deployments

The concentrator does not currently support VLAN tagging. Clients will be assigned to the VLAN that the concentrator is located in. Depending on the desired VPN usage and the network configuration, this will dictate where the VPN concentrator is located and whether multiple concentrators are required.

Example: At Acme Corporation, two VLANs exist: VLAN 30, for end user data traffic (including wireless users), and VLAN 20, for traffic from their PBX phone system (the PBX at HQ sits in this VLAN). The administrator would like to deploy remote APs and IP phones to all of the company’s traveling salespersons. In this scenario there are two concentrator deployment options:

Option 1 – Single concentrator: In this scenario, a single concentrator can be deployed in either VLAN 20 or 30, and static routes or firewall exceptions created in the LAN to allow the IP phones to communicate with the PBX or to allow wireless clients to access corporate resources in VLAN 30.

Option 2 – Two concentrators: In this scenario, a concentrator is placed in both VLAN 20 and 30. Data traffic on the corporate SSID is tunneled to the VLAN 30 concentrator, and voice traffic from the IP phones is tunneled to the VLAN 20 concentrator using a second tunneled SSID associated to the Ethernet port on the AP that the phone is connected to.

20.10.2 Firewall Settings

Depending on the administrator’s corporate firewall policies, the IP addresses of the concentrator might need to be whitelisted for outbound UDP traffic, and the Cloud Controller IP addresses for inbound UDP traffic. In addition, if using automatic NAT traversal, certain Cloud Controller IP addresses might need to be whitelisted to allow the Cloud Controller to negotiate the connection between the concentrator and the remote APs.
A list of the required Cloud Controller IP addresses can be found here: http://bit.ly/iaQ8K0

21 Licensing

This chapter explains licensing for Meraki networks. An organization must have a current license for the MCC to work properly. Each organization is licensed for a maximum number of APs, for either the Enterprise or the Pro Cloud Controller, for a certain amount of time (typically 1 year or 3 years). For example, the organization may be licensed for 250 APs through January 30, 2011, for the Enterprise Cloud Controller.

Administrators can manage the organization’s licenses on the License Info page under the Configure tab. The page displays the following:
• Status: OK or problem
• Cloud Controller: Enterprise or Pro
• Expiration date
• Device limit
• Current device count
• License history (list of licenses that have been applied to the network)

When a new organization is created, the organization is granted a 30-day grace period. Before the grace period expires, the administrator must enter a valid license key, whose format is a 12-character string (e.g., “Z2A7-32TE-A8Y4”). Networks using the Pro Cloud Controller do not require a license key.

21.1 Adding Licenses

An administrator can increase the licensed AP limit on the License Info page by clicking the “Increase device limit” button. The new license key must be at least as long as the existing license applied to the organization. The MCC will automatically extend the renewal date of the organization’s license in order to enforce co-termination.

Example: An organization contains one Enterprise network with ten APs, each of which was purchased at the same time with a one-year license. Four months into the license term, six more APs are added, each with one-year licenses. The network now has twenty-four AP-months ((12-8=4 months)*6 APs) of “extra credit”.
These 24 AP-months are distributed over the 16-AP network, adding an additional 1.5 months onto the original one-year term of the network. So all the licenses for all 16 APs will expire in 9.5 months. Figure 41 illustrates how this pro-ration calculation works.

Figure 41 - License Proration Calculation

21.2 Cloud Controller Upgrades

An administrator can upgrade from Pro Cloud Controller to Enterprise Cloud Controller by contacting Meraki Sales.

21.3 Renewing Licenses

The administrator can renew the license within 30 days of the renewal date. To renew, simply click on the “Renew license” button on the License Info page and enter a license key.

21.4 Expired Licenses or Exceeding the Licensed AP Limit

If an organization’s license is expired or the number of APs in the organization exceeds the licensed limit, the administrator has 30 days to return the organization to a valid licensed state. During this grace period, the system will remind the administrator to add additional licenses.
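The co-termination arithmetic in the example above can be checked with a short calculation. The following Python function is an added example, not part of the Meraki manual and not Meraki’s billing code; it assumes whole-month accounting and that the rule is exactly the one the worked example describes (the AP-months the new licenses carry beyond the current expiry are spread evenly over every AP in the network):

```python
from fractions import Fraction


def coterminate(existing_aps, term_months, months_elapsed, added_aps, added_term_months):
    """Compute the co-terminated expiry after adding licenses to a running term.

    Assumption (taken from the manual's worked example, not a published formula):
    the AP-months that the new licenses carry beyond the current expiry date are
    distributed evenly over all APs in the network, and the single shared expiry
    date moves out by that many months.

    Returns (extra_ap_months, extension_months, months_until_expiry).
    """
    if added_term_months < term_months:
        # The manual requires the new license to be at least as long as the existing one.
        raise ValueError("new license term must be at least as long as the existing term")
    if not 0 <= months_elapsed <= term_months:
        raise ValueError("months_elapsed must lie within the existing term")

    remaining = term_months - months_elapsed                        # months left on current licenses
    extra_ap_months = (added_term_months - remaining) * added_aps   # the "extra credit"
    total_aps = existing_aps + added_aps
    extension = Fraction(extra_ap_months, total_aps)                # exact, e.g. 24/16 = 3/2
    return extra_ap_months, float(extension), float(remaining + extension)


def expiry_report(existing_aps, term_months, months_elapsed, added_aps, added_term_months):
    """Human-readable summary in the same terms the manual uses."""
    extra, ext, expiry = coterminate(existing_aps, term_months, months_elapsed,
                                     added_aps, added_term_months)
    return (f"{extra} extra AP-months spread over {existing_aps + added_aps} APs "
            f"extend the term by {ext} months; all licenses expire in {expiry} months")


if __name__ == "__main__":
    # The manual's scenario: 10 APs on a 1-year term, 6 more APs with 1-year
    # licenses added 4 months in.
    print(expiry_report(10, 12, 4, 6, 12))
```

The Fraction keeps the pro-ration exact, which matters when the AP count does not divide the extra AP-months evenly; the function also rejects a shorter new license, which the manual says is not permitted.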
After 30 days, administrators will not be able to access the MCC (except to add additional licenses), and client access to the Meraki wireless network will no longer be possible.

22 Troubleshooting

For troubleshooting tips, please refer to the Meraki Knowledge Base, which can be accessed from the Help tab.

23 References

Meraki provides resources that administrators can reference when implementing and managing a Meraki wireless network, including the following:
• Meraki Network Design Guide
• Meraki Hosted Architecture White Paper
• Wireless Guest Access at the Workplace White Paper
• Wireless User Authentication White Paper
• Wireless Network Security White Paper

These resources are available at the following locations:
http://www.meraki.com/library/collateral/
http://www.meraki.com/library/product/

In addition, numerous tools are available to administrators to help configure and monitor wireless networks, including:
• Wi-Fi Stumbler
• Wi-Fi Mapper
• Client Insight
• Simulated networks
• Coverage calculator

These tools can be found here: http://www.meraki.com/tools

24 Appendix A: Example Office Configuration

This chapter describes a typical office network configuration for a Meraki wireless network.

24.1 Objectives

In this example, the network administrator would like to have a single physical Meraki network provide wireless access to employees, guests and on-site contractors, each with their own unique access requirements.

Employees – These users need access to all LAN resources, as well as the Internet. They are authenticated against the company’s existing Active Directory database using RADIUS via 802.1x. No bandwidth limitations are applied, and they are not required to view a splash page before gaining network access.

Guests – These users are allowed Internet-only access; all other LAN resources are blocked.
To avoid letting guests consume too much bandwidth, limits of 500 kbps up and down are applied. Guests see a branded splash page when they first associate to the wireless network, where they must enter a temporary username and password provided by the receptionist. Guest accounts are valid for two hours.

Contractors – These users have access to a specific printer on the LAN as well as the Internet. Like employees, contractors authenticate against the company’s Active Directory server. No bandwidth limitations or access time limits are applied. Contractors also do not see a splash page.

Employees and contractors share an SSID, while guests have their own SSID.

In addition, employees are allowed to use the wireless network for recreational purposes, while at the same time certain employee groups need to use video conferencing as well as access business-critical enterprise web applications reliably and without performance degradation from bandwidth starvation. To manage these constraints, the administrator will create traffic shaping rules to control employee and contractor usage of recreational applications and to prioritize bandwidth for certain business-critical enterprise applications.

The requirements for the access policies of each user group are summarized in the table below:

User Group  | Required Access    | Access Control              | Bandwidth Limit | Traffic Shaping | Time Limit | Sign-on Splash Page
Employees   | Full LAN           | WPA2-Enterprise with 802.1x | None            | Yes             | None       | No
Guests      | Internet only      | Open, NAC                   | 500 kbps        | No              | Two hours  | Yes
Contractors | Internet + printer | WPA2-Enterprise with 802.1x | None            | Yes             | None       | No

24.2 Implementation Alternatives

Broadly speaking, there are at least two ways to achieve the desired configuration above: VLANs and firewall policies. The first approach uses VLANs to enforce different permissions. One advantage of VLANs is that many administrators are comfortable with VLANs.
Some disadvantages are that VLANs can be fairly hard to configure and may not scale well across large or geographically distributed networks (e.g., multiple branch sites). VLANs can be set per SSID or per user/machine using RADIUS attributes.

The second approach uses Meraki’s Identity Policy Manager (IPM). With IPM, Meraki access points enforce IP-level firewall rules on a per-user basis to achieve the desired security policies. No VLANs are required and configurations are highly flexible. For the rest of this chapter we focus on the IPM approach.

24.3 Assumptions

In this particular example, it is assumed that the administrator will be configuring Microsoft NPS with Active Directory for WPA2-Enterprise with 802.1x authentication and to apply group policies to authenticated users in conjunction with Meraki’s Identity Policy Manager. Network Policy Server (NPS) is the RADIUS implementation that runs on Windows Server 2008; earlier versions of Windows called this service IAS. This example uses NPS. For more information on NPS configuration, please refer to the following Microsoft documentation: http://technet.microsoft.com/en-us/network/bb629414.aspx.

In addition, we will assume that the network is comprised of MR14 dual-radio 802.11n APs, that the network will be configured for best performance, and that all of the APs are gateways (i.e., each AP is connected to the LAN).

24.4 Configuration for Guests

This section describes how to configure the guest SSID in Dashboard.

24.4.1 Configuration Settings

On the Overview page under the Configuration tab, enable one SSID for guest access and another SSID for employees and contractors. In this example, the guest access SSID is named Meraki-Guest and the employee/contractor SSID is named Meraki-Corp. Figure 42 shows the creation of the two SSIDs.

Figure 42 - Creation of Employee and Guest SSIDs

On the Access Control page under the Configure tab, select the Meraki-Guest SSID.
Configure the following settings:
Association requirements: Open (no encryption)
Network sign-on method: Sign-on splash page
Bandwidth limit: 500 kbps
Client IP assignment: NAT Mode: use Meraki DHCP
Content filtering: Block adult content
Network Access Control: Enabled
Firewall: Prevent wireless clients from accessing my LAN
SSID Visibility: Show this SSID
Band selection: Dual band operation with band steering

24.4.2 Configure a Splash Page

The splash page can be customized on the Splash Page menu under the Configure tab. In this example a custom theme has been uploaded called “ACME Terms and Conditions”. Figure 43 shows the completed splash page configuration settings.

Figure 43 - Splash Page Configuration Settings

24.4.3 Create a Guest Ambassador

In order for the receptionist to be able to access Dashboard to create time-expiring user accounts for guests, a guest ambassador account needs to be created. On the Network-wide settings page under the Configure tab, add the receptionist as a user under “Guest Ambassadors”. Figure 44 shows the creation of guest ambassadors using the Guest Ambassador widget.

Figure 44 - Creating a Guest Ambassador

The receptionist now has the ability to create expiring guest accounts and only has access to the Guest Management Portal. When a guest visiting the office requires access, the receptionist logs into the guest management portal and creates guest accounts as necessary. Figure 45 shows the Guest Management Portal configured to create accounts that are valid for two hours.

Figure 45 - Guest Management Portal

24.5 Configuration for Employees

The Meraki-Corp SSID will now be configured for employee access. Since 802.1x with RADIUS authentication will be used against an on-site Active Directory server, some configuration of NPS will be required as well.
24.5.1 Dashboard Configuration

On the Access Control page under the Configure tab, select the Meraki-Corp SSID, which will be used for both employee and contractor access. Configure the following settings:
Association requirements: WPA2-Enterprise with 802.1x
Network sign-on method: Direct access
Authentication Server: Use my RADIUS server
RADIUS for 802.1x: Enter IP, port and secret for on-site RADIUS server
Bandwidth limit: Unlimited
Client IP assignment: Bridge Mode (clients will receive IP addresses from the LAN DHCP server)
Content filtering: Block adult content
Firewall: Allow wireless clients to access my LAN
SSID Visibility: Show this SSID
Band selection: Dual band operation with Band Steering

A summary of the configuration settings for both Meraki-Guest and Meraki-Corp can be seen on the Overview page under the Configure tab. Figure 46 shows the Configuration Overview page with a summary of settings for both SSIDs.

Figure 46 - Summary of Configuration Settings for Both SSIDs

24.5.2 Configure Meraki APs as RADIUS Clients in NPS

In order to complete the 802.1x configuration for employee access, the Meraki APs need to be configured as RADIUS clients in Microsoft NPS. Each RADIUS client needs to specify the IP address of the Meraki AP and the shared secret in use between the Meraki APs and the RADIUS server. This requirement makes it important to ensure that the APs always get the same IP address, either through assigning fixed IPs through DHCP or assigning them a static IP address (see section 6.2.1). Note that many other RADIUS servers (e.g., FreeRADIUS) do not require each AP to be entered individually.
Figure 47 is a screenshot of the RADIUS client configuration in NPS.

Figure 47 - RADIUS Client Configuration in NPS

24.5.3 Testing RADIUS Authentication

Once Dashboard and NPS have been configured for RADIUS authentication, the configuration should be tested using the Dashboard built-in 802.1x test tool under the Configuration tab by entering a set of user credentials that will be verified against all APs in the network. Figure 48 shows the results of a successful 802.1x test, verifying that the configuration is correct.

Figure 48 - 802.1x Test Results

24.6 Configuration for Contractors

Contractor access is controlled via application of a group policy that specifies custom firewall policies when a user in this group associates to the Meraki-Corp SSID. The following sections show how to create a Contractors user group in NPS, create an NPS access control policy, configure the group policy in Dashboard, create the custom firewall rules, and test the policy.

24.6.1 Configuration for Users

User accounts for wired and wireless users are configured in Active Directory (AD). Users can be added to Windows groups or user groups so that NPS policies can subsequently be defined for a group of users. Figure 49 shows creation of the Contractors group within Active Directory.

Figure 49 - Active Directory Group Creation

The appropriate users then need to be added to the defined group. Figure 50 shows the addition of a user account to the “Contractors” group.

Figure 50 - Adding a User to an Active Directory Group

Figure 51 is a screenshot of a user account configured within AD that has been added to the “Contractors” user group.

Figure 51 - User Account Group Membership

24.6.2 Configuration of NPS Policies

NPS policies are applied to users when they authenticate against an AD server.
A policy specifies (1) conditions, which must match in order for the policy to be applied, and (2) settings, which are applied by the policy. There are two types of NPS policies that are most relevant to a wireless network:
• Connection Request Policies apply before a user authenticates. The conditions specified for a connection request policy are limited to those that can be determined prior to authentication (e.g., the MAC address of the Meraki AP performing the authentication).
• Network Policies apply after a user authenticates and is “authorized” for network access. Any information about the user that becomes available after authentication can be used to set conditions for a network policy (e.g., the user group to which the user belongs).

In this example, a connection request policy for wireless users has been created that simply specifies which type of authentication protocol will be applied. Here, Protected Extensible Authentication Protocol (PEAP) is used for all wireless users requesting network access. Figure 52 shows the NPS connection request policy for wireless users on this network.

Figure 52 - Wireless Connection Request NPS Policy

After the connection request policy has been applied and the user has been authenticated, the network policy is applied. In this example, the network policy to be applied is that a RADIUS Filter-ID attribute value of “Contractors” is returned to the RADIUS client (i.e., the Meraki AP) whenever a member of the “Contractors” group authenticates to the network. Figure 53 depicts a network policy with a condition that matches any members of user group “Contractors”.

Figure 53 - Network Policy Condition to Match User Group

Figure 54 shows the setting (i.e., the action) of the network policy that causes a Filter-ID RADIUS attribute with the value “Contractors” to be sent to the RADIUS client.
Figure 54 - Network Policy Setting to Send RADIUS Attribute

Figure 55 shows a summary of the “Contractor” network policy, listing that access should be granted to the user, the Filter-ID RADIUS attribute should be returned and encryption should be used.

Figure 55 - NPS Network Policy Summary

24.6.3 Configuration of Group Policy in the Meraki Cloud Controller

Once NPS has been configured to return the specified RADIUS attribute for users from a particular group, the Meraki AP can match this RADIUS attribute against an IPM group policy that has been configured in the MCC. In this particular example, a group policy has been configured called “Contractors” that will be applied to any user whose RADIUS access-accept contains the value “Contractors” in the Filter-ID attribute. The policy allows unlimited bandwidth usage, tags traffic with an SSID’s default VLAN tag (if configured) and applies custom firewall rules. These rules allow TCP traffic to a printer at 172.16.30.231, block both TCP and UDP traffic to the rest of the LAN (172.16/16) and allow Internet access. This custom firewall policy will override the SSID firewall settings for users from this group. Figure 56 shows the configuration of the Contractors group policy in the MCC.

Figure 56 - MCC Configuration of IPM Group Policy

24.6.4 Testing the Group Policy Application

Once the MCC group policy has been configured, the final step is to test to make sure that the policy is being applied correctly to users from the specified group at authentication. The MCC contains two built-in test tools for this purpose: the 802.1x test tool on the Configure->Access Control page and the Event log. The 802.1x test tool will simulate a user from this group attempting to authenticate to each of the APs in the network.
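Before running the test tool it helps to see, in code, how the Filter-ID returned by the NPS network policy (24.6.2) selects the IPM group policy and how that policy’s ordered firewall rules (24.6.3) decide each flow. The following Python simulator is an added example, not Meraki’s rule engine or NPS code; it assumes first-match evaluation with an implicit deny when no rule matches, represents the RADIUS Access-Accept as a plain dictionary keyed by the attribute name Filter-Id (the manual’s “Filter-ID”), and uses the Acme addresses from the text (printer 172.16.30.231, LAN 172.16/16):

```python
import ipaddress

# Constructed policy data mirroring the Acme example from the manual.
LAN = ipaddress.ip_network("172.16.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rules are (action, protocol, destination network); protocol "any" covers tcp and udp.
# Order matters: the printer allow must precede the LAN deny that would otherwise cover it.
GROUP_POLICIES = {
    "Contractors": [
        ("allow", "tcp", ipaddress.ip_network("172.16.30.231/32")),  # the shared printer
        ("deny",  "tcp", LAN),                                       # rest of the LAN
        ("deny",  "udp", LAN),
        ("allow", "any", ANY),                                       # Internet
    ],
}

# SSID-level firewall for Meraki-Corp: "Allow wireless clients to access my LAN".
SSID_DEFAULT_RULES = [("allow", "any", ANY)]


def select_policy(access_accept):
    """Map the Filter-Id value in a RADIUS Access-Accept to an IPM group policy.

    `access_accept` is a dict of attribute name -> value (an assumption made for
    this example). Users without a matching Filter-Id fall back to the SSID's own
    firewall settings, which is how the manual treats employees on Meraki-Corp.
    """
    group = access_accept.get("Filter-Id")
    return GROUP_POLICIES.get(group, SSID_DEFAULT_RULES)


def evaluate(rules, proto, dst_ip):
    """First-match evaluation; implicit deny if nothing matches (assumption)."""
    ip = ipaddress.ip_address(dst_ip)
    for action, rule_proto, net in rules:
        if rule_proto in ("any", proto) and ip in net:
            return action
    return "deny"


def decide(access_accept, proto, dst_ip):
    """Verdict for one flow from a user who authenticated with this Access-Accept."""
    return evaluate(select_policy(access_accept), proto, dst_ip)


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule already covers
    their protocol and destination range. A non-empty result usually means the rules
    are in the wrong order (e.g. the LAN deny placed before the printer allow)."""
    shadowed = []
    for i, (_, proto, net) in enumerate(rules):
        for _, earlier_proto, earlier_net in rules[:i]:
            if earlier_proto in ("any", proto) and net.subnet_of(earlier_net):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    contractor = {"Filter-Id": "Contractors"}
    print(decide(contractor, "tcp", "172.16.30.231"))   # printer reachable
    print(decide(contractor, "tcp", "172.16.10.5"))     # rest of the LAN blocked
    print(decide(contractor, "tcp", "203.0.113.10"))    # Internet allowed
    print(shadowed_rules(GROUP_POLICIES["Contractors"]))  # [] means no rule is unreachable
```

The shadowed_rules check is the one worth keeping around: if the printer allow is accidentally placed after the 172.16/16 deny, the printer becomes unreachable and the 802.1x test tool will still report success, because the test only verifies authentication and the returned attribute, not the effect of the rules.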
If 802.1x and the group policy have been configured correctly and the correct credentials are entered, the test will show successful authentication against each AP in the network as well as any RADIUS attributes that are being returned. Figure 57 shows the results of a successful 802.1x test. The user’s credentials were passed by all six APs and a Filter-ID attribute of “Contractors” is being returned.

Figure 57 - Successful Result from MCC 802.1x Test Tool

Finally, when a user from this group authenticates to the wireless network, the event log will show any group policies that have been applied. Figure 58 shows the event log after a user from the Contractor group has successfully authenticated to the wireless network, in this case to the AP named “southwest-corner”. The log shows the user has been assigned to the group “Contractor” and the appropriate policy applied.

Figure 58 - Event Log for Contractor Group User

24.7 Traffic Shaping Configuration

The administrator will create two shaping rules. The first rule will enforce a bandwidth limit of 1 Mbps per user for streaming video applications (e.g., YouTube), streaming audio applications (e.g., Pandora) and peer-to-peer filesharing applications (e.g., BitTorrent), which tend to be the most bandwidth-intensive applications used recreationally by employees in this office. The second rule will prioritize all traffic to salesforce.com and VoIP and videoconferencing at Layer 3 by setting the highest possible DSCP bit value of 7, as well as allow unlimited bandwidth to these applications. Figure 59 shows how these rules would be configured.

Figure 59 - Example Traffic Shaping Policy

24.8 Summary

This section shows how a relatively sophisticated corporate environment would configure a multi-user, authenticated LAN.
Environments with fewer requirements may find they have no need for firewall rules or VLANs, while those with more complex requirements may find themselves combining VLANs and multiple firewall rules to achieve the desired configuration.

25 Appendix B: Example Teleworker VPN Configuration

This chapter describes a typical VPN configuration for a remote site using the Meraki Teleworker VPN.

25.1 Objectives

In this example, the network administrator at Acme Enterprise would like to configure a home office with a secure LAN connection for a company executive. The network will need to support two user groups at the remote site, an employee (the executive) and family members.

Employee – The executive needs full access to all LAN resources, as well as the Internet. The user should be authenticated against the company’s existing Active Directory database using RADIUS via 802.1x, just as though she were trying to access the wireless LAN at the office. No bandwidth limitations will be applied, and she is not required to view a splash page before gaining network access. She will also be provided an IP phone that will require a connection to the PBX at headquarters. A shaping policy assuring VoIP traffic of unlimited bandwidth is to be used.

Family Members – These users are allowed Internet and local access for printing to a local printer; no tunneled LAN access is to be provided. To avoid letting guests consume too much bandwidth, limits of 1 Mbps up and down are applied along with a shaping policy limiting streaming audio and video to 500 kbps. A pre-shared key will be used for authentication and adult content filtering will be applied.
The requirements for the access policies of each user group are summarized in the table below:

User Group | Required Access    | Access Control              | Bandwidth Limit | Adult Content Filtering | Traffic Shaping
Employees  | Full LAN           | WPA2-Enterprise with 802.1x | None            | None                    | Unlimited bandwidth for VoIP
Guests     | Internet and local | WPA2-PSK                    | 1 Mbps          | Enabled                 | Limit P2P, streaming video and audio to 500 kbps

25.2 Virtual Concentrator Installation

Before secure LAN access can be provided to remote sites, the virtual concentrator must be created and deployed in the LAN.

25.2.1 Virtual Concentrator Network

The virtual concentrator resides in a separate network in Dashboard from the APs at headquarters or the APs at the remote site that will be connecting to it. A virtual concentrator network is created in the same manner as a network for APs, by selecting “Create a new VPN concentrator” from the network selector drop-down menu at the top of the screen in Dashboard. See Figure 60, “Creating the VPN Concentrator Network”.

Figure 60 - Creating the VPN Concentrator Network

The administrator will then be prompted to name the VPN concentrator network. In this example, the network will be named “HQ Concentrator”. See Figure 61, “Naming the VPN Concentrator Network”.

Figure 61 - Naming the VPN Concentrator Network

After the network is created, it will appear in the network selector drop-down menu along with the other AP networks in the organization (see Figure 62).

Figure 62 - New VPN Concentrator Network

25.2.2 Virtual Concentrator Configuration Settings

For most deployments, minimal configuration of the concentrator is required in Dashboard. In order for the concentrator to establish a connection with the remote AP, a NAT must likely be traversed at headquarters. The concentrator will be configured for automatic NAT traversal, in which case the Meraki Cloud Controller will negotiate the connection automatically.
This setting is found on the Concentrator settings page under the Configure tab.

Figure 63 - Concentrator Settings

To alert the administrator in case the concentrator were to go offline for any reason, or in case another administrator were to make a configuration change, alerts for both of these scenarios will be enabled on the Alerts and administration page under the Configure tab.

Figure 64 - Configuring Alerts for the Concentrator

25.2.3 Installing the Virtual Concentrator in VMware

The concentrator virtual machine image can be downloaded directly from the Concentrator status page under the Monitor tab.

Figure 65 - Downloading the Concentrator Image

Once the image is downloaded it can be run in either VMware Player or Workstation on an existing server in the LAN at headquarters that is connected to the Internet. In this example, the concentrator is installed and running in VMware Player.

Figure 66 - Virtual Concentrator Running in VMware

Note that clients connected to remote APs that are connected to the concentrator will be assigned to the VLAN in which the concentrator resides, as they are connected to a Layer 2 extension of the LAN through the VPN tunnel.

25.3 Remote Site Network Configuration

After the concentrator is configured, installed and running, a network for the remote site will now be created.

25.3.1 Remote Site Network

A new network for the executive’s home office will be created called “VP Home”. During the network creation process, the configuration settings of the corporate network “Acme Enterprise” will be copied to the new network.

Figure 67 - Creating Remote Network in Dashboard

Copying these settings will copy the configuration of the corporate SSID, “Corporate”, to the VP Home network, including RADIUS configuration settings for 802.1x authentication.
This SSID will be selected to have its traffic tunneled to the concentrator. This setting is found on the Access Control page under the Configure tab for the Corporate SSID.

Figure 68 - Selecting Concentrator to Tunnel SSID Traffic

This SSID is now completely configured for remote LAN access via the VPN connection.

A second SSID will be configured for family access. The following settings will be configured:

• Association requirements: WPA2-PSK
• Network sign-on method: Direct access
• Bandwidth limit: 1 Mbps
• Client IP assignment: Bridge Mode (clients will receive IP addresses from the DSL modem/router from the local ISP)
• Content filtering: Block adult content
• Firewall: Allow wireless clients to access my LAN (to print)
• Traffic shaping: Streaming music and video limited to 500 kbps
• VPN: Not tunneled

A third SSID will also be configured for VoIP access, so that an IP phone can be connected at the remote site and connect to the corporate PBX. The following settings will be configured:

• Association requirements: WPA2-PSK
• Network sign-on method: Direct access
• Bandwidth limit: Unlimited
• Client IP assignment: Bridge Mode (clients will receive IP addresses from the LAN DHCP server)
• Firewall: Allow wireless clients to access my LAN
• VPN: Tunneled to concentrator

The IP phone will be connected to the second Ethernet port on the MR12 AP that will be deployed to the executive's home. To associate the wired port with the VoIP SSID, the setting "Clients wired directly to Meraki APs" should be set to "Behave like they are connected to 'VoIP'".

Figure 69 - Associating Wired Port on AP to SSID

The following is an overview of the configuration of the various SSIDs in the VP Home network:

Figure 70 - Overview of SSID Configurations at Remote Site

In this example, the PBX server is located in a different VLAN than the concentrator, so a static route or firewall exception must be created in the LAN to allow the IP phone to communicate with the PBX server.
25.4 AP Pre-Configuration

No pre-provisioning or configuration of the APs is required. An AP can be sent home with the executive with instructions to plug it into their DSL connection. The AP will then download its configuration from the Meraki Enterprise Cloud Controller automatically.

26 Appendix B: Miscellaneous Configuration Settings

This section describes how to configure various third-party networking products that were not covered in Appendix A, such as FreeRADIUS servers and Cisco switches.

26.1 FreeRADIUS Configuration

FreeRADIUS is an open-source alternative to Microsoft NPS/IAS. The following configuration examples come from a FreeRADIUS server running version 2.1.8. For more information on FreeRADIUS configuration, please refer to the FreeRADIUS Wiki: http://wiki.freeradius.org

26.1.1 Configuration for APs (clients.conf file)

APs are configured as RADIUS clients in the FreeRADIUS clients.conf file. (In the context of wireless, a RADIUS "client" is not the wireless device itself, but rather the AP that contacts the RADIUS server on the wireless device's behalf.) An entry in clients.conf can define a single IP address or an IP address range. The following is an example IP address entry. (Note that the IP address entry has its own RADIUS shared secret, which overrides the global RADIUS shared secret that is configured in the "client localhost {}" configuration block.)

    client 172.16.2.0/24 {
        secret = randomkey
    }

26.1.2 Configuration for Users (Users file)

Users and devices are configured in the FreeRADIUS Users file. (The Users file defines users locally on the FreeRADIUS server. Alternatively, the FreeRADIUS server can be configured to query an external authentication database. This latter configuration is outside the scope of this section.)
Example 1: The following is an example user entry for Steve, which causes the FreeRADIUS server to send back a Filter-Id RADIUS attribute with the value "Guest". If the Meraki wireless network is configured to evaluate the Filter-Id attribute to match a group policy, and if a group policy called "Guest" exists, the Meraki AP applies this policy to the user.

    Steve   Cleartext-Password := "test"
            Filter-Id = "Guest"

(For more information on group policies configured as part of IPM, see Section 11.2, "How to Configure IPM".)

Example 2: The following is an example user entry for Bob, which applies a VLAN ID of 5 to Bob's traffic:

    Bob     Cleartext-Password := "test"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 5

(For more information on per-user VLAN tagging, see Section 9.2, "Per-User VLAN Tagging".)

Example 3: The following is an example device entry for MAC-based access control (MAC address 00:1b:77:18:44:00), which applies a VLAN ID of 30 to this device's traffic:

    001b77184400    Cleartext-Password := "001b77184400"
                    Tunnel-Type = VLAN,
                    Tunnel-Medium-Type = IEEE-802,
                    Tunnel-Private-Group-ID = 30

(For more information on MAC-based access control, see Section 7.1.2, "MAC-Based Access Control (Enterprise Only)". For more information on per-user VLAN tagging, see Section 9.2, "Per-User VLAN Tagging".)

26.1.3 Configuration for WPA2-Enterprise with 802.1x Authentication (eap.conf file)

When using a FreeRADIUS server for WPA2-Enterprise with 802.1x authentication, the RADIUS client (in this case, the Meraki AP) must receive the RADIUS attributes in the EAP tunnel that is established. The following configuration in the eap.conf file allows a PEAP tunnel to receive these RADIUS attributes. These lines should appear in the existing "peap {}" configuration block in eap.conf.

    # the PEAP module also has these configuration
    # items, which are the same as for TTLS.
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes

26.2 Switch Configuration for VLAN Tagging

The following configuration from a Cisco switch can be used on a port that is connected to a Meraki AP. The configuration puts the port in trunk mode, which enables the port to handle both VLAN-tagged and untagged packets.

    interface FastEthernet0/3
     duplex full
     speed 100
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 10
     switchport mode trunk

27 Appendix C: RADIUS Attributes

The following sections describe the RADIUS attributes that the MCC supports, for both splash page sign-on with RADIUS and 802.1x with RADIUS. In the tables below, "X" means the attribute is supported.

27.1 Authentication Attributes

For further details, see the RADIUS RFC (RFC 2865) and the Meraki Knowledge Base at http://meraki.com/support/knowledge_base.

27.1.1 Attributes Supported in Access-Request Messages

| Attribute | Splash page with RADIUS / 802.1x with RADIUS | Notes |
| User-Name | X / X | |
| User-Password | X / X | |
| NAS-IP-Address | X / X | |
| NAS-Identifier | X / X | |
| NAS-Port | X / X | Set to 0 |
| NAS-Port-Id | X | |
| NAS-Port-Type | X / X | Set to "Wireless-IEEE-802-11" |
| Calling-Station-Id | X / X | |
| Framed-IP-Address | X | |
| Framed-MTU | X | |
| Connect-Info | X | |
| Acct-Session-Id | X / X | |
| Service-Type | X | Set to 1 |
| Meraki-Device-Name | X | Meraki VSA containing the AP name as a string. |
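As an added example (not code from the Meraki manual or from FreeRADIUS), the following Python script encodes the Access-Accept reply attributes that the Users file entries in Section 26.1.2 produce (Filter-Id for a group policy, Tunnel-* for a per-user VLAN) and the Meraki-Device-Name VSA listed in the table above, then verifies a reply's Response Authenticator the way the AP, as RADIUS client, must before it applies the returned policy or VLAN. The shared secret (the clients.conf value above) and the request authenticator are constructed sample values; attribute numbers come from RFC 2865 and RFC 2868.

```python
"""RADIUS reply encoding and verification for the attributes this manual uses.

Added example, not part of the Meraki manual or of FreeRADIUS. It builds the
Access-Accept that the Users file entries above produce (Filter-Id for a
group policy, Tunnel-* for a per-user VLAN) and the Meraki-Device-Name VSA
from the Access-Request table, then checks a reply the way the RADIUS client
(the AP) must: by recomputing the Response Authenticator with the shared
secret. The secret and request authenticator are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID, VENDOR_SPECIFIC = 11, 26                                  # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
MERAKI_VENDOR_ID, MERAKI_DEVICE_NAME = 29671, 1      # Vendor ID / Vendor Type above


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length includes the header."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_avp(attr_type, value, tag=0):
    """RFC 2868 tunnel attributes carry a leading Tag byte (0 = untagged)."""
    return avp(attr_type, bytes([tag]) + value)


def meraki_device_name(ap_name):
    """Vendor-Specific: Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) String."""
    inner = struct.pack("!BB", MERAKI_DEVICE_NAME, len(ap_name) + 2) + ap_name
    return avp(VENDOR_SPECIFIC, struct.pack("!I", MERAKI_VENDOR_ID) + inner)


def decode_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, payload)."""
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    if vendor_len != len(value) - 4:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, value[6:]


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(identifier, request_auth, secret, group_policy=None, vlan=None):
    """Reply carrying the attributes the Meraki AP maps to a group policy or VLAN."""
    attrs = b""
    if group_policy is not None:              # e.g. Steve -> Filter-Id "Guest"
        attrs += avp(FILTER_ID, group_policy.encode())
    if vlan is not None:                      # e.g. Bob -> VLAN 5
        attrs += tunnel_avp(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        attrs += tunnel_avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        attrs += tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def parse_attributes(blob):
    """Walk the attribute list; a bad Length is rejected rather than skipped."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def verify_reply(packet, request_auth, secret):
    """Return the reply's attributes only if its Response Authenticator is valid."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    attrs = packet[20:]
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                           # wrong secret or tampered reply
    return parse_attributes(attrs)


# Constructed sample values: the clients.conf secret from this section and a
# fixed request authenticator (a real client sends 16 fresh random bytes).
SECRET = b"randomkey"
REQUEST_AUTH = bytes(range(16))
```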
The Meraki-Device-Name VSA has Vendor ID 29671 and Vendor Type 1.

27.1.2 Attributes Supported in Access-Accept Messages

| Attribute | Splash page with RADIUS / 802.1x with RADIUS | Notes |
| Maximum-Data-Rate-Upstream | X | In bit/s |
| Maximum-Data-Rate-Downstream | X | In bit/s |
| Session-Timeout | X / X | In seconds |
| Idle-Timeout | X / X | In seconds |
| Tunnel-Private-Group-ID | X | |
| Tunnel-Type | X | |
| Tunnel-Medium-Type | X | |
| Reply-Message | X / X | Useful for error reporting |
| Filter-Id | X | Used for assigning group policies |
| Reply-Message | X / X | Used for assigning group policies |
| Airespace-ACL-Name | X | Used for assigning group policies |
| Aruba-User-Role | X | Used for assigning group policies |

27.1.3 Attributes Supported in Access-Reject Messages

| Attribute | Splash page with RADIUS / 802.1x with RADIUS | Notes |
| Reply-Message | X | Can be displayed to user |

27.2 Accounting Attributes

For further details, see the RADIUS accounting RFC (RFC 2866).

| Attribute | Supported in Accounting-Start | Supported in Accounting-Stop |
| Acct-Status-Type | X | X |
| Acct-Input-Octets | | X |
| Acct-Output-Octets | | X |
| Acct-Session-Id | X | X |
| Acct-Session-Time | | X |
| Acct-Input-Packets | | X |
| Acct-Output-Packets | | X |
| Acct-Terminate-Cause | | X |
| Acct-Input-Gigawords | | X |
| Acct-Output-Gigawords | | X |
| Event-Timestamp | X | X |
| User-Name | X | X |
| Framed-IP-Address | X | X |
| NAS-Port-Id | X | X |
| NAS-Port-Type | X | X |
| NAS-Identifier | X | X |
| Calling-Station-Id | X | X |
| Called-Station-Id | X | X |
| Meraki-Device-Name | X | X |
| NAS-IP-Address | X | X |
| NAS-Port | X | X |

28 Appendix D: Meraki-Hosted Splash Page Variables

Meraki defines a set of variables to represent custom values in the HTML and CSS of the click-through splash page, the splash page with username/password login, or the blocked access page. Each of these pages is editable within a splash page theme under the Configure tab on the Splash Page page. The following pages are used by the MCC:

• continue.html: Displayed for the click-through splash page.
• auth.html: Displayed for the splash page with username/password login.
• blocked.html: Displayed when a user or device has been blocked.

When a user is served a splash page, each of these custom strings is replaced with its underlying value in a simple substitution. The variables can be used anywhere in the HTML or CSS, but they should only be used in places where the underlying value makes sense. For example, the variable $MERAKI:CONTENT2_LINK_COLOR$ returns a value representing a color in the form "#rrggbb" and is therefore appropriate for use in style sheets or HTML style attributes where a color is required.

The following custom variables are defined:

$MERAKI:AD_TAG_300x250$
• Returns: HTML (including JavaScript)
• Value: An ad tag that inserts a 300 x 250 ad frame.
• Arguments: None

$MERAKI:AUTH_ALREADY_HAVE_ACCOUNT_SIGN_IN_HERE_FORM$
• Returns: HTML
• Value: The login form, with fields for the user's email address and password. Used for networks with user-based authentication enabled.
• Arguments: None

$MERAKI:AUTH_ALREADY_HAVE_ACCOUNT_SIGN_IN_HERE_TEXT$
• Returns: Text string
• Value: "If you already have an account on this network, sign in here" in the local language of the network.
• Arguments: None

$MERAKI:AUTH_AND_CONTINUE_URL$
• Returns: URL
• Value: The URL that the user should follow to get authorized on the network. The user will be redirected to the URL that he was trying to fetch when he was served the splash page. Used to create the "Continue to the Internet" link. Used for open access (free) networks.
• Arguments: None

$MERAKI:AUTH_CREATE_ACCOUNT_FORM$
• Returns: HTML
• Value: The form that allows the user to create an account.
• Arguments: None

$MERAKI:AUTH_CREATE_ACCOUNT_TEXT$
• Returns: Text string
• Value: "If you don't have an account, create one here" in the local language of the network.
• Arguments: None

$MERAKI:AUTH_ON_PAGE_LOAD$
• Returns: JavaScript
• Value: Authorizes the user on the network as soon as the splash page is loaded.
Used when advertising is enabled, to allow the user to click straight through to an ad without having to click the "Continue to the Internet" button.
• Arguments: None

$MERAKI:AUTH_URL(http://example.com/)$
• Returns: URL
• Value: Similar to AUTH_AND_CONTINUE_URL, but redirects to a URL that the administrator specifies, rather than the URL the user was originally trying to load. This can be used to display a post-splash "Welcome" or "Thank you" message.
• Arguments: URL

$MERAKI:BODY_BACKGROUND_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The background color of the splash page.
• Arguments: None

$MERAKI:BODY_LINK_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The color for links as specified in the tag on the splash page.
• Arguments: None

$MERAKI:BODY_TEXT_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The color for the body as specified in the tag on the splash page.
• Arguments: None

$MERAKI:CLASSIC_TOP_HALF_RIGHT_PADDING$
• Returns: "0" or "215px"
• Value:
  o 0 = there is no custom image on the splash screen
  o 215px = there is a custom image on the splash screen
• Arguments: None

$MERAKI:CONTENT1_BACKGROUND_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Background color for the row of colors with the same name as "CONTENT1".
• Arguments: None

$MERAKI:CONTENT1_LINK_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: The color for links for the row of colors with the same name as "CONTENT1".
• Arguments: None

$MERAKI:CONTENT1_TEXT_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Text color for the row of colors with the same name as "CONTENT1".
• Arguments: None

$MERAKI:CONTENT2_BACKGROUND_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Background color for the row of colors with the same name as "CONTENT2".
• Arguments: None

$MERAKI:CONTENT2_LINK_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Link color for the row of colors with the same name as "CONTENT2".
• Arguments: None

$MERAKI:CONTENT2_TEXT_COLOR$
• Returns: Color value in the form "#ffffff"
• Value: Text color for the row of colors with the same name as "CONTENT2".
• Arguments: None

$MERAKI:NETWORK_ADMIN_BLOCK_MESSAGE$
• Returns: HTML
• Value: Contains the message the administrator entered on the Clients page of the MCC, to be displayed to blocked users.
• Arguments: None

$MERAKI:NETWORK_ADMIN_BLOCKED_YOU$
• Returns: Text
• Value: "This network administrator has prevented you from using the network" in the local language of the network.
• Arguments: None

$MERAKI:NETWORK_LOGO_IMG_TAG$
• Returns: HTML tag
• Value: References the network's logo.
• Arguments: None

$MERAKI:NETWORK_MESSAGE$
• Returns: Text string
• Value: The custom message entered on the Splash Page page in the MCC. Does not include HTML tags in the text.
• Arguments: None

$MERAKI:NETWORK_NAME$
• Returns: Text string
• Value: The name of the network.
• Arguments: None

$MERAKI:NETWORK_SPLASH_IMAGE_IMG_SRC$
• Returns: URL
• Value: Link to the custom image on the splash page.
• Arguments: None

$MERAKI:NETWORK_SPLASH_IMAGE_VISIBILITY$
• Returns: "block" or "none"
• Represents: Presence of a custom image on the splash page.
  o "block" = Image present
  o "none" = Image not present
• Arguments: None

$MERAKI:ROUND_CORNERS(div_name,rounding_preferences)$
• Returns: JavaScript
• Value: Rounds the corners of the specified division ("div").
• Arguments: The name of the div, a comma, then a list of space-separated values indicating which corners are to be rounded. Valid rounding_preferences are: Top, Bottom, Left, Right, or any of tl, bl, br, or tr, corresponding to top-left, bottom-left, etc.
• Example: $MERAKI:ROUND_CORNERS(DIVISION_NAME, top bottom)$

$MERAKI:TOOLBAR_PRIVACY_POLICY_LINK$
• Returns: Text string
• Value: "The use of this network is subject to Meraki's privacy policy". The words "Privacy policy" are a link to Meraki's privacy policy statement. If the toolbar is disabled, this returns an empty string.
• Arguments: None

$MERAKI:USER_ALERTS$
• Returns: HTML
• Value: A div containing alert messages resulting from the submission of a form (e.g., "login incorrect").
• Arguments: None

IPsec Manual Keying Between Routers Configuration Example

Document ID: 14140

Contents
• Introduction
• Prerequisites
  o Requirements
  o Components Used
  o Conventions
• Configure
  o Network Diagram
  o Configurations
• Verify
• Troubleshoot
  o Troubleshooting Commands
  o Transform Sets Do Not Match
  o ACLs Do Not Match
  o One Side has crypto map and the Other Does Not
  o The Crypto Engine Accelerator Card is Enabled
• Related Information

Introduction

This sample configuration allows you to encrypt traffic between the 12.12.12.x and 14.14.14.x networks with the help of IPsec manual keying. For test purposes, an access control list (ACL) and an extended ping from host 12.12.12.12 to 14.14.14.14 were used. Manual keying is usually only necessary when a Cisco device is configured to encrypt traffic to another vendor's device which does not support Internet Key Exchange (IKE). If IKE is configurable on both devices, it is preferable to use automatic keying. Cisco device security parameter indexes (SPIs) are in decimal; however, some vendors express SPIs in hexadecimal, in which case a conversion is sometimes needed.

Prerequisites

Requirements

There are no specific prerequisites for this document.
Components Used

The information in this document is based on these software and hardware versions:
• Cisco 3640 and 1605 routers
• Cisco IOS® Software Release 12.3.3.a

Note: On all platforms that contain hardware encryption adapters, manual encryption is not supported when the hardware encryption adapter is enabled.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses this network setup:

Configurations

This document uses these configurations:
• Light Configuration
• House Configuration

Light Configuration

    light#show running-config
    Building configuration...

    Current configuration : 1177 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname light
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    ip subnet-zero
    !
    no crypto isakmp enable
    !
    !--- IPsec configuration
    crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
    !
    !
    crypto map testcase 8 ipsec-manual
     set peer 11.11.11.12
     set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
     set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
     set transform-set encrypt-des
     !--- Traffic to encrypt
     match address 100
    !
    !
    interface Ethernet2/0
     ip address 12.12.12.12 255.255.255.0
     half-duplex
    !
    interface Ethernet2/1
     ip address 11.11.11.11 255.255.255.0
     half-duplex
     !--- Apply crypto map.
     crypto map testcase
    !
    ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 11.11.11.12
    !
    !
    !--- Traffic to encrypt
    access-list 100 permit ip host 12.12.12.12 host 14.14.14.14
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    !

House Configuration

    house#show running-config
    Current configuration : 1194 bytes
    !
    version 12.3
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname house
    !
    !
    logging buffered 50000 debugging
    enable password cisco
    !
    no aaa new-model
    ip subnet-zero
    ip domain name cisco.com
    !
    ip cef
    !
    !
    no crypto isakmp enable
    !
    !
    !--- IPsec configuration
    crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
    !
    crypto map testcase 8 ipsec-manual
     set peer 11.11.11.11
     set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
     set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
     set transform-set encrypt-des
     !--- Traffic to encrypt
     match address 100
    !
    !
    interface Ethernet0
     ip address 11.11.11.12 255.255.255.0
     !--- Apply crypto map.
     crypto map testcase
    !
    interface Ethernet1
     ip address 14.14.14.14 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 11.11.11.11
    no ip http server
    no ip http secure-server
    !
    !
    !--- Traffic to encrypt
    access-list 100 permit ip host 14.14.14.14 host 12.12.12.12
    !
    !
    line con 0
     exec-timeout 0 0
     transport preferred none
     transport output none
    line vty 0 4
     exec-timeout 0 0
     password cisco
     login
     transport preferred none
     transport input none
     transport output none
    !
    !
    end

Verify

This section provides information you can use to confirm your configuration functions properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
• show crypto ipsec sa: Shows the phase two security associations.
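Added example, not part of the Cisco document: a small Python checker that reads the crypto map, transform set and crypto ACL lines of the two routers above (re-typed here as constructed input, with a deliberately broken third configuration) and reports the mismatches that the Troubleshoot section covers, without printing the session keys themselves.

```python
"""Cross-check two manually keyed IOS IPsec peers before bringing the tunnel up.

Added example, not part of the Cisco document. It parses the IPsec-relevant
lines of both running-configs (the light/house pair above, re-typed here as
constructed input, plus a deliberately broken peer) and reports the mismatches
the Troubleshoot section describes: differing transform sets, crypto ACLs that
are not mirror images, and SPIs or session keys that do not cross-match
between one side's inbound SA and the other side's outbound SA.
"""
import re

LIGHT = """
crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.12
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set encrypt-des
 match address 100
access-list 100 permit ip host 12.12.12.12 host 14.14.14.14
"""

HOUSE = """
crypto ipsec transform-set encrypt-des esp-des esp-sha-hmac
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.11
 set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set transform-set encrypt-des
 match address 100
access-list 100 permit ip host 14.14.14.14 host 12.12.12.12
"""

# Constructed broken peer: an AH transform instead of ESP, and an
# interface-to-interface crypto ACL (the "ACLs Do Not Match" case).
BROKEN_HOUSE = """
crypto ipsec transform-set encrypt-des ah-sha-hmac
crypto map testcase 8 ipsec-manual
 set peer 11.11.11.11
 set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set transform-set encrypt-des
 match address 101
access-list 101 permit ip host 11.11.11.12 host 11.11.11.11
"""

TRANSFORM_SET = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
SESSION_KEY = re.compile(
    r"set session-key (inbound|outbound) esp (\d+) cipher (\S+)(?: authenticator (\S+))?")
USE_TRANSFORM = re.compile(r"set transform-set (\S+)")
MATCH_ADDRESS = re.compile(r"match address (\d+)")
ACL_ENTRY = re.compile(r"access-list (\d+) permit ip host (\S+) host (\S+)")


def parse(config):
    """Collect transform-set definitions, manual SAs and crypto ACL entries."""
    cfg = {"transform_sets": {}, "sa": {}, "acls": {}, "uses": None, "match": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := TRANSFORM_SET.match(line):
            cfg["transform_sets"][m.group(1)] = tuple(sorted(m.group(2).split()))
        elif m := SESSION_KEY.match(line):
            # (SPI, cipher key, authenticator key); the keys stay inside this dict
            cfg["sa"][m.group(1)] = (int(m.group(2)), m.group(3), m.group(4))
        elif m := USE_TRANSFORM.match(line):
            cfg["uses"] = m.group(1)
        elif m := MATCH_ADDRESS.match(line):
            cfg["match"] = m.group(1)
        elif m := ACL_ENTRY.match(line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return cfg


def check_pair(config_a, config_b):
    """Return mismatch descriptions for a peer pair; an empty list means consistent."""
    a, b = parse(config_a), parse(config_b)
    problems = []
    ta, tb = a["transform_sets"].get(a["uses"]), b["transform_sets"].get(b["uses"])
    if ta != tb:
        problems.append(f"transform sets differ: {ta} vs {tb}")
    # Side A's inbound SA (SPI, cipher key, auth key) must equal side B's outbound SA.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        sa_a, sa_b = a["sa"].get(mine), b["sa"].get(theirs)
        if sa_a != sa_b:
            spi_a, spi_b = (sa_a or (None,))[0], (sa_b or (None,))[0]
            problems.append(f"side A {mine} SA does not match side B {theirs} SA "
                            f"(SPI {spi_a} vs {spi_b}; key material not shown)")
    # The crypto ACLs must be mirror images: A's src->dst is B's dst->src.
    acl_a = sorted(a["acls"].get(a["match"], []))
    acl_b_mirror = sorted((dst, src) for src, dst in b["acls"].get(b["match"], []))
    if acl_a != acl_b_mirror:
        problems.append(f"crypto ACLs are not symmetric: {acl_a} vs mirrored {acl_b_mirror}")
    return problems
```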
Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.
• debug crypto ipsec: Displays the IPsec negotiations of phase two.
• debug crypto engine: Displays the traffic that is encrypted.

Transform Sets Do Not Match

Light has ah-sha-hmac and House has esp-des.

    *Mar 2 01:16:09.849: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 11.11.11.11, remote= 11.11.11.12,
        local_proxy= 12.12.12.12/255.255.255.255/0/0 (type=1),
        remote_proxy= 14.14.14.14/255.255.255.255/0/0 (type=1),
        protocol= AH, transform= ah-sha-hmac ,
        lifedur= 3600s and 4608000kb,
        spi= 0xACD76816(2899798038), conn_id= 0, keysize= 0, flags= 0x400A
    *Mar 2 01:16:09.849: IPSEC(manual_key_stuffing):
      keys missing for addr 11.11.11.12/prot 51/spi 0.....

ACLs Do Not Match

On side_A (the "light" router) there is an inside-host-to-inside-host ACL, and on side_B (the "house" router) there is an interface-to-interface ACL. ACLs must always be symmetric (these are not).

    hostname house
     match address 101
    access-list 101 permit ip host 11.11.11.12 host 11.11.11.11
    !
    hostname light
     match address 100
    access-list 100 permit ip host 12.12.12.12 host 14.14.14.14

This output is taken from side_A initiating the ping: nothing.

    light#show crypto engine connections active
    ID   Interface    IP-Address   State  Algorithm   Encrypt  Decrypt
    2000 Ethernet2/1  11.11.11.11  set    DES_56_CBC        5        0
    2001 Ethernet2/1  11.11.11.11  set    DES_56_CBC        0        0

This output is taken from side_B when side_A is initiating the ping:

    house#
    1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    1d00h: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    house#show crypto engine connections active
    ID   Interface  IP-Address   State  Algorithm   Encrypt  Decrypt
    2000 Ethernet0  11.11.11.12  set    DES_56_CBC        0        0
    2001 Ethernet0  11.11.11.12  set    DES_56_CBC        0        5

This output is taken from side_B initiating the ping:

    side_B
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /12.12.12.12, src_addr= 14.14.14.14, prot= 1

One Side has crypto map and the Other Does Not

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /14.14.14.14, src_addr= 12.12.12.12, prot= 1

This output is taken from side_B, which has a crypto map:

    house#show crypto engine connections active
    ID   Interface  IP-Address   State  Algorithm   Encrypt  Decrypt
    2000 Ethernet0  11.11.11.12  set    DES_56_CBC        5        0
    2001 Ethernet0  11.11.11.12  set    DES_56_CBC        0        0

The Crypto Engine Accelerator Card is Enabled

    1d05h: %HW_VPN-1-HPRXERR: Hardware VPN0/13: Packet Encryption/Decryption error, status=4098.....

Related Information
• IPsec Negotiation/IKE Protocols
• Technical Support & Documentation - Cisco Systems

© 2012 - 2013 Cisco Systems, Inc. All rights reserved.
Updated: Oct 29, 2006. Document ID: 14140

Description of the Cisco ASA 5500 Series

The Cisco ASA 5500 Series adaptive security appliances are built on a modular platform capable of delivering next-generation security and VPN services to every environment, from small offices, home offices and SMBs up to large enterprises. The Cisco ASA 5500 Series gives the enterprise a complete range of tailored services through its various editions, each designed specifically for firewalling, intrusion prevention, content security and VPN. These editions provide high-quality protection by delivering the services suited to each site. Each edition combines a specialized set of Cisco ASA services that precisely meet the needs of the specific environments of the enterprise network. By meeting the security needs of each area of the network, the security of the whole network is strengthened. The Cisco ASA 5500 Series allows standardization on a single platform to reduce the operating costs associated with security. The common configuration environment simplifies management and reduces staff training costs, while the series' common hardware platform saves money on spare parts. Each edition meets the specific needs of one environment of the enterprise network:

• Firewall Edition: with this firewall edition, the enterprise can deploy its critical applications and networks reliably and securely. The unique modular design of the Cisco ASA 5500 guarantees outstanding investment protection and reduced operating costs.
• IPS Edition: with its set of firewall, application security and intrusion prevention services, this edition protects the enterprise's critical servers and infrastructure against worms, hackers and other threats.
• Content Security Edition: with its comprehensive set of security services, this edition protects users at small and remote sites. Enterprise-class firewall and VPN services provide secure connectivity to the headquarters network. Trend Micro's state-of-the-art content security services shield the client system from malicious websites and from other content-based threats such as viruses, spyware and phishing.
• SSL/IPsec VPN Edition: this edition protects remote users' access to the systems and equipment of the internal network and supports VPN clustering for large enterprise deployments. Remote-access VPN technologies protected by the SSL (Secure Sockets Layer) and IPsec (IP Security) standards are reinforced by threat-mitigation technologies such as Cisco Secure Desktop, and by firewall and intrusion prevention services that ensure VPN traffic does not put the enterprise network at risk.

Five reasons to buy the Cisco ASA 5500 Series adaptive security appliances

1. Secure firewall technology and threat protection for VPNs

Built on the same proven technology behind the success of the Cisco PIX security appliance and the Cisco VPN 3000 concentrator series, the Cisco ASA 5500 Series is the first solution to offer SSL and IPsec VPN services protected by the market's leading firewall technology.
2. Industry-leading content security services

Combines Trend Micro's expertise in threat protection and content control at the Internet edge with Cisco's proven solutions to deliver complete anti-X services: protection against viruses, spyware, spam and phishing, as well as file blocking, URL blocking and filtering, and content filtering.

3. Advanced intrusion prevention services

Proactive intrusion prevention services offer all the capabilities needed to block a wide range of threats: worms, application-layer or operating-system attacks, rootkits, spyware, peer-to-peer file sharing and instant messaging.

4. Multifunction management and monitoring services

On a single platform, the Cisco ASA 5500 Series provides intuitive management and monitoring services through the Cisco ASDM (Adaptive Security Device Manager), as well as enterprise-class management services with the Cisco Security Management Suite.

5. Reduced deployment and operating costs

Built on a concept and an interface similar to those of Cisco's existing security solutions, the Cisco ASA 5500 Series considerably reduces the cost of ownership, whether for a first deployment of a security solution or for day-to-day management.
Cisco ASA 5500 Series Adaptive Security Appliances: At a Glance

ACRONYMS: SSC: Security Services Card; SSM: Security Services Module; AIP-SSM: Advanced Inspection and Prevention Security Services Module; CSC-SSM: Content Security and Control Security Services Module; 4GE-SSM: 4-port Gigabit Ethernet Security Services Module

Cisco ASA 5500 Series models and licenses

| | Cisco ASA 5505 Base / Security Plus | Cisco ASA 5510 Base / Security Plus | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 |
| Typical user | Small office / home office, ROBO / MSSP / enterprise teleworker | SMB / small business | Small business | Medium-sized enterprise | Large enterprise |

Performance summary
| Maximum firewall throughput (Mbps) | 150 | 300 | 450 | 650 | 1200 |
| Maximum 3DES or AES VPN throughput (Mbps) | 100 | 170 | 225 | 325 | 425 |
| Maximum remote-access and site-to-site VPN sessions | 10 / 25 | 250 | 750 | 5000 | 5000 |
| Maximum SSL VPN sessions (1) | 25 | 250 | 750 | 2500 | 5000 |
| Maximum connections | 10,000 / 25,000 | 50,000 / 130,000 | 280,000 | 400,000 | 650,000 |
| Maximum connections per second | 3000 | 6000 | 9000 | 20,000 | 28,000 |
| Packets per second (64-byte) | 85,000 | 190,000 | 320,000 | 500,000 | 600,000 |

Technical summary
| Memory (MB) | 256 | 256 | 512 | 1024 | 4096 |
| System flash memory (MB) | 64 | 64 | 64 | 64 | 64 |
| Integrated ports | 8-port 10/100 switch with 2 Power over Ethernet (PoE) ports | 5 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 8 x 10/100/1000, 1 x 10/100 |
| Maximum virtual interfaces (VLANs) | 3 (trunking disabled) / 20 (trunking enabled) | 50 / 100 | 150 | 200 | 250 |
| SSC or SSM expansion slot | Yes (SSC) | Yes (SSM) | Yes (SSM) | Yes (SSM) | No |

SSC/SSM capabilities
| Supported SSC/SSM modules | SSC (future) | CSC-SSM, AIP-SSM, 4GE-SSM | CSC-SSM, AIP-SSM, 4GE-SSM | CSC-SSM, AIP-SSM, 4GE-SSM | No |
| Intrusion prevention | Not available | Yes, with AIP-SSM | Yes, with AIP-SSM | Yes, with AIP-SSM | No |
| Concurrent threat mitigation throughput (firewall and IPS services) (Mbps) | Not available | 150 (with AIP-SSM-10), 300 (with AIP-SSM-20) | 225 (with AIP-SSM-10), 375 (with AIP-SSM-20) | 450 (with AIP-SSM-20) | Not available |
| Content security (antivirus, anti-spyware, file blocking, anti-spam, anti-phishing and URL filtering) | Not available | Yes, with CSC-SSM | Yes, with CSC-SSM | Yes, with CSC-SSM | Not available |
| Maximum antivirus, anti-spyware and file blocking users (CSC-SSM only) | Not available | 500 (with CSC-SSM-10), 1000 (with CSC-SSM-20) | 500 (with CSC-SSM-10), 1000 (with CSC-SSM-20) | 500 (with CSC-SSM-10), 1000 (with CSC-SSM-20) | Not available |
| CSC-SSM Plus license features | Not available | Anti-spam, anti-phishing, URL filtering | Anti-spam, anti-phishing, URL filtering | Anti-spam, anti-phishing, URL filtering | Not available |

Features
| Application-layer protection | Yes | Yes | Yes | Yes | Yes |
| Transparent Layer 2 firewall | Yes | Yes | Yes | Yes | Yes |
| Security contexts (included / maximum) (2) | 0/0 | 0/0 / 2/5 | 2/20 | 2/50 | 2/50 |
| GTP/GPRS inspection (2) | Not available | Not available | Yes | Yes | Yes |
| High availability (3) | Not available / stateful A/S | Not available / A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| VPN load balancing and clustering | Not available | Not available / Yes | Yes | Yes | Yes |

(1) As of Cisco ASA software version 7.1, the SSL VPN (WebVPN) feature requires a license. By default, systems allow 2 SSL VPN users for evaluation and remote management.
(2) Licensed features.
(3) A/S = Active/Standby; A/A = Active/Active.

Copyright © 2007, Cisco Systems, Inc. All rights reserved.
Cisco, Cisco IOS, Cisco Systems and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the United States and certain other countries. C45-345380-04 6/07

Cisco ASA 5500 Series Adaptive Security Appliances AT-A-GLANCE
© 2007 Cisco Systems, Inc. All rights reserved. The legal notices, privacy statement and trademarks of Cisco Systems, Inc. are provided on cisco.com. Page 1/24

Description of the Cisco ASA 5500 Series Adaptive Security Appliances

The Cisco® ASA 5500 Series Adaptive Security Appliances combine best-of-breed VPN and security services with the scalable Adaptive Identification and Mitigation (AIM) architecture to form a purpose-built security solution. Designed as the core component of Cisco's Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a family of powerful multifunction network security appliances that provide broad, in-depth protection for small and medium-sized business and enterprise networks while reducing overall deployment and operating costs and simplifying the tasks usually associated with this level of security. By bringing a powerful combination of many proven technologies together on a single platform, the Cisco ASA 5500 Series gives you the operational and economic means to deploy comprehensive security services to a larger number of sites. The full range of services available with the Cisco ASA 5500 Series meets the specific needs of each site through product editions designed for small and medium-sized businesses as well as large enterprises.
These editions deliver superior protection by giving each installation the services it needs. Each Cisco ASA 5500 Series edition bundles a specialized set of services (firewall, SSL and IPsec VPN, intrusion prevention, Anti-X services, and so on) that precisely match the needs of the different environments in an enterprise network. And when the security needs of every site are properly covered, the security of the whole network benefits.

Figure 1. Cisco ASA 5500 Series Adaptive Security Appliances

Data Sheet

The Cisco ASA 5500 Series helps businesses protect their networks more effectively while providing exceptional investment protection, thanks in particular to the following key elements:

• Proven security and VPN connectivity capabilities. The multifunction firewall and intrusion prevention system (IPS), together with Anti-X and IPsec or SSL (IP Security / Secure Sockets Layer) VPN technologies, provide robust application security, per-user and per-application access control, protection against worms, viruses and malware, content filtering, and site-to-site or per-user remote connectivity.
• The scalable Adaptive Identification and Mitigation (AIM) services architecture. Using a modular service processing and policy framework, the Cisco ASA 5500 AIM architecture applies specific security or network services on a per-traffic-flow basis, enabling highly granular policy control and Anti-X protection while accelerating traffic processing.
The performance and cost benefits of the Cisco ASA 5500 Series AIM architecture, together with the software and hardware extensibility provided by the Security Services Modules (SSMs), make it possible to evolve existing services and deploy new ones without replacing the platform and without reducing performance. As the architectural foundation of the Cisco ASA 5500 Series, AIM enables highly customizable security policies and unprecedented service extensibility that strengthen enterprise protection against an ever more dangerous threat environment.
• Reduced deployment and operating costs. The multifunction Cisco ASA 5500 solution allows standardization of the platform, configuration and management, helping to reduce recurring deployment and operating costs.

CISCO ASA 5500 SERIES OVERVIEW

The Cisco ASA 5500 Series includes the Cisco ASA 5505, 5510, 5520 and 5540 Adaptive Security Appliances. These four high-performance security appliances build on the expertise of Cisco Systems® in developing recognized, market-leading security and VPN solutions. The series uses the latest technologies from the Cisco PIX® 500 Series security appliances, the Cisco IPS 4200 Series sensors and the Cisco VPN 3000 Series concentrators. Designed as the core component of Cisco's Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity.
The result is a family of powerful multifunction network security appliances that provide broad, in-depth protection for small and medium-sized business and enterprise networks while reducing overall deployment and operating costs and simplifying the tasks usually associated with this level of security. Cisco's extensible AIM services architecture and the flexible multiprocessor design of the Cisco ASA 5500 Series give the Adaptive Security Appliances unprecedented performance for multiple concurrent security services, while offering exceptional investment protection. The Cisco ASA 5500 Series Adaptive Security Appliances combine several high-performance processors that work in concert to deliver advanced firewall services. Businesses can also install the Cisco ASA 5500 Security Services Modules: the Advanced Inspection and Prevention Security Services Module (AIP-SSM) for intrusion prevention services, or the Content Security and Control Security Services Module (CSC-SSM) for advanced Anti-X services. With this flexible design, the Cisco ASA 5500 Series is uniquely able to adapt to protect networks against constantly evolving threats. It also offers exceptional investment protection through programmable hardware that makes the platform extensible over the long term. These proven, high-performance security and VPN capabilities are combined with integrated Gigabit Ethernet connectivity and a flash-memory architecture with no local hard disk. The Cisco ASA 5500 Series is therefore the ideal choice for businesses seeking the best high-performance, flexible, reliable and investment-protecting security solution. Every Cisco ASA 5500 Series appliance supports the maximum number of IPsec VPN users on the base system.
SSL VPN services are purchased and licensed separately. By converging IPsec and SSL VPN services with comprehensive threat defense technologies, the Cisco ASA 5500 Series provides customizable network access tailored to the needs of different deployment environments, delivering a fully secure VPN with complete network-level and endpoint-level security.

CISCO ASA 5505 ADAPTIVE SECURITY APPLIANCE

The Cisco ASA 5505 is a full-featured, next-generation Adaptive Security Appliance for small businesses, enterprise branch offices and teleworker environments. With its modular, plug-and-play design, it delivers high-performance firewall, SSL and IPsec VPN services as well as multifunction networking services. Its integrated web-based manager, Cisco Adaptive Security Device Manager, allows the Cisco ASA 5505 to be deployed quickly and managed easily, helping to reduce the company's operating costs. The Cisco ASA 5505 features an 8-port Fast Ethernet switch whose ports can be grouped dynamically to create up to three separate VLANs for home, business and Internet traffic, a split that improves traffic segmentation and network security. The Cisco ASA 5505 also has two Power over Ethernet (PoE) ports to simplify the deployment of Cisco IP phones with their secure, automatic VoIP features, and of external wireless access points to bring mobility to the network.
Highly extensible, like the other models in the series, the Cisco ASA 5505 protects investments through its modular design and provides an expansion slot and several USB ports for future services. As business needs grow, you can install an additional Security Plus license that allows the Cisco ASA 5505 Adaptive Security Appliance to scale to higher connection capacities and more IPsec VPN users, to support a demilitarized zone (DMZ), and to integrate into switched network environments through VLAN trunking support. This upgrade license further maximizes business continuity by supporting redundant Internet service provider connections and stateful Active/Standby high-availability services. With this combination of industry-leading security and VPN services, advanced networking features, remote management and extensibility, the Cisco ASA 5505 is the ideal high-end security solution for small businesses, branch offices and teleworkers. Table 1 describes the features of the Cisco ASA 5505.

Table 1: Features and capacities of the Cisco ASA 5505 Adaptive Security Appliance
Firewall throughput: up to 150 Mbps
VPN throughput: up to 100 Mbps
Connections: 10,000; 25,000*
IPsec VPN peers: 10; 25*
SSL VPN peer license levels**: 10 or 25
Interfaces: 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual interfaces (VLANs): 3 (without VLAN trunking support) / 20 (with VLAN trunking support)*
High availability: Not supported; stateful Active/Standby and redundant ISP support*
* Upgrade available with the Cisco ASA 5505 Security Plus license
** Feature provided under a separate license; a 2-peer license is included with the base system

CISCO ASA 5510 ADAPTIVE SECURITY APPLIANCE

The Cisco ASA 5510 Adaptive Security Appliance delivers advanced security and networking services to small and medium-sized businesses and to enterprise branch and remote offices in an economical, easy-to-deploy solution. The integrated web-based Cisco Adaptive Security Device Manager makes these services easy to manage and monitor, reducing the deployment and operating costs associated with this level of security. The Cisco ASA 5510 Adaptive Security Appliance provides high-performance firewall and VPN services, three integrated 10/100 Fast Ethernet interfaces, and optional worm-mitigation and intrusion prevention services through the AIP-SSM or comprehensive malware protection through the CSC-SSM. This exceptional combination of services on a single platform makes the Cisco ASA 5510 an ideal choice for businesses that need an economical, extensible security solution with DMZ support. To keep pace with growing business needs, the Cisco ASA 5510 can scale to higher interface density and integrate into switched network environments through VLAN support by installing a Security Plus upgrade license. This upgrade license also optimizes business continuity with Active/Standby high-availability services.
Table 2 lists the features of the Cisco ASA 5510.

Table 2: Features and capacities of the Cisco ASA 5510 platform
Firewall throughput: up to 300 Mbps
Concurrent threat mitigation throughput (firewall + IPS services): up to 150 Mbps with the AIP-SSM-10
VPN throughput: up to 170 Mbps
Connections: 50,000; 130,000*
IPsec VPN peers: 250
SSL VPN peer license levels**: 10, 25, 50, 100 or 250
Security contexts: up to 5***
Interfaces: 3 Fast Ethernet ports + 1 management port; 5 Fast Ethernet ports*
Virtual interfaces (VLANs): 0; 25*
High availability: Not supported; Active/Standby*
* Upgrade available with the Cisco ASA 5510 Security Plus license
** Feature provided under a separate license; a 2-peer license is included with the base system
*** Feature provided under a separate license; two included with the Cisco ASA 5510 Security Plus license

CISCO ASA 5520 ADAPTIVE SECURITY APPLIANCE

The Cisco ASA 5520 Adaptive Security Appliance delivers Active/Active high-availability security services and Gigabit Ethernet connectivity for small and medium-sized business networks in a modular, high-performance solution. Four Gigabit Ethernet interfaces and support for 100 VLANs let businesses easily deploy the Cisco ASA 5520 in multiple zones within their network. The appliance scales with the business as its network security needs grow, and offers solid investment protection. Businesses can extend their IPsec and SSL VPN capacity to serve more mobile workers, remote sites and business partners.
The integrated VPN load balancing and clustering capabilities of the Cisco ASA 5520 increase VPN capacity. The SSL VPN capacity of each platform can also be upgraded by installing upgrade licenses as business needs evolve. To extend the advanced application-layer security and Anti-X defenses offered by this appliance, deploy the high-performance worm-mitigation and intrusion prevention capabilities of the AIP-SSM or the comprehensive malware protection of the CSC-SSM. With the optional security context capabilities of the Cisco ASA 5520, businesses can deploy up to 10 virtual firewalls within one appliance to enable compartmentalized control of security policies at the department level. This virtualization strengthens security and reduces administration and support costs by consolidating multiple security solutions into a single appliance.

Table 3 lists the features of the Cisco ASA 5520.
Table 3: Features and capacities of the Cisco ASA 5520 platform
Firewall throughput: up to 450 Mbps
Concurrent threat mitigation throughput (firewall + IPS services): up to 225 Mbps with the AIP-SSM-10; up to 375 Mbps with the AIP-SSM-20
VPN throughput: up to 225 Mbps
Connections: 280,000
IPsec VPN peers: 750
SSL VPN peer license levels*: 10, 25, 50, 100, 250, 500 or 750
Security contexts: up to 20*
Interfaces: 4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual interfaces (VLANs): 100
Scalability: VPN load balancing and clustering
High availability: Active/Active, Active/Standby
* Feature provided under a separate license; a 2-peer license is included with the base system

CISCO ASA 5540 ADAPTIVE SECURITY APPLIANCE

The Cisco ASA 5540 Adaptive Security Appliance delivers high-performance, high-density security services with Active/Active high availability and Gigabit Ethernet connectivity. It is intended for medium and large enterprise and service provider networks, in a reliable, modular solution. With four Gigabit Ethernet interfaces and support for 200 VLANs, the Cisco ASA 5540 lets businesses segment their network into multiple zones for greater security. The appliance scales with the business as its security needs grow, offering exceptional investment protection and service extensibility. To extend the advanced application-layer and network security and Anti-X defenses offered by the appliance, deploy the AIP-SSM for high-performance intrusion prevention and worm mitigation. Businesses can scale their IPsec and SSL VPN capacity in several ways to serve more mobile workers, remote sites and business partners.
The integrated VPN load balancing and clustering capabilities of the Cisco ASA 5540 increase VPN resilience and capacity. It supports up to 10 appliances per cluster, for a maximum of 50,000 IPsec VPN peers per cluster. Businesses can scale up to 2,500 SSL VPN peers on each Cisco ASA 5540 by installing an SSL VPN upgrade license. The base platform supports 5,000 IPsec VPN peers. With the optional security context capabilities of the Cisco ASA 5540, businesses can deploy up to 50 virtual firewalls within one appliance to enable compartmentalized control of security policies per department or per customer, and reduce management and support costs. Table 4 lists the features of the Cisco ASA 5540.
Table 4: Features and capacities of the Cisco ASA 5540 platform
Firewall throughput: up to 650 Mbps
Concurrent threat mitigation throughput (firewall + IPS services): up to 450 Mbps with the AIP-SSM-20
VPN throughput: up to 325 Mbps
Connections: 400,000
IPsec VPN peers: 5,000
SSL VPN peer license levels*: 10, 25, 50, 100, 250, 500, 750, 1000 and 2500
Security contexts: up to 50*
Interfaces: 4 Gigabit Ethernet ports and 1 Fast Ethernet port
Virtual interfaces (VLANs): 200
Scalability: VPN load balancing and clustering
High availability: Active/Active, Active/Standby
* Feature provided under a separate license; a 2-peer license is included with the base system

CISCO ASA 5550 ADAPTIVE SECURITY APPLIANCE

In a compact 1 RU form factor, the Cisco ASA 5550 Adaptive Security Appliance reliably delivers Gigabit-class security services with Active/Active high availability and Gigabit Ethernet fiber and copper connectivity for large enterprise and service provider networks. With eight Gigabit Ethernet interfaces, four Small Form-Factor Pluggable (SFP) fiber interfaces and support for up to 200 VLANs, it gives the business the means to segment its network into a large number of high-performance zones for greater security. As the business's security needs grow, the Cisco ASA 5550 Adaptive Security Appliance scales with them, providing exceptional investment protection and consistently appropriate service levels.
The business can increase its IPsec and SSL VPN capacity to serve a growing number of mobile workers, remote sites and partners: an upgrade license supports up to 5000 SSL VPN peers on each Cisco ASA 5550, while the base platform accepts up to 5000 IPsec VPN peers. The integrated VPN load balancing and clustering capabilities further increase the VPN capacity and resilience of the Cisco ASA 5550: up to 10 appliances can be clustered, for a maximum capacity of 50,000 SSL VPN peers and 50,000 IPsec VPN peers per cluster. With the optional security context capabilities of the Cisco ASA 5550 Adaptive Security Appliance, the business can deploy up to 50 virtual firewalls on one appliance to enable compartmentalized control of security policies per department or per customer, which considerably reduces management and support costs.

Note: The system has twelve Gigabit Ethernet ports in total, of which eight can be used at the same time. For even more flexible data center, campus or enterprise edge connectivity, the Cisco ASA 5550 Adaptive Security Appliance accepts both copper and fiber connectivity.
Table 5 lists the features of the Cisco ASA 5550.

Table 5: Features and capacities of the Cisco ASA 5550 platform
Firewall throughput: up to 1.2 Gbps
VPN throughput: up to 425 Mbps
Connections: 650,000
IPsec VPN peers: 5,000
SSL VPN peer license levels*: 10, 25, 50, 100, 250, 500, 750, 1000, 2500 and 5000
Security contexts: up to 50*
Interfaces: 8 Gigabit Ethernet ports, 4 SFP fiber ports and 1 Fast Ethernet port
Virtual interfaces (VLANs): 200
Scalability: VPN load balancing and clustering
High availability: Active/Active, Active/Standby
* Feature provided under a separate license; a 2-peer license is included with the base system

PRODUCT SPECIFICATIONS

Table 6 compares the Cisco ASA 5510, 5520 and 5540 Adaptive Security Appliances.
Table 6: Specifications of the Cisco ASA 5500 Series Adaptive Security Appliances
(values are listed in the order Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550)

Users/nodes: 10, 50 or unlimited | Unlimited | Unlimited | Unlimited | Unlimited
Firewall throughput: up to 150 Mbps | up to 300 Mbps | up to 450 Mbps | up to 650 Mbps | up to 1.2 Gbps
Concurrent threat mitigation throughput (firewall + IPS services): Not available | up to 150 Mbps with the AIP-SSM-10 | up to 225 Mbps with the AIP-SSM-10, up to 375 Mbps with the AIP-SSM-20 | up to 450 Mbps with the AIP-SSM-20 | Not available
3DES/AES VPN throughput: up to 100 Mbps | up to 170 Mbps | up to 225 Mbps | up to 325 Mbps | up to 425 Mbps
IPsec VPN peers: 10; 25* | 250 | 750 | 5000 | 5000
SSL VPN peers* (included/maximum): 2/25 | 2/250 | 2/750 | 2/2,500 | 2/5,000
Connections: 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000
New sessions per second: 3,000 | 6,000 | 9,000 | 20,000 | 28,000
Integrated network ports: 8-port Fast Ethernet switch (including two PoE ports) | 3 Fast Ethernet ports + 1 management port; 5 Fast Ethernet ports* | 4 Gigabit Ethernet ports; 1 Fast Ethernet port | 4 Gigabit Ethernet ports; 1 Fast Ethernet port | 8 Gigabit Ethernet ports, 4 SFP fiber ports; 1 Fast Ethernet port
Virtual interfaces (VLANs): 3 (without trunking support) / 20 (with trunking support)* | 50/100* | 100 | 200 | 250
Security contexts (included/max.): 0/0 | 0/0 (Base); 2/5 (Security Plus) | 2/20 | 2/50 | 2/50
High availability: Not supported; stateful Active/Standby and redundant ISP support* | Not supported; Active/Standby* | Active/Active and Active/Standby | Active/Active and Active/Standby | Active/Active and Active/Standby
Expansion slot: 1 SSC | 1 SSM | 1 SSM | 1 SSM | 0 SSM
Accessible flash memory slot: 0 | 1 | 1 | 1 | 1
USB 2.0 ports: 3 (1 front, 2 rear) | 2 | 2 | 2 | 2
Serial ports: 1 RJ-45 console | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary
Rack mounting: Yes, with rack-mount kit (available later) | Yes | Yes | Yes | Yes
Wall mounting: Yes, with wall-mount kit (available later) | No | No | No | No

Technical specifications
Memory: 256 MB | 256 MB | 512 MB | 1024 MB | 4096 MB
Minimum system flash memory: 64 MB | 64 MB | 64 MB | 64 MB | 64 MB
System bus: Multi-bus architecture | Multi-bus architecture | Multi-bus architecture | Multi-bus architecture | Multi-bus architecture

Environmental conditions (values are listed in the order Cisco ASA 5505 | Cisco ASA 5510, 5520, 5540 and 5550)
Operating
Temperature: 0 to 40°C | 0 to 40°C
Relative humidity: 5 to 95% non-condensing | 5 to 95% non-condensing
Altitude: 0 to 3000 m | 0 to 3000 m
Shock tolerance: 1/2 sine at 1.14 m/s | 1/2 sine at 1.14 m/s
Vibration: Random, 0.41 Grms2 (3 to 500 Hz) | Random, 0.41 Grms2 (3 to 500 Hz)
Acoustic noise: 0 dBa maximum | 60 dBa maximum
Storage
Temperature: -25 to 70°C | -25 to 70°C
Relative humidity: 5 to 95% non-condensing | 5 to 95% non-condensing
Altitude: 0 to 4570 m | 0 to 4570 m
Shock tolerance: 30 G | 30 G
Vibration: Random, 0.41 Grms2 (3 to 500 Hz) | Random, 0.41 Grms2 (3 to 500 Hz)

Power supply
Input (per power supply)
Voltage range: 100 to 240 VAC | 100 to 240 VAC
Nominal voltage: 100 to 240 VAC | 100 to 240 VAC
Current: 1.8 A | 3 A
Frequency: 50 to 60 Hz, single-phase | 47 to 63 Hz, single-phase
Output
Steady state: 20 W | 150 W
Maximum peak: 96 W | 190 W
Maximum heat dissipation: 72 BTU/h | 648 BTU/h

Physical data
Form factor: Desktop | 19-inch 1 U rack mount
Dimensions (H x W x D): 4.45 x 20.04 x 17.45 cm | 4.45 x 44.5 x 33.5 cm
Weight (with power supply): 1.8 kg | 9.07 kg

Regulatory and standards compliance
Safety: UL 60950, CSA C22.2 No. 60950, EN 60950, IEC 60950, AS/NZS3260 | UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS3260, TS001
Electromagnetic compatibility (EMC): CE marking, FCC Part 15 Class B, AS/NZS 3548 Class B, VCCI Class B, EN55022 Class B, CISPR22 Class B, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Industry certifications: In progress: ICSA Firewall, ICSA IPSec, Common Criteria EAL4, FIPS 140-2 Level 2 | Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, FIPS 140-2 Level 2, NEBS Level 3, ICSA Firewall, ICSA IPSec, ICSA Gateway Anti-Virus (with CSC-SSM-10 or CSC-SSM-20). In progress: Common Criteria EAL4 for VPN, Common Criteria EAL2 for IPS on AIP-SSM.
* Available through an upgrade license

SECURITY SERVICES MODULES

The Cisco ASA 5500 Series takes networks to a new level of integrated security through its multiprocessor hardware architecture and exceptional AIM services. This architecture lets businesses adapt and expand the high-performance security service profile of the Cisco ASA 5500 Series. Customers can add further high-performance security services using Security Services Modules with dedicated security coprocessors. They can also customize flow-specific policies using an extremely flexible policy definition framework. This adaptable architecture lets businesses deploy new security services as soon as they need them. For example, they can add the broad range of advanced worm-mitigation and intrusion prevention services provided by the AIP-SSM, or the comprehensive Anti-X and malware protection services offered by the CSC-SSM. The architecture also lets Cisco introduce new services in response to new threats, giving businesses excellent investment protection for the Cisco ASA 5500 Series.

Advanced Inspection and Prevention Module

The Cisco ASA 5500 AIP-SSM is an inline network solution designed to accurately identify, classify and stop malicious traffic before it affects your business. Using the IPS software for the Cisco ASA 5500, the AIP-SSM combines inline prevention services with innovative technologies. This gives full confidence in the protection provided by the deployed IPS solution, without fear of dropping legitimate traffic.
The AIP-SSM also provides comprehensive network protection through its exceptional ability to collaborate with other security resources, offering a proactive approach to network protection. It uses accurate inline prevention technologies that allow preventive action against a broader range of threats, without the risk of dropping legitimate traffic. These exceptional technologies provide intelligent, automated and contextual analysis of data, helping ensure that businesses get the most out of their intrusion prevention solutions. The AIP-SSM also uses multi-vector threat identification to protect the network against policy violations, vulnerability exploitation and anomalous activity, through detailed inspection of traffic at Layers 2 through 7. Table 7 details the two AIP-SSM models offered, together with their physical characteristics and respective performance.
Table 7: AIP-SSM specifications for the Cisco ASA 5500 Series (values given as AIP-SSM-10 / AIP-SSM-20)

Concurrent threat-mitigation throughput (firewall + IPS services):
• AIP-SSM-10: 150 Mbps with the Cisco ASA 5510; 225 Mbps with the Cisco ASA 5520
• AIP-SSM-20: 300 Mbps with the Cisco ASA 5510; 375 Mbps with the Cisco ASA 5520; 450 Mbps with the Cisco ASA 5540

Technical specifications:
• Memory: 1 GB / 2 GB
• Flash memory: 256 MB / 256 MB

Environmental operating ranges:
• Operating temperature: 0 to 40°C; relative humidity 5 to 95%, non-condensing
• Storage temperature: -25 to 70°C
• Power consumption: 90 W maximum

Physical:
• Dimensions (H x W x D): 4.32 x 17.27 x 27.94 cm
• Weight (with power supply): 1.36 kg

Regulatory and standards compliance:
• Safety: UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
• Electromagnetic compatibility (EMC): CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3

Content Security and Control Module

The Cisco ASA 5500 Series CSC-SSM delivers industry-leading content control and protection against Internet threats at the network edge. This easy-to-manage solution provides comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering. The CSC-SSM adds powerful security capabilities to the Cisco ASA 5500 Series, giving customers additional protection and control over the content of their business communications.
The module gives additional flexibility and choice in how Cisco ASA 5500 Series appliances are operated and deployed. Licensing options let enterprises tailor functionality to the needs of each user group, with options that include advanced content services and higher user counts. The CSC-SSM ships with a default feature set providing antivirus, anti-spyware and file-blocking services. A "Plus" license, available for each CSC-SSM at additional cost, adds anti-spam, anti-phishing, URL blocking and filtering, and content control. To raise the user capacity of the CSC-SSM, enterprises can purchase and install additional user licenses. The table below lists these options in detail; they also appear in the CSC-SSM data sheet.

Table 8: CSC-SSM specifications for the Cisco ASA 5500 Series (values given as CSC-SSM-10 / CSC-SSM-20)

Supported platforms:
• CSC-SSM-10: Cisco ASA 5510 and Cisco ASA 5520 Adaptive Security Appliances
• CSC-SSM-20: Cisco ASA 5510, Cisco ASA 5520 and Cisco ASA 5540 Adaptive Security Appliances

Standard and optional features:
• Standard user license: 50 users / 500 users
• Standard features: antivirus, anti-spyware, file blocking
• Optional user-count upgrades (total users): CSC-SSM-10: 100, 250 or 500 users; CSC-SSM-20: 750 or 1,000 users
• Optional features: Plus license, which adds anti-spam, anti-phishing, URL blocking and filtering, and content control

Technical specifications:
• Memory: 1 GB / 2 GB
• System flash memory: 256 MB / 256 MB
• Cache memory: 256 KB / 512 KB

Environmental operating ranges:
• Operating temperature: 0 to 40°C; relative humidity 10 to 90%, non-condensing
• Storage temperature: -25 to 70°C
• Power consumption: 90 W maximum

Physical:
• Dimensions (H x W x D): 4.32 x 17.27 x 27.94 cm
• Weight (with power supply): 1.36 kg

Regulatory and standards compliance:
• Safety: UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
• Electromagnetic compatibility (EMC): CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3

Cisco ASA 4-Port Gigabit Ethernet Module

The Cisco ASA 4-Port Gigabit Ethernet Security Services Module lets security managers segment network traffic more finely and create separate security zones, each with its own set of customized security policies. These zones can range from the Internet, through demilitarized zones (DMZs), to internal corporate sites and services.
This high-performance module supports both copper and fiber connectivity, through a choice of four standard 10/100/1000 copper RJ-45 ports or four Small Form-Factor Pluggable (SFP) ports for Gigabit Ethernet optical SFPs, giving flexible connectivity for data center, campus or enterprise-edge deployments. Copper and fiber port types can be mixed, up to four ports in total. The module extends the I/O profile of the Cisco ASA 5500 Series to a total of five Fast Ethernet ports and four Gigabit Ethernet ports on the Cisco ASA 5510, and to eight Gigabit Ethernet ports and one Fast Ethernet port on the Cisco ASA 5520 and 5540 (Table 9).

Table 9: 4-Port Gigabit Ethernet SSM specifications for the Cisco ASA 5500 Series (Cisco ASA 5500 SSM-4GE)

Technical specifications:
• Integrated LAN ports: four 10/100/1000BASE-T (RJ-45)
• Integrated SFP ports: four (Gigabit Ethernet optical SFP; 1000BASE-SX or LX/LH transceivers supported)

Environmental operating ranges:
• Operating temperature: 0 to 40°C; relative humidity 5 to 95%, non-condensing
• Storage temperature: -25 to 70°C
• Power consumption: 25 W maximum

Physical:
• Dimensions (H x W x D): 3.81 x 17.27 x 27.94 cm
• Weight (with power supply): 0.91 kg

Regulatory and standards compliance:
• Safety: UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS 3260, TS001
• Electromagnetic compatibility (EMC): CE marking, FCC Part 15 Class A, AS/NZS 3548 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
ORDERING INFORMATION

To place an order, visit the Cisco site (http://www.cisco.com/web/FR/acheter/acheter_home.html). Table 10 provides the information needed to purchase Cisco ASA 5500 Series products.

Table 10: Ordering information (part number: product name)

Cisco ASA 5500 Series Firewall Edition bundles
• ASA5505-BUN-K9: Cisco ASA 5505 10-user bundle with 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES (Triple Data Encryption Standard/Advanced Encryption Standard) license
• ASA5505-50-BUN-K9: Cisco ASA 5505 50-user bundle with 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• ASA5505-UL-BUN-K9: Cisco ASA 5505 unlimited-user bundle with 8-port Fast Ethernet switch, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• ASA5505-SEC-BUN-K9: Cisco ASA 5505 unlimited-user bundle with Security Plus, 8-port Fast Ethernet switch, 25 IPsec VPN peers, 2 SSL VPN peers, demilitarized zone (DMZ), stateful Active/Standby high availability, 3DES/AES license
• ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition with 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• ASA5510-SEC-BUN-K9: Cisco ASA 5510 Security Plus Firewall Edition with 5 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, Active/Standby high availability, 3DES/AES license
• ASA5520-BUN-K9: Cisco ASA 5520 Firewall Edition with 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface, 750 IPsec VPN peers, 2 SSL VPN peers, Active/Standby and Active/Active high availability, 3DES/AES license
• ASA5540-BUN-K9: Cisco ASA 5540 Firewall Edition with 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface, 5,000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• ASA5550-BUN-K9: Cisco ASA 5550 Firewall Edition with 8 Gigabit Ethernet interfaces, 1 Fast Ethernet interface and 4 Gigabit SFP interfaces, 5,000 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license

Cisco ASA 5500 Series IPS Edition bundles
• ASA5510-AIP10-K9: Cisco ASA 5510 IPS Edition with AIP-SSM-10, firewall services, 250 IPsec VPN peers, 2 SSL VPN peers, 3 Fast Ethernet interfaces
• ASA5520-AIP10-K9: Cisco ASA 5520 IPS Edition with AIP-SSM-10, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5520-AIP20-K9: Cisco ASA 5520 IPS Edition with AIP-SSM-20, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5540-AIP20-K9: Cisco ASA 5540 IPS Edition with AIP-SSM-20, firewall services, 5,000 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface

Cisco ASA 5500 Series Anti-X Edition bundles
• ASA5510-CSC10-K9: Cisco ASA 5510 Anti-X Edition with CSC-SSM-10, 50-user antivirus/anti-spyware with one-year subscription, firewall services, 250 IPsec VPN peers, 2 SSL VPN peers, 3 Fast Ethernet interfaces
• ASA5510-CSC20-K9: Cisco ASA 5510 Anti-X Edition with CSC-SSM-20, 500-user antivirus/anti-spyware with one-year subscription, firewall services, 250 IPsec VPN peers, 2 SSL VPN peers, 3 Fast Ethernet interfaces
• ASA5520-CSC10-K9: Cisco ASA 5520 Anti-X Edition with CSC-SSM-10, 50-user antivirus/anti-spyware with one-year subscription, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5520-CSC20-K9: Cisco ASA 5520 Anti-X Edition with CSC-SSM-20, 500-user antivirus/anti-spyware with one-year subscription, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface

Cisco ASA 5500 Series VPN Edition bundles
• ASA5505-SSL10-K9: Cisco ASA 5505 SSL/IPsec VPN Edition with 10 IPsec VPN peers, 10 SSL VPN peers, 50 firewall users, 8-port Fast Ethernet switch
• ASA5505-SSL25-K9: Cisco ASA 5505 SSL/IPsec VPN Edition with 25 IPsec VPN peers, 25 SSL VPN peers, 50 firewall users, 8-port Fast Ethernet switch, Security Plus license
• ASA5510-SSL50-K9: Cisco ASA 5510 SSL/IPsec VPN Edition with 250 IPsec VPN peers and 50 SSL VPN peers, firewall services, 3 Fast Ethernet interfaces
• ASA5510-SSL100-K9: Cisco ASA 5510 SSL/IPsec VPN Edition with 250 IPsec VPN peers and 100 SSL VPN peers, firewall services, 3 Fast Ethernet interfaces
• ASA5510-SSL250-K9: Cisco ASA 5510 SSL/IPsec VPN Edition with 250 IPsec VPN peers and 250 SSL VPN peers, firewall services, 3 Fast Ethernet interfaces
• ASA5520-SSL500-K9: Cisco ASA 5520 SSL/IPsec VPN Edition with 750 IPsec VPN peers and 500 SSL VPN peers, firewall services, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5540-SSL1000-K9: Cisco ASA 5540 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 1,000 SSL VPN peers, firewall services, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5540-SSL2500-K9: Cisco ASA 5540 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 2,500 SSL VPN peers, firewall services, 4 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5550-SSL2500-K9: Cisco ASA 5550 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 2,500 SSL VPN peers, firewall services, 8 Gigabit Ethernet interfaces and 1 Fast Ethernet interface
• ASA5550-SSL5000-K9: Cisco ASA 5550 SSL/IPsec VPN Edition with 5,000 IPsec VPN peers and 5,000 SSL VPN peers, firewall services, 8 Gigabit Ethernet interfaces and 1 Fast Ethernet interface

Cisco ASA Security Services Modules
• ASA-SSM-AIP-10-K9=: Cisco ASA Advanced Inspection and Prevention Security Services Module 10
• ASA-SSM-AIP-20-K9=: Cisco ASA Advanced Inspection and Prevention Security Services Module 20
• ASA-SSM-CSC-10-K9=: Cisco ASA Content Security and Control Security Services Module 10 for 50 users, antivirus/anti-spyware, one-year subscription
• ASA-SSM-CSC-20-K9=: Cisco ASA Content Security and Control Security Services Module 20 for 500 users, antivirus/anti-spyware, one-year subscription
• SSM-4GE=: Cisco ASA 4-Port Gigabit Ethernet Security Services Module

Cisco ASA 5500 Series software
• ASA-SW-UPGRADE=: One-time Cisco ASA software upgrade for customers without a support contract

Cisco ASA 5500 Series accessories
• ASA5500-CF-256MB=: 256 MB Compact Flash for the Cisco ASA 5500 Series
• ASA5500-CF-512MB=: 512 MB Compact Flash for the Cisco ASA 5500 Series
• ASA-180W-PWR-AC=: 180 W AC power supply for the Cisco ASA
• GLC-SX-MM=: Gigabit Ethernet optical SFP, 1000BASE-SX short-wavelength transceiver
• GLC-LH-SM=: Gigabit Ethernet optical SFP, 1000BASE-LX/LH long-haul/long-wavelength transceiver
DOWNLOADING THE SOFTWARE

To download Cisco ASA software, visit the Cisco Software Center.

MAINTENANCE AND SUPPORT

Cisco offers a wide range of service programs to accelerate customer success. These innovative service programs are delivered through a unique combination of people, processes, tools and partners to increase customer satisfaction. Cisco Services help you protect your network investment, optimize network operations and prepare your network for new applications, extending network intelligence and the success of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services. For services specific to the intrusion prevention (IPS) capabilities delivered through the AIP-SSM, see Cisco Services for IPS.

FOR MORE INFORMATION

For more information, visit the following sites:
• Cisco ASA 5500 Series Adaptive Security Appliances: http://www.cisco.com/go/asa
• Cisco Adaptive Security Device Manager: http://www.cisco.com/go/asdm

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 526-4100
European Headquarters: Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel: 31 0 20 357 1000, Fax: 31 0 20 357 1100
US Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-7660, Fax: 408 527-0883
Asia Pacific Headquarters: Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912, www.cisco.com, Tel: +65 6317 7777, Fax: +65 6317 7799

Cisco has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Copyright © 2007 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
Cisco PIX 500 to Cisco ASA 5500 Series Migration Guide

AT A GLANCE

Bringing together a powerful combination of proven technologies on a single platform, the Cisco ASA 5500 Series Adaptive Security Appliance gives the enterprise the operational and economic means to deploy comprehensive security services to a larger number of sites. Migrate your Cisco PIX security appliances to the Cisco ASA 5500 Series now to benefit from converged, multifunction security and VPN services on a single platform.

Key business benefits

Flexible deployment options
Tailored product editions that match the specific needs of the enterprise exactly:
• Firewall Edition - firewall
• IPS Edition - intrusion prevention system
• Anti-X Edition - antivirus, anti-spyware and related protection
• SSL/IPsec VPN Edition - secure VPNs

Reduced operating costs
Unified device management and monitoring reduce installation and maintenance overhead. A single platform reduces complexity and simplifies day-to-day deployment and technical support operations.

Reduced capital costs
Convergence and enhanced Technology Migration Plan (TMP) trade-in credits for legacy hardware lower the total cost of migration now.
Leasing advantage
With Cisco Finance, take advantage of leasing promotions to cut your costs further and obtain your new solution now.

Key technology benefits and what is new in the ASA 5500 Series

Proven, threat-protected firewall and VPN technology
Built on the same proven technology behind the Cisco PIX security appliance and the Cisco VPN 3000 Series concentrators, the Cisco ASA 5500 Series is the first solution to offer SSL (Secure Sockets Layer) and IPsec (IP Security) VPN services protected by the industry's leading firewall technology. With SSL VPN, the ASA 5500 acts as a high-performance SSL gateway that gives mobile users secure remote access to the network through a standard web browser.

Advanced intrusion prevention services
Proactive intrusion prevention services provide the full set of capabilities needed to stop a wide range of threats: worms, application-layer and operating-system attacks, rootkits, spyware, instant messaging, peer-to-peer traffic and more. By combining several methods of detailed traffic analysis, the ASA 5500 IPS protects the network from security policy violations, exploitation of system vulnerabilities and anomalous traffic. The IPS works with other Cisco security management systems to keep the network's security posture continuously up to date and to respond fully to new attacks and vulnerabilities.
Industry-leading Anti-X services
The Cisco ASA 5500 Series offers comprehensive, state-of-the-art anti-X services (protection against viruses, spyware, spam and phishing, plus file blocking, URL blocking and filtering, and content filtering) by combining Trend Micro's expertise in endpoint protection with a proven Cisco network-security solution. These anti-X services, delivered in the CSC-SSM hardware expansion module, and the Trend Micro subscription renewals for the ASA Series are sold by Cisco through its authorized partners.

Seamless migration for users
Current users of Cisco PIX security appliances will have no difficulty adapting to the Cisco ASA 5500 Series. Cisco PIX configuration files can be carried over to ASA 5500 appliances. The Cisco Adaptive Security Device Manager (ASDM) graphical management software shipped with the ASA Series is powerful and easy to use: it speeds up the creation of security policies and reduces workload and human error through graphical wizards and debugging and monitoring tools. ASDM can manage both Cisco PIX and Cisco ASA 5500 appliances, easing the move to the latest generation of hardware and its new features.
Migration paths

The table maps each Cisco PIX security appliance model to the Cisco ASA 5500 part numbers available in each of the four editions (Firewall, IPS, Anti-X, VPN). The part numbers are described once below, followed by the migration paths by Cisco PIX model.

Cisco ASA 5500 part numbers referenced in the migration paths:
• ASA5505-K8: Cisco ASA 5505 Firewall Edition, 10 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, DES
• ASA5505-BUN-K9: Cisco ASA 5505 Firewall Edition, 10 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
• ASA5505-50-BUN-K9: Cisco ASA 5505 Firewall Edition, 50 users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
• ASA5505-UL-BUN-K9: Cisco ASA 5505 Firewall Edition, unlimited users, 8-port Fast Ethernet switch, 10 IPsec and 2 SSL VPN peers, 3DES/AES
• ASA5505-SEC-BUN-K9: Cisco ASA 5505 Firewall Edition, unlimited users, Security Plus, 8-port Fast Ethernet switch, 25 IPsec and 2 SSL VPN peers, DMZ, stateful Active/Standby high availability, 3DES/AES
• ASA5505-SSL10-K9: Cisco ASA 5505 SSL/IPsec VPN Edition, 10 IPsec and 10 SSL VPN peers, firewall services, 8-port Fast Ethernet switch
• ASA5505-SSL25-K9: Cisco ASA 5505 SSL/IPsec VPN Edition, 25 IPsec and 25 SSL VPN peers, firewall services, 8-port Fast Ethernet switch, Security Plus license
• ASA5510-K8: Cisco ASA 5510 Firewall Edition, 3 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, DES
• ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition, 3 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, 3DES/AES
• ASA5510-SEC-BUN-K9: Cisco ASA 5510 Firewall Edition Security Plus, 5 Fast Ethernet ports, 250 IPsec and 2 SSL VPN peers, Active/Standby high availability, 3DES/AES
• ASA5510-AIP10-K9: Cisco ASA 5510 IPS Edition, AIP-SSM-10, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
• ASA5510-CSC10-K9: Cisco ASA 5510 Anti-X Edition, CSC-SSM-10, 50-user antivirus/anti-spyware with one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
• ASA5510-CSC20-K9: Cisco ASA 5510 Anti-X Edition, CSC-SSM-20, 500-user antivirus/anti-spyware with one-year subscription, firewall services, 250 IPsec and 2 SSL VPN peers, 3 Fast Ethernet ports
• ASA5510-SSL50-K9: Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 50 SSL VPN peers, firewall services, 3 Fast Ethernet ports
• ASA5510-SSL100-K9: Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 100 SSL VPN peers, firewall services, 3 Fast Ethernet ports
• ASA5510-SSL250-K9: Cisco ASA 5510 SSL/IPsec VPN Edition, 250 IPsec and 250 SSL VPN peers, firewall services, 3 Fast Ethernet ports
• ASA5520-K8: Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports and 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, DES
• ASA5520-BUN-K9: Cisco ASA 5520 Firewall Edition, 4 Gigabit Ethernet ports and 1 Fast Ethernet interface, 750 IPsec and 2 SSL VPN peers, Active/Active and Active/Standby high availability, 3DES/AES
• ASA5520-AIP10-K9: Cisco ASA 5520 IPS Edition, AIP-SSM-10, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5520-AIP20-K9: Cisco ASA 5520 IPS Edition, AIP-SSM-20, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5520-CSC10-K9: Cisco ASA 5520 Anti-X Edition, CSC-SSM-10, 50-user antivirus/anti-spyware with one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5520-CSC20-K9: Cisco ASA 5520 Anti-X Edition, CSC-SSM-20, 500-user antivirus/anti-spyware with one-year subscription, firewall services, 750 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5520-SSL500-K9: Cisco ASA 5520 SSL/IPsec VPN Edition, 750 IPsec and 500 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5540-K8: Cisco ASA 5540 Firewall Edition, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface, 5,000 IPsec and 2 SSL VPN peers, DES
• ASA5540-BUN-K9: Cisco ASA 5540 Firewall Edition, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface, 5,000 IPsec and 2 SSL VPN peers, 3DES/AES
• ASA5540-AIP20-K9: Cisco ASA 5540 IPS Edition, AIP-SSM-20, firewall services, 5,000 IPsec and 2 SSL VPN peers, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5540-SSL1000-K9: Cisco ASA 5540 SSL/IPsec VPN Edition, 5,000 IPsec and 1,000 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5540-SSL2500-K9: Cisco ASA 5540 SSL/IPsec VPN Edition, 5,000 IPsec and 2,500 SSL VPN peers, firewall services, 4 Gigabit Ethernet ports, 1 Fast Ethernet interface
• ASA5550-K8: Cisco ASA 5550 Firewall Edition, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface, 4 Gigabit SFP ports, 5,000 IPsec and 2 SSL VPN peers, DES
• ASA5550-BUN-K9: Cisco ASA 5550 Firewall Edition, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface, 4 Gigabit SFP ports, 5,000 IPsec and 2 SSL VPN peers, 3DES/AES
• ASA5550-SSL2500-K9: Cisco ASA 5550 SSL/IPsec VPN Edition, 5,000 IPsec and 2,500 SSL VPN peers, firewall services, 8 Gigabit Ethernet ports, 1 Fast Ethernet interface

Migration paths by Cisco PIX security appliance model:

Cisco PIX 501, 10 users
• Firewall: ASA5505-K8, ASA5505-BUN-K9, ASA5505-50-BUN-K9
• VPN: ASA5505-SSL10-K9

Cisco PIX 501, 50 users
• Firewall: ASA5505-50-BUN-K9, ASA5505-UL-BUN-K9
• VPN: ASA5505-SSL10-K9

Cisco PIX 501, unlimited users
• Firewall: ASA5505-UL-BUN-K9, ASA5505-SEC-BUN-K9
• VPN: ASA5505-SSL10-K9

Cisco PIX 506E
• Firewall: ASA5505-SEC-BUN-K9, ASA5510-K8, ASA5510-BUN-K9
• IPS: ASA5510-AIP10-K9
• Anti-X: ASA5510-CSC10-K9, ASA5510-CSC20-K9
• VPN: ASA5505-SSL25-K9, ASA5510-SSL50-K9, ASA5510-SSL100-K9, ASA5510-SSL250-K9

Cisco PIX 515E R/DMZ
• Firewall: ASA5510-K8, ASA5510-BUN-K9, ASA5510-SEC-BUN-K9
• IPS: ASA5510-AIP10-K9
• Anti-X: ASA5510-CSC10-K9, ASA5510-CSC20-K9
• VPN: ASA5510-SSL50-K9, ASA5510-SSL100-K9, ASA5510-SSL250-K9

Cisco PIX 515E UR/FO/FO AA
• Firewall: ASA5510-SEC-BUN-K9
• IPS: ASA5510-AIP10-K9
• Anti-X: ASA5510-CSC10-K9, ASA5510-CSC20-K9
• VPN: ASA5510-SSL50-K9, ASA5510-SSL100-K9, ASA5510-SSL250-K9

Cisco PIX 520 (end of life, June 2006)
• Firewall: ASA5520-K8, ASA5520-BUN-K9
• IPS: ASA5520-AIP10-K9, ASA5520-AIP20-K9
• Anti-X: ASA5520-CSC10-K9, ASA5520-CSC20-K9
• VPN: ASA5520-SSL500-K9

Cisco PIX 525R
• Firewall: ASA5520-K8, ASA5520-BUN-K9
• IPS: ASA5520-AIP10-K9, ASA5520-AIP20-K9
• Anti-X: ASA5520-CSC10-K9, ASA5520-CSC20-K9
• VPN: ASA5520-SSL500-K9

Cisco PIX 525 UR/FO/FO AA
• Firewall: ASA5520-K8, ASA5520-BUN-K9
• IPS: ASA5520-AIP10-K9, ASA5520-AIP20-K9
• Anti-X: ASA5520-CSC10-K9, ASA5520-CSC20-K9
• VPN: ASA5520-SSL500-K9

Final row (the Cisco PIX model label for these entries is missing from the source; the row is cut off after ASA5550-SSL2500-K9)
• Firewall: ASA5540-K8, ASA5540-BUN-K9, ASA5550-K8, ASA5550-BUN-K9
• IPS: ASA5540-AIP20-K9
• VPN: ASA5540-SSL1000-K9, ASA5540-SSL2500-K9, ASA5550-SSL2500-K9
Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 homologues VPN IPsec et 2500 SSL, services de firewall, 8 ports Ethernet Gigabit, 1 interface Fast Ethernet Cisco PIX 535 Cisco PIX 535 ASA5550-SSL5000-K9 Cisco ASA 5550 SSL/IPsec VPN Edition, 5000 homologues VPN IPsec et 5000 SSL, services de firewall, 8 ports Ethernet Gigabit, 1 interface Fast Ethernet Caractéristiques techniques Caractéristiques techniques Cisco ASA 5505 Cisco ASA 5505 Cisco ASA 5510 Cisco ASA 5510 Cisco ASA 5520 Cisco ASA 5520 Cisco ASA 5540 Cisco ASA 5540 Cisco ASA 5550 Cisco ASA 5550 Utilisateurs et nœuds Utilisateurs et nœuds 10, 50 ou illimité Illimité Illimité Illimité Illimité Débit du firewall Débit du firewall Jusqu’à 150 Mbits/s Jusqu’à 300 Mbits/s Jusqu’à 450 Mbits/s Jusqu’à 650 Mbits/s Jusqu’à 1,2 Gbits/s Débit des services simultanés de limitation des risques (firewall et services IPS) Non disponible Jusqu’à 150 Mbits/s avec le module AIP SSM (Advanced Inspection and Prevention Security Services Module) 10 (référence AIP SSM 10) pour la gamme Cisco ASA 5500 – Jusqu’à 300 Mbits/s avec le module AIP SSM 20 (référence AIP SSM 20) pour la gamme Cisco ASA 5500 Jusqu’à 225 Mbits/s avec le module AIP SSM 10 – Jusqu’à 375 225 Mbits/s avec le module AIP SSM 20 Jusqu‘à 450 Mbits/s, avec le module AIP-SSM20 Non disponible Débit des VPN 3DES ou AES ou Jusqu’à 100 Mbits/s Jusqu’à 170 Mbits/s Jusqu’à 225 Mbits/s Jusqu’à 325 Mbits/s Jusqu’à 360 Mbits/s Homologues VPN IPSecec 10 ; 25* 250 750 5000 5000 Homologues VPN 2/25 2/250 2/750 2/2500 2/5000 Homologues VPN Manuel de migration de Cisco PIX 500 vers la gamme Cisco ASA 5500 PRESENTATION SYNOPTIQUE SSL * (inclus/maximum) (inclus/maximum) Sessions simultanées 10 000 ; 25 000* 50 000 ; 130 Sessions simultanées 000* 280 000 400 000 650 000 Nouvelles sessions par seconde par seconde 3 000 6 000 9 000 20 000 28 000 Port s réseaux Port s réseaux intégrés intégrés Commutateur Fast Ethernet 8 ports (dont 2 ports PoE) 5 ports Fast Ethernet 4 ports Ethernet 
Gigabit + 1 port Fast Ethernet 4 ports Ethernet Gigabit + 1 port Fast Ethernet 8 ports Ethernet Gigabit, fibre SFP et 1 port Fast Ethernet Interfaces virtuelles Interfaces virtuelles (VLAN) 3 (ligne réseau désactivée) / 20* (ligne réseau activée) 50/100 * 150 200 250 Contextes de sécurité (intégrés / maximum) (intégrés / maximum) 0/0 0/0 (Base) ; 2/5 (Security Plus) 2/20 2/50 2/50 Haute disponibilité Haute disponibilité Non supportée / Actif/Veille* à inspection d’état Non supportée / Actif/Actif et Actif/Veille* Actif/Actif et Actif/Veille Actif/Actif et Actif/Veille Actif/Actif et Actif/Veille Emplacement d'extension d'extension 1, SSC 1, SSM 1, SSM 1, SSM 0 * Exige une licence de mise à niveau. Copyright © 2007, Cisco Systems, Inc. Tous droits réservés. Cisco, Cisco IOS, Cisco Systems et le logo Cisco Systèmes sont des marques déposées de Cisco Systems, Inc. ou de ses filiales aux Etats-Unis et dans certains autres pays. C45 364598 01 01/07 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Cisco Security Appliance Command Line Configuration Guide For the Cisco ASA 5500 Series and Cisco PIX 500 Series Software Version 7.2 Customer Order Number: N/A, Online only Text Part Number: OL-10088-02THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. 
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Security Appliance Command Line Configuration Guide Copyright © 2008 Cisco Systems, Inc. 
All rights reserved.

Cisco Security Appliance Command Line Configuration Guide (OL-10088-02)

CONTENTS

About This Guide ... xxxv
  Document Objectives ... xxxv
  Audience ... xxxv
  Related Documentation ... xxxvi
  Document Organization ... xxxvi
  Document Conventions ... xxxix
  Obtaining Documentation and Submitting a Service Request ... xxxix

PART 1  Getting Started and General Information

CHAPTER 1  Introduction to the Security Appliance ... 1-1
  Firewall Functional Overview ... 1-1
  Security Policy Overview ... 1-2
  Permitting or Denying Traffic with Access Lists ... 1-2
  Applying NAT ... 1-2
  Using AAA for Through Traffic ... 1-2
  Applying HTTP, HTTPS, or FTP Filtering ... 1-3
  Applying Application Inspection ... 1-3
  Sending Traffic to the Advanced Inspection and Prevention Security Services Module ... 1-3
  Sending Traffic to the Content Security and Control Security Services Module ... 1-3
  Applying QoS Policies ... 1-3
  Applying Connection Limits and TCP Normalization ... 1-3
  Firewall Mode Overview ... 1-3
  Stateful Inspection Overview ... 1-4
  VPN Functional Overview ... 1-5
  Intrusion Prevention Services Functional Overview ... 1-5
  Security Context Overview ... 1-6

CHAPTER 2  Getting Started ... 2-1
  Getting Started with Your Platform Model ... 2-1
  Factory Default Configurations ... 2-1
  Restoring the Factory Default Configuration ... 2-2
  ASA 5505 Default Configuration ... 2-2
  ASA 5510 and Higher Default Configuration ... 2-3
  PIX 515/515E Default Configuration ... 2-4
  Accessing the Command-Line Interface ... 2-4
  Setting Transparent or Routed Firewall Mode ... 2-5
  Working with the Configuration ... 2-6
  Saving Configuration Changes ... 2-6
  Saving Configuration Changes in Single Context Mode ... 2-7
  Saving Configuration Changes in Multiple Context Mode ... 2-7
  Copying the Startup Configuration to the Running Configuration ... 2-8
  Viewing the Configuration ... 2-8
  Clearing and Removing Configuration Settings ... 2-9
  Creating Text Configuration Files Offline ... 2-9

CHAPTER 3  Enabling Multiple Context Mode ... 3-1
  Security Context Overview ... 3-1
  Common Uses for Security Contexts ... 3-1
  Unsupported Features ... 3-2
  Context Configuration Files ... 3-2
  Context Configurations ... 3-2
  System Configuration ... 3-2
  Admin Context Configuration ... 3-2
  How the Security Appliance Classifies Packets ... 3-3
  Valid Classifier Criteria ... 3-3
  Invalid Classifier Criteria ... 3-4
  Classification Examples ... 3-5
  Cascading Security Contexts ... 3-8
  Management Access to Security Contexts ... 3-9
  System Administrator Access ... 3-9
  Context Administrator Access ... 3-10
  Enabling or Disabling Multiple Context Mode ... 3-10
  Backing Up the Single Mode Configuration ... 3-10
  Enabling Multiple Context Mode ... 3-10
  Restoring Single Context Mode ... 3-11

CHAPTER 4  Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance ... 4-1
  Interface Overview ... 4-1
  Understanding ASA 5505 Ports and Interfaces ... 4-2
  Maximum Active VLAN Interfaces for Your License ... 4-2
  Default Interface Configuration ... 4-4
  VLAN MAC Addresses ... 4-4
  Power Over Ethernet ... 4-4
  Monitoring Traffic Using SPAN ... 4-4
  Security Level Overview ... 4-5
  Configuring VLAN Interfaces ... 4-5
  Configuring Switch Ports as Access Ports ... 4-9
  Configuring a Switch Port as a Trunk Port ... 4-11
  Allowing Communication Between VLAN Interfaces on the Same Security Level ... 4-13

CHAPTER 5  Configuring Ethernet Settings and Subinterfaces ... 5-1
  Configuring and Enabling RJ-45 Interfaces ... 5-1
  Configuring and Enabling Fiber Interfaces ... 5-3
  Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking ... 5-3

CHAPTER 6  Adding and Managing Security Contexts ... 6-1
  Configuring Resource Management ... 6-1
  Classes and Class Members Overview ... 6-1
  Resource Limits ... 6-2
  Default Class ... 6-3
  Class Members ... 6-4
  Configuring a Class ... 6-4
  Configuring a Security Context ... 6-7
  Automatically Assigning MAC Addresses to Context Interfaces ... 6-11
  Changing Between Contexts and the System Execution Space ... 6-11
  Managing Security Contexts ... 6-12
  Removing a Security Context ... 6-12
  Changing the Admin Context ... 6-13
  Changing the Security Context URL ... 6-13
  Reloading a Security Context ... 6-14
  Reloading by Clearing the Configuration ... 6-14
  Reloading by Removing and Re-adding the Context ... 6-15
  Monitoring Security Contexts ... 6-15
  Viewing Context Information ... 6-15
  Viewing Resource Allocation ... 6-16
  Viewing Resource Usage ... 6-19
  Monitoring SYN Attacks in Contexts ... 6-20

CHAPTER 7  Configuring Interface Parameters ... 7-1
  Security Level Overview ... 7-1
  Configuring the Interface ... 7-2
  Allowing Communication Between Interfaces on the Same Security Level ... 7-6

CHAPTER 8  Configuring Basic Settings ... 8-1
  Changing the Login Password ... 8-1
  Changing the Enable Password ... 8-1
  Setting the Hostname ... 8-2
  Setting the Domain Name ... 8-2
  Setting the Date and Time ... 8-2
  Setting the Time Zone and Daylight Saving Time Date Range ... 8-3
  Setting the Date and Time Using an NTP Server ... 8-4
  Setting the Date and Time Manually ... 8-5
  Setting the Management IP Address for a Transparent Firewall ... 8-5

CHAPTER 9  Configuring IP Routing ... 9-1
  How Routing Behaves Within the ASA Security Appliance ... 9-1
  Egress Interface Selection Process ... 9-1
  Next Hop Selection Process ... 9-2
  Configuring Static and Default Routes ... 9-2
  Configuring a Static Route ... 9-3
  Configuring a Default Route ... 9-4
  Configuring Static Route Tracking ... 9-5
  Defining Route Maps ... 9-7
  Configuring OSPF ... 9-8
  OSPF Overview ... 9-9
  Enabling OSPF ... 9-10
  Redistributing Routes Into OSPF ... 9-10
  Configuring OSPF Interface Parameters ... 9-11
  Configuring OSPF Area Parameters ... 9-13
  Configuring OSPF NSSA ... 9-14
  Configuring Route Summarization Between OSPF Areas ... 9-15
  Configuring Route Summarization When Redistributing Routes into OSPF ... 9-16
  Defining Static OSPF Neighbors ... 9-16
  Generating a Default Route ... 9-17
  Configuring Route Calculation Timers ... 9-17
  Logging Neighbors Going Up or Down ... 9-18
  Displaying OSPF Update Packet Pacing ... 9-19
  Monitoring OSPF ... 9-19
  Restarting the OSPF Process ... 9-20
  Configuring RIP ... 9-20
  Enabling and Configuring RIP ... 9-20
  Redistributing Routes into the RIP Routing Process ... 9-22
  Configuring RIP Send/Receive Version on an Interface ... 9-22
  Enabling RIP Authentication ... 9-23
  Monitoring RIP ... 9-23
  The Routing Table ... 9-24
  Displaying the Routing Table ... 9-24
  How the Routing Table is Populated ... 9-24
  Backup Routes ... 9-26
  How Forwarding Decisions are Made ... 9-26
  Dynamic Routing and Failover ... 9-26

CHAPTER 10  Configuring DHCP, DDNS, and WCCP Services ... 10-1
  Configuring a DHCP Server ... 10-1
  Enabling the DHCP Server ... 10-2
  Configuring DHCP Options ... 10-3
  Using Cisco IP Phones with a DHCP Server ... 10-4
  Configuring DHCP Relay Services ... 10-5
  Configuring Dynamic DNS ... 10-6
  Example 1: Client Updates Both A and PTR RRs for Static IP Addresses ... 10-7
  Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration ... 10-7
  Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs. ... 10-8
  Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR ... 10-8
  Example 5: Client Updates A RR; Server Updates PTR RR ... 10-9
  Configuring Web Cache Services Using WCCP ... 10-9
  WCCP Feature Support ... 10-9
  WCCP Interaction With Other Features ... 10-10
  Enabling WCCP Redirection ... 10-10

CHAPTER 11  Configuring Multicast Routing ... 11-13
  Multicast Routing Overview ... 11-13
  Enabling Multicast Routing ... 11-14
  Configuring IGMP Features ... 11-14
  Disabling IGMP on an Interface ... 11-15
  Configuring Group Membership ... 11-15
  Configuring a Statically Joined Group ... 11-15
  Controlling Access to Multicast Groups ... 11-15
  Limiting the Number of IGMP States on an Interface ... 11-16
  Modifying the Query Interval and Query Timeout ... 11-16
  Changing the Query Response Time ... 11-17
  Changing the IGMP Version ... 11-17
  Configuring Stub Multicast Routing ... 11-17
  Configuring a Static Multicast Route ... 11-17
  Configuring PIM Features ... 11-18
  Disabling PIM on an Interface ... 11-18
  Configuring a Static Rendezvous Point Address ... 11-19
  Configuring the Designated Router Priority ... 11-19
  Filtering PIM Register Messages ... 11-19
  Configuring PIM Message Intervals ... 11-20
  Configuring a Multicast Boundary ... 11-20
  Filtering PIM Neighbors ... 11-20
  Supporting Mixed Bidirectional/Sparse-Mode PIM Networks ... 11-21
  For More Information about Multicast Routing ... 11-22

CHAPTER 12  Configuring IPv6 ... 12-1
  IPv6-enabled Commands ... 12-1
  Configuring IPv6 ... 12-2
  Configuring IPv6 on an Interface ... 12-3
  Configuring a Dual IP Stack on an Interface ... 12-4
  Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses ... 12-4
  Configuring IPv6 Duplicate Address Detection ... 12-4
  Configuring IPv6 Default and Static Routes ... 12-5
  Configuring IPv6 Access Lists ... 12-6
  Configuring IPv6 Neighbor Discovery ... 12-7
  Configuring Neighbor Solicitation Messages ... 12-7
  Configuring Router Advertisement Messages ... 12-9
  Multicast Listener Discovery Support ... 12-11
  Configuring a Static IPv6 Neighbor ... 12-11
  Verifying the IPv6 Configuration ... 12-11
  The show ipv6 interface Command ... 12-12
  The show ipv6 route Command ... 12-12
  The show ipv6 mld traffic Command ... 12-13

CHAPTER 13  Configuring AAA Servers and the Local Database ... 13-1
  AAA Overview ... 13-1
  About Authentication ... 13-1
  About Authorization ... 13-2
  About Accounting ... 13-2
  AAA Server and Local Database Support ... 13-2
  Summary of Support ... 13-3
  RADIUS Server Support ... 13-3
  Authentication Methods ... 13-4
  Attribute Support ... 13-4
  RADIUS Authorization Functions ... 13-4
  TACACS+ Server Support ... 13-4
  SDI Server Support ... 13-4
  SDI Version Support ... 13-5
  Two-step Authentication Process ... 13-5
  SDI Primary and Replica Servers ... 13-5
  NT Server Support ... 13-5
  Kerberos Server Support ... 13-5
  LDAP Server Support ... 13-6
  Authentication with LDAP ... 13-6
  Authorization with LDAP for VPN ... 13-7
  LDAP Attribute Mapping ... 13-8
  SSO Support for WebVPN with HTTP Forms ... 13-9
  Local Database Support ... 13-9
  User Profiles ... 13-10
  Fallback Support ... 13-10
  Configuring the Local Database ... 13-10
  Identifying AAA Server Groups and Servers ... 13-12
  Using Certificates and User Login Credentials ... 13-15
  Using User Login Credentials ... 13-15
  Using certificates ... 13-16
  Supporting a Zone Labs Integrity Server ... 13-16
  Overview of Integrity Server and Security Appliance Interaction ... 13-17
  Configuring Integrity Server Support ... 13-17

CHAPTER 14  Configuring Failover ... 14-1
  Understanding Failover ... 14-1
  Failover System Requirements ... 14-2
  Hardware Requirements ... 14-2
  Software Requirements ... 14-2
  License Requirements ... 14-2
  The Failover and Stateful Failover Links ... 14-3
  Failover Link ... 14-3
  Stateful Failover Link ... 14-5
  Active/Active and Active/Standby Failover ... 14-6
  Active/Standby Failover ... 14-6
  Active/Active Failover ... 14-10
  Determining Which Type of Failover to Use ... 14-15
  Regular and Stateful Failover ... 14-15
  Regular Failover ... 14-16
  Stateful Failover ... 14-16
  Failover Health Monitoring ... 14-16
  Unit Health Monitoring ... 14-17
  Interface Monitoring ... 14-17
  Failover Feature/Platform Matrix ... 14-18
  Failover Times by Platform ... 14-18
  Configuring Failover ... 14-19
  Failover Configuration Limitations ... 14-19
  Configuring Active/Standby Failover ... 14-19
  Prerequisites ... 14-20
  Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) ... 14-20
  Configuring LAN-Based Active/Standby Failover ... 14-21
  Configuring Optional Active/Standby Failover Settings ... 14-25
  Configuring Active/Active Failover ... 14-27
  Prerequisites ... 14-27
  Configuring Cable-Based Active/Active Failover (PIX security appliance) ... 14-27
  Configuring LAN-Based Active/Active Failover ... 14-29
  Configuring Optional Active/Active Failover Settings ... 14-33
  Configuring Unit Health Monitoring ... 14-39
  Configuring Failover Communication Authentication/Encryption ... 14-39
  Verifying the Failover Configuration ... 14-40
  Using the show failover Command ... 14-40
  Viewing Monitored Interfaces ... 14-48
  Displaying the Failover Commands in the Running Configuration ... 14-48
  Testing the Failover Functionality ... 14-49
  Controlling and Monitoring Failover ... 14-49
  Forcing Failover ... 14-49
  Disabling Failover ... 14-50
  Restoring a Failed Unit or Failover Group ... 14-50
  Monitoring Failover ... 14-50
  Failover System Messages ... 14-51
  Debug Messages ... 14-51
  SNMP ... 14-51

PART 2  Configuring the Firewall

CHAPTER 15  Firewall Mode Overview ... 15-1
  Routed Mode Overview ... 15-1
  IP Routing Support ... 15-1
  Network Address Translation ... 15-2
  How Data Moves Through the Security Appliance in Routed Firewall Mode ... 15-3
  An Inside User Visits a Web Server ... 15-3
  An Outside User Visits a Web Server on the DMZ ... 15-4
  An Inside User Visits a Web Server on the DMZ ... 15-6
  An Outside User Attempts to Access an Inside Host ... 15-7
  A DMZ User Attempts to Access an Inside Host ... 15-8
  Transparent Mode Overview ... 15-8
  Transparent Firewall Network ... 15-9
  Allowing Layer 3 Traffic ... 15-9
  Allowed MAC Addresses ... 15-9
  Passing Traffic Not Allowed in Routed Mode ... 15-9
  MAC Address Lookups ... 15-10
  Using the Transparent Firewall in Your Network ... 15-10
  Transparent Firewall Guidelines ... 15-10
  Unsupported Features in Transparent Mode ... 15-11
  How Data Moves Through the Transparent Firewall ... 15-13
  An Inside User Visits a Web Server ... 15-14
  An Outside User Visits a Web Server on the Inside Network ... 15-15
  An Outside User Attempts to Access an Inside Host ... 15-16

CHAPTER 16  Identifying Traffic with Access Lists ... 16-1
  Access List Overview ... 16-1
  Access List Types ... 16-2
  Access Control Entry Order ... 16-2
  Access Control Implicit Deny ... 16-3
  IP Addresses Used for Access Lists When You Use NAT ... 16-3
  Adding an Extended Access List ... 16-5
  Extended Access List Overview ... 16-5
  Allowing Broadcast and Multicast Traffic through the Transparent Firewall ... 16-6
  Adding an Extended ACE ... 16-6
  Adding an EtherType Access List ... 16-8
  EtherType Access List Overview ... 16-8
  Supported EtherTypes ... 16-8
  Implicit Permit of IP and ARPs Only ... 16-9
  Implicit and Explicit Deny ACE at the End of an Access List ... 16-9
  IPv6 Unsupported ... 16-9
  Using Extended and EtherType Access Lists on the Same Interface ... 16-9
  Allowing MPLS ... 16-9
  Adding an EtherType ACE ... 16-10
  Adding a Standard Access List ... 16-11
  Adding a Webtype Access List ... 16-11
  Simplifying Access Lists with Object Grouping ... 16-11
  How Object Grouping Works ... 16-12
  Adding Object Groups ... 16-12
  Adding a Protocol Object Group ... 16-13
  Adding a Network Object Group ... 16-13
  Adding a Service Object Group ... 16-14
  Adding an ICMP Type Object Group ... 16-15
  Nesting Object Groups ... 16-15
  Using Object Groups with an Access List ... 16-16
  Displaying Object Groups ... 16-17
  Removing Object Groups ... 16-17
  Adding Remarks to Access Lists ... 16-18
  Scheduling Extended Access List Activation ... 16-18
  Adding a Time Range ... 16-18
  Applying the Time Range to an ACE ... 16-19
  Logging Access List Activity ... 16-20
  Access List Logging Overview ... 16-20
  Configuring Logging for an Access Control Entry ... 16-21
  Managing Deny Flows ... 16-22

CHAPTER 17  Applying NAT ... 17-1
  NAT Overview ... 17-1
  Introduction to NAT ... 17-2
  NAT Control ... 17-3
  NAT Types ... 17-5
  Dynamic NAT ... 17-5
  PAT ... 17-7
  Static NAT ... 17-7
  Static PAT ... 17-8
  Bypassing NAT When NAT Control is Enabled ... 17-9
  Policy NAT ... 17-9
  NAT and Same Security Level Interfaces ... 17-13
  Order of NAT Commands Used to Match Real Addresses ... 17-14
  Mapped Address Guidelines ... 17-14
  DNS and NAT ... 17-14
  Configuring NAT Control ... 17-16
  Using Dynamic NAT and PAT ... 17-17
  Dynamic NAT and PAT Implementation ... 17-17
  Configuring Dynamic NAT or PAT ... 17-23
  Using Static NAT ... 17-26
  Using Static PAT ... 17-27
  Bypassing NAT ... 17-29
  Configuring Identity NAT ... 17-30
  Configuring Static Identity NAT ... 17-30
  Configuring NAT Exemption ... 17-32
  NAT Examples ... 17-33
  Overlapping Networks ... 17-34
  Redirecting Ports ... 17-35

CHAPTER 18  Permitting or Denying Network Access ... 18-1
  Inbound and Outbound Access List Overview ... 18-1
  Applying an Access List to an Interface ... 18-2

CHAPTER 19  Applying AAA for Network Access ... 19-1
  AAA Performance ... 19-1
  Configuring Authentication for Network Access ... 19-1
  Authentication Overview ... 19-2
  One-Time Authentication ... 19-2
  Applications Required to Receive an Authentication Challenge ... 19-2
  Security Appliance Authentication Prompts ... 19-2
  Static PAT and HTTP ... 19-3
  Enabling Network Access Authentication ... 19-3
  Enabling Secure Authentication of Web Clients ... 19-5
  Authenticating Directly with the Security Appliance ... 19-6
  Enabling Direct Authentication Using HTTP and HTTPS ... 19-6
  Enabling Direct Authentication Using Telnet ... 19-6
  Configuring Authorization for Network Access ... 19-6
  Configuring TACACS+ Authorization ... 19-7
  Configuring RADIUS Authorization ... 19-8
  Configuring a RADIUS Server to Send Downloadable Access Control Lists ... 19-9
  Configuring a RADIUS Server to Download Per-User Access Control List Names ... 19-12
  Configuring Accounting for Network Access ... 19-13
  Using MAC Addresses to Exempt Traffic from Authentication and Authorization ... 19-14

CHAPTER 20  Applying Filtering Services ... 20-1
  Filtering Overview ... 20-1
  Filtering ActiveX Objects ... 20-2
  ActiveX Filtering Overview ... 20-2
  Enabling ActiveX Filtering ... 20-2
  Filtering Java Applets ... 20-3
  Filtering URLs and FTP Requests with an External Server ... 20-4
  URL Filtering Overview ... 20-4
  Identifying the Filtering Server ... 20-4
  Buffering the Content Server Response ... 20-6
  Caching Server Addresses ... 20-6
  Filtering HTTP URLs ... 20-7
  Configuring HTTP Filtering ... 20-7
  Enabling Filtering of Long HTTP URLs ... 20-7
  Truncating Long HTTP URLs ... 20-7
  Exempting Traffic from Filtering ... 20-8
  Filtering HTTPS URLs ... 20-8
  Filtering FTP Requests ... 20-9
  Viewing Filtering Statistics and Configuration ... 20-9
  Viewing Filtering Server Statistics ... 20-10
  Viewing Buffer Configuration and Statistics ... 20-11
  Viewing Caching Statistics ... 20-11
  Viewing Filtering Performance Statistics ... 20-11
  Viewing Filtering Configuration ... 20-12

CHAPTER 21  Using Modular Policy Framework ... 21-1
  Modular Policy Framework Overview ... 21-1
  Modular Policy Framework Features ... 21-1
  Modular Policy Framework Configuration Overview ... 21-2
  Default Global Policy ... 21-3
  Identifying Traffic (Layer 3/4 Class Map) ... 21-4
  Default Class Maps ... 21-4
  Creating a Layer 3/4 Class Map for Through Traffic ... 21-5
  Creating a Layer 3/4 Class Map for Management Traffic ... 21-7
  Configuring Special Actions for Application Inspections (Inspection Policy Map) ... 21-7
  Inspection Policy Map Overview ... 21-8
  Defining Actions in an Inspection Policy Map ... 21-8
  Identifying Traffic in an Inspection Class Map ... 21-11
  Creating a Regular Expression ... 21-12
  Creating a Regular Expression Class Map ... 21-14
  Defining Actions (Layer 3/4 Policy Map) ... 21-15
  Layer 3/4 Policy Map Overview ... 21-15
  Policy Map Guidelines ... 21-16
  Supported Feature Types ... 21-16
  Hierarchical Policy Maps ... 21-16
  Feature Directionality ... 21-17
  Feature Matching Guidelines within a Policy Map ... 21-17
  Feature Matching Guidelines for multiple Policy Maps ... 21-18
  Order in Which Multiple Feature Actions are Applied ... 21-18
  Default Layer 3/4 Policy Map ... 21-18
  Adding a Layer 3/4 Policy Map ... 21-19
  Applying Actions to an Interface (Service Policy) ... 21-21
  Modular Policy Framework Examples ... 21-21
  Applying Inspection and QoS Policing to HTTP Traffic ... 21-22
  Applying Inspection to HTTP Traffic Globally ... 21-22
  Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers ... 21-23
  Applying Inspection to HTTP Traffic with NAT ... 21-24

CHAPTER 22  Managing AIP SSM and CSC SSM ... 22-1
  Managing the AIP SSM ... 22-1
  About the AIP SSM ... 22-1
  Getting Started with the AIP SSM ... 22-2
  Diverting Traffic to the AIP SSM ... 22-2
  Sessioning to the AIP SSM and Running Setup ... 22-4
  Managing the CSC SSM ... 22-5
  About the CSC SSM ... 22-5
  Getting Started with the CSC SSM ... 22-7
  Determining What Traffic to Scan ... 22-9
  Limiting Connections Through the CSC SSM ... 22-11
  Diverting Traffic to the CSC SSM ... 22-11
  Checking SSM Status ... 22-13
  Transferring an Image onto an SSM ... 22-14

CHAPTER 23  Preventing Network Attacks ... 23-1
  Configuring TCP Normalization ... 23-1
  TCP Normalization Overview ... 23-1
  Enabling the TCP Normalizer ... 23-2
  Configuring Connection Limits and Timeouts ... 23-6
  Connection Limit Overview ... 23-7
  TCP Intercept Overview ... 23-7
  Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility ... 23-7
  Dead Connection Detection (DCD) Overview ... 23-7
  TCP Sequence Randomization Overview ... 23-8
  Enabling Connection Limits and Timeouts ... 23-8
  Preventing IP Spoofing ... 23-10
  Configuring the Fragment Size ... 23-11
  Blocking Unwanted Connections ... 23-11
  Configuring IP Audit for Basic IPS Support ... 23-12

CHAPTER 24  Configuring QoS ... 24-1
  QoS Overview ... 24-1
  Supported QoS Features ... 24-2
  What is a Token Bucket? ... 24-2
  Policing Overview ... 24-3
  Priority Queueing Overview ... 24-3
  Traffic Shaping Overview ... 24-4
  How QoS Features Interact ... 24-4
  DSCP and DiffServ Preservation ... 24-5
  Creating the Standard Priority Queue for an Interface ... 24-5
  Determining the Queue and TX Ring Limits ... 24-6
  Configuring the Priority Queue ... 24-7
  Identifying Traffic for QoS Using Class Maps ... 24-8
  Creating a QoS Class Map ... 24-8
  QoS Class Map Examples ... 24-8
  Creating a Policy for Standard Priority Queueing and/or Policing ... 24-9
  Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing ... 24-11
  Viewing QoS Statistics ... 24-13
  Viewing QoS Police Statistics ... 24-13
  Viewing QoS Standard Priority Statistics ... 24-14
  Viewing QoS Shaping Statistics ... 24-14
  Viewing QoS Standard Priority Queue Statistics ... 24-15

CHAPTER 25  Configuring Application Layer Protocol Inspection ... 25-1
  Inspection Engine Overview ... 25-2
  When to Use Application Protocol Inspection ... 25-2
  Inspection Limitations ... 25-2
  Default Inspection Policy ... 25-3
  Configuring Application Inspection ... 25-5
  CTIQBE Inspection ... 25-9
  CTIQBE Inspection Overview ... 25-9
  Limitations and Restrictions ... 25-10
  Verifying and Monitoring CTIQBE Inspection ... 25-10
  DCERPC Inspection ... 25-11
  DCERPC Overview ... 25-11
  Configuring a DCERPC Inspection Policy Map for Additional Inspection Control ... 25-12
  DNS Inspection ... 25-13
  How DNS Application Inspection Works ... 25-13
  How DNS Rewrite Works ... 25-14
  Configuring DNS Rewrite ... 25-15
  Using the Static Command for DNS Rewrite ... 25-15
  Using the Alias Command for DNS Rewrite ... 25-16
  Configuring DNS Rewrite with Two NAT Zones ... 25-16
  DNS Rewrite with Three NAT Zones ... 25-17
  Configuring DNS Rewrite with Three NAT Zones ... 25-19
  Verifying and Monitoring DNS Inspection ... 25-20
  Configuring a DNS Inspection Policy Map for Additional Inspection Control ... 25-20
  ESMTP Inspection ... 25-23
  Configuring an ESMTP Inspection Policy Map for Additional Inspection Control ... 25-24
  FTP Inspection ... 25-26
  FTP Inspection Overview ... 25-27
  Using the strict Option ... 25-27
  Configuring an FTP Inspection Policy Map for Additional Inspection Control ... 25-28
  Verifying and Monitoring FTP Inspection ... 25-31
  GTP Inspection ... 25-32
  GTP Inspection Overview ... 25-32
  Configuring a GTP Inspection Policy Map for Additional Inspection Control ... 25-33
  Verifying and Monitoring GTP Inspection ... 25-37
  H.323 Inspection ... 25-38
  H.323 Inspection Overview ... 25-38
  How H.323 Works ... 25-38
  Limitations and Restrictions ... 25-39
  Configuring an H.323 Inspection Policy Map for Additional Inspection Control ... 25-40
  Configuring H.323 and H.225 Timeout Values ... 25-42
  Verifying and Monitoring H.323 Inspection ... 25-43
  Monitoring H.225 Sessions ... 25-43
  Monitoring H.245 Sessions ... 25-43
  Monitoring H.323 RAS Sessions ... 25-44
  HTTP Inspection ... 25-44
  HTTP Inspection Overview ... 25-44
  Configuring an HTTP Inspection Policy Map for Additional Inspection Control ... 25-45
  Instant Messaging Inspection ... 25-49
  IM Inspection Overview ... 25-49
  Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control ... 25-49
  ICMP Inspection ... 25-52
  ICMP Error Inspection ... 25-52
  ILS Inspection ... 25-53
  IPSec Pass Through Inspection ... 25-54
  IPSec Pass Through Inspection Overview ... 25-54
  Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control ... 25-54
  MGCP Inspection ... 25-56
  MGCP Inspection Overview ... 25-56
  Configuring an MGCP Inspection Policy Map for Additional Inspection Control ... 25-58
  Configuring MGCP Timeout Values ... 25-59
  Verifying and Monitoring MGCP Inspection ... 25-59
  NetBIOS Inspection ... 25-60
  Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control ... 25-60
  PPTP Inspection ... 25-62
  RADIUS Accounting Inspection ... 25-62
  Configuring a RADIUS Inspection Policy Map for Additional Inspection Control ... 25-63
  RSH Inspection ... 25-63
  RTSP Inspection ... 25-63
  RTSP Inspection Overview ... 25-63
  Using RealPlayer ... 25-64
  Restrictions and Limitations ... 25-64
  SIP Inspection ... 25-65
  SIP Inspection Overview ... 25-65
  SIP Instant Messaging ... 25-65
  Configuring a SIP Inspection Policy Map for Additional Inspection Control ... 25-66
  Configuring SIP Timeout Values ... 25-70
  Verifying and Monitoring SIP Inspection ... 25-70
  Skinny (SCCP) Inspection ... 25-71
  SCCP Inspection Overview ... 25-71
  Supporting Cisco IP Phones ... 25-71
  Restrictions and Limitations ... 25-72
  Verifying and Monitoring SCCP Inspection ... 25-72
  Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control ... 25-73
  SMTP and Extended SMTP Inspection ... 25-74
  SNMP Inspection ... 25-76
  SQL*Net Inspection ... 25-76
  Sun RPC Inspection ... 25-77
  Sun RPC Inspection Overview ... 25-77
  Managing Sun RPC Services ... 25-77
  Verifying and Monitoring Sun RPC Inspection ... 25-78
  TFTP Inspection ... 25-79
  XDMCP Inspection ... 25-80

CHAPTER 26  Configuring ARP Inspection and Bridging Parameters ... 26-1
  Configuring ARP Inspection ... 26-1
  ARP Inspection Overview ... 26-1
  Adding a Static ARP Entry ... 26-2
  Enabling ARP Inspection ... 26-2
  Customizing the MAC Address Table ... 26-3
  MAC Address Table Overview ... 26-3
  Adding a Static MAC Address ... 26-3
  Setting the MAC Address Timeout ... 26-4
  Disabling MAC Address Learning ... 26-4
  Viewing the MAC Address Table ... 26-4

PART 3  Configuring VPN

CHAPTER 27  Configuring IPsec and ISAKMP ... 27-1
  Tunneling Overview ... 27-1
  IPsec Overview ... 27-2
  Configuring ISAKMP ... 27-2
  ISAKMP Overview ... 27-2
  Configuring ISAKMP Policies ... 27-5
  Enabling ISAKMP on the Outside Interface ... 27-6
  Disabling ISAKMP in Aggressive Mode ... 27-6
  Determining an ID Method for ISAKMP Peers ... 27-6
  Enabling IPsec over NAT-T ... 27-7
  Using NAT-T ... 27-7
  Enabling IPsec over TCP ... 27-8
  Waiting for Active Sessions to Terminate Before Rebooting ... 27-9
  Alerting Peers Before Disconnecting ... 27-9
  Configuring Certificate Group Matching ... 27-9
  Creating a Certificate Group Matching Rule and Policy ... 27-10
  Using the Tunnel-group-map default-group Command ... 27-11
  Configuring IPsec ... 27-11
  Understanding IPsec Tunnels ... 27-11
  Understanding Transform Sets ... 27-12
  Defining Crypto Maps ... 27-12
  Applying Crypto Maps to Interfaces ... 27-20
  Using Interface Access Lists ... 27-20
  Changing IPsec SA Lifetimes ... 27-22
  Creating a Basic IPsec Configuration ... 27-22
  Using Dynamic Crypto Maps ... 27-24
  Providing Site-to-Site Redundancy ... 27-26
  Viewing an IPsec Configuration ... 27-26
  Clearing Security Associations ... 27-27
  Clearing Crypto Map Configurations ... 27-27
  Supporting the Nokia VPN Client ... 27-28

CHAPTER 28  Configuring L2TP over IPSec ... 28-1
  L2TP Overview ... 28-1
  IPSec Transport and Tunnel Modes ... 28-2
  Configuring L2TP over IPSec Connections ... 28-2
  Tunnel Group Switching ... 28-5
  Viewing L2TP over IPSec Connection Information ... 28-5
  Using L2TP Debug Commands ... 28-7
  Enabling IPSec Debug ... 28-7
  Getting Additional Information ... 28-8

CHAPTER 29  Setting General IPSec VPN Parameters ... 29-1
  Configuring VPNs in Single, Routed Mode ... 29-1
  Configuring IPSec to Bypass ACLs ... 29-1
  Permitting Intra-Interface Traffic ... 29-2
  NAT Considerations for Intra-Interface Traffic ... 29-3
  Setting Maximum Active IPSec VPN Sessions ... 29-3
  Using Client Update to Ensure Acceptable Client Revision Levels ... 29-3
  Understanding Load Balancing ... 29-5
  Implementing Load Balancing ... 29-6
  Prerequisites ... 29-6
  Eligible Platforms ... 29-7
  Eligible Clients ... 29-7
  VPN Load-Balancing Cluster Configurations ... 29-7
  Some Typical Mixed Cluster Scenarios ... 29-8
  Scenario 1: Mixed Cluster with No WebVPN Connections ... 29-8
  Scenario 2: Mixed Cluster Handling WebVPN Connections ... 29-8
  Configuring Load Balancing ... 29-9
  Configuring the Public and Private Interfaces for Load Balancing ... 29-9
  Configuring the Load Balancing Cluster Attributes ... 29-10
  Configuring VPN Session Limits ... 29-11

CHAPTER 30  Configuring Tunnel Groups, Group Policies, and Users ... 30-1
  Overview of Tunnel Groups, Group Policies, and Users ... 30-1
  Tunnel Groups ... 30-2
  General Tunnel-Group Connection Parameters ... 30-2
  IPSec Tunnel-Group
Connection Parameters 30-3 WebVPN Tunnel-Group Connection Parameters 30-4 Configuring Tunnel Groups 30-5 Maximum Tunnel Groups 30-5 Default IPSec Remote Access Tunnel Group Configuration 30-5Contents xxii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring IPSec Tunnel-Group General Attributes 30-6 Configuring IPSec Remote-Access Tunnel Groups 30-6 Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6 Configuring IPSec Remote-Access Tunnel Group General Attributes 30-7 Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 30-10 Configuring IPSec Remote-Access Tunnel Group PPP Attributes 30-12 Configuring LAN-to-LAN Tunnel Groups 30-13 Default LAN-to-LAN Tunnel Group Configuration 30-13 Specifying a Name and Type for a LAN-to-LAN Tunnel Group 30-14 Configuring LAN-to-LAN Tunnel Group General Attributes 30-14 Configuring LAN-to-LAN IPSec Attributes 30-15 Configuring WebVPN Tunnel Groups 30-17 Specifying a Name and Type for a WebVPN Tunnel Group 30-17 Configuring WebVPN Tunnel-Group General Attributes 30-17 Configuring WebVPN Tunnel-Group WebVPN Attributes 30-20 Customizing Login Windows for WebVPN Users 30-23 Configuring Microsoft Active Directory Settings for Password Management 30-24 Using Active Directory to Force the User to Change Password at Next Logon 30-25 Using Active Directory to Specify Maximum Password Age 30-27 Using Active Directory to Override an Account Disabled AAA Indicator 30-28 Using Active Directory to Enforce Minimum Password Length 30-29 Using Active Directory to Enforce Password Complexity 30-30 Group Policies 30-31 Default Group Policy 30-32 Configuring Group Policies 30-34 Configuring an External Group Policy 30-34 Configuring an Internal Group Policy 30-35 Configuring Group Policy Attributes 30-35 Configuring WINS and DNS Servers 30-35 Configuring VPN-Specific Attributes 30-36 Configuring Security Attributes 30-39 Configuring the Banner Message 30-41 Configuring IPSec-UDP Attributes 
30-41 Configuring Split-Tunneling Attributes 30-42 Configuring Domain Attributes for Tunneling 30-43 Configuring Attributes for VPN Hardware Clients 30-45 Configuring Backup Server Attributes 30-48 Configuring Microsoft Internet Explorer Client Parameters 30-49 Configuring Network Admission Control Parameters 30-51 Configuring Address Pools 30-54Contents xxiii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring Firewall Policies 30-55 Configuring Client Access Rules 30-58 Configuring Group-Policy WebVPN Attributes 30-59 Configuring User Attributes 30-70 Viewing the Username Configuration 30-71 Configuring Attributes for Specific Users 30-71 Setting a User Password and Privilege Level 30-71 Configuring User Attributes 30-72 Configuring VPN User Attributes 30-72 Configuring WebVPN for Specific Users 30-76 C H A P T E R 31 Configuring IP Addresses for VPNs 31-1 Configuring an IP Address Assignment Method 31-1 Configuring Local IP Address Pools 31-2 Configuring AAA Addressing 31-2 Configuring DHCP Addressing 31-3 C H A P T E R 32 Configuring Remote Access IPSec VPNs 32-1 Summary of the Configuration 32-1 Configuring Interfaces 32-2 Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 32-3 Configuring an Address Pool 32-4 Adding a User 32-4 Creating a Transform Set 32-4 Defining a Tunnel Group 32-5 Creating a Dynamic Crypto Map 32-6 Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32-7 C H A P T E R 33 Configuring Network Admission Control 33-1 Uses, Requirements, and Limitations 33-1 Configuring Basic Settings 33-1 Specifying the Access Control Server Group 33-2 Enabling NAC 33-2 Configuring the Default ACL for NAC 33-3 Configuring Exemptions from NAC 33-4 Changing Advanced Settings 33-5 Changing Clientless Authentication Settings 33-5 Enabling and Disabling Clientless Authentication 33-5Contents xxiv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Changing the Login Credentials Used for 
Clientless Authentication 33-6 Configuring NAC Session Attributes 33-7 Setting the Query-for-Posture-Changes Timer 33-8 Setting the Revalidation Timer 33-9 C H A P T E R 34 Configuring Easy VPN Services on the ASA 5505 34-1 Specifying the Client/Server Role of the Cisco ASA 5505 34-1 Specifying the Primary and Secondary Servers 34-2 Specifying the Mode 34-3 NEM with Multiple Interfaces 34-3 Configuring Automatic Xauth Authentication 34-4 Configuring IPSec Over TCP 34-4 Comparing Tunneling Options 34-5 Specifying the Tunnel Group or Trustpoint 34-6 Specifying the Tunnel Group 34-6 Specifying the Trustpoint 34-7 Configuring Split Tunneling 34-7 Configuring Device Pass-Through 34-8 Configuring Remote Management 34-8 Guidelines for Configuring the Easy VPN Server 34-9 Group Policy and User Attributes Pushed to the Client 34-9 Authentication Options 34-11 C H A P T E R 35 Configuring the PPPoE Client 35-1 PPPoE Client Overview 35-1 Configuring the PPPoE Client Username and Password 35-2 Enabling PPPoE 35-3 Using PPPoE with a Fixed IP Address 35-3 Monitoring and Debugging the PPPoE Client 35-4 Clearing the Configuration 35-5 Using Related Commands 35-5 C H A P T E R 36 Configuring LAN-to-LAN IPsec VPNs 36-1 Summary of the Configuration 36-1 Configuring Interfaces 36-2 Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 36-2 Creating a Transform Set 36-4Contents xxv Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring an ACL 36-4 Defining a Tunnel Group 36-5 Creating a Crypto Map and Applying It To an Interface 36-6 Applying Crypto Maps to Interfaces 36-7 C H A P T E R 37 Configuring WebVPN 37-1 Getting Started with WebVPN 37-1 Observing WebVPN Security Precautions 37-2 Understanding Features Not Supported for WebVPN 37-2 Using SSL to Access the Central Site 37-3 Using HTTPS for WebVPN Sessions 37-3 Configuring WebVPN and ASDM on the Same Interface 37-3 Setting WebVPN HTTP/HTTPS Proxy 37-4 Configuring SSL/TLS Encryption 
Protocols 37-4 Authenticating with Digital Certificates 37-5 Enabling Cookies on Browsers for WebVPN 37-5 Managing Passwords 37-5 Using Single Sign-on with WebVPN 37-6 Configuring SSO with HTTP Basic or NTLM Authentication 37-6 Configuring SSO Authentication Using SiteMinder 37-7 Configuring SSO with the HTTP Form Protocol 37-9 Authenticating with Digital Certificates 37-15 Creating and Applying WebVPN Policies 37-15 Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 37-16 Assigning Lists to Group Policies and Users in Group-Policy or User Mode 37-16 Enabling Features for Group Policies and Users 37-16 Assigning Users to Group Policies 37-16 Using the Security Appliance Authentication Server 37-16 Using a RADIUS Server 37-16 Configuring WebVPN Tunnel Group Attributes 37-17 Configuring WebVPN Group Policy and User Attributes 37-17 Configuring Application Access 37-18 Downloading the Port-Forwarding Applet Automatically 37-18 Closing Application Access to Prevent hosts File Errors 37-18 Recovering from hosts File Errors When Using Application Access 37-18 Understanding the hosts File 37-19 Stopping Application Access Improperly 37-19 Reconfiguring a hosts File 37-20 Configuring File Access 37-22Contents xxvi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Configuring Access to Citrix MetaFrame Services 37-24 Using WebVPN with PDAs 37-25 Using E-Mail over WebVPN 37-26 Configuring E-mail Proxies 37-26 E-mail Proxy Certificate Authentication 37-27 Configuring MAPI 37-27 Configuring Web E-mail: MS Outlook Web Access 37-27 Optimizing WebVPN Performance 37-28 Configuring Caching 37-28 Configuring Content Transformation 37-28 Configuring a Certificate for Signing Rewritten Java Content 37-29 Disabling Content Rewrite 37-29 Using Proxy Bypass 37-29 Configuring Application Profile Customization Framework 37-30 APCF Syntax 37-30 APCF Example 37-32 WebVPN End User Setup 37-32 Defining the End User Interface 37-32 Viewing the 
WebVPN Home Page 37-33 Viewing the WebVPN Application Access Panel 37-33 Viewing the Floating Toolbar 37-34 Customizing WebVPN Pages 37-35 Using Cascading Style Sheet Parameters 37-35 Customizing the WebVPN Login Page 37-36 Customizing the WebVPN Logout Page 37-37 Customizing the WebVPN Home Page 37-38 Customizing the Application Access Window 37-40 Customizing the Prompt Dialogs 37-41 Applying Customizations to Tunnel Groups, Groups and Users 37-42 Requiring Usernames and Passwords 37-43 Communicating Security Tips 37-44 Configuring Remote Systems to Use WebVPN Features 37-44 Capturing WebVPN Data 37-50 Creating a Capture File 37-51 Using a Browser to Display Capture Data 37-51 C H A P T E R 38 Configuring SSL VPN Client 38-1 Installing SVC 38-1 Platform Requirements 38-1Contents xxvii Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Installing the SVC Software 38-2 Enabling SVC 38-3 Enabling Permanent SVC Installation 38-4 Enabling Rekey 38-5 Enabling and Adjusting Dead Peer Detection 38-5 Enabling Keepalive 38-6 Using SVC Compression 38-6 Viewing SVC Sessions 38-7 Logging Off SVC Sessions 38-8 Updating SVCs 38-8 C H A P T E R 39 Configuring Certificates 39-1 Public Key Cryptography 39-1 About Public Key Cryptography 39-1 Certificate Scalability 39-2 About Key Pairs 39-2 About Trustpoints 39-3 About Revocation Checking 39-3 About CRLs 39-3 About OCSP 39-4 Supported CA Servers 39-5 Certificate Configuration 39-5 Preparing for Certificates 39-5 Configuring Key Pairs 39-6 Generating Key Pairs 39-6 Removing Key Pairs 39-7 Configuring Trustpoints 39-7 Obtaining Certificates 39-9 Obtaining Certificates with SCEP 39-9 Obtaining Certificates Manually 39-11 Configuring CRLs for a Trustpoint 39-13 Exporting and Importing Trustpoints 39-14 Exporting a Trustpoint Configuration 39-15 Importing a Trustpoint Configuration 39-15 Configuring CA Certificate Map Rules 39-15 P A R T 4 System AdministrationContents xxviii Cisco Security Appliance Command Line 
Configuration Guide OL-10088-02 C H A P T E R 40 Managing System Access 40-1 Allowing Telnet Access 40-1 Allowing SSH Access 40-2 Configuring SSH Access 40-2 Using an SSH Client 40-3 Allowing HTTPS Access for ASDM 40-3 Configuring ASDM and WebVPN on the Same Interface 40-4 Configuring AAA for System Administrators 40-5 Configuring Authentication for CLI Access 40-5 Configuring Authentication To Access Privileged EXEC Mode 40-6 Configuring Authentication for the Enable Command 40-6 Authenticating Users Using the Login Command 40-6 Configuring Command Authorization 40-7 Command Authorization Overview 40-7 Configuring Local Command Authorization 40-8 Configuring TACACS+ Command Authorization 40-11 Configuring Command Accounting 40-14 Viewing the Current Logged-In User 40-14 Recovering from a Lockout 40-15 Configuring a Login Banner 40-16 C H A P T E R 41 Managing Software, Licenses, and Configurations 41-1 Managing Licenses 41-1 Obtaining an Activation Key 41-1 Entering a New Activation Key 41-2 Viewing Files in Flash Memory 41-2 Retrieving Files from Flash Memory 41-3 Downloading Software or Configuration Files to Flash Memory 41-3 Downloading a File to a Specific Location 41-4 Downloading a File to the Startup or Running Configuration 41-4 Configuring the Application Image and ASDM Image to Boot 41-5 Configuring the File to Boot as the Startup Configuration 41-6 Performing Zero Downtime Upgrades for Failover Pairs 41-6 Upgrading an Active/Standby Failover Configuration 41-7 Upgrading and Active/Active Failover Configuration 41-8 Backing Up Configuration Files 41-8 Backing up the Single Mode Configuration or Multiple Mode System Configuration 41-9 Backing Up a Context Configuration in Flash Memory 41-9Contents xxix Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Backing Up a Context Configuration within a Context 41-9 Copying the Configuration from the Terminal Display 41-10 Configuring Auto Update Support 41-10 Configuring Communication with an 
Auto Update Server 41-10 Configuring Client Updates as an Auto Update Server 41-12 Viewing Auto Update Status 41-13 C H A P T E R 42 Monitoring the Security Appliance 42-1 Using SNMP 42-1 SNMP Overview 42-1 Enabling SNMP 42-3 Configuring and Managing Logs 42-5 Logging Overview 42-5 Logging in Multiple Context Mode 42-5 Enabling and Disabling Logging 42-6 Enabling Logging to All Configured Output Destinations 42-6 Disabling Logging to All Configured Output Destinations 42-6 Viewing the Log Configuration 42-6 Configuring Log Output Destinations 42-7 Sending System Log Messages to a Syslog Server 42-7 Sending System Log Messages to the Console Port 42-8 Sending System Log Messages to an E-mail Address 42-9 Sending System Log Messages to ASDM 42-10 Sending System Log Messages to a Telnet or SSH Session 42-11 Sending System Log Messages to the Log Buffer 42-12 Filtering System Log Messages 42-14 Message Filtering Overview 42-15 Filtering System Log Messages by Class 42-15 Filtering System Log Messages with Custom Message Lists 42-17 Customizing the Log Configuration 42-18 Customizing the Log Configuration 42-18 Configuring the Logging Queue 42-19 Including the Date and Time in System Log Messages 42-19 Including the Device ID in System Log Messages 42-19 Generating System Log Messages in EMBLEM Format 42-20 Disabling a System Log Message 42-20 Changing the Severity Level of a System Log Message 42-21 Changing the Amount of Internal Flash Memory Available for Logs 42-22 Understanding System Log Messages 42-23Contents xxx Cisco Security Appliance Command Line Configuration Guide OL-10088-02 System Log Message Format 42-23 Severity Levels 42-23 C H A P T E R 43 Troubleshooting the Security Appliance 43-1 Testing Your Configuration 43-1 Enabling ICMP Debug Messages and System Messages 43-1 Pinging Security Appliance Interfaces 43-2 Pinging Through the Security Appliance 43-4 Disabling the Test Configuration 43-5 Traceroute 43-6 Packet Tracer 43-6 Reloading the Security 
Appliance 43-6 Performing Password Recovery 43-7 Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7 Password Recovery for the PIX 500 Series Security Appliance 43-8 Disabling Password Recovery 43-9 Resetting the Password on the SSM Hardware Module 43-10 Other Troubleshooting Tools 43-10 Viewing Debug Messages 43-11 Capturing Packets 43-11 Viewing the Crash Dump 43-11 Common Problems 43-11 P A R T 2 Reference Supported Platforms and Feature Licenses A-1 Security Services Module Support A-9 VPN Specifications A-10 Cisco VPN Client Support A-11 Cisco Secure Desktop Support A-11 Site-to-Site VPN Compatibility A-11 Cryptographic Standards A-12 Example 1: Multiple Mode Firewall With Outside Access B-1 Example 1: System Configuration B-2 Example 1: Admin Context Configuration B-4 Example 1: Customer A Context Configuration B-4 Example 1: Customer B Context Configuration B-4 Example 1: Customer C Context Configuration B-5 Example 2: Single Mode Firewall Using Same Security Level B-6Contents xxxi Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Example 3: Shared Resources for Multiple Contexts B-8 Example 3: System Configuration B-9 Example 3: Admin Context Configuration B-9 Example 3: Department 1 Context Configuration B-10 Example 3: Department 2 Context Configuration B-11 Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12 Example 4: System Configuration B-13 Example 4: Admin Context Configuration B-14 Example 4: Customer A Context Configuration B-15 Example 4: Customer B Context Configuration B-15 Example 4: Customer C Context Configuration B-16 Example 5: WebVPN Configuration B-16 Example 6: IPv6 Configuration B-18 Example 7: Cable-Based Active/Standby Failover (Routed Mode) B-20 Example 8: LAN-Based Active/Standby Failover (Routed Mode) B-21 Example 8: Primary Unit Configuration B-21 Example 8: Secondary Unit Configuration B-22 Example 9: LAN-Based Active/Active Failover (Routed Mode) B-22 
Example 9: Primary Unit Configuration B-23
Example 9: Primary System Configuration B-23
Example 9: Primary admin Context Configuration B-24
Example 9: Primary ctx1 Context Configuration B-25
Example 9: Secondary Unit Configuration B-25
Example 10: Cable-Based Active/Standby Failover (Transparent Mode) B-26
Example 11: LAN-Based Active/Standby Failover (Transparent Mode) B-27
Example 11: Primary Unit Configuration B-27
Example 11: Secondary Unit Configuration B-28
Example 12: LAN-Based Active/Active Failover (Transparent Mode) B-28
Example 12: Primary Unit Configuration B-29
Example 12: Primary System Configuration B-29
Example 12: Primary admin Context Configuration B-30
Example 12: Primary ctx1 Context Configuration B-31
Example 12: Secondary Unit Configuration B-31
Example 13: Dual ISP Support Using Static Route Tracking B-31
Example 14: ASA 5505 Base License B-33
Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-35
Example 15: Primary Unit Configuration B-35
Example 15: Secondary Unit Configuration B-37
Example 16: Network Traffic Diversion B-37
Inspecting All Traffic with the AIP SSM B-43
Inspecting Specific Traffic with the AIP SSM B-44
Verifying the Recording of Alert Events B-45
Troubleshooting the Configuration B-47

Firewall Mode and Security Context Mode C-1
Command Modes and Prompts C-2
Syntax Formatting C-3
Abbreviating Commands C-3
Command-Line Editing C-3
Command Completion C-4
Command Help C-4
Filtering show Command Output C-4
Command Output Paging C-5
Adding Comments C-6
Text Configuration Files C-6
How Commands Correspond with Lines in the Text File C-6
Command-Specific Configuration Mode Commands C-6
Automatic Text Entries C-7
Line Order C-7
Commands Not Included in the Text Configuration C-7
Passwords C-7
Multiple Security Context Files C-7

IPv4 Addresses and Subnet Masks D-1
Classes D-1
Private Networks D-2
Subnet Masks D-2
Determining the Subnet Mask D-3
Determining the Address to Use with the Subnet Mask D-3
IPv6 Addresses D-5
IPv6 Address Format D-5
IPv6 Address Types D-6
Unicast Addresses D-6
Multicast Address D-8
Anycast Address D-9
Required Addresses D-10
IPv6 Address Prefixes D-10
Protocols and Applications D-11
TCP and UDP Ports D-11
Local Ports and Protocols D-14
ICMP Types D-15

Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1
Understanding Policy Enforcement of Permissions and Attributes E-2
Configuring an External LDAP Server E-2
Reviewing the LDAP Directory Structure and Configuration Procedure E-3
Organizing the Security Appliance LDAP Schema E-3
Searching the Hierarchy E-4
Binding the Security Appliance to the LDAP Server E-5
Defining the Security Appliance LDAP Schema E-5
Cisco-AV-Pair Attribute Syntax E-14
Example Security Appliance Authorization Schema E-15
Loading the Schema in the LDAP Server E-18
Defining User Permissions E-18
Example User File E-18
Reviewing Examples of Active Directory Configurations E-19
Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19
Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-20
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22
Configuring an External RADIUS Server E-24
Reviewing the RADIUS Configuration Procedure E-24
Security Appliance RADIUS Authorization Attributes E-25
Security Appliance TACACS+ Attributes E-32

GLOSSARY

INDEX

About This Guide

This preface introduces the Cisco Security Appliance Command Line Configuration Guide, and includes the following sections:
• Document Objectives, page xxxv
• Audience, page xxxv
• Related Documentation, page xxxvi
• Document Organization, page xxxvi
• Document Conventions, page xxxix
• Obtaining Documentation and Submitting a Service Request, page xxxix

Document Objectives

The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.

You can also configure and monitor the security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm

This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550). Throughout this guide, the term “security appliance” applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not supported.
Audience

This guide is for network managers who perform any of the following tasks:
• Manage network security
• Install and configure firewalls/security appliances
• Configure VPNs
• Configure intrusion detection software

Related Documentation

For more information, refer to the following documentation:
• Cisco PIX Security Appliance Release Notes
• Cisco ASDM Release Notes
• Cisco PIX 515E Quick Start Guide
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
• Migrating to ASA for VPN 3000 Series Concentrator Administrators
• Cisco Security Appliance Command Reference
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
• Cisco ASA 5500 Series Release Notes
• Cisco Security Appliance Logging Configuration and System Log Messages
• Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators

Document Organization

This guide includes the chapters and appendixes described in Table 1.

Table 1 Document Organization (Chapter/Appendix: Definition)

Part 1: Getting Started and General Information
Chapter 1, “Introduction to the Security Appliance”: Provides a high-level overview of the security appliance.
Chapter 2, “Getting Started”: Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
Chapter 3, “Enabling Multiple Context Mode”: Describes how to use security contexts and enable multiple context mode.
Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance”: Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive security appliance.
Chapter 5, “Configuring Ethernet Settings and Subinterfaces”: Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 6, “Adding and Managing Security Contexts”: Describes how to configure multiple security contexts on the security appliance.
Chapter 7, “Configuring Interface Parameters”: Describes how to configure each interface and subinterface for a name, security level, and IP address.
Chapter 8, “Configuring Basic Settings”: Describes how to configure basic settings that are typically required for a functioning configuration.
Chapter 9, “Configuring IP Routing”: Describes how to configure IP routing.
Chapter 10, “Configuring DHCP, DDNS, and WCCP Services”: Describes how to configure the DHCP server and DHCP relay.
Chapter 11, “Configuring Multicast Routing”: Describes how to configure multicast routing.
Chapter 12, “Configuring IPv6”: Describes how to enable and configure IPv6.
Chapter 13, “Configuring AAA Servers and the Local Database”: Describes how to configure AAA servers and the local database.
Chapter 14, “Configuring Failover”: Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.

Part 2: Configuring the Firewall
Chapter 15, “Firewall Mode Overview”: Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode.
Chapter 16, “Identifying Traffic with Access Lists”: Describes how to identify traffic with access lists.
Chapter 17, “Applying NAT”: Describes how address translation is performed.
Chapter 18, “Permitting or Denying Network Access”: Describes how to control network access through the security appliance using access lists.
Chapter 19, “Applying AAA for Network Access”: Describes how to enable AAA for network access.
Chapter 20, “Applying Filtering Services”: Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.
Chapter 21, “Using Modular Policy Framework”: Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS.
Chapter 22, “Managing AIP SSM and CSC SSM”: Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC SSM, how to check the status of an SSM, and how to update the software image on an intelligent SSM.
Chapter 23, “Preventing Network Attacks”: Describes how to configure protection features to intercept and respond to network attacks.
Chapter 24, “Configuring QoS”: Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.
Chapter 25, “Configuring Application Layer Protocol Inspection”: Describes how to use and configure application inspection.
Chapter 26, “Configuring ARP Inspection and Bridging Parameters”: Describes how to enable ARP inspection and how to customize bridging operations.

Part 3: Configuring VPN
Chapter 27, “Configuring IPsec and ISAKMP”: Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN “tunnels,” or secure connections between remote users and a private corporate network.
Chapter 28, “Configuring L2TP over IPSec”: Describes how to configure IPSec over L2TP on the security appliance.
Chapter 29, “Setting General IPSec VPN Parameters”: Describes miscellaneous VPN configuration procedures.
Chapter 30, “Configuring Tunnel Groups, Group Policies, and Users”: Describes how to configure VPN tunnel groups, group policies, and users.
Chapter 31, “Configuring IP Addresses for VPNs”: Describes how to configure IP addresses in your private network addressing scheme, which let the client function as a tunnel endpoint.
Chapter 32, “Configuring Remote Access IPSec VPNs”: Describes how to configure a remote access VPN connection.
Chapter 33, “Configuring Network Admission Control”: Describes how to configure Network Admission Control (NAC).
Chapter 34, “Configuring Easy VPN Services on the ASA 5505”: Describes how to configure Easy VPN on the ASA 5505 adaptive security appliance.
Chapter 35, “Configuring the PPPoE Client”: Describes how to configure the PPPoE client provided with the security appliance.
Chapter 36, “Configuring LAN-to-LAN IPsec VPNs”: Describes how to build a LAN-to-LAN VPN connection.
Chapter 37, “Configuring WebVPN”: Describes how to establish a secure, remote-access VPN tunnel to a security appliance using a web browser.
Chapter 38, “Configuring SSL VPN Client”: Describes how to install and configure the SSL VPN Client.
Chapter 39, “Configuring Certificates”: Describes how to configure digital certificates, which contain information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.

Part 4: System Administration
Chapter 40, “Managing System Access”: Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS.
Chapter 41, “Managing Software, Licenses, and Configurations”: Describes how to enter license keys and download software and configuration files.
Chapter 42, “Monitoring the Security Appliance”: Describes how to monitor the security appliance.
Chapter 43, “Troubleshooting the Security Appliance”: Describes how to troubleshoot the security appliance.

Part 4: Reference
Appendix A, “Feature Licenses and Specifications”: Describes the feature licenses and specifications.
Appendix B, “Sample Configurations”: Describes a number of common ways to implement the security appliance.
Appendix C, “Using the Command-Line Interface”: Describes how to use the CLI to configure the security appliance.
Appendix D, “Addresses, Protocols, and Ports”: Provides a quick reference for IP addresses, protocols, and applications.
Appendix E, “Configuring an External Server for Authorization and Authentication”: Provides information about configuring LDAP and RADIUS authorization servers.
“Glossary”: Provides a handy reference for commonly used terms and acronyms.
“Index”: Provides an index for the guide.

Document Conventions

Command descriptions use these conventions:
• Braces ({ }) indicate a required choice.
• Square brackets ([ ]) indicate optional elements.
• Vertical bars ( | ) separate alternative, mutually exclusive elements.
• Boldface indicates commands and keywords that are entered literally as shown.
• Italics indicate arguments for which you supply values.

Examples use these conventions:
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

PART 1 Getting Started and General Information

CHAPTER 1 Introduction to the Security Appliance

The security appliance combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM or an integrated content security and control module called the CSC SSM. The security appliance includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and WebVPN support, and many more features.

See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.

Note The Cisco PIX 501 and PIX 506E security appliances are not supported.

This chapter includes the following sections:
• Firewall Functional Overview, page 1-1
• VPN Functional Overview, page 1-5
• Intrusion Prevention Services Functional Overview, page 1-5
• Security Context Overview, page 1-6

Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.
If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the security appliance lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.
This section includes the following topics:
• Security Policy Overview, page 1-2
• Firewall Mode Overview, page 1-3
• Stateful Inspection Overview, page 1-4

Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the security appliance allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy.
This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-2
• Applying NAT, page 1-2
• Using AAA for Through Traffic, page 1-2
• Applying HTTP, HTTPS, or FTP Filtering, page 1-3
• Applying Application Inspection, page 1-3
• Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
• Sending Traffic to the Content Security and Control Security Services Module, page 1-3
• Applying QoS Policies, page 1-3
• Applying Connection Limits and TCP Normalization, page 1-3

Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside. For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

Applying NAT
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.

Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.

Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet. We recommend that you use the security appliance in conjunction with a separate server running one of the following Internet filtering products:
• Websense Enterprise
• Secure Computing SmartFilter

Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection.

Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM for inspection.

Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you configure the adaptive security appliance to send to it.

Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.

Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network. In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The security appliance connects to the same network on its inside and outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list.

Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A packet filter also checks every packet against its rules, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection? If it is a new connection, the security appliance has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.” The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection? If the connection is already established, the security appliance does not need to re-check packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
For UDP or other connectionless protocols, the security appliance creates connection state information so that it can also use the fast path. Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering.
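The following Python model is an added illustration of the two paths described in this section and of the embryonic limit described under “Applying Connection Limits and TCP Normalization”; it is not code from the guide or from Cisco. A flow's first packet goes through a session management path (access-list check, session creation), later packets of the same flow take a fast path (session lookup and state update only), and half-open TCP sessions are counted per destination host so that a limit can be enforced. The access list, the limit value, the addresses, and the traffic in demo() are all constructed.

```python
"""Toy model of the session management path and the fast path.

Added example, not the appliance's own code. New flows are checked
against a constructed access list; established flows skip that check.
Half-open (embryonic) TCP sessions are counted per destination host so
a constructed embryonic limit can act as the TCP Intercept trigger.
"""
from dataclasses import dataclass, field

# Five-tuple key: (proto, src_ip, src_port, dst_ip, dst_port)
FlowKey = tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass
class Session:
    key: FlowKey
    established: bool = False  # handshake finished (always True for UDP)


@dataclass
class StatefulFirewall:
    # Constructed access list: (proto, dst_port) pairs permitted for new flows.
    permit: set = field(default_factory=set)
    embryonic_limit: int = 3  # constructed per-destination-host limit
    sessions: dict = field(default_factory=dict)

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def embryonic_count(self, dst_ip: str) -> int:
        """Number of half-open TCP sessions toward dst_ip (key[3] is dst_ip)."""
        return sum(1 for s in self.sessions.values()
                   if s.key[0] == "tcp" and not s.established and s.key[3] == dst_ip)

    def process(self, p: Packet) -> str:
        """Return which path handled the packet and the resulting verdict."""
        key, rkey = self._key(p), self._reverse(p)
        sess = self.sessions.get(key) or self.sessions.get(rkey)
        if sess is None:
            # Session management path: only a new flow gets an access-list check.
            if (p.proto, p.dst_port) not in self.permit:
                return "session-mgmt: denied by access list"
            if p.proto == "tcp" and "SYN" not in p.flags:
                # A non-SYN packet with no session can never complete a handshake.
                return "session-mgmt: denied, no session for non-SYN packet"
            if p.proto == "tcp" and self.embryonic_count(p.dst_ip) >= self.embryonic_limit:
                return "session-mgmt: embryonic limit reached, TCP Intercept"
            self.sessions[key] = Session(key, established=(p.proto != "tcp"))
            return "session-mgmt: session created"
        # Fast path: session lookup plus state bookkeeping, no access-list check.
        if (p.proto == "tcp" and not sess.established
                and "ACK" in p.flags and "SYN" not in p.flags):
            sess.established = True
            return "fast-path: handshake completed"
        return "fast-path: forwarded on existing session"


def demo() -> list:
    """Constructed traffic: one full handshake, one denied flow, then half-open SYNs."""
    fw = StatefulFirewall(permit={("tcp", 80)}, embryonic_limit=2)
    client, server = "10.0.0.1", "192.0.2.10"
    verdicts = [
        fw.process(Packet("tcp", client, 40000, server, 80, frozenset({"SYN"}))),
        fw.process(Packet("tcp", server, 80, client, 40000, frozenset({"SYN", "ACK"}))),
        fw.process(Packet("tcp", client, 40000, server, 80, frozenset({"ACK"}))),
        fw.process(Packet("tcp", client, 40001, server, 443, frozenset({"SYN"}))),
    ]
    # Half-open connections from another host: the third one trips the limit.
    for sport in (50000, 50001, 50002):
        verdicts.append(fw.process(Packet("tcp", "10.0.0.9", sport, server, 80, frozenset({"SYN"}))))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The reply SYN/ACK is matched through the reverse five-tuple, which is why it reaches the fast path without a second access-list check; the completed handshake moves the session out of the embryonic count, so only flows that never finish the handshake contribute to the limit.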
Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The security appliance performs the following functions:
• Establishes tunnels
• Negotiates tunnel parameters
• Authenticates users
• Assigns user addresses
• Encrypts and decrypts data
• Manages security keys
• Manages data transfer across the tunnel
• Manages data transfer inbound and outbound as a tunnel endpoint or router
The security appliance invokes various standard protocols to accomplish these functions.

Intrusion Prevention Services Functional Overview
The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. Other legitimate connections continue to operate independently without interruption. For more information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.

Security Context Overview
You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts.
Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.

CHAPTER 2
Getting Started
This chapter describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
This chapter includes the following sections:
• Getting Started with Your Platform Model, page 2-1
• Factory Default Configurations, page 2-1
• Accessing the Command-Line Interface, page 2-4
• Setting Transparent or Routed Firewall Mode, page 2-5
• Working with the Configuration, page 2-6

Getting Started with Your Platform Model
This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration. For these hardware-based differences, the platforms or models supported are noted directly in each section.
Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive security appliance does not support security contexts. This guide might not list each supported model when discussing a feature. To determine the features that are supported for your model before you start your configuration, see the “Supported Platforms and Feature Licenses” section on page A-1 for a detailed list of the features supported for each model.

Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.
For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately.
The factory default configuration is available only for routed firewall mode and single context mode. See Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode. See the “Setting Transparent or Routed Firewall Mode” section on page 2-5 for more information about routed and transparent firewall mode.
This section includes the following topics:
• Restoring the Factory Default Configuration, page 2-2
• ASA 5505 Default Configuration, page 2-2
• ASA 5510 and Higher Default Configuration, page 2-3
• PIX 515/515E Default Configuration, page 2-4

Restoring the Factory Default Configuration
To restore the factory default configuration, enter the following command:
hostname(config)# configure factory-default [ip_address [mask]]
If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 192.168.1.1. The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify.
After you restore the factory default configuration, save it to internal Flash memory using the write memory command. The write memory command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared.
Note This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot.
To configure additional settings that are useful for a full configuration, see the setup command.

ASA 5505 Default Configuration
The default factory configuration for the ASA 5505 adaptive security appliance configures the following:
• An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
• An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP.
• The default route is also derived from DHCP.
• All inside IP addresses are translated when accessing the outside using interface PAT.
• By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
• The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface Ethernet 0/0
 switchport access vlan 2
 no shutdown
interface Ethernet 0/1
 switchport access vlan 1
 no shutdown
interface Ethernet 0/2
 switchport access vlan 1
 no shutdown
interface Ethernet 0/3
 switchport access vlan 1
 no shutdown
interface Ethernet 0/4
 switchport access vlan 1
 no shutdown
interface Ethernet 0/5
 switchport access vlan 1
 no shutdown
interface Ethernet 0/6
 switchport access vlan 1
 no shutdown
interface Ethernet 0/7
 switchport access vlan 1
 no shutdown
interface vlan2
 nameif outside
 no shutdown
 ip address dhcp setroute
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100
 no shutdown
global (outside) 1 interface
nat (inside) 1 0 0
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

ASA 5510 and Higher Default Configuration
The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:
• The management interface, Management 0/0. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

PIX 515/515E Default Configuration
The default factory configuration for the PIX 515/515E security appliance configures the following:
• The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
• The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.
• The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
The configuration consists of the following commands:
interface ethernet 1
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

Accessing the Command-Line Interface
For initial configuration, access the command-line interface directly from the console port. Later, you can configure remote access using Telnet or SSH according to Chapter 40, “Managing System Access.” If your system is already in multiple context mode, then accessing the console port places you in the system execution space.
See Chapter 3, “Enabling Multiple Context Mode,” for more information about multiple context mode.
Note If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration; see the “Factory Default Configurations” section on page 2-1). On the ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface to which you connect with ASDM is Ethernet 1.
If you do not have a factory default configuration, follow the steps in this section to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command.
To access the command-line interface, perform the following steps:
Step 1 Connect a PC to the console port using the provided console cable, and connect to the console using a terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. See the hardware guide that came with your security appliance for more information about the console cable.
Step 2 Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode.
Step 3 To access privileged EXEC mode, enter the following command:
hostname> enable
The following prompt appears:
Password:
Step 4 Enter the enable password at the prompt. By default, the password is blank, and you can press the Enter key to continue. See the “Changing the Enable Password” section on page 8-1 to change the enable password.
The prompt changes to:
hostname#
To exit privileged mode, enter the disable, exit, or quit command.
Step 5 To access global configuration mode, enter the following command:
hostname# configure terminal
The prompt changes to the following:
hostname(config)#
To exit global configuration mode, enter the exit, quit, or end command.

Setting Transparent or Routed Firewall Mode
You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration. See the “Backing Up Configuration Files” section on page 41-8.
For multiple context mode, the system configuration is erased. This action removes any contexts from running. If you then re-add a context that has an existing configuration that was created for the wrong mode, the context configuration will not work correctly. Be sure to recreate your context configurations for the correct mode before you re-add them, or add new contexts with new paths for the new configurations.
If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.
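Because a misplaced mode command silently discards every line read before it, a pre-download check on the text file is worth having. The following Python checker is an added example, not a Cisco tool or code from the guide: it locates the mode command and lists the configuration lines that would be cleared. It assumes that lines beginning with “!” or “:” are comments rather than commands, and that “no firewall transparent” is treated like “firewall transparent” for placement purposes (the guide describes only the transparent case); the sample configurations are constructed.

```python
"""Pre-download placement check for the firewall mode command.

Added example, not from the guide or from Cisco. The guide states that
`firewall transparent` must be the first command of a downloaded text
configuration because the appliance clears everything it has already
read when it reaches that command. This checker reports where the mode
command sits and which earlier lines would be lost.
"""

# Assumption: both forms are treated as mode changes for placement purposes.
MODE_COMMANDS = ("firewall transparent", "no firewall transparent")


def _is_command(line: str) -> bool:
    """True for lines the appliance would parse as configuration.

    Assumption: lines starting with '!' or ':' are comments/banners.
    """
    s = line.strip()
    return bool(s) and not s.startswith("!") and not s.startswith(":")


def check_mode_command(config_text: str) -> dict:
    """Locate the mode command and the configuration lines preceding it.

    Returns {"mode": str|None, "line": int|None (1-based), "cleared": [...],
    "ok": bool}. "ok" is False when any command precedes the mode command.
    """
    preceding = []
    for idx, line in enumerate(config_text.splitlines(), start=1):
        if not _is_command(line):
            continue
        if line.strip() in MODE_COMMANDS:
            return {"mode": line.strip(), "line": idx,
                    "cleared": preceding, "ok": not preceding}
        preceding.append(line.rstrip())
    # No mode command: the file does not change the mode, nothing is cleared.
    return {"mode": None, "line": None, "cleared": [], "ok": True}


# Constructed sample: the mode command is buried after four commands.
SAMPLE_BAD = """\
: constructed sample, not a real device configuration
hostname asa-lab
interface GigabitEthernet0/0
 nameif outside
 security-level 0
firewall transparent
access-list OUT extended permit tcp any any eq 80
"""

# Constructed sample with the mode command first, as the guide requires.
SAMPLE_GOOD = """\
firewall transparent
hostname asa-lab
interface GigabitEthernet0/0
 nameif outside
"""


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        report = check_mode_command(text)
        print(name, "ok" if report["ok"] else
              f"mode command on line {report['line']} would clear {len(report['cleared'])} line(s)")
```

Run this against the text file before you download it; a non-empty "cleared" list means the hostname, interface, or access-list lines shown would never take effect on the appliance.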
See the “Downloading Software or Configuration Files to Flash Memory” section on page 41-3 for information about downloading text files.
• To set the mode to transparent, enter the following command in the system execution space:
hostname(config)# firewall transparent
This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.
• To set the mode to routed, enter the following command in the system execution space:
hostname(config)# no firewall transparent

Working with the Configuration
This section describes how to work with the configuration. The security appliance loads the configuration from a text file, called the startup configuration. This file resides by default as a hidden file in internal Flash memory. You can, however, specify a different path for the startup configuration. (For more information, see Chapter 41, “Managing Software, Licenses, and Configurations.”)
When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.
The information in this section applies to both single and multiple security contexts, except where noted.
Additional information about contexts is in Chapter 3, “Enabling Multiple Context Mode.”
This section includes the following topics:
• Saving Configuration Changes, page 2-6
• Copying the Startup Configuration to the Running Configuration, page 2-8
• Viewing the Configuration, page 2-8
• Clearing and Removing Configuration Settings, page 2-9
• Creating Text Configuration Files Offline, page 2-9

Saving Configuration Changes
This section describes how to save your configuration, and includes the following topics:
• Saving Configuration Changes in Single Context Mode, page 2-7
• Saving Configuration Changes in Multiple Context Mode, page 2-7

Saving Configuration Changes in Single Context Mode
To save the running configuration to the startup configuration, enter the following command:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.

Saving Configuration Changes in Multiple Context Mode
You can save each context (and system) configuration separately, or you can save all context configurations at the same time.
This section includes the following topics:
• Saving Each Context and System Separately, page 2-7
• Saving All Context Configurations at the Same Time, page 2-7

Saving Each Context and System Separately
To save the system or context configuration, enter the following command within the system or context:
hostname# write memory
Note The copy running-config startup-config command is equivalent to the write memory command.
For multiple context mode, context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the server.
Saving All Context Configurations at the Same Time

To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:
hostname# write memory all [/noconfirm]

If you do not enter the /noconfirm keyword, you see the following prompt:
Are you sure [Y/N]:

After you enter Y, the security appliance saves the system configuration and each context. Context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the server. After the security appliance saves each context, the following message appears:
Saving context 'b' ... ( 1/3 contexts saved )

Sometimes, a context is not saved because of an error. See the following information for errors:
• For contexts that are not saved because of low memory, the following message appears:
The context 'context a' could not be saved due to Unavailability of resources
• For contexts that are not saved because the remote destination is unreachable, the following message appears:
The context 'context a' could not be saved due to non-reachability of destination
• For contexts that are not saved because the context is locked, the following message appears:
Unable to save the configuration for the following contexts as these contexts are locked.
context 'a' , context 'x' , context 'z' .
A context is only locked if another user is already saving the configuration or is in the process of deleting the context.
• For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message is printed at the end of all other messages:
Unable to save the configuration for the following contexts as these contexts have read-only config-urls:
context 'a' , context 'b' , context 'c' .
• For contexts that are not saved because of bad sectors in the Flash memory, the following message appears:
The context 'context a' could not be saved due to Unknown errors

Copying the Startup Configuration to the Running Configuration

Copy a new startup configuration to the running configuration using one of these options:
• To merge the startup configuration with the running configuration, enter the following command:
hostname(config)# copy startup-config running-config
A merge adds any new commands from the new configuration to the running configuration; it does not remove commands that exist only in the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.
• To load the startup configuration and discard the running configuration, restart the security appliance by entering the following command:
hostname# reload
Alternatively, you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot:
hostname/contexta(config)# clear configure all
hostname/contexta(config)# copy startup-config running-config

Viewing the Configuration

The following commands let you view the running and startup configurations.
• To view the running configuration, enter the following command:
hostname# show running-config
• To view the running configuration of a specific command, enter the following command:
hostname# show running-config command
where command is the name of the configuration command whose settings you want to view.
• To view the startup configuration, enter the following command:
hostname# show startup-config

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand. For example, to clear the configuration for all aaa commands, enter the following command:
hostname(config)# clear configure aaa
To clear the configuration for only aaa authentication commands, enter the following command:
hostname(config)# clear configure aaa authentication
• To disable the specific parameters or options of a command, enter the following command:
hostname(config)# no configurationcommand [level2configurationcommand] qualifier
In this case, you use the no command to remove the specific configuration identified by qualifier. For example, to remove a specific nat command, enter enough of the command to identify it uniquely, as follows:
hostname(config)# no nat (inside) 1
• To erase the startup configuration, enter the following command:
hostname(config)# write erase
• To erase the running configuration, enter the following command:
hostname(config)# clear configure all

Note: In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running.
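A practitioner who scripts write memory all over SSH needs to know when a context was left unsaved, because the command does not fail as a whole when one context fails. The following Python parser is added here as an example and is not part of the Cisco guide or any Cisco tool. It reads the messages listed under “Saving All Context Configurations at the Same Time” above and reports which contexts were saved and which failed, with the reason. The sample output is constructed for the example; the context names, the six-context total, and the short reason labels are assumptions, and the exact spacing of the real device messages may differ from these regular expressions.

```python
import re
from typing import Dict, List

# Constructed sample of a "write memory all" run on a device with six contexts. The
# message formats are the ones the manual lists; the context names and counts are made up.
SAMPLE_OUTPUT = """\
Are you sure [Y/N]: Y
Saving context 'admin' ... ( 1/6 contexts saved )
Saving context 'b' ... ( 2/6 contexts saved )
The context 'context a' could not be saved due to Unavailability of resources
The context 'context c' could not be saved due to non-reachability of destination
The context 'context d' could not be saved due to Unknown errors
Unable to save the configuration for the following contexts as these contexts are locked.
context 'x' , context 'z' .
Unable to save the configuration for the following contexts as these contexts have read-only config-urls:
context 'e' , context 'f' .
"""

SAVED = re.compile(r"^Saving context '(?P<name>[^']+)' \.\.\. \( (?P<n>\d+)/(?P<total>\d+) contexts saved \)")
SINGLE_FAIL = re.compile(r"^The context 'context (?P<name>[^']+)' could not be saved due to (?P<reason>.+?)\s*$")
# Locked and read-only contexts are reported as a header line followed by a list line.
GROUP_HEADER = re.compile(r"^Unable to save the configuration for the following contexts as these contexts (?P<cause>.+?)[.:]\s*$")
CONTEXT_NAME = re.compile(r"context '([^']+)'")

# Short labels for the causes (the labels themselves are this example's choice).
REASON_MAP = {
    "Unavailability of resources": "low memory",
    "non-reachability of destination": "config-url server unreachable",
    "Unknown errors": "flash write error (possible bad sectors)",
    "are locked": "locked by another save or a delete in progress",
    "have read-only config-urls": "read-only config-url (for example HTTP/HTTPS)",
}


def parse_write_memory_all(output: str) -> Dict[str, object]:
    """Return {'saved': [names], 'failed': {name: reason}, 'expected': total reported}."""
    saved: List[str] = []
    failed: Dict[str, str] = {}
    expected = 0
    pending_cause = None   # set by a group header until the following list line is consumed
    for raw in output.splitlines():
        # The printed manual uses curly quotes; device output is assumed to use straight ones.
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")
        if pending_cause is not None:
            for name in CONTEXT_NAME.findall(line):
                failed[name] = REASON_MAP.get(pending_cause, pending_cause)
            pending_cause = None
            continue
        if m := SAVED.match(line):
            saved.append(m.group("name"))
            expected = int(m.group("total"))
        elif m := SINGLE_FAIL.match(line):
            failed[m.group("name")] = REASON_MAP.get(m.group("reason"), m.group("reason"))
        elif m := GROUP_HEADER.match(line):
            pending_cause = m.group("cause")
    return {"saved": saved, "failed": failed, "expected": expected}


def save_was_complete(result: Dict[str, object]) -> bool:
    """True only when no context failed and every context the device counted was saved."""
    return not result["failed"] and len(result["saved"]) == result["expected"]
```

The check that matters for automation is save_was_complete: a run that reports fewer saved contexts than the total it announced, or any failure line, should fail the job rather than be treated as a successful backup.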
Creating Text Configuration Files Offline

This guide describes how to use the CLI to configure the security appliance; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.

In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “hostname(config)#”:
hostname(config)# context a
In the text configuration file you are not prompted to enter commands, so the prompt is omitted, as follows:
context a
For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”

Chapter 3 Enabling Multiple Context Mode

This chapter describes how to use security contexts and enable multiple context mode. This chapter includes the following sections:
• Security Context Overview, page 3-1
• Enabling or Disabling Multiple Context Mode, page 3-10

Security Context Overview

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
This section provides an overview of security contexts, and includes the following topics:
• Common Uses for Security Contexts, page 3-1
• Unsupported Features, page 3-2
• Context Configuration Files, page 3-2
• How the Security Appliance Classifies Packets, page 3-3
• Cascading Security Contexts, page 3-8
• Management Access to Security Contexts, page 3-9

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have any network that requires more than one security appliance.

Unsupported Features

Multiple context mode does not support the following features:
• Dynamic routing protocols. Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode.
• VPN
• Multicast

Context Configuration Files

This section describes how the security appliance implements multiple context mode configurations and includes the following sections:
• Context Configurations, page 3-2
• System Configuration, page 3-2
• Admin Context Configuration, page 3-2

Context Configurations

The security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device.
You can store context configurations on the internal Flash memory or the external Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server.

System Configuration

The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging in to the admin context grants administrator privileges over all contexts, restrict management access to the admin context to the administrators who need it; in a service-provider deployment in particular, do not hand the admin context to a customer as their own context. The admin context must reside on Flash memory, and not remotely. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg.
This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the Security Appliance Classifies Packets

Each packet that enters the security appliance must be classified, so that the security appliance can determine to which context to send the packet. This section includes the following topics:
• Valid Classifier Criteria, page 3-3
• Invalid Classifier Criteria, page 3-4
• Classification Examples, page 3-5

Note: If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.

Valid Classifier Criteria

This section describes the criteria used by the classifier, and includes the following topics:
• Unique Interfaces, page 3-3
• Unique MAC Addresses, page 3-3
• NAT Configuration, page 3-3

Unique Interfaces

If only one context is associated with the ingress interface, the security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses.
You can set the MAC addresses manually when you configure each interface (see the “Configuring the Interface” section on page 7-2), or you can automatically generate MAC addresses (see the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11).

NAT Configuration

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control.

For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0, and 10.30.10.0 when the context administrators configure static commands in each context:
• Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
• Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
• Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0

Note: For management traffic destined for an interface, the interface IP address is used for classification.
Invalid Classifier Criteria

The following configurations are not used for packet classification:
• NAT exemption—The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface.
• Routing table—If a context includes a static route that points to an external router as the next hop to a subnet, and a different context includes a static command for the same subnet, then the classifier uses the static command to classify packets destined for that subnet and ignores the static route.

Classification Examples

Figure 3-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.

Figure 3-1 Packet Classification with a Shared Interface using MAC Addresses
[Figure: the Admin Context, Context A, and Context B share outside interface GE 0/0.1 toward the Internet, each with its own MAC address (000C.F142.4CDA, 000C.F142.4CDB, 000C.F142.4CDC); their inside interfaces GE 0/1.1, GE 0/1.2, and GE 0/1.3 lead to the admin network, Customer A, and Customer B (hosts 209.165.202.129, 209.165.200.225, and 209.165.201.1). The packet for 209.165.201.1 is sent to MAC 000C.F142.4CDC, which belongs to Context B.]

Figure 3-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.

Figure 3-2 Packet Classification with a Shared Interface using NAT

Note that all new incoming traffic must be classified, even from inside networks. Figure 3-3 shows a host on the Context B inside network accessing the Internet.
The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.

Note: If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major restrictions. The classifier relies on the address translation configuration to classify the packet within a context, and you must translate the destination addresses of the traffic. Because you do not usually perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not always possible; the outside network is large (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.

[Figure 3-2 detail: each context has a host 10.1.1.13 on its inside interface (GE 0/1.1, GE 0/1.2, GE 0/1.3); on the shared interface GE 0/0.1, a packet for 209.165.201.3 matches the destination address translation in Context B (209.165.201.3 to 10.1.1.13).]

Figure 3-3 Incoming Traffic from Inside Networks
[Figure: the admin network, Customer A, and Customer B each have a host 10.1.1.13 behind GE 0/1.1, GE 0/1.2, and GE 0/1.3; the contexts share GE 0/0.1 toward the Internet, and the classifier selects the context by ingress interface.]

For transparent firewalls, you must use unique interfaces. Figure 3-4 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
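To make the classification rules concrete, here is a small Python model of the classifier, added as an example; it is not code from Cisco or from this guide. It applies the criteria in the order the section describes: a broadcast or multicast destination MAC is copied to every context on the interface; a unique ingress interface decides by itself; on a shared interface, a unique MAC wins; otherwise only the destination IP is consulted, first against an interface address (management traffic) and then against the static or global entries whose mapped interface is the ingress interface. Static routes and NAT exemption are never consulted, which is why the shared-inside-interface case in the note above fails unless the destination is translated. The topology, subnets, and MAC-to-context mapping are constructed to resemble Figures 3-1 through 3-3 and are assumptions; what the real appliance does with a unicast MAC that no context owns is not stated on the page, so the model simply drops it.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network


@dataclass
class Context:
    name: str
    interfaces: List[str]                                    # interfaces allocated to the context
    macs: Dict[str, str] = field(default_factory=dict)       # interface -> unique MAC, if one is assigned
    nat_subnets: Dict[str, List[IPv4Net]] = field(default_factory=dict)  # mapped interface -> static/global subnets
    iface_ips: Dict[str, str] = field(default_factory=dict)  # interface -> the interface's own IP address


def is_multicast_or_broadcast(mac: str) -> bool:
    # Cisco xxxx.xxxx.xxxx notation; the I/G bit is the low bit of the first octet.
    return bool(int(mac.replace(".", "")[:2], 16) & 0x01)


def classify(contexts: List[Context], ingress: str, dst_mac: str, dst_ip: str) -> List[str]:
    """Names of the context(s) that receive the packet; an empty list means unclassifiable."""
    candidates = [c for c in contexts if ingress in c.interfaces]
    if not candidates:
        return []
    # Broadcast/multicast destination: the packet is duplicated to every context on the interface.
    if is_multicast_or_broadcast(dst_mac):
        return [c.name for c in candidates]
    # 1. Unique interface: only one context owns it (always the case in transparent mode).
    if len(candidates) == 1:
        return [candidates[0].name]
    # 2. Unique MAC addresses on the shared interface.
    for c in candidates:
        if c.macs.get(ingress, "").lower() == dst_mac.lower():
            return [c.name]
    if any(ingress in c.macs for c in candidates):
        # Unique MACs are configured but none matches. The manual does not say what the
        # appliance does here; this model assumes the packet is dropped.
        return []
    # 3. Destination IP only: the interface's own address (management traffic), then the
    #    static/global entries whose mapped interface is the ingress interface.
    #    Static routes and NAT exemption are never consulted.
    ip = ipaddress.ip_address(dst_ip)
    for c in candidates:
        if c.iface_ips.get(ingress) == dst_ip:
            return [c.name]
    for c in candidates:
        if any(ip in net for net in c.nat_subnets.get(ingress, [])):
            return [c.name]
    return []


def nets(*cidrs: str) -> List[IPv4Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


def build_example(unique_macs: bool) -> List[Context]:
    """Constructed topology in the spirit of Figures 3-1 to 3-3: three contexts share GE0/0.1.
    The subnets and the MAC-to-context mapping are assumptions made for this example."""
    shared = "GE0/0.1"
    admin = Context("admin", [shared, "GE0/1.1"], nat_subnets={shared: nets("209.165.202.128/27")})
    a = Context("A", [shared, "GE0/1.2"], nat_subnets={shared: nets("209.165.200.224/27")})
    b = Context("B", [shared, "GE0/1.3"], nat_subnets={shared: nets("209.165.201.0/27")})
    if unique_macs:
        admin.macs[shared] = "000c.f142.4cda"
        a.macs[shared] = "000c.f142.4cdb"
        b.macs[shared] = "000c.f142.4cdc"
    return [admin, a, b]
```

Running classify(build_example(False), "GE0/1.3", ...) for a host behind Context B returns B by ingress interface alone, while the same packet arriving on a shared inside interface with no unique MACs and no translation for its Internet destination returns nothing; that is the failure the note above warns about.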
Figure 3-4 Transparent Firewall Contexts
[Figure: each context has a dedicated inside interface (GE 1/0.1, GE 1/0.2, GE 1/0.3) for the admin network, Customer A, and Customer B, and a dedicated outside interface (GE 0/0.1, GE 0/0.2, GE 0/0.3) toward the Internet; the inside hosts are 10.1.1.13, 10.1.2.13, and 10.1.3.13. No interface is shared.]

Cascading Security Contexts

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context.

Note: Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.

Figure 3-5 shows a gateway context with two contexts behind the gateway.

Figure 3-5 Cascading Contexts
[Figure: the Gateway Context's outside interface GE 0/0.2 faces the Internet; its inside interface GE 0/0.1 is the shared interface that serves as the outside interface of both the Admin Context and Context A, whose inside interfaces are GE 1/1.43 and GE 1/1.8.]

Management Access to Security Contexts

The security appliance provides system administrator access in multiple context mode as well as access for individual context administrators. The following sections describe logging in as a system administrator or as a context administrator:
• System Administrator Access, page 3-9
• Context Administrator Access, page 3-10

System Administrator Access

You can access the security appliance as a system administrator in two ways:
• Access the security appliance console. From the console, you access the system execution space.
• Access the admin context using Telnet, SSH, or ASDM. See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and ASDM access.

As the system administrator, you can access all contexts. When you change to a context from admin or the system, your username changes to the default “enable_15” username. If you configured command authorization in that context, you need to either configure authorization privileges for the “enable_15” user, or log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command.

For example, you log in to the admin context with the username “admin.” The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user “admin” with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as “admin” by entering the login command. When you change to context B, you must again enter the login command to log in as “admin.”

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access

You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context. See Chapter 40, “Managing System Access,” to enable Telnet, SSH, and ASDM access and to configure management authentication.

Enabling or Disabling Multiple Context Mode

Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco.
If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI. This section includes the following topics:
• Backing Up the Single Mode Configuration, page 3-10
• Enabling Multiple Context Mode, page 3-10
• Restoring Single Context Mode, page 3-11

Backing Up the Single Mode Configuration

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding.

Enabling Multiple Context Mode

The context mode (single or multiple) is not stored in the configuration file, even though it does persist across reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name “admin.”

To enable multiple mode, enter the following command:
hostname(config)# mode multiple
You are prompted to reboot the security appliance.
Restoring Single Context Mode

If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device. Because the system configuration does not have any network interfaces as part of its configuration, you must access the security appliance from the console to perform the copy.

To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps in the system execution space:

Step 1 To copy the backup version of your original running configuration to the current startup configuration, enter the following command in the system execution space:
hostname(config)# copy flash:old_running.cfg startup-config

Step 2 To set the mode to single mode, enter the following command in the system execution space:
hostname(config)# mode single
The security appliance reboots.

Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
Note: To configure interfaces of other models, see Chapter 5, “Configuring Ethernet Settings and Subinterfaces,” and Chapter 7, “Configuring Interface Parameters.”

This chapter includes the following sections:
• Interface Overview, page 4-1
• Configuring VLAN Interfaces, page 4-5
• Configuring Switch Ports as Access Ports, page 4-9
• Configuring a Switch Port as a Trunk Port, page 4-11
• Allowing Communication Between VLAN Interfaces on the Same Security Level, page 4-13

Interface Overview

This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes the following topics:
• Understanding ASA 5505 Ports and Interfaces, page 4-2
• Maximum Active VLAN Interfaces for Your License, page 4-2
• Default Interface Configuration, page 4-4
• VLAN MAC Addresses, page 4-4
• Power Over Ethernet, page 4-4
• Security Level Overview, page 4-5

Understanding ASA 5505 Ports and Interfaces

The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:
• Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. See the “Power Over Ethernet” section on page 4-4 for more information. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem, or you can connect to another switch.
• Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services.
In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN Interfaces for Your License” section for more information about the maximum VLAN interfaces.

VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business, and Internet VLANs. To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.

Note: Subinterfaces are not available for the ASA 5505 adaptive security appliance.

Maximum Active VLAN Interfaces for Your License

In transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured.

With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 4-1 for an example network where the Home VLAN can communicate with the Internet, but cannot initiate contact with Business.

Figure 4-1 ASA 5505 Adaptive Security Appliance with Base License

With the Security Plus license, you can configure 20 VLAN interfaces. You can configure trunk ports to accommodate multiple VLANs per port.
Note: The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover.

See Figure 4-2 for an example network.

Figure 4-2 ASA 5505 Adaptive Security Appliance with Security Plus License
[Figure 4-1: an ASA 5505 with the Base license connecting Business, Home, and Internet VLANs. Figure 4-2: an ASA 5505 with the Security Plus license connecting Inside, DMZ, Primary ISP, and Backup ISP VLANs, with a failover link to a second ASA 5505.]

Default Interface Configuration

If your adaptive security appliance includes the default factory configuration, your interfaces are configured as follows:
• The outside interface (security level 0) is VLAN 2. Ethernet 0/0 is assigned to VLAN 2 and is enabled. The VLAN 2 IP address is obtained from the DHCP server.
• The inside interface (security level 100) is VLAN 1. Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and are enabled. VLAN 1 has IP address 192.168.1.1.

Restore the default factory configuration using the configure factory-default command. Use the procedures in this chapter to modify the default configuration, for example, to add VLAN interfaces. If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other parameters are configured.

VLAN MAC Addresses

In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches can support this scenario. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated MAC addresses if desired by manually assigning MAC addresses.

Power Over Ethernet

Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points.
If you install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not supply power to the switch ports. If you shut down the switch port using the shutdown command, you disable power to the device. Power is restored when you enter no shutdown. See the “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command.

Monitoring Traffic Using SPAN

If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring. The port for which you enable SPAN (called the destination port) receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port. Because the destination port receives a copy of everything on the monitored ports, treat it as a sensitive capture point and remove the monitor configuration when it is no longer needed. See the switchport monitor command in the Cisco Security Appliance Command Reference for more information.

Security Level Overview

Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100. The outside network connected to the Internet can be level 0. Other networks, such as a home network, can be in between. You can assign interfaces to the same security level. The level controls the following behavior:
• Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound).
Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
• If you enable communication for same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower. See the “Allowing Communication Between VLAN Interfaces on the Same Security Level” section on page 4-13 for more information.
• Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine—Applied only for outbound connections.
  – SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the adaptive security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.

Configuring VLAN Interfaces
For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address.
You should also change the security level from the default, which is 0. If you name an interface “inside” and you do not set the security level explicitly, then the adaptive security appliance sets the security level to 100.
For information about how many VLANs you can configure, see the “Maximum Active VLAN Interfaces for Your License” section on page 4-2.

Note
If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,” to configure the failover link.

If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

To configure a VLAN interface, perform the following steps:

Step 1 To specify the VLAN ID, enter the following command:
  hostname(config)# interface vlan number
Where the number is between 1 and 4090. For example, enter the following command:
  hostname(config)# interface vlan 100
To remove this VLAN interface and all associated configuration, enter the no interface vlan command. Because this interface also includes the interface name configuration, and the name is used in other commands, those commands are also removed.

Step 2 (Optional) For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:
  hostname(config-if)# no forward interface vlan number
Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic. With the Base license, you can only configure a third VLAN if you use this command to limit it.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.
If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.

Note
If you upgrade to the Security Plus license, you can remove this command and achieve full functionality for this interface. If you leave this command in place, this interface continues to be limited even after upgrading.

Step 3 To name the interface, enter the following command:
  hostname(config-if)# nameif name
The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Step 4 To set the security level, enter the following command:
  hostname(config-if)# security-level number
Where number is an integer between 0 (lowest) and 100 (highest).

Step 5 (Routed mode only) To set the IP address, enter one of the following commands.

Note
To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.
To set the management IP address for transparent firewall mode, see the “Setting the Management IP Address for a Transparent Firewall” section on page 8-5. In transparent mode, you do not set the IP address for each interface, but rather for the whole adaptive security appliance or context.

For failover, you must set the IP address and standby address manually; DHCP and PPPoE are not supported.
• To set the IP address manually, enter the following command:
  hostname(config-if)# ip address ip_address [mask] [standby ip_address]
  The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information.
• To obtain an IP address from a DHCP server, enter the following command:
  hostname(config-if)# ip address dhcp [setroute]
  Reenter this command to reset the DHCP lease and request a new lease. If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.
• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”

Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:
  hostname(config-if)# mac-address mac_address [standby mac_address]
By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique MAC addresses or change the generated MAC addresses if your switch requires it, or for access control purposes.

Step 7 (Optional) To set an interface to management-only mode, so that it does not allow through traffic, enter the following command:
  hostname(config-if)# management-only

Step 8 By default, VLAN interfaces are enabled. To enable the interface, if it is not already enabled, enter the following command:
  hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command.
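The following script is an added example (not Cisco code) that checks a VLAN-interface configuration against the rules given in the Security Level Overview and in Steps 1 through 4 above: VLAN IDs 1 to 4090, security levels 0 to 100 with the implicit level 100 for an interface named “inside”, the Base license requirement that a third named VLAN carry no forward interface entered before nameif, and the implicit permit from a higher to a lower security level (or between equal levels only when same-security-traffic permit inter-interface is configured). The sample configuration inside it is constructed from this chapter's Base license example (outside, business, home).

```python
"""Audit an ASA 5505 VLAN-interface configuration against the rules in this
chapter: VLAN IDs 1-4090, security levels 0-100 (implicitly 100 for an
interface named "inside"), the implicit higher-to-lower permit, same-security
traffic, and the Base license rule that a third named VLAN interface needs
'no forward interface' entered before 'nameif'.  Added example, not Cisco
code; SAMPLE_CONFIG is constructed from the chapter's Base license example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """
interface vlan 100
 nameif outside
 security-level 0
 ip address dhcp
interface vlan 200
 nameif business
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface vlan 300
 no forward interface vlan 200
 nameif home
 security-level 50
 ip address 10.2.1.1 255.255.255.0
"""


@dataclass
class VlanIf:
    vlan: int
    name: Optional[str] = None
    security_level: int = 0                 # default level is 0
    level_explicit: bool = False
    no_forward_to: Set[int] = field(default_factory=set)
    forward_before_nameif: bool = True      # Base license ordering rule


def parse_config(text: str) -> Tuple[Dict[int, VlanIf], bool]:
    """Return VLAN interfaces keyed by VLAN ID and the same-security flag."""
    ifaces: Dict[int, VlanIf] = {}
    same_security = False
    cur: Optional[VlanIf] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            cur = ifaces.setdefault(int(m.group(1)), VlanIf(int(m.group(1))))
        elif line == "same-security-traffic permit inter-interface":
            same_security = True
        elif cur is None:
            continue
        elif m := re.fullmatch(r"nameif (\S+)", line):
            cur.name = m.group(1)
            if cur.name.lower() == "inside" and not cur.level_explicit:
                cur.security_level = 100    # implicit level for "inside"
        elif m := re.fullmatch(r"security-level (\d+)", line):
            cur.security_level, cur.level_explicit = int(m.group(1)), True
        elif m := re.fullmatch(r"no forward interface vlan (\d+)", line):
            if cur.name is not None:        # entered after nameif: too late
                cur.forward_before_nameif = False
            cur.no_forward_to.add(int(m.group(1)))
    return ifaces, same_security


def audit(ifaces: Dict[int, VlanIf], base_license: bool = True) -> List[str]:
    """Findings a config reviewer would raise; empty means the rules hold."""
    findings: List[str] = []
    for i in ifaces.values():
        if not 1 <= i.vlan <= 4090:
            findings.append(f"vlan {i.vlan}: VLAN ID must be 1-4090")
        if not 0 <= i.security_level <= 100:
            findings.append(f"vlan {i.vlan}: security level must be 0-100")
        if i.name is None:
            findings.append(f"vlan {i.vlan}: no nameif, cannot pass traffic")
    named = [i for i in ifaces.values() if i.name]
    if base_license:
        if len(named) > 3:
            findings.append("Base license: at most three named VLAN interfaces")
        elif len(named) == 3 and not any(i.no_forward_to for i in named):
            findings.append("Base license: third VLAN needs 'no forward interface'")
        for i in named:
            if i.no_forward_to and not i.forward_before_nameif:
                findings.append(f"vlan {i.vlan}: enter 'no forward interface' "
                                "before 'nameif'")
    return findings


def implicit_permit(ifaces: Dict[int, VlanIf], same_security: bool,
                    src: str, dst: str) -> bool:
    """Can a host on `src` initiate a connection to `dst` with no access
    list?  Applies the security-level rules described in this chapter."""
    by_name = {i.name: i for i in ifaces.values() if i.name}
    s, d = by_name[src], by_name[dst]
    if d.vlan in s.no_forward_to:
        return False                        # 'no forward interface' blocks it
    if s.security_level > d.security_level:
        return True                         # outbound: implicit permit
    if s.security_level == d.security_level:
        return same_security                # needs same-security-traffic permit
    return False                            # inbound: explicit access list only
```

For the sample, audit() returns no findings, business can reach home but home cannot reach business, and swapping the order of no forward interface and nameif on VLAN 300 produces an ordering finding.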
The following example configures seven VLAN interfaces, including the failover interface, which is configured separately using the failover lan command:
  hostname(config)# interface vlan 100
  hostname(config-if)# nameif outside
  hostname(config-if)# security-level 0
  hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 200
  hostname(config-if)# nameif inside
  hostname(config-if)# security-level 100
  hostname(config-if)# ip address 10.2.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 201
  hostname(config-if)# nameif dept1
  hostname(config-if)# security-level 90
  hostname(config-if)# ip address 10.2.2.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 202
  hostname(config-if)# nameif dept2
  hostname(config-if)# security-level 90
  hostname(config-if)# ip address 10.2.3.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 300
  hostname(config-if)# nameif dmz
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.3.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 400
  hostname(config-if)# nameif backup-isp
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.1.2.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# failover lan faillink vlan500
  hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0

The following example configures three VLAN interfaces for the Base license. The third home interface cannot forward traffic to the business interface.
  hostname(config)# interface vlan 100
  hostname(config-if)# nameif outside
  hostname(config-if)# security-level 0
  hostname(config-if)# ip address dhcp
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 200
  hostname(config-if)# nameif business
  hostname(config-if)# security-level 100
  hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 300
  hostname(config-if)# no forward interface vlan 200
  hostname(config-if)# nameif home
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.2.1.1 255.255.255.0
  hostname(config-if)# no shutdown

Configuring Switch Ports as Access Ports
By default, all switch ports are shut down. To assign a switch port to one VLAN, configure it as an access port. To create a trunk port to carry multiple VLANs, see the “Configuring a Switch Port as a Trunk Port” section on page 4-11.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Caution
The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the adaptive security appliance does not end up in a network loop.
To configure a switch port, perform the following steps:

Step 1 To specify the switch port you want to configure, enter the following command:
  hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
  hostname(config)# interface ethernet0/1

Step 2 To assign this switch port to a VLAN, enter the following command:
  hostname(config-if)# switchport access vlan number
Where number is the VLAN ID, between 1 and 4090.

Note
You might assign multiple switch ports to the primary or backup VLANs if the Internet access device includes Layer 2 redundancy.

Step 3 (Optional) To prevent the switch port from communicating with other protected switch ports on the same VLAN, enter the following command:
  hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Step 4 (Optional) To set the speed, enter the following command:
  hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Step 5 (Optional) To set the duplex, enter the following command:
  hostname(config-if)# duplex {auto | full | half}
The auto setting is the default. If you set the duplex to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Step 6 To enable the switch port, if it is not already enabled, enter the following command:
  hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.

The following example configures five VLAN interfaces, including the failover interface, which is configured using the failover lan command:
  hostname(config)# interface vlan 100
  hostname(config-if)# nameif outside
  hostname(config-if)# security-level 0
  hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 200
  hostname(config-if)# nameif inside
  hostname(config-if)# security-level 100
  hostname(config-if)# ip address 10.2.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 300
  hostname(config-if)# nameif dmz
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.3.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 400
  hostname(config-if)# nameif backup-isp
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.1.2.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# failover lan faillink vlan500
  hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
  hostname(config)# interface ethernet 0/0
  hostname(config-if)# switchport access vlan 100
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/1
  hostname(config-if)# switchport access vlan 200
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/2
  hostname(config-if)# switchport access vlan 300
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/3
  hostname(config-if)# switchport access vlan 400
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/4
  hostname(config-if)# switchport access vlan 500
  hostname(config-if)# no shutdown

Configuring a Switch Port as a Trunk Port
By default, all switch ports are shut down. This procedure tells how to create a trunk port that can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. To create an access port, where an interface is assigned to only one VLAN, see the “Configuring Switch Ports as Access Ports” section on page 4-9.
By default, the speed and duplex for switch ports are set to auto-negotiate. The default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

To configure a trunk port, perform the following steps:

Step 1 To specify the switch port you want to configure, enter the following command:
  hostname(config)# interface ethernet0/port
Where port is 0 through 7. For example, enter the following command:
  hostname(config)# interface ethernet0/1

Step 2 To assign VLANs to this trunk, enter one or more of the following commands.
• To assign native VLANs, enter the following command:
  hostname(config-if)# switchport trunk native vlan vlan_id
  where the vlan_id is a single VLAN ID between 1 and 4090.
  Packets on the native VLAN are not modified when sent over the trunk. For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header. Frames which ingress (enter) this port and have no 802.1Q header are put into VLAN 2.
  Each port can only have one native VLAN, but every port can have either the same or a different native VLAN.
• To assign VLANs, enter the following command:
  hostname(config-if)# switchport trunk allowed vlan vlan_range
  where the vlan_range (with VLANs between 1 and 4090) can be identified in one of the following ways:
    A single number (n)
    A range (n-x)
    Separate numbers and ranges by commas, for example: 5,7-10,13,45-100
  You can enter spaces instead of commas, but the command is saved to the configuration with commas.
  You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not.
  This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native.

Step 3 To make this switch port a trunk port, enter the following command:
  hostname(config-if)# switchport mode trunk
To restore this port to access mode, enter the switchport mode access command.
Step 4 (Optional) To prevent the switch port from communicating with other protected switch ports on the same VLAN, enter the following command:
  hostname(config-if)# switchport protected
You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Step 5 (Optional) To set the speed, enter the following command:
  hostname(config-if)# speed {auto | 10 | 100}
The auto setting is the default.

Step 6 (Optional) To set the duplex, enter the following command:
  hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.

Step 7 To enable the switch port, if it is not already enabled, enter the following command:
  hostname(config-if)# no shutdown
To disable the switch port, enter the shutdown command.

The following example configures seven VLAN interfaces, including the failover interface, which is configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.
  hostname(config)# interface vlan 100
  hostname(config-if)# nameif outside
  hostname(config-if)# security-level 0
  hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 200
  hostname(config-if)# nameif inside
  hostname(config-if)# security-level 100
  hostname(config-if)# ip address 10.2.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 201
  hostname(config-if)# nameif dept1
  hostname(config-if)# security-level 90
  hostname(config-if)# ip address 10.2.2.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 202
  hostname(config-if)# nameif dept2
  hostname(config-if)# security-level 90
  hostname(config-if)# ip address 10.2.3.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 300
  hostname(config-if)# nameif dmz
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.3.1.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# interface vlan 400
  hostname(config-if)# nameif backup-isp
  hostname(config-if)# security-level 50
  hostname(config-if)# ip address 10.1.2.1 255.255.255.0
  hostname(config-if)# no shutdown
  hostname(config-if)# failover lan faillink vlan500
  hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
  hostname(config)# interface ethernet 0/0
  hostname(config-if)# switchport access vlan 100
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/1
  hostname(config-if)# switchport mode trunk
  hostname(config-if)# switchport trunk allowed vlan 200-202
  hostname(config-if)# switchport trunk native vlan 5
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/2
  hostname(config-if)# switchport access vlan 300
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/3
  hostname(config-if)# switchport access vlan 400
  hostname(config-if)# no shutdown
  hostname(config-if)# interface ethernet 0/4
  hostname(config-if)# switchport access vlan 500
  hostname(config-if)# no shutdown

Allowing Communication Between VLAN Interfaces on the Same Security Level
By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists.

Note
If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT and same security level interfaces.

If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
To enable interfaces on the same security level so that they can communicate with each other, enter the following command:
  hostname(config)# same-security-traffic permit inter-interface
To disable this setting, use the no form of this command.

Chapter 5 Configuring Ethernet Settings and Subinterfaces
This chapter describes how to configure and enable physical Ethernet interfaces and how to add subinterfaces. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the interface media type.
In single context mode, complete the procedures in this chapter and then continue your interface configuration in Chapter 7, “Configuring Interface Parameters.”
In multiple context mode, complete the procedures in this chapter in the system execution space, then assign interfaces and subinterfaces to contexts according to Chapter 6, “Adding and Managing Security Contexts,” and finally configure the interface parameters within each context according to Chapter 7, “Configuring Interface Parameters.”

Note
To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”

This chapter includes the following sections:
• Configuring and Enabling RJ-45 Interfaces, page 5-1
• Configuring and Enabling Fiber Interfaces, page 5-3
• Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking, page 5-3

Configuring and Enabling RJ-45 Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the interface. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface.
For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration according to this procedure.
By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate.
The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive security appliance include two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. If you want to configure the security appliance to use the fiber SFP connectors, see the “Configuring and Enabling Fiber Interfaces” section on page 5-3.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you cannot disable it.

To enable the interface, or to set a specific speed and duplex, perform the following steps:

Step 1 To specify the interface you want to configure, enter the following command:
  hostname(config)# interface physical_interface
The physical_interface ID includes the type, slot, and port number as type[slot/]port.
The physical interface types include the following:
• ethernet
• gigabitethernet
For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1.
The ASA 5500 series adaptive security appliance also includes the following type:
• management
The management interface is a Fast Ethernet interface designed for management traffic only, and is specified as management0/0. You can, however, use it for through traffic if desired (see the management-only command).
In transparent firewall mode, you can use the management interface in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode.

Step 2 (Optional) To set the speed, enter the following command:
  hostname(config-if)# speed {auto | 10 | 100 | 1000 | nonegotiate}
The auto setting is the default. The speed nonegotiate command disables link negotiation.

Step 3 (Optional) To set the duplex, enter the following command:
  hostname(config-if)# duplex {auto | full | half}
The auto setting is the default.

Step 4 To enable the interface, enter the following command:
  hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.

Configuring and Enabling Fiber Interfaces
This section describes how to configure Ethernet settings for physical interfaces, and how to enable the interface. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface.
For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration according to this procedure.
By default, the connectors used on the 4GE SSM or for built-in interfaces in slot 1 on the ASA 5550 adaptive security appliance are the RJ-45 connectors.
To use the fiber SFP connectors, you must set the media type to SFP. The fiber interface has a fixed speed and does not support duplex, but you can set the interface to negotiate link parameters (the default) or not to negotiate.

To enable the interface, set the media type, or to set negotiation settings, perform the following steps:

Step 1 To specify the interface you want to configure, enter the following command:
  hostname(config)# interface gigabitethernet 1/port
The 4GE SSM interfaces are assigned to slot 1, as shown in the interface ID in the syntax (the interfaces built into the chassis are assigned to slot 0).

Step 2 To set the media type to SFP, enter the following command:
  hostname(config-if)# media-type sfp
To restore the default RJ-45, enter the media-type rj45 command.

Step 3 (Optional) To disable link negotiation, enter the following command:
  hostname(config-if)# speed nonegotiate
For fiber Gigabit Ethernet interfaces, the default is no speed nonegotiate, which sets the speed to 1000 Mbps and enables link negotiation for flow-control parameters and remote fault information. The speed nonegotiate command disables link negotiation.

Step 4 To enable the interface, enter the following command:
  hostname(config-if)# no shutdown
To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.

Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking
This section describes how to configure and enable a VLAN subinterface.
An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk.

You must enable the physical interface before any traffic can pass through an enabled subinterface (see the “Configuring and Enabling RJ-45 Interfaces” section on page 5-1 or the “Configuring and Enabling Fiber Interfaces” section on page 5-3). For multiple context mode, if you allocate a subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration with this procedure.

Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with different VLAN IDs. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or security appliances. This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses and Specifications.”

Note If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Because the physical interface must be enabled for the subinterface to pass traffic, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual. See the “Configuring Interface Parameters” section on page 7-1 for more information about completing the interface configuration.
To add a subinterface and assign a VLAN to it, perform the following steps:

Step 1 To specify the new subinterface, enter the following command:

hostname(config)# interface physical_interface.subinterface

See the “Configuring and Enabling RJ-45 Interfaces” section for a description of the physical interface ID. The subinterface ID is an integer between 1 and 4294967293. For example, enter the following command:

hostname(config)# interface gigabitethernet0/1.100

Step 2 To specify the VLAN for the subinterface, enter the following command:

hostname(config-subif)# vlan vlan_id

The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.

Step 3 To enable the subinterface, enter the following command:

hostname(config-subif)# no shutdown

To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it.

Chapter 6 Adding and Managing Security Contexts

This chapter describes how to configure multiple security contexts on the security appliance, and includes the following sections:

• Configuring Resource Management, page 6-1
• Configuring a Security Context, page 6-7
• Automatically Assigning MAC Addresses to Context Interfaces, page 6-11
• Changing Between Contexts and the System Execution Space, page 6-11
• Managing Security Contexts, page 6-12

For information about how contexts work and how to enable multiple context mode, see Chapter 3, “Enabling Multiple Context Mode.”

Configuring Resource Management

By default, all security contexts have unlimited access to the resources of the security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.

This section includes the following topics:

• Classes and Class Members Overview, page 6-1
• Configuring a Class, page 6-4

Classes and Class Members Overview

The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:

• Resource Limits, page 6-2
• Default Class, page 6-3
• Class Members, page 6-4

Resource Limits

When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context.
If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service to other contexts.

You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an absolute value.

You can oversubscribe the security appliance by assigning more than 100 percent of a resource across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-1.)

Figure 6-1 Resource Oversubscription [figure: Total Number of System Connections = 999,900; vertical axis Max. 20% (199,800), 16% (159,984), 12% (119,988), 8% (79,992), 4% (39,996); horizontal axis Contexts in Class 1 through 10; legend: Maximum connections allowed, Connections denied because system limit was reached, Connections in use]

If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the security appliance, then the performance of the security appliance might be impaired.

The security appliance lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available or that is practically available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned” connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.

Figure 6-2 Unlimited Resources [figure: Contexts A, B, C in the Silver Class at 1% to 3% of connections; Contexts 1, 2, 3 in the Gold Class at 43% and 50%; legend: Maximum connections allowed, Connections denied because system limit was reached, Connections in use]

Default Class

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

• Telnet sessions—5 sessions.
• SSH sessions—5 sessions.
• IPSec sessions—5 sessions.
• MAC addresses—65,535 entries.

Figure 6-3 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.

Figure 6-3 Resource Classes [figure: Default Class; Class Gold (All Limits Set); Class Silver (Some Limits Set); Class Bronze (Some Limits Set); Context A, Context B, Context C, Context D]

Class Members

To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default.

You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

Configuring a Class

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value.

Step 1 To specify the class name and enter the class configuration mode, enter the following command in the system execution space:

hostname(config)# class name

The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.

Step 2 To set the resource limits, see the following options:

• To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command:

hostname(config-resmgmt)# limit-resource all 0

For example, you might want to create a class that includes the admin context that has no limitations. The default class has all resources set to unlimited by default.
• To set a particular resource limit, enter the following command:

hostname(config-resmgmt)# limit-resource [rate] resource_name number[%]

For this particular resource, the limit overrides the limit set for all. Enter the rate argument to set the rate per second for certain resources. For resources that do not have a system limit, you cannot set the percentage (%) between 1 and 100; you can only set an absolute value. See Table 6-1 for resources for which you can set the rate per second and which do not have a system limit.

Table 6-1 lists the resource types and the limits. See also the show resource types command.

Table 6-1 Resource Names and Limits
Columns: Resource Name | Rate or Concurrent | Minimum and Maximum Number per Context | System Limit (1) | Description
mac-addresses | Concurrent | N/A | 65,535 | For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.
conns | Concurrent or Rate | N/A | Concurrent connections: see the “Supported Platforms and Feature Licenses” section on page A-1 for the connection limit for your platform. Rate: N/A | TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
inspects | Rate | N/A | N/A | Application inspections.
hosts | Concurrent | N/A | N/A | Hosts that can connect through the security appliance.
asdm | Concurrent | 1 minimum, 5 maximum | 32 | ASDM management sessions. Note: ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.
ssh | Concurrent | 1 minimum, 5 maximum | 100 | SSH sessions.
syslogs | Rate | N/A | N/A | System log messages.
telnet | Concurrent | 1 minimum, 5 maximum | 100 | Telnet sessions.
xlates | Concurrent | N/A | N/A | Address translations.
(1) If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.

For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands:

hostname(config)# class default
hostname(config-class)# limit-resource conns 10%

All other resources remain at unlimited.

To add a class called gold, enter the following commands:

hostname(config)# class gold
hostname(config-class)# limit-resource mac-addresses 10000
hostname(config-class)# limit-resource conns 15%
hostname(config-class)# limit-resource rate conns 1000
hostname(config-class)# limit-resource rate inspects 500
hostname(config-class)# limit-resource hosts 9000
hostname(config-class)# limit-resource asdm 5
hostname(config-class)# limit-resource ssh 5
hostname(config-class)# limit-resource rate syslogs 5000
hostname(config-class)# limit-resource telnet 5
hostname(config-class)# limit-resource xlates 36000

Configuring a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use.

Note If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:

hostname(config)# admin-context name

Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.

To add or change a context in the system configuration, perform the following steps:

Step 1 To add or modify a context, enter the following command in the system execution space:

hostname(config)# context name

The name is a string up to 32 characters long.
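The following added example (not Cisco code) models how the class limits above combine: a percentage is only valid where Table 6-1 gives a hard system limit, an undefined limit is inherited from the default class, and the sum of all contexts' shares shows whether the appliance is oversubscribed as in Figure 6-1. The conns system limit of 999,900 is taken from Figure 6-1; rate limits are not modeled.

```python
"""Resource class model: percentage vs absolute limits, inheritance from the default
class, and oversubscription. Added example, not Cisco code."""
from typing import Dict, Optional, Union

# A limit is an absolute count (0 = unlimited, as in `limit-resource all 0`) or "20%".
Limit = Union[int, str]

# Hard system limits from Table 6-1; None = N/A (no hard limit, so no percentages).
# conns is the per-platform value; 999,900 is the figure used in Figure 6-1.
SYSTEM_LIMITS: Dict[str, Optional[int]] = {
    "mac-addresses": 65535, "conns": 999_900, "inspects": None, "hosts": None,
    "asdm": 32, "ssh": 100, "syslogs": None, "telnet": 100, "xlates": None,
}


class ResourceClass:
    def __init__(self, name: str, limits: Optional[Dict[str, Limit]] = None) -> None:
        self.name = name
        self.limits: Dict[str, Limit] = {}
        for resource, value in (limits or {}).items():
            self.limit_resource(resource, value)

    def limit_resource(self, resource: str, value: Limit) -> None:
        """Mirror `limit-resource <resource> <number>[%]` with the page's constraints."""
        if resource not in SYSTEM_LIMITS:
            raise ValueError(f"unknown resource {resource}")
        if isinstance(value, str):
            if not value.endswith("%") or not 1 <= int(value[:-1]) <= 100:
                raise ValueError(f"percentage must be 1-100%: {value}")
            if SYSTEM_LIMITS[resource] is None:
                raise ValueError(f"{resource} has no system limit; use an absolute value")
        elif value < 0:
            raise ValueError("absolute limit must be >= 0")
        self.limits[resource] = value

    def limit_all_unlimited(self) -> None:
        """Mirror `limit-resource all 0`: every resource becomes unlimited."""
        for resource in SYSTEM_LIMITS:
            self.limits[resource] = 0


# Default class as the page describes it: unlimited except telnet, ssh, MAC addresses.
# (IPSec sessions are also listed on the page but have no Table 6-1 resource name.)
DEFAULT = ResourceClass("default", {"telnet": 5, "ssh": 5, "mac-addresses": 65535})


def effective_limit(cls: ResourceClass, resource: str,
                    default: ResourceClass = DEFAULT) -> Optional[int]:
    """Absolute per-context limit: the class setting, else the default class's.
    Returns None for unlimited."""
    value = cls.limits.get(resource, default.limits.get(resource, 0))
    if isinstance(value, str):
        return SYSTEM_LIMITS[resource] * int(value[:-1]) // 100
    return None if value == 0 else value


def oversubscription_pct(memberships: Dict[str, ResourceClass], resource: str,
                         default: ResourceClass = DEFAULT) -> Optional[float]:
    """Sum of every context's share as a percentage of the system limit.
    Above 100 means oversubscribed (Figure 6-1). None when the resource has no
    system limit or any member is unlimited (Figure 6-2: no control over the total)."""
    system = SYSTEM_LIMITS[resource]
    if system is None:
        return None
    total = 0
    for cls in memberships.values():
        limit = effective_limit(cls, resource, default)
        if limit is None:
            return None
        total += limit
    return 100.0 * total / system


if __name__ == "__main__":
    bronze = ResourceClass("bronze", {"conns": "20%"})
    ten = {f"ctx{i}": bronze for i in range(10)}
    print(effective_limit(bronze, "conns"), oversubscription_pct(ten, "conns"))
```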
This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen. “System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.

Step 2 (Optional) To add a description for this context, enter the following command:

hostname(config-ctx)# description text

Step 3 To specify the interfaces you can use in the context, enter the command appropriate for a physical interface or for one or more subinterfaces.

• To allocate a physical interface, enter the following command:

hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible]

• To allocate one or more subinterfaces, enter the following command:

hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]

You can enter these commands multiple times to specify different ranges. If you remove an allocation with the no form of this command, then any context commands that include this interface are removed from the running configuration.

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.

Note The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table.

You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context.

A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:

int0
inta
int_0

For subinterfaces, you can specify a range of mapped names. If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:

• The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:

int0-int10

If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.

• The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces:

gigabitethernet0/0.100-gigabitethernet0/0.199
int1-int100

If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.

Specify visible to see physical interface properties in the show interface command even if you set a mapped name. The default invisible keyword specifies to only show the mapped name.

The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8.

hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8

Step 4 To identify the URL from which the system downloads the context configuration, enter the following command:

hostname(config-ctx)# config-url url

When you add a context URL, the system immediately loads the context so that it is running, if the configuration is available.

Note Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.

See the following URL syntax:

• disk:/[path/]filename

This URL indicates the internal Flash memory. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL disk:/url
INFO: Creating context with default config

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to Flash memory.

Note The admin context file must be stored on the internal Flash memory.

• ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]

The type can be one of the following keywords:

– ap—ASCII passive mode
– an—ASCII normal mode
– ip—(Default) Binary passive mode
– in—Binary normal mode

The server must be accessible from the admin context.
The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL ftp://url
INFO: Creating context with default config

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the FTP server.

• http[s]://[user[:password]@]server[:port]/[path/]filename

The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL http://url
INFO: Creating context with default config

If you change to the context and configure the context at the CLI, you cannot save changes back to HTTP or HTTPS servers using the write memory command. You can, however, use the copy tftp command to copy the running configuration to a TFTP server.

• tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]

The server must be accessible from the admin context. Specify the interface name if you want to override the route to the server address. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message:

WARNING: Could not fetch the URL tftp://url
INFO: Creating context with default config

You can then change to the context, configure it at the CLI, and enter the write memory command to write the file to the TFTP server.

To change the URL, reenter the config-url command with a new URL. See the “Changing the Security Context URL” section on page 6-13 for more information about changing the URL.

For example, enter the following command:

hostname(config-ctx)# config-url ftp://joe:passw0rd1@10.1.1.1/configlets/test.cfg

Step 5 (Optional) To assign the context to a resource class, enter the following command:

hostname(config-ctx)# member class_name

If you do not specify a class, the context belongs to the default class. You can only assign a context to one resource class.

For example, to assign the context to the gold class, enter the following command:

hostname(config-ctx)# member gold

Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference.

The following example sets the admin context to be “administrator,” creates a context called “administrator” on the internal Flash memory, and then adds two contexts from an FTP server:

hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)# context test
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
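The mapped-name and range rules from Step 3 above, as an added example (not Cisco code) that checks an allocate-interface line before it is typed: a mapped name must start with a letter, end with a letter or digit, and contain only letters, digits, and underscores; in a range, the alphabetic portions must match and the numeric portion must cover exactly as many names as the subinterface range. The slot/port form of the physical interface ID (e.g. gigabitethernet0/1) is assumed from the page's examples.

```python
"""Validate allocate-interface mapped names and ranges per the page's rules.
Added example, not Cisco code; raises ValueError where the page says the command fails."""
import re
from typing import List, Optional, Tuple

# A mapped name: letter first, letter or digit last, only letters/digits/underscore inside.
MAPPED_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
# Each end of a mapped-name range: an alphabetic portion followed by a numeric portion.
RANGE_NAME_RE = re.compile(r"^([A-Za-z]+)([0-9]+)$")
# physical_interface.subinterface in slot/port form (assumed), e.g. gigabitethernet0/1.100
SUBIF_RE = re.compile(r"^([A-Za-z]+[0-9]+/[0-9]+)\.([0-9]+)$")
MAX_SUBIF_ID = 4294967293  # subinterface ID range given on the page


def _parse_subif(spec: str) -> Tuple[str, int]:
    m = SUBIF_RE.match(spec)
    if not m:
        raise ValueError(f"not a subinterface ID: {spec}")
    sub = int(m.group(2))
    if not 1 <= sub <= MAX_SUBIF_ID:
        raise ValueError(f"subinterface ID out of range: {spec}")
    return m.group(1), sub


def _parse_range_name(name: str) -> Tuple[str, int]:
    m = RANGE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"range mapped name must be letters then digits: {name}")
    return m.group(1), int(m.group(2))


def allocate_interface(interface_spec: str, map_spec: Optional[str] = None) -> List[str]:
    """Return the names the context will see for one allocate-interface line."""
    if "-" not in interface_spec:
        if map_spec is None:
            return [interface_spec]  # no mapped name: the interface ID is used in the context
        if "-" in map_spec or not MAPPED_NAME_RE.match(map_spec):
            raise ValueError(f"invalid mapped name: {map_spec}")
        return [map_spec]

    # Subinterface range: both ends on the same physical interface, low to high.
    lo_spec, hi_spec = interface_spec.split("-", 1)
    lo_phys, lo_sub = _parse_subif(lo_spec)
    hi_phys, hi_sub = _parse_subif(hi_spec)
    if lo_phys != hi_phys or lo_sub > hi_sub:
        raise ValueError(f"invalid subinterface range: {interface_spec}")
    count = hi_sub - lo_sub + 1
    if map_spec is None:
        return [f"{lo_phys}.{n}" for n in range(lo_sub, hi_sub + 1)]

    if "-" not in map_spec:
        raise ValueError("a subinterface range needs a matching range of mapped names")
    lo_name, hi_name = map_spec.split("-", 1)
    lo_alpha, lo_num = _parse_range_name(lo_name)
    hi_alpha, hi_num = _parse_range_name(hi_name)
    if lo_alpha != hi_alpha:  # e.g. happy1-sad5 fails
        raise ValueError(f"alphabetic portions differ: {map_spec}")
    names = hi_num - lo_num + 1
    if names != count:  # e.g. int1-int15 for 100 subinterfaces fails
        raise ValueError(f"{map_spec} gives {names} names for {count} subinterfaces")
    return [f"{lo_alpha}{n}" for n in range(lo_num, hi_num + 1)]


if __name__ == "__main__":
    # The page's third example line: six subinterfaces mapped to int3 through int8.
    print(allocate_interface("gigabitethernet0/2.300-gigabitethernet0/2.305", "int3-int8"))
```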
hostname(config-ctx)# member silver

Automatically Assigning MAC Addresses to Context Interfaces

To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the “How the Security Appliance Classifies Packets” section on page 3-3 for information about classifying packets.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address. You can automatically assign private MAC addresses to each shared context interface by entering the following command in the system configuration:

hostname(config)# mac-address auto

For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption.

When you assign an interface to a context, the new MAC address is generated immediately. If you enable this command after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

The MAC address is generated using the following format:

• Active unit MAC address: 12_slot.port_subid.contextid.
• Standby unit MAC address: 02_slot.port_subid.contextid.

For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:

• Active: 1200.0131.0001
• Standby: 0200.0131.0001

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the “Configuring the Interface” section on page 7-2 to manually set the MAC address.

Changing Between Contexts and the System Execution Space

If you log in to the system execution space (or the admin context using Telnet or SSH), you can change between contexts and perform configuration and monitoring tasks within each context.

The running configuration that you edit in a configuration mode, or that is used in the copy or write commands, depends on your location. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.
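Returning to the mac-address auto format from the previous section, the following added example (not Cisco code) builds and decodes the generated addresses so that a frame seen on a shared interface can be tied back to its context and failover role. Field widths (two hex digits each for slot, port, and subid; four for contextid) are inferred from the page's example 1200.0131.0001; the page does not say whether the internal subinterface ID 31 is decimal or hex, so the value is passed as the hex field 0x31.

```python
"""Generate and parse the MAC addresses that `mac-address auto` derives for context
interfaces. Added example, not Cisco code. Format from the page:
active 12_slot.port_subid.contextid, standby 02_slot.port_subid.contextid."""
from typing import Dict

ACTIVE_PREFIX, STANDBY_PREFIX = 0x12, 0x02


def auto_mac(slot: int, port: int, subid: int, contextid: int, standby: bool = False) -> str:
    """Return the generated address in Cisco dotted-hex form (xxxx.xxxx.xxxx).
    Field widths are an assumption inferred from the page's example."""
    if not (0 <= slot <= 0xFF and 0 <= port <= 0xFF
            and 0 <= subid <= 0xFF and 0 <= contextid <= 0xFFFF):
        raise ValueError("field out of range for the generated-address format")
    prefix = STANDBY_PREFIX if standby else ACTIVE_PREFIX
    raw = f"{prefix:02x}{slot:02x}{port:02x}{subid:02x}{contextid:04x}"  # 12 hex digits
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


def parse_auto_mac(mac: str) -> Dict[str, object]:
    """Split a generated address back into role, slot, port, subid and contextid.
    Raises ValueError for addresses that do not carry either prefix."""
    raw = mac.replace(".", "").replace(":", "").lower()
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    prefix = int(raw[0:2], 16)
    if prefix == ACTIVE_PREFIX:
        role = "active"
    elif prefix == STANDBY_PREFIX:
        role = "standby"
    else:
        raise ValueError(f"{mac} was not generated by mac-address auto")
    return {
        "role": role,
        "slot": int(raw[2:4], 16),
        "port": int(raw[4:6], 16),
        "subid": int(raw[6:8], 16),
        "contextid": int(raw[8:12], 16),
    }


def is_locally_administered(mac: str) -> bool:
    """True when the first octet has the locally-administered bit set and the
    multicast bit clear. Both 0x12 and 0x02 do, so generated addresses live in the
    private range rather than the burned-in (OUI) range; the page notes they can
    still collide with other private MAC addresses on your network."""
    first_octet = int(mac.replace(".", "").replace(":", "")[0:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


if __name__ == "__main__":
    # The page's example: GigabitEthernet 0/1.200 (internal subid 31) in context ID 1.
    for standby in (False, True):
        addr = auto_mac(0, 1, 0x31, 1, standby=standby)
        print(addr, parse_auto_mac(addr))
```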
To change between the system execution space and a context, or between contexts, see the following commands:

• To change to a context, enter the following command:

hostname# changeto context name

The prompt changes to the following:

hostname/name#

• To change to the system execution space, enter the following command:

hostname/admin# changeto system

The prompt changes to the following:

hostname#

Managing Security Contexts

This section describes how to manage security contexts, and includes the following topics:

• Removing a Security Context, page 6-12
• Changing the Admin Context, page 6-13
• Changing the Security Context URL, page 6-13
• Reloading a Security Context, page 6-14
• Monitoring Security Contexts, page 6-15

Removing a Security Context

You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts using the clear context command.

Note If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored.

Use the following commands for removing contexts:

• To remove a single context, enter the following command in the system execution space:

hostname(config)# no context name

All context commands are also removed.

• To remove all contexts (including the admin context), enter the following command in the system execution space:

hostname(config)# clear context

Changing the Admin Context

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users.

You can set any context to be the admin context, as long as the configuration file is stored in the internal Flash memory. To set the admin context, enter the following command in the system execution space:

hostname(config)# admin-context context_name

Any remote management sessions, such as Telnet, SSH, or HTTPS, that are connected to the admin context are terminated. You must reconnect to the new admin context.

Note A few system commands, including ntp server, identify an interface name that belongs to the admin context. If you change the admin context, and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.

Changing the Security Context URL

You cannot change the security context URL without reloading the configuration from the new URL. The security appliance merges the new configuration with the current running configuration.
Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL. To change the URL for a context, perform the following steps: Step 1 If you do not want to merge the configuration, change to the context and clear its configuration by entering the following commands. If you want to perform a merge, skip to Step 2. hostname# changeto context name hostname/name# configure terminal hostname/name(config)# clear configure all Step 2 If required, change to the system execution space by entering the following command: hostname/name(config)# changeto system6-14 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 6 Adding and Managing Security Contexts Managing Security Contexts Step 3 To enter the context configuration mode for the context you want to change, enter the following command: hostname(config)# context name Step 4 To enter the new URL, enter the following command: hostname(config)# config-url new_url The system immediately loads the context so that it is running. Reloading a Security Context You can reload the context in two ways: • Clear the running configuration and then import the startup configuration. This action clears most attributes associated with the context, such as connections and NAT tables. 
• Remove the context from the system configuration. This action clears additional attributes, such as memory allocation, which might be useful for troubleshooting. However, to add the context back to the system, you must respecify the URL and interfaces.

This section includes the following topics:

• Reloading by Clearing the Configuration, page 6-14
• Reloading by Removing and Re-adding the Context, page 6-15

Reloading by Clearing the Configuration

To reload the context by clearing the context configuration and reloading the configuration from the URL, perform the following steps:

Step 1 To change to the context that you want to reload, enter the following command:

hostname# changeto context name

Step 2 To access configuration mode, enter the following command:

hostname/name# configure terminal

Step 3 To clear the running configuration, enter the following command:

hostname/name(config)# clear configure all

This command clears all connections.

Step 4 To reload the configuration, enter the following command:

hostname/name(config)# copy startup-config running-config

The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.

Reloading by Removing and Re-adding the Context

To reload the context by removing the context and then re-adding it, perform the steps in the following sections:

1. “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11
2. “Configuring a Security Context” section on page 6-7

Monitoring Security Contexts

This section describes how to view and monitor context information, and includes the following topics:

• Viewing Context Information, page 6-15
• Viewing Resource Allocation, page 6-16
• Viewing Resource Usage, page 6-19
• Monitoring SYN Attacks in Contexts, page 6-20

Viewing Context Information

From the system execution space, you can view a list of contexts including the name, allocated interfaces, and configuration file URL. To view all contexts, enter the following command:

hostname# show context [name | detail | count]

The detail option shows additional information; see the sample displays below. To show information for a particular context, specify the name. The count option shows the total number of contexts.

The following sample output from the show context command shows three contexts:

hostname# show context
Context Name      Interfaces                 URL
*admin            GigabitEthernet0/1.100     disk0:/admin.cfg
                  GigabitEthernet0/1.101
 contexta         GigabitEthernet0/1.200     disk0:/contexta.cfg
                  GigabitEthernet0/1.201
 contextb         GigabitEthernet0/1.300     disk0:/contextb.cfg
                  GigabitEthernet0/1.301
Total active Security Contexts: 3

Table 6-2 shows each field description.

Table 6-2 show context Fields

Field         Description
Context Name  Lists all context names. The context name with the asterisk (*) is the admin context.
Interfaces    The interfaces assigned to the context.
URL           The URL from which the security appliance loads the context configuration.

The following is sample output from the show context detail command:

hostname# show context detail
Context "admin", has been created, but initial ACL rules not complete
  Config URL: disk0:/admin.cfg
  Real Interfaces: Management0/0
  Mapped Interfaces: Management0/0
  Flags: 0x00000013, ID: 1

Context "ctx", has been created, but initial ACL rules not complete
  Config URL: ctx.cfg
  Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20, GigabitEthernet0/2.30
  Mapped Interfaces: int1, int2, int3
  Flags: 0x00000011, ID: 2

Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Control0/0, GigabitEthernet0/0, GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10, GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30, GigabitEthernet0/3, Management0/0, Management0/0.1
  Flags: 0x00000019, ID: 257

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Flags: 0x00000009, ID: 258

See the Cisco Security Appliance Command Reference for more information about the detail output.

The following is sample output from the show context count command:

hostname# show context count
Total active contexts: 2

Viewing Resource Allocation

From the system execution space, you can view the allocation for each resource across all classes and class members. To view the resource allocation, enter the following command:

hostname# show resource allocation [detail]

This command shows the resource allocation, but does not show the actual resources being used. See the “Viewing Resource Usage” section on page 6-19 for more information about actual resource usage. The detail argument shows additional information. See the following sample displays for more information.
The following sample display shows the total allocation of each resource as an absolute value and as a percentage of the available system resources:

hostname# show resource allocation
Resource            Total        % of Avail
Conns [rate]        35000        N/A
Inspects [rate]     35000        N/A
Syslogs [rate]      10500        N/A
Conns               305000       30.50%
Hosts               78842        N/A
SSH                 35           35.00%
Telnet              35           35.00%
Xlates              91749        N/A
All                 unlimited

Table 6-3 shows each field description.

Table 6-3 show resource allocation Fields

Field       Description
Resource    The name of the resource that you can limit.
Total       The total amount of the resource that is allocated across all contexts. The amount is an absolute number of concurrent instances or instances per second. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display.
% of Avail  The percentage of the total system resources that is allocated across all contexts, if the resource has a hard system limit. If a resource does not have a system limit, this column shows N/A.

The following is sample output from the show resource allocation detail command:

hostname# show resource allocation detail
Resource Origin:
        A    Value was derived from the resource 'all'
        C    Value set in the definition of this class
        D    Value set in default class
Resource         Class         Mmbrs  Origin  Limit      Total    Total %
Conns [rate]     default       all    CA      unlimited
                 gold          1      C       34000      34000    N/A
                 silver        1      CA      17000      17000    N/A
                 bronze        0      CA      8500
                 All Contexts: 3                         51000    N/A
Inspects [rate]  default       all    CA      unlimited
                 gold          1      DA      unlimited
                 silver        1      CA      10000      10000    N/A
                 bronze        0      CA      5000
                 All Contexts: 3                         10000    N/A
Syslogs [rate]   default       all    CA      unlimited
                 gold          1      C       6000       6000     N/A
                 silver        1      CA      3000       3000     N/A
                 bronze        0      CA      1500
                 All Contexts: 3                         9000     N/A
Conns            default       all    CA      unlimited
                 gold          1      C       200000     200000   20.00%
                 silver        1      CA      100000     100000   10.00%
                 bronze        0      CA      50000
                 All Contexts: 3                         300000   30.00%
Hosts            default       all    CA      unlimited
                 gold          1      DA      unlimited
                 silver        1      CA      26214      26214    N/A
                 bronze        0      CA      13107
                 All Contexts: 3                         26214    N/A
SSH              default       all    C       5
                 gold          1      D       5          5        5.00%
                 silver        1      CA      10         10       10.00%
                 bronze        0      CA      5
                 All Contexts: 3                         20       20.00%
Telnet           default       all    C       5
                 gold          1      D       5          5        5.00%
                 silver        1      CA      10         10       10.00%
                 bronze        0      CA      5
                 All Contexts: 3                         20       20.00%
Xlates           default       all    CA      unlimited
                 gold          1      DA      unlimited
                 silver        1      CA      23040      23040    N/A
                 bronze        0      CA      11520
                 All Contexts: 3                         23040    N/A
mac-addresses    default       all    C       65535
                 gold          1      D       65535      65535    100.00%
                 silver        1      CA      6553       6553     9.99%
                 bronze        0      CA      3276
                 All Contexts: 3                         137623   209.99%

Table 6-4 shows each field description.

Table 6-4 show resource allocation detail Fields

Field       Description
Resource    The name of the resource that you can limit.
Class       The name of each class, including the default class. The All Contexts row shows the total values across all classes.
Mmbrs       The number of contexts assigned to each class.
Origin      The origin of the resource limit, as follows:
            • A—You set this limit with the all option, instead of as an individual resource.
            • C—This limit is derived from the member class.
            • D—This limit was not defined in the member class, but was derived from the default class. For a context assigned to the default class, the value will be “C” instead of “D.”
            The security appliance can combine “A” with “C” or “D.”
Limit       The limit of the resource per context, as an absolute number. If you specified a percentage in the class definition, the security appliance converts the percentage to an absolute number for this display.
Total       The total amount of the resource that is allocated across all contexts in the class. The amount is an absolute number of concurrent instances or instances per second. If the resource is unlimited, this display is blank.
% of Avail  The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, this column shows N/A. A value over 100%, such as the 209.99% shown for mac-addresses above, means the classes are oversubscribed: the combined per-context limits exceed what the system can provide, and in practice the system limit applies (see the S marker in the show resource usage summary output in the next section).

Viewing Resource Usage

From the system execution space, you can view the resource usage for each context and display the system resource usage. To view the resource usage for each context, enter the following command:

hostname# show resource usage [context context_name | top n | all | summary | system] [resource {resource_name | all} | detail] [counter counter_name [count_threshold]]

By default, all context usage is displayed; each context is listed separately.

Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.

The summary option shows all context usage combined.

The system option shows all context usage combined, but shows the system limits for resources instead of the combined context limits.

For the resource resource_name, see Table 6-1 for available resource names. See also the show resource type command. Specify all (the default) for all types.

The detail option shows the resource usage of all resources, including those you cannot manage. For example, you can view the number of TCP intercepts.

The counter counter_name is one of the following keywords:

• current—Shows the active concurrent instances or the current rate of the resource.
• denied—Shows the number of instances that were denied because they exceeded the resource limit shown in the Limit column.
• peak—Shows the peak concurrent instances, or the peak rate of the resource since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.
• all—(Default) Shows all statistics.

The count_threshold sets the number above which resources are shown. The default is 1. If the usage of the resource is below the number you set, the resource is not shown. If you specify all for the counter name, the count_threshold applies to the current usage.

Note To show all resources, set the count_threshold to 0.

The following is sample output from the show resource usage context command, which shows the resource usage for the admin context:

hostname# show resource usage context admin
Resource   Current  Peak  Limit  Denied  Context
Telnet     1        1     5      0       admin
Conns      44       55    N/A    0       admin
Hosts      45       56    N/A    0       admin

The following is sample output from the show resource usage summary command, which shows the resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.

hostname# show resource usage summary
Resource          Current  Peak  Limit       Denied  Context
Syslogs [rate]    1743     2132  N/A         0       Summary
Conns             584      763   280000(S)   0       Summary
Xlates            8526     8966  N/A         0       Summary
Hosts             254      254   N/A         0       Summary
Conns [rate]      270      535   N/A         1704    Summary
Inspects [rate]   270      535   N/A         0       Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage summary command, which shows the limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, the combined limit is 125. The system limit is only 100, so the system limit is shown.

hostname# show resource usage summary
Resource   Current  Peak  Limit   Denied  Context
Telnet     1        1     100[S]  0       Summary
SSH        2        2     100[S]  0       Summary
Conns      56       90    N/A     0       Summary
Hosts      89       102   N/A     0       Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the resource usage for all contexts, but shows the system limit instead of the combined context limits. The counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate how many times the resource was denied due to the system limit, if available.

hostname# show resource usage system counter all 0
Resource          Current  Peak  Limit   Denied  Context
Telnet            0        0     100     0       System
SSH               0        0     100     0       System
ASDM              0        0     32      0       System
Syslogs [rate]    1        18    N/A     0       System
Conns             0        1     280000  0       System
Xlates            0        0     N/A     0       System
Hosts             0        2     N/A     0       System
Conns [rate]      1        1     N/A     0       System
Inspects [rate]   0        0     N/A     0       System

Monitoring SYN Attacks in Contexts

The security appliance prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets, usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic (half-open) connection threshold configured for the traffic is crossed, the security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. Only when the security appliance receives the ACK back from the client, which shows that the client really holds that source address, does it complete the handshake with the server and allow the connection through; SYNs from spoofed addresses never get that far and never consume a server SYN queue entry.
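A monitoring job normally does not read these tables by eye; it parses them and alerts on three things: a non-zero Denied column, a Limit carrying the [S] or (S) marker (combined context limits exceed the system limit), and TCP intercept counters that jump, as in the tcp-intercepts and tcp-intercept-rate rows of the show resource usage detail output that follows. The parser below is an added example, not Cisco code; it accepts the row layout of the show resource usage outputs on this page, the sample text is constructed from those outputs, and the alert thresholds (100000 intercepts, 80% utilisation) are assumptions rather than Cisco defaults.

```python
"""Parse `show resource usage ...` tables and raise alerts (added example, not Cisco code)."""
import re

# One data row: Resource (optionally followed by " [rate]"), Current, Peak, Limit, Denied, Context.
ROW = re.compile(
    r"^(?P<resource>\S+(?: \[rate\])?)\s+"
    r"(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\S+)\s+(?P<denied>\d+)\s+(?P<context>\S+)$"
)
# "100[S]" or "280000(S)": the system limit is shown because contexts are oversubscribed.
SYSTEM_CAP = re.compile(r"^(\d+)[\[(]S[\])]$")


def parse_rows(text: str) -> list[dict]:
    """Return one dict per data row; prompts, headers and the 'S = System' legend are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        limit_text = m["limit"]
        capped = SYSTEM_CAP.match(limit_text)
        if capped:
            limit = int(capped.group(1))
        elif limit_text.isdigit():
            limit = int(limit_text)
        else:                      # "N/A" or "unlimited": no enforceable limit
            limit = None
        rows.append({
            "resource": m["resource"],
            "current": int(m["current"]),
            "peak": int(m["peak"]),
            "limit": limit,
            "system_capped": bool(capped),
            "denied": int(m["denied"]),
            "context": m["context"],
        })
    return rows


def alerts(text: str, intercept_threshold: int = 100000, util_threshold: float = 0.8) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for the conditions worth paging on (thresholds are assumptions)."""
    out = []
    for r in parse_rows(text):
        where = f"{r['resource']} in {r['context']}"
        if r["denied"] > 0:
            out.append(("high", f"{where}: {r['denied']} requests denied at the limit"))
        if r["system_capped"]:
            out.append(("medium", f"{where}: combined context limits exceed the system limit of {r['limit']}"))
        if r["limit"] and r["current"] >= util_threshold * r["limit"]:
            out.append(("medium", f"{where}: {r['current']}/{r['limit']} in use"))
        if r["resource"].startswith("tcp-intercept") and r["current"] >= intercept_threshold:
            out.append(("high", f"{where}: TCP intercept at {r['current']} (possible SYN flood)"))
    return out


# Constructed from the sample outputs on this page; not a live capture.
SAMPLE = """\
hostname# show resource usage summary
Resource          Current  Peak    Limit       Denied  Context
Syslogs [rate]    1743     2132    N/A         0       Summary
Conns             584      763     280000(S)   0       Summary
Xlates            8526     8966    N/A         0       Summary
Conns [rate]      270      535     N/A         1704    Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.
hostname# show resource usage summary detail
Telnet            1        1       100[S]      0       Summary
tcp-intercept-rate 341306  811579  unlimited   0       Summary
"""

if __name__ == "__main__":
    for severity, message in alerts(SAMPLE):
        print(f"[{severity}] {message}")
```

Feed it the output of show resource usage summary, show resource usage system counter all 0, or the detail variants unchanged; the Denied column is the one that tells you a context limit is actually being hit rather than merely approached.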
You can monitor the rate of attacks for individual contexts using the show perfmon command; you can monitor the amount of resources being used by TCP intercept for individual contexts using the show resource usage detail command; and you can monitor the resources being used by TCP intercept for the entire system using the show resource usage summary detail command.

The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin:

hostname/admin# show perfmon
Context:admin
PERFMON STATS:    Current     Average
Xlates            0/s         0/s
Connections       0/s         0/s
TCP Conns         0/s         0/s
UDP Conns         0/s         0/s
URL Access        0/s         0/s
URL Server Req    0/s         0/s
WebSns Req        0/s         0/s
TCP Fixup         0/s         0/s
HTTP Fixup        0/s         0/s
FTP Fixup         0/s         0/s
AAA Authen        0/s         0/s
AAA Author        0/s         0/s
AAA Account       0/s         0/s
TCP Intercept     322779/s    322779/s

The following is sample output from the show resource usage detail command that shows the amount of resources being used by TCP Intercept for individual contexts. The tcp-intercepts and tcp-intercept-rate rows carry the TCP intercept information (the original shows them in italics):

hostname(config)# show resource usage detail
Resource              Current     Peak        Limit      Denied  Context
memory                843732      847288      unlimited  0       admin
chunk:channels        14          15          unlimited  0       admin
chunk:fixup           15          15          unlimited  0       admin
chunk:hole            1           1           unlimited  0       admin
chunk:ip-users        10          10          unlimited  0       admin
chunk:list-elem       21          21          unlimited  0       admin
chunk:list-hdr        3           4           unlimited  0       admin
chunk:route           2           2           unlimited  0       admin
chunk:static          1           1           unlimited  0       admin
tcp-intercepts        328787      803610      unlimited  0       admin
np-statics            3           3           unlimited  0       admin
statics               1           1           unlimited  0       admin
ace-rules             1           1           unlimited  0       admin
console-access-rul    2           2           unlimited  0       admin
fixup-rules           14          15          unlimited  0       admin
memory                959872      960000      unlimited  0       c1
chunk:channels        15          16          unlimited  0       c1
chunk:dbgtrace        1           1           unlimited  0       c1
chunk:fixup           15          15          unlimited  0       c1
chunk:global          1           1           unlimited  0       c1
chunk:hole            2           2           unlimited  0       c1
chunk:ip-users        10          10          unlimited  0       c1
chunk:udp-ctrl-blk    1           1           unlimited  0       c1
chunk:list-elem       24          24          unlimited  0       c1
chunk:list-hdr        5           6           unlimited  0       c1
chunk:nat             1           1           unlimited  0       c1
chunk:route           2           2           unlimited  0       c1
chunk:static          1           1           unlimited  0       c1
tcp-intercept-rate    16056       16254       unlimited  0       c1
globals               1           1           unlimited  0       c1
np-statics            3           3           unlimited  0       c1
statics               1           1           unlimited  0       c1
nats                  1           1           unlimited  0       c1
ace-rules             2           2           unlimited  0       c1
console-access-rul    2           2           unlimited  0       c1
fixup-rules           14          15          unlimited  0       c1
memory                232695716   232020648   unlimited  0       system
chunk:channels        17          20          unlimited  0       system
chunk:dbgtrace        3           3           unlimited  0       system
chunk:fixup           15          15          unlimited  0       system
chunk:ip-users        4           4           unlimited  0       system
chunk:list-elem       1014        1014        unlimited  0       system
chunk:list-hdr        1           1           unlimited  0       system
chunk:route           1           1           unlimited  0       system
block:16384           510         885         unlimited  0       system
block:2048            32          34          unlimited  0       system

The following sample output shows the resources being used by TCP intercept for the entire system. Again, the tcp-intercept-rate row carries the TCP intercept information:

hostname(config)# show resource usage summary detail
Resource              Current     Peak        Limit      Denied  Context
memory                238421312   238434336   unlimited  0       Summary
chunk:channels        46          48          unlimited  0       Summary
chunk:dbgtrace        4           4           unlimited  0       Summary
chunk:fixup           45          45          unlimited  0       Summary
chunk:global          1           1           unlimited  0       Summary
chunk:hole            3           3           unlimited  0       Summary
chunk:ip-users        24          24          unlimited  0       Summary
chunk:udp-ctrl-blk    1           1           unlimited  0       Summary
chunk:list-elem       1059        1059        unlimited  0       Summary
chunk:list-hdr        10          11          unlimited  0       Summary
chunk:nat             1           1           unlimited  0       Summary
chunk:route           5           5           unlimited  0       Summary
chunk:static          2           2           unlimited  0       Summary
block:16384           510         885         unlimited  0       Summary
block:2048            32          35          unlimited  0       Summary
tcp-intercept-rate    341306      811579      unlimited  0       Summary
globals               1           1           unlimited  0       Summary
np-statics            6           6           unlimited  0       Summary
statics               2           2           N/A        0       Summary
nats                  1           1           N/A        0       Summary
ace-rules             3           3           N/A        0       Summary
console-access-rul    4           4           N/A        0       Summary
fixup-rules           43          44          N/A        0       Summary

CHAPTER 7

Configuring Interface Parameters

This chapter describes how to configure each interface and subinterface for a name, security level, and IP address. For single context mode, the procedures in this chapter continue the interface configuration started in Chapter 5, “Configuring Ethernet Settings and Subinterfaces.” For multiple context mode, the procedures in Chapter 5, “Configuring Ethernet Settings and Subinterfaces,” are performed in the system execution space, while the procedures in this chapter are performed within each security context.
Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.”

This chapter includes the following sections:

• Security Level Overview, page 7-1
• Configuring the Interface, page 7-2
• Allowing Communication Between Interfaces on the Same Security Level, page 7-6

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6 for more information.

The level controls the following behavior:

• Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. Traffic from a lower security interface to a higher one has no implicit permit; it must be explicitly allowed by an access list applied to the lower security interface. If you enable communication for same security interfaces (see the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6), there is an implicit permit for interfaces to access other interfaces on the same security level or lower.
• Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
  – NetBIOS inspection engine—Applied only for outbound connections.
  – SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.
• NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interfaces, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.

Configuring the Interface

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.
Before you can complete your configuration and allow traffic through the security appliance, you need to configure an interface name and, for routed mode, an IP address. You should also change the security level from the default, which is 0. If you name an interface “inside” and you do not set the security level explicitly, the security appliance sets the security level to 100. Any other name leaves the interface at 0, the same level as a typical outside interface, so set the level explicitly for every interface you name.

Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.

For multiple context mode, follow these guidelines:

• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system configuration.
• The system configuration only lets you configure Ethernet settings and VLANs. The exception is for failover interfaces; do not configure failover interfaces with this procedure. See the Failover chapter for more information.

Note If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

To configure an interface or subinterface, perform the following steps:

Step 1 To specify the interface you want to configure, enter the following command:

hostname(config)# interface {physical_interface[.subinterface] | mapped_name}

The physical_interface ID includes the type, slot, and port number as type[slot/]port. The physical interface types include the following:

• ethernet
• gigabitethernet

For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0.

For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1.

For the ASA 5550 adaptive security appliance, for maximum throughput, be sure to balance your traffic over the two interface slots; for example, assign the inside interface to slot 1 and the outside interface to slot 0.

The ASA 5510 and higher adaptive security appliance also includes the following type:

• management

The management interface is a Fast Ethernet interface designed for management traffic only, and is specified as management0/0. You can, however, use it for through traffic if desired (see the management-only command). In transparent firewall mode, you can use the management interface in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode.

Append the subinterface ID to the physical interface ID separated by a period (.).

In multiple context mode, enter the mapped name if one was assigned using the allocate-interface command.

For example, enter the following command:

hostname(config)# interface gigabitethernet0/1.1

Step 2 To name the interface, enter the following command:

hostname(config-if)# nameif name

The name is a text string up to 48 characters, and is not case-sensitive. You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Step 3 To set the security level, enter the following command:

hostname(config-if)# security-level number

Where number is an integer between 0 (lowest) and 100 (highest).
Step 4 (Optional) To set an interface to management-only mode, enter the following command:

hostname(config-if)# management-only

The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.

Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.

Step 5 To set the IP address, enter one of the following commands.

In routed firewall mode, you set the IP address for all interfaces. In transparent firewall mode, you do not set the IP address for each interface, but rather for the whole security appliance or context. The exception is the Management 0/0 management-only interface, which does not pass through traffic. To set the management IP address for transparent firewall mode, see the “Setting the Management IP Address for a Transparent Firewall” section on page 8-5. To set the IP address of the Management 0/0 interface or subinterface, use one of the following commands.

To set an IPv6 address, see the “Configuring IPv6 on an Interface” section on page 12-3.

For failover, you must set the IP address and standby address manually; DHCP and PPPoE are not supported.

• To set the IP address manually, enter the following command:

hostname(config-if)# ip address ip_address [mask] [standby ip_address]

The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information.

• To obtain an IP address from a DHCP server, enter the following command:

hostname(config-if)# ip address dhcp [setroute]

Reenter this command to reset the DHCP lease and request a new lease. If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.

• To obtain an IP address from a PPPoE server, see Chapter 35, “Configuring the PPPoE Client.”

Step 6 (Optional) To assign a private MAC address to this interface, enter the following command:

hostname(config-if)# mac-address mac_address [standby mac_address]

The mac_address is in H.H.H format, where each H is a 16-bit hexadecimal value (four hexadecimal digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

For use with failover, set the standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.

For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

Step 7 To enable the interface, if it is not already enabled, enter the following command:

hostname(config-if)# no shutdown

To disable the interface, enter the shutdown command. If you enter the shutdown command for a physical interface, you also shut down all subinterfaces. If you shut down an interface in the system execution space, that interface is shut down in all contexts that share it, even though the context configurations show the interface as enabled.
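The procedure in Steps 1 to 7 above and the security-level rules from the overview can be captured in a small generator that renders the CLI from an interface plan and reports which interface pairs get an implicit permit. This is an added example, not Cisco code: the Iface plan class and the function names are assumptions of the example; the documented behaviour it encodes is the default security level (an interface named "inside" gets 100, anything else 0), the 48-character nameif limit, the 0 to 100 level range, the H.H.H form of the mac-address command, and the rule that vlan belongs to the system configuration in multiple context mode (so it is emitted only for mode="single"). The implicit-permit matrix goes slightly beyond the text by covering every pair in the plan, with or without same-security-traffic permit inter-interface.

```python
"""Render the interface procedure as ASA CLI and compute implicit permits (added example, not Cisco code)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from itertools import permutations


@dataclass
class Iface:                          # plan format: an assumption of this example
    ifname: str                       # e.g. "gigabitethernet0/1.1"
    name: str                         # nameif value
    ip: str | None = None
    mask: str | None = None
    level: int | None = None          # None -> documented default
    vlan: int | None = None           # subinterfaces only
    mac: str | None = None
    standby_mac: str | None = None
    standby_ip: str | None = None


def default_level(name: str, level: int | None) -> int:
    """Documented default: 'inside' is 100 unless set explicitly, every other name is 0."""
    if level is None:
        return 100 if name.lower() == "inside" else 0
    if not 0 <= level <= 100:
        raise ValueError(f"security-level must be 0..100, got {level}")
    return level


def to_hhh(mac: str) -> str:
    """Normalise 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de or 000c.f142.4cde to 000C.F142.4CDE."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def render(i: Iface, mode: str = "single") -> list[str]:
    """Emit the commands of Steps 1 to 7 for one interface, in the order the guide's examples use."""
    if len(i.name) > 48:
        raise ValueError("nameif is limited to 48 characters")
    is_sub = "." in i.ifname
    cmds = [f"interface {i.ifname}"]
    if is_sub and mode == "single" and i.vlan is not None:
        cmds.append(f" vlan {i.vlan}")               # system configuration in multiple mode
    cmds.append(f" nameif {i.name}")
    cmds.append(f" security-level {default_level(i.name, i.level)}")
    if i.ip:
        line = f" ip address {i.ip}" + (f" {i.mask}" if i.mask else "")
        if i.standby_ip:
            line += f" standby {i.standby_ip}"       # failover: manual addresses only
        cmds.append(line)
    if i.mac:
        line = f" mac-address {to_hhh(i.mac)}"
        if i.standby_mac:
            line += f" standby {to_hhh(i.standby_mac)}"
        cmds.append(line)
    cmds.append(" no shutdown")
    return cmds


def implicit_permit(src_level: int, dst_level: int, same_security: bool = False) -> bool:
    """Higher -> lower is implicitly permitted; equal levels only with
    `same-security-traffic permit inter-interface`; lower -> higher never (needs an ACL)."""
    if src_level > dst_level:
        return True
    if src_level == dst_level:
        return same_security
    return False


def permitted_pairs(plan: list[Iface], same_security: bool = False) -> list[tuple[str, str]]:
    """All (source nameif, destination nameif) pairs that have an implicit permit."""
    levels = {i.name: default_level(i.name, i.level) for i in plan}
    return [(a, b) for a, b in permutations(levels, 2)
            if implicit_permit(levels[a], levels[b], same_security)]


# Constructed plan mirroring the examples that follow in the guide.
INSIDE = Iface("gigabitethernet0/1", "inside", "10.1.1.1", "255.255.255.0")
OUTSIDE = Iface("gigabitethernet0/0", "outside", "203.0.113.2", "255.255.255.0")
DMZ1 = Iface("gigabitethernet0/1.1", "dmz1", "10.1.2.1", "255.255.255.0", level=50, vlan=101,
             mac="00-0C-F1-42-4C-DE", standby_mac="02-0C-F1-42-4C-DE")
DMZ2 = Iface("gigabitethernet0/1.2", "dmz2", "10.1.3.1", "255.255.255.0", level=50, vlan=102)
PLAN = [INSIDE, OUTSIDE, DMZ1, DMZ2]

if __name__ == "__main__":
    for iface in PLAN:
        print("\n".join(render(iface)))
    print("implicit permits:", permitted_pairs(PLAN))
    print("with same-security:", permitted_pairs(PLAN, same_security=True))
```

The permit matrix is the part worth keeping next to a change request: it shows that dmz1 and dmz2 at equal levels cannot talk until same-security-traffic permit inter-interface is enabled, and that nothing reaches inside without an access list.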
The following example configures parameters for the physical interface in single mode:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

The following example configures parameters for a subinterface in single mode:

hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# mac-address 000C.F142.4CDE standby 020C.F142.4CDE
hostname(config-subif)# no shutdown

The following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1

The following example configures parameters in multiple context mode for the context configuration:

hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE
hostname/contextA(config-if)# no shutdown

Allowing Communication Between Interfaces on the Same Security Level

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:
• You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).
• You want traffic to flow freely between all same security interfaces without access lists.

Note
If you enable NAT control, you do not need to configure NAT between same security level interfaces. See the “NAT and Same Security Level Interfaces” section on page 17-13 for more information on NAT and same security level interfaces.

If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
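The interface examples above, read back by a small Python checker (added here; it is not code from the Cisco guide) that parses the interface blocks and applies the security-level rules of this chapter: traffic from a higher security level to a lower one is allowed by default, lower to higher is not, and same-level interfaces communicate only when same-security-traffic permit inter-interface is configured. The extra dmz2 subinterface and the prompt-stripping pattern are assumptions added for the demonstration.

```python
import re

# Constructed sample: the single-mode examples from this section, plus one
# extra subinterface (dmz2, added here) so that two interfaces share
# security level 50, and the same-security-traffic command from this section.
SAMPLE_CONFIG = """\
hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# mac-address 000C.F142.4CDE standby 020C.F142.4CDE
hostname(config-subif)# no shutdown
hostname(config)# interface gigabitethernet0/1.2
hostname(config-subif)# vlan 102
hostname(config-subif)# nameif dmz2
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.3.1 255.255.255.0
hostname(config-subif)# no shutdown
hostname(config)# same-security-traffic permit inter-interface
"""

# Strips a leading "hostname(config-if)# " style prompt (assumed format).
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def parse_config(config_text):
    """Return (interfaces, same_security_inter).

    interfaces maps each nameif to a dict with its physical name, security
    level and shutdown state.  Interface blocks without a nameif (such as the
    physical interface in a multiple-context system configuration) carry no
    security level and are skipped, because they pass no traffic themselves.
    """
    interfaces, current, same_security = {}, None, False
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "nameif": None,
                       "level": None, "shutdown": False}
        elif line == "same-security-traffic permit inter-interface":
            same_security = True
        elif current is None:
            continue
        elif line == "shutdown":
            current["shutdown"] = True
        elif line == "no shutdown":
            current["shutdown"] = False
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
            interfaces[current["nameif"]] = current
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
    return interfaces, same_security


def can_initiate(interfaces, src, dst, same_security_inter=False):
    """Whether hosts behind src may open connections to hosts behind dst without
    an access list: higher level to lower level is allowed by default, lower to
    higher is not, and equal levels depend on the same-security-traffic setting."""
    s, d = interfaces[src], interfaces[dst]
    if s["shutdown"] or d["shutdown"] or s["level"] is None or d["level"] is None:
        return False
    if s["level"] == d["level"]:
        return same_security_inter
    return s["level"] > d["level"]


def allowed_pairs(interfaces, same_security_inter=False):
    """All (src, dst) pairs that can communicate without an ACL, sorted."""
    names = sorted(interfaces)
    return [(a, b) for a in names for b in names
            if a != b and can_initiate(interfaces, a, b, same_security_inter)]


def shared_levels(interfaces):
    """Security levels used by more than one interface; with the default
    setting these interfaces are isolated from each other."""
    by_level = {}
    for name, entry in interfaces.items():
        by_level.setdefault(entry["level"], []).append(name)
    return {lvl: sorted(n) for lvl, n in by_level.items() if len(n) > 1}


if __name__ == "__main__":
    ifaces, same_sec = parse_config(SAMPLE_CONFIG)
    print("shared levels:", shared_levels(ifaces))
    print("default policy:", allowed_pairs(ifaces))
    print("with same-security permitted:", allowed_pairs(ifaces, same_sec))
```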
To enable interfaces on the same security level so that they can communicate with each other, enter the following command:

hostname(config)# same-security-traffic permit inter-interface

To disable this setting, use the no form of this command.

Chapter 8 Configuring Basic Settings

This chapter describes how to configure basic settings on your security appliance that are typically required for a functioning configuration. This chapter includes the following sections:
• Changing the Login Password, page 8-1
• Changing the Enable Password, page 8-1
• Setting the Hostname, page 8-2
• Setting the Domain Name, page 8-2
• Setting the Date and Time, page 8-2
• Setting the Management IP Address for a Transparent Firewall, page 8-5

Changing the Login Password

The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command:

hostname(config)# {passwd | password} password

You can enter passwd or password. The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.

Changing the Enable Password

The enable password lets you enter privileged EXEC mode. By default, the enable password is blank. To change the enable password, enter the following command:

hostname(config)# enable password password

The password is a case-sensitive password of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space. This command changes the password for the highest privilege level.
If you configure local command authorization, you can set enable passwords for each privilege level from 0 to 15. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Enter the enable password command without a password to set the password to the default, which is blank.

Setting the Hostname

When you set a hostname for the security appliance, that name appears in the command line prompt. If you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The default hostname depends on your platform. For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line, but can be used by the banner command $(hostname) token. To specify the hostname for the security appliance or for a context, enter the following command:

hostname(config)# hostname name

This name can be up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen. This name appears in the command line prompt. For example:

hostname(config)# hostname farscape
farscape(config)#

Setting the Domain Name

The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,” then the security appliance qualifies the name to “jupiter.example.com.” The default domain name is default.domain.invalid. For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
To specify the domain name for the security appliance, enter the following command:

hostname(config)# domain-name name

For example, to set the domain as example.com, enter the following command:

hostname(config)# domain-name example.com

Setting the Date and Time

This section describes how to set the date and time, either manually or dynamically using an NTP server. Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range.

Note
In multiple context mode, set the time in the system configuration only.

This section includes the following topics:
• Setting the Time Zone and Daylight Saving Time Date Range, page 8-3
• Setting the Date and Time Using an NTP Server, page 8-4
• Setting the Date and Time Manually, page 8-5

Setting the Time Zone and Daylight Saving Time Date Range

By default, the time zone is UTC and the daylight saving time date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October. To change the time zone and daylight saving time date range, perform the following steps:

Step 1
To set the time zone, enter the following command in global configuration mode:

hostname(config)# clock timezone zone [-]hours [minutes]

Where zone specifies the time zone as a string, for example, PST for Pacific Standard Time. The [-]hours value sets the number of hours of offset from UTC. For example, PST is -8 hours. The minutes value sets the number of minutes of offset from UTC.

Step 2
To change the date range for daylight saving time from the default, enter one of the following commands. The default recurring date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.
• To set the start and end dates for daylight saving time as a specific date in a specific year, enter the following command:

hostname(config)# clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]

If you use this command, you need to reset the dates every year. The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time. The day value sets the day of the month, from 1 to 31. The month value sets the month as a string. You can enter the day and month as April 1 or as 1 April, for example, depending on your standard date format. The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035. The hh:mm value sets the hour and minutes in 24-hour time. The offset value sets the number of minutes to change the time for daylight saving time. By default, the value is 60 minutes.

• To specify the start and end dates for daylight saving time, in the form of a day and time of the month, and not a specific date in a year, enter the following command:

hostname(config)# clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]

This command lets you set a recurring date range that you do not need to alter yearly. The zone value specifies the time zone as a string, for example, PDT for Pacific Daylight Time. The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last. The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and so on. The month value sets the month as a string. The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving time. By default, the value is 60 minutes.

Setting the Date and Time Using an NTP Server

To obtain the date and time from an NTP server, perform the following steps:

Step 1
To configure authentication with an NTP server, perform the following steps:

a. To enable authentication, enter the following command:

hostname(config)# ntp authenticate

b. To specify an authentication key ID to be a trusted key, which is required for authentication with an NTP server, enter the following command:

hostname(config)# ntp trusted-key key_id

Where the key_id is between 1 and 4294967295. You can enter multiple trusted keys for use with multiple servers.

c. To set a key to authenticate with an NTP server, enter the following command:

hostname(config)# ntp authentication-key key_id md5 key

Where key_id is the ID you set in Step 1b using the ntp trusted-key command, and key is a string up to 32 characters in length.

Step 2
To identify an NTP server, enter the following command:

hostname(config)# ntp server ip_address [key key_id] [source interface_name] [prefer]

Where the key_id is the ID you set in Step 1b using the ntp trusted-key command. The source interface_name identifies the outgoing interface for NTP packets if you do not want to use the default interface in the routing table. Because the system does not include any interfaces in multiple context mode, specify an interface name defined in the admin context. The prefer keyword sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one.
For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server.

Note
SNTP is not supported; only NTP is supported.

Setting the Date and Time Manually

To set the date and time manually, enter the following command:

hostname# clock set hh:mm:ss {month day | day month} year

Where hh:mm:ss sets the hour, minutes, and seconds in 24-hour time. For example, set 20:54:00 for 8:54 pm. The day value sets the day of the month, from 1 to 31. The month value sets the month. You can enter the day and month as april 1 or as 1 april, for example, depending on your standard date format. The year value sets the year using four digits, for example, 2004. The year range is 1993 to 2035. The default time zone is UTC. If you change the time zone after you enter the clock set command using the clock timezone command, the time automatically adjusts to the new time zone. This command sets the time in the hardware chip, and does not save the time in the configuration file. This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC command. To reset the clock, you need to set a new time for the clock set command.

Setting the Management IP Address for a Transparent Firewall

Transparent firewall mode only.

A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers.
You can also use this address for remote management access. For multiple context mode, set the management IP address within each context. To set the management IP address, enter the following command:

hostname(config)# ip address ip_address [mask] [standby ip_address]

This address must be on the same subnet as the upstream and downstream routers. You cannot set the subnet to a host subnet (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information.

Chapter 9 Configuring IP Routing

This chapter describes how to configure IP routing on the security appliance. This chapter includes the following sections:
• How Routing Behaves Within the ASA Security Appliance, page 9-1
• Configuring Static and Default Routes, page 9-2
• Defining Route Maps, page 9-7
• Configuring OSPF, page 9-8
• Configuring RIP, page 9-20
• The Routing Table, page 9-24
• Dynamic Routing and Failover, page 9-26

How Routing Behaves Within the ASA Security Appliance

The ASA security appliance uses both the routing table and the XLATE tables for routing decisions. To handle destination IP translated traffic, that is, traffic whose destination address the appliance untranslates, the ASA searches for an existing XLATE or static translation to select the egress interface. The selection process is as follows:

Egress Interface Selection Process
1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined from the XLATE table, not from the routing table.
2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then the egress interface is determined from the static route and an XLATE is created, and the routing table is not used.
3. If a destination IP translating XLATE does not exist and no matching static translation exists, the packet is not destination IP translated. The security appliance processes this packet by looking up the route to select the egress interface, then source IP translation is performed (if necessary).

For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and then the XLATE is created. Incoming return packets are forwarded using the existing XLATE only. For static NAT, destination translated incoming packets are always forwarded using the existing XLATE or static translation rules.

Next Hop Selection Process
After selecting the egress interface using any method described above, an additional route lookup is performed to find out suitable next hop(s) that belong to the previously selected egress interface. If there are no routes in the routing table that explicitly belong to the selected interface, the packet is dropped with the level 6 error message 110001 "no route to host", even if there is another route for the given destination network that belongs to a different egress interface. If a route that belongs to the selected egress interface is found, the packet is forwarded to the corresponding next hop. Load sharing on the security appliance is possible only for multiple next hops available using a single egress interface. Load sharing cannot share multiple egress interfaces. If dynamic routing is in use on the security appliance and the route table changes after XLATE creation, for example a route flap, then destination translated traffic is still forwarded using the old XLATE, not via the route table, until the XLATE times out.
It may be either forwarded to the wrong interface or dropped with message 110001 "no route to host" if the old route was removed from the old interface and attached to another one by the routing process. The same problem may happen when there are no route flaps on the security appliance itself, but some routing process is flapping around it, sending source translated packets that belong to the same flow through the security appliance using different interfaces. Destination translated return packets may be forwarded back using the wrong egress interface. This issue has a high probability in a same security traffic configuration, where virtually any traffic may be either source-translated or destination-translated, depending on the direction of the initial packet in the flow. When this issue occurs after a route flap, it can be resolved manually by using the clear xlate command, or automatically resolved by an XLATE timeout. The XLATE timeout may be decreased if necessary. To ensure that this rarely happens, make sure that there are no route flaps on the security appliance and around it. That is, ensure that destination translated packets that belong to the same flow are always forwarded the same way through the security appliance.

Configuring Static and Default Routes

This section describes how to configure static and default routes on the security appliance. Multiple context mode does not support dynamic routing, so you must use static routes for any networks to which the security appliance is not directly connected; for example, when there is a router between a network and the security appliance. You might want to use static routes in single context mode in the following cases:
• Your networks use a different router discovery protocol from RIP or OSPF.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
The simplest option is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the security appliance. In transparent firewall mode, for traffic that originates on the security appliance and is destined for a non-directly connected network, you need to configure either a default route or static routes so the security appliance knows out of which interface to send traffic. Traffic that originates on the security appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. The security appliance supports up to three equal cost routes on the same interface for load balancing.

This section includes the following topics:
• Configuring a Static Route, page 9-3
• Configuring a Default Route, page 9-4
• Configuring Static Route Tracking, page 9-5

For information about configuring IPv6 static and default routes, see the “Configuring IPv6 Default and Static Routes” section on page 12-5.

Configuring a Static Route

To add a static route, enter the following command:

hostname(config)# route if_name dest_ip mask gateway_ip [distance]

The dest_ip and mask are the IP address and subnet mask of the destination network, and the gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses that are in the packet before entering the security appliance and performing NAT.
The distance is the administrative distance for the route. The default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not over directly connected routes. The default administrative distance for routes discovered by OSPF is 110. If a static route has the same administrative distance as a dynamic route, the static route takes precedence. Connected routes always take precedence over static or dynamically discovered routes. Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the specified interface goes down. They are reinstated when the interface comes back up.

Note
If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the security appliance, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table.

The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface:

hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1

You can define up to three equal cost routes to the same destination per interface. ECMP is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.
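The egress interface and next hop selection process from "How Routing Behaves Within the ASA Security Appliance", together with the administrative distance precedence and the ECMP hashing among up to three gateways on one interface described above, as an added Python model that is not part of the Cisco guide. The routing table, the XLATE and static translation tables and the hash function are constructed here (the appliance's real hash is not documented on the page); addresses follow the chapter's examples where they exist and the dmz entries are made up.

```python
import hashlib
import ipaddress

MSG_110001 = "110001: no route to host"

# Constructed routing table: (prefix, interface, gateway, administrative distance).
# A gateway of None marks a directly connected route (distance 0).  The inside,
# outside and 10.10.10.0/24 entries follow the examples in this chapter; the
# dmz entries, the OSPF-learned duplicate and the default gateway are made up.
ROUTES = [
    ("10.1.2.0/24", "inside", None, 0),
    ("192.168.1.0/24", "outside", None, 0),
    ("172.16.0.0/24", "dmz", None, 0),
    ("10.1.1.0/24", "inside", "10.1.2.45", 1),       # route inside 10.1.1.0 ... 10.1.2.45 1
    ("10.1.1.0/24", "dmz", "172.16.0.2", 110),       # same prefix learned via OSPF
    ("10.10.10.0/24", "outside", "192.168.1.1", 1),  # three equal cost routes
    ("10.10.10.0/24", "outside", "192.168.1.2", 1),
    ("10.10.10.0/24", "outside", "192.168.1.3", 1),
    ("0.0.0.0/0", "outside", "192.168.1.254", 1),    # default route
]


def route_lookup(routes, dst, interface=None):
    """Longest prefix match, then lowest administrative distance.

    Returns every route that ties on both, so equal cost routes come back
    together for ECMP.  With interface set, only routes on that interface are
    candidates: that is the second lookup the text describes, which ignores
    routes for the same destination on other interfaces.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, ifname, gw, dist in routes:
        if interface is not None and ifname != interface:
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append(((net.prefixlen, -dist), (prefix, ifname, gw, dist)))
    if not candidates:
        return []
    best = max(rank for rank, _ in candidates)
    return [route for rank, route in candidates if rank == best]


def select_egress(pkt, xlate, static_nat, routes):
    """Egress interface selection in the order the text gives: an existing
    destination-translating XLATE, then a matching static translation (which
    creates an XLATE), and only then the routing table.  xlate and static_nat
    map a destination IP to the interface the translation points at."""
    dst = pkt["dst"]
    if dst in xlate:
        return xlate[dst], "xlate"
    if dst in static_nat:
        xlate[dst] = static_nat[dst]
        return static_nat[dst], "static"
    matches = route_lookup(routes, dst)
    return (matches[0][1], "route") if matches else (None, "none")


def ecmp_pick(pkt, matches):
    """Pick one of the equal cost routes by hashing source and destination IP.
    The appliance's real hash is not documented on the page; any stable
    per-flow hash shows the property that matters: one flow keeps one gateway."""
    digest = hashlib.sha256(f"{pkt['src']}>{pkt['dst']}".encode()).digest()
    return matches[int.from_bytes(digest[:4], "big") % len(matches)]


def forward(pkt, xlate, static_nat, routes):
    """Full decision for one packet: egress interface, then the next hop from a
    second lookup restricted to that interface.  A missing route on the chosen
    interface is a 110001 drop even when another interface has a route."""
    egress, how = select_egress(pkt, xlate, static_nat, routes)
    if egress is None:
        return {"drop": MSG_110001, "egress": None, "selected_by": how}
    matches = route_lookup(routes, pkt["dst"], interface=egress)
    if not matches:
        return {"drop": MSG_110001, "egress": egress, "selected_by": how}
    prefix, _, gw, dist = ecmp_pick(pkt, matches)
    # A connected route has no gateway: the destination itself is the next hop.
    return {"egress": egress, "selected_by": how, "prefix": prefix,
            "next_hop": gw if gw is not None else pkt["dst"], "distance": dist}


if __name__ == "__main__":
    xlate = {}
    print(forward({"src": "192.168.1.50", "dst": "10.1.1.7"}, xlate, {}, ROUTES))
    for i in (10, 11, 12):
        print(forward({"src": f"10.1.2.{i}", "dst": "10.10.10.9"}, xlate, {}, ROUTES))
    # Stale XLATE still pointing at dmz after a route change: dropped with 110001.
    print(forward({"src": "10.1.2.9", "dst": "10.10.10.5"}, {"10.10.10.5": "dmz"}, {}, ROUTES))
```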
The following example shows static routes that are equal cost routes that direct traffic to three different gateways on the outside interface. The security appliance distributes the traffic among the specified gateways.

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3

Configuring a Default Route

A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.

Note
In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA firewall that is made from the higher metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected. PIX software Version 6.3 supports connections from both the higher and the lower metric interfaces.

You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.
If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the message “ERROR: Cannot add route entry, possible conflict with existing routes.”

You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the security appliance that cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel, this route overrides any other configured or learned default routes. The following restrictions apply to default routes with the tunneled option:
• Do not enable unicast RPF (ip verify reverse-path) on the egress interface of a tunneled route. Enabling uRPF on the egress interface of a tunneled route causes the session to fail.
• Do not enable TCP intercept on the egress interface of the tunneled route. Doing so causes the session to fail.
• Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the DNS inspect engine, or the DCE RPC inspection engine with tunneled routes. These inspection engines ignore the tunneled route.

You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported. To define the default route, enter the following command:

hostname(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]

Tip
You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example:

hostname(config)# route outside 0 0 192.168.1 1

The following example shows a security appliance configured with three equal cost default routes and a default route for tunneled traffic.
Unencrypted traffic received by the security appliance for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, and 192.168.2.3. Encrypted traffic received by the security appliance for which there is no static or learned route is passed to the gateway with the IP address 192.168.2.4.

hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
hostname(config)# route outside 0 0 192.168.2.4 tunneled

Configuring Static Route Tracking

One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static routes are only removed from the routing table if the associated interface on the security appliance goes down. The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable. The security appliance does this by associating a static route with a monitoring target that you define. It monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route. When selecting a monitoring target, you need to make sure it can respond to ICMP echo requests.
The target can be any network object that you choose, but you should consider using:
• the ISP gateway (for dual ISP support) address
• the next hop gateway address (if you are concerned about the availability of the gateway)
• a server on the target network, such as a AAA server, that the security appliance needs to communicate with
• a persistent network object on the destination network (a desktop or notebook computer that may be shut down at night is not a good choice)

You can configure static route tracking for statically defined routes or default routes obtained through DHCP or PPPoE. You can only enable PPPoE clients on multiple interfaces with route tracking. To configure static route tracking, perform the following steps:

Step 1
Configure the tracked object monitoring parameters:

a. Define the monitoring process:

hostname(config)# sla monitor sla_id

If you are configuring a new monitoring process, you are taken to SLA monitor configuration mode. If you are changing the monitoring parameters for an unscheduled monitoring process that already has a type defined, you are taken directly to the SLA protocol configuration mode.

b. Specify the monitoring protocol. If you are changing the monitoring parameters for an unscheduled monitoring process that already has a type defined, you are taken directly to SLA protocol configuration mode and cannot change this setting.

hostname(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface if_name

The target_ip is the IP address of the network object whose availability the tracking process monitors. While this object is available, the tracked route is installed in the routing table. When this object becomes unavailable, the tracking process removes the route and the backup route is used in its place.

c. Schedule the monitoring process:

hostname(config)# sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

Typically, you will use sla monitor schedule sla_id life forever start-time now for the monitoring schedule, and allow the monitoring configuration to determine how often the testing occurs. However, you can schedule this monitoring process to begin in the future and to only occur at specified times.

Step 2
Associate a tracked static route with the SLA monitoring process by entering the following command:

hostname(config)# track track_id rtr sla_id reachability

The track_id is a tracking number you assign with this command. The sla_id is the ID number of the SLA process you defined in Step 1.

Step 3
Define the static route to be installed in the routing table while the tracked object is reachable using one of the following options:

• To track a static route, enter the following command:

hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_id

You cannot use the tunneled option with the route command with static route tracking.

• To track a default route obtained through DHCP, enter the following commands:

hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit

Note
You must use the setroute argument with the ip address dhcp command to obtain the default route using DHCP.

• To track a default route obtained through PPPoE, enter the following commands:

hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# ip address pppoe setroute
hostname(config-if)# exit

Note
You must use the setroute argument with the ip address pppoe command to obtain the default route using PPPoE.
Step 4 Define the backup route to use when the tracked object is unavailable, using one of the following options. The administrative distance of the backup route must be greater than the administrative distance of the tracked route. If it is not, the backup route will be installed in the routing table instead of the tracked route.

• To use a static route, enter the following command:

hostname(config)# route if_name dest_ip mask gateway_ip [admin_distance]

The static route must have the same destination and mask as the tracked route. If you are tracking a default route obtained through DHCP or PPPoE, the address and mask are 0.0.0.0 0.0.0.0.

• To use a default route obtained through DHCP, enter the following commands:

hostname(config)# interface phy_if
hostname(config-if)# dhcp client route track track_id
hostname(config-if)# dhcp client route distance admin_distance
hostname(config-if)# ip address dhcp setroute
hostname(config-if)# exit

You must use the setroute argument with the ip address dhcp command to obtain the default route using DHCP. Make sure the administrative distance is greater than the administrative distance of the tracked route.

• To use a default route obtained through PPPoE, enter the following commands:

hostname(config)# interface phy_if
hostname(config-if)# pppoe client route track track_id
hostname(config-if)# pppoe client route distance admin_distance
hostname(config-if)# ip address pppoe setroute
hostname(config-if)# exit

You must use the setroute argument with the ip address pppoe command to obtain the default route using PPPoE. Make sure the administrative distance is greater than the administrative distance of the tracked route.

Defining Route Maps

Route maps are used when redistributing routes into an OSPF or RIP routing process.
They are also used when generating a default route into an OSPF routing process. A route map defines which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process.

To define a route map, perform the following steps:

Step 1 To create a route map entry, enter the following command:

hostname(config)# route-map name {permit | deny} [sequence_number]

Route map entries are read in order. You can set the order with the sequence_number option; otherwise the security appliance uses the order in which you add the entries.

Step 2 Enter one or more match commands:

• To match any routes that have a destination network that matches a standard ACL, enter the following command:

hostname(config-route-map)# match ip address acl_id [acl_id] [...]

If you specify more than one ACL, the route can match any of the ACLs.

• To match any routes that have a specified metric, enter the following command:

hostname(config-route-map)# match metric metric_value

The metric_value can be from 0 to 4294967295.

• To match any routes that have a next hop router address that matches a standard ACL, enter the following command:

hostname(config-route-map)# match ip next-hop acl_id [acl_id] [...]

If you specify more than one ACL, the route can match any of the ACLs.

• To match any routes with the specified next hop interface, enter the following command:

hostname(config-route-map)# match interface if_name

If you specify more than one interface, the route can match any of the interfaces.

• To match any routes that have been advertised by routers that match a standard ACL, enter the following command:

hostname(config-route-map)# match ip route-source acl_id [acl_id] [...]

If you specify more than one ACL, the route can match any of the ACLs.
• To match the route type, enter the following command:

hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}

Step 3 Enter one or more set commands. If a route matches the match commands, the following set commands determine the action to perform on the route before redistributing it.

• To set the metric, enter the following command:

hostname(config-route-map)# set metric metric_value

The metric_value can be a value between 0 and 4294967295.

• To set the metric type, enter the following command:

hostname(config-route-map)# set metric-type {type-1 | type-2}

The following example shows how to redistribute routes with a hop count equal to 1 into OSPF. The security appliance redistributes these routes as external LSAs with a metric of 5 and a metric type of Type 1.

hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1

Configuring OSPF

This section describes how to configure OSPF.
This section includes the following topics:

• OSPF Overview, page 9-9
• Enabling OSPF, page 9-10
• Redistributing Routes Into OSPF, page 9-10
• Configuring OSPF Interface Parameters, page 9-11
• Configuring OSPF Area Parameters, page 9-13
• Configuring OSPF NSSA, page 9-14
• Defining Static OSPF Neighbors, page 9-16
• Configuring Route Summarization Between OSPF Areas, page 9-15
• Configuring Route Summarization When Redistributing Routes into OSPF, page 9-16
• Generating a Default Route, page 9-17
• Configuring Route Calculation Timers, page 9-17
• Logging Neighbors Going Up or Down, page 9-18
• Displaying OSPF Update Packet Pacing, page 9-19
• Monitoring OSPF, page 9-19
• Restarting the OSPF Process, page 9-20

OSPF Overview

OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.

The advantages of OSPF over RIP include the following:

• OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly rather than gradually as stale information is timed out.
• Routing decisions are based on cost, which is an indication of the overhead required to send packets across a certain interface. The security appliance calculates the cost of an interface based on link bandwidth rather than the number of hops to the destination. The cost can be configured to specify preferred paths.

The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.

The security appliance can run two processes of the OSPF protocol simultaneously, on different sets of interfaces.
You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.

You can redistribute routes into an OSPF routing process from another OSPF routing process, from a RIP routing process, or from static and connected routes configured on OSPF-enabled interfaces.

The security appliance supports the following OSPF features:

• Support of intra-area, interarea, and external (Type I and Type II) routes.
• Support of a virtual link.
• OSPF LSA flooding.
• Authentication of OSPF packets (both password and MD5 authentication).
• Support for configuring the security appliance as a designated router or a backup designated router. The security appliance also can be set up as an ABR; however, the ability to configure the security appliance as an ASBR is limited to default information only (for example, injecting a default route).
• Support for stub areas and not-so-stubby areas.
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.

Enabling OSPF

To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.

To enable OSPF, perform the following steps:

Step 1 To create an OSPF routing process, enter the following command:

hostname(config)# router ospf process_id

This command enters router configuration mode for this OSPF process. The process_id is an internally used identifier for this routing process. It can be any positive integer.
This ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes.

Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:

hostname(config-router)# network ip_address mask area area_id

The following example shows how to enable OSPF:

hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0

Redistributing Routes Into OSPF

The security appliance can control the redistribution of routes between OSPF routing processes. The security appliance matches and changes routes according to settings in the redistribute command or by using a route map. See also the “Generating a Default Route” section on page 9-17 for another use for route maps.

To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:

Step 1 (Optional) Create a route map to further define which routes from the specified routing protocol are redistributed into the OSPF routing process. See the “Defining Route Maps” section on page 9-7.

Step 2 If you have not already done so, enter router configuration mode for the OSPF process you want to redistribute into by entering the following command:

hostname(config)# router ospf process_id

Step 3 To specify the routes you want to redistribute, enter the following command:

hostname(config-router)# redistribute {ospf process_id [match {internal | external 1 | external 2}] | static | connected | rip} [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]

The ospf process_id, static, connected, and rip keywords specify from where you want to redistribute routes. You can either use the options in this command to match and set route properties, or you can use a route map.
The tag and subnets options do not have equivalents in the route-map command. If you use both a route map and options in the redistribute command, then they must match.

The following example shows route redistribution from OSPF process 1 into OSPF process 2 by matching routes with a metric equal to 1. The security appliance redistributes these routes as external LSAs with a metric of 5, a metric type of Type 1, and a tag equal to 1.

hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# set tag 1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2

The following example shows the routes of OSPF process 108 being redistributed into OSPF process 109. The OSPF metric is remapped to 100.

hostname(config)# router ospf 109
hostname(config-router)# redistribute ospf 108 metric 100 subnets

The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to Type 2 external, indicating that it has lower priority than internal metrics.

hostname(config)# router ospf 1
hostname(config-router)# redistribute ospf 2 metric 5 metric-type type-2

Configuring OSPF Interface Parameters

You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if you configure any of these parameters, the configurations for all routers on your network have compatible values.
To configure OSPF interface parameters, perform the following steps:

Step 1 To enter interface configuration mode, enter the following command:

hostname(config)# interface interface_name

Step 2 Enter any of the following commands:

• To specify the authentication type for an interface, enter the following command:

hostname(config-interface)# ospf authentication [message-digest | null]

• To assign a password to be used by neighboring OSPF routers on a network segment that is using OSPF simple password authentication, enter the following command:

hostname(config-interface)# ospf authentication-key key

The key can be any continuous string of characters up to 8 bytes in length. The password created by this command is used as a key that is inserted directly into the OSPF header when the security appliance originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.

Because the simple password is carried unencrypted in every OSPF packet, anyone who can capture traffic on the segment can read it and use it to inject routes. Treat it only as protection against accidental adjacencies, and prefer MD5 authentication (ospf message-digest-key, below) wherever untrusted hosts can reach the segment.

• To explicitly specify the cost of sending a packet on an OSPF interface, enter the following command:

hostname(config-interface)# ospf cost cost

The cost is an integer from 1 to 65535.

• To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command:

hostname(config-interface)# ospf dead-interval seconds

The value must be the same for all nodes on the network.

• To specify the length of time between the hello packets that the security appliance sends on an OSPF interface, enter the following command:

hostname(config-interface)# ospf hello-interval seconds

The value must be the same for all nodes on the network.
• To enable OSPF MD5 authentication, enter the following command:

hostname(config-interface)# ospf message-digest-key key_id md5 key

Set the following values:

– key_id—An identifier in the range from 1 to 255.
– key—Alphanumeric password of up to 16 bytes.

Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value.

We recommend that you not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key. Removing the old key also reduces overhead during rollover.

• To set the priority to help determine the OSPF designated router for a network, enter the following command:

hostname(config-interface)# ospf priority number_value

The number_value is between 0 and 255.

• To specify the number of seconds between LSA retransmissions for adjacencies belonging to an OSPF interface, enter the following command:

hostname(config-interface)# ospf retransmit-interval seconds

The value must be greater than the expected round-trip delay between any two routers on the attached network. The range is from 1 to 65535 seconds. The default is 5 seconds.

• To set the estimated number of seconds required to send a link-state update packet on an OSPF interface, enter the following command:

hostname(config-interface)# ospf transmit-delay seconds

The value is from 1 to 65535 seconds. The default is 1 second.
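The following configuration is an added illustration, not an example from the original guide, written in running-configuration form (with ! comments) rather than the prompted form used elsewhere in this chapter. It contrasts the weak simple-password setting with the hardened MD5 setting on one interface, walks through the key rollover that the recommendation above describes, and ends with the show commands used to confirm the result. The interface name inside, OSPF process 2, the 10.0.0.0/8 network, the key IDs 1 and 2 and the key strings are assumptions; the area authentication message-digest and log-adj-changes commands are the ones documented later in this chapter under Configuring OSPF Area Parameters and Logging Neighbors Going Up or Down.

```cisco
! === Weak setting (shown only for contrast; do not deploy) ===
! Simple password authentication. The 8-byte key travels in cleartext in the
! OSPF header of every packet, so anyone sniffing the segment can read it.
router ospf 2
 network 10.0.0.0 255.0.0.0 area 0
 area 0 authentication
interface inside
 ospf authentication-key s3cret

! === Hardened setting ===
! MD5 authentication selected for the whole area and enforced on the
! interface; the key itself is still configured per interface.
router ospf 2
 network 10.0.0.0 255.0.0.0 area 0
 area 0 authentication message-digest
 log-adj-changes detail
interface inside
 no ospf authentication-key
 ospf message-digest-key 1 md5 Xk7pQ2vLm9ZrT4wB
 ospf authentication message-digest

! === Key rollover ===
! Step A: add the new key (assumed ID 2) on every router on the segment.
! While both keys exist, packets authenticated with either key are accepted.
interface inside
 ospf message-digest-key 2 md5 Hf3nW8cJq5YsD1eP
! Step B: once every neighbor is seen authenticating with key 2, remove
! key 1 everywhere. A host that captured or guessed key 1 can then no longer
! form an adjacency, and the duplicate per-key transmissions stop.
interface inside
 no ospf message-digest-key 1

! === Verify ===
! The interface line reports the authentication type in use; the neighbor
! line must show FULL (or 2WAY on a multi-access segment) for each peer.
show ospf interface inside
show ospf neighbor inside detail
```

If a neighbor stays in INIT or never appears after the change, the usual cause is a key ID or key string that does not match on the peer, or one side still using simple password authentication; the log-adj-changes detail messages show each state transition so the failing peer can be identified without enabling debugging.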
The following example shows how to configure the OSPF interfaces:

hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest

The following is sample output from the show ospf command:

hostname(config)# show ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

Configuring OSPF Area Parameters

You can configure several area parameters. These area parameters include setting authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the ABR into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub command on the ABR to prevent it from sending summary link advertisements (LSA type 3) into the stub area.

To specify area parameters for your network, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 Enter any of the following commands:

• To enable authentication for an OSPF area, enter the following command:

hostname(config-router)# area area-id authentication

• To enable MD5 authentication for an OSPF area, enter the following command:

hostname(config-router)# area area-id authentication message-digest

The area commands only select the authentication type for the area; the keys themselves are configured per interface with the ospf authentication-key and ospf message-digest-key commands described in the previous section, and every router in the area must use the same type.

• To define an area to be a stub area, enter the following command:

hostname(config-router)# area area-id stub [no-summary]

• To assign a specific cost to the default summary route used for the stub area, enter the following command:

hostname(config-router)# area area-id default-cost cost

The cost is an integer from 1 to 65535. The default is 1.

The following example shows how to configure the OSPF area parameters:

hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20

Configuring OSPF NSSA

The OSPF implementation of an NSSA is similar to an OSPF stub area.
NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area. NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These type 7 LSAs are translated into type 5 LSAs by NSSA ABRs, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.

NSSA can simplify administration if you are an ISP or a network administrator who must connect a central site using OSPF to a remote site that is using a different routing protocol. Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as an OSPF stub area because routes for the remote site could not be redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.

To specify area parameters for your network as needed to configure OSPF NSSA, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 Enter any of the following commands:

• To define an NSSA area, enter the following command:

hostname(config-router)# area area-id nssa [no-redistribution] [default-information-originate]

• To summarize groups of addresses, enter the following command:

hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]

This command helps reduce the size of the routing table.
Using this command for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. OSPF does not support summary-address 0.0.0.0 0.0.0.0.

In the following example, the summary address 10.1.0.0 includes addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:

hostname(config-router)# summary-address 10.1.0.0 255.255.0.0

Before you use this feature, consider these guidelines:

– You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
– Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.

Configuring Route Summarization Between OSPF Areas

Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To set the address range, enter the following command:

hostname(config-router)# area area-id range ip-address mask [advertise | not-advertise]

The following example shows how to configure route summarization between OSPF areas:

hostname(config)# router ospf 1
hostname(config-router)# area 17 range 12.1.0.0 255.255.0.0

Configuring Route Summarization When Redistributing Routes into OSPF

When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the security appliance to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.

To configure the advertisement of one summary route for all redistributed routes covered by a network address and mask, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To set the summary address, enter the following command:

hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]

Note OSPF does not support summary-address 0.0.0.0 0.0.0.0.

The following example shows how to configure route summarization. The summary address 10.1.0.0 includes addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on.
Only the address 10.1.0.0 is advertised in an external link-state advertisement:

hostname(config)# router ospf 1
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0

Defining Static OSPF Neighbors

You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast network. This lets you send OSPF advertisements across an existing VPN connection without having to encapsulate the advertisements in a GRE tunnel.

To define a static OSPF neighbor, perform the following tasks:

Step 1 Create a static route to the OSPF neighbor. See the “Configuring Static and Default Routes” section on page 9-2 for more information about creating static routes.

Step 2 Define the OSPF neighbor by performing the following tasks:

a. Enter router configuration mode for the OSPF process by entering the following command:

hostname(config)# router ospf pid

b. Define the OSPF neighbor by entering the following command:

hostname(config-router)# neighbor addr [interface if_name]

The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the directly connected interfaces, you must specify the interface.

Generating a Default Route

You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.
To generate a default route, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To force the autonomous system boundary router to generate a default route, enter the following command:

hostname(config-router)# default-information originate [always] [metric metric-value] [metric-type {1 | 2}] [route-map map-name]

Without the always keyword, the default route is advertised only while the security appliance itself has a default route in its routing table. With always, it is advertised unconditionally, so neighbors will keep sending Internet-bound traffic to the appliance even after its own upstream path is gone; use always only where that is the intended behavior.

The following example shows how to generate a default route:

hostname(config)# router ospf 2
hostname(config-router)# default-information originate always

Configuring Route Calculation Timers

You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations.

To configure route calculation timers, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To configure the route calculation timers, enter the following command:

hostname(config-router)# timers spf spf-delay spf-holdtime

The spf-delay is the delay time (in seconds) between when OSPF receives a topology change and when it starts an SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.

The spf-holdtime is the minimum time (in seconds) between two consecutive SPF calculations. It can be an integer from 0 to 65535. The default time is 10 seconds. A value of 0 means that there is no delay; that is, two SPF calculations can be done, one immediately after the other.
The following example shows how to configure route calculation timers:

hostname(config)# router ospf 1
hostname(config-router)# timers spf 10 120

Logging Neighbors Going Up or Down

By default, the system sends a system message when an OSPF neighbor goes up or down. Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ospf adjacency command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.

To log neighbors going up or down, perform the following steps:

Step 1 If you have not already done so, enter router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To configure logging for neighbors going up or down, enter the following command:

hostname(config-router)# log-adj-changes [detail]

Note Logging must be enabled for the neighbor up/down messages to be sent.

The following example shows how to log neighbor up/down messages:

hostname(config)# router ospf 1
hostname(config-router)# log-adj-changes detail

Displaying OSPF Update Packet Pacing

OSPF update packets are automatically paced so they are not sent less than 33 milliseconds apart. Without pacing, some update packets could get lost in situations where the link is slow, a neighbor could not receive the updates quickly enough, or the router could run out of buffer space. For example, without pacing, packets might be dropped if either of the following topologies exists:

• A fast router is connected to a slower router over a point-to-point link.
• During flooding, several neighbors send updates to a single router at the same time.
Pacing is also used between resends to increase efficiency and minimize lost retransmissions. You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.

There are no configuration tasks for this feature; it occurs automatically.

To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, enter the following command:

hostname# show ospf flood-list if_name

Monitoring OSPF

You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.

To display various OSPF routing statistics, perform one of the following tasks, as needed:

• To display general information about OSPF routing processes, enter the following command:

hostname# show ospf [process-id [area-id]]

• To display the internal OSPF routing table entries to the ABR and ASBR, enter the following command:

hostname# show ospf border-routers

• To display lists of information related to the OSPF database for a specific router, enter the following command:

hostname# show ospf [process-id [area-id]] database

• To display a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing), enter the following command:

hostname# show ospf flood-list if-name

• To display OSPF-related interface information, enter the following command:

hostname# show ospf interface [if_name]

• To display OSPF neighbor information on a per-interface basis, enter the following command:

hostname# show ospf neighbor [interface-name] [neighbor-id] [detail]

• To display a list of all LSAs requested by a router, enter the following command:

hostname# show ospf request-list neighbor if_name

• To display a list of all LSAs waiting to be resent, enter the following command:

hostname# show ospf retransmission-list neighbor if_name

• To display a list of all summary address redistribution information configured under an OSPF process, enter the following command:

hostname# show ospf [process-id] summary-address

• To display OSPF-related virtual links information, enter the following command:

hostname# show ospf [process-id] virtual-links

Restarting the OSPF Process

To restart an OSPF process, clear redistribution, or clear counters, enter the following command:

hostname(config)# clear ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}

Configuring RIP

Devices that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure.

RIP has advantages over static routes because the initial configuration is simple, and you do not need to update the configuration when the topology changes. The disadvantage of RIP is that there is more network and processing overhead than with static routing.

The security appliance supports RIP Version 1 and RIP Version 2.

This section describes how to configure RIP. This section includes the following topics:

• Enabling and Configuring RIP, page 9-20
• Redistributing Routes into the RIP Routing Process, page 9-22
• Configuring RIP Send/Receive Version on an Interface, page 9-22
• Enabling RIP Authentication, page 9-23
• Monitoring RIP, page 9-23

Enabling and Configuring RIP

You can enable only one RIP routing process on the security appliance.
After you enable the RIP routing process, you must define the interfaces that will participate in that routing process using the network command. By default, the security appliance sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates.

To enable and configure the RIP routing process, perform the following steps:

Step 1 Start the RIP routing process by entering the following command in global configuration mode:
hostname(config)# router rip
You enter router configuration mode for the RIP routing process.

Step 2 Specify the interfaces that will participate in the RIP routing process. Enter the following command for each interface that will participate in the RIP routing process:
hostname(config-router)# network network_address
If an interface belongs to a network defined by this command, the interface will participate in the RIP routing process. If an interface does not belong to a network defined by this command, it will not send or receive RIP updates.

Step 3 (Optional) Specify the version of RIP used by the security appliance by entering the following command:
hostname(config-router)# version [1 | 2]
You can override this setting on a per-interface basis.

Step 4 (Optional) To generate a default route into RIP, enter the following command:
hostname(config-router)# default-information originate

Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command:
hostname(config-router)# passive-interface [default | if_name]
Using the default keyword causes all interfaces to operate in passive mode. Specifying an interface name sets only that interface to passive RIP mode. In passive mode, RIP routing updates are accepted by, but not sent out of, the specified interface. You can enter this command for each interface you want to set to passive mode.
Step 6 (Optional) Disable automatic route summarization by entering the following command:
hostname(config-router)# no auto-summarize
RIP Version 1 always uses automatic route summarization; you cannot disable it for RIP Version 1. RIP Version 2 uses route summarization by default; you can disable it using this command.

Step 7 (Optional) To filter the networks received in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to allow in the routing table and denying the networks you want the RIP process to discard.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates received by that interface.
hostname(config-router)# distribute-list acl in [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an interface name, the filter is applied to all RIP updates.

Step 8 (Optional) To filter the networks sent in updates, perform the following steps:
a. Create a standard access list permitting the networks you want the RIP process to advertise and denying the networks you do not want the RIP process to advertise.
b. Enter the following command to apply the filter. You can specify an interface to apply the filter to only those updates sent by that interface.
hostname(config-router)# distribute-list acl out [interface if_name]
You can enter this command for each interface you want to apply a filter to. If you do not specify an interface name, the filter is applied to all RIP updates.

Redistributing Routes into the RIP Routing Process

You can redistribute routes from the OSPF, static, and connected routing processes into the RIP routing process.
To redistribute routes into the RIP routing process, perform the following steps:

Step 1 (Optional) Create a route map to further define which routes from the specified routing protocol are redistributed into the RIP routing process. See the “Defining Route Maps” section on page 9-7 for more information about creating a route map.

Step 2 Choose one of the following options to redistribute the selected route type into the RIP routing process.

• To redistribute connected routes into the RIP routing process, enter the following command:
hostname(config-router)# redistribute connected [metric {metric_value | transparent}] [route-map map_name]

• To redistribute static routes into the RIP routing process, enter the following command:
hostname(config-router)# redistribute static [metric {metric_value | transparent}] [route-map map_name]

• To redistribute routes from an OSPF routing process into the RIP routing process, enter the following command:
hostname(config-router)# redistribute ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric {metric_value | transparent}] [route-map map_name]

Configuring RIP Send/Receive Version on an Interface

You can override the globally set version of RIP that the security appliance uses to send and receive RIP updates on a per-interface basis. To configure the RIP send and receive version on an interface, perform the following steps:

Step 1 (Optional) To specify the version of RIP advertisements sent from an interface, perform the following steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following command:
hostname(config)# interface phy_if
b. Specify the version of RIP to use when sending RIP updates out of the interface by entering the following command:
hostname(config-if)# rip send version {[1] [2]}

Step 2 (Optional) To specify the version of RIP advertisements permitted to be received by an interface, perform the following steps:
a. Enter interface configuration mode for the interface you are configuring by entering the following command:
hostname(config)# interface phy_if
b. Specify the version of RIP to allow when receiving RIP updates on the interface by entering the following command:
hostname(config-if)# rip receive version {[1] [2]}
RIP updates received on the interface that do not match the allowed version are dropped.

Enabling RIP Authentication

The security appliance supports RIP message authentication for RIP Version 2 messages. To enable RIP message authentication, perform the following steps:

Step 1 Enter interface configuration mode for the interface you are configuring by entering the following command:
hostname(config)# interface phy_if

Step 2 (Optional) Set the authentication mode by entering the following command. By default, text authentication is used. MD5 authentication is recommended.
hostname(config-if)# rip authentication mode {text | md5}

Step 3 Enable authentication and configure the authentication key by entering the following command:
hostname(config-if)# rip authentication key key key_id key-id

Monitoring RIP

To display various RIP routing statistics, perform one of the following tasks, as needed:

• To display the contents of the RIP routing database, enter the following command:
hostname# show rip database

• To display the RIP commands in the running configuration, enter the following command:
hostname# show running-config router rip

Use the following debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render the system unusable. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system performance.
• To display RIP processing events, enter the following command:
hostname# debug rip events

• To display RIP database events, enter the following command:
hostname# debug rip database

The Routing Table

This section contains the following topics:

• Displaying the Routing Table, page 9-24
• How the Routing Table is Populated, page 9-24
• How Forwarding Decisions are Made, page 9-26

Displaying the Routing Table

To view the entries in the routing table, enter the following command:

hostname# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.86.194.1 to network 0.0.0.0

S    10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside
C    10.86.194.0 255.255.254.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.86.194.1, outside

On the ASA 5505 adaptive security appliance, the following route is also shown. It is the internal loopback interface, which is used by the VPN Hardware Client feature for individual user authentication.

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

How the Routing Table is Populated

The security appliance routing table can be populated by statically defined routes, directly connected routes, and routes discovered by the RIP and OSPF routing protocols. Because the security appliance can run multiple routing protocols in addition to having static and connected routes in the routing table, it is possible that the same route is discovered or entered in more than one manner.
When two routes to the same destination are put into the routing table, the one that remains in the routing table is determined as follows:

• If the two routes have different network prefix lengths (network masks), then both routes are considered unique and are entered into the routing table. The packet forwarding logic then determines which of the two to use. For example, if the RIP and OSPF processes discovered the following routes:
– RIP: 192.168.32.0/24
– OSPF: 192.168.32.0/19
Even though OSPF routes have the better administrative distance, both routes are installed in the routing table because each of these routes has a different prefix length (subnet mask). They are considered different destinations, and the packet forwarding logic determines which route to use.

• If the security appliance learns about multiple paths to the same destination from a single routing protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is entered into the routing table. Metrics are values associated with specific routes, ranking them from most preferred to least preferred. The parameters used to determine the metrics differ for different routing protocols. The path with the lowest metric is selected as the optimal path and installed in the routing table. If there are multiple paths to the same destination with equal metrics, load balancing is done on these equal-cost paths.

• If the security appliance learns about a destination from more than one routing protocol, the administrative distances of the routes are compared and the route with the lower administrative distance is entered into the routing table. Administrative distance is a route parameter that the security appliance uses to select the best path when there are two or more different routes to the same destination from two different routing protocols.
Because the routing protocols have metrics based on algorithms that are different from the other protocols, it is not always possible to determine the “best path” for two routes to the same destination that were generated by different routing protocols. Each routing protocol is prioritized using an administrative distance value. Table 9-1 shows the default administrative distance values for the routing protocols supported by the security appliance.

The smaller the administrative distance value, the more preference is given to the protocol. For example, if the security appliance receives a route to a certain network from both an OSPF routing process (default administrative distance 110) and a RIP routing process (default administrative distance 100), the security appliance chooses the OSPF route because OSPF has a higher preference. This means the router adds the OSPF version of the route to the routing table.

In the above example, if the source of the OSPF-derived route was lost (for example, due to a power shutdown), the security appliance would then use the RIP-derived route until the OSPF-derived route reappears.

The administrative distance is a local setting. For example, if you use the distance-ospf command to change the administrative distance of routes obtained through OSPF, that change would only affect the routing table for the security appliance the command was entered on. The administrative distance is not advertised in routing updates.

Administrative distance does not affect the routing process. The OSPF and RIP routing processes only advertise the routes that have been discovered by the routing process or redistributed into the routing process. For example, the RIP routing process advertises RIP routes, even if routes discovered by the OSPF routing process are used in the security appliance routing table.
Table 9-1 Default Administrative Distance for Supported Routing Protocols

Route Source          Default Administrative Distance
Connected interface   0
Static route          1
OSPF                  110
RIP                   120

Backup Routes

A backup route is registered when the initial attempt to install the route in the routing table fails because another route was installed instead. If the route that was installed in the routing table fails, the routing table maintenance process calls each routing protocol process that has registered a backup route and requests them to reinstall the route in the routing table. If there are multiple protocols with registered backup routes for the failed route, the preferred route is chosen based on administrative distance.

Because of this process, you can create “floating” static routes that are installed in the routing table when the route discovered by a dynamic routing protocol fails. A floating static route is simply a static route configured with a greater administrative distance than the dynamic routing protocols running on the security appliance. When the corresponding route discovered by a dynamic routing process fails, the static route is installed in the routing table.

How Forwarding Decisions are Made

Forwarding decisions are made as follows:

• If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.

• If the destination matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.

• If the destination matches more than one entry in the routing table, and the entries all have the same network prefix length, the packets for that destination are distributed among the interfaces associated with those routes.
• If the destination matches more than one entry in the routing table, and the entries have different network prefix lengths, then the packet is forwarded out of the interface associated with the route that has the longer network prefix length.

For example, a packet destined for 192.168.32.1 arrives on an interface of a security appliance with the following routes in the routing table:

hostname# show route
....
R    192.168.32.0/24 [120/4] via 10.1.1.2
O    192.168.32.0/19 [110/229840] via 10.1.1.3
....

In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but 192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.

Dynamic Routing and Failover

Dynamic routes are not replicated to the standby unit or failover group in a failover configuration. Therefore, immediately after a failover occurs, some packets received by the security appliance may be dropped because of a lack of routing information, or routed to a default static route, while the routing table is repopulated by the configured dynamic routing protocols.

CHAPTER 10

Configuring DHCP, DDNS, and WCCP Services

This chapter describes how to configure the DHCP server, dynamic DNS (DDNS) update methods, and WCCP on the security appliance.

DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide a DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface.
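The routing table rules from Chapter 9 above (routes with different prefix lengths coexist, lower administrative distance then lower metric wins for the same prefix, equal-cost paths are load balanced, losing routes stay registered as backups so a floating static route can take over, and forwarding uses the longest matching prefix) modelled as an added Python example; this is not the appliance's code, and the routes in demo() are constructed to mirror the guide's show route output.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from Table 9-1 of the guide.
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str             # empty for connected routes
    interface: str
    source: str               # key into DEFAULT_AD
    metric: int = 0
    ad: Optional[int] = None  # override, e.g. a floating static route

    @property
    def distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


class RoutingTable:
    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, List[Route]] = {}
        self.backup: Dict[ipaddress.IPv4Network, List[Route]] = {}

    def install(self, r: Route) -> bool:
        """Different prefix lengths coexist; same prefix: lower (distance, metric)
        wins, equal means an equal-cost path. Losers are kept as backup routes.
        Returns True if r is now in the table."""
        installed = self.routes.get(r.prefix)
        if not installed:
            self.routes[r.prefix] = [r]
            return True
        best = installed[0]
        if (r.distance, r.metric) < (best.distance, best.metric):
            self.backup.setdefault(r.prefix, []).extend(installed)
            self.routes[r.prefix] = [r]
            return True
        if (r.distance, r.metric) == (best.distance, best.metric):
            installed.append(r)      # load balance across equal-cost paths
            return True
        self.backup.setdefault(r.prefix, []).append(r)
        return False

    def withdraw(self, r: Route) -> None:
        """The route's source is lost. When no path remains, registered backups
        are reinstalled in order of administrative distance (floating static)."""
        paths = self.routes.get(r.prefix, [])
        if r in paths:
            paths.remove(r)
        if paths:
            return
        self.routes.pop(r.prefix, None)
        for c in sorted(self.backup.pop(r.prefix, []),
                        key=lambda c: (c.distance, c.metric)):
            self.install(c)

    def lookup(self, dst: str) -> List[Route]:
        """Forwarding decision: longest prefix match; all equal-cost paths for
        that prefix are returned; an empty list means drop (no default route)."""
        addr = ipaddress.IPv4Address(dst)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            return []
        longest = max(matches, key=lambda p: p.prefixlen)
        return list(self.routes[longest])


def demo() -> Dict[str, object]:
    """Constructed routes mirroring the guide's show route examples."""
    net = ipaddress.ip_network
    rt = RoutingTable()
    rt.install(Route(net("10.86.194.0/23"), "", "outside", "connected"))
    rt.install(Route(net("0.0.0.0/0"), "10.86.194.1", "outside", "static"))
    rt.install(Route(net("192.168.32.0/24"), "10.1.1.2", "inside", "rip", metric=4))
    rt.install(Route(net("192.168.32.0/19"), "10.1.1.3", "inside", "ospf", metric=229840))
    # Same prefix learned by OSPF and RIP, plus a floating static route (AD 130).
    ospf = Route(net("10.1.1.0/24"), "10.86.194.1", "outside", "ospf", metric=20)
    rip = Route(net("10.1.1.0/24"), "10.86.194.2", "outside", "rip", metric=3)
    rt.install(ospf)
    rt.install(rip)
    rt.install(Route(net("10.1.1.0/24"), "10.86.194.1", "outside", "static", ad=130))
    # Two RIP paths with equal metric to one destination.
    rt.install(Route(net("10.2.0.0/16"), "10.86.194.1", "outside", "rip", metric=2))
    rt.install(Route(net("10.2.0.0/16"), "10.86.194.2", "outside", "rip", metric=2))
    out: Dict[str, object] = {}
    out["lpm"] = rt.lookup("192.168.32.1")[0].next_hop        # /24 beats /19
    out["lpm_other"] = rt.lookup("192.168.40.1")[0].next_hop  # only /19 matches
    out["default"] = rt.lookup("172.16.0.1")[0].next_hop      # gateway of last resort
    out["ad"] = rt.lookup("10.1.1.5")[0].source               # 110 < 120 < 130
    out["ecmp_paths"] = len(rt.lookup("10.2.3.4"))
    rt.withdraw(ospf)
    out["after_ospf_loss"] = rt.lookup("10.1.1.5")[0].source  # RIP route reinstalled
    rt.withdraw(rip)
    out["after_rip_loss"] = rt.lookup("10.1.1.5")[0].source   # floating static route
    return out
```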
DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and automates IP address allocation; DDNS update automatically records the association between assigned addresses and hostnames at pre-defined intervals. DDNS allows frequently changing address-hostname associations to be updated frequently. Mobile hosts, for example, can then move freely on a network without user or administrator intervention. DDNS provides the necessary dynamic updating and synchronizing of the name-to-address and address-to-name mappings on the DNS server.

WCCP specifies interactions between one or more routers, Layer 3 switches, or security appliances and one or more web caches. The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times.

This chapter includes the following sections:

• Configuring a DHCP Server, page 10-1
• Configuring DHCP Relay Services, page 10-5
• Configuring Dynamic DNS, page 10-6
• Configuring Web Cache Services Using WCCP, page 10-9

Configuring a DHCP Server

This section describes how to configure the DHCP server provided by the security appliance. This section includes the following topics:

• Enabling the DHCP Server, page 10-2
• Configuring DHCP Options, page 10-3
• Using Cisco IP Phones with a DHCP Server, page 10-4

Enabling the DHCP Server

The security appliance can act as a DHCP server. DHCP is a protocol that supplies network settings to hosts including the host IP address, the default gateway, and a DNS server.

Note The security appliance DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.

You can configure a DHCP server on each interface of the security appliance.
Each interface can have its own pool of addresses to draw from. However, the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.

You cannot configure a DHCP client or DHCP relay services on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.

To enable the DHCP server on a given security appliance interface, perform the following steps:

Step 1 Create a DHCP address pool. Enter the following command to define the address pool:
hostname(config)# dhcpd address ip_address-ip_address interface_name
The security appliance assigns a client one of the addresses from this pool to use for a given length of time. These addresses are the local, untranslated addresses for the directly connected network. The address pool must be on the same subnet as the security appliance interface.

Step 2 (Optional) To specify the IP address(es) of the DNS server(s) the client will use, enter the following command:
hostname(config)# dhcpd dns dns1 [dns2]
You can specify up to two DNS servers.

Step 3 (Optional) To specify the IP address(es) of the WINS server(s) the client will use, enter the following command:
hostname(config)# dhcpd wins wins1 [wins2]
You can specify up to two WINS servers.

Step 4 (Optional) To change the lease length to be granted to the client, enter the following command:
hostname(config)# dhcpd lease lease_length
This lease equals the amount of time (in seconds) the client can use its allocated IP address before the lease expires. Enter a value between 300 and 1,048,575. The default value is 3600 seconds.
Step 5 (Optional) To configure the domain name the client uses, enter the following command:
hostname(config)# dhcpd domain domain_name

Step 6 (Optional) To configure the DHCP ping timeout value, enter the following command:
hostname(config)# dhcpd ping_timeout milliseconds
To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets.

Step 7 (Transparent Firewall Mode) Define a default gateway. To define the default gateway that is sent to DHCP clients, enter the following command:
hostname(config)# dhcpd option 3 ip gateway_ip
If you do not use DHCP option 3 to define the default gateway, DHCP clients use the IP address of the management interface. The management interface does not route traffic.

Step 8 To enable the DHCP daemon within the security appliance to listen for DHCP client requests on the enabled interface, enter the following command:
hostname(config)# dhcpd enable interface_name

For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts connected to the inside interface, enter the following commands:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
hostname(config)# dhcpd wins 209.165.201.5
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside

Configuring DHCP Options

You can configure the security appliance to send information for the DHCP options listed in RFC 2132. The DHCP options fall into one of three categories:

• Options that return an IP address.
• Options that return a text string.
• Options that return a hexadecimal value.

The security appliance supports all three categories of DHCP options.
To configure a DHCP option, do one of the following:

• To configure a DHCP option that returns one or two IP addresses, enter the following command:
hostname(config)# dhcpd option code ip addr_1 [addr_2]

• To configure a DHCP option that returns a text string, enter the following command:
hostname(config)# dhcpd option code ascii text

• To configure a DHCP option that returns a hexadecimal value, enter the following command:
hostname(config)# dhcpd option code hex value

Note The security appliance does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option 46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132.

Table 10-1 shows the DHCP options that are not supported by the dhcpd option command.

Specific options, DHCP options 3, 66, and 150, are used to configure Cisco IP Phones. See the “Using Cisco IP Phones with a DHCP Server” section on page 10-4 for more information about configuring those options.

Using Cisco IP Phones with a DHCP Server

Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch offices. This implementation allows centralized call processing, reduces the equipment required, and eliminates the administration of additional Cisco CallManager and other servers at branch offices.

Cisco IP Phones download their configuration from a TFTP server.
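The type and length check that the note above says the appliance does not perform, as an added Python example that is not the appliance's code: it encodes dhcpd option values into the RFC 2132 code/length/data form, refuses the codes listed in Table 10-1, and rejects mismatches such as the dhcpd option 46 ascii hello case. The EXPECTED format table and EXAMPLE_CONFIG are constructed for this example; option 150 is included with the two-server limit the guide gives for Cisco IP Phones.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

# Option codes the dhcpd option command refuses (Table 10-1 of the guide).
UNSUPPORTED = {0, 1, 12, 50, 51, 52, 53, 54, 58, 59, 61, 67, 82, 255}

# Expected data kind, min/max item count and allowed values for a few options,
# taken from RFC 2132, plus option 150 as the guide describes it (up to two
# TFTP server addresses for Cisco IP Phones). Constructed for this example.
EXPECTED: Dict[int, Tuple[str, int, Optional[int], Optional[Set[int]]]] = {
    3:   ("ip", 1, None, None),        # Router
    6:   ("ip", 1, None, None),        # Domain Name Server
    15:  ("ascii", 1, None, None),     # Domain Name
    44:  ("ip", 1, None, None),        # NetBIOS over TCP/IP Name Server
    46:  ("hex", 1, 1, {1, 2, 4, 8}),  # NetBIOS Node Type: one octet, B/P/M/H
    66:  ("ascii", 1, None, None),     # TFTP server name
    150: ("ip", 1, 2, None),           # TFTP server addresses (Cisco IP Phones)
}


def encode_value(kind: str, value: str) -> bytes:
    """Turn the CLI value of dhcpd option code {ip | ascii | hex} into raw bytes."""
    if kind == "ip":
        return b"".join(ipaddress.IPv4Address(a).packed for a in value.split())
    if kind == "ascii":
        return value.encode("ascii")
    if kind == "hex":
        digits = value[2:] if value.lower().startswith("0x") else value
        return bytes.fromhex(digits.zfill(len(digits) + len(digits) % 2))
    raise ValueError(f"unknown value kind {kind!r}")


def validate(code: int, kind: str, value: str) -> Tuple[bool, str]:
    """The check the guide says the appliance does not perform: does the
    supplied kind/value match what the option code is defined to carry?"""
    if code in UNSUPPORTED:
        return False, f"option {code} cannot be set with dhcpd option"
    if code not in EXPECTED:
        return True, "no format rule on file; accepted as given"
    exp_kind, lo, hi, allowed = EXPECTED[code]
    if kind != exp_kind:
        return False, f"option {code} expects {exp_kind} data, got {kind}"
    try:
        raw = encode_value(kind, value)
    except ValueError as exc:
        return False, f"option {code}: {exc}"
    count = len(raw) // 4 if kind == "ip" else len(raw)
    if count < lo or (hi is not None and count > hi):
        return False, f"option {code}: {count} item(s), allowed {lo}..{hi or 'n'}"
    if allowed is not None and raw[0] not in allowed:
        return False, f"option {code}: value 0x{raw.hex()} not in {sorted(allowed)}"
    return True, "ok"


def tlv(code: int, raw: bytes) -> bytes:
    """RFC 2132 encoding: one octet code, one octet length, then the data."""
    if not 0 < len(raw) < 256:
        raise ValueError("option data must be 1..255 bytes")
    return struct.pack("!BB", code, len(raw)) + raw


def build_options(entries: List[Tuple[int, str, str]]) -> bytes:
    """Encode (code, kind, value) entries as the CLI lines express them, refusing
    any that fail validation, and terminate the field with the End option."""
    out = bytearray()
    for code, kind, value in entries:
        ok, why = validate(code, kind, value)
        if not ok:
            raise ValueError(why)
        out += tlv(code, encode_value(kind, value))
    out.append(255)
    return bytes(out)


def parse_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a DHCP options field; Pad (0) and End (255) carry no length octet."""
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


# Constructed configuration in the form of the guide's examples; the addresses
# are documentation ranges, not real servers.
EXAMPLE_CONFIG = [
    (3, "ip", "10.0.1.1"),                         # dhcpd option 3 ip 10.0.1.1
    (66, "ascii", "tftp.example.com"),             # dhcpd option 66 ascii ...
    (150, "ip", "209.165.201.10 209.165.201.11"),  # dhcpd option 150 ip ...
]
```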
Table 10-1 Unsupported DHCP Options

Option Code   Description
0             DHCPOPT_PAD
1             DHCPOPT_SUBNET_MASK
12            DHCPOPT_HOST_NAME
50            DHCPOPT_REQUESTED_ADDRESS
51            DHCPOPT_LEASE_TIME
52            DHCPOPT_OPTION_OVERLOAD
53            DHCPOPT_MESSAGE_TYPE
54            DHCPOPT_SERVER_IDENTIFIER
58            DHCPOPT_RENEWAL_TIME
59            DHCPOPT_REBINDING_TIME
61            DHCPOPT_CLIENT_IDENTIFIER
67            DHCPOPT_BOOT_FILE_NAME
82            DHCPOPT_RELAY_INFORMATION
255           DHCPOPT_END

When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.

• DHCP option 150 provides the IP addresses of a list of TFTP servers.
• DHCP option 66 gives the IP address or the hostname of a single TFTP server.

Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.

Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.

You can configure the security appliance to send information for most options listed in RFC 2132. The following example shows the syntax for any option number, as well as the syntax for commonly used options 66, 150, and 3:

• To provide information for DHCP requests that include an option number as specified in RFC 2132, enter the following command:
hostname(config)# dhcpd option number value

• To provide the IP address or name of a TFTP server for option 66, enter the following command:
hostname(config)# dhcpd option 66 ascii server_name

• To provide the IP address or names of one or two TFTP servers for option 150, enter the following command:
hostname(config)# dhcpd option 150 ip server_ip1 [server_ip2]
The server_ip1 is the IP address or name of the primary TFTP server, while server_ip2 is the IP address or name of the secondary TFTP server. A maximum of two TFTP servers can be identified using option 150.

• To set the default route, enter the following command:
hostname(config)# dhcpd option 3 ip router_ip1

Configuring DHCP Relay Services

A DHCP relay agent allows the security appliance to forward DHCP requests from clients to a router connected to a different interface.

The following restrictions apply to the use of the DHCP relay agent:

• The relay agent cannot be enabled if the DHCP server feature is also enabled.
• Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router.
• For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context.

Note DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two access lists, one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.

Note When DHCP relay is enabled and more than one DHCP relay server is defined, the security appliance forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the security appliance receives any of the following DHCP messages: ACK, NACK, or decline.

To enable DHCP relay, perform the following steps:

Step 1 To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following command:
hostname(config)# dhcprelay server ip_address if_name
You can use this command up to 4 times to identify up to 4 servers.
Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command:
hostname(config)# dhcprelay enable interface

Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following command:
hostname(config)# dhcprelay timeout seconds

Step 4 (Optional) To change the first default router address in the packet sent from the DHCP server to the address of the security appliance interface, enter the following command:
hostname(config)# dhcprelay setroute interface_name
This action allows the client to set its default route to point to the security appliance even if the DHCP server specifies a different router. If there is no default router option in the packet, the security appliance adds one containing the interface address.

The following example enables the security appliance to forward DHCP requests from clients connected to the inside interface to a DHCP server on the outside interface (the server command names the interface the server is reached through, as the syntax in Step 1 requires):

hostname(config)# dhcprelay server 201.168.200.4 outside
hostname(config)# dhcprelay enable inside
hostname(config)# dhcprelay setroute inside

Configuring Dynamic DNS

This section describes examples for configuring the security appliance to support Dynamic DNS. DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and automates IP address allocation, while dynamic DNS update automatically records the association between assigned addresses and hostnames. When you use DHCP and dynamic DNS update, a host is configured automatically for network access whenever it attaches to the IP network. You can locate and reach the host using its permanent, unique DNS hostname. Mobile hosts, for example, can move freely without user or administrator intervention.
DDNS provides address and domain name mappings so hosts can find each other even though their DHCP-assigned IP addresses change frequently. The DDNS name and address mappings are held on the DHCP server in two resource records: the A RR contains the name to IP address mapping while the PTR RR maps addresses to names. Of the two methods for performing DDNS updates—the IETF standard defined by RFC 2136 and a generic HTTP method—the security appliance supports the IETF method in this release.

The two most common DDNS update configurations are:

• The DHCP client updates the A RR while the DHCP server updates the PTR RR.
• The DHCP server updates both the A and PTR RRs.

In general, the DHCP server maintains DNS PTR RRs on behalf of clients. Clients may be configured to perform all desired DNS updates. The server may be configured to honor these updates or not. To update the PTR RR, the DHCP server must know the Fully Qualified Domain Name (FQDN) of the client. The client provides an FQDN to the server using a DHCP option called Client FQDN.
The following examples present these common scenarios:

• Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 10-7
• Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration, page 10-7
• Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs, page 10-8
• Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR, page 10-8
• Example 5: Client Updates A RR; Server Updates PTR RR, page 10-9

Example 1: Client Updates Both A and PTR RRs for Static IP Addresses

The following example configures the client to request that it update both A and PTR resource records for static IP addresses. To configure this example, perform the following steps:

Step 1 To define a DDNS update method called ddns-2 that requests that the client update both the A and PTR RRs, enter the following commands:

hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both

Step 2 To associate the method ddns-2 with the eth1 interface, enter the following commands:

hostname(DDNS-update-method)# interface eth1
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa.example.com

Step 3 To configure a static IP address for eth1, enter the following command:

hostname(config-if)# ip address 10.0.0.40 255.255.255.0

Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration

The following example configures 1) the DHCP client to request that it update both the A and PTR RRs, and 2) the DHCP server to honor the requests.
To configure this example, perform the following steps:

Step 1 To configure the DHCP client to request that the DHCP server perform no updates, enter the following command:

hostname(config)# dhcp-client update dns server none

Step 2 To create a DDNS update method named ddns-2 on the DHCP client that requests that the client perform both A and PTR updates, enter the following commands:

hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both

Step 3 To associate the method named ddns-2 with the security appliance interface named Ethernet0, and enable DHCP on the interface, enter the following commands:

hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
hostname(if-config)# ip address dhcp

Step 4 To configure the DHCP server, enter the following command:

hostname(if-config)# dhcpd update dns

Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs

The following example configures the DHCP client to include the FQDN option instructing the DHCP server not to update either the A or the PTR RR. The example also configures the server to override the client request. As a result, the client backs off without performing any updates.
To configure this scenario, perform the following steps:

Step 1 To configure the update method named ddns-2 to request that it make both A and PTR RR updates, enter the following commands:

hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both

Step 2 To assign the DDNS update method named ddns-2 on interface Ethernet0 and provide the client hostname (asa), enter the following commands:

hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com

Step 3 To enable the DHCP client feature on the interface, enter the following commands:

hostname(if-config)# dhcp client update dns server none
hostname(if-config)# ip address dhcp

Step 4 To configure the DHCP server to override the client update requests, enter the following command:

hostname(if-config)# dhcpd update dns both override

Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR

The following example configures the server to perform only PTR RR updates by default. However, the server honors the client request that it perform both A and PTR updates. The server also forms the FQDN by appending the domain name (example.com) to the hostname provided by the client (asa).
To configure this scenario, perform the following steps:

Step 1 To configure the DHCP client on interface Ethernet0, enter the following commands:

hostname(config)# interface Ethernet0
hostname(config-if)# dhcp client update dns both
hostname(config-if)# ddns update hostname asa

Step 2 To configure the DHCP server, enter the following commands:

hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com

Example 5: Client Updates A RR; Server Updates PTR RR

The following example configures the client to update the A resource record and the server to update the PTR records. Also, the client uses the domain name from the DHCP server to form the FQDN. To configure this scenario, perform the following steps:

Step 1 To define the DDNS update method named ddns-2, enter the following commands:

hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns

Step 2 To configure the DHCP client for interface Ethernet0 and assign the update method to the interface, enter the following commands:

hostname(DDNS-update-method)# interface Ethernet0
hostname(config-if)# dhcp client update dns
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa

Step 3 To configure the DHCP server, enter the following commands:

hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com

Configuring Web Cache Services Using WCCP

The purpose of web caching is to reduce latency and network traffic. Previously accessed web pages are stored in a cache buffer, so if a user needs the page again, they can retrieve it from the cache instead of the web server. WCCP specifies interactions between the security appliance and external web caches.
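What the A and PTR updates in the DDNS examples above look like on the wire, as an added example that is not Cisco code: a pure-Python builder for the RFC 2136 DNS UPDATE message (the IETF method the section says the security appliance supports), plus the FQDN formation from Examples 4 and 5, where the server appends its dhcpd domain to the bare hostname the client supplied. The host name asa, the domain example.com and the address 10.0.0.40 come from the examples above; the zone-naming rule (the zone is the FQDN minus its first label, and the /24 reverse zone for the PTR), the TTL and the message IDs are assumptions for illustration.

```python
"""Builds RFC 2136 DNS UPDATE messages adding an A RR (name -> address) and a
PTR RR (address -> name), the two records a DDNS update maintains.
Added example, not Cisco code; pure Python, no DNS library needed."""
import ipaddress
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_PTR = 1, 6, 12
CLASS_IN = 1


def form_fqdn(hostname, domain):
    """Server-side FQDN formation: append the dhcpd domain to a bare hostname
    (Example 4/5); a hostname that already carries a domain is kept as given."""
    if hostname.endswith("."):
        return hostname
    if "." in hostname:
        return hostname + "."
    return f"{hostname}.{domain}."


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad DNS label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(address):
    """PTR owner name for an IPv4 address: 10.0.0.40 -> 40.0.0.10.in-addr.arpa."""
    return ipaddress.IPv4Address(address).reverse_pointer + "."


def _rr(name, rtype, ttl, rdata):
    # NAME TYPE CLASS TTL RDLENGTH RDATA (RFC 1035 section 3.2.1)
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, rr):
    """UPDATE message: header (Opcode 5), Zone section naming the zone SOA,
    one RR in the Update section ("add to an RRset", RFC 2136 section 2.5.1)."""
    flags = OPCODE_UPDATE << 11  # QR=0, Opcode=5, no other flags
    # ZOCOUNT=1, PRCOUNT=0 (no prerequisites), UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + rr


def a_update(msg_id, fqdn, address, ttl=3600):
    """UPDATE adding the forward (A) record; assumes the zone is the FQDN minus
    its first label, e.g. asa.example.com. lives in zone example.com."""
    zone = fqdn.split(".", 1)[1]
    rdata = ipaddress.IPv4Address(address).packed
    return build_update(msg_id, zone, _rr(fqdn, TYPE_A, ttl, rdata))


def ptr_update(msg_id, fqdn, address, ttl=3600):
    """UPDATE adding the reverse (PTR) record; assumes a /24 reverse zone."""
    owner = reverse_name(address)
    zone = owner.split(".", 1)[1]  # 0.0.10.in-addr.arpa. for 10.0.0.40
    return build_update(msg_id, zone, _rr(owner, TYPE_PTR, ttl, encode_name(fqdn)))


def decode_header(msg):
    """Decode the 12-byte header so a built message can be inspected."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}


if __name__ == "__main__":
    fqdn = form_fqdn("asa", "example.com")
    print(fqdn, len(a_update(1, fqdn, "10.0.0.40")), len(ptr_update(2, fqdn, "10.0.0.40")))
```

The builder sends no prerequisites (PRCOUNT = 0), so the server replaces nothing conditionally; a real DDNS client typically adds prerequisite and delete records so that a stale A or PTR RR for the host's previous address is removed rather than accumulated.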
The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times. The security appliance only supports WCCP version 2.

Using a security appliance as an intermediary eliminates the need for a separate router to do the WCCP redirect because the security appliance takes care of redirecting requests to cache engines. When the security appliance knows that a packet needs redirection, it skips TCP state tracking, TCP sequence number randomization, and NAT on these traffic flows.

This section includes the following topics:

• WCCP Feature Support, page 10-9
• WCCP Interaction With Other Features, page 10-10
• Enabling WCCP Redirection, page 10-10

WCCP Feature Support

The following WCCPv2 features are supported with the security appliance:

• Redirection of multiple TCP/UDP port-destined traffic.
• Authentication for cache engines in a service group.

The following WCCPv2 features are not supported with the security appliance:

• Multiple routers in a service group. Multiple cache engines in a service group are still supported.
• Multicast WCCP.
• The Layer 2 redirect method; only GRE encapsulation is supported.
• WCCP source address spoofing.

WCCP Interaction With Other Features

In the security appliance implementation of WCCP, the following applies to how the protocol interacts with other configurable features:

• An ingress access list entry always takes higher priority over WCCP. For example, if an access list does not permit a client to communicate with a server, then traffic will not be redirected to a cache engine. Both ingress interface access lists and egress interface access lists will be applied.
• TCP intercept, authorization, URL filtering, inspect engines, and IPS features are not applied to a redirected flow of traffic.
• When a cache engine cannot service a request and the packet is returned, or when a cache miss happens on a cache engine and it requests data from a web server, then the contents of the traffic flow will be subject to all the other configured features of the security appliance.
• In failover, WCCP redirect tables are not replicated to standby units. After a failover, packets will not be redirected until the tables are rebuilt. Sessions redirected prior to failover will likely be reset by the web server.

Enabling WCCP Redirection

There are two steps to configuring WCCP redirection on the security appliance. The first involves identifying the service to be redirected with the wccp command, and the second is defining on which interface the redirection occurs with the wccp redirect command. The wccp command can optionally also define which cache engines can participate in the service group, and what traffic should be redirected to the cache engine.

WCCP redirect is supported only on the ingress of an interface. The only topology that the security appliance supports is when the client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.

The following configuration tasks assume you have already installed and configured the cache engines you wish to include in your network.
To configure WCCP redirection, perform the following steps:

Step 1 To enable a WCCP service group, enter the following command:

hostname(config)# wccp {web-cache | service_number} [redirect-list access_list] [group-list access_list] [password password]

The standard service is web-cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines, but you can identify a service number if desired between 0 and 254. For example, to transparently redirect native FTP traffic to a cache engine, use WCCP service 60. You can enter this command multiple times for each service group you want to enable.

The redirect-list access_list argument controls traffic redirected to this service group.

The group-list access_list argument determines which web cache IP addresses are allowed to participate in the service group.

The password password argument specifies MD5 authentication for messages received from the service group. Messages that are not accepted by the authentication are discarded.

Step 2 To enable WCCP redirection on an interface, enter the following command:

hostname(config)# wccp interface interface_name {web-cache | service_number} redirect in

You can enter this command multiple times for each service group you want the interface to participate in.
For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands:

hostname(config)# wccp web-cache
hostname(config)# wccp interface inside web-cache redirect in

Chapter 11 Configuring Multicast Routing

This chapter describes how to configure multicast routing. This chapter includes the following topics:

• Multicast Routing Overview, page 11-13
• Enabling Multicast Routing, page 11-14
• Configuring IGMP Features, page 11-14
• Configuring Stub Multicast Routing, page 11-17
• Configuring a Static Multicast Route, page 11-17
• Configuring PIM Features, page 11-18
• For More Information about Multicast Routing, page 11-22

Multicast Routing Overview

The security appliance supports both stub multicast routing and PIM multicast routing. However, you cannot configure both concurrently on a single security appliance.

Stub multicast routing provides dynamic host registration and facilitates multicast routing. When configured for stub multicast routing, the security appliance acts as an IGMP proxy agent. Instead of fully participating in multicast routing, the security appliance forwards IGMP messages to an upstream multicast router, which sets up delivery of the multicast data. When configured for stub multicast routing, the security appliance cannot be configured for PIM.

The security appliance supports both PIM-SM and bi-directional PIM. PIM-SM is a multicast routing protocol that uses the underlying unicast routing information base or a separate multicast-capable routing information base.
It builds unidirectional shared trees rooted at a single Rendezvous Point per multicast group and optionally creates shortest-path trees per multicast source.

Bi-directional PIM is a variant of PIM-SM that builds bi-directional shared trees connecting multicast sources and receivers. Bi-directional trees are built using a DF election process operating on each link of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.

Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.

Enabling Multicast Routing

Enabling multicast routing lets the security appliance forward multicast packets. Enabling multicast routing automatically enables PIM and IGMP on all interfaces. To enable multicast routing, enter the following command:

hostname(config)# multicast-routing

The number of entries in the multicast routing tables is limited by the amount of RAM on the system. Table 11-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.

Configuring IGMP Features

IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses group addresses (Class D IP addresses) as group identifiers. Host group addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet.
When you enable multicast routing on the security appliance, IGMP Version 2 is automatically enabled on all interfaces.

Note Only the no igmp command appears in the interface configuration when you use the show run command. If the multicast-routing command appears in the device configuration, then IGMP is automatically enabled on all interfaces.

This section describes how to configure optional IGMP settings on a per-interface basis. This section includes the following topics:

• Disabling IGMP on an Interface, page 11-15
• Configuring Group Membership, page 11-15
• Configuring a Statically Joined Group, page 11-15
• Controlling Access to Multicast Groups, page 11-15
• Limiting the Number of IGMP States on an Interface, page 11-16
• Modifying the Query Interval and Query Timeout, page 11-16
• Changing the Query Response Time, page 11-17
• Changing the IGMP Version, page 11-17

Table 11-1 Entry Limits for Multicast Tables

Table          16 MB    128 MB    128+ MB
MFIB           1000     3000      5000
IGMP Groups    1000     3000      5000
PIM Routes     3000     7000      12000

Disabling IGMP on an Interface

You can disable IGMP on specific interfaces. This is useful if you know that you do not have any multicast hosts on a specific interface and you want to prevent the security appliance from sending host query messages on that interface. To disable IGMP on an interface, enter the following command:

hostname(config-if)# no igmp

To reenable IGMP on an interface, enter the following command:

hostname(config-if)# igmp

Note Only the no igmp command appears in the interface configuration.

Configuring Group Membership

You can configure the security appliance to be a member of a multicast group. Configuring the security appliance to join a multicast group causes upstream routers to maintain multicast routing table information for that group and keep the paths for that group active.
To have the security appliance join a multicast group, enter the following command:

hostname(config-if)# igmp join-group group-address

Configuring a Statically Joined Group

Sometimes a group member cannot report its membership in the group, or there may be no members of a group on the network segment, but you still want multicast traffic for that group to be sent to that network segment. You can have multicast traffic for that group sent to the segment in one of two ways:

• Using the igmp join-group command (see Configuring Group Membership, page 11-15). This causes the security appliance to accept and to forward the multicast packets.
• Using the igmp static-group command. The security appliance does not accept the multicast packets but rather forwards them to the specified interface.

To configure a statically joined multicast group on an interface, enter the following command:

hostname(config-if)# igmp static-group group-address

Controlling Access to Multicast Groups

To control the multicast groups that hosts on the security appliance interface can join, perform the following steps:

Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists.

• To create a standard access list, enter the following command:

hostname(config)# access-list name standard [permit | deny] ip_addr mask

The ip_addr argument is the IP address of the multicast group being permitted or denied.

• To create an extended access list, enter the following command:

hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr src_mask dst_ip_addr dst_mask

The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.
Step 2 Apply the access list to an interface by entering the following command:

hostname(config-if)# igmp access-group acl

The acl argument is the name of a standard or extended IP access list.

Limiting the Number of IGMP States on an Interface

You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface basis. Membership reports exceeding the configured limits are not entered in the IGMP cache, and traffic for the excess membership reports is not forwarded. To limit the number of IGMP states on an interface, enter the following command:

hostname(config-if)# igmp limit number

Valid values range from 0 to 500, with 500 being the default value. Setting this value to 0 prevents learned groups from being added, but manually defined memberships (using the igmp join-group and igmp static-group commands) are still permitted. The no form of this command restores the default value.

Modifying the Query Interval and Query Timeout

The security appliance sends query messages to discover which multicast groups have members on the networks attached to the interfaces. Members respond with IGMP report messages indicating that they want to receive multicast packets for specific groups. Query messages are addressed to the all-systems multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1.

These messages are sent periodically to refresh the membership information stored on the security appliance. If the security appliance discovers that there are no local members of a multicast group still attached to an interface, it stops forwarding multicast packets for that group to the attached network and it sends a prune message back to the source of the packets.

By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds.
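How the three per-interface IGMP controls described above (the valid group address range with its reserved addresses, igmp access-group, and igmp limit) combine when a host report arrives, modelled in Python as an added example that is not Cisco code. The group addresses 224.0.0.0 through 224.0.0.2, the 224.0.0.0/4 range and the 0 to 500 limit with default 500 come from the text; the IgmpInterface class, the permit-only access list (a simplification of a standard ACL, with the implicit deny for anything unmatched) and the constructed group addresses are assumptions for illustration. The point the example makes concrete is the igmp limit edge case: with the limit reached, or set to 0, a host report is refused, but an igmp join-group or igmp static-group membership is still installed.

```python
"""Per-interface IGMP report handling: group validation, igmp access-group,
and igmp limit (caps learned states, not manually configured memberships).
Added example, not Cisco code."""
import ipaddress

MULTICAST_RANGE = ipaddress.IPv4Network("224.0.0.0/4")
RESERVED_GROUPS = {
    "224.0.0.0": "never assigned to any group",
    "224.0.0.1": "all systems on the subnet",
    "224.0.0.2": "all routers on the subnet",
}
IGMP_LIMIT_MAX = 500  # igmp limit: valid values 0..500, default 500


def group_address_problem(group):
    """Return None for a usable host group address, else the reason it is not."""
    addr = ipaddress.IPv4Address(group)
    if addr not in MULTICAST_RANGE:
        return "not a multicast group address"
    if group in RESERVED_GROUPS:
        return "reserved: " + RESERVED_GROUPS[group]
    return None


class IgmpInterface:
    def __init__(self, permitted_groups=None, limit=IGMP_LIMIT_MAX):
        if not 0 <= limit <= IGMP_LIMIT_MAX:
            raise ValueError("igmp limit: valid values range from 0 to 500")
        # igmp access-group modelled as the prefixes the ACL permits (assumption:
        # permit-only list); None means no access group is applied
        self.permitted_groups = (
            None if permitted_groups is None
            else [ipaddress.IPv4Network(p) for p in permitted_groups]
        )
        self.limit = limit
        self.learned = set()     # states created by host membership reports
        self.configured = set()  # igmp join-group / igmp static-group entries

    def _access_group_permits(self, group):
        if self.permitted_groups is None:
            return True
        addr = ipaddress.IPv4Address(group)
        return any(addr in net for net in self.permitted_groups)  # implicit deny

    def join_group(self, group):
        """Manually defined membership: never counted against igmp limit."""
        problem = group_address_problem(group)
        if problem:
            raise ValueError(f"{group}: {problem}")
        self.configured.add(group)

    def membership_report(self, group):
        """Process a host IGMP membership report; return (accepted, reason)."""
        problem = group_address_problem(group)
        if problem:
            return False, problem
        if not self._access_group_permits(group):
            return False, "denied by igmp access-group"
        if group in self.learned:
            return True, "refreshed"          # existing state, no new entry
        if len(self.learned) >= self.limit:
            return False, "igmp limit reached"  # not entered in the IGMP cache
        self.learned.add(group)
        return True, "learned"

    def members(self):
        """Groups whose traffic is forwarded on this interface."""
        return self.learned | self.configured
```

Because the check order is address validity, then access group, then limit, a report for a denied group never consumes one of the limited states, which is the behaviour you want when the limit is used as a defence against a host flooding reports for many groups.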
To change this interval, enter the following command:

hostname(config-if)# igmp query-interval seconds

If the security appliance does not hear a query message on an interface for the specified timeout value (by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command:

hostname(config-if)# igmp query-timeout seconds

Note The igmp query-timeout and igmp query-interval commands require IGMP Version 2.

Changing the Query Response Time

By default, the maximum query response time advertised in IGMP queries is 10 seconds. If the security appliance does not receive a response to a host query within this amount of time, it deletes the group. To change the maximum query response time, enter the following command:

hostname(config-if)# igmp query-max-response-time seconds

Changing the IGMP Version

By default, the security appliance runs IGMP Version 2, which enables several additional features such as the igmp query-timeout and igmp query-interval commands. All multicast routers on a subnet must support the same version of IGMP. The security appliance does not automatically detect version 1 routers and switch to version 1. However, a mix of IGMP Version 1 and 2 hosts on the subnet works; the security appliance running IGMP Version 2 works correctly when IGMP Version 1 hosts are present. To control which version of IGMP is running on an interface, enter the following command:

hostname(config-if)# igmp version {1 | 2}

Configuring Stub Multicast Routing

A security appliance acting as the gateway to the stub area does not need to participate in PIM. Instead, you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected on one interface to an upstream multicast router on another.
To configure the security appliance as an IGMP proxy agent, forward the host join and leave messages from the stub area interface to an upstream interface. To forward the host join and leave messages, enter the following command from the interface attached to the stub area:

hostname(config-if)# igmp forward interface if_name

Note Stub Multicast Routing and PIM are not supported concurrently.

Configuring a Static Multicast Route

When using PIM, the security appliance expects to receive packets on the same interface where it sends unicast packets back to the source. In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed.

To configure a static multicast route for PIM, enter the following command:

hostname(config)# mroute src_ip src_mask {input_if_name | rpf_addr} [distance]

To configure a static multicast route for a stub area, enter the following command:

hostname(config)# mroute src_ip src_mask input_if_name [dense output_if_name] [distance]

Note The dense output_if_name keyword and argument pair is only supported for stub multicast routing.

Configuring PIM Features

Routers use PIM to maintain forwarding tables for forwarding multicast datagrams. When you enable multicast routing on the security appliance, PIM and IGMP are automatically enabled on all interfaces.

Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols that use ports.

This section describes how to configure optional PIM settings.
This section includes the following topics:

• Disabling PIM on an Interface, page 11-18
• Configuring a Static Rendezvous Point Address, page 11-19
• Configuring the Designated Router Priority, page 11-19
• Filtering PIM Register Messages, page 11-19
• Configuring PIM Message Intervals, page 11-20
• Configuring a Multicast Boundary, page 11-20
• Filtering PIM Neighbors, page 11-20
• Supporting Mixed Bidirectional/Sparse-Mode PIM Networks, page 11-21

Disabling PIM on an Interface

You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:

hostname(config-if)# no pim

To reenable PIM on an interface, enter the following command:

hostname(config-if)# pim

Note Only the no pim command appears in the interface configuration.

Configuring a Static Rendezvous Point Address

All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP address. The address is statically configured using the pim rp-address command.

Note The security appliance does not support Auto-RP or PIM BSR; you must use the pim rp-address command to specify the RP address.

You can configure the security appliance to serve as RP to more than one group. The group range specified in the access list determines the PIM RP group mapping. If an access list is not specified, then the RP for the group is applied to the entire multicast group range (224.0.0.0/4). To configure the address of the PIM RP, enter the following command:

hostname(config)# pim rp-address ip_address [acl] [bidir]

The ip_address argument is the unicast IP address of the router to be a PIM RP. The acl argument is the name or number of a standard access list that defines which multicast groups the RP should be used with. Do not use a host ACL with this command.
Excluding the bidir keyword causes the groups to operate in PIM sparse mode.

Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the actual bidir configuration.

Configuring the Designated Router Priority

The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more than one multicast router on a network segment, there is an election process to select the DR based on DR priority. If multiple devices have the same DR priority, then the device with the highest IP address becomes the DR. By default, the security appliance has a DR priority of 1. You can change this value by entering the following command:

hostname(config-if)# pim dr-priority num

The num argument can be any number from 1 to 4294967294.

Filtering PIM Register Messages

You can configure the security appliance to filter PIM register messages. To filter PIM register messages, enter the following command:

hostname(config)# pim accept-register {list acl | route-map map-name}

Configuring PIM Message Intervals

Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. You can change this value by entering the following command:

hostname(config-if)# pim hello-interval seconds

Valid values for the seconds argument range from 1 to 3600 seconds.

Every 60 seconds, the security appliance sends PIM join/prune messages. To change this value, enter the following command:

hostname(config-if)# pim join-prune-interval seconds

Valid values for the seconds argument range from 10 to 600 seconds.

Configuring a Multicast Boundary

Address scoping defines domain boundaries so that domains with RPs that have the same IP address do not leak into each other.
Scoping is performed on the subnet boundaries within large domains and on the boundaries between the domain and the Internet. You can set up an administratively scoped boundary on an interface for multicast group addresses using the multicast boundary command. IANA has designated the multicast address range 239.0.0.0 to 239.255.255.255 as the administratively scoped addresses. This range of addresses can be reused in domains administered by different organizations. They would be considered local, not globally unique.

To configure a multicast boundary, enter the following command:

hostname(config-if)# multicast boundary acl [filter-autorp]

A standard ACL defines the range of addresses affected. When a boundary is set up, no multicast data packets are allowed to flow across the boundary from either direction. The boundary allows the same multicast group address to be reused in different administrative domains.

You can configure the filter-autorp keyword to examine and filter Auto-RP discovery and announcement messages at the administratively scoped boundary. Any Auto-RP group range announcements from the Auto-RP packets that are denied by the boundary access control list (ACL) are removed. An Auto-RP group range announcement is permitted and passed by the boundary only if all addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP message is forwarded.

Filtering PIM Neighbors

You can define the routers that can become PIM neighbors with the pim neighbor-filter command. By filtering the routers that can become PIM neighbors, you can:

• Prevent unauthorized routers from becoming PIM neighbors.
• Prevent attached stub routers from participating in PIM.
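The decision rules from the three PIM sections above (DR election by priority with the highest IP address as tie-breaker, pim neighbor-filter against a standard ACL, and the multicast boundary filter-autorp rule that a group range passes only if every address in it is permitted by the boundary ACL), modelled in Python as an added example that is not Cisco code. The priority range 1 to 4294967294, the default priority of 1 and the 239.0.0.0/8 administratively scoped range come from the text; the StandardAcl class with first-match semantics and implicit deny, and all the addresses and ACL entries in the test, are constructed for illustration. The neighbor-filter ACL in the example deliberately ends with a permit-any entry after the deny, because an ACL that contains only a deny line would, through the implicit deny, keep every router from becoming a neighbor.

```python
"""PIM DR election, pim neighbor-filter, and the multicast boundary check
applied to Auto-RP group-range announcements.  Added example, not Cisco code."""
import ipaddress

DR_PRIORITY_MIN, DR_PRIORITY_MAX = 1, 4294967294


def _net(ip_addr, mask):
    # ASA standard ACL entries are written as address + subnet mask
    return ipaddress.IPv4Network(f"{ip_addr}/{mask}", strict=False)


class StandardAcl:
    """Ordered entries of (action, address, mask); first match wins and any
    address that matches no entry hits the implicit deny."""

    def __init__(self, entries):
        self.entries = [(action, _net(ip, mask)) for action, ip, mask in entries]

    def permits(self, address):
        addr = ipaddress.IPv4Address(address)
        for action, net in self.entries:
            if addr in net:
                return action == "permit"
        return False

    def fully_permits(self, prefix):
        """True only if EVERY address in prefix is permitted.  The first entry
        overlapping the prefix decides it when it covers the whole prefix;
        otherwise the prefix is halved and each half is checked on its own."""
        net = ipaddress.IPv4Network(prefix)
        for action, entry in self.entries:
            if not net.overlaps(entry):
                continue
            if net.subnet_of(entry):
                return action == "permit"
            return all(self.fully_permits(str(half)) for half in net.subnets())
        return False  # implicit deny


def elect_dr(routers):
    """routers: {ip: dr_priority}. Highest priority wins; on a tie the highest
    IP address becomes the DR."""
    for ip, prio in routers.items():
        if not DR_PRIORITY_MIN <= prio <= DR_PRIORITY_MAX:
            raise ValueError(f"pim dr-priority {prio} for {ip} is out of range")
    return max(routers, key=lambda ip: (routers[ip], int(ipaddress.IPv4Address(ip))))


def pim_neighbors(candidates, neighbor_filter=None):
    """Routers allowed to become PIM neighbors under pim neighbor-filter."""
    return [ip for ip in candidates
            if neighbor_filter is None or neighbor_filter.permits(ip)]


def filter_autorp_ranges(announced_ranges, boundary_acl):
    """multicast boundary <acl> filter-autorp: a group range survives only if
    all of its addresses are permitted; otherwise the whole range is removed."""
    return [r for r in announced_ranges if boundary_acl.fully_permits(r)]
```

The halving in fully_permits keeps the check exact without enumerating addresses, so a /8 range against an ACL that denies one /16 inside it is rejected after a handful of recursive steps rather than sixteen million membership tests.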
To define the neighbors that can become a PIM neighbor, perform the following steps:

Step 1 Use the access-list command to define a standard access list that defines the routers you want to participate in PIM. For example, the following access list, when used with the pim neighbor-filter command, prevents the 10.1.1.1 router from becoming a PIM neighbor:

hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255

Step 2 Use the pim neighbor-filter command on an interface to filter the neighbor routers. For example, the following commands prevent the 10.1.1.1 router from becoming a PIM neighbor on interface GigabitEthernet0/3:

hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim neighbor-filter pim_nbr

Supporting Mixed Bidirectional/Sparse-Mode PIM Networks

Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers in a segment must be bidirectionally enabled in order for bidir to elect a DF.

The pim bidir-neighbor-filter command enables the transition from a sparse-mode-only network to a bidir network by letting you specify the routers that should participate in DF election while still allowing all routers to participate in the sparse-mode domain. The bidir-enabled routers can elect a DF from among themselves, even when there are non-bidir routers on the segment. Multicast boundaries on the non-bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir subset cloud.

When the pim bidir-neighbor-filter command is enabled, the routers that are permitted by the ACL are considered to be bidir-capable. Therefore:
• If a permitted neighbor does not support bidir, the DF election does not occur.
• If a denied neighbor supports bidir, then DF election does not occur.
• If a denied neighbor does not support bidir, the DF election occurs.

To control which neighbors can participate in the DF election, perform the following steps:

Step 1 Use the access-list command to define a standard access list that permits the routers you want to participate in the DF election and denies all others. For example, the following access list permits the routers at 10.1.1.1 and 10.2.2.2 to participate in the DF election and denies all others:

hostname(config)# access-list pim_bidir permit 10.1.1.1 255.255.255.255
hostname(config)# access-list pim_bidir permit 10.1.1.2 255.255.255.255
hostname(config)# access-list pim_bidir deny any

Step 2 Enable the pim bidir-neighbor-filter command on an interface. The following example applies the access list created in the previous step to the interface GigabitEthernet0/3:

hostname(config)# interface GigabitEthernet0/3
hostname(config-if)# pim bidir-neighbor-filter pim_bidir

For More Information about Multicast Routing

The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature:
• RFC 2236 IGMPv2
• RFC 2362 PIM-SM
• RFC 2588 IP Multicast and Firewalls
• RFC 2113 IP Router Alert Option
• IETF draft-ietf-idmr-igmp-proxy-01.txt

Chapter 12 Configuring IPv6

This chapter describes how to enable and configure IPv6 on the security appliance. IPv6 is available in Routed firewall mode only.
This chapter includes the following sections:
• IPv6-enabled Commands, page 12-1
• Configuring IPv6, page 12-2
• Verifying the IPv6 Configuration, page 12-11

For a sample IPv6 configuration, see Appendix B, “Sample Configurations.”

IPv6-enabled Commands

The following security appliance commands can accept and display IPv6 addresses:
• capture
• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
• ssh
• telnet
• tftp-server
• who
• write

Note Failover does not support IPv6. The ipv6 address command does not support setting standby addresses for failover configurations. The failover interface ip command does not support using IPv6 addresses on the failover and Stateful Failover interfaces.

When entering IPv6 addresses in commands that support them, simply enter the IPv6 address using standard IPv6 notation, for example ping fe80::2e0:b6ff:fe01:3b7a. The security appliance correctly recognizes and processes the IPv6 address. However, you must enclose the IPv6 address in square brackets ([ ]) in the following situations:
• You need to specify a port number with the address, for example [fe80::2e0:b6ff:fe01:3b7a]:8080.
• The command uses a colon as a separator, such as the write net and config net commands, for example configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/pixconfig.
The following commands were modified to work for IPv6:
• debug
• fragment
• ip verify
• mtu
• icmp (entered as ipv6 icmp)

The following inspection engines support IPv6:
• FTP
• HTTP
• ICMP
• SMTP
• TCP
• UDP

Configuring IPv6

This section contains the following topics:
• Configuring IPv6 on an Interface, page 12-3
• Configuring a Dual IP Stack on an Interface, page 12-4
• Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses, page 12-4
• Configuring IPv6 Duplicate Address Detection, page 12-4
• Configuring IPv6 Default and Static Routes, page 12-5
• Configuring IPv6 Access Lists, page 12-6
• Configuring IPv6 Neighbor Discovery, page 12-7
• Configuring a Static IPv6 Neighbor, page 12-11

Configuring IPv6 on an Interface

At a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you can add a site-local and global address to the interface.

Note The security appliance does not support IPv6 anycast addresses.

You can configure both IPv6 and IPv4 addresses on an interface. To configure IPv6 on an interface, perform the following steps:

Step 1 Enter interface configuration mode for the interface on which you are configuring the IPv6 addresses:

hostname(config)# interface if

Step 2 Configure an IPv6 address on the interface. You can assign several IPv6 addresses to an interface, such as an IPv6 link-local, site-local, and global address. However, at a minimum, you must configure a link-local address. There are several methods for configuring IPv6 addresses. Pick the method that suits your needs from the following:
• The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.
A link-local address, based on the Modified EUI-64 interface ID, is automatically generated for the interface when stateless autoconfiguration is enabled. To enable stateless autoconfiguration, enter the following command:

hostname(config-if)# ipv6 address autoconfig

• If you only need to configure a link-local address on the interface and are not going to assign any other IPv6 addresses to the interface, you have the option of manually defining the link-local address or generating one based on the interface MAC address (Modified EUI-64 format):
– Enter the following command to manually specify the link-local address:

hostname(config-if)# ipv6 address ipv6-address link-local

– Enter the following command to enable IPv6 on the interface and automatically generate the link-local address using the Modified EUI-64 interface ID based on the interface MAC address:

hostname(config-if)# ipv6 enable

Note You do not need to use the ipv6 enable command if you enter any other ipv6 address commands on an interface; IPv6 support is automatically enabled as soon as you assign an IPv6 address to the interface.

• Assign a site-local or global address to the interface. When you assign a site-local or global address, a link-local address is automatically created. Enter the following command to add a global or site-local address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address.

hostname(config-if)# ipv6 address ipv6-address [eui-64]

Step 3 (Optional) Suppress Router Advertisement messages on an interface. By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:

hostname(config-if)# ipv6 nd suppress-ra

Configuring a Dual IP Stack on an Interface

The security appliance supports the configuration of both IPv6 and IPv4 on an interface. You do not need to enter any special commands to do so; simply enter the IPv4 configuration commands and IPv6 configuration commands as you normally would. Make sure you configure a default route for both IPv4 and IPv6.

Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses

RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits long and be constructed in Modified EUI-64 format. The security appliance can enforce this requirement for hosts attached to the local link.

To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, enter the following command:

hostname(config)# ipv6 enforce-eui64 if_name

The if_name argument is the name of the interface, as specified by the nameif command, on which you are enabling the address format enforcement.

When this command is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:

%PIX|ASA-3-325003: EUI-64 source address check failed.

The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link.
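The check that ipv6 enforce-eui64 performs, worked through as an added Python example (not Cisco code): the Modified EUI-64 interface ID is derived from the source MAC and compared with the low 64 bits of the IPv6 source address, and the check runs only when a flow is created. The MAC 00:0d:88:ee:6a:82 is constructed so that its EUI-64 yields the sample link-local address fe80::20d:88ff:feee:6a82 shown later in this chapter; the EnforcingInterface class and its (src, dst, proto) flow key are a simplification of the appliance flow table.

```python
"""Added example: the ipv6 enforce-eui64 source-address check, emulated.

Not Cisco code. Derives the Modified EUI-64 interface ID from the source
MAC address and compares it with the low 64 bits of the IPv6 source
address; the check runs only when a flow is created, as the guide states.
"""
import ipaddress

# Syslog text from the guide (PIX and ASA share the message ID).
SYSLOG_325003 = "%PIX|ASA-3-325003: EUI-64 source address check failed."


def modified_eui64(mac: str) -> int:
    """Return the 64-bit Modified EUI-64 interface ID for a MAC address.

    0xFFFE is inserted between the OUI and the device part of the MAC, and
    the universal/local bit (0x02 in the first octet) is inverted.
    """
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the U/L bit
    return int.from_bytes(eui, "big")


def eui64_check(src_ipv6: str, src_mac: str) -> bool:
    """True if the interface ID of src_ipv6 is the Modified EUI-64 of src_mac."""
    iid = int(ipaddress.IPv6Address(src_ipv6)) & ((1 << 64) - 1)
    return iid == modified_eui64(src_mac)


class EnforcingInterface:
    """An interface with ipv6 enforce-eui64 applied (simplified flow table)."""

    def __init__(self, enforce: bool = True):
        self.enforce = enforce
        self.flows = set()   # existing flows, keyed by (src, dst, proto)
        self.log = []        # syslog messages generated by the check

    def receive(self, src_ipv6: str, dst_ipv6: str, proto: str, src_mac: str) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        key = (src_ipv6, dst_ipv6, proto)
        if key in self.flows:
            return True  # existing flow: no address format check
        if self.enforce and not eui64_check(src_ipv6, src_mac):
            self.log.append(SYSLOG_325003)
            return False  # dropped; no flow is created
        self.flows.add(key)
        return True


if __name__ == "__main__":
    iface = EnforcingInterface()
    # Constructed: MAC whose Modified EUI-64 gives the sample link-local address.
    host_mac = "00:0d:88:ee:6a:82"
    print(iface.receive("fe80::20d:88ff:feee:6a82", "fe80::1", "tcp", host_mac))
    # Same address seen with a router's MAC (host behind a router): check fails.
    print(iface.receive("fe80::20d:88ff:feee:6a82", "fe80::2", "tcp", "00:00:5e:00:53:01"))
    # A manually assigned address that is not in EUI-64 form fails as well.
    print(iface.receive("fec0::a:0:0:a0a:a70", "fe80::1", "tcp", host_mac))
    print(iface.log)
```

Note that the last case means enforcement also drops new flows from hosts on the link whose addresses were assigned manually rather than derived from the MAC.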
Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.

Configuring IPv6 Duplicate Address Detection

During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link-local address is verified as unique, then duplicate address detection is performed on all the other IPv6 unicast addresses on the interface.

Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.

When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated:

%PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface

If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used. However, all configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 addresses associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).

The security appliance uses neighbor solicitation messages to perform duplicate address detection. By default, the number of times an interface performs duplicate address detection is 1. To change the number of duplicate address detection attempts, enter the following command:

hostname(config-if)# ipv6 nd dad attempts value

The value argument can be any value from 0 to 600. Setting the value argument to 0 disables duplicate address detection on the interface.

When you configure an interface to send out more than one duplicate address detection attempt, you can also use the ipv6 nd ns-interval command to configure the interval at which the neighbor solicitation messages are sent out. By default, they are sent out once every 1000 milliseconds. To change the neighbor solicitation message interval, enter the following command:

hostname(config-if)# ipv6 nd ns-interval value

The value argument can be from 1000 to 3600000 milliseconds.

Note Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.

Configuring IPv6 Default and Static Routes

The security appliance automatically routes IPv6 traffic between directly connected hosts if the interfaces to which the hosts are attached are enabled for IPv6 and the IPv6 ACLs allow the traffic. The security appliance does not support dynamic routing protocols. Therefore, to route IPv6 traffic to a non-connected host or network, you need to define a static route to the host or network or, at a minimum, a default route.
Without a static or default route defined, traffic to non-connected hosts or networks generates the following error message:

%PIX|ASA-6-110001: No route to dest_address from source_address

You can add a default route and static routes using the ipv6 route command. To configure an IPv6 default route and static routes, perform the following steps:

Step 1 To add the default route, use the following command:

hostname(config)# ipv6 route if_name ::/0 next_hop_ipv6_addr

The address ::/0 is the IPv6 equivalent of “any.”

Step 2 (Optional) Define IPv6 static routes. Use the following command to add an IPv6 static route to the IPv6 routing table:

hostname(config)# ipv6 route if_name destination next_hop_ipv6_addr [admin_distance]

Note The ipv6 route command works like the route command used to define IPv4 static routes.

Configuring IPv6 Access Lists

Configuring an IPv6 access list is similar to configuring an IPv4 access list, but with IPv6 addresses. To configure an IPv6 access list, perform the following steps:

Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for the access list. There are two main forms of this command to choose from, one for creating access list entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
• To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:

hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source destination [icmp_type]

• To create an IPv6 access list entry for other IP traffic, enter the following command:

hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source [src_port] destination [dst_port]

The following describes the arguments for the ipv6 access-list command:
• id—The name of the access list.
Use the same id in each command when you are entering multiple entries for an access list.
• line num—When adding an entry to an access list, you can specify the line number in the list where the entry should appear.
• permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
• icmp—Indicates that the access list entry applies to ICMP traffic.
• protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip, tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object group using object-group grp_id.
• source and destination—Specifies the source or destination of the traffic. The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
• src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the range keyword).
• icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in Appendix D, “Addresses, Protocols, and Ports”. Alternatively, you can specify an ICMP object group using object-group id.
Step 2 To apply the access list to an interface, enter the following command:

hostname(config)# access-group access_list_name {in | out} interface if_name

Configuring IPv6 Neighbor Discovery

The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighboring routers.

This section contains the following topics:
• Configuring Neighbor Solicitation Messages, page 12-7
• Configuring Router Advertisement Messages, page 12-9
• Multicast Listener Discovery Support, page 12-11

Configuring Neighbor Solicitation Messages

Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is sent to the solicited-node multicast address. The source address in the neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation message also includes the link-layer address of the source node.

After receiving a neighbor solicitation message, the destination node replies by sending a neighbor advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data portion of the neighbor advertisement message includes the link-layer address of the node sending the neighbor advertisement message. After the source node receives the neighbor advertisement, the source node and destination node can communicate.
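The solicitation/advertisement exchange just described, the duplicate address detection probe from the previous section, and the static neighbor entries covered later in this chapter, simulated in an added Python example (not Cisco code). The Node and ICMPv6 objects, the link list, and all addresses and MACs are constructed; solicited_node_multicast() derives the ff02::1:ffXX:XXXX group that the show ipv6 interface sample output later in this chapter lists as a joined group.

```python
"""Added example: IPv6 neighbor solicitation/advertisement and DAD, simulated.

Not Cisco code. Models the exchange of Figure 12-1 (NS, ICMPv6 Type 135,
sent to the solicited-node multicast group; NA, Type 136, returned to the
solicitor), the duplicate address detection probe sent from the
unspecified address, and static neighbor cache entries that ND does not
modify. Nodes, addresses and MACs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALL_NODES = "ff02::1"
UNSPECIFIED = "::"
NS, NA = 135, 136


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


@dataclass
class ICMPv6:
    msg_type: int            # NS (135) or NA (136)
    src: str
    dst: str
    target: str              # address being resolved or advertised
    lladdr: Optional[str]    # link-layer address option (None in a DAD probe)


@dataclass
class Node:
    name: str
    addr: str
    mac: str
    neighbors: Dict[str, str] = field(default_factory=dict)  # neighbor cache
    static: Set[str] = field(default_factory=set)            # ipv6 neighbor entries
    groups: Set[str] = field(default_factory=set)

    def __post_init__(self):
        # Every node listens on all-nodes and on its own solicited-node group.
        self.groups = {ALL_NODES, solicited_node_multicast(self.addr)}

    def add_static_neighbor(self, addr: str, mac: str) -> None:
        """Equivalent of ipv6 neighbor: the entry is never modified by ND."""
        self.neighbors[addr] = mac
        self.static.add(addr)

    def _learn(self, addr: str, mac: str) -> None:
        if addr not in self.static:
            self.neighbors[addr] = mac

    def solicit(self, target: str) -> ICMPv6:
        """Build an NS for target; the destination is target's solicited-node group."""
        return ICMPv6(NS, self.addr, solicited_node_multicast(target), target, self.mac)

    def receive(self, msg: ICMPv6) -> Optional[ICMPv6]:
        """Process a message; return the NA to send in reply, if any."""
        if msg.dst != self.addr and msg.dst not in self.groups:
            return None  # not addressed to this node
        if msg.msg_type == NS and msg.target == self.addr:
            if msg.lladdr is not None:
                self._learn(msg.src, msg.lladdr)  # learn the solicitor too
            # A DAD probe comes from ::, so the defending NA goes to all-nodes.
            reply_to = ALL_NODES if msg.src == UNSPECIFIED else msg.src
            return ICMPv6(NA, self.addr, reply_to, self.addr, self.mac)
        if msg.msg_type == NA and msg.dst in (self.addr, ALL_NODES) and msg.lladdr:
            self._learn(msg.target, msg.lladdr)
        return None


def resolve(a: Node, b: Node, link: List[Node]) -> Optional[str]:
    """Node a resolves node b's link-layer address over the shared link."""
    ns = a.solicit(b.addr)
    for node in link:
        reply = node.receive(ns)
        if reply is not None:
            a.receive(reply)
    return a.neighbors.get(b.addr)


def dad(node: Node, tentative: str, link: List[Node], attempts: int = 1) -> bool:
    """Duplicate address detection for a tentative address on node.

    Sends an NS from :: for the tentative address `attempts` times (the
    ipv6 nd dad attempts value; 0 disables the check). Returns True if the
    address is unique, False if another node on the link already owns it.
    """
    probe = ICMPv6(NS, UNSPECIFIED, solicited_node_multicast(tentative), tentative, None)
    for _ in range(attempts):
        for other in link:
            if other is not node and other.receive(probe) is not None:
                return False  # an owner answered: the address becomes DUPLICATE
    return True
```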
Figure 12-1 shows the neighbor solicitation and response process.

Figure 12-1 IPv6 Neighbor Discovery—Neighbor Solicitation Message

Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor.

Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node on a local link. When there is such a change, the destination address for the neighbor advertisement is the all-nodes multicast address.

You can configure the neighbor solicitation message interval and neighbor reachable time on a per-interface basis. See the following topics for more information:
• Configuring the Neighbor Solicitation Message Interval, page 12-8
• Configuring the Neighbor Reachable Time, page 12-8

Configuring the Neighbor Solicitation Message Interval

To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the following command:

hostname(config-if)# ipv6 nd ns-interval value

Valid values for the value argument range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds. This setting is also sent in router advertisement messages.

Configuring the Neighbor Reachable Time

The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command:

hostname(config-if)# ipv6 nd reachable-time value

[Figure 12-1 content: ICMPv6 Type = 135, Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A, Query = what is your link address? ICMPv6 Type = 136, Src = B, Dst = A, Data = link-layer address of B. A and B can now exchange packets on this link.]

Valid values for the value argument range from 0 to 3600000 milliseconds. The default is 0. This information is also sent in router advertisement messages. When 0 is used for the value, the reachable time is sent as undetermined. It is up to the receiving devices to set and track the reachable time value. To see the time used by the security appliance when this value is set to 0, use the show ipv6 interface command to display information about the IPv6 interface, including the ND reachable time being used.

Configuring Router Advertisement Messages

Router advertisement messages (ICMPv6 Type 134) are periodically sent out each IPv6 configured interface of the security appliance. The router advertisement messages are sent to the all-nodes multicast address.

Figure 12-2 IPv6 Neighbor Discovery—Router Advertisement Message

Router advertisement messages typically include the following information:
• One or more IPv6 prefixes that nodes on the local link can use to automatically configure their IPv6 addresses.
• Lifetime information for each prefix included in the advertisement.
• Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed.
• Default router information (whether the router sending the advertisement should be used as a default router and, if so, the amount of time (in seconds) the router should be used as a default router).
• Additional information for hosts, such as the hop limit and MTU a host should use in packets that it originates.
• The amount of time between neighbor solicitation message retransmissions on a given link.
• The amount of time a node considers a neighbor reachable.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133). Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router advertisement message. Because router solicitation messages are usually sent by hosts at system startup, and the host does not have a configured unicast address, the source address in router solicitation messages is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the unicast address of the interface sending the router solicitation message is used as the source address in the message. The destination address in router solicitation messages is the all-routers multicast address with a scope of the link. When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message.

[Figure 12-2 content: Router advertisement packet definitions: ICMPv6 Type = 134, Src = router link-local address, Dst = all-nodes multicast address, Data = options, prefix, lifetime, autoconfig flag.]

You can configure the following settings for router advertisement messages:
• The time interval between periodic router advertisement messages.
• The router lifetime value, which indicates the amount of time IPv6 nodes should consider the security appliance to be the default router.
• The IPv6 network prefixes in use on the link.
• Whether or not an interface transmits router advertisement messages.

Unless otherwise noted, the router advertisement message settings are specific to an interface and are entered in interface configuration mode. See the following topics for information about changing these settings:
• Configuring the Router Advertisement Transmission Interval, page 12-10
• Configuring the Router Lifetime Value, page 12-10
• Configuring the IPv6 Prefix, page 12-10
• Suppressing Router Advertisement Messages, page 12-11

Configuring the Router Advertisement Transmission Interval

By default, router advertisements are sent out every 200 seconds. To change the interval between router advertisement transmissions on an interface, enter the following command:

hostname(config-if)# ipv6 nd ra-interval [msec] value

Valid values range from 3 to 1800 seconds (or 500 to 1800000 milliseconds if the msec keyword is used). The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the security appliance is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the desired value.

Configuring the Router Lifetime Value

The router lifetime value specifies how long nodes on the local link should consider the security appliance as the default router on the link. To configure the router lifetime value in IPv6 router advertisements on an interface, enter the following command:

hostname(config-if)# ipv6 nd ra-lifetime seconds

Valid values range from 0 to 9000 seconds. The default is 1800 seconds. Entering 0 indicates that the security appliance should not be considered a default router on the selected interface.

Configuring the IPv6 Prefix

Stateless autoconfiguration uses IPv6 prefixes provided in router advertisement messages to create the global unicast address from the link-local address.
To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command:

hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length

Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.

Suppressing Router Advertisement Messages

By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).

To suppress IPv6 router advertisement transmissions on an interface, enter the following command:

hostname(config-if)# ipv6 nd suppress-ra

Entering this command causes the security appliance to appear as a regular IPv6 neighbor on the link and not as an IPv6 router.

Multicast Listener Discovery Support

Multicast Listener Discovery Protocol (MLD) Version 2 is supported to discover the presence of multicast address listeners on directly attached links, and to discover specifically which multicast addresses are of interest to those neighboring nodes. The ASA becomes a multicast address listener, or a host, but not a multicast router, and responds to Multicast Listener Queries and sends Multicast Listener Reports only.

The following commands were added or enhanced to support MLD:
• clear ipv6 mld traffic Command
• show ipv6 mld Command

Configuring a Static IPv6 Neighbor

You can manually define a neighbor in the IPv6 neighbor cache. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry.
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.

To configure a static entry in the IPv6 neighbor discovery cache, enter the following command:

hostname(config-if)# ipv6 neighbor ipv6_address if_name mac_address

The ipv6_address argument is the link-local IPv6 address of the neighbor, the if_name argument is the interface through which the neighbor is available, and the mac_address argument is the MAC address of the neighbor interface.

Note The clear ipv6 neighbors command does not remove static entries from the IPv6 neighbor discovery cache; it only clears the dynamic entries.

Verifying the IPv6 Configuration

This section describes how to verify your IPv6 configuration. You can use various clear and show commands to verify your IPv6 settings.

This section includes the following topics:
• The show ipv6 interface Command, page 12-12
• The show ipv6 route Command, page 12-12
• The show ipv6 mld traffic Command, page 12-13

The show ipv6 interface Command

To display the IPv6 interface settings, enter the following command:

hostname# show ipv6 interface [if_name]

Including the interface name, such as “outside”, displays the settings for the specified interface. Excluding the name from the command displays the settings for all interfaces that have IPv6 enabled on them. The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
• The multicast groups the interface belongs to.
• ICMP redirect and error message settings.
• Neighbor discovery settings.
The following is sample output from the show ipv6 interface command:

hostname# show ipv6 interface
ipv6interface is down, line protocol is down
  IPv6 is enabled, link-local address is fe80::20d:88ff:feee:6a82 [TENTATIVE]
  No global unicast address is configured
  Joined group address(es):
    ff02::1
    ff02::1:ffee:6a82
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds

Note The show interface command only displays the IPv4 settings for an interface. To see the IPv6 configuration on an interface, you need to use the show ipv6 interface command. The show ipv6 interface command does not display any IPv4 settings for the interface (if both types of addresses are configured on the interface).

The show ipv6 route Command

To display the routes in the IPv6 routing table, enter the following command:

hostname# show ipv6 route

The output from the show ipv6 route command is similar to the IPv4 show route command. It displays the following information:
• The protocol that derived the route.
• The IPv6 prefix of the remote network.
• The administrative distance and metric for the route.
• The address of the next-hop router.
• The interface through which the next hop router to the specified network is reached.
The following is sample output from the show ipv6 route command:

hostname# show ipv6 route

IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
L   fe80::/10 [0/0]
     via ::, inside
L   fec0::a:0:0:a0a:a70/128 [0/0]
     via ::, inside
C   fec0:0:0:a::/64 [0/0]
     via ::, inside
L   ff00::/8 [0/0]
     via ::, inside

The show ipv6 mld traffic Command

To display the MLD traffic counters in the IPv6 routing table, enter the following command:

hostname# show ipv6 mld traffic

The output from the show ipv6 mld traffic command displays whether the expected number of MLD protocol messages have been received and sent.

The following is sample output from the show ipv6 mld traffic command:

hostname# show ipv6 mld traffic
show ipv6 mld traffic
MLD Traffic Counters
Elapsed time since counters cleared: 00:01:19
                        Received   Sent
Valid MLD Packets       1          3
Queries                 1          0
Reports                 0          3
Leaves                  0          0
Mtrace packets          0          0
Errors:
Malformed Packets       0
Martian source          0
Non link-local source   0
Hop limit is not equal to 1   0

CHAPTER 13

Configuring AAA Servers and the Local Database

This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and the local database.
This chapter contains the following sections:
• AAA Overview, page 13-1
• AAA Server and Local Database Support, page 13-2
• Configuring the Local Database, page 13-10
• Identifying AAA Server Groups and Servers, page 13-12
• Using Certificates and User Login Credentials, page 13-15
• Supporting a Zone Labs Integrity Server, page 13-16

AAA Overview

AAA enables the security appliance to determine who the user is (authentication), what the user can do (authorization), and what the user did (accounting). AAA provides an extra level of protection and control for user access compared to using access lists alone. For example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server, and you might not always know the IP addresses of these users, you can enable AAA to allow only authenticated and/or authorized users to make it through the security appliance. (The Telnet server enforces authentication, too; the security appliance prevents unauthorized users from attempting to access the server.)

You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization.

This section includes the following topics:
• About Authentication, page 13-1
• About Authorization, page 13-2
• About Accounting, page 13-2

About Authentication

Authentication controls access by requiring valid user credentials, which are typically a username and password.
You can configure the security appliance to authenticate the following items:
• All administrative connections to the security appliance, including the following sessions:
  – Telnet
  – SSH
  – Serial console
  – ASDM (using HTTPS)
  – VPN management access
• The enable command
• Network access
• VPN access

About Authorization

Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
• Management commands
• Network access
• VPN access

Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.

If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.

The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.

About Accounting

Accounting tracks traffic that passes through the security appliance, enabling you to have a record of user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.
AAA Server and Local Database Support

The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database.

This section contains the following topics:
• Summary of Support, page 13-3
• RADIUS Server Support, page 13-3
• TACACS+ Server Support, page 13-4
• SDI Server Support, page 13-4
• NT Server Support, page 13-5
• Kerberos Server Support, page 13-5
• LDAP Server Support, page 13-6
• SSO Support for WebVPN with HTTP Forms, page 13-9
• Local Database Support, page 13-9

Summary of Support

Table 13-1 summarizes the support for each AAA service by each AAA server type, including the local database. For more information about support for a specific AAA server type, refer to the topics following the table.

Table 13-1 Summary of AAA Support

                          Database Type
AAA Service               Local    RADIUS   TACACS+  SDI      NT    Kerberos  LDAP   HTTP Form
Authentication of...
  VPN users               Yes      Yes      Yes      Yes      Yes   Yes       Yes    Yes (1)
  Firewall sessions       Yes      Yes      Yes      Yes      Yes   Yes       Yes    No
  Administrators          Yes      Yes      Yes      Yes (2)  Yes   Yes       Yes    No
Authorization of...
  VPN users               Yes      Yes      No       No       No    No        Yes    No
  Firewall sessions       No       Yes (3)  Yes      No       No    No        No     No
  Administrators          Yes (4)  No       Yes      No       No    No        No     No
Accounting of...
  VPN connections         No       Yes      Yes      No       No    No        No     No
  Firewall sessions       No       Yes      Yes      No       No    No        No     No
  Administrators          No       Yes (5)  Yes      No       No    No        No     No

1. HTTP Form protocol supports single sign-on authentication for WebVPN users only.
2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.

RADIUS Server Support

The security appliance supports RADIUS servers. This section contains the following topics:
• Authentication Methods, page 13-4
• Attribute Support, page 13-4
• RADIUS Authorization Functions, page 13-4

Authentication Methods

The security appliance supports the following authentication methods with RADIUS:
• PAP—For all connection types.
• CHAP—For L2TP-over-IPSec.
• MS-CHAPv1—For L2TP-over-IPSec.
• MS-CHAPv2—For L2TP-over-IPSec, and for regular IPSec remote access connections when the password management feature is enabled.

Attribute Support

The security appliance supports the following sets of RADIUS attributes:
• Authentication attributes defined in RFC 2138.
• Accounting attributes defined in RFC 2139.
• RADIUS attributes for tunneled protocol support, defined in RFC 2868.
• Cisco IOS VSAs, identified by RADIUS vendor ID 9.
• Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
• Microsoft VSAs, defined in RFC 2548.

RADIUS Authorization Functions

The security appliance can use RADIUS servers for user authorization for network access using dynamic access lists or access list names per user. To implement dynamic access lists, you must configure the RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable access list or access list name to the security appliance. Access to a given service is either permitted or denied by the access list. The security appliance deletes the access list when the authentication session expires.

TACACS+ Server Support

The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

SDI Server Support

The RSA SecurID servers are also known as SDI servers.
This section contains the following topics:
• SDI Version Support, page 13-5
• Two-step Authentication Process, page 13-5
• SDI Primary and Replica Servers, page 13-5

SDI Version Support

The security appliance supports SDI Version 5.0 and 6.0. SDI uses the concepts of an SDI primary and SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file has its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended.

A version 5.0 or 6.0 SDI server that you configure on the security appliance can be either the primary or any one of the replicas. See the “SDI Primary and Replica Servers” section on page 13-5 for information about how the SDI agent selects servers to authenticate users.

Two-step Authentication Process

SDI versions 5.0 and 6.0 use a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two security appliances using the same authentication servers simultaneously. After a successful username lock, the security appliance sends the passcode.

SDI Primary and Replica Servers

The security appliance obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The security appliance then assigns priorities to each of the servers on the list, and subsequent server selection is made at random, weighted by those assigned priorities. The highest priority servers have a higher likelihood of being selected.
NT Server Support

The security appliance supports Microsoft Windows server operating systems that support NTLM version 1, collectively referred to as NT servers.

Note NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated. This is a limitation of NTLM version 1.

Kerberos Server Support

The security appliance supports 3DES, DES, and RC4 encryption types.

Note The security appliance does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the security appliance.

For a simple Kerberos server configuration example, see Example 13-2.

LDAP Server Support

This section describes using an LDAP directory with the security appliance for user authentication and VPN authorization. This section includes the following topics:
• Authentication with LDAP, page 13-6
• Authorization with LDAP for VPN, page 13-7
• LDAP Attribute Mapping, page 13-8

For example configuration procedures used to set up LDAP authentication or authorization, see Appendix E, “Configuring an External Server for Authorization and Authentication”.

Authentication with LDAP

During authentication, the security appliance acts as a client proxy to the LDAP server for the user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. By default, the security appliance passes authentication parameters, usually a username and password, to the LDAP server in plain text. Whether using SASL or plain text, you can secure the communications between the security appliance and the LDAP server with SSL using the ldap-over-ssl command.
Note If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference.

When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user. For VPN authentication, these attributes generally include authorization data which is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.

Securing LDAP Authentication with SASL

The security appliance supports the following SASL mechanisms, listed in order of increasing strength:
• Digest-MD5 — The security appliance responds to the LDAP server with an MD5 value computed from the username and password.
• Kerberos — The security appliance responds to the LDAP server by sending the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism.

You can configure the security appliance and LDAP server to support any combination of these SASL mechanisms. If you configure multiple mechanisms, the security appliance retrieves the list of SASL mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism configured on both the security appliance and the server. For example, if both the LDAP server and the security appliance support both mechanisms, the security appliance selects Kerberos, the stronger of the mechanisms.
The following example configures the security appliance for authentication to an LDAP directory server named ldap_dir_1 using the digest-MD5 SASL mechanism, and communicating over an SSL-secured connection:

hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)#

Setting the LDAP Server Type

The security appliance supports LDAP Version 3. In the current release, it is compatible only with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory. In later releases, the security appliance will support other OpenLDAP servers.

By default, the security appliance auto-detects whether it is connected to a Microsoft or a Sun LDAP directory server. However, if auto-detection fails to determine the LDAP server type, and you know the server is either a Microsoft or Sun server, you can manually configure the server type. The following example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:

hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#

Note
• Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
• Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

Authorization with LDAP for VPN

When user LDAP authentication for VPN access has succeeded, the security appliance queries the LDAP server, which returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single step.

There may be cases, however, where you require authorization from an LDAP directory server that is separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate server for authentication, no authorization information is passed back. For user authorizations in this case, you can query an LDAP directory after successful authentication, accomplishing authentication and authorization in two steps.

To set up VPN user authorization using LDAP, you must first create a AAA server group and a tunnel group. You then associate the server and tunnel groups using the tunnel-group general-attributes command. While there are other authorization-related commands and options available for specific requirements, the following example shows fundamental commands for enabling user authorization with LDAP. This example creates an IPSec remote access tunnel group named remote-1, and assigns that new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-general)# authorization-server-group ldap_dir_1
hostname(config-general)#

After you complete this fundamental configuration work, you can configure additional LDAP authorization parameters such as a directory password, a starting point for searching a directory, and the scope of a directory search:

hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-login-dn obscurepassword
hostname(config-aaa-server-host)# ldap-base-dn starthere
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)#

See LDAP commands in the Cisco Security Appliance Command Reference for more information.

LDAP Attribute Mapping

If you are introducing a security appliance to an existing LDAP directory, your existing LDAP attribute names and values probably differ from the Cisco attribute names and values that the security appliance expects. You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as needed. You can also show or clear attribute maps.

Note To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
The following command, entered in global configuration mode, creates an unpopulated LDAP attribute map table named att_map_1:

hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)#

The following commands map the user-defined attribute name department to the Cisco attribute name cVPN3000-IETF-Radius-Class. The second command maps the user-defined attribute value Engineering of the user-defined attribute department to the Cisco-defined attribute value group1.

hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name department cVPN3000-IETF-Radius-Class
hostname(config-ldap-attribute-map)# map-value department Engineering group1
hostname(config-ldap-attribute-map)#

The following commands bind the attribute map att_map_1 to the LDAP server ldap_dir_1:

hostname(config)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-attribute-map att_map_1
hostname(config-aaa-server-host)#

Note The command to create an attribute map (ldap attribute-map) and the command to bind it to an LDAP server (ldap-attribute-map) differ only by a hyphen and the mode.
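To make the effect of map-name and map-value concrete, the following Python is an added example (not Cisco code and not the appliance's implementation): it parses the att_map_1 commands shown above, ignoring the CLI prompts, and applies the resulting map to the attributes an LDAP server might return for a user. Two behaviours are modelling assumptions that the guide does not spell out: an attribute with no map-name entry is dropped, and a mapped attribute whose value has no map-value entry is passed through unchanged. The extra map-name for a user-defined "acl" attribute and the user entries are constructed for the example.

```python
"""LDAP attribute map applied to a directory entry.

Added example, not Cisco code: it parses the map-name and map-value lines
from the att_map_1 commands in the guide (the prompts are ignored) and
applies the map to the attributes an LDAP server might return for a user.
Two assumptions the guide does not spell out: an attribute with no map-name
entry is dropped, and a mapped attribute whose value has no map-value entry
is passed through unchanged. The 'acl' mapping and the user entries are
constructed.
"""
import re
from dataclasses import dataclass, field

MAP_NAME_RE = re.compile(r"^map-name\s+(\S+)\s+(\S+)\s*$")
MAP_VALUE_RE = re.compile(r"^map-value\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class LdapAttributeMap:
    name: str
    names: dict = field(default_factory=dict)    # user-defined attr -> Cisco attr
    values: dict = field(default_factory=dict)   # user-defined attr -> {user value: Cisco value}


def parse_attribute_map(map_name: str, cli_text: str) -> LdapAttributeMap:
    """Build an attribute map from lines entered in ldap-attribute-map mode."""
    amap = LdapAttributeMap(map_name)
    for raw in cli_text.splitlines():
        line = raw.split("# ", 1)[1] if "# " in raw else raw    # drop a CLI prompt
        line = line.strip()
        m = MAP_NAME_RE.match(line)
        if m:
            amap.names[m.group(1)] = m.group(2)
            continue
        m = MAP_VALUE_RE.match(line)
        if m:
            amap.values.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return amap


def apply_attribute_map(amap: LdapAttributeMap, ldap_entry: dict) -> dict:
    """Translate the attributes returned for one user into Cisco attribute
    names and values (see the module docstring for the two assumptions)."""
    out = {}
    for attr, values in ldap_entry.items():
        cisco_attr = amap.names.get(attr)
        if cisco_attr is None:
            continue                                  # unmapped name: dropped
        value_map = amap.values.get(attr, {})
        out[cisco_attr] = [value_map.get(v, v) for v in values]
    return out


# Constructed sample: the guide's att_map_1 commands plus one extra map-name.
SAMPLE_CLI = """\
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name department cVPN3000-IETF-Radius-Class
hostname(config-ldap-attribute-map)# map-value department Engineering group1
hostname(config-ldap-attribute-map)# map-name acl cVPN3000-IETF-Radius-Filter-Id
hostname(config-ldap-attribute-map)#
"""

ATT_MAP_1 = parse_attribute_map("att_map_1", SAMPLE_CLI)


def cisco_attributes_for(ldap_entry: dict) -> dict:
    """Apply ATT_MAP_1 to one (constructed) user entry."""
    return apply_attribute_map(ATT_MAP_1, ldap_entry)
```

The pass-through case is the one to watch when reviewing a map: a department value with no map-value entry (Sales in the test below) reaches the appliance as the raw directory string, so every value the directory can hold for a mapped attribute should have an explicit map-value entry, or the appliance will act on names it was never meant to see.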
The following commands display or clear all LDAP attribute maps in the running configuration:

hostname# show running-config all ldap attribute-map
hostname(config)# clear configuration ldap attribute-map
hostname(config)#

The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes they would commonly be mapped to include:

cVPN3000-IETF-Radius-Class — Department or user group
cVPN3000-IETF-Radius-Filter-Id — Access control list
cVPN3000-IETF-Radius-Framed-IP-Address — A static IP address
cVPN3000-IPSec-Banner1 — An organization title
cVPN3000-Tunneling-Protocols — Allow or deny dial-in

For a list of Cisco LDAP attribute names and values, see Appendix E, “Configuring an External Server for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode to display the complete list of Cisco LDAP attribute names, as shown in the following example:

hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name att_map_1 ?

ldap mode commands/options:
cisco-attribute-names:
  cVPN3000-Access-Hours
  cVPN3000-Allow-Network-Extension-Mode
  cVPN3000-Auth-Service-Type
  cVPN3000-Authenticated-User-Idle-Timeout
  cVPN3000-Authorization-Required
  cVPN3000-Authorization-Type
  :
  :
  cVPN3000-X509-Cert-Data
hostname(config-ldap-attribute-map)#

SSO Support for WebVPN with HTTP Forms

The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only once to access multiple protected services and Web servers. The WebVPN server running on the security appliance acts as a proxy for the user to the authenticating server.
When a user logs in, the WebVPN server sends an SSO authentication request, including username and password, to the authenticating server using HTTPS. If the server approves the authentication request, it returns an SSO authentication cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server.

In addition to the HTTP Form protocol, WebVPN administrators can choose to configure SSO with the HTTP Basic and NTLM authentication protocols (the auto-signon command), or with Computer Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder) as well. For an in-depth discussion of configuring SSO with either HTTP Forms, auto-signon or SiteMinder, see the Configuring WebVPN chapter.

Local Database Support

The security appliance maintains a local database that you can populate with user profiles. This section contains the following topics:
• User Profiles, page 13-10
• Fallback Support, page 13-10

User Profiles

User profiles contain, at a minimum, a username. Typically, a password is assigned to each username, although passwords are optional. The username attributes command lets you enter the username mode. In this mode, you can add other information to a specific user profile. The information you can add includes VPN-related attributes, such as a VPN session timeout value.

Fallback Support

The local database can act as a fallback method for several functions. This behavior is designed to help you prevent accidental lockout from the security appliance. For users who need fallback support, we recommend that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support.
Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that differ from the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:
• Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group are all unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.
• Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.
• VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general-attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When the VPN client of an administrator specifies a tunnel group configured to fall back to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

Configuring the Local Database

This section describes how to manage users in the local database. You can use the local database for CLI access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization.
You cannot use the local database for network access authorization. The local database does not support accounting.

For multiple context mode, you can configure usernames in the system execution space to provide individual logins using the login command; however, you cannot configure any aaa commands in the system execution space.

Caution If you add to the local database users who can gain access to the CLI but who should not be allowed to enter privileged mode, enable command authorization. (See the “Configuring Local Command Authorization” section on page 40-8.) Without command authorization, users can access privileged mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication so that the user cannot use the login command, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged mode.

To define a user account in the local database, perform the following steps:

Step 1 Create the user account. To do so, enter the following command:

hostname(config)# username name {nopassword | password password [mschap]} [privilege priv_level]

where the options are as follows:
• username—A string from 4 to 64 characters long.
• password password—A string from 3 to 16 characters long.
• mschap—Specifies that the password will be converted to unicode and hashed using MD4 after you enter it. Use this keyword if users are authenticated using MSCHAPv1 or MSCHAPv2.
• privilege level—The privilege level that you want to assign to the new user account (from 0 to 15). The default is 2. This privilege level is used with command authorization.
• nopassword—Creates a user account with no password.
The encrypted and nt-encrypted keywords are typically for display only. When you define a password in the username command, the security appliance encrypts it when it saves it to the configuration for security purposes. When you enter the show running-config command, the username command does not show the actual password; it shows the encrypted password followed by the encrypted or nt-encrypted keyword (when you specify mschap). For example, if you enter the password “test,” the show running-config display would appear to be something like the following:

username pat password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted

The only time you would actually enter the encrypted or nt-encrypted keyword at the CLI is if you are cutting and pasting a configuration to another security appliance and you are using the same password.

Step 2 To configure a local user account with VPN attributes, follow these steps:

a. Enter the following command:

hostname(config)# username username attributes

When you enter a username attributes command, you enter username mode. The commands available in this mode are as follows:
• group-lock
• password-storage
• vpn-access-hours
• vpn-filter
• vpn-framed-ip-address
• vpn-group-policy
• vpn-idle-timeout
• vpn-session-timeout
• vpn-simultaneous-logins
• vpn-tunnel-protocol
• webvpn

Use these commands as needed to configure the user profile. For more information about these commands, see the Cisco Security Appliance Command Reference.

b. When you have finished configuring the user profiles, enter exit to return to config mode.
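The mschap keyword in Step 1 says the password is converted to Unicode and hashed with MD4, and the running-configuration line above shows what the password "test" becomes. The following Python is an added example, not Cisco code and not the appliance's implementation: it implements MD4 (RFC 1320) directly, because the md4 algorithm is missing from hashlib on many OpenSSL 3 builds, hashes the UTF-16LE form of the password and base64-encodes the 16-byte digest, which reproduces the guide's DLaUiAX3l78qgoB5c7iVNw== string. It then uses the fact that this hash is unsalted for a configuration audit: accounts whose nt-encrypted values are identical share a password. The user names in the test are constructed; lines with the plain encrypted keyword are skipped because the guide does not describe that format.

```python
"""NT-style password hash behind the 'nt-encrypted' keyword.

Added example, not Cisco code and not the appliance's implementation: the
guide says that with 'mschap' the password is converted to Unicode and hashed
with MD4, and shows "test" stored as DLaUiAX3l78qgoB5c7iVNw== nt-encrypted.
This block implements MD4 (RFC 1320) directly, hashes the UTF-16LE password
and base64-encodes the digest, which reproduces that string. User names in
the sample configuration are constructed.
"""
import base64
import re
import struct


def md4(data: bytes) -> bytes:
    """MD4 digest of `data`, per RFC 1320."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):            # round 1 function (select)
        return (x & y) | (~x & z)

    def g(x, y, z):            # round 2 function (majority)
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):            # round 3 function (parity)
        return x ^ y ^ z

    # Padding: 0x80, zero bytes up to 56 mod 64, then the bit length little-endian.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    # (function, message-word order, per-step shifts, additive constant) per round
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c     # rotate so the next step updates the next word
        a0, b0, c0, d0 = ((a0 + a) & mask, (b0 + b) & mask,
                          (c0 + c) & mask, (d0 + d) & mask)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password_hash(password: str) -> str:
    """The 'nt-encrypted' form: base64 of MD4 over the UTF-16LE password."""
    return base64.b64encode(md4(password.encode("utf-16-le"))).decode("ascii")


def username_line(user: str, password: str) -> str:
    """The username line as show running-config would display it for an mschap user."""
    return f"username {user} password {nt_password_hash(password)} nt-encrypted"


# "username pat password <hash> nt-encrypted ..." lines in a saved configuration
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)\s+nt-encrypted\b")


def shared_password_groups(config_text: str) -> list:
    """Groups of users whose nt-encrypted values are identical. MD4 over the
    password alone is unsalted, so equal strings mean equal passwords; this
    is the same property that lets the line be pasted to another appliance."""
    by_hash = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            by_hash.setdefault(m.group(2), []).append(m.group(1))
    return [users for users in by_hash.values() if len(users) > 1]
```

Because the stored value is a plain, unsalted hash of the password, a saved configuration that contains nt-encrypted lines needs the same handling as the passwords themselves, and a reuse check such as shared_password_groups belongs in the review of any exported configuration.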
For example, the following command assigns a privilege level of 15 to the admin user account:

hostname(config)# username admin password passw0rd privilege 15

The following command creates a user account with no password:

hostname(config)# username bcham34 nopassword

The following commands create a user account with a password, enter username mode, and specify a few VPN attributes:

hostname(config)# username rwilliams password gOgeOus
hostname(config)# username rwilliams attributes
hostname(config-username)# vpn-tunnel-protocol IPSec
hostname(config-username)# vpn-simultaneous-logins 6
hostname(config-username)# exit

Identifying AAA Server Groups and Servers

If you want to use an external AAA server for authentication, authorization, or accounting, you must first create at least one AAA server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name. Each server group is specific to one type of server: Kerberos, LDAP, NT, RADIUS, SDI, or TACACS+.

The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.

To create a server group and add AAA servers to it, follow these steps:

Step 1 For each AAA server group you need to create, follow these steps:

a. Identify the server group name and the protocol. To do so, enter the following command:

hostname(config)# aaa-server server_group protocol {kerberos | ldap | nt | radius | sdi | tacacs+}

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.

When you enter a aaa-server protocol command, you enter group mode.

b. If you want to specify the maximum number of requests sent to a AAA server in the group before trying the next server, enter the following command:

hostname(config-aaa-server-group)# max-failed-attempts number

The number can be between 1 and 5. The default is 3.

If you configured a fallback method using the local database (for management access only; see the “Configuring AAA for System Administrators” section on page 40-5 and the “Configuring TACACS+ Command Authorization” section on page 40-11 to configure the fallback mechanism), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step. If you do not have a fallback method, the security appliance continues to retry the servers in the group.

c. If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:

hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}

Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default is 10 minutes. The timed keyword reactivates failed servers after 30 seconds of down time.

d. If you want to send accounting messages to all servers in the group (RADIUS or TACACS+ only), enter the following command:

hostname(config-aaa-server-group)# accounting-mode simultaneous

To restore the default of sending messages only to the active server, enter the accounting-mode single command.

Step 2 For each AAA server on your network, follow these steps:

a. Identify the server, including the AAA server group it belongs to. To do so, enter the following command:

hostname(config)# aaa-server server_group (interface_name) host server_ip

When you enter a aaa-server host command, you enter host mode.

b. As needed, use host mode commands to further configure the AAA server. The commands in host mode do not apply to all AAA server types. Table 13-2 lists the available commands, the server types they apply to, and whether a new AAA server definition has a default value for that command. Where a command is applicable to the server type you specified and no default value is provided (indicated by “—”), use the command to specify the value. For more information about these commands, see the Cisco Security Appliance Command Reference.

Example 13-1 shows commands that add one TACACS+ group with one primary and one backup server, one RADIUS group with a single server, and an NT domain server.
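To make the group behaviour in Steps 1b and 1c concrete, the following Python model (an added example, not Cisco code) simulates server ordering, max-failed-attempts, reactivation-mode depletion/timed and the LOCAL fallback for management authentication; server reachability is a constructed callable supplied by the caller, and the group values mirror those used in Example 13-1.

```python
"""Model of how a security appliance AAA server group handles unreachable
servers (added example, not Cisco code). It follows the rules described above:
servers are tried in configured order, max-failed-attempts (1-5, default 3)
requests go to a server before the next one is tried, an exhausted group falls
back to LOCAL (management authentication only) and stays unresponsive for the
deadtime, and reactivation-mode depletion [deadtime] / timed re-enables
servers. Reachability is supplied by the caller, so the model runs offline."""
from dataclasses import dataclass
from typing import Callable, List, Optional

TIMED_REACTIVATION_SECONDS = 30   # "timed": a failed server is retried after 30 s
DEFAULT_DEADTIME_MINUTES = 10     # "depletion": default unresponsive period


@dataclass
class AaaServer:
    host: str
    failed_at: Optional[float] = None   # None means the server is active

    @property
    def active(self) -> bool:
        return self.failed_at is None


@dataclass
class AaaResult:
    outcome: str         # "AUTH:<host>", "LOCAL" or "DENY"
    requests_sent: int   # requests actually sent to AAA servers


class AaaServerGroup:
    def __init__(self, name: str, hosts: List[str], max_failed_attempts: int = 3,
                 reactivation_mode: str = "depletion",
                 deadtime_minutes: int = DEFAULT_DEADTIME_MINUTES,
                 local_fallback: bool = False):
        if not 1 <= max_failed_attempts <= 5:
            raise ValueError("max-failed-attempts must be between 1 and 5")
        if reactivation_mode not in ("depletion", "timed"):
            raise ValueError("reactivation-mode must be depletion or timed")
        if not 0 <= deadtime_minutes <= 1440:
            raise ValueError("deadtime must be between 0 and 1440 minutes")
        self.name = name
        self.servers = [AaaServer(h) for h in hosts]   # kept in configured order
        self.max_failed_attempts = max_failed_attempts
        self.reactivation_mode = reactivation_mode
        self.deadtime_seconds = deadtime_minutes * 60
        self.local_fallback = local_fallback

    def active_servers(self) -> List[AaaServer]:
        return [s for s in self.servers if s.active]

    def _reactivate(self, now: float) -> None:
        """Apply the reactivation policy before a new request is handled."""
        if self.reactivation_mode == "timed":
            for s in self.servers:
                if not s.active and now - s.failed_at >= TIMED_REACTIVATION_SECONDS:
                    s.failed_at = None
            return
        # depletion: re-enable all servers only once every server is down
        # and the deadtime since the last one failed has elapsed
        if not self.servers or self.active_servers():
            return
        if now - max(s.failed_at for s in self.servers) >= self.deadtime_seconds:
            for s in self.servers:
                s.failed_at = None

    def authenticate(self, now: float,
                     reachable: Callable[[str], bool]) -> AaaResult:
        """Handle one AAA request at time `now` (seconds); `reachable(host)`
        stands in for the server answering a request."""
        self._reactivate(now)
        if not self.active_servers():
            if self.local_fallback:
                # unresponsive group: the fallback is used without contacting it
                return AaaResult("LOCAL", 0)
            for s in self.servers:       # no fallback: keep retrying the servers
                s.failed_at = None
        sent = 0
        for server in self.active_servers():
            for _ in range(self.max_failed_attempts):
                sent += 1
                if reachable(server.host):
                    return AaaResult(f"AUTH:{server.host}", sent)
            server.failed_at = now       # attempts exhausted: mark it inactive
        return AaaResult("LOCAL" if self.local_fallback else "DENY", sent)
```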
Example 13-1 Multiple AAA Server Groups and Servers

hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname(config-aaa-server-host)# key TACPlusUauthKey2
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)# exit

Table 13-2 Host Mode Commands, Server Types, and Defaults

Command                     Applicable AAA Server Types   Default Value
accounting-port             RADIUS                        1646
acl-netmask-convert         RADIUS                        standard
authentication-port         RADIUS                        1645
kerberos-realm              Kerberos                      —
key                         RADIUS                        —
                            TACACS+                       —
ldap-attribute-map          LDAP                          —
ldap-base-dn                LDAP                          —
ldap-login-dn               LDAP                          —
ldap-login-password         LDAP                          —
ldap-naming-attribute       LDAP                          —
ldap-over-ssl               LDAP                          —
ldap-scope                  LDAP                          —
nt-auth-domain-controller   NT                            —
radius-common-pw            RADIUS                        —
retry-interval              Kerberos                      10 seconds
                            RADIUS                        10 seconds
                            SDI                           10 seconds
sasl-mechanism              LDAP                          —
server-port                 Kerberos                      88
                            LDAP                          389
                            NT                            139
                            SDI                           5500
                            TACACS+                       49
server-type                 LDAP                          auto-discovery
timeout                     All                           10 seconds

Example 13-2 shows commands that
configure a Kerberos AAA server group named watchdogs, add a AAA server to the group, and define the Kerberos realm for the server. Because Example 13-2 does not define a retry interval or the port that the Kerberos server listens to, the security appliance uses the default values for these two server-specific parameters. Table 13-2 lists the default values for all AAA server host mode commands.

Note Kerberos realm names use numbers and upper-case letters only. Although the security appliance accepts lower-case letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure to use upper-case letters only.

Example 13-2 Kerberos Server Group and Server

hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)#

Using Certificates and User Login Credentials

The following section describes the different methods of using certificates and user login credentials (username and password) for authentication and authorization. This applies to both IPSec and WebVPN. In all cases, LDAP authorization does not use the password as a credential. RADIUS authorization uses either a common password for all users or the username as a password.

Using User Login Credentials

The default method for authentication and authorization uses the user login credentials.

• Authentication
  – Enabled by authentication server group setting
  – Uses the username and password as credentials
• Authorization
  – Enabled by authorization server group setting
  – Uses the username as a credential

Using certificates

If user digital certificates are configured, the security appliance first validates the certificate.
It does not, however, use any of the DNs from the certificates as a username for the authentication.

If both authentication and authorization are enabled, the security appliance uses the user login credentials for both user authentication and authorization.

• Authentication
  – Enabled by authentication server group setting
  – Uses the username and password as credentials
• Authorization
  – Enabled by authorization server group setting
  – Uses the username as a credential

If authentication is disabled and authorization is enabled, the security appliance uses the primary DN field for authorization.

• Authentication
  – DISABLED (set to None) by authentication server group setting
  – No credentials used
• Authorization
  – Enabled by authorization server group setting
  – Uses the username value of the certificate primary DN field as a credential

Note If the primary DN field is not present in the certificate, the security appliance uses the secondary DN field value as the username for the authorization request.

For example, consider a user certificate that contains the following Subject DN fields and values:

Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com

If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the username used in the authorization request would be anyuser@example.com.

Supporting a Zone Labs Integrity Server

This section introduces the Zone Labs Integrity Server, also called Check Point Integrity Server, and presents an example procedure for configuring the security appliance to support the Zone Labs Integrity Server. The Integrity server is a central management station for configuring and enforcing security policies on remote PCs. If a remote PC does not conform to the security policy dictated by the Integrity Server, it will not be granted access to the private network protected by the Integrity Server and security appliance.
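The primary/secondary DN selection described in the “Using certificates” passage above, as an added Python example (not Cisco code): it parses a subject DN in the format of the quoted example and returns the username an authorization request would carry, falling back to the secondary field when the primary one is absent. The DN separators and case handling are assumptions based on that example; escaped separators inside values are not handled.

```python
"""Username selection for certificate-based authorization (added example, not
Cisco code). With authentication disabled and authorization enabled, the
username sent to the AAA server is the value of the configured primary DN
field, or the secondary DN field when the primary is absent from the
certificate. DN components may be separated by ',' or ';' and attribute names
are compared case-insensitively, as in the page's sample DN (assumption)."""
import re
from typing import Dict, Optional

SEPARATORS = re.compile(r"[,;]")


def parse_subject_dn(subject_dn: str) -> Dict[str, str]:
    """Parse 'Cn=anyuser,OU=sales;...' into an upper-cased attribute map."""
    fields: Dict[str, str] = {}
    for part in SEPARATORS.split(subject_dn):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        fields[name.strip().upper()] = value.strip()
    return fields


def authorization_username(subject_dn: str, primary: str,
                           secondary: str) -> Optional[str]:
    """Return the username the authorization request would carry, or None
    when neither configured DN field is present in the certificate."""
    fields = parse_subject_dn(subject_dn)
    for field in (primary.upper(), secondary.upper()):
        if field in fields:
            return fields[field]
    return None


# Constructed sample, matching the subject DN quoted above.
SAMPLE_DN = ("Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;"
             "ea=anyuser@example.com")

if __name__ == "__main__":
    # Primary DN = EA, Secondary DN = CN, as in the text.
    print(authorization_username(SAMPLE_DN, "EA", "CN"))   # anyuser@example.com
```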
This section includes the following topics:

• Overview of Integrity Server and Security Appliance Interaction, page 13-17
• Configuring Integrity Server Support, page 13-17

Overview of Integrity Server and Security Appliance Interaction

The VPN client software and the Integrity client software are co-resident on a remote PC. The following steps summarize the actions of the remote PC, security appliance, and Integrity server in the establishment of a session between the PC and the enterprise private network:

1. The VPN client software (residing on the same remote PC as the Integrity client software) connects to the security appliance and tells the security appliance what type of firewall client it is.
2. Once it approves the client firewall type, the security appliance passes Integrity server address information back to the Integrity client.
3. With the security appliance acting as a proxy, the Integrity client establishes a restricted connection with the Integrity server. A restricted connection is only between the Integrity client and server.
4. The Integrity server determines if the Integrity client is in compliance with the mandated security policies. If the client is in compliance with security policies, the Integrity server instructs the security appliance to open the connection and provide the client with connection details.
5. On the remote PC, the VPN client passes connection details to the Integrity client and signals that policy enforcement should begin immediately and the client can now enter the private network.
6. Once the connection is established, the server continues to monitor the state of the client using client heartbeat messages.
Note The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.

Configuring Integrity Server Support

This section describes an example procedure for configuring the security appliance to support the Zone Labs Integrity Servers. The procedure involves configuring address, port, connection fail timeout and fail states, and SSL certificate parameters.

First, you must configure the hostname or IP address of the Integrity server. The following example commands, entered in global configuration mode, configure an Integrity server using the IP address 10.0.0.5. They also specify port 300 (the default port is 5054) and the inside interface for communications with the Integrity server.

hostname(config)# zonelabs-integrity server-address 10.0.0.5
hostname(config)# zonelabs-integrity port 300
hostname(config)# zonelabs-integrity interface inside
hostname(config)#

If the connection between the security appliance and the Integrity server fails, the VPN client connections remain open by default so that the enterprise VPN is not disrupted by the failure of an Integrity server. However, you may want to close the VPN connections if the Zone Labs Integrity Server fails.
The following commands ensure that the security appliance waits 12 seconds for a response from either the active or standby Integrity servers before declaring the Integrity server as failed and closing the VPN client connections:

hostname(config)# zonelabs-integrity fail-timeout 12
hostname(config)# zonelabs-integrity fail-close
hostname(config)#

The following command returns the configured VPN client connection fail state to the default and ensures the client connections remain open:

hostname(config)# zonelabs-integrity fail-open
hostname(config)#

The following example commands specify that the Integrity server connects to port 300 (default is port 80) on the security appliance to request the server SSL certificate. While the server SSL certificate is always authenticated, these commands also specify that the client SSL certificate of the Integrity server be authenticated.

hostname(config)# zonelabs-integrity ssl-certificate-port 300
hostname(config)# zonelabs-integrity ssl-client-authentication
hostname(config)#

To set the firewall client type to the Zone Labs Integrity type, use the client-firewall command as described in the “Configuring Firewall Policies” section on page 30-55. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity server determines the policies.

CHAPTER 14

Configuring Failover

This chapter describes the security appliance failover feature, which lets you configure two security appliances so that one takes over operation if the other one fails.

Note The ASA 5505 series adaptive security appliance does not support Stateful Failover or Active/Active failover.
This chapter includes the following sections:

• Understanding Failover, page 14-1
• Configuring Failover, page 14-19
• Controlling and Monitoring Failover, page 14-49

For failover configuration examples, see Appendix B, “Sample Configurations.”

Understanding Failover

The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

The security appliance supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover. With Active/Active failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active failover is only available on units running in multiple context mode. With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.

Note VPN failover is not supported on units running in multiple context mode. VPN failover is available for Active/Standby failover configurations only.
This section includes the following topics:

• Failover System Requirements, page 14-2
• The Failover and Stateful Failover Links, page 14-3
• Active/Active and Active/Standby Failover, page 14-6
• Regular and Stateful Failover, page 14-15
• Failover Health Monitoring, page 14-16
• Failover Feature/Platform Matrix, page 14-18
• Failover Times by Platform, page 14-18

Failover System Requirements

This section describes the hardware, software, and license requirements for security appliances in a failover configuration. This section contains the following topics:

• Hardware Requirements, page 14-2
• Software Requirements, page 14-2
• License Requirements, page 14-2

Hardware Requirements

The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM.

Note The two units do not have to have the same size Flash memory. If using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.

Software Requirements

The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.
See the “Performing Zero Downtime Upgrades for Failover Pairs” section on page 41-6 for more information about upgrading the software on a failover pair.

License Requirements

On the PIX 500 series security appliance, at least one of the units must have an unrestricted (UR) license. The other unit can have a Failover Only (FO) license, a Failover Only Active-Active (FO_AA) license, or another UR license. Units with a Restricted license cannot be used for failover, and two units with FO or FO_AA licenses cannot be used together as a failover pair.

Note The FO license does not support Active/Active failover.

The FO and FO_AA licenses are intended to be used solely for units in a failover configuration and not for units in standalone mode. If a failover unit with one of these licenses is used in standalone mode, the unit reboots at least once every 24 hours until the unit is returned to failover duty. A unit with an FO or FO_AA license operates in standalone mode if it is booted without being connected to a failover peer with a UR license. If the unit with a UR license in a failover pair fails and is removed from the configuration, the unit with the FO or FO_AA license does not automatically reboot every 24 hours; it operates uninterrupted unless it is manually rebooted.

When the unit automatically reboots, the following message displays on the console:

=========================NOTICE=========================
This machine is running in secondary mode without
a connection to an active primary PIX. Please
check your connection to the primary system.
REBOOTING....
========================================================

The ASA 5500 series adaptive security appliance platform does not have this restriction.
The Failover and Stateful Failover Links

This section describes the failover and the Stateful Failover links, which are dedicated connections between the two units in a failover configuration. This section includes the following topics:

• Failover Link, page 14-3
• Stateful Failover Link, page 14-5

Failover Link

The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:

• The unit state (active or standby).
• Power status (cable-based failover only—available only on the PIX 500 series security appliance).
• Hello messages (keep-alives).
• Network link status.
• MAC address exchange.
• Configuration replication and synchronization.

Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the security appliance to terminate VPN tunnels.

On the PIX 500 series security appliance, the failover link can be either a LAN-based connection or a dedicated serial Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can only be a LAN-based connection.
This section includes the following topics:

• LAN-Based Failover Link, page 14-4
• Serial Cable Failover Link (PIX Security Appliance Only), page 14-4

LAN-Based Failover Link

You can use any unused Ethernet interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The LAN failover link interface is not configured as a normal networking interface. It exists for failover communication only. This interface should only be used for the LAN failover link (and optionally for the stateful failover link).

Connect the LAN failover link in one of the following two ways:

• Using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the LAN failover interfaces of the ASA.
• Using a crossover Ethernet cable to connect the appliances directly, without the need for an external switch.

Note When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

Note The ASA supports Auto-MDI/MDIX on its copper Ethernet ports, so you can either use a crossover cable or a straight-through cable. If you use a straight-through cable, the interface automatically detects the cable and swaps one of the transmit/receive pairs to MDIX.

Serial Cable Failover Link (PIX Security Appliance Only)

The serial Failover cable, or “cable-based failover,” is only available on the PIX 500 series security appliance. If the two units are within six feet of each other, then we recommend that you use the serial Failover cable.

The cable that connects the two units is a modified RS-232 serial link cable that transfers data at 117,760 bps (115 Kbps). One end of the cable is labeled “Primary”. The unit attached to this end of the cable automatically becomes the primary unit.
The other end of the cable is labeled “Secondary”. The unit attached to this end of the cable automatically becomes the secondary unit. You cannot override these designations in the PIX 500 series security appliance software. If you purchased a PIX 500 series security appliance failover bundle, this cable is included. To order a spare, use part number PIX-FO=.

The benefits of using cable-based failover include:

• The PIX 500 series security appliance can immediately detect a power loss on the peer unit and differentiate a power loss from an unplugged cable.
• The standby unit can communicate with the active unit and can receive the entire configuration without having to be bootstrapped for failover. In LAN-based failover you need to configure the failover link on the standby unit before it can communicate with the active unit.
• The switch between the two units in LAN-based failover can be another point of hardware failure; cable-based failover eliminates this potential point of failure.
• You do not have to dedicate an Ethernet interface (and switch) to the failover link.
• The cable determines which unit is primary and which is secondary, eliminating the need to manually enter that information in the unit configurations.

The disadvantages include:

• Distance limitation—the units cannot be separated by more than 6 feet.
• Slower configuration replication.

Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:

• You can use a dedicated Ethernet interface for the Stateful Failover link.
• If you are using LAN-based failover, you can share the failover link.
• You can share a regular data interface, such as the inside interface. However, this option is not recommended.
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.

Note Enable the PortFast option on Cisco switch ports that connect directly to the security appliance.

If you use a data interface as the Stateful Failover link, you receive the following warning when you specify that interface as the Stateful Failover link:

******* WARNING ***** WARNING ******* WARNING ****** WARNING *********
Sharing Stateful failover interface with regular data interface is not
a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********

Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment.

Note Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.

In multiple context mode, the Stateful Failover link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.

Note The IP address and MAC address for the Stateful Failover link do not change at failover unless the Stateful Failover link is configured on a regular data interface.

Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the security appliance to terminate VPN tunnels.

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for Cisco PIX security appliances and Cisco ASA adaptive security appliances:

• Cisco ASA 5520/5540/5550 and PIX 515E/535
  – The stateful link speed should match the fastest data link
• Cisco ASA 5510 and PIX 525
  – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

For optimum performance when using long distance LAN failover, the latency for the failover link should be less than 10 milliseconds and no more than 250 milliseconds. If latency is more than 10 milliseconds, some performance degradation occurs due to retransmission of failover messages.

All platforms support sharing of failover heartbeat and stateful link, but we recommend using a separate heartbeat link on systems with high Stateful Failover traffic.

Active/Active and Active/Standby Failover

This section describes each failover configuration in detail.
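The two cautions in the failover link sections above (failover traffic crossing the link in clear text when no failover key is set, and a Stateful Failover link placed on an interface that also carries data) can be checked mechanically before a pair goes into service. The following Python lint is an added example, not Cisco code, run over a constructed running-config excerpt; the syntax of the failover key, failover lan interface and failover link commands is assumed from the ASA CLI rather than taken from this page.

```python
"""Lint for failover settings in an ASA running configuration (added example,
not Cisco code). It flags the two risks described above:
  1. failover enabled with no 'failover key', so failover and Stateful
     Failover traffic (including VPN usernames, passwords and preshared keys)
     crosses the link in clear text;
  2. 'failover lan interface' or 'failover link' placed on an interface that
     has a nameif, i.e. one that is also a data interface.
The command syntax for 'failover key', 'failover lan interface <name> <phys>'
and 'failover link <name> <phys>' is assumed from the ASA CLI; the sample
configuration is constructed for this example."""
import re
from typing import Dict, List, Optional

# Constructed sample: the Stateful Failover link shares the inside interface
# and no failover key is configured.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 description LAN failover link
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link stateful GigabitEthernet0/1
"""

# Corrected version: stateful link shares the dedicated failover link (allowed
# by the text above) and a failover key secures the communication.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "failover link stateful GigabitEthernet0/1",
    "failover link stateful GigabitEthernet0/2") + "failover key S3cretFailoverKey\n"

FAILOVER_IF_RE = re.compile(r"failover (lan interface|link) \S+ (\S+)$")


def parse_named_interfaces(config: str) -> Dict[str, str]:
    """Map physical interface -> nameif for every interface that has a name."""
    named: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
        elif raw.startswith(" ") and current is not None:
            body = raw.strip()
            if body.startswith("nameif "):
                named[current] = body.split(None, 1)[1].strip()
        else:
            current = None   # any other top-level command ends the interface block
    return named


def lint_failover(config: str) -> List[str]:
    """Return one finding string per problem found; empty list means clean."""
    findings: List[str] = []
    lines = [line.strip() for line in config.splitlines()]
    if "failover" in lines and not any(l.startswith("failover key ") for l in lines):
        findings.append("failover is enabled without a 'failover key': failover and "
                        "Stateful Failover traffic is sent in clear text")
    named = parse_named_interfaces(config)
    for line in lines:
        m = FAILOVER_IF_RE.match(line)
        if not m:
            continue
        kind, phys = m.groups()
        if phys not in named:
            continue   # dedicated interface with no nameif: fine
        if kind == "lan interface":
            findings.append(f"'{line}': {phys} is already named '{named[phys]}'; "
                            "the failover link cannot be an interface configured with a name")
        else:
            findings.append(f"'{line}': Stateful Failover link shares data interface "
                            f"'{named[phys]}' ({phys}), which is not recommended "
                            "(replay exposure and performance impact)")
    return findings


if __name__ == "__main__":
    for finding in lint_failover(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", lint_failover(HARDENED_CONFIG))
```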
This section includes the following topics:

• Active/Standby Failover, page 14-6
• Active/Active Failover, page 14-10
• Determining Which Type of Failover to Use, page 14-15

Active/Standby Failover

This section describes Active/Standby failover and includes the following topics:

• Active/Standby Failover Overview, page 14-6
• Primary/Secondary Status and Active/Standby Status, page 14-7
• Device Initialization and Configuration Synchronization, page 14-7
• Command Replication, page 14-8
• Failover Triggers, page 14-9
• Failover Actions, page 14-9

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Note For multiple context mode, the security appliance can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.

Primary/Secondary Status and Active/Standby Status

The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses to use and which unit actively passes traffic.
However, a few differences exist between the units based on which unit is primary (as specified in the configuration) and which unit is secondary:

• The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health).
• The primary unit MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active, and cannot obtain the primary unit MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.

Device Initialization and Configuration Synchronization

Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations are always synchronized from the active unit to the standby unit. When the standby unit completes its initial startup, it clears its running configuration (except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.

The active unit is determined by the following:

• If a unit boots and detects a peer already running as active, it becomes the standby unit.
• If a unit boots and does not detect a peer, it becomes the active unit.
• If both units boot simultaneously, then the primary unit becomes the active unit and the secondary unit becomes the standby unit.

Note If the secondary unit boots without detecting the primary unit, it becomes the active unit. It uses its own MAC addresses for the active IP addresses. However, when the primary unit becomes available, the secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the “Configuring Virtual MAC Addresses” section on page 14-26 for more information.
When the replication starts, the security appliance console on the active unit displays the message “Beginning configuration replication: Sending to mate,” and when it is complete, the security appliance displays the message “End Configuration Replication to mate.” During replication, commands entered on the active unit may not replicate properly to the standby unit, and commands entered on the standby unit may be overwritten by the configuration being replicated from the active unit. Avoid entering commands on either unit in the failover pair during the configuration replication process. Depending upon the size of the configuration, replication can take from a few seconds to several minutes.

On the standby unit, the configuration exists only in running memory. To save the configuration to Flash memory after synchronization:
• For single context mode, enter the write memory command on the active unit. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.
• For multiple context mode, enter the write memory all command on the active unit from the system execution space. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Using the all keyword with this command causes the system and all context configurations to be saved.

Note: Startup configurations saved on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit, where they become available when the unit reloads.

Command Replication

Command replication always flows from the active unit to the standby unit.
As commands are entered on the active unit, they are sent across the failover link to the standby unit. You do not have to save the active configuration to Flash memory to replicate the commands.

The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory

The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show

Note: Changes made on the standby unit are not replicated to the active unit. If you enter a command on the standby unit, the security appliance displays the message “**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.” This message displays even when you enter many commands that do not affect the configuration.

If you enter the write standby command on the active unit, the standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.

For multiple context mode, when you enter the write standby command in the system execution space, all contexts are replicated. If you enter the write standby command within a context, the command replicates only the context configuration.

Replicated commands are stored in the running configuration. To save the replicated commands to the Flash memory on the standby unit:
• For single context mode, enter the copy running-config startup-config command on the active unit.
The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory.
• For multiple context mode, enter the copy running-config startup-config command on the active unit from the system execution space and within each context on disk. The command is replicated to the standby unit, which proceeds to write its configuration to Flash memory. Contexts with startup configurations on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the contexts on disk from the active unit to an external server, and then copy them to disk on the standby unit.

Failover Triggers

The unit can fail if one of the following events occurs:
• The unit has a hardware failure or a power failure.
• The unit has a software failure.
• Too many monitored interfaces fail.
• The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.

Failover Actions

In Active/Standby failover, failover occurs on a unit basis. Even on systems running in multiple context mode, you cannot fail over individual or groups of contexts.

Table 14-1 shows the failover action for each failure event. For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions.

Table 14-1 Failover Behavior

Failure Event | Policy | Active Action | Standby Action | Notes
Active unit failed (power or hardware) | Failover | n/a | Become active; mark active as failed | No hello messages are received on any monitored interface or the failover link.
Formerly active unit recovers | No failover | Become standby | No action | None.
Standby unit failed (power or hardware) | No failover | Mark standby as failed | n/a | When the standby unit is marked as failed, then the active unit does not attempt to fail over, even if the interface failure threshold is surpassed.
Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Failover link failed at startup | No failover | Mark failover interface as failed | Become active | If the failover link is down at startup, both units become active.
Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Interface failure on active unit above threshold | Failover | Mark active as failed | Become active | None.
Interface failure on standby unit above threshold | No failover | No action | Mark standby as failed | When the standby unit is marked as failed, then the active unit does not attempt to fail over even if the interface failure threshold is surpassed.

Active/Active Failover

This section describes Active/Active failover. This section includes the following topics:
• Active/Active Failover Overview, page 14-10
• Primary/Secondary Status and Active/Standby Status, page 14-11
• Device Initialization and Configuration Synchronization, page 14-11
• Command Replication, page 14-12
• Failover Triggers, page 14-13
• Failover Actions, page 14-14

Active/Active Failover Overview

Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.

In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.

Note: A failover group failing on a unit does not mean that the unit has failed. The unit may still have another failover group passing traffic on it.

When creating the failover groups, you should create them on the unit that will have failover group 1 in the active state.

Note: Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Primary/Secondary Status and Active/Standby Status

As in Active/Standby failover, one unit in an Active/Active failover pair is designated the primary unit, and the other unit the secondary unit. Unlike Active/Standby failover, this designation does not indicate which unit becomes active when both units start simultaneously. Instead, the primary/secondary designation does two things:
• Determines which unit provides the running configuration to the pair when they boot simultaneously.
• Determines on which unit each failover group appears in the active state when the units boot simultaneously.

Each failover group in the configuration is configured with a primary or secondary unit preference. You can configure both failover groups to be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, distributing the traffic across the devices.

Note: The security appliance does not provide load balancing services. Load balancing must be handled by a router passing traffic to the security appliance.

Which unit each failover group becomes active on is determined as follows:
• When a unit boots while the peer unit is not available, both failover groups become active on the unit.
• When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following:
  – A failover occurs.
  – You manually force the failover group to the other unit with the no failover active command.
  – You configured the failover group with the preempt command, which causes the failover group to automatically become active on the preferred unit when the unit becomes available.
• When both units boot at the same time, each failover group becomes active on its preferred unit after the configurations have been synchronized.

Device Initialization and Configuration Synchronization

Configuration synchronization occurs when one or both units in a failover pair boot. The configurations are synchronized as follows:
• When a unit boots while the peer unit is active (with both failover groups active on it), the booting unit contacts the active unit to obtain the running configuration regardless of the primary or secondary designation of the booting unit.
• When both units boot simultaneously, the secondary unit obtains the running configuration from the primary unit.

When the replication starts, the security appliance console on the unit sending the configuration displays the message “Beginning configuration replication: Sending to mate,” and when it is complete, the security appliance displays the message “End Configuration Replication to mate.” During replication, commands entered on the unit sending the configuration may not replicate properly to the peer unit, and commands entered on the unit receiving the configuration may be overwritten by the configuration being received. Avoid entering commands on either unit in the failover pair during the configuration replication process. Depending upon the size of the configuration, replication can take from a few seconds to several minutes.

On the unit receiving the configuration, the configuration exists only in running memory. To save the configuration to Flash memory after synchronization, enter the write memory all command in the system execution space on the unit that has failover group 1 in the active state. The command is replicated to the peer unit, which proceeds to write its configuration to Flash memory.
Using the all keyword with this command causes the system and all context configurations to be saved.

Note: Startup configurations saved on external servers are accessible from either unit over the network and do not need to be saved separately for each unit. Alternatively, you can copy the context configuration files from the disk on the primary unit to an external server, and then copy them to disk on the secondary unit, where they become available when the unit reloads.

Command Replication

After both units are running, commands are replicated from one unit to the other as follows:
• Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.

Note: A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.

• Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
• Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

All configuration and file commands (copy, rename, delete, mkdir, rmdir, and so on) are replicated, with the following exceptions. The show, debug, mode, firewall, and failover lan unit commands are not replicated.

Failure to enter the commands on the appropriate unit for command replication to occur causes the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.
The following commands are replicated to the standby unit:
• all configuration commands except for the mode, firewall, and failover lan unit commands
• copy running-config startup-config
• delete
• mkdir
• rename
• rmdir
• write memory

The following commands are not replicated to the standby unit:
• all forms of the copy command except for copy running-config startup-config
• all forms of the write command except for write memory
• debug
• failover lan unit
• firewall
• mode
• show

You can use the write standby command to resynchronize configurations that have become out of sync. For Active/Active failover, the write standby command behaves as follows:
• If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the security appliance are written to the peer unit. This includes configuration information for security contexts that are in the standby state. You must enter the command in the system execution space on the unit that has failover group 1 in the active state.

Note: If there are security contexts in the active state on the peer unit, the write standby command causes active connections through those contexts to be terminated. Use the failover active command on the unit providing the configuration to make sure all contexts are active on that unit before entering the write standby command.

• If you enter the write standby command in a security context, only the configuration for the security context is written to the peer unit. You must enter the command in the security context on the unit where the security context appears in the active state.

Replicated commands are not saved to the Flash memory when replicated to the peer unit. They are added to the running configuration.
To save replicated commands to Flash memory on both units, use the write memory or copy running-config startup-config command on the unit that you made the changes on. The command is replicated to the peer unit and causes the configuration to be saved to Flash memory on the peer unit.

Failover Triggers

In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
• The unit has a hardware failure.
• The unit has a power failure.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.

Failover is triggered at the failover group level when one of the following events occurs:
• Too many monitored interfaces in the group fail.
• The no failover active group group_id or failover active group group_id command is entered.

You configure the failover threshold for each failover group by specifying the number or percentage of interfaces within the failover group that must fail before the group fails. Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it is possible for all interfaces in a single context to fail without causing the associated failover group to fail. See the “Failover Health Monitoring” section on page 14-16 for more information about interface and unit monitoring.

Failover Actions

In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, then failover group 2 remains active on the primary unit while failover group 1 becomes active on the secondary unit.

Note: When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.
Table 14-2 shows the failover action for each failure event. For each failure event, the policy (whether or not failover occurs), actions for the active failover group, and actions for the standby failover group are given.

Table 14-2 Failover Behavior for Active/Active Failover

Failure Event | Policy | Active Group Action | Standby Group Action | Notes
A unit experiences a power or software failure | Failover | Become standby; mark as failed | Become active; mark active as failed | When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit.
Interface failure on active failover group above threshold | Failover | Mark active group as failed | Become active | None.
Interface failure on standby failover group above threshold | No failover | No action | Mark standby group as failed | When the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed.
Formerly active failover group recovers | No failover | No action | No action | Unless configured with the preempt command, the failover groups remain active on their current unit.
Failover link failed at startup | No failover | Become active | Become active | If the failover link is down at startup, both failover groups on both units become active.
Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs.
Failover link failed during operation | No failover | n/a | n/a | Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.

Determining Which Type of Failover to Use

The type of failover you choose depends upon your security appliance configuration and how you plan to use the security appliances.

If you are running the security appliance in single mode, then you can only use Active/Standby failover. Active/Active failover is only available to security appliances running in multiple context mode.

If you are running the security appliance in multiple context mode, then you can configure either Active/Active failover or Active/Standby failover.
• To provide load balancing, use Active/Active failover.
• If you do not want to provide load balancing, use Active/Standby or Active/Active failover.

Table 14-3 provides a comparison of some of the features supported by each type of failover configuration:

Table 14-3 Failover Configuration Feature Support

Feature | Active/Active | Active/Standby
Single Context Mode | No | Yes
Multiple Context Mode | Yes | Yes
Load Balancing Network Configurations | Yes | No
Unit Failover | Yes | Yes
Failover of Groups of Contexts | Yes | No
Failover of Individual Contexts | No | No

Regular and Stateful Failover

The security appliance supports two types of failover, regular and stateful. This section includes the following topics:
• Regular Failover, page 14-16
• Stateful Failover, page 14-16

Regular Failover

When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes the following:
• NAT translation table.
• TCP connection states.
• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:
• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.
• State information for Security Service Modules.
• DHCP server address leases.
• L2TP over IPSec sessions.

Note: If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.

Failover Health Monitoring

The security appliance monitors each unit for overall health and for interface health. See the following sections for more information about how the security appliance performs tests to determine the state of each unit:
• Unit Health Monitoring, page 14-17
• Interface Monitoring, page 14-17

Unit Health Monitoring

The security appliance determines the health of the other unit by monitoring the failover link.
When a unit does not receive three consecutive hello messages on the failover link, the unit sends an ARP request on all interfaces, including the failover interface. The action the security appliance takes depends on the response from the other unit. See the following possible actions:
• If the security appliance receives a response on the failover interface, then it does not fail over.
• If the security appliance does not receive a response on the failover link, but receives a response on another interface, then the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down.
• If the security appliance does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.

Note: If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.

You can configure the frequency of the hello messages and the hold time before failover occurs. A faster poll time and shorter hold time speed the detection of unit failures and make failover occur more quickly, but it can also cause “false” failures due to network congestion delaying the keepalive packets. See Configuring Unit Health Monitoring, page 14-39 for more information about configuring unit health monitoring.

Interface Monitoring

You can monitor up to 250 interfaces divided between all contexts. You should monitor important interfaces; for example, you might configure one context to monitor a shared interface (because the interface is shared, all contexts benefit from the monitoring).

When a unit does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:
1. Link Up/Down test—A test of the interface status.
If the Link Up/Down test indicates that the interface is operational, then the security appliance performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) unit has failed. At the start of each test, each unit clears its received packet count for its interfaces. At the conclusion of each test, each unit looks to see if it has received any traffic. If it has, the interface is considered operational. If one unit receives traffic for a test and the other unit does not, the unit that received no traffic is considered failed. If neither unit has received traffic, then the next test is used.
2. Network Activity test—A received network activity test. The unit counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
3. ARP test—A reading of the unit ARP cache for the 2 most recently acquired entries. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.
4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the other unit continues to successfully pass traffic, then the interface is considered to be failed.
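The interface test sequence above, together with the threshold and “Unknown” state rules that follow it, as an added Python model that is not Cisco code: it reproduces the documented decision order for two units sharing a set of monitored interfaces, with constructed packet counts as input. Treating a link that is down as a failed interface, and the interface names, are assumptions.

```python
from dataclasses import dataclass

# Order of the network tests from the "Interface Monitoring" section; a later
# test runs only when the previous one produced no traffic on either unit.
NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")


@dataclass
class Probe:
    """What one unit observed on one monitored interface during a test cycle
    (constructed input): the link state and the packets counted during each
    network test. A test that was never reached simply has no entry."""
    link_up: bool
    received: dict


def interface_states(active: Probe, standby: Probe) -> tuple:
    """Classify one shared interface on both units as 'operational',
    'failed' or 'unknown' following the documented test sequence."""
    # Link Up/Down test. The guide only says network tests run when the
    # link is up; treating a down link as a failed interface is assumed here.
    if not active.link_up and not standby.link_up:
        return "unknown", "unknown"
    if not active.link_up:
        return "failed", "operational"
    if not standby.link_up:
        return "operational", "failed"
    # Network tests: both units clear their counters, run the test, and any
    # received packet makes the interface operational on that unit. Traffic
    # on one unit only means the silent unit has failed; silence on both
    # moves on to the next test.
    for test in NETWORK_TESTS:
        got_active = active.received.get(test, 0) > 0
        got_standby = standby.received.get(test, 0) > 0
        if got_active and got_standby:
            return "operational", "operational"
        if got_active:
            return "operational", "failed"
        if got_standby:
            return "failed", "operational"
    # Every test was silent on both units: Unknown state, which does not
    # count towards the failover limit.
    return "unknown", "unknown"


def threshold_met(failed: int, monitored: int, threshold) -> bool:
    """threshold is a number of interfaces (int) or a percentage of the
    monitored interfaces given as a string such as '50%'."""
    if isinstance(threshold, str) and threshold.endswith("%"):
        return monitored > 0 and failed * 100 / monitored >= float(threshold[:-1])
    return failed >= int(threshold)


def evaluate_cycle(probes: dict, threshold) -> dict:
    """probes maps interface name -> (active-unit Probe, standby-unit Probe).
    Returns the per-interface states, the per-unit failed counts and whether
    the active unit fails over."""
    states = {}
    active_failed = standby_failed = 0
    for name, (a, s) in probes.items():
        states[name] = interface_states(a, s)
        active_failed += 1 if states[name][0] == "failed" else 0
        standby_failed += 1 if states[name][1] == "failed" else 0
    monitored = len(probes)
    # Table 14-1: once the standby unit is marked failed, the active unit does
    # not attempt to fail over even if its own interface threshold is met.
    standby_marked_failed = threshold_met(standby_failed, monitored, threshold)
    failover = (not standby_marked_failed
                and threshold_met(active_failed, monitored, threshold))
    return {"states": states, "active_failed": active_failed,
            "standby_failed": standby_failed,
            "standby_marked_failed": standby_marked_failed,
            "failover": failover}


def demo() -> dict:
    """Constructed cycle with a threshold of one interface: outside passes
    the Network Activity test on both units, inside is silent on the standby
    unit through the ARP test, and dmz is silent on both units."""
    probes = {
        "outside": (Probe(True, {"network_activity": 12}),
                    Probe(True, {"network_activity": 9})),
        "inside": (Probe(True, {"network_activity": 0, "arp": 3}),
                   Probe(True, {"network_activity": 0, "arp": 0})),
        "dmz": (Probe(True, {"network_activity": 0, "arp": 0,
                             "broadcast_ping": 0}),
                Probe(True, {"network_activity": 0, "arp": 0,
                             "broadcast_ping": 0})),
    }
    return evaluate_cycle(probes, 1)


if __name__ == "__main__":
    result = demo()
    for name, (on_active, on_standby) in result["states"].items():
        print(f"{name:8} active={on_active:12} standby={on_standby}")
    print("standby marked failed:", result["standby_marked_failed"])
    print("failover:", result["failover"])
```

In the constructed cycle the standby unit, not the active unit, crosses the threshold, so it is marked failed and no failover takes place even though dmz is Unknown on both units.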
If the threshold for failed interfaces is met, then a failover occurs. If the other unit interface also fails all the network tests, then both interfaces go into the “Unknown” state and do not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A failed security appliance returns to standby mode if the interface failure threshold is no longer met.

Note: If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.

Failover Feature/Platform Matrix

Table 14-4 shows the failover features supported by each hardware platform.

Table 14-4 Failover Feature Support by Platform

Platform | Cable-Based Failover | LAN-Based Failover | Stateful Failover
ASA 5505 series adaptive security appliance | No | Yes | No
ASA 5500 series adaptive security appliance (other than the ASA 5505) | No | Yes | Yes
PIX 500 series security appliance | Yes | Yes | Yes

Failover Times by Platform

Table 14-5 shows the minimum, default, and maximum failover times for the PIX 500 series security appliance. Table 14-6 shows the minimum, default, and maximum failover times for the ASA 5500 series adaptive security appliance.

Table 14-5 PIX 500 series security appliance failover times

Failover Condition | Minimum | Default | Maximum
Active unit loses power or stops normal operation. | 800 milliseconds | 45 seconds | 45 seconds
Active unit interface link down. | 500 milliseconds | 5 seconds | 15 seconds
Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds

Table 14-6 ASA 5500 series adaptive security appliance failover times

Failover Condition | Minimum | Default | Maximum
Active unit loses power or stops normal operation. | 800 milliseconds | 15 seconds | 45 seconds
Active unit main board interface link down. | 500 milliseconds | 5 seconds | 15 seconds
Active unit 4GE card interface link down. | 2 seconds | 5 seconds | 15 seconds
Active unit IPS or CSC card fails. | 2 seconds | 2 seconds | 2 seconds
Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds

Configuring Failover

This section describes how to configure failover and includes the following topics:
• Failover Configuration Limitations, page 14-19
• Configuring Active/Standby Failover, page 14-19
• Configuring Active/Active Failover, page 14-27
• Configuring Unit Health Monitoring, page 14-39
• Configuring Failover Communication Authentication/Encryption, page 14-39
• Verifying the Failover Configuration, page 14-40

Failover Configuration Limitations

You cannot configure failover with the following type of IP addresses:
• IP addresses obtained through DHCP
• IP addresses obtained through PPPoE
• IPv6 addresses

Additionally, the following restrictions apply:
• Stateful Failover is not supported on the ASA 5505 adaptive security appliance.
• Active/Active failover is not supported on the ASA 5505 adaptive security appliance.
• You cannot configure failover when Easy VPN Remote is enabled on the ASA 5505 adaptive security appliance.
• VPN failover is not supported in multiple context mode.

Configuring Active/Standby Failover

This section provides step-by-step procedures for configuring Active/Standby failover. This section includes the following topics:
• Prerequisites, page 14-20
• Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only), page 14-20
• Configuring LAN-Based Active/Standby Failover, page 14-21
• Configuring Optional Active/Standby Failover Settings, page 14-25

Prerequisites

Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in the same mode (single or multiple, transparent or routed).

Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only)

Follow these steps to configure Active/Standby failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted.

You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave the secondary unit powered off until instructed to power it on.

Cable-based failover is only available on the PIX 500 series security appliance.

To configure cable-based Active/Standby failover, perform the following steps:

Step 1 Connect the Failover cable to the PIX 500 series security appliances. Make sure that you attach the end of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the cable marked “Secondary” to the other unit.

Step 2 Power on the primary unit.

Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface. To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces.
The standby IP address is used on the security appliance that is currently the standby unit, and it must be in the same subnet as the active IP address.

Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.

    hostname(config-if)# ip address active_addr netmask standby standby_addr

In routed firewall mode and for the management-only interface, this command is entered in interface configuration mode for each interface. In transparent firewall mode, the command is entered in global configuration mode.

In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.

Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.

Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.

a. Specify the interface to be used as the Stateful Failover link:

    hostname(config)# failover link if_name phy_if

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose.

b. Assign an active and standby IP address to the Stateful Failover link:

    hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

Note If the Stateful Failover link uses a data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask.

The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface:

    hostname(config)# interface phy_if
    hostname(config-if)# no shutdown

Step 5 Enable failover:

    hostname(config)# failover

Step 6 Power on the secondary unit and enable failover on the unit if it is not already enabled:

    hostname(config)# failover

The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages “Beginning configuration replication: sending to mate.” and “End Configuration Replication to mate” appear on the primary console.

Step 7 Save the configuration to Flash memory on the primary unit. Because the commands entered on the primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash memory.

    hostname(config)# copy running-config startup-config

Configuring LAN-Based Active/Standby Failover

This section describes how to configure Active/Standby failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Note If you are changing from cable-based failover to LAN-based failover, you can skip any steps, such as assigning the active and standby IP addresses for each interface, that you completed for the cable-based failover configuration.
This section includes the following topics:
• Configuring the Primary Unit, page 14-22
• Configuring the Secondary Unit, page 14-24

Configuring the Primary Unit

Follow these steps to configure the primary unit in a LAN-based, Active/Standby failover configuration. These steps provide the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.

To configure the primary unit in an Active/Standby failover pair, perform the following steps:

Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface. To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces. The standby IP address is used on the security appliance that is currently the standby unit, and it must be in the same subnet as the active IP address.

Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.

    hostname(config-if)# ip address active_addr netmask standby standby_addr

In routed firewall mode and for the management-only interface, this command is entered in interface configuration mode for each interface. In transparent firewall mode, the command is entered in global configuration mode.

In multiple context mode, you must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.

Step 2 (PIX security appliance only) Enable LAN-based failover:

    hostname(config)# failover lan enable

Step 3 Designate the unit as the primary unit:

    hostname(config)# failover lan unit primary

Step 4 Define the failover interface:

a. Specify the interface to be used as the failover interface:

    hostname(config)# failover lan interface if_name phy_if

The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN.

b. Assign the active and standby IP address to the failover link:

    hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface:

    hostname(config)# interface phy_if
    hostname(config-if)# no shutdown

Step 5 (Optional) To enable Stateful Failover, configure the Stateful Failover link.

Note Stateful Failover is not available on the ASA 5505 series adaptive security appliance.

a. Specify the interface to be used as the Stateful Failover link:

    hostname(config)# failover link if_name phy_if

Note If the Stateful Failover link uses the failover link or a data interface, then you only need to supply the if_name argument.

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

b. Assign an active and standby IP address to the Stateful Failover link.

Note If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

    hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface.

Note If the Stateful Failover link uses the failover link or a data interface, skip this step. You have already enabled the interface.

    hostname(config)# interface phy_if
    hostname(config-if)# no shutdown

Step 6 Enable failover:

    hostname(config)# failover

Step 7 Save the system configuration to Flash memory:

    hostname(config)# copy running-config startup-config

Configuring the Secondary Unit

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to initially communicate with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary. For multiple context mode, all steps are performed in the system execution space unless noted otherwise.

To configure the secondary unit, perform the following steps:

Step 1 (PIX security appliance only) Enable LAN-based failover:

    hostname(config)# failover lan enable

Step 2 Define the failover interface. Use the same settings as you used for the primary unit.

a. Specify the interface to be used as the failover interface:

    hostname(config)# failover lan interface if_name phy_if

The if_name argument assigns a name to the interface specified by the phy_if argument.

b. Assign the active and standby IP address to the failover link. To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces.

    hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

Note Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.

c. Enable the interface:

    hostname(config)# interface phy_if
    hostname(config-if)# no shutdown

Step 3 (Optional) Designate this unit as the secondary unit:

    hostname(config)# failover lan unit secondary

Note This step is optional because by default units are designated as secondary unless previously configured.

Step 4 Enable failover:

    hostname(config)# failover

After you enable failover, the active unit sends the configuration in running memory to the standby unit.
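The primary-unit procedure (Steps 1 to 7) and the secondary-unit bootstrap above can be rendered from one set of parameters, which keeps the failover interface ip line identical on both units as the guide requires and lets the standby-address subnet rule be checked before anything is typed into a device. The following Python is an added example for this page, not Cisco code; it assumes routed, single-context mode, and the interface names and addresses it uses (folink, Ethernet0, Ethernet1, Ethernet2, 10.1.1.x, 203.0.113.x, 192.168.1.x) are constructed sample values.

```python
"""Render the LAN-based Active/Standby bootstrap for both units.

Added example, not Cisco code. From one parameter set it produces the
primary-unit commands (Steps 1 to 7) and the secondary-unit bootstrap, so
the `failover interface ip` line is the same on both units, and it checks
the addressing rule the guide repeats: each standby address must be in the
same subnet as its active address. All names and addresses are constructed.
"""
import ipaddress


def check_active_standby(active, standby, mask):
    """Return the subnet if standby is a distinct host in active's subnet; else raise."""
    net = ipaddress.IPv4Network("%s/%s" % (active, mask), strict=False)
    if ipaddress.IPv4Address(standby) not in net:
        raise ValueError("standby %s is not in %s" % (standby, net))
    if active == standby:
        raise ValueError("active and standby addresses must differ")
    return net


def data_interface_commands(data_ifaces):
    """Step 1: active/standby address on each data interface (routed mode)."""
    cmds = []
    for phy_if, active, standby, mask in data_ifaces:
        check_active_standby(active, standby, mask)
        cmds += ["interface %s" % phy_if,
                 " ip address %s %s standby %s" % (active, mask, standby)]
    return cmds


def failover_link_commands(if_name, phy_if, active, standby, mask):
    """Define the failover link (primary Step 4, secondary Step 2)."""
    check_active_standby(active, standby, mask)
    return ["failover lan interface %s %s" % (if_name, phy_if),
            "failover interface ip %s %s %s standby %s" % (if_name, active, mask, standby),
            "interface %s" % phy_if,
            " no shutdown"]


def primary_unit_commands(data_ifaces, link, pix=False):
    """Minimum primary-unit configuration; `failover lan enable` is PIX only."""
    cmds = data_interface_commands(data_ifaces)
    if pix:
        cmds.append("failover lan enable")
    cmds.append("failover lan unit primary")
    cmds += failover_link_commands(*link)
    cmds.append("failover")
    cmds.append("copy running-config startup-config")
    return cmds


def secondary_unit_commands(link, pix=False):
    """Secondary bootstrap: failover link only, then enable failover.

    Data-interface addresses arrive by replication once failover is on, so
    the final save belongs after replication has completed.
    """
    cmds = []
    if pix:
        cmds.append("failover lan enable")
    cmds += failover_link_commands(*link)
    cmds.append("failover lan unit secondary")
    cmds.append("failover")
    cmds.append("copy running-config startup-config")
    return cmds


def link_matches(primary_cmds, secondary_cmds):
    """True when both units carry the identical `failover interface ip` line."""
    def pick(cmds):
        return [c for c in cmds if c.startswith("failover interface ip ")]
    return pick(primary_cmds) != [] and pick(primary_cmds) == pick(secondary_cmds)


# Constructed sample values for a routed-mode pair.
LINK = ("folink", "Ethernet2", "10.1.1.1", "10.1.1.2", "255.255.255.0")
DATA = [("Ethernet0", "203.0.113.1", "203.0.113.2", "255.255.255.0"),
        ("Ethernet1", "192.168.1.1", "192.168.1.2", "255.255.255.0")]

if __name__ == "__main__":
    for name, cmds in (("primary", primary_unit_commands(DATA, LINK)),
                       ("secondary", secondary_unit_commands(LINK))):
        print("! %s unit" % name)
        print("\n".join(cmds))
```

The generator deliberately emits only the commands the guide lists for each unit; anything else on the primary reaches the secondary through configuration replication once failover is enabled.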
As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the active unit console.

Step 5 After the running configuration has completed replication, save the configuration to Flash memory:

    hostname(config)# copy running-config startup-config

Configuring Optional Active/Standby Failover Settings

You can configure the following optional Active/Standby failover settings when you are initially configuring failover or after failover has already been configured. Unless otherwise noted, the commands should be entered on the active unit. This section includes the following topics:
• Enabling HTTP Replication with Stateful Failover, page 14-25
• Disabling and Enabling Interface Monitoring, page 14-25
• Configuring Interface Health Monitoring, page 14-26
• Configuring Failover Criteria, page 14-26
• Configuring Virtual MAC Addresses, page 14-26

Enabling HTTP Replication with Stateful Failover

To allow HTTP connections to be included in the state information replication, you need to enable HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information. Enter the following command in global configuration mode to enable HTTP state replication when Stateful Failover is enabled:

    hostname(config)# failover replication http

Disabling and Enabling Interface Monitoring

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled. You can monitor up to 250 interfaces on a unit. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.

For units in multiple context mode, use the following commands to enable or disable health monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command within a context:

    hostname/context(config)# no monitor-interface if_name

• To enable health monitoring for an interface, enter the following command within a context:

    hostname/context(config)# monitor-interface if_name

For units in single context mode, use the following commands to enable or disable health monitoring for specific interfaces:
• To disable health monitoring for an interface, enter the following command in global configuration mode:

    hostname(config)# no monitor-interface if_name

• To enable health monitoring for an interface, enter the following command in global configuration mode:

    hostname(config)# monitor-interface if_name

Configuring Interface Health Monitoring

The security appliance sends hello packets out of each data interface to monitor interface health. If the security appliance does not receive a hello packet from the corresponding interface on the peer unit for over half of the hold time, then the additional interface testing begins. If a hello packet or a successful test result is not received within the specified hold time, the interface is marked as failed. Failover occurs if the number of failed interfaces meets the failover criteria.

Decreasing the poll and hold times enables the security appliance to detect and respond to interface failures more quickly, but may consume more system resources.

To change the interface poll time, enter the following command in global configuration mode:

    hostname(config)# failover polltime interface [msec] time [holdtime time]

Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from 500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds. You cannot enter a hold time that is less than 5 times the poll time.

Note If the interface link is down, interface testing is not conducted and the standby unit could become active in just one interface polling period if the number of failed interfaces meets or exceeds the configured failover criteria.

Configuring Failover Criteria

By default, a single interface failure causes failover. You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before a failover occurs. To change the default failover criteria, enter the following command in global configuration mode:

    hostname(config)# failover interface-policy num[%]

When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.

Configuring Virtual MAC Addresses

In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from the primary unit. The change can disrupt network traffic.

You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify virtual MAC addresses, the failover pair uses the burned-in NIC addresses as the MAC addresses.

Note You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP addresses for those links do not change during failover.

Enter the following command on the active unit to configure the virtual MAC addresses for an interface:

    hostname(config)# failover mac address phy_if active_mac standby_mac

The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and standby_mac arguments are MAC addresses in H.H.H format, where each H is a 16-bit hexadecimal number (four hexadecimal digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. The active_mac address is associated with the active IP address for the interface, and the standby_mac is associated with the standby IP address for the interface.

There are multiple ways to configure virtual MAC addresses on the security appliance. When more than one method has been used to configure virtual MAC addresses, the security appliance uses the following order of preference to determine which virtual MAC address is assigned to an interface:
1. The mac-address command (in interface configuration mode) address.
2. The failover mac address command address.
3. The mac-address auto command generated address.
4. The burned-in MAC address.

Use the show interface command to display the MAC address used by an interface.

Configuring Active/Active Failover

This section describes how to configure Active/Active failover.

Note Active/Active failover is not available on the ASA 5505 series adaptive security appliance.
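The optional Active/Standby settings above (Configuring Interface Health Monitoring, Configuring Failover Criteria and Configuring Virtual MAC Addresses) each carry range rules that the CLI rejects only at entry time. The following Python is an added example for this page, not Cisco code; it encodes those rules from the text, renders the resulting commands, converts common MAC notations to the H.H.H form the failover mac address command expects, and resolves the four-step order of preference for virtual MAC addresses. The MAC values other than the guide's own 00-0C-F1-42-4C-DE example are constructed.

```python
"""Validators for the optional Active/Standby failover settings above.

Added example, not Cisco code: it encodes the ranges and rules the guide
states for `failover polltime interface`, `failover interface-policy` and
`failover mac address`, renders the commands, and resolves the virtual MAC
preference order. Sample values in the usage section are constructed.
"""
import re


def validate_polltime(time, holdtime=None, msec=False):
    """Return (poll_seconds, hold_seconds); hold is None without a holdtime.

    Raises ValueError outside the ranges the guide gives: poll 1-15 s
    (or 500-999 ms with msec), hold 5-75 s and at least 5 x the poll time.
    """
    if msec:
        if not 500 <= time <= 999:
            raise ValueError("msec poll time must be 500-999")
        poll = time / 1000.0
    else:
        if not 1 <= time <= 15:
            raise ValueError("poll time must be 1-15 seconds")
        poll = float(time)
    hold = None
    if holdtime is not None:
        if not 5 <= holdtime <= 75:
            raise ValueError("hold time must be 5-75 seconds")
        if holdtime < 5 * poll:
            raise ValueError("hold time must be at least 5 x poll time (%g s)" % (5 * poll))
        hold = float(holdtime)
    return poll, hold


def polltime_command(time, holdtime=None, msec=False):
    """Render a validated `failover polltime interface` command."""
    validate_polltime(time, holdtime, msec)
    cmd = "failover polltime interface %s%d" % ("msec " if msec else "", time)
    return cmd + (" holdtime %d" % holdtime if holdtime is not None else "")


def interface_policy_command(num, percent=False):
    """Render `failover interface-policy num[%]`: num is 1-250, or 1-100 as a percentage."""
    limit = 100 if percent else 250
    if not 1 <= num <= limit:
        raise ValueError("interface-policy value must be 1-%d" % limit)
    return "failover interface-policy %d%s" % (num, "%" if percent else "")


def to_hhh(mac):
    """Normalize a MAC to H.H.H form, e.g. 00-0C-F1-42-4C-DE -> 000C.F142.4CDE."""
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    if not re.match(r"^[0-9A-F]{12}$", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return "%s.%s.%s" % (digits[0:4], digits[4:8], digits[8:12])


def failover_mac_command(phy_if, active_mac, standby_mac):
    """Render the `failover mac address` command entered on the active unit."""
    active, standby = to_hhh(active_mac), to_hhh(standby_mac)
    if active == standby:
        raise ValueError("active and standby virtual MACs must differ")
    return "failover mac address %s %s %s" % (phy_if, active, standby)


# Order of preference from the guide, highest first.
_PREFERENCE = (
    ("mac_address", "mac-address command (interface configuration mode)"),
    ("failover", "failover mac address command"),
    ("auto", "mac-address auto command"),
    ("burned_in", "burned-in MAC address"),
)


def effective_mac(burned_in, mac_address=None, failover=None, auto=None):
    """Return (source, mac) for the address an interface will actually use."""
    configured = {"mac_address": mac_address, "failover": failover,
                  "auto": auto, "burned_in": burned_in}
    for key, source in _PREFERENCE:
        if configured[key]:
            return source, to_hhh(configured[key])
    raise ValueError("no MAC address available for the interface")


if __name__ == "__main__":
    # Constructed sample values.
    print(polltime_command(500, holdtime=5, msec=True))
    print(interface_policy_command(50, percent=True))
    print(failover_mac_command("Ethernet1", "00-0C-F1-42-4C-DE", "00-0C-F1-42-4C-DF"))
    print(effective_mac("0000.0000.0001", failover="000C.F142.4CDE"))
```

Running the checks before a change window is cheaper than discovering on the console that a hold time is below five times the poll time, and effective_mac answers the question show interface would otherwise have to be consulted for: which of several configured sources actually wins.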
This section includes the following topics:
• Prerequisites, page 14-27
• Configuring Cable-Based Active/Active Failover (PIX security appliance), page 14-27
• Configuring LAN-Based Active/Active Failover, page 14-29
• Configuring Optional Active/Active Failover Settings, page 14-33

Prerequisites

Before you begin, verify the following:
• Both units have the same hardware, software configuration, and proper license.
• Both units are in multiple context mode.

Configuring Cable-Based Active/Active Failover (PIX security appliance)

Follow these steps to configure Active/Active failover using a serial cable as the failover link. The commands in this task are entered on the primary unit in the failover pair. The primary unit is the unit that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted.

You do not need to bootstrap the secondary unit in the failover pair when you use cable-based failover. Leave the secondary unit powered off until instructed to power it on.

Cable-based failover is only available on the PIX 500 series security appliance.

To configure cable-based Active/Active failover, perform the following steps:

Step 1 Connect the failover cable to the PIX 500 series security appliances. Make sure that you attach the end of the cable marked “Primary” to the unit you use as the primary unit, and that you attach the end of the cable marked “Secondary” to the unit you use as the secondary unit.

Step 2 Power on the primary unit.

Step 3 If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface. To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces. The standby IP address is used on the security appliance that is currently the standby unit, and it must be in the same subnet as the active IP address.

You must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.

Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step.

    hostname/context(config-if)# ip address active_addr netmask standby standby_addr

In routed firewall mode and for the management-only interface, this command is entered in interface configuration mode for each interface. In transparent firewall mode, the command is entered in global configuration mode.

Step 4 (Optional) To enable Stateful Failover, configure the Stateful Failover link.

a. Specify the interface to be used as the Stateful Failover link:

    hostname(config)# failover link if_name phy_if

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

b. Assign an active and standby IP address to the Stateful Failover link:

    hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask.

The Stateful Failover link IP address and MAC address do not change at failover except when Stateful Failover uses a regular data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface:

    hostname(config)# interface phy_if
    hostname(config-if)# no shutdown

Step 5 Configure the failover groups. You can have at most two failover groups. The failover group command creates the specified failover group if it does not exist and enters the failover group configuration mode.

For each failover group, you need to specify whether the failover group has primary or secondary preference using the primary or secondary command. You can assign the same preference to both failover groups. For load balancing configurations, you should assign each failover group a different unit preference.

The following example assigns failover group 1 a primary preference and failover group 2 a secondary preference:

    hostname(config)# failover group 1
    hostname(config-fover-group)# primary
    hostname(config-fover-group)# exit
    hostname(config)# failover group 2
    hostname(config-fover-group)# secondary
    hostname(config-fover-group)# exit

Step 6 Assign each user context to a failover group using the join-failover-group command in context configuration mode. Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1.

Enter the following commands to assign each context to a failover group:

    hostname(config)# context context_name
    hostname(config-context)# join-failover-group {1 | 2}
    hostname(config-context)# exit

Step 7 Enable failover:

    hostname(config)# failover

Step 8 Power on the secondary unit and enable failover on the unit if it is not already enabled:

    hostname(config)# failover

The active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the primary console.

Step 9 Save the configuration to Flash memory on the primary unit. Because the commands entered on the primary unit are replicated to the secondary unit, the secondary unit also saves its configuration to Flash memory.

    hostname(config)# copy running-config startup-config

Step 10 If necessary, force any failover group that is active on the primary to the active state on the secondary. To force a failover group to become active on the secondary unit, issue the following command in the system execution space on the primary unit:

    hostname# no failover active group group_id

The group_id argument specifies the group you want to become active on the secondary unit.

Configuring LAN-Based Active/Active Failover

This section describes how to configure Active/Active failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.
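The failover-group steps above (Steps 5 and 6 of the cable-based procedure) have three membership rules that are easy to get wrong when many contexts are involved: at most two groups exist, the admin context is always in group 1, and any context not explicitly joined lands in group 1. The following Python is an added planning helper for this page, not Cisco code; it applies those rules, renders the group and context commands, and reports the unit each context's group prefers. The context names ctx1 and ctx2 are constructed, and the preferred-unit view is a planning aid derived from the configured preferences, not the state of a running pair.

```python
"""Plan Active/Active failover groups and context membership.

Added example, not Cisco code. It applies the rules the guide states (at
most two failover groups, each with a primary or secondary preference; the
admin context always in group 1; unassigned contexts default to group 1),
renders the commands, and reports which unit each context's group prefers.
Context names are constructed, and 'preferred_unit' is a planning view only.
"""


def plan_failover_groups(preferences, contexts, assignments=None):
    """Return {'commands': [...], 'preferred_unit': {ctx: unit}, 'load_balanced': bool}.

    preferences: {group_id: 'primary' | 'secondary'} for group 1 and/or 2.
    contexts: every configured context name, including 'admin'.
    assignments: {context: group_id}; contexts not listed join group 1.
    """
    assignments = dict(assignments or {})
    if not preferences or set(preferences) - {1, 2}:
        raise ValueError("failover groups are numbered 1 and 2; at most two exist")
    for group, pref in preferences.items():
        if pref not in ("primary", "secondary"):
            raise ValueError("group %d preference must be primary or secondary" % group)
    if assignments.get("admin", 1) != 1:
        raise ValueError("the admin context is always a member of failover group 1")

    commands = []
    for group in sorted(preferences):
        commands += ["failover group %d" % group, " %s" % preferences[group], " exit"]

    preferred_unit = {}
    for ctx in contexts:
        group = assignments.get(ctx, 1)          # unassigned contexts go to group 1
        if group not in preferences:
            raise ValueError("context %s joins undefined failover group %d" % (ctx, group))
        commands += ["context %s" % ctx, " join-failover-group %d" % group, " exit"]
        preferred_unit[ctx] = preferences[group]

    # Load balancing needs the two groups to prefer different units.
    load_balanced = len(preferences) == 2 and len(set(preferences.values())) == 2
    return {"commands": commands, "preferred_unit": preferred_unit,
            "load_balanced": load_balanced}


if __name__ == "__main__":
    # Constructed sample: admin and ctx1 follow group 1, ctx2 joins group 2.
    plan = plan_failover_groups({1: "primary", 2: "secondary"},
                                ["admin", "ctx1", "ctx2"], {"ctx2": 2})
    print("\n".join(plan["commands"]))
    print(plan["preferred_unit"], "load balanced:", plan["load_balanced"])
```

The load_balanced flag only restates the guide's advice that each group should prefer a different unit; whether a group is actually active on that unit after bring-up is what Step 10 (no failover active group) exists to correct.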
This section includes the following topics:14-30 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 14 Configuring Failover Configuring Failover • Configure the Primary Unit, page 14-30 • Configure the Secondary Unit, page 14-32 Configure the Primary Unit To configure the primary unit in an Active/Active failover configuration, perform the following steps: Step 1 If you have not done so already, configure the active and standby IP addresses for each data interface (routed mode), for the management IP address (transparent mode), or for the management-only interface.To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces. The standby IP address is used on the security appliance that is currently the standby unit, and it must be in the same subnet as the active IP address. You must configure the interface addresses from within each context. Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. In transparent firewall mode, you must enter a management IP address for each context. Note Do not configure an IP address for the Stateful Failover link if you are going to use a dedicated Stateful Failover interface. You use the failover interface ip command to configure a dedicated Stateful Failover interface in a later step. hostname/context(config-if)# ip address active_addr netmask standby standby_addr In routed firewall mode and for the management-only interface, this command is entered in interface configuration mode for each interface. In transparent firewall mode, the command is entered in global configuration mode. Step 2 Configure the basic failover parameters in the system execution space. a. (PIX security appliance only) Enable LAN-based failover: hostname(config)# hostname(config)# failover lan enable b. 
Designate the unit as the primary unit: hostname(config)# failover lan unit primary c. Specify the failover link: hostname(config)# failover lan interface if_name phy_if The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN. This interface should not be used for any other purpose (except, optionally, the Stateful Failover link). d. Specify the failover link active and standby IP addresses: hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask. The failover link IP address and MAC address do not change at failover. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit. 14-31 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 14 Configuring Failover Configuring Failover Step 3 (Optional) To enable Stateful Failover, configure the Stateful Failover link: a. Specify the interface to be used as Stateful Failover link: hostname(config)# failover link if_name phy_if The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link). Note If the Stateful Failover link uses the failover link or a regular data interface, then you only need to supply the if_name argument. b. Assign an active and standby IP address to the Stateful Failover link. 
Note If the Stateful Failover link uses the failover link or a regular data interface, skip this step. You have already defined the active and standby IP addresses for the interface. hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask. The state link IP address and MAC address do not change at failover. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit. c. Enable the interface. Note If the Stateful Failover link uses the failover link or regular data interface, skip this step. You have already enabled the interface. hostname(config)# interface phy_if hostname(config-if)# no shutdown Step 4 Configure the failover groups. You can have at most two failover groups. The failover group command creates the specified failover group if it does not exist and enters the failover group configuration mode. For each failover group, specify whether the failover group has primary or secondary preference using the primary or secondary command. You can assign the same preference to both failover groups. For load balancing configurations, you should assign each failover group a different unit preference. The following example assigns failover group 1 a primary preference and failover group 2 a secondary preference: hostname(config)# failover group 1 hostname(config-fover-group)# primary hostname(config-fover-group)# exit hostname(config)# failover group 2 hostname(config-fover-group)# secondary hostname(config-fover-group)# exit Step 5 Assign each user context to a failover group using the join-failover-group command in context configuration mode. Any unassigned contexts are automatically assigned to failover group 1. 
The admin context is always a member of failover group 1.

Enter the following commands to assign each context to a failover group:

    hostname(config)# context context_name
    hostname(config-context)# join-failover-group {1 | 2}
    hostname(config-context)# exit

Step 6 Enable failover:

    hostname(config)# failover

Configure the Secondary Unit

When configuring LAN-based Active/Active failover, you need to bootstrap the secondary unit to recognize the failover link. This allows the secondary unit to communicate with and receive the running configuration from the primary unit.

To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps:

Step 1 (PIX security appliance only) Enable LAN-based failover:

    hostname(config)# failover lan enable

Step 2 Define the failover interface. Use the same settings as you used for the primary unit:

a. Specify the interface to be used as the failover interface:

    hostname(config)# failover lan interface if_name phy_if

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. On the ASA 5505 adaptive security appliance, the phy_if specifies a VLAN.

b. Assign the active and standby IP address to the failover link. To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces.

    hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface.

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

c. Enable the interface:

    hostname(config)# interface phy_if
    hostname(config-if)# no shutdown

Step 3 (Optional) Designate this unit as the secondary unit:

    hostname(config)# failover lan unit secondary

Note: This step is optional because by default units are designated as secondary unless previously configured otherwise.

Step 4 Enable failover:

    hostname(config)# failover

After you enable failover, the active unit sends the configuration in running memory to the standby unit. As the configuration synchronizes, the messages Beginning configuration replication: Sending to mate and End Configuration Replication to mate appear on the active unit console.

Step 5 After the running configuration has completed replication, enter the following command to save the configuration to Flash memory:

    hostname(config)# copy running-config startup-config

Step 6 If necessary, force any failover group that is active on the primary to the active state on the secondary unit. To force a failover group to become active on the secondary unit, enter the following command in the system execution space on the primary unit:

    hostname# no failover active group group_id

The group_id argument specifies the group you want to become active on the secondary unit.

Configuring Optional Active/Active Failover Settings

The following optional Active/Active failover settings can be configured when you are initially configuring failover or after you have already established failover. Unless otherwise noted, the commands should be entered on the unit that has failover group 1 in the active state.
This section includes the following topics:

• Configuring Failover Group Preemption, page 14-33
• Enabling HTTP Replication with Stateful Failover, page 14-34
• Disabling and Enabling Interface Monitoring, page 14-34
• Configuring Interface Health Monitoring, page 14-34
• Configuring Failover Criteria, page 14-34
• Configuring Virtual MAC Addresses, page 14-35
• Configuring Asymmetric Routing Support, page 14-35

Configuring Failover Group Preemption

Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously. However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have that unit as a priority do not become active on it unless manually forced over, a failover occurs, or the failover group is configured with the preempt command. The preempt command causes a failover group to become active on the designated unit automatically when that unit becomes available.

Enter the following commands to configure preemption for the specified failover group:

    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# preempt [delay]

You can enter an optional delay value, which specifies the number of seconds the failover group remains active on the current unit before automatically becoming active on the designated unit.

Enabling HTTP Replication with Stateful Failover

To allow HTTP connections to be included in the state information, you need to enable HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information.
You can use the replication http command to cause a failover group to replicate HTTP state information when Stateful Failover is enabled. To enable HTTP state replication for a failover group, enter the following commands in the system execution space. The replication http command only affects the failover group in which it was configured; to enable HTTP state replication for both failover groups, you must enter it in each group.

    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# replication http

Disabling and Enabling Interface Monitoring

You can monitor up to 250 interfaces on a unit. By default, monitoring of physical interfaces is enabled and monitoring of subinterfaces is disabled. You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This lets you exclude interfaces attached to less critical networks from affecting your failover policy.

To disable health monitoring on an interface, enter the following command within a context:

    hostname/context(config)# no monitor-interface if_name

To enable health monitoring on an interface, enter the following command within a context:

    hostname/context(config)# monitor-interface if_name

Configuring Interface Health Monitoring

The security appliance sends hello packets out of each data interface to monitor interface health. If the security appliance does not receive a hello packet from the corresponding interface on the peer unit for over half of the hold time, then additional interface testing begins. If a hello packet or a successful test result is not received within the specified hold time, the interface is marked as failed. Failover occurs if the number of failed interfaces meets the failover criteria. Decreasing the poll and hold times enables the security appliance to detect and respond to interface failures more quickly, but may consume more system resources.
To change the default interface poll time, enter the following commands:

    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# polltime interface seconds

Valid values for the poll time are from 1 to 15 seconds or, if the optional msec keyword is used, from 500 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is missed to when the interface is marked as failed. Valid values for the hold time are from 5 to 75 seconds. You cannot enter a hold time that is less than 5 times the poll time.

Configuring Failover Criteria

By default, if a single interface fails, failover occurs. You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before a failover occurs. The failover criteria are specified on a failover group basis.

To change the default failover criteria for the specified failover group, enter the following commands:

    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# interface-policy num[%]

When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.

Configuring Virtual MAC Addresses

Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual MAC addresses, then they are computed as follows:

• Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
• Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.

Note: If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs, because of the way the default virtual MAC addresses are determined.
To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address for all failover groups. You can configure specific active and standby MAC addresses for an interface by entering the following commands:

    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# mac address phy_if active_mac standby_mac

The phy_if argument is the physical name of the interface, such as Ethernet1. The active_mac and standby_mac arguments are MAC addresses in H.H.H format, where each H is a 16-bit hexadecimal value (four hexadecimal digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. The active_mac address is associated with the active IP address for the interface, and the standby_mac is associated with the standby IP address for the interface.

There are multiple ways to configure virtual MAC addresses on the security appliance. When more than one method has been used to configure virtual MAC addresses, the security appliance uses the following order of preference to determine which virtual MAC address is assigned to an interface:

1. The mac-address command (in interface configuration mode) address.
2. The failover mac address command address.
3. The mac-address auto command generated address.
4. The automatically generated failover MAC address.

Use the show interface command to display the MAC address used by an interface.

Configuring Asymmetric Routing Support

When running in Active/Active failover, a unit may receive a return packet for a connection that originated through its peer unit. Because the security appliance that receives the packet does not have any connection information for the packet, the packet is dropped.
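The default virtual MAC derivation, the H.H.H conversion for the mac address command, and a check for default addresses that two pairs on one network would share, as an added Python example that is not part of the guide. It assumes the port number and failover group id are each rendered as two hexadecimal digits, which the template above leaves implicit; the pair names are constructed.

```python
"""Default virtual MAC addresses for Active/Active failover.

Added example, not Cisco code. It derives the default virtual MACs from
the template given above, converts dashed or colon-separated MACs to the
H.H.H form the mac address command expects, and reports default addresses
that two failover pairs on the same network would both use.
"""
import re
from collections import defaultdict

MAC_DIGITS = re.compile(r"^[0-9A-Fa-f]{12}$")


def default_virtual_mac(port: int, group: int, standby: bool = False) -> str:
    """00a0.c9<port>.<group>01 for the active unit, ...02 for the standby.

    Assumption: the port number and failover group id are each rendered
    as two hexadecimal digits; the guide gives only the template.
    """
    if not 0 <= port <= 0xFF:
        raise ValueError("physical port number must fit in two hex digits")
    if group not in (1, 2):
        raise ValueError("failover group id must be 1 or 2")
    return f"00a0.c9{port:02x}.{group:02x}{'02' if standby else '01'}"


def to_hhh(mac: str) -> str:
    """Normalise 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de or 000c.f142.4cde to
    the H.H.H form shown in the guide, 000C.F142.4CDE."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not MAC_DIGITS.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"


def mac_address_commands(phy_if: str, group: int, active: str, standby: str) -> list[str]:
    """Commands that pin explicit virtual MACs for one interface in one group."""
    return [f"failover group {group}",
            f" mac address {phy_if} {to_hhh(active)} {to_hhh(standby)}"]


def duplicate_defaults(pairs: dict[str, list[tuple[int, int]]]) -> dict[str, list[str]]:
    """pairs maps a failover-pair name to its (port, group) interfaces.

    Returns each default virtual MAC that more than one pair would derive,
    with the names of the pairs that share it.
    """
    owners: dict[str, list[str]] = defaultdict(list)
    for pair, interfaces in pairs.items():
        for port, group in interfaces:
            for standby in (False, True):
                owners[default_virtual_mac(port, group, standby)].append(pair)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed: two pairs on one LAN, both using port 1 in group 1.
    clash = duplicate_defaults({"pairA": [(1, 1), (2, 2)], "pairB": [(1, 1)]})
    for mac, names in clash.items():
        print(f"{mac} would be used by {', '.join(names)}")
    print("\n".join(mac_address_commands("Ethernet1", 1,
                                         "00-0C-F1-42-4C-DE", "00-0C-F1-42-4C-DF")))
```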
This most commonly occurs when the two security appliances in an Active/Active failover pair are connected to different service providers and the outbound connection does not use a NAT address.

You can prevent the return packets from being dropped by using the asr-group command on interfaces where this is likely to occur. When an interface configured with the asr-group command receives a packet for which it has no session information, it checks the session information for the other interfaces that are in the same group. If it does not find a match, the packet is dropped. If it finds a match, then one of the following actions occurs:

• If the incoming traffic originated on a peer unit, some or all of the layer 2 header is rewritten and the packet is redirected to the other unit. This redirection continues as long as the session is active.
• If the incoming traffic originated on a different interface on the same unit, some or all of the layer 2 header is rewritten and the packet is reinjected into the stream.

Note: Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option. The asr-group command does not provide asymmetric routing; it restores asymmetrically routed packets to the correct interface.

Prerequisites

You must have the following configured for asymmetric routing support to function properly:

• Active/Active Failover
• Stateful Failover—passes state information for sessions on interfaces in the active failover group to the standby failover group.
• replication http—HTTP session state information is not passed to the standby failover group by default, and therefore is not present on the standby interface. For the security appliance to be able to re-route asymmetrically routed HTTP packets, you need to replicate the HTTP state information.
You can configure the asr-group command on an interface without having failover configured, but it does not have any effect until Stateful Failover is enabled.

Configuring Support for Asymmetrically Routed Packets

To configure support for asymmetrically routed packets, perform the following steps:

Step 1 Configure Active/Active Stateful Failover for the failover pair. See Configuring Active/Active Failover, page 14-27.

Step 2 For each interface that you want to participate in asymmetric routing support, enter the following commands. You must enter the commands on the unit where the context is in the active state so that they are replicated to the standby failover group. For more information about command replication, see Command Replication, page 14-12.

    hostname/ctx(config)# interface phy_if
    hostname/ctx(config-if)# asr-group num

Valid values for num range from 1 to 32. You need to enter the command for each interface that participates in the asymmetric routing group. You can view the number of ASR packets transmitted, received, or dropped by an interface using the show interface detail command. You can have more than one ASR group configured on the security appliance, but only one per interface. Only members of the same ASR group are checked for session information.

Example

Figure 14-1 shows an example of using the asr-group command for asymmetric routing support.

Figure 14-1 ASR Example
[Figure: SecAppA (outside 192.168.1.1) and SecAppB (outside 192.168.2.2) share an inside network and are joined by a failover/state link; SecAppA connects to ISP A and SecAppB to ISP B. Outbound traffic leaves through SecAppA, return traffic arrives through SecAppB.]

The two units have the following configuration (configurations show only the relevant commands). The device labeled SecAppA in the diagram is the primary unit in the failover pair.
Example 14-1 Primary Unit System Configuration

    hostname primary
    interface GigabitEthernet0/1
      description LAN/STATE Failover Interface
    interface GigabitEthernet0/2
      no shutdown
    interface GigabitEthernet0/3
      no shutdown
    interface GigabitEthernet0/4
      no shutdown
    interface GigabitEthernet0/5
      no shutdown
    failover
    failover lan unit primary
    failover lan interface folink GigabitEthernet0/1
    failover link folink
    failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
    failover group 1
      primary
    failover group 2
      secondary
    admin-context admin
    context admin
      description admin
      allocate-interface GigabitEthernet0/2
      allocate-interface GigabitEthernet0/3
      config-url flash:/admin.cfg
      join-failover-group 1
    context ctx1
      description context 1
      allocate-interface GigabitEthernet0/4
      allocate-interface GigabitEthernet0/5
      config-url flash:/ctx1.cfg
      join-failover-group 2

Example 14-2 admin Context Configuration

    hostname SecAppA
    interface GigabitEthernet0/2
      nameif outsideISP-A
      security-level 0
      ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
      asr-group 1
    interface GigabitEthernet0/3
      nameif inside
      security-level 100
      ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
    monitor-interface outside

Example 14-3 ctx1 Context Configuration

    hostname SecAppB
    interface GigabitEthernet0/4
      nameif outsideISP-B
      security-level 0
      ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
      asr-group 1
    interface GigabitEthernet0/5
      nameif inside
      security-level 100
      ip address 10.2.20.1 255.255.255.0 standby 10.2.20.11

Figure 14-1 on page 14-37 shows the ASR support working as follows:

1. An outbound session passes through security appliance SecAppA. It exits interface outsideISP-A (192.168.1.1).
2. Because of asymmetric routing configured somewhere upstream, the return traffic comes back through the interface outsideISP-B (192.168.2.2) on security appliance SecAppB.
3. Normally the return traffic would be dropped because there is no session information for the traffic on interface 192.168.2.2. However, the interface is configured with the command asr-group 1. The unit looks for the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby state on the unit SecAppB. Stateful Failover replicated the session information from SecAppA to SecAppB.
5. Instead of being dropped, the layer 2 header is rewritten with information for interface 192.168.1.1 and the traffic is redirected out of the interface 192.168.1.2, where it can then return through the interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues as needed until the session ends.

Configuring Unit Health Monitoring

The security appliance sends hello packets over the failover interface to monitor unit health. If the standby unit does not receive a hello packet from the active unit for two consecutive polling periods, it sends additional testing packets through the remaining device interfaces. If a hello packet or a response to the interface test packets is not received within the specified hold time, the standby unit becomes active.

You can configure the frequency of hello messages when monitoring unit health. Decreasing the poll time allows a unit failure to be detected more quickly, but consumes more system resources.
To change the unit poll time, enter the following command in global configuration mode:

    hostname(config)# failover polltime [msec] time [holdtime [msec] time]

You can configure the polling frequency from 1 to 15 seconds or, if the optional msec keyword is used, from 200 to 999 milliseconds. The hold time determines how long it takes from the time a hello packet is missed to when failover occurs. The hold time must be at least 3 times the poll time. You can configure the hold time from 1 to 45 seconds or, if the optional msec keyword is used, from 800 to 990 milliseconds.

Setting the security appliance to use the minimum poll and hold times allows it to detect and respond to unit failures in under a second, but it also increases system resource usage and can cause false failure detection in cases where the networks are congested or where the security appliance is running near full capacity.

Configuring Failover Communication Authentication/Encryption

You can encrypt and authenticate the communication between failover peers by specifying a shared secret or hexadecimal key.

Note: On the PIX 500 series security appliance, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication.

Caution: All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords, and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the security appliance to terminate VPN tunnels.
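A checker for the limits stated in the preceding sections (unit poll/hold ranges and the 3x rule, per-group interface poll/hold ranges and the 5x rule, the interface-policy and asr-group ranges) that also warns when LAN-based failover is configured without a failover key, as an added Python example that is not part of the guide. It assumes the polltime interface command accepts msec and a holdtime value like the unit command does, which the guide shows only for the unit form; the configuration fragment is constructed.

```python
"""Lint a failover configuration against the limits stated in this chapter.

Added example, not Cisco code. It checks the unit poll/hold ranges and the
3x rule, the per-group interface poll/hold ranges and the 5x rule, the
interface-policy and asr-group ranges, and flags LAN-based failover that
has no failover key, which leaves failover and state traffic in clear text.
"""
import re

UNIT_POLL = re.compile(r"^failover polltime(?P<pm> msec)? (?P<poll>\d+)"
                       r"(?: holdtime(?P<hm> msec)? (?P<hold>\d+))?$")
# Assumption: the failover-group command accepts msec and holdtime like the
# unit command; the guide shows only "polltime interface seconds".
IF_POLL = re.compile(r"^polltime interface(?P<pm> msec)? (?P<poll>\d+)"
                     r"(?: holdtime (?P<hold>\d+))?$")
IF_POLICY = re.compile(r"^interface-policy (?P<num>\d+)(?P<pct>%)?$")
ASR_GROUP = re.compile(r"^asr-group (?P<num>\d+)$")


def lint_failover_config(config: str) -> list[str]:
    """Return the rule violations found; an empty list means none."""
    findings: list[str] = []
    group = None                # failover group whose submode we are inside
    lan_failover = has_key = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():    # an unindented command ends any submode
            group = None
        if line.startswith("failover group "):
            group = line.split()[2]
            continue
        if line.startswith("failover lan interface "):
            lan_failover = True
        elif line.startswith("failover key "):
            has_key = True
        if (m := UNIT_POLL.match(line)):
            poll_ms = int(m["poll"]) * (1 if m["pm"] else 1000)
            lo, hi = (200, 999) if m["pm"] else (1000, 15000)
            if not lo <= poll_ms <= hi:
                findings.append(f"unit poll time out of range: {line}")
            if m["hold"]:
                hold_ms = int(m["hold"]) * (1 if m["hm"] else 1000)
                lo, hi = (800, 990) if m["hm"] else (1000, 45000)
                if not lo <= hold_ms <= hi:
                    findings.append(f"unit hold time out of range: {line}")
                if hold_ms < 3 * poll_ms:
                    findings.append(f"unit hold time must be at least 3x the poll time: {line}")
        elif (m := IF_POLL.match(line)):
            if group is None:
                findings.append(f"polltime interface outside a failover group: {line}")
            poll_ms = int(m["poll"]) * (1 if m["pm"] else 1000)
            lo, hi = (500, 999) if m["pm"] else (1000, 15000)
            if not lo <= poll_ms <= hi:
                findings.append(f"group {group}: interface poll time out of range: {line}")
            if m["hold"]:
                hold_ms = int(m["hold"]) * 1000
                if not 5000 <= hold_ms <= 75000:
                    findings.append(f"group {group}: interface hold time out of range: {line}")
                if hold_ms < 5 * poll_ms:
                    findings.append(f"group {group}: interface hold time must be at least 5x the poll time: {line}")
        elif (m := IF_POLICY.match(line)):
            hi = 100 if m["pct"] else 250
            if not 1 <= int(m["num"]) <= hi:
                findings.append(f"group {group}: interface-policy must be 1-{hi}{m['pct'] or ''}: {line}")
        elif (m := ASR_GROUP.match(line)) and not 1 <= int(m["num"]) <= 32:
            findings.append(f"asr-group must be 1-32: {line}")
    if lan_failover and not has_key:
        findings.append("LAN-based failover without a failover key: "
                        "failover and state traffic is sent in clear text")
    return findings


# Constructed configuration fragment with deliberate mistakes; not a real device.
SAMPLE_CONFIG = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink
failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
failover polltime msec 500 holdtime msec 800
failover group 1
 primary
 polltime interface 3 holdtime 10
 interface-policy 50%
failover group 2
 secondary
 polltime interface 15 holdtime 75
 interface-policy 300
interface GigabitEthernet0/2
 asr-group 40
"""

if __name__ == "__main__":
    for finding in lint_failover_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```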
Enter the following command on the active unit of an Active/Standby failover pair, or on the unit that has failover group 1 in the active state of an Active/Active failover pair:

    hostname(config)# failover key {secret | hex key}

The secret argument specifies a shared secret that is used to generate the encryption key. It can be from 1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

Note: To prevent the failover key from being replicated to the peer unit in clear text for an existing failover configuration, disable failover on the active unit (or in the system execution space on the unit that has failover group 1 in the active state), enter the failover key on both units, and then re-enable failover. When failover is re-enabled, the failover communication is encrypted with the key. For new LAN-based failover configurations, the failover key command should be part of the failover pair bootstrap configuration.

Verifying the Failover Configuration

This section describes how to verify your failover configuration. This section includes the following topics:

• Using the show failover Command, page 14-40
• Viewing Monitored Interfaces, page 14-48
• Displaying the Failover Commands in the Running Configuration, page 14-48
• Testing the Failover Functionality, page 14-49

Using the show failover Command

This section describes the show failover command output. On each unit you can verify the failover status by entering the show failover command. The information displayed depends upon whether you are using Active/Standby or Active/Active failover.
This section includes the following topics:

• show failover—Active/Standby, page 14-40
• Show Failover—Active/Active, page 14-44

show failover—Active/Standby

The following is sample output from the show failover command for Active/Standby Failover. Table 14-7 provides descriptions for the information shown.

    hostname# show failover
    Failover On
    Cable status: N/A - LAN-based failover enabled
    Failover unit Primary
    Failover LAN Interface: fover Ethernet2 (up)
    Unit Poll frequency 1 seconds, holdtime 3 seconds
    Interface Poll frequency 15 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 250 maximum
    failover replication http
    Last Failover at: 22:44:03 UTC Dec 8 2004
            This host: Primary - Active
                    Active time: 13434 (sec)
                    Interface inside (10.130.9.3): Normal
                    Interface outside (10.132.9.3): Normal
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    Interface inside (10.130.9.4): Normal
                    Interface outside (10.132.9.4): Normal

    Stateful Failover Logical Update Statistics
            Link : fover Ethernet2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1950       0          1733       0
            sys cmd         1733       0          1733       0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        6          0          0          0
            UDP conn        0          0          0          0
            ARP tbl         106        0          0          0
            Xlate_Timeout   0          0          0          0
            VPN IKE upd     15         0          0          0
            VPN IPSEC upd   90         0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       2       1733
            Xmit Q:         0       2       15225

In multiple context mode, using the show failover command in a security context displays the failover information for that context. The information is similar to the information shown when using the command in single context mode. Instead of showing the active/standby status of the unit, it displays the active/standby status of the context. Table 14-7 provides descriptions for the information shown.
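A parser for the show failover output above that turns it into conditions a monitoring job can alert on (peer not Standby Ready, an interface that is not Normal, a state link that is not up, non-zero xerr/rerr counters, HTTP replication off), as an added Python example that is not part of the guide. The sample it runs on is constructed from the output above, with one peer interface marked Failed and one receive error counter raised; the context-prefixed interface lines of the Active/Active output parse the same way.

```python
"""Parse show failover output into a structure and report health findings.

Added example, not Cisco code. The sample below is constructed from the
Active/Standby output shown above, with one peer interface failed and a
receive error counter raised; context-prefixed interface lines from the
Active/Active output parse the same way.
"""
import re

HOST_RE = re.compile(r"^(?P<which>This host|Other host): (?P<role>Primary|Secondary)"
                     r"(?: - (?P<state>.+))?$")
IFACE_RE = re.compile(r"^(?:(?P<ctx>\S+) )?Interface (?P<name>\S+) "
                      r"\((?P<ip>[\d.]+)\): (?P<status>.+)$")
LINK_RE = re.compile(r"^Link : (?P<name>\S+) (?P<phy>\S+) \((?P<state>\w+)\)$")
COUNTER_RE = re.compile(r"^(?P<obj>[A-Za-z][\w ]*?)\s+(?P<xmit>\d+)\s+(?P<xerr>\d+)"
                        r"\s+(?P<rcv>\d+)\s+(?P<rerr>\d+)$")


def parse_show_failover(text: str) -> dict:
    """Return failover state, per-host interface status and stateful counters."""
    info = {"failover_on": None, "unit": None, "http_replication": False,
            "link_state": None, "hosts": {}, "counters": {}}
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        elif line == "Failover Off":
            info["failover_on"] = False
        elif line.startswith("Failover unit "):
            info["unit"] = line.split()[-1]
        elif line == "failover replication http":
            info["http_replication"] = True
        elif (m := HOST_RE.match(line)):
            host = m["which"]
            info["hosts"][host] = {"role": m["role"], "state": m["state"], "interfaces": {}}
        elif (m := IFACE_RE.match(line)) and host:
            key = f"{m['ctx']}/{m['name']}" if m["ctx"] else m["name"]
            info["hosts"][host]["interfaces"][key] = (m["ip"], m["status"])
        elif (m := LINK_RE.match(line)):
            info["link_state"] = m["state"]
        elif (m := COUNTER_RE.match(line)):
            info["counters"][m["obj"]] = tuple(int(m[k]) for k in ("xmit", "xerr", "rcv", "rerr"))
    return info


def health_findings(info: dict) -> list[str]:
    """Conditions a monitoring job would alert on, in output order."""
    findings = []
    if not info["failover_on"]:
        findings.append("failover is not enabled")
    states = {which: h["state"] for which, h in info["hosts"].items()}
    if set(states.values()) != {"Active", "Standby Ready"}:
        findings.append(f"unit states {states} are not one Active and one Standby Ready")
    for which, h in info["hosts"].items():
        for name, (ip, status) in h["interfaces"].items():
            if status != "Normal":
                findings.append(f"{which}: interface {name} ({ip}) is {status}")
    if info["link_state"] not in (None, "up"):
        findings.append(f"stateful failover link is {info['link_state']}")
    for obj, (_xmit, xerr, _rcv, rerr) in info["counters"].items():
        if xerr or rerr:
            findings.append(f"{obj}: {xerr} transmit errors, {rerr} receive errors")
    if not info["http_replication"]:
        findings.append("HTTP state replication is off; HTTP sessions will not survive failover")
    return findings


# Constructed from the sample output above; not a real capture.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 3 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
failover replication http
Last Failover at: 22:44:03 UTC Dec 8 2004
        This host: Primary - Active
                Active time: 13434 (sec)
                Interface inside (10.130.9.3): Normal
                Interface outside (10.132.9.3): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface inside (10.130.9.4): Normal
                Interface outside (10.132.9.4): Failed

Stateful Failover Logical Update Statistics
        Link : fover Ethernet2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1950       0          1733       0
        sys cmd         1733       0          1733       0
        TCP conn        6          0          0          0
        ARP tbl         106        0          0          2
"""

if __name__ == "__main__":
    for finding in health_findings(parse_show_failover(SAMPLE)):
        print("ALERT:", finding)
```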
    Failover On
    Last Failover at: 04:03:11 UTC Jan 4 2003
            This context: Negotiation
                    Active time: 1222 (sec)
                    Interface outside (192.168.5.121): Normal
                    Interface inside (192.168.0.1): Normal
            Peer context: Not Detected
                    Active time: 0 (sec)
                    Interface outside (192.168.5.131): Normal
                    Interface inside (192.168.0.11): Normal

    Stateful Failover Logical Update Statistics
            Status: Configured.
            Stateful Obj    xmit       xerr       rcv        rerr
            RPC services    0          0          0          0
            TCP conn        99         0          0          0
            UDP conn        0          0          0          0
            ARP tbl         22         0          0          0
            Xlate_Timeout   0          0          0          0
            GTP PDP         0          0          0          0
            GTP PDPMCB      0          0          0          0

Table 14-7 Show Failover Display Description

Field: Failover
    • On
    • Off

Field: Cable status:
    • Normal—The cable is connected to both units, and they both have power.
    • My side not connected—The serial cable is not connected to this unit. It is unknown if the cable is connected to the other unit.
    • Other side is not connected—The serial cable is connected to this unit, but not to the other unit.
    • Other side powered off—The other unit is turned off.
    • N/A—LAN-based failover is enabled.

Field: Failover Unit
    Primary or Secondary.

Field: Failover LAN Interface
    Displays the logical and physical name of the failover link.

Field: Unit Poll frequency
    Displays the number of seconds between hello messages sent to the peer unit and the number of seconds during which the unit must receive a hello message on the failover link before declaring the peer failed.

Field: Interface Poll frequency
    n seconds—The number of seconds you set with the failover polltime interface command. The default is 15 seconds.

Field: Interface Policy
    Displays the number or percentage of interfaces that must fail to trigger failover.

Field: Monitored Interfaces
    Displays the number of interfaces monitored out of the maximum possible.

Field: failover replication http
    Displays if HTTP state replication is enabled for Stateful Failover.
Field: Last Failover at:
    The date and time of the last failover, in the following form:
    hh:mm:ss UTC DayName Month Day yyyy
    UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich Mean Time).

Field: This host: / Other host:
    For each host, the display shows the following information.

Field: Primary or Secondary
    • Active
    • Standby

Field: Active time: n (sec)
    The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value.

Field: slot x
    Information about the module in the slot, or empty.

Field: Interface name (n.n.n.n):
    For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:
    • Failed—The interface has failed.
    • No Link—The interface line protocol is down.
    • Normal—The interface is working correctly.
    • Link Down—The interface has been administratively shut down.
    • Unknown—The security appliance cannot determine the status of the interface.
    • Waiting—Monitoring of the network interface on the other unit has not yet started.

Field: Stateful Failover Logical Update Statistics
    The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, the Stateful Failover statistics are shown.

Field: Link
    • interface_name—The interface used for the Stateful Failover link.
    • Unconfigured—You are not using Stateful Failover.
    • up—The interface is up and functioning.
    • down—The interface is either administratively shut down or is physically down.
    • failed—The interface has failed and is not passing stateful data.

Field: Stateful Obj
    For each field type, the following statistics are shown. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.
    • xmit—Number of transmitted packets to the other unit.
    • xerr—Number of errors that occurred while transmitting packets to the other unit.
    • rcv—Number of received packets.
    • rerr—Number of errors that occurred while receiving packets from the other unit.

Field: General
    Sum of all stateful objects.

Field: sys cmd
    Logical update system commands; for example, LOGIN and Stay Alive.

Field: up time
    Up time, which the active unit passes to the standby unit.

Field: RPC services
    Remote Procedure Call connection information.

Field: TCP conn
    TCP connection information.

Field: UDP conn
    Dynamic UDP connection information.

Field: ARP tbl
    Dynamic ARP table information.

Field: L2BRIDGE tbl
    Layer 2 bridge table information (transparent firewall mode only).

Field: Xlate_Timeout
    Indicates connection translation timeout information.

Field: VPN IKE upd
    IKE connection information.

Field: VPN IPSEC upd
    IPSec connection information.

Field: VPN CTCP upd
    cTCP tunnel connection information.

Field: VPN SDI upd
    SDI AAA connection information.

Field: VPN DHCP upd
    Tunneled DHCP connection information.

Field: GTP PDP
    GTP PDP update information. This information appears only if inspect GTP is enabled.

Field: GTP PDPMCB
    GTP PDPMCB update information. This information appears only if inspect GTP is enabled.

Field: Logical Update Queue Information
    For each field type, the following statistics are used:
    • Cur—Current number of packets
    • Max—Maximum number of packets
    • Total—Total number of packets

Field: Recv Q
    The status of the receive queue.

Field: Xmit Q
    The status of the transmit queue.

Show Failover—Active/Active

The following is sample output from the show failover command for Active/Active Failover. Table 14-8 provides descriptions for the information shown.

    hostname# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: third GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 4 seconds
    Interface Policy 1
    Monitored Interfaces 8 of 250 maximum
    failover replication http
    Group 1 last failover at: 13:40:18 UTC Dec 9 2004
    Group 2 last failover at: 13:40:06 UTC Dec 9 2004

            This host: Primary
                    Group 1 State: Active
                            Active time: 2896 (sec)
                    Group 2 State: Standby Ready
                            Active time: 0 (sec)

                    slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
                    slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.11)S91(0.11)) status (Up)
                    admin Interface outside (10.132.8.5): Normal
                    admin Interface third (10.132.9.5): Normal
                    admin Interface inside (10.130.8.5): Normal
                    admin Interface fourth (10.130.9.5): Normal
                    ctx1 Interface outside (10.1.1.1): Normal
                    ctx1 Interface inside (10.2.2.1): Normal
                    ctx2 Interface outside (10.3.3.2): Normal
                    ctx2 Interface inside (10.4.4.2): Normal

            Other host: Secondary
                    Group 1 State: Standby Ready
                            Active time: 190 (sec)
                    Group 2 State: Active
                            Active time: 3322 (sec)

                    slot 0: ASA-5530 hw/sw rev (1.0/7.0(0)79) status (Up Sys)
                    slot 1: SSM-IDS-20 hw/sw rev (1.0/5.0(0.1)S91(0.1)) status (Up)
                    admin Interface outside (10.132.8.6): Normal
                    admin Interface third (10.132.9.6): Normal
                    admin Interface inside (10.130.8.6): Normal
                    admin Interface fourth (10.130.9.6): Normal
                    ctx1 Interface outside (10.1.1.2): Normal
                    ctx1 Interface inside (10.2.2.2): Normal
                    ctx2 Interface outside (10.3.3.1): Normal
                    ctx2 Interface inside (10.4.4.1): Normal

    Stateful Failover Logical Update Statistics
            Link : third GigabitEthernet0/2 (up)
            Stateful Obj    xmit       xerr       rcv        rerr
            General         1973       0          1895       0
            sys cmd         380        0          380        0
            up time         0          0          0          0
            RPC services    0          0          0          0
            TCP conn        1435       0          1450       0
            UDP conn        0          0          0          0
            ARP tbl         124        0          65         0
            Xlate_Timeout   0          0          0          0
            VPN IKE upd     15         0          0          0
            VPN IPSEC upd   90         0          0          0
            VPN CTCP upd    0          0          0          0
            VPN SDI upd     0          0          0          0
            VPN DHCP upd    0          0          0          0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       1       1895
            Xmit Q:         0       0       1940

The following is sample output from the show failover group command for Active/Active Failover. The information displayed is similar to that of the show failover command, but limited to the specified group. Table 14-8 provides descriptions for the information shown.
hostname# show failover group 1

Last Failover at: 04:09:59 UTC Jan 4 2005

  This host: Secondary
    State: Active
            Active time: 186 (sec)

    admin Interface outside (192.168.5.121): Normal
    admin Interface inside (192.168.0.1): Normal

  Other host: Primary
    State: Standby
            Active time: 0 (sec)

    admin Interface outside (192.168.5.131): Normal
    admin Interface inside (192.168.0.11): Normal

Stateful Failover Logical Update Statistics
    Status: Configured.
    RPC services    0          0          0          0
    TCP conn        33         0          0          0
    UDP conn        0          0          0          0
    ARP tbl         12         0          0          0
    Xlate_Timeout   0          0          0          0
    GTP PDP         0          0          0          0
    GTP PDPMCB      0          0          0          0

Table 14-8 Show Failover Display Description
Field / Options
Failover
    • On
    • Off
Failover Unit
    Primary or Secondary.
Failover LAN Interface
    Displays the logical and physical name of the failover link.
Unit Poll frequency
    Displays the number of seconds between hello messages sent to the peer unit and the number of seconds during which the unit must receive a hello message on the failover link before declaring the peer failed.
Interface Poll frequency
    n seconds. The number of seconds you set with the failover polltime interface command. The default is 15 seconds.
Interface Policy
    Displays the number or percentage of interfaces that must fail before triggering failover.
Monitored Interfaces
    Displays the number of interfaces monitored out of the maximum possible.
Group 1 Last Failover at:
Group 2 Last Failover at:
    The date and time of the last failover for each group in the following form: hh:mm:ss UTC DayName Month Day yyyy. UTC (Coordinated Universal Time) is equivalent to GMT (Greenwich Mean Time).
This host:
Other host:
    For each host, the display shows the following information.
Role
    Primary or Secondary
System State
    • Active or Standby Ready
    • Active Time in seconds
Group 1 State
Group 2 State
    • Active or Standby Ready
    • Active Time in seconds
slot x
    Information about the module in the slot or empty.
context Interface name (n.n.n.n):
    For each interface, the display shows the IP address currently being used on each unit, as well as one of the following conditions:
    • Failed—The interface has failed.
    • No link—The interface line protocol is down.
    • Normal—The interface is working correctly.
    • Link Down—The interface has been administratively shut down.
    • Unknown—The security appliance cannot determine the status of the interface.
    • Waiting—Monitoring of the network interface on the other unit has not yet started.
Stateful Failover Logical Update Statistics
    The following fields relate to the Stateful Failover feature. If the Link field shows an interface name, the Stateful Failover statistics are shown.
Link
    • interface_name—The interface used for the Stateful Failover link.
    • Unconfigured—You are not using Stateful Failover.
    • up—The interface is up and functioning.
    • down—The interface is either administratively shutdown or is physically down.
    • failed—The interface has failed and is not passing stateful data.
Stateful Obj
    For each field type, the following statistics are used. They are counters for the number of state information packets sent between the two units; the fields do not necessarily show active connections through the unit.
    • xmit—Number of transmitted packets to the other unit
    • xerr—Number of errors that occurred while transmitting packets to the other unit
    • rcv—Number of received packets
    • rerr—Number of errors that occurred while receiving packets from the other unit
General
    Sum of all stateful objects.
sys cmd
    Logical update system commands; for example, LOGIN and Stay Alive.
up time
    Up time, which the active unit passes to the standby unit.
RPC services
    Remote Procedure Call connection information.
TCP conn
    TCP connection information.
UDP conn
    Dynamic UDP connection information.
ARP tbl
    Dynamic ARP table information.
L2BRIDGE tbl
    Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout
    Indicates connection translation timeout information.
VPN IKE upd
    IKE connection information.
VPN IPSEC upd
    IPSec connection information.
VPN CTCP upd
    cTCP tunnel connection information.
VPN SDI upd
    SDI AAA connection information.
VPN DHCP upd
    Tunneled DHCP connection information.
GTP PDP
    GTP PDP update information. This information appears only if inspect GTP is enabled.
GTP PDPMCB
    GTP PDPMCB update information. This information appears only if inspect GTP is enabled.
Logical Update Queue Information
    For each field type, the following statistics are used:
    • Cur—Current number of packets
    • Max—Maximum number of packets
    • Total—Total number of packets
Recv Q
    The status of the receive queue.
Xmit Q
    The status of the transmit queue.

Viewing Monitored Interfaces

To view the status of monitored interfaces, enter the following command. In single context mode, enter this command in global configuration mode. In multiple context mode, enter this command within a context.
primary/context(config)# show monitor-interface
For example:
hostname/context(config)# show monitor-interface
        This host: Primary - Active
                Interface outside (192.168.1.2): Normal
                Interface inside (10.1.1.91): Normal
        Other host: Secondary - Standby
                Interface outside (192.168.1.3): Normal
                Interface inside (10.1.1.100): Normal

Displaying the Failover Commands in the Running Configuration

To view the failover commands in the running configuration, enter the following command:
hostname(config)# show running-config failover
All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.

Testing the Failover Functionality

To test failover functionality, perform the following steps:
Step 1 Test that your active unit or failover group is passing traffic as expected by using FTP (for example) to send a file between hosts on different interfaces.
Step 2 Force a failover to the standby unit by entering the following command:
• For Active/Standby failover, enter the following command on the active unit:
  hostname(config)# no failover active
• For Active/Active failover, enter the following command on the unit where the failover group containing the interface connecting your hosts is active:
  hostname(config)# no failover active group group_id
Step 3 Use FTP to send another file between the same two hosts.
Step 4 If the test was not successful, enter the show failover command to check the failover status.
Step 5 When you are finished, you can restore the unit or failover group to active status by entering the following command:
• For Active/Standby failover, enter the following command on the active unit:
  hostname(config)# failover active
• For Active/Active failover, enter the following command on the unit where the failover group containing the interface connecting your hosts is active:
  hostname(config)# failover active group group_id

Controlling and Monitoring Failover

This section describes how to control and monitor failover.
This section includes the following topics:
• Forcing Failover, page 14-49
• Disabling Failover, page 14-50
• Restoring a Failed Unit or Failover Group, page 14-50
• Monitoring Failover, page 14-50

Forcing Failover

To force the standby unit or failover group to become active, enter one of the following commands:
• For Active/Standby failover: Enter the following command on the standby unit:
  hostname# failover active
  Or, enter the following command on the active unit:
  hostname# no failover active
• For Active/Active failover: Enter the following command in the system execution space of the unit where the failover group is in the standby state:
  hostname# failover active group group_id
  Or, enter the following command in the system execution space of the unit where the failover group is in the active state:
  hostname# no failover active group group_id
  Entering the following command in the system execution space causes all failover groups to become active:
  hostname# failover active

Disabling Failover

To disable failover, enter the following command:
hostname(config)# no failover
Disabling failover on an Active/Standby pair causes the active and standby state of each unit to be maintained until you restart. For example, the standby unit remains in standby mode so that both units do not start passing traffic. To make the standby unit active (even with failover disabled), see the “Forcing Failover” section on page 14-49.
Disabling failover on an Active/Active pair causes the failover groups to remain in the active state on whichever unit they are currently active on, no matter which unit they are configured to prefer. The no failover command should be entered in the system execution space.
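Step 4 of the failover test and the Table 14-7 and 14-8 field descriptions leave the operator reading show failover by eye after a forced switchover. The following Python, an added example that is not part of the guide, parses the Active/Active show failover layout shown earlier and flags the conditions worth acting on (a monitored interface that is not Normal, non-zero xerr/rerr counters, a group reported Active on both units or on neither, the stateful link not up); the sample text is constructed after the guide's output, and the health rules are this example's own.

```python
"""Parse ASA 'show failover' (Active/Active layout) and flag unhealthy state.
Added example for this guide, not Cisco code: SAMPLE_OUTPUT is constructed
after the output shown earlier, and the rules in failover_findings() are
this example's own, not anything the appliance itself reports."""
import re

SAMPLE_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: third GigabitEthernet0/2 (up)
Monitored Interfaces 8 of 250 maximum
  This host: Primary
    Group 1 State: Active
    Group 2 State: Standby Ready
    admin Interface outside (10.132.8.5): Normal
    ctx1 Interface inside (10.2.2.1): Failed
  Other host: Secondary
    Group 1 State: Standby Ready
    Group 2 State: Active
    admin Interface outside (10.132.8.6): Normal
    ctx1 Interface inside (10.2.2.2): Normal

Stateful Failover Logical Update Statistics
    Link : third GigabitEthernet0/2 (up)
    Stateful Obj    xmit       xerr       rcv        rerr
    General         1973       0          1895       0
    sys cmd         380        0          380        0
    TCP conn        1435       0          1450       3
    UDP conn        0          0          0          0
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary)")
GROUP_RE = re.compile(r"^\s*Group (\d) State: (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*(\S+) Interface (\S+) \(([\d.]+)\): (.+?)\s*$")
LINK_RE = re.compile(r"^\s*Link : (\S+) (\S+) \((\w+)\)")
# One Stateful Obj row: a name (may contain spaces) followed by four counters.
ROW_RE = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text):
    """Return failover state, per-host group states, monitored interfaces,
    the stateful link and the Stateful Obj counters as a dict."""
    report = {"failover_on": False, "unit": None, "link": None,
              "groups": {}, "interfaces": [], "stateful": {}}
    host, in_counters = None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Failover On":
            report["failover_on"] = True
        elif stripped.startswith("Failover unit "):
            report["unit"] = stripped.split()[-1]
        elif (m := HOST_RE.match(line)):
            host = f"{m.group(1)} host ({m.group(2)})"
            report["groups"][host] = {}
        elif (m := GROUP_RE.match(line)) and host:
            report["groups"][host][int(m.group(1))] = m.group(2)
        elif (m := IFACE_RE.match(line)) and host:
            context, name, ip, state = m.groups()
            report["interfaces"].append(
                {"host": host, "context": context, "name": name, "ip": ip, "state": state})
        elif (m := LINK_RE.match(line)):
            report["link"] = {"name": m.group(1), "physical": m.group(2), "status": m.group(3)}
        elif stripped.startswith("Stateful Obj"):
            in_counters = True  # header of the xmit/xerr/rcv/rerr table
        elif in_counters and (m := ROW_RE.match(line)):
            name, *counts = m.groups()
            report["stateful"][name] = dict(zip(("xmit", "xerr", "rcv", "rerr"), map(int, counts)))
    return report


def failover_findings(report):
    """Conditions worth an operator's attention after a switchover (example rules)."""
    findings = []
    if not report["failover_on"]:
        findings.append("failover is Off")
    link = report["link"]
    if link is None:
        findings.append("stateful failover link unconfigured")
    elif link["status"] != "up":
        findings.append(f"stateful link {link['name']} is {link['status']}")
    active_on = {}  # group id -> number of units reporting it Active
    for host, groups in report["groups"].items():
        for gid, state in groups.items():
            if state not in ("Active", "Standby Ready"):
                findings.append(f"{host} group {gid} is {state}")
            active_on[gid] = active_on.get(gid, 0) + (state == "Active")
    for gid, n in sorted(active_on.items()):
        if n != 1:  # active on both units (or on neither) is a fault, not a failover
            findings.append(f"group {gid} active on {n} units")
    for i in report["interfaces"]:
        if i["state"] != "Normal":
            findings.append(f"{i['host']} {i['context']} {i['name']} ({i['ip']}) is {i['state']}")
    for name, c in report["stateful"].items():
        if c["xerr"] or c["rerr"]:
            findings.append(f"{name}: xerr={c['xerr']} rerr={c['rerr']}")
    return findings
```

Feed it the captured output of show failover from both units after Step 2 and again after Step 5; an empty findings list means the pair is back in the state Table 14-8 describes as healthy.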
Restoring a Failed Unit or Failover Group

To restore a failed unit to an unfailed state, enter the following command:
hostname(config)# failover reset
To restore a failed Active/Active failover group to an unfailed state, enter the following command:
hostname(config)# failover reset group group_id
Restoring a failed unit or group to an unfailed state does not automatically make it active; restored units or groups remain in the standby state until made active by failover (forced or natural). An exception is a failover group configured with the preempt command. If previously active, a failover group becomes active if it is configured with the preempt command and if the unit on which it failed is the preferred unit.

Monitoring Failover

When a failover occurs, both security appliances send out system messages. This section includes the following topics:
• Failover System Messages, page 14-51
• Debug Messages, page 14-51
• SNMP, page 14-51

Failover System Messages

The security appliance issues a number of system messages related to failover at priority level 2, which indicates a critical condition. To view these messages, see the Cisco Security Appliance Logging Configuration and System Log Messages to enable logging and to see descriptions of the system messages.
Note    During switchover, failover logically shuts down and then brings up interfaces, generating syslog 411001 and 411002 messages. This is normal activity.

Debug Messages

To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information.
Note    Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance. For this reason, use the debug fover commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC.
SNMP

To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. See the snmp-server and logging commands in the Cisco Security Appliance Command Reference for more information.

PART 2  Configuring the Firewall

CHAPTER 15  Firewall Mode Overview

This chapter describes how the firewall works in each firewall mode. To set the firewall mode, see the “Setting Transparent or Routed Firewall Mode” section on page 2-5.
Note    In multiple context mode, you cannot set the firewall mode separately for each context; you can only set the firewall mode for the entire security appliance.
This chapter includes the following sections:
• Routed Mode Overview, page 15-1
• Transparent Mode Overview, page 15-8

Routed Mode Overview

In routed mode, the security appliance is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts.
This section includes the following topics:
• IP Routing Support, page 15-1
• Network Address Translation, page 15-2
• How Data Moves Through the Security Appliance in Routed Firewall Mode, page 15-3

IP Routing Support

The security appliance acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP. Multiple context mode supports static routes only.
We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the security appliance for extensive routing needs.

Network Address Translation

NAT substitutes the local address on a packet with a global address that is routable on the destination network. By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command).
Note    NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a security appliance from an earlier version, then the nat-control command is automatically added to your configuration to maintain the expected behavior.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Figure 15-1 shows a typical NAT scenario, with a private network on the inside. When the inside user sends a packet to a web server on the Internet, the local source address of the packet is changed to a routable global address. When the web server responds, it sends the response to the global address, and the security appliance receives the packet. The security appliance then translates the global address to the local address before sending it on to the user.
Figure 15-1 NAT Example
(figure; labels: Web Server www.example.com; 209.165.201.2; 10.1.2.1; 10.1.2.27; Originating Packet, Source Addr Translation 10.1.2.27 to 209.165.201.10; Responding Packet, Dest Addr Translation 209.165.201.10 to 10.1.2.27; Outside; Inside)

How Data Moves Through the Security Appliance in Routed Firewall Mode

This section describes how data moves through the security appliance in routed firewall mode, and includes the following topics:
• An Inside User Visits a Web Server, page 15-3
• An Outside User Visits a Web Server on the DMZ, page 15-4
• An Inside User Visits a Web Server on the DMZ, page 15-6
• An Outside User Attempts to Access an Inside Host, page 15-7
• A DMZ User Attempts to Access an Inside Host, page 15-8

An Inside User Visits a Web Server

Figure 15-2 shows an inside user accessing an outside web server.
Figure 15-2 Inside to Outside
(figure; labels: www.example.com; Web Server 10.1.1.3; User 10.1.2.27; 209.165.201.2; 10.1.2.1; 10.1.1.1; Source Addr Translation 10.1.2.27 to 209.165.201.10; Outside; Inside; DMZ)
The following steps describe how data moves through the security appliance (see Figure 15-2):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface would be unique; the www.example.com IP address does not have a current address translation in a context.
3. The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.

An Outside User Visits a Web Server on the DMZ

Figure 15-3 shows an outside user accessing the DMZ web server.
Figure 15-3 Outside to DMZ
(figure; labels: User; Web Server 10.1.1.3; 209.165.201.2; 10.1.2.1; 10.1.1.1; Dest Addr Translation 209.165.201.3 to 10.1.1.13; Outside; Inside; DMZ)
The following steps describe how data moves through the security appliance (see Figure 15-3):
1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation.
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 209.165.201.3.
6. The security appliance forwards the packet to the outside user.

An Inside User Visits a Web Server on the DMZ

Figure 15-4 shows an inside user accessing the DMZ web server.
Figure 15-4 Inside to DMZ
(figure; labels: Web Server 10.1.1.3; User 10.1.2.27; 209.165.201.2; 10.1.2.1; 10.1.1.1; Inside; DMZ; Outside)
The following steps describe how data moves through the security appliance (see Figure 15-4):
1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface is unique; the web server IP address does not have a current address translation.
3. The security appliance then records that a session is established and forwards the packet out of the DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet bypass the many lookups associated with a new connection.
5. The security appliance forwards the packet to the inside user.

An Outside User Attempts to Access an Inside Host

Figure 15-5 shows an outside user attempting to access the inside network.
Figure 15-5 Outside to Inside
(figure; labels: www.example.com; User 10.1.2.27; 209.165.201.2; 10.1.2.1; 10.1.1.1; Outside; Inside; DMZ)
The following steps describe how data moves through the security appliance (see Figure 15-5):
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address). If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt. If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.
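The routed-mode flows described above (an inside user reaching an outside web server through a source translation, the reply matching the established session and bypassing the policy lookups, an outside user reaching the DMZ server through a static destination translation, and a new outside-to-inside session being denied and logged), modelled in Python. This is an added example, not code from the guide; the interface names, security levels, routes, translations and the access list are assumptions built from the addresses in the figures, and the outside user's address 209.165.200.225 is constructed.

```python
"""Routed-mode data path: session lookup first, then security policy, NAT,
session recording and forwarding. Added example for this guide, not Cisco
code; interface names, security levels, addresses, routes and the access
list are constructed from the figures in this section."""
import ipaddress
from collections import namedtuple

# A packet as seen on its ingress interface (constructed 5-tuple).
Packet = namedtuple("Packet", "iface src sport dst dport")

SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
# Static NAT for the DMZ web server: global address -> (interface, local address).
STATIC_NAT = {"209.165.201.3": ("dmz", "10.1.1.3")}
# Dynamic source translation for inside hosts reaching the outside.
DYNAMIC_NAT = {"10.1.2.27": "209.165.201.10"}
# Access list on the outside interface: only the DMZ server's global address, port 80.
ACL = {"outside": {("209.165.201.3", 80)}}
ROUTES = [(ipaddress.ip_network("10.1.1.0/24"), "dmz"),
          (ipaddress.ip_network("10.1.2.0/24"), "inside")]   # everything else: outside


class RoutedFirewall:
    def __init__(self):
        self.conns = {}  # ingress 5-tuple -> (egress, translated src, translated dst)
        self.log = []

    @staticmethod
    def route(dst):
        addr = ipaddress.ip_address(dst)
        return next((iface for net, iface in ROUTES if addr in net), "outside")

    @staticmethod
    def policy_allows(pkt, egress):
        # Higher to lower security level is permitted by default; anything else
        # needs an access-list permit on the ingress interface. The check is on
        # the global address, before translation, as in the outside-to-DMZ steps.
        if SECURITY_LEVEL[pkt.iface] > SECURITY_LEVEL[egress]:
            return True
        return (pkt.dst, pkt.dport) in ACL.get(pkt.iface, set())

    @staticmethod
    def translate(pkt, egress):
        src, dst = pkt.src, pkt.dst
        if pkt.iface == "inside" and egress == "outside":
            src = DYNAMIC_NAT.get(src, src)      # Figure 15-2: source translation
        if pkt.iface == "outside" and dst in STATIC_NAT:
            dst = STATIC_NAT[dst][1]             # Figure 15-3: destination translation
        return src, dst

    def process(self, pkt):
        key = tuple(pkt)
        if key in self.conns:                    # established session: fast path
            egress, src, dst = self.conns[key]
            return {"action": "forward", "egress": egress, "src": src, "dst": dst, "new": False}
        egress = STATIC_NAT[pkt.dst][0] if pkt.dst in STATIC_NAT else self.route(pkt.dst)
        if egress == pkt.iface or not self.policy_allows(pkt, egress):
            self.log.append(f"deny {pkt.iface} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return {"action": "drop", "egress": None, "src": pkt.src, "dst": pkt.dst, "new": True}
        src, dst = self.translate(pkt, egress)
        self.conns[key] = (egress, src, dst)
        # The reply arrives on the egress interface addressed to the translated
        # source; record it so it matches without a new policy lookup and is
        # translated back to the original addresses.
        reply = Packet(egress, dst, pkt.dport, src, pkt.sport)
        self.conns[tuple(reply)] = (pkt.iface, pkt.dst, pkt.src)
        return {"action": "forward", "egress": egress, "src": src, "dst": dst, "new": True}


def demo():
    """Walk the scenarios of this section; returns (results, deny log)."""
    fw = RoutedFirewall()
    flows = [
        Packet("inside", "10.1.2.27", 1025, "209.165.201.2", 80),         # inside -> web server
        Packet("outside", "209.165.201.2", 80, "209.165.201.10", 1025),   # its reply
        Packet("outside", "209.165.200.225", 40000, "209.165.201.3", 80), # outside -> DMZ server
        Packet("dmz", "10.1.1.3", 80, "209.165.200.225", 40000),          # its reply
        Packet("inside", "10.1.2.27", 1026, "10.1.1.3", 80),              # inside -> DMZ, no NAT
        Packet("outside", "209.165.200.225", 40001, "10.1.2.27", 22),     # outside -> inside host
        Packet("dmz", "10.1.1.3", 40002, "10.1.2.27", 22),                # DMZ -> inside host
    ]
    return [fw.process(p) for p in flows], fw.log
```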
A DMZ User Attempts to Access an Inside Host

Figure 15-6 shows a user in the DMZ attempting to access the inside network.
Figure 15-6 DMZ to Inside
The following steps describe how data moves through the security appliance (see Figure 15-6):
1. A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route the traffic on the internet, the private addressing scheme does not prevent routing.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.

Transparent Mode Overview

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network, page 15-9
• Allowing Layer 3 Traffic, page 15-9
• Passing Traffic Not Allowed in Routed Mode, page 15-9
• MAC Address Lookups, page 15-10
• Using the Transparent Firewall in Your Network, page 15-10
• Transparent Firewall Guidelines, page 15-10
• Unsupported Features in Transparent Mode, page 15-11
• How Data Moves Through the Transparent Firewall, page 15-13

Transparent Firewall Network

The security appliance connects the same network on its inside and outside interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP readdressing is unnecessary.

Allowing Layer 3 Traffic

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list. ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3 traffic travelling from a low to a high security interface, an extended access list is required.

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Passing Traffic Not Allowed in Routed Mode

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note    The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.

MAC Address Lookups

When the security appliance runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup.
Route statements can still be configured, but they only apply to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the security appliance can reach that subnet.

Using the Transparent Firewall in Your Network

Figure 15-7 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 15-7 Transparent Firewall Network
(figure; labels: Internet; 10.1.1.1; 10.1.1.2; Management IP 10.1.1.3; 192.168.1.2; Network A; Network B)

Transparent Firewall Guidelines

Follow these guidelines when planning your transparent firewall network:
• A management IP address is required; for multiple context mode, an IP address is required for each context.
  Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications.
  The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
  You can configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address.
  Note    If the management IP address is not configured, transient traffic does not pass through the transparent firewall. For multiple context mode, transient traffic does not pass through virtual contexts.
• The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
  In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
• Each directly connected network must be on the same subnet.
• Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.
• For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.
• For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.

Unsupported Features in Transparent Mode

Table 15-1 lists the features that are not supported in transparent mode.

Table 15-1 Unsupported Features in Transparent Mode
Feature / Description
Dynamic DNS
    —
DHCP relay
    The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
Dynamic routing protocols
    You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list.
IPv6
    You also cannot allow IPv6 using an EtherType access list.
Multicast
    You can allow multicast traffic through the security appliance by allowing it in an extended access list.
NAT
    NAT is performed on the upstream router.
QoS
    —
VPN termination for through traffic
    The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. WebVPN is also not supported.

How Data Moves Through the Transparent Firewall

Figure 15-8 shows a typical transparent firewall implementation with an inside network that contains a public web server. The security appliance has an access list so that the inside users can access Internet resources. Another access list lets the outside users access only the web server on the inside network.
Figure 15-8 Typical Transparent Firewall Data Path
(figure; labels: Internet; www.example.com; 209.165.201.2; Management IP 209.165.201.6; Host 209.165.201.3; 209.165.200.230; Web Server 209.165.200.225)
This section describes how data moves through the security appliance, and includes the following topics:
• An Inside User Visits a Web Server, page 15-14
• An Outside User Visits a Web Server on the Inside Network, page 15-15
• An Outside User Attempts to Access an Inside Host, page 15-16

An Inside User Visits a Web Server

Figure 15-9 shows an inside user accessing an outside web server.
Figure 15-9 Inside to Outside
(figure; labels: Internet; www.example.com; 209.165.201.2; Management IP 209.165.201.6; Host 209.165.201.3)
The following steps describe how data moves through the security appliance (see Figure 15-9):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to a unique interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 209.186.201.2.
   If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the inside user.

An Outside User Visits a Web Server on the Inside Network

Figure 15-10 shows an outside user accessing the inside web server.
Figure 15-10 Outside to Inside
(figure; labels: Internet; Host 209.165.201.2; 209.165.201.1; 209.165.200.230; Web Server 209.165.200.225; Management IP 209.165.201.6)
The following steps describe how data moves through the security appliance (see Figure 15-10):
1. A user on the outside network requests a web page from the inside web server.
2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to a unique interface.
3. The security appliance records that a session is established.
4. If the destination MAC address is in its table, the security appliance forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 209.186.201.1.
   If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection.
6. The security appliance forwards the packet to the outside user.

An Outside User Attempts to Access an Inside Host

Figure 15-11 shows an outside user attempting to access a host on the inside network.
Figure 15-11 Outside to Inside
The following steps describe how data moves through the security appliance (see Figure 15-11):
1. A user on the outside network attempts to reach an inside host.
2. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies if the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
   For multiple context mode, the security appliance first classifies the packet according to a unique interface.
3. The packet is denied, and the security appliance drops the packet.
4.
If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session. Management IP 209.165.201.6 Host 209.165.201.2 Host 209.165.201.3 Internet 92410C H A P T E R 16-1 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 16 Identifying Traffic with Access Lists This chapter describes how to identify traffic with access lists. This chapter includes the following topics: • Access List Overview, page 16-1 • Adding an Extended Access List, page 16-5 • Adding an EtherType Access List, page 16-8 • Adding a Standard Access List, page 16-11 • Adding a Webtype Access List, page 16-11 • Simplifying Access Lists with Object Grouping, page 16-11 • Adding Remarks to Access Lists, page 16-18 • Scheduling Extended Access List Activation, page 16-18 • Logging Access List Activity, page 16-20 For information about IPv6 access lists, see the “Configuring IPv6 Access Lists” section on page 12-6. Access List Overview Access lists are made up of one or more Access Control Entries. An ACE is a single entry in an access list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports. Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can use an access list to identify traffic within a traffic class map. 
For more information on Modular Policy Framework, see Chapter 21, “Using Modular Policy Framework.”

This section includes the following topics:
• Access List Types, page 16-2
• Access Control Entry Order, page 16-2
• Access Control Implicit Deny, page 16-3
• IP Addresses Used for Access Lists When You Use NAT, page 16-3

Access List Types

Table 16-1 lists the types of access lists and some common uses for them.

Table 16-1 Access List Types and Common Uses
Access List Use | Access List Type | Description
Control network access for IP traffic (routed and transparent mode) | Extended | The security appliance does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list. Note: To access the security appliance interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to Chapter 40, “Managing System Access.”
Identify traffic for AAA rules | Extended | AAA rules use access lists to identify traffic.
Control network access for IP traffic for a given user | Extended, downloaded from a AAA server per user | You can configure the RADIUS server to download a dynamic access list to be applied to the user, or the server can send the name of an access list that you already configured on the security appliance.
Identify addresses for NAT (policy NAT and NAT exemption) | Extended | Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list.
Establish VPN access | Extended | You can use an extended access list in VPN commands.
Identify traffic in a traffic class map for Modular Policy Framework | Extended, EtherType | Access lists can be used to identify traffic in a class map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, and inspection.
For transparent firewall mode, control network access for non-IP traffic | EtherType | You can configure an access list that controls traffic based on its EtherType.
Identify OSPF route redistribution | Standard | Standard access lists include only the destination address. You can use a standard access list to control the redistribution of OSPF routes.
Filtering for WebVPN | Webtype | You can configure a Webtype access list to filter URLs.

Access Control Entry Order

An access list is made up of one or more ACEs. Depending on the access list type, you can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP type (for ICMP), or the EtherType.

Each ACE that you enter for a given access list name is appended to the end of the access list. The order of ACEs is important. When the security appliance decides whether to forward or drop a packet, the security appliance tests the packet against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked.

You can disable an ACE by specifying the keyword inactive in the access-list command.

Access Control Implicit Deny

Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the security appliance except for particular addresses, then you need to deny the particular addresses and then permit all others.
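To make the first-match order and the implicit deny concrete, here is an added Python evaluator (example code, not from this guide) that parses ASA-style extended ACEs such as the ACL_IN samples given later in this chapter and applies them in order with an implicit deny at the end; the small port-keyword table and the sample packets are assumptions made for the example.

```python
"""Added example (not from the Cisco guide): an evaluator for ASA-style extended ACEs."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_KEYWORDS = {"www": 80, "domain": 53}        # small subset of the port literals, assumed
OPERATORS = {"lt", "gt", "eq", "neq", "range"}
_port = lambda tok: PORT_KEYWORDS.get(tok) or int(tok)   # noqa: E731


@dataclass
class ACE:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    src_port: Optional[Tuple]      # (operator, port[, port]) or None
    dst: ipaddress.IPv4Network
    dst_port: Optional[Tuple]
    inactive: bool = False


def _address(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # The security appliance takes a network mask (255.255.255.0), not IOS wildcard bits.
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port_spec(t: List[str], i: int) -> Tuple[Optional[Tuple], int]:
    if i < len(t) and t[i] in OPERATORS:
        if t[i] == "range":
            return ("range", _port(t[i + 1]), _port(t[i + 2])), i + 3
        return (t[i], _port(t[i + 1])), i + 2
    return None, i


def parse_ace(cmd: str) -> Tuple[str, Optional[int], ACE]:
    """Parse 'access-list NAME [line N] [extended] {deny|permit} proto src [op port] dst [op port] [inactive]'."""
    t = cmd.split("#", 1)[-1].split()          # drop a hostname(config)# prompt if present
    assert t[0] == "access-list"
    name, i, line_no = t[1], 2, None
    if t[i] == "line":
        line_no, i = int(t[i + 1]), i + 2
    if t[i] == "extended":
        i += 1
    action, protocol, i = t[i], t[i + 1], i + 2
    src, i = _address(t, i)
    sport, i = _port_spec(t, i)
    dst, i = _address(t, i)
    dport, i = _port_spec(t, i)
    inactive = i < len(t) and t[i] == "inactive"
    return name, line_no, ACE(action, protocol, src, sport, dst, dport, inactive)


def build(commands: List[str]) -> Dict[str, List[ACE]]:
    """Each ACE is appended to its list unless 'line N' places it at position N."""
    acls: Dict[str, List[ACE]] = {}
    for cmd in commands:
        name, line_no, ace = parse_ace(cmd)
        entries = acls.setdefault(name, [])
        if line_no is None:
            entries.append(ace)
        else:
            entries.insert(line_no - 1, ace)
    return acls


def _port_match(spec: Optional[Tuple], port: int) -> bool:
    if spec is None:
        return True
    op, *v = spec
    return {"eq": port == v[0], "neq": port != v[0], "lt": port < v[0],
            "gt": port > v[0], "range": v[0] <= port <= v[-1]}[op]


def evaluate(acl: List[ACE], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """The first matching active ACE decides; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.inactive or ace.protocol not in ("ip", proto):
            continue
        if (s in ace.src and d in ace.dst and _port_match(ace.src_port, sport)
                and _port_match(ace.dst_port, dport)):
            return ace.action
    return "deny"


def demo() -> Dict[str, str]:
    """Constructed ACL_IN, built from the sample ACEs in this chapter."""
    cmds = [
        "access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224",
        "access-list ACL_IN extended permit ip any any",
        # Appended after the permit-any ACE, so it is shadowed and can never match.
        "access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www",
    ]
    acl = build(cmds)["ACL_IN"]
    r = {"blocked_subnet": evaluate(acl, "tcp", "192.168.1.5", 40000, "209.165.201.10", 80),
         "web_deny_shadowed": evaluate(acl, "tcp", "10.0.0.5", 40000, "209.165.201.29", 80)}
    # 'line 1' puts the web deny ahead of the permit-any ACE, so it now takes effect.
    fixed = build(cmds + ["access-list ACL_IN line 1 extended deny tcp any host 209.165.201.29 eq www"])
    r["web_deny_first"] = evaluate(fixed["ACL_IN"], "tcp", "10.0.0.5", 40000, "209.165.201.29", 80)
    # A list holding only a limited permit: everything else hits the implicit deny.
    only = build(["access-list LIMITED extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224"])
    r["implicit_deny"] = evaluate(only["LIMITED"], "tcp", "172.16.0.1", 40000, "209.165.201.10", 22)
    return r
```

The shadowed deny is the mistake the ordering rule warns about: `show access-list` would show the ACE present, yet it never matches until it is inserted ahead of the permit-any entry.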
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied.

IP Addresses Used for Access Lists When You Use NAT

When you use NAT, the IP addresses you specify for an access list depend on the interface to which the access list is attached; you need to use addresses that are valid on the network connected to the interface. This guideline applies for both inbound and outbound access lists: the direction does not determine the address used, only the interface does.

For example, you want to apply an access list to the inbound direction of the inside interface. You configure the security appliance to perform NAT on the inside source addresses when they access outside addresses. Because the access list is applied to the inside interface, the source addresses are the original untranslated addresses. Because the outside addresses are not translated, the destination address used in the access list is the real address (see Figure 16-1).

Figure 16-1 IP Addresses in Access Lists: NAT Used for Source Addresses (figure: the inside network 10.1.1.0/24 is translated by PAT to 209.165.201.4:port; the inbound ACL on the inside interface permits 10.1.1.0/24 to the outside host 209.165.200.225)

See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
hostname(config)# access-group INSIDE in interface inside

If you want to allow an outside host to access an inside host, you can apply an inbound access list on the outside interface. You need to specify the translated address of the inside host in the access list because that address is the address that can be used on the outside network (see Figure 16-2).

Figure 16-2 IP Addresses in Access Lists: NAT Used for Destination Addresses (figure: the inside host 10.1.1.34 is translated by static NAT to 209.165.201.5; the ACL on the outside interface permits the outside host 209.165.200.225 to 209.165.201.5)

See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside

If you perform NAT on both interfaces, keep in mind the addresses that are visible to a given interface. In Figure 16-3, an outside server uses static NAT so that a translated address appears on the inside network.

Figure 16-3 IP Addresses in Access Lists: NAT Used for Source and Destination Addresses (figure: the inside network 10.1.1.0/24 is translated by PAT to 209.165.201.4:port; the outside server 209.165.200.225 is translated by static NAT to 10.1.1.56; the ACL permits 10.1.1.0/24 to 10.1.1.56)

See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 10.1.1.56
hostname(config)# access-group INSIDE in interface inside

Adding an Extended Access List

This section describes how to add an extended access list, and includes the following sections:
• Extended Access List Overview, page 16-5
• Allowing Broadcast and Multicast Traffic through the Transparent Firewall, page 16-6
• Adding an Extended ACE, page 16-6

Extended Access List Overview

An extended access list is made up of one or more ACEs, in which you can specify the line number to insert the ACE, source and destination addresses, and, depending on the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within the access-list command, or you can use object groups for each parameter. This section describes how to identify the parameters within the command. To use object groups, see the “Simplifying Access Lists with Object Grouping” section on page 16-11.

For information about logging options that you can add to the end of the ACE, see the “Logging Access List Activity” section on page 16-20. For information about time range options, see the “Scheduling Extended Access List Activation” section on page 16-18.

For TCP and UDP connections, you do not need an access list to allow returning traffic, because the FWSM allows all returning traffic for established, bidirectional connections.
For connectionless protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.

You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can apply the same access lists on multiple interfaces. See Chapter 18, “Permitting or Denying Network Access,” for more information about applying an access list to an interface.

Note: If you change the access list configuration, and you do not want to wait for existing connections to time out before the new access list information is used, you can clear the connections using the clear local-host command.

Allowing Broadcast and Multicast Traffic through the Transparent Firewall

In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access list, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple context mode, which does not allow dynamic routing, for example.

Note: Because these special types of traffic are connectionless, you need to apply an extended access list to both interfaces, so returning traffic is allowed through.

Table 16-2 lists common traffic types that you can allow through the transparent firewall.

Table 16-2 Transparent Firewall Special Traffic
Traffic Type | Protocol or Port | Notes
DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the security appliance does not pass DHCP packets.
EIGRP | Protocol 88 | —
OSPF | Protocol 89 | —
Multicast streams | The UDP ports vary depending on the application. | Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2) | UDP port 520 | —

Adding an Extended ACE

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number.

To add an ACE, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Tip: Enter the access list name in upper case letters so the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).

Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section on page D-11.

Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.

You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section on page D-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

Use an operator to match port numbers used by the source or destination. The permitted operators are as follows:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this operator, specify two port numbers, for example: range 100 200

You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol, you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine (see the “Adding an ICMP Type Object Group” section on page 16-15). The ICMP inspection engine treats ICMP sessions as stateful connections. To control ping, specify echo-reply (0) (security appliance to host) or echo (8) (host to security appliance). See the “Adding an ICMP Type Object Group” section on page 16-15 for a list of ICMP types.

When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).

To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the inactive keyword. This feature lets you keep a record of an inactive ACE in your configuration to make reenabling easier.

To remove an ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

If the entry that you are removing is the only entry in the access list, the entire access list is removed.

See the following examples:

The following access list allows all hosts (on the interface to which you apply the access list) to go through the security appliance:
hostname(config)# access-list ACL_IN extended permit ip any any

The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any

If you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224

The following access list restricts all hosts (on the interface to which you apply the access list) from accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any

Adding an EtherType Access List

Transparent firewall mode only

This section describes how to add an EtherType access list, and includes the following sections:
• EtherType Access List Overview, page 16-8
• Adding an EtherType ACE, page 16-10

EtherType Access List Overview

An EtherType access list is made up of one or more ACEs that specify an EtherType. This section includes the following topics:
• Supported EtherTypes, page 16-8
• Implicit Permit of IP and ARPs Only, page 16-9
• Implicit and Explicit Deny ACE at the End of an Access List, page 16-9
• IPv6 Unsupported, page 16-9
• Using Extended and EtherType Access Lists on the Same Interface, page 16-9
• Allowing MPLS, page 16-9

Supported EtherTypes

An EtherType ACE controls any EtherType identified by a 16-bit hexadecimal number. EtherType access lists support Ethernet V2 frames. 802.3-formatted frames are not handled by the access list because they use a length field as opposed to a type field.
BPDUs, which are handled by the access list, are the only exception: they are SNAP-encapsulated, and the security appliance is designed to specifically handle BPDUs. The security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload, so the security appliance modifies the payload with the outgoing VLAN if you allow BPDUs.

Note: If you use failover, you must allow BPDUs on both interfaces with an EtherType access list to avoid bridging loops.

Implicit Permit of IP and ARPs Only

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list. ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. However, to allow any traffic with EtherTypes other than IPv4 and ARP, you need to apply an EtherType access list, even from a high security to a low security interface. Because EtherTypes are connectionless, you need to apply the access list to both interfaces if you want traffic to pass in both directions.

Implicit and Explicit Deny ACE at the End of an Access List

For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, then IP and ARP traffic is denied.

IPv6 Unsupported

EtherType ACEs do not allow IPv6 traffic, even if you specify the IPv6 EtherType.

Using Extended and EtherType Access Lists on the Same Interface

You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can also apply the same access lists on multiple interfaces.

Allowing MPLS

If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP connections are established through the security appliance by configuring both MPLS routers connected to the security appliance to use the IP address on the security appliance interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.)

On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force

Adding an EtherType ACE

To add an EtherType ACE, enter the following command:
hostname(config)# access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

The hex_number is any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. See RFC 1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list of EtherTypes.
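As an added illustration that is not part of this guide, the following Python model applies the rules from the EtherType Access List Overview (implicit permit of IPv4 and ARP, no IPv6, 802.3 length-field frames except BPDUs, and the effect of an explicit deny all) to constructed frames; the EtherType values assumed for the ipx and mpls keywords, the sample frames, and the pass/fail names are assumptions made for the example.

```python
"""Added example (not from the Cisco guide): how an EtherType access list on the
transparent firewall classifies a frame, following the rules in this section."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Keyword values assumed for this example: IPX 0x8137, MPLS unicast 0x8847,
# MPLS multicast 0x8848. BPDUs are SNAP-encapsulated and matched by flag instead.
KEYWORDS = {"ipx": 0x8137, "mpls-unicast": 0x8847, "mpls-multicast": 0x8848}
ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
Match = Union[str, int]          # "any", "bpdu" or a 16-bit EtherType


@dataclass
class Frame:
    type_or_length: int          # the 16-bit field after the MAC addresses
    bpdu: bool = False           # True for a SNAP-encapsulated spanning-tree BPDU


def parse_ethertype_ace(cmd: str) -> Tuple[str, str, Match]:
    """Parse 'access-list NAME ethertype {permit|deny} {ipx|bpdu|mpls-unicast|mpls-multicast|any|hex}'."""
    t = cmd.split("#", 1)[-1].split()
    assert t[0] == "access-list" and t[2] == "ethertype"
    name, action, sel = t[1], t[3], t[4]
    if sel in ("any", "bpdu"):
        return name, action, sel
    if sel in KEYWORDS:
        return name, action, KEYWORDS[sel]
    value = int(sel, 16)
    if value < 0x600:
        raise ValueError(f"hex_number must be >= 0x600, got {sel}")
    return name, action, value


def build(commands: List[str]) -> List[Tuple[str, Match]]:
    return [(action, match) for _, action, match in map(parse_ethertype_ace, commands)]


def _first_hit(acl: List[Tuple[str, Match]], f: Frame) -> Optional[str]:
    for action, match in acl:
        if match == "any" or (match == "bpdu" and f.bpdu) or match == f.type_or_length:
            return action
    return None


def classify(acl: List[Tuple[str, Match]], f: Frame, from_higher_security: bool,
             ip_permitted_by_extended_acl: bool = False) -> str:
    """Return 'permit', 'deny' or 'not-handled' for one frame on one interface."""
    # 802.3 frames carry a length (< 0x600) rather than a type and are not handled by
    # the EtherType list; SNAP-encapsulated BPDUs are the one exception.
    if f.type_or_length < 0x600 and not f.bpdu:
        return "not-handled"
    # IPv6 is never allowed by an EtherType ACE, even if 0x86DD is permitted.
    if f.type_or_length == ETH_IPV6:
        return "deny"
    hit = _first_hit(acl, f)
    if hit == "deny":
        return "deny"             # an explicit deny (including deny any) drops IPv4 and ARP too
    if f.type_or_length == ETH_ARP:
        return "permit"           # ARP passes both ways without an ACE (ARP inspection aside)
    if f.type_or_length == ETH_IPV4:
        # IPv4 is not decided by the EtherType list: it passes high-to-low by default,
        # otherwise it needs an extended access list.
        return "permit" if from_higher_security or ip_permitted_by_extended_acl else "deny"
    return "permit" if hit == "permit" else "deny"   # everything else: implicit deny


def demo() -> dict:
    """Constructed frames run through the second sample list in this section."""
    ether = build([
        "access-list ETHER ethertype deny ipx",
        "access-list ETHER ethertype permit 0x1234",
        "access-list ETHER ethertype permit bpdu",
        "access-list ETHER ethertype permit mpls-unicast",
    ])
    deny_all = build(["access-list BLOCK ethertype deny any"])
    return {
        "ipx": classify(ether, Frame(0x8137), True),
        "hex_1234": classify(ether, Frame(0x1234), False),
        "bpdu": classify(ether, Frame(0x0026, bpdu=True), False),
        "mpls_multicast": classify(ether, Frame(0x8848), True),      # not permitted: implicit deny
        "ipv4_high_to_low": classify(ether, Frame(ETH_IPV4), True),
        "ipv4_low_to_high": classify(ether, Frame(ETH_IPV4), False),
        "ipv4_low_to_high_with_acl": classify(ether, Frame(ETH_IPV4), False, True),
        "arp": classify(ether, Frame(ETH_ARP), False),
        "ipv6": classify(build(["access-list V6 ethertype permit 0x86DD"]), Frame(ETH_IPV6), True),
        "raw_8023": classify(ether, Frame(0x0040), True),
        "ipv4_under_deny_all": classify(deny_all, Frame(ETH_IPV4), True),
        "arp_under_deny_all": classify(deny_all, Frame(ETH_ARP), True),
    }
```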
To remove an ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration:
hostname(config)# no access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

To remove an EtherType ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration:
hostname(config)# no access-list access_list_name ethertype {permit | deny} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

Note: If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical protocol traffic, such as auto-negotiation, is still allowed.

When you enter the access-list command for a given access list name, the ACE is added to the end of the access list.

Tip: Enter the access_list_name in upper case letters so the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or for the purpose (for example, MPLS or IPX).

For example, the following sample access list allows common EtherTypes originating on the inside interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside

The following access list allows some EtherTypes through the security appliance, but denies IPX:
hostname(config)# access-list ETHER ethertype deny ipx
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside

The following access list denies traffic with EtherType 0x1256, but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 0x1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside

Adding a Standard Access List

Single context mode only

Standard access lists identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. The following command adds a standard ACE. To add another ACE at the end of the access list, enter another access-list command specifying the same access list name. Apply the access list as described in the “Defining Route Maps” section on page 9-7.
To add an ACE, enter the following command:
hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask}

To remove an ACE, enter the no access-list command with the entire command syntax string as it appears in the configuration:
hostname(config)# no access-list access_list_name standard {deny | permit} {any | ip_address mask}

The following sample access list identifies routes to 192.168.1.0/24:
hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0

Adding a Webtype Access List

To add an access list to the configuration that supports filtering for WebVPN, enter the following command:
hostname(config)# access-list access_list_name webtype {deny | permit} url [url_string | any]

To remove a Webtype access list, enter the no access-list command with the entire syntax string as it appears in the configuration:
hostname(config)# no access-list access_list_name webtype {deny | permit} url [url_string | any]

For information about logging options that you can add to the end of the ACE, see the “Logging Access List Activity” section on page 16-20.

Simplifying Access Lists with Object Grouping

This section describes how to use object grouping to simplify access list creation and maintenance. This section includes the following topics:
• How Object Grouping Works, page 16-12
• Adding Object Groups, page 16-12
• Nesting Object Groups, page 16-15
• Displaying Object Groups, page 16-17
• Removing Object Groups, page 16-17
• Using Object Groups with an Access List, page 16-16

How Object Grouping Works

By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:
• Protocol
• Network
• Service
• ICMP type

For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network
• TrustedHosts—Includes the host and network addresses allowed access to the greatest range of services and servers
• PublicServers—Includes the host addresses of servers to which the greatest access is provided

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups.

Note: The ACE system limit applies to expanded access lists. If you use object groups in ACEs, the number of actual ACEs that you enter is fewer, but the number of expanded ACEs is the same as without object groups. In many cases, object groups create more ACEs than if you added them manually, because creating ACEs manually leads you to summarize addresses more than an object group does. To view the number of expanded ACEs in an access list, enter the show access-list access_list_name command.

Adding Object Groups

This section describes how to add object groups. This section includes the following topics:
• Adding a Protocol Object Group, page 16-13
• Adding a Network Object Group, page 16-13
• Adding a Service Object Group, page 16-14
• Adding an ICMP Type Object Group, page 16-15

Adding a Protocol Object Group

To add or change a protocol object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

To add a protocol group, follow these steps:

Step 1 To add a protocol group, enter the following command:
hostname(config)# object-group protocol grp_id
The grp_id is a text string up to 64 characters in length. The prompt changes to protocol configuration mode.

Step 2 (Optional) To add a description, enter the following command:
hostname(config-protocol)# description text
The description can be up to 200 characters.

Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
The protocol is the numeric identifier of the specific IP protocol (1 to 254) or a keyword identifier (for example, icmp, tcp, or udp). To include all IP protocols, use the keyword ip. For a list of protocols you can specify, see the “Protocols and Applications” section on page D-11.

For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname(config)# object-group protocol tcp_udp_icmp
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object icmp

Adding a Network Object Group

To add or change a network object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.

Note: A network object group supports IPv4 and IPv6 addresses, depending on the type of access list. For more information about IPv6 access lists, see the “Configuring IPv6 Access Lists” section on page 12-6.
To add a network group, follow these steps:
Step 1 To add a network group, enter the following command:
hostname(config)# object-group network grp_id
The grp_id is a text string up to 64 characters in length. The prompt changes to network configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-network)# description text
The description can be up to 200 characters.
Step 3 To define the networks in the group, enter the following command for each network or address:
hostname(config-network)# network-object {host ip_address | ip_address mask}
For example, to create a network group that includes the IP addresses of three administrators, enter the following commands:
hostname(config)# object-group network admins
hostname(config-network)# description Administrator Addresses
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.34
Adding a Service Object Group
To add or change a service object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
To add a service group, follow these steps:
Step 1 To add a service group, enter the following command:
hostname(config)# object-group service grp_id {tcp | udp | tcp-udp}
The grp_id is a text string up to 64 characters in length. Specify the protocol for the services (ports) you want to add, using the tcp, udp, or tcp-udp keyword.
Enter the tcp-udp keyword if your service uses both TCP and UDP with the same port number, for example, DNS (port 53). The prompt changes to service configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-service)# description text
The description can be up to 200 characters.
Step 3 To define the ports in the group, enter the following command for each port or range of ports:
hostname(config-service)# port-object {eq port | range begin_port end_port}
For a list of permitted keywords and well-known port assignments, see the “Protocols and Applications” section on page D-11.
For example, to create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP), enter the following commands:
hostname(config)# object-group service services1 tcp-udp
hostname(config-service)# description DNS Group
hostname(config-service)# port-object eq domain
hostname(config-service)# object-group service services2 udp
hostname(config-service)# description RADIUS Group
hostname(config-service)# port-object eq radius
hostname(config-service)# port-object eq radius-acct
hostname(config-service)# object-group service services3 tcp
hostname(config-service)# description LDAP Group
hostname(config-service)# port-object eq ldap
Adding an ICMP Type Object Group
To add or change an ICMP type object group, follow these steps. After you add the group, you can add more objects as required by following this procedure again for the same group name and specifying additional objects. You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
To add an ICMP type group, follow these steps:
Step 1 To add an ICMP type group, enter the following command:
hostname(config)# object-group icmp-type grp_id
The grp_id is a text string up to 64 characters in length. The prompt changes to ICMP type configuration mode.
Step 2 (Optional) To add a description, enter the following command:
hostname(config-icmp-type)# description text
The description can be up to 200 characters.
Step 3 To define the ICMP types in the group, enter the following command for each type:
hostname(config-icmp-type)# icmp-object icmp_type
See the “ICMP Types” section on page D-15 for a list of ICMP types.
For example, to create an ICMP type group that includes echo-reply and echo (for controlling ping), enter the following commands:
hostname(config)# object-group icmp-type ping
hostname(config-icmp-type)# description Ping Group
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object echo-reply
Nesting Object Groups
To nest an object group within another object group of the same type, first create the group that you want to nest according to the “Adding Object Groups” section on page 16-12. Then follow these steps:
Step 1 To add or edit an object group under which you want to nest another object group, enter the following command:
hostname(config)# object-group {{protocol | network | icmp-type} grp_id | service grp_id {tcp | udp | tcp-udp}}
Step 2 To add the specified group under the object group you specified in Step 1, enter the following command:
hostname(config-group_type)# group-object grp_id
The nested group must be of the same type. You can mix and match nested group objects and regular objects within an object group.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
hostname(config-network)# network-object host 10.1.2.8
hostname(config-network)# network-object host 10.1.2.12
hostname(config-network)# object-group network finance
hostname(config-network)# network-object host 10.1.4.89
hostname(config-network)# network-object host 10.1.4.100
You then nest all three groups together as follows:
hostname(config)# object-group network admin
hostname(config-network)# group-object eng
hostname(config-network)# group-object hr
hostname(config-network)# group-object finance
You only need to specify the admin object group in your ACE as follows:
hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
Using Object Groups with an Access List
To use object groups in an access list, replace the normal protocol (protocol), network (source_address mask, etc.), service (operator port), or ICMP type (icmp_type) parameter with the object-group grp_id parameter. For example, to use object groups for all available parameters in the access-list {tcp | udp} command, enter the following command:
hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} {tcp | udp} object-group nw_grp_id [object-group svc_grp_id] object-group nw_grp_id [object-group svc_grp_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
You do not have to use object groups for all parameters; for example, you can use an object group for the source address, but identify the destination address with an address and mask.
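As an added example (not code from this guide), the following Python models the expansion described in the note at the start of this section: it resolves nested network and service groups and expands one object-group ACE into the individual ACEs, which is the count that show access-list reports against the ACE system limit. The group names and addresses are the ones from the nesting example above; the ObjectGroups class, the parser and its supported syntax are assumptions of this model.

```python
"""Expand object-group ACEs into the individual ACEs the appliance evaluates.

Added example, not code from the Cisco guide. It models the note earlier in
this section: object groups shorten what you type, but the expanded ACE count
that applies to the ACE system limit is the same as if you had entered every
combination by hand. Group names and addresses are the ones used in this
section's nesting example; the parser handles only the object-group, host,
any and address/mask forms shown in this section.
"""
from itertools import product


class ObjectGroups:
    """Network and service object groups; nesting is allowed only within one type."""

    def __init__(self):
        self.network = {}   # name -> entries such as "host 10.1.1.5" or "group-object eng"
        self.service = {}   # name -> entries such as "eq radius" or "range 1024 2048"

    def add_network(self, name, *entries):
        self.network.setdefault(name, []).extend(entries)

    def add_service(self, name, *entries):
        self.service.setdefault(name, []).extend(entries)

    def resolve(self, table, name, seen=()):
        """Flatten a group into leaf entries, following group-object nesting."""
        if name in seen:
            raise ValueError(f"object-group {name} is nested in itself")
        if name not in table:
            raise KeyError(f"object-group {name} is not defined")
        leaves = []
        for entry in table[name]:
            if entry.startswith("group-object "):
                leaves.extend(self.resolve(table, entry.split()[1], seen + (name,)))
            else:
                leaves.append(entry)
        return leaves


def _take_address(tokens, groups):
    """Consume one address parameter; return (leaf addresses, remaining tokens)."""
    if tokens[0] == "object-group":
        return groups.resolve(groups.network, tokens[1]), tokens[2:]
    if tokens[0] == "host":
        return [f"host {tokens[1]}"], tokens[2:]
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    return [f"{tokens[0]} {tokens[1]}"], tokens[2:]      # address mask


def _take_ports(tokens, groups):
    """Consume an optional port parameter (eq, range, or a service object-group)."""
    if tokens and tokens[0] == "object-group" and tokens[1] in groups.service:
        return groups.resolve(groups.service, tokens[1]), tokens[2:]
    if tokens and tokens[0] == "eq":
        return [f"eq {tokens[1]}"], tokens[2:]
    if tokens and tokens[0] == "range":
        return [f"range {tokens[1]} {tokens[2]}"], tokens[3:]
    return [""], tokens                                   # no port parameter here


def expand_ace(groups, ace):
    """Return the expanded ACEs for one 'access-list NAME extended ...' line."""
    tokens = ace.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError("expected: access-list NAME extended {deny|permit} PROTO ...")
    name, action, proto, rest = tokens[1], tokens[3], tokens[4], tokens[5:]
    sources, rest = _take_address(rest, groups)
    src_ports, rest = _take_ports(rest, groups)
    dests, rest = _take_address(rest, groups)
    dst_ports, rest = _take_ports(rest, groups)
    trailer = " ".join(rest)                # e.g. log, inactive, time-range
    expanded = []
    for src, sp, dst, dp in product(sources, src_ports, dests, dst_ports):
        parts = [f"access-list {name} extended {action} {proto}", src, sp, dst, dp, trailer]
        expanded.append(" ".join(p for p in parts if p))
    return expanded


def section_groups():
    """The eng/hr/finance groups nested into admin, as configured in this section."""
    g = ObjectGroups()
    g.add_network("eng", "host 10.1.1.5", "host 10.1.1.9", "host 10.1.1.89")
    g.add_network("hr", "host 10.1.2.8", "host 10.1.2.12")
    g.add_network("finance", "host 10.1.4.89", "host 10.1.4.100")
    g.add_network("admin", "group-object eng", "group-object hr", "group-object finance")
    return g


if __name__ == "__main__":
    groups = section_groups()
    ace = "access-list ACL_IN extended permit ip object-group admin host 209.165.201.29"
    for line in expand_ace(groups, ace):    # seven expanded ACEs
        print(line)
```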
The following normal access list that does not use object groups restricts several hosts on the inside network from accessing several web servers. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
If you make two network object groups, one for the inside hosts, and one for the web servers, then the configuration can be simplified and can be easily modified to add more hosts:
hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network web
hostname(config-network)# network-object host 209.165.201.29
hostname(config-network)# network-object host 209.165.201.16
hostname(config-network)# network-object host 209.165.201.78
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside
Displaying Object Groups
To display a list of the currently configured object groups, enter the following command:
hostname(config)# show object-group [protocol | network | service | icmp-type | id grp_id]
If you enter the command without any parameters, the system displays all configured object groups. The following is sample output from the show object-group command:
hostname# show object-group
object-group network ftp_servers
  description: This is a group of FTP servers
  network-object host 209.165.201.3
  network-object host 209.165.201.4
object-group network TrustedHosts
  network-object host 209.165.201.1
  network-object 192.168.1.0 255.255.255.0
  group-object ftp_servers
Removing Object Groups
To remove an object group, enter one of the following commands.
Note You cannot remove an object group or make an object group empty if it is used in an access list.
• To remove a specific object group, enter the following command:
hostname(config)# no object-group grp_id
• To remove all object groups of the specified type, enter the following command:
hostname(config)# clear object-group [protocol | network | services | icmp-type]
If you do not enter a type, all object groups are removed.
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, and standard access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
hostname(config)# access-list access_list_name remark text
If you enter the remark before any access-list command, then the remark is the first line in the access list. If you delete an access list using the no access-list access_list_name command, then all the remarks are also removed.
The text can be up to 100 characters in length. You can enter leading spaces at the beginning of the text. Trailing spaces are ignored.
For example, you can add remarks before each ACE, and the remark appears in the access list in this location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.
hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT remark - this is the hr admin address
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
Scheduling Extended Access List Activation
You can schedule each ACE to be activated at specific times of the day and week by applying a time range to the ACE. This section includes the following topics:
• Adding a Time Range, page 16-18
• Applying the Time Range to an ACE, page 16-19
Adding a Time Range
To add a time range to implement a time-based access list, perform the following steps:
Step 1 Identify the time-range name by entering the following command:
hostname(config)# time-range name
Step 2 Specify the time range as either a recurring time range or an absolute time range.
Note Users could experience a delay of approximately 80 to 100 seconds after the specified end time for the ACL to become inactive. For example, if the specified end time is 3:50, because the end time is inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the command is picked up, the security appliance finishes any currently running task and then services the command to deactivate the ACL.
Multiple periodic entries are allowed per time-range command. If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
• Recurring time range:
hostname(config-time-range)# periodic days-of-the-week time to [days-of-the-week] time
You can specify the following values for days-of-the-week:
– monday, tuesday, wednesday, thursday, friday, saturday, and sunday
– daily
– weekdays
– weekend
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
• Absolute time range:
hostname(config-time-range)# absolute start time date [end time date]
The time is in the format hh:mm. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m. The date is in the format day month year; for example, 1 january 2006.
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006. Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays:
hostname(config)# time-range workinghours
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
Applying the Time Range to an ACE
To apply the time range to an ACE, use the following command:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[time-range name]
See the “Adding an Extended Access List” section on page 16-5 for complete access-list command syntax.
Note If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
The following example binds an access list named “Sales” to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute
Logging Access List Activity
This section describes how to configure access list logging for extended access lists and Webtype access lists. This section includes the following topics:
• Access List Logging Overview, page 16-20
• Configuring Logging for an Access Control Entry, page 16-21
• Managing Deny Flows, page 16-22
Access List Logging Overview
By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance generates system message 106023 for each denied packet, in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the security appliance is attacked, the number of system messages for denied packets can be very large. We recommend that you instead enable logging using system message 106100, which provides statistics for each ACE and lets you limit the number of system messages produced.
Alternatively, you can disable all logging.
Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as follows.
hostname(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command let you set the following behavior:
• Enable message 106100 instead of message 106023
• Disable all logging
• Return to the default logging using message 106023
System message 106100 is in the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
When you enable logging for message 106100, if a packet matches an ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval. The security appliance generates a system message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. See the “Managing Deny Flows” section on page 16-22 to limit the number of logging flows.
Permitted packets that belong to established connections do not need to be checked against access lists; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged.
See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed information about this system message.
Configuring Logging for an Access Control Entry
To configure logging for an ACE, see the following information about the log option:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[log [[level] [interval secs] | disable | default]]
See the “Adding an Extended Access List” section on page 16-5 and the “Adding a Webtype Access List” section on page 16-11 for complete access-list command syntax.
If you enter the log option without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:
• level—A severity level between 0 and 7. The default is 6.
• interval secs—The time interval in seconds between system messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.
• disable—Disables all access list logging.
• default—Enables logging to message 106023. This setting is the same as having no log option.
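As an added example, not Cisco code, the following Python models the 106100 flow logging described above (first-hit message, per-interval hit count that is reported and reset, deletion of a flow with no hits in an interval) together with the deny-flow limit and 106101 alert from the “Managing Deny Flows” section. The AceLogger and Flow types, the per-logger deny-flow accounting and the second-based timestamps are assumptions of this model; the message text follows the formats quoted in this section.

```python
"""Model of per-ACE logging with system message 106100.

Added example, not Cisco code. It reproduces the behaviour described in this
section: a flow entry keyed by protocol, addresses and ports; a "first hit"
message; a hit count reported and reset at the end of each interval; deletion
of a flow that saw no packets in an interval; and the deny-flow limit with its
106101 alert from the "Managing Deny Flows" section. Times are seconds. The
deny-flow limit is per context on the appliance; this model tracks it per
logger. Message text follows the formats quoted in this section.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "proto src_if src sport dst_if dst dport")


class AceLogger:
    """Logging state for one ACE configured with the log option."""

    def __init__(self, acl, action, level=6, interval=300,
                 deny_flow_max=4096, alert_interval=300):
        self.acl, self.action, self.level = acl, action, level   # action: permitted|denied
        self.interval = interval                 # log ... interval secs (default 300)
        self.deny_flow_max = deny_flow_max       # access-list deny-flow-max (default 4096)
        self.alert_interval = alert_interval     # access-list alert-interval (default 300)
        self.flows = {}                          # Flow -> {"hits": n, "start": ts}
        self.last_alert = None

    def _msg(self, flow, hits, suffix):
        return (f"%ASA-{self.level}-106100: access-list {self.acl} {self.action} "
                f"{flow.proto} {flow.src_if}/{flow.src}({flow.sport}) -> "
                f"{flow.dst_if}/{flow.dst}({flow.dport}) hit-cnt {hits} ({suffix})")

    def expire(self, ts):
        """Close every interval that has ended by ts: report and reset, or delete an idle flow."""
        msgs = []
        for flow, state in list(self.flows.items()):
            while ts - state["start"] >= self.interval:
                if state["hits"] == 0:           # no packets during the interval
                    del self.flows[flow]
                    break
                msgs.append(self._msg(flow, state["hits"], f"{self.interval}-second interval"))
                state["hits"] = 0                # hit count resets at the end of each interval
                state["start"] += self.interval
        return msgs

    def packet(self, ts, flow):
        """Record a packet that matched this ACE; return any messages generated now.

        Only connection-initiating packets are passed in: packets of an established
        connection are not checked against the access list and are not counted.
        """
        msgs = self.expire(ts)
        if flow in self.flows:
            self.flows[flow]["hits"] += 1
            return msgs
        if self.action == "denied" and len(self.flows) >= self.deny_flow_max:
            # Limit reached: no new deny flow until existing ones expire; alert at most
            # once per alert interval.
            if self.last_alert is None or ts - self.last_alert >= self.alert_interval:
                self.last_alert = ts
                msgs.append("%ASA-1-106101: The number of ACL log deny-flows has "
                            f"reached limit ({self.deny_flow_max}).")
            return msgs
        self.flows[flow] = {"hits": 1, "start": ts}
        msgs.append(self._msg(flow, 1, "first hit"))
        return msgs


if __name__ == "__main__":
    # The ACE "permit ip host 1.1.1.1 any log 7 interval 600" from this section,
    # with a second connection from the same host inside the 10 minute interval.
    permit = AceLogger("outside-acl", "permitted", level=7, interval=600)
    conn = Flow("tcp", "outside", "1.1.1.1", 12345, "inside", "192.168.1.1", 1357)
    for m in permit.packet(0, conn) + permit.packet(120, conn) + permit.expire(600):
        print(m)
```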
For example, you configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 2.2.2.2 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
When a packet is permitted by the first ACE of outside-acl, the security appliance generates the following system message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the access list, and the hit count does not increase. If one more connection by the same host is initiated within the specified 10 minute interval (and the source and destination ports remain the same), then the hit count is incremented by 1 and the following message is displayed at the end of the 10 minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)
When a packet is denied by the third ACE, the security appliance generates the following system message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
20 additional attempts within a 5 minute interval (the default) result in the following message at the end of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
Managing Deny Flows
When you enable logging for message 106100, if a packet matches an ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval. The security appliance has a maximum of 32 K logging flows for ACEs. A large number of flows can exist concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the security appliance places a limit on the number of concurrent deny flows; the limit is placed only on deny flows (and not permit flows) because they can indicate an attack. When the limit is reached, the security appliance does not create a new deny flow for logging until the existing flows expire.
For example, if someone initiates a DoS attack, the security appliance can create a large number of deny flows in a short period of time. Restricting the number of deny flows prevents unlimited consumption of memory and CPU resources.
When you reach the maximum number of deny flows, the security appliance issues the following system message:
%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
To configure the maximum number of deny flows and to set the interval between deny flow alert messages (106101), enter the following commands:
• To set the maximum number of deny flows permitted per context before the security appliance stops logging, enter the following command:
hostname(config)# access-list deny-flow-max number
The number is between 1 and 4096. 4096 is the default.
• To set the amount of time between system messages (number 106101) that identify that the maximum number of deny flows was reached, enter the following command:
hostname(config)# access-list alert-interval secs
The seconds are between 1 and 3600. 300 is the default.
Chapter 17 Applying NAT
This chapter describes Network Address Translation (NAT). In routed firewall mode, the security appliance can perform NAT between each network.
Note In transparent firewall mode, the security appliance does not support NAT.
This chapter contains the following sections:
• NAT Overview, page 17-1
• Configuring NAT Control, page 17-16
• Using Dynamic NAT and PAT, page 17-17
• Using Static NAT, page 17-26
• Using Static PAT, page 17-27
• Bypassing NAT, page 17-29
• NAT Examples, page 17-33
NAT Overview
This section describes how NAT works on the security appliance, and includes the following topics:
• Introduction to NAT, page 17-2
• NAT Control, page 17-3
• NAT Types, page 17-5
• Policy NAT, page 17-9
• NAT and Same Security Level Interfaces, page 17-13
• Order of NAT Commands Used to Match Real Addresses, page 17-14
• Mapped Address Guidelines, page 17-14
• DNS and NAT, page 17-14
Introduction to NAT
Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT is comprised of two steps: the process in which a real address is translated into a mapped address, and then the process to undo translation for returning traffic.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. (See the “Security Level Overview” section on page 7-1 for more information about security levels, and see the “NAT Control” section on page 17-3 for more information about NAT control.)
Note In this document, all types of translation are generally referred to as NAT.
When discussing NAT, the terms inside and outside are relative, and represent the security relationship between any two interfaces.
The higher security level is inside and the lower security level is outside; for example, interface 1 is at 60 and interface 2 is at 50, so interface 1 is “inside” and interface 2 is “outside.”
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet. (See the “Private Networks” section on page D-2 for more information.)
• NAT hides the real addresses from other networks, so attackers cannot learn the real address of a host.
• You can resolve IP routing problems such as overlapping addresses.
See Table 25-1 on page 25-3 for information about protocols that do not support NAT.
Figure 17-1 shows a typical NAT scenario, with a private network on the inside. When the inside host at 10.1.2.27 sends a packet to a web server, the real source address, 10.1.2.27, of the packet is changed to a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the security appliance receives the packet. The security appliance then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.2.27, before sending it on to the host.
Figure 17-1 NAT Example
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address (see Figure 17-2).
Figure 17-2 NAT Control and Outbound Traffic
Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule (see Figure 17-3).
Figure 17-3 NAT Control and Same Security Traffic
Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface (see Figure 17-4).
Figure 17-4 NAT Control and Inbound Traffic
Static NAT does not cause these restrictions.
By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more information on how dynamic NAT is applied.
If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT rule on those addresses. (See the “Bypassing NAT” section on page 17-29 for more information.)
To configure NAT control, see the “Configuring NAT Control” section on page 17-16.
Note In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to contexts if you do not enable unique MAC addresses for shared interfaces. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more information about the relationship between the classifier and NAT.
NAT Types
This section describes the available NAT types. You can implement address translation as dynamic NAT, Port Address Translation, static NAT, or static PAT, or as a mix of these types. You can also configure rules to bypass NAT, for example, if you enable NAT control but do not want to perform NAT. This section includes the following topics:
• Dynamic NAT, page 17-5
• PAT, page 17-7
• Static NAT, page 17-7
• Static PAT, page 17-8
• Bypassing NAT When NAT Control is Enabled, page 17-9
Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command in the Cisco Security Appliance Command Reference).
Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly. See the following “Static NAT” or “Static PAT” sections for reliable access to hosts.
Note In some cases, a translation is added for a connection (see the show xlate command) even though the session is denied by the security appliance. This condition occurs with an outbound access list, a management-only interface, or a backup interface. The translation times out normally.
Figure 17-5 shows a remote host attempting to connect to the real address. The connection is denied because the security appliance only allows returning connections to the mapped address.
Figure 17-5 Remote Host Attempts to Connect to the Real Address
Figure 17-6 shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table, so the security appliance drops the packet.
Figure 17-6 Remote Host Attempts to Initiate a Connection to a Mapped Address
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access list allows it. Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the access list.
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected. Use PAT if this event occurs often, because PAT provides over 64,000 translations using the ports of a single address.
• You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications. See the "When to Use Application Protocol Inspection" section on page 25-2 for more information about NAT and PAT support.

PAT

PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (the real socket) to the mapped address and a unique port above 1024 (the mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026. After the connection expires, the port translation also expires, after 30 seconds of inactivity. This timeout is not configurable.
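The translation-table behaviour described in the "Dynamic NAT" and "PAT" sections above, as an added Python model written for this page (it is not appliance code). A translation is created only when the real host initiates, the same real host keeps one mapped address for the life of its dynamic NAT translation, PAT allocates a unique mapped port above 1024 per real socket once the pool is empty, an inbound connection to a real address is rejected, and an inbound connection to a mapped address is untranslated only while a translation exists. Addresses follow the chapter's figures; the two-address pool, the PAT backup address, the 3-hour dynamic NAT idle timeout and the sequential port allocator are assumptions made for the illustration.

```python
"""Added model of dynamic NAT and PAT translation-table (xlate) behaviour.
Not appliance code.  Pool size, PAT address, the 3-hour dynamic NAT idle
timeout and the sequential PAT port allocator are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PAT_IDLE_TIMEOUT = 30      # seconds; the chapter states this value is fixed
PAT_FIRST_PORT = 1024      # PAT uses a unique mapped port above 1024


@dataclass
class Xlate:
    real_ip: str
    real_port: Optional[int]      # None: address-only (dynamic NAT) translation
    mapped_ip: str
    mapped_port: Optional[int]
    expires_at: float


class DynamicTranslator:
    """Dynamic NAT from a mapped pool, with PAT on one address once the pool is empty."""

    def __init__(self, real_network, nat_pool, pat_address, nat_idle_timeout=3 * 3600):
        self.real_network = ipaddress.ip_network(real_network)
        self.free_pool = list(nat_pool)            # dynamic NAT global addresses
        self.pat_address = pat_address             # PAT global address (backup)
        self.nat_idle_timeout = nat_idle_timeout   # assumed 'timeout xlate 3:00:00'
        self.by_real = {}                          # (real_ip, real_port|None) -> Xlate
        self.by_mapped = {}                        # (mapped_ip, mapped_port|None) -> Xlate

    def _expire(self, now):
        """Drop idle translations; a freed dynamic NAT address returns to the pool."""
        for key, x in list(self.by_real.items()):
            if x.expires_at <= now:
                del self.by_real[key]
                del self.by_mapped[(x.mapped_ip, x.mapped_port)]
                if x.mapped_port is None:
                    self.free_pool.append(x.mapped_ip)

    def _free_pat_port(self):
        port = PAT_FIRST_PORT
        while (self.pat_address, port) in self.by_mapped:
            port += 1
        if port > 65535:
            raise RuntimeError("PAT ports on %s exhausted" % self.pat_address)
        return port

    def outbound(self, real_ip, real_port, now) -> Tuple[str, int]:
        """A real host initiates a connection: create or refresh its translation."""
        self._expire(now)
        x = self.by_real.get((real_ip, None))
        if x is None and self.free_pool:           # dynamic NAT: one xlate per real host
            x = Xlate(real_ip, None, self.free_pool.pop(0), None, 0.0)
            self.by_real[(real_ip, None)] = x
            self.by_mapped[(x.mapped_ip, None)] = x
        if x is not None:
            x.expires_at = now + self.nat_idle_timeout
            return x.mapped_ip, real_port           # source port is kept
        # pool depleted: fall back to PAT, one xlate per real socket
        x = self.by_real.get((real_ip, real_port))
        if x is None:
            x = Xlate(real_ip, real_port, self.pat_address, self._free_pat_port(), 0.0)
            self.by_real[(real_ip, real_port)] = x
            self.by_mapped[(x.mapped_ip, x.mapped_port)] = x
        x.expires_at = now + PAT_IDLE_TIMEOUT
        return x.mapped_ip, x.mapped_port

    def inbound(self, dst_ip, dst_port, now):
        """A remote host initiates towards dst_ip:dst_port.  Only a live translation
        for a mapped socket can be untranslated (an access list must still permit it)."""
        self._expire(now)
        if ipaddress.ip_address(dst_ip) in self.real_network:
            return ("dropped", "connection to a real address is rejected")
        x = self.by_mapped.get((dst_ip, dst_port)) or self.by_mapped.get((dst_ip, None))
        if x is None:
            return ("dropped", "no translation in the table for this mapped address")
        real_port = dst_port if x.real_port is None else x.real_port
        return ("translated", x.real_ip, real_port)


if __name__ == "__main__":
    # Constructed scenario: a two-address pool plus a PAT backup address.
    t = DynamicTranslator("10.1.2.0/24", ["209.165.201.3", "209.165.201.4"], "209.165.201.5")
    for host, port in [("10.1.2.27", 1025), ("10.1.2.28", 1025), ("10.1.2.29", 1025)]:
        print(host, port, "->", t.outbound(host, port, now=0))
    print(t.inbound("209.165.201.3", 22, now=1))      # live dynamic NAT xlate
    print(t.inbound("209.165.201.5", 1024, now=100))  # PAT xlate gone after 30 s idle
```

The third host gets the PAT address because the two-address pool is already taken, and its translation disappears 30 seconds after it goes idle, whereas the dynamic NAT translations live for the assumed 3-hour xlate timeout and then return their addresses to the pool.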
Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or mapped port number of the host, but the security appliance does not create a translation at all unless the translated host is the initiator. See the following "Static NAT" or "Static PAT" sections for reliable access to hosts.

PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the security appliance interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path. See the "When to Use Application Protocol Inspection" section on page 25-2 for more information about NAT and PAT support.

Note
For the duration of the translation, a remote host can initiate a connection to the translated host if an access list allows it. Because the port (both real and mapped) is unpredictable, such a connection is unlikely. Nevertheless, in this case you rely on the security of the access list. Note that policy PAT does not support time-based ACLs.

Static NAT

Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there is an access list that allows it). The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if there is an access list that allows it), while dynamic NAT does not.
You also need an equal number of mapped addresses as real addresses with static NAT.

Static PAT

Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses. This feature lets you use the same mapped address across many different static statements, so long as the port is different for each statement (you cannot use the same mapped address for multiple static NAT statements). For applications that require application inspection for secondary channels (FTP, VoIP, and so on), the security appliance automatically translates the secondary ports.

For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify a static PAT statement for each server that uses the same mapped IP address but a different port (see Figure 17-7).

Figure 17-7 Static PAT

See the following commands for this example:
hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255

You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For example, if your inside web servers use port 8080, you can allow outside users to connect to port 80, and then undo translation to the original port 8080. Similarly, if you want to make the service less obvious, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80. A non-standard port is not an access control, however: it only hides the service from casual probing, so still restrict the mapped address and port with the interface access list.
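The static PAT rules above (one mapped address shared across several static statements as long as the protocol and port differ, no sharing of a mapped address between static NAT statements, and the inbound "undo translation") as an added Python model written for this page; it is not appliance code. The FTP, HTTP and SMTP statements are the ones from Figure 17-7; the 80-to-8080 statement and the conflicting statements are constructed to exercise the checks.

```python
"""Added model of a static NAT / static PAT table.  Not appliance code.
The 209.165.201.4 port-redirection line and the conflict cases are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"ftp": 21, "http": 80, "www": 80, "smtp": 25, "telnet": 23, "https": 443}


@dataclass(frozen=True)
class StaticRule:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None        # 'tcp' or 'udp' for static PAT, None for static NAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_static(line: str) -> StaticRule:
    """Parse 'static (real_if,mapped_if) [tcp|udp] mapped_ip [mport] real_ip [rport] netmask ...'."""
    t = line.split()
    if t[0] != "static":
        raise ValueError("not a static statement: %r" % line)
    real_if, mapped_if = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):
        return StaticRule(real_if, mapped_if, t[3], t[5], t[2], _port(t[4]), _port(t[6]))
    return StaticRule(real_if, mapped_if, t[2], t[3])


class StaticTable:
    def __init__(self):
        self.rules = []

    def add(self, line: str) -> StaticRule:
        """Accept a static statement unless it collides with an existing one."""
        rule = parse_static(line)
        for other in self.rules:
            if (other.mapped_if, other.mapped_ip) != (rule.mapped_if, rule.mapped_ip):
                continue
            if rule.proto is None or other.proto is None:
                raise ValueError("mapped address %s on %s cannot be shared between static NAT "
                                 "and another static statement" % (rule.mapped_ip, rule.mapped_if))
            if (other.proto, other.mapped_port) == (rule.proto, rule.mapped_port):
                raise ValueError("%s/%d on %s is already mapped to %s"
                                 % (rule.proto, rule.mapped_port, rule.mapped_ip, other.real_ip))
        self.rules.append(rule)
        return rule

    def undo(self, mapped_if: str, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Inbound on mapped_if: the translation is persistent, so a remote host may
        initiate.  Returns the real socket, or None when no static rule applies.
        The interface access list still has to permit the connection."""
        for r in self.rules:
            if r.mapped_if != mapped_if or r.mapped_ip != dst_ip:
                continue
            if r.proto is None:
                return (r.real_ip, dst_port)            # static NAT: port unchanged
            if r.proto == proto and r.mapped_port == dst_port:
                return (r.real_ip, r.real_port)         # static PAT: port may be rewritten
        return None


if __name__ == "__main__":
    table = StaticTable()
    for line in [
        "static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255",
        "static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255",
        "static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255",
        "static (inside,outside) tcp 209.165.201.4 80 10.1.2.30 8080 netmask 255.255.255.255",  # constructed
    ]:
        table.add(line)
    print(table.undo("outside", "tcp", "209.165.201.3", 25))   # -> ('10.1.2.29', 25)
    print(table.undo("outside", "tcp", "209.165.201.4", 80))   # -> ('10.1.2.30', 8080)
```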
Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT (see the "When to Use Application Protocol Inspection" section on page 25-2 for information about inspection engines that do not support NAT).

You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility with inspection engines. However, each method offers slightly different capabilities, as follows:
• Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists. For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
• Static identity NAT (static command)—Static identity NAT lets you specify the interface on which you want to allow the real addresses to appear, so you can use identity NAT when you access interface A, and use regular translation when you access interface B. Static identity NAT also lets you use policy NAT, which identifies the real and destination addresses when determining the real addresses to translate (see the "Policy NAT" section on page 17-9 for more information about policy NAT). For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B.
• NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. Unlike policy NAT, however, NAT exemption does not consider the ports in the access list.

Policy NAT

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.

Note
Policy NAT does not support time-based ACLs.
When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, and so on), the security appliance automatically translates the secondary ports.

Note
All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to identify the real addresses, but differs from policy NAT in that the ports are not considered. See the "Bypassing NAT" section on page 17-29 for other differences. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.

Figure 17-8 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host appears to be on the same network as the servers, which can help with routing.

Figure 17-8 Policy NAT with Different Destination Addresses

See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
Figure 17-9 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130.

Figure 17-9 Policy NAT with Different Destination Ports

See the following commands for this example:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130

For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts that are allowed to connect to the host using this translation.

Figure 17-10 shows a remote host connecting to a translated host.
The translated host has a policy static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.

Figure 17-10 Policy Static NAT with Destination Address Translation

See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1

Note
For policy static NAT, in undoing the translation, the ACL in the static command is not used. If the destination address in the packet matches the mapped address in the static rule, the static rule is used to untranslate the address.

Note
Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the "When to Use Application Protocol Inspection" section on page 25-2 for information about NAT support for other protocols.

You cannot use policy static NAT to translate different real addresses to the same mapped address. For example, Figure 17-11 shows two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to 209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, the connection should go to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address, 209.165.200.225, you want the connection to go to 10.1.1.2. However, only one source address in the access list can be used. Because the first ACE is for 10.1.1.1, all inbound connections sourced from 209.165.201.1 or 209.165.201.2 and destined to 209.165.200.225 have their destination address translated to 10.1.1.1.
Figure 17-11 Real Addresses Cannot Share the Same Mapped Address

See the following commands for this example. (Although the second ACE in the example does allow 209.165.201.2 to connect to 209.165.200.225, it only allows 209.165.200.225 to be translated to 10.1.1.1.)
hostname(config)# access-list policy-nat permit ip host 10.1.1.1 host 209.165.201.1
hostname(config)# access-list policy-nat permit ip host 10.1.1.2 host 209.165.201.2
hostname(config)# static (in,out) 209.165.200.225 access-list policy-nat

NAT and Same Security Level Interfaces

NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See the "NAT Control" section on page 17-3 for more information. Also, when you specify a group of IP address(es) for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected. See the "Allowing Communication Between Interfaces on the Same Security Level" section on page 7-6 to enable same security communication.

Note
The security appliance does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323. See the "When to Use Application Protocol Inspection" section on page 25-2 for supported inspection engines.
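The matching order that the next section, "Order of NAT Commands Used to Match Real Addresses", lays out, as an added Python model written for this page (not appliance code): NAT exemption, then static rules, then policy dynamic NAT, each taken by first match in configuration order, and finally regular dynamic NAT chosen by best (longest-prefix) match regardless of position. It also applies two details from the "Bypassing NAT" and "Policy NAT" sections: NAT exemption ignores the ports in its access list, while policy NAT honours them. The rule set is constructed from the chapter's own example commands, with the categories deliberately interleaved so that position in the configuration visibly does not decide.

```python
"""Added model of the order in which real addresses are matched to NAT commands.
Not appliance code; the RULES list is constructed from the chapter's examples."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ORDER = ("exempt", "static", "policy_dynamic", "regular_dynamic")


@dataclass
class Ace:
    proto: str                     # 'ip', 'tcp' or 'udp'
    src: str                       # CIDR
    dst: str                       # CIDR
    dst_port: Optional[int] = None

    def matches(self, proto, src_ip, dst_ip, dst_port, ignore_port=False):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return ignore_port or self.dst_port is None or self.dst_port == dst_port


@dataclass
class NatRule:
    kind: str                                      # one of ORDER
    interface: str                                 # real interface
    name: str                                      # configuration line, for reporting
    acl: List[Ace] = field(default_factory=list)   # exemption / policy rules
    real_net: Optional[str] = None                 # regular static / regular dynamic


def select_rule(rules, interface, proto, src_ip, dst_ip, dst_port) -> Optional[NatRule]:
    """Return the NAT command applied to traffic from src_ip entering 'interface'."""
    src = ipaddress.ip_address(src_ip)
    for kind in ORDER:
        candidates = [r for r in rules if r.kind == kind and r.interface == interface]
        if kind == "regular_dynamic":          # best match; configuration order is irrelevant
            best = None
            for r in candidates:
                net = ipaddress.ip_network(r.real_net)
                if src in net and (best is None or net.prefixlen > ipaddress.ip_network(best.real_net).prefixlen):
                    best = r
            if best is not None:
                return best
            continue
        for r in candidates:                   # first match in configuration order
            if r.acl:
                # NAT exemption ignores ports in its ACL; policy NAT honours them
                ignore = kind == "exempt"
                if any(a.matches(proto, src_ip, dst_ip, dst_port, ignore_port=ignore) for a in r.acl):
                    return r
            elif r.real_net is not None and src in ipaddress.ip_network(r.real_net):
                return r
    return None


# Constructed configuration: the static line precedes the exemption line and the
# catch-all dynamic rule precedes the /32 one, to show that category and best
# match, not position, decide.
RULES = [
    NatRule("regular_dynamic", "inside", "nat (inside) 1 0.0.0.0 0.0.0.0", real_net="0.0.0.0/0"),
    NatRule("static", "inside", "static (inside,outside) 209.165.201.10 10.1.2.27", real_net="10.1.2.27/32"),
    NatRule("policy_dynamic", "inside", "nat (inside) 3 access-list WEB",
            acl=[Ace("tcp", "10.1.2.0/24", "209.165.201.11/32", 80)]),
    NatRule("exempt", "inside", "nat (inside) 0 access-list EXEMPT",
            acl=[Ace("tcp", "10.1.2.0/24", "192.168.100.0/24", 443)]),
    NatRule("regular_dynamic", "inside", "nat (inside) 2 10.1.1.1 255.255.255.255", real_net="10.1.1.1/32"),
]


def which(proto, src_ip, dst_ip, dst_port, interface="inside") -> Optional[str]:
    """Name of the rule RULES selects for one flow, or None if nothing applies."""
    r = select_rule(RULES, interface, proto, src_ip, dst_ip, dst_port)
    return None if r is None else r.name


if __name__ == "__main__":
    for flow in [("tcp", "10.1.2.27", "192.168.100.5", 22), ("tcp", "10.1.2.27", "209.165.201.11", 80),
                 ("tcp", "10.1.2.28", "209.165.201.11", 80), ("tcp", "10.1.1.1", "209.165.201.11", 23)]:
        print(flow, "->", which(*flow))
```

Note that 10.1.2.27 bound for 209.165.201.11:80 is handled by the static rule even though the policy NAT access list WEB also matches it, and that 10.1.2.27 bound for 192.168.100.5:22 is exempted although the EXEMPT access list names port 443.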
Order of NAT Commands Used to Match Real Addresses

The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

Mapped Address Guidelines

When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the security appliance), the security appliance uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a mapped address. This solution simplifies routing, because the security appliance does not have to be the gateway for any additional networks. However, this approach does put a limit on the number of available addresses used for translations. For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network. If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The security appliance uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a mapped address. If you use OSPF, and you advertise routes on the mapped interface, then the security appliance advertises the mapped addresses. If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the security appliance.

DNS and NAT

You might need to configure the security appliance to modify DNS replies by replacing the address in the reply with an address that matches the NAT configuration. You can configure DNS modification when you configure each translation. For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see Figure 17-12).
In this case, you want to enable DNS reply modification on this static statement so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.

Figure 17-12 DNS Reply Modification

See the following command for this example:
hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 dns

Note
If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.

Figure 17-13 shows a web server and DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.
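The DNS reply modification that the dns keyword performs, for both cases on this page (the inside server of Figure 17-12 and the outside NAT case of Figure 17-13 whose static command follows), as an added Python example written for this page; it is not appliance code. The A record in a reply carries the address that is valid on the DNS server's interface, and the rewrite replaces it with the address valid on the client's interface, which also covers the DMZ client of the Note above. The two static statements are the chapter's; the DNS message, the interface names and the parser are constructed for the demonstration (a DNS query with the QR bit clear is left untouched).

```python
"""Added example of DNS reply modification for static translations with 'dns'.
Not appliance code.  The DNS message below is constructed for the demonstration."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticDns:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


def parse_static_dns(line: str) -> StaticDns:
    """Parse 'static (real_if,mapped_if) mapped_ip real_ip netmask <mask> dns'."""
    t = line.split()
    if t[0] != "static" or t[-1] != "dns":
        raise ValueError("expected a static statement ending in 'dns': %r" % line)
    real_if, mapped_if = t[1].strip("()").split(",")
    return StaticDns(real_if, mapped_if, t[2], t[3])


def translate_for_client(addr, rules, server_if, client_if) -> Optional[str]:
    """Address to put in the reply for a client on client_if, or None to leave it."""
    for r in rules:
        if server_if == r.mapped_if and client_if != r.mapped_if and addr == r.mapped_ip:
            return r.real_ip        # Figure 17-12: inside (and DMZ) clients get the real address
        if server_if == r.real_if and client_if != r.real_if and addr == r.real_ip:
            return r.mapped_ip      # Figure 17-13 (outside NAT): clients get the mapped address
    return None


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _records(msg: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlength) for every resource record."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def rewrite_dns_reply(msg: bytes, rules, server_if: str, client_if: str) -> bytes:
    """Return a copy of the reply with IN A addresses rewritten per the rules."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:                            # QR clear: a query, leave it alone
        return bytes(msg)
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in _records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A
            addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
            new = translate_for_client(addr, rules, server_if, client_if)
            if new is not None:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
    return bytes(out)


def answer_addresses(msg: bytes) -> List[str]:
    """IN A addresses carried in a DNS message, in order."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for off, rtype, rclass, rdlen in _records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def build_a_reply(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question and one A answer using a name pointer."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

The same reply bytes (209.165.201.10 for ftp.cisco.com from the outside DNS server) come out as 10.1.3.14 under the Figure 17-12 statement and as 10.1.2.56 under the Figure 17-13 statement, because the direction of the static decides which side of the translation the client must see.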
Figure 17-13 DNS Reply Modification Using Outside NAT

See the following command for this example:
hostname(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255 dns

Configuring NAT Control

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule. See the "NAT Control" section on page 17-3 for more information. To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.

Using Dynamic NAT and PAT

This section describes how to configure dynamic NAT and PAT, and includes the following topics:
• Dynamic NAT and PAT Implementation, page 17-17
• Configuring Dynamic NAT or PAT, page 17-23

Dynamic NAT and PAT Implementation

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command (see Figure 17-14).
Figure 17-14 nat and global ID Matching

See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10

You can enter a nat command for each interface using the same NAT ID; they all use the same global command when traffic exits a given interface. For example, you can configure nat commands for the Inside and DMZ interfaces, both on NAT ID 1. Then you configure a global command on the Outside interface that is also on ID 1. Traffic from the Inside interface and the DMZ interface share a mapped pool or a PAT address when exiting the Outside interface (see Figure 17-15).

Figure 17-15 nat Commands on Multiple Interfaces

See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10

You can also enter a global command for each interface using the same NAT ID. If you enter a global command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat command for the DMZ interface on ID 1, then the global command on the Outside interface is also used for DMZ traffic.
(See Figure 17-16.)

Figure 17-16 global and nat Commands on Multiple Interfaces

See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23

If you use different NAT IDs, you can identify different sets of real addresses to have different mapped addresses. For example, on the Inside interface, you can have two nat commands on two different NAT IDs. On the Outside interface, you configure two global commands for these two IDs. Then, when traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A addresses, while traffic from Inside network B is translated to pool B addresses (see Figure 17-17). If you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.

Figure 17-17 Different NAT IDs

See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 2 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (outside) 2 209.165.201.11

You can enter multiple global commands for one interface using the same NAT ID; the security appliance uses the dynamic NAT global commands first, in the order they appear in the configuration, and then uses the PAT global commands in order.
You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application, but want to have a backup PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports (see Figure 17-18).

Figure 17-18 NAT and PAT Together

See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (outside) 1 209.165.201.5

For outside NAT, you need to identify the nat command for outside NAT (the outside keyword). If you also want to translate the same traffic when it accesses an inside interface (for example, traffic on a DMZ is translated when accessing the Inside and the Outside interfaces), then you must configure a separate nat command without the outside option. In this case, you can identify the same addresses in both statements and use the same NAT ID (see Figure 17-19). Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
Figure 17-19 Outside NAT and Inside NAT Combined

See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40

When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface, because to perform NAT from outside to inside, you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the preceding NAT requirements come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
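A configuration check derived from the nat/global rules in this section, as an added Python example written for this page (not appliance code). For every nat command it verifies that a global with the same NAT ID exists on each interface the traffic can exit toward (lower or same security level for a plain nat, higher for an outside nat), or that a static covers that interface pair, and it reports globals that no nat command can ever match (wrong ID, or a missing outside keyword). It also lists the globals in the order the appliance uses them: dynamic NAT ranges first, then PAT addresses, each in configuration order. The configuration lines are the chapter's Figure 17-18 and 17-19 examples; the interface security levels (outside 0, dmz 50, inside 100), the parser and the finding texts are assumptions made for the illustration.

```python
"""Added nat/global pairing check.  Not appliance code; the security levels
and the message texts are assumptions made for the illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Nat:
    interface: str
    nat_id: int
    real: str
    outside: bool
    line: str


@dataclass
class Global:
    interface: str
    nat_id: int
    spec: str
    is_pat: bool


def parse_config(lines):
    """Split nat, global and static lines into records (other lines are ignored)."""
    nats: List[Nat] = []
    globals_: List[Global] = []
    statics: Set[Tuple[str, str]] = set()
    for line in lines:
        t = line.replace("hostname(config)#", "").split()
        if not t:
            continue
        if t[0] == "nat":
            nats.append(Nat(t[1].strip("()"), int(t[2]), " ".join(t[3:5]), "outside" in t[5:], line.strip()))
        elif t[0] == "global":
            spec = t[3]                       # a single address or 'interface' is PAT
            globals_.append(Global(t[1].strip("()"), int(t[2]), spec, "-" not in spec))
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.add((real_if, mapped_if))
    return nats, globals_, statics


def ordered_globals(globals_, interface, nat_id) -> List[str]:
    """Globals used for (interface, nat_id): dynamic NAT ranges, then PAT, in config order."""
    same = [g for g in globals_ if g.interface == interface and g.nat_id == nat_id]
    return [g.spec for g in same if not g.is_pat] + [g.spec for g in same if g.is_pat]


def _translates_toward(nat: Nat, levels: Dict[str, int], egress: str) -> bool:
    """A plain nat translates toward lower/same-security interfaces; an 'outside' nat toward higher."""
    if egress == nat.interface:
        return False
    lower_or_same = levels[egress] <= levels[nat.interface]
    return lower_or_same != nat.outside


def check_nat_globals(levels: Dict[str, int], lines) -> List[str]:
    """Return a list of findings; an empty list means every nat/global pairing is complete."""
    nats, globals_, statics = parse_config(lines)
    findings = []
    for n in nats:
        if n.nat_id == 0:
            continue                          # identity NAT / NAT exemption use no global
        for egress in levels:
            if not _translates_toward(n, levels, egress):
                continue
            if not ordered_globals(globals_, egress, n.nat_id) and (n.interface, egress) not in statics:
                findings.append("%s: no 'global (%s) %d' and no static (%s,%s); these addresses "
                                "cannot be translated toward %s"
                                % (n.line, egress, n.nat_id, n.interface, egress, egress))
    for g in globals_:
        if not any(n.nat_id == g.nat_id and _translates_toward(n, levels, g.interface) for n in nats):
            findings.append("global (%s) %d %s is never matched by a nat command "
                            "(check the NAT ID and the outside keyword)"
                            % (g.interface, g.nat_id, g.spec))
    return findings


if __name__ == "__main__":
    LEVELS = {"outside": 0, "dmz": 50, "inside": 100}       # assumed security levels
    figure_19 = [
        "nat (dmz) 1 10.1.1.0 255.255.255.0 outside",
        "nat (dmz) 1 10.1.1.0 255.255.255.0",
        "static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255",
        "global (outside) 1 209.165.201.3-209.165.201.4",
        "global (inside) 1 10.1.2.30-10.1.2.40",
    ]
    print(check_nat_globals(LEVELS, figure_19))             # -> []
    figure_18 = ["nat (inside) 1 10.1.2.0 255.255.255.0",
                 "global (outside) 1 209.165.201.3-209.165.201.4",
                 "global (outside) 1 209.165.201.5"]
    print(ordered_globals(parse_config(figure_18)[1], "outside", 1))
    print(check_nat_globals(LEVELS, figure_18))             # inside nat has no global on dmz
```

With the three assumed interfaces, the Figure 17-18 configuration is flagged because the Inside nat identifies 10.1.2.0/24 for translation but has neither a global on ID 1 for the DMZ interface nor a static (inside,dmz), which is exactly the requirement stated in the preceding paragraph; the Figure 17-19 configuration passes because the plain nat is paired with the Outside global and the outside nat with the Inside global.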
Configuring Dynamic NAT or PAT

This section describes how to configure dynamic NAT or dynamic PAT. The configuration for dynamic NAT and PAT is almost identical; for NAT you specify a range of mapped addresses, and for PAT you specify a single address.

Figure 17-20 shows a typical dynamic NAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address is dynamically assigned from a pool defined by the global command.

Figure 17-20 Dynamic NAT

Figure 17-21 shows a typical dynamic PAT scenario. Only translated hosts can create a NAT session, and responding traffic is allowed back. The mapped address defined by the global command is the same for each translation, but the port is dynamically assigned.

Figure 17-21 Dynamic PAT

For more information about dynamic NAT, see the "Dynamic NAT" section on page 17-5. For more information about PAT, see the "PAT" section on page 17-7.

Note
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.
(Figure 17-20 labels: inside 10.1.1.1 -> outside 209.165.201.1; inside 10.1.1.2 -> outside 209.165.201.2; security appliance)

(Figure 17-21 labels: inside 10.1.1.1:1025 -> outside 209.165.201.1:2020; 10.1.1.1:1026 -> 209.165.201.1:2021; 10.1.1.2:1025 -> 209.165.201.1:2022; security appliance)

To configure dynamic NAT or PAT, perform the following steps:

Step 1 To identify the real addresses that you want to translate, enter one of the following commands:

• Policy NAT:

hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match. See the following description about options for this command:

– access-list acl_name—Identify the real addresses and destination addresses using an extended access list. Create the access list using the access-list command (see the “Adding an Extended Access List” section on page 16-5). This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT considers the inactive and time-range keywords, but it does not support an access list in which every ACE is inactive or time-range limited.

– nat_id—An integer between 1 and 65535. The NAT ID should match a global command NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the “Configuring NAT Exemption” section on page 17-32 for more information about NAT exemption.)
– dns—If your nat command includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command. (See the “DNS and NAT” section on page 17-14 for more information.)

– outside—If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.

– norandomseq, tcp tcp_max_conns, udp udp_max_conns, and emb_limit—These keywords set connection limits. However, we recommend using a more versatile method for setting connection limits; see the “Configuring Connection Limits and Timeouts” section on page 23-6.

• Regular NAT:

hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global command NAT ID. See the “Dynamic NAT and PAT Implementation” section on page 17-17 for more information about how NAT IDs are used. 0 is reserved for identity NAT. See the “Configuring Identity NAT” section on page 17-30 for more information about identity NAT. See the preceding policy NAT command for information about other options.
Step 2 To identify the mapped address(es) to which you want to translate the real addresses when they exit a particular interface, enter the following command:

hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}

This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses that you want to translate when they exit this interface. You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across subnet boundaries if desired. For example, you can specify the following “supernet”:

192.168.1.1-192.168.2.254

For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45

To identify a single real address with two different destination addresses using policy NAT, enter the following commands (see Figure 17-8 on page 17-10 for a related figure):

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130

To identify a single real address/destination address pair that uses different ports using policy NAT, enter the following commands (see Figure 17-9 on page 17-11 for a related figure):

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130

Using Static NAT

This section describes how to configure a static translation. Figure 17-22 shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.

Figure 17-22 Static NAT

You cannot use the same real or mapped address in multiple static commands between the same two interfaces. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface. For more information about static NAT, see the “Static NAT” section on page 17-7.

Note If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.
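The selection rules stated in the “Configuring Dynamic NAT or PAT” section above (a policy nat command is matched in order until the first match, a regular nat command by best match, and a single-address global with the same NAT ID takes over as PAT once the address pool is exhausted) can be checked against a small model. The following Python script is an added example written for this page; it is not Cisco code and only approximates the appliance. Its configuration lines, the two-address pool, mapped ports starting at 1024, and the assumption that policy nat commands are consulted before regular ones are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed configuration in the hostname(config)# style of this chapter
# (example data only). The NAT 2 pool is two addresses wide so that pool
# exhaustion and the PAT fallback are visible.
CONFIG = """
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# nat (inside) 3 access-list NET1
hostname(config)# global (outside) 3 209.165.202.129
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 209.165.201.10-209.165.201.11
hostname(config)# global (outside) 2 209.165.201.5
"""
ACL_RE = re.compile(r"access-list (\S+) permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (?:access-list (\S+)|([\d.]+) ([\d.]+))$")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) ([\d.]+)(?:-([\d.]+))?$")

def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

@dataclass
class Pool:
    iface: str                    # mapped interface of the global command
    nat_id: int
    lo: ipaddress.IPv4Address
    hi: ipaddress.IPv4Address     # equal to lo for a single-address (PAT) global
    allocated: set = field(default_factory=set)

    @property
    def is_pat(self):
        return self.lo == self.hi

class Translator:
    def __init__(self, config_text):
        self.acls, self.policy, self.regular, self.pools = {}, [], [], []
        self.xlates = {}      # (real ip, NAT ID) -> mapped ip of a dynamic NAT xlate
        self.next_port = {}   # PAT address -> next mapped port (assumed to start at 1024)
        for line in config_text.strip().splitlines():
            cmd = line.split("# ", 1)[1]
            if m := ACL_RE.match(cmd):
                self.acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
            elif m := NAT_RE.match(cmd):
                if m[3]:
                    self.policy.append((m[1], int(m[2]), m[3]))
                else:
                    self.regular.append((m[1], int(m[2]), _net(m[4], m[5])))
            elif m := GLOBAL_RE.match(cmd):
                lo, hi = ipaddress.ip_address(m[3]), ipaddress.ip_address(m[4] or m[3])
                self.pools.append(Pool(m[1], int(m[2]), lo, hi))

    def select_nat(self, real_if, src, dst):
        """Policy nat commands: first match in configuration order. Regular nat
        commands: best match, i.e. the longest mask. That policy is consulted
        before regular is an assumption, not stated in this section."""
        for iface, nat_id, acl in self.policy:
            if iface == real_if and any(src in s and dst in d for s, d in self.acls[acl]):
                return nat_id
        best = max((r for r in self.regular if r[0] == real_if and src in r[2]),
                   key=lambda r: r[2].prefixlen, default=None)
        return best[1] if best else None

    def translate(self, real_if, mapped_if, src, dst):
        """Mapped (ip, port) for a new connection, or None if no nat/global pair
        applies. Range pools are tried first; a single-address global with the
        same NAT ID takes over as PAT once every pool address is in use."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        nat_id = self.select_nat(real_if, src, dst)
        if nat_id is None:
            return None
        if (src, nat_id) in self.xlates:                  # existing NAT xlate is reused
            return (self.xlates[(src, nat_id)], None)
        pools = [p for p in self.pools if p.iface == mapped_if and p.nat_id == nat_id]
        for pool in sorted(pools, key=lambda p: p.is_pat):   # ranges first, PAT last
            if pool.is_pat:
                port = self.next_port.get(pool.lo, 1024)
                self.next_port[pool.lo] = port + 1           # each connection gets a new port
                return (str(pool.lo), port)
            free = next((a for a in range(int(pool.lo), int(pool.hi) + 1)
                         if a not in pool.allocated), None)
            if free is None:
                continue                                      # exhausted: try the next global
            pool.allocated.add(free)
            self.xlates[(src, nat_id)] = str(ipaddress.ip_address(free))
            return (self.xlates[(src, nat_id)], None)
        return None

def demo():
    """Run the cases discussed in the text against the constructed configuration."""
    t = Translator(CONFIG)
    return {
        "exclusive": t.translate("inside", "outside", "10.1.1.15", "198.51.100.1"),  # /32 beats /24
        "pool1": t.translate("inside", "outside", "10.1.1.20", "198.51.100.1"),
        "pool2": t.translate("inside", "outside", "10.1.1.21", "198.51.100.1"),
        "exhausted": t.translate("inside", "outside", "10.1.1.22", "198.51.100.1"),  # PAT fallback
        "policy": t.translate("inside", "outside", "10.1.2.27", "209.165.201.3"),
        "no_match": t.translate("inside", "outside", "10.1.2.27", "198.51.100.1"),
    }
```

The "exclusive" case reproduces the more exclusive nat statement described under static PAT later in this chapter: the /32 entry for 10.1.1.15 is chosen over the /24 entry that also contains it. The "no_match" case returns None because 10.1.2.27 only matches the policy entry for destinations in 209.165.201.0/27; what the appliance does with such a packet depends on whether NAT control is enabled, which this model does not cover.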
(Figure 17-22 labels: inside 10.1.1.1 -> outside 209.165.201.1; inside 10.1.1.2 -> outside 209.165.201.2; security appliance)

To configure static NAT, enter one of the following commands.

• For policy static NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list using the access-list command (see the “Adding an Extended Access List” section on page 16-5). This access list should include only permit ACEs. The source subnet mask used in the access list is also used for the mapped addresses. You can also specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the “Policy NAT” section on page 17-9 for more information.

If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.

See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other options.

• To configure regular static NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the options.
The following policy static NAT example shows a single real address that is translated to two mapped addresses depending on the destination address (see Figure 17-8 on page 17-10 for a related figure):

hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2

The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):

hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255

The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):

hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255

The following command statically maps an entire subnet:

hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0

Using Static PAT

This section describes how to configure a static port translation. Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate the real port to the same port, which lets you translate only specific types of traffic, or you can take it further by translating to a different port.

Figure 17-23 shows a typical static PAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address and port are statically assigned by the static command.

Figure 17-23 Static PAT

For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
(Figure 17-23 labels: inside 10.1.1.1:23 -> outside 209.165.201.1:23; inside 10.1.1.2:8080 -> outside 209.165.201.2:80; security appliance)

You cannot use the same real or mapped address in multiple static statements between the same two interfaces. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface. For more information about static PAT, see the “Static PAT” section on page 17-8.

Note If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.

To configure static PAT, enter one of the following commands.

• For policy static PAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list using the access-list command (see the “Adding an Extended Access List” section on page 16-5). The protocol in the access list must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the access list. Specify the port using the eq operator. This access list should include only permit ACEs. The source subnet mask used in the access list is also used for the mapped addresses. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.

See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other options.

• To configure regular static PAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the options.

Note When configuring static PAT with FTP, you need to add entries for both TCP ports 20 and 21. You must specify port 20 so that the source port for the active transfer is not modified to another port, which may interfere with other devices that perform NAT on FTP traffic.
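The restrictions on static commands stated in this chapter (no real or mapped address reused between the same pair of interfaces, no mapped address that also lies in a global pool on the mapped interface), the .0 and .255 caveat for subnet statics, and the FTP port 20/21 Note can all be checked mechanically before a configuration is pushed. The following Python lint is an added example written for this page, not Cisco software. Its configuration lines are constructed so that every rule fires once, and it reads the address-reuse rule the way this chapter's own port redirection example does, namely that a static PAT entry is identified by address, protocol and port, so telnet and ftp on one mapped address do not count as a duplicate.

```python
import ipaddress

# Constructed configuration (example data, not a Cisco sample) chosen so that
# each rule below produces at least one finding.
CONFIG = """
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.4 netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.7 ftp netmask 255.255.255.255
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
"""
# Port keywords used by the static commands in this chapter's examples.
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80, "http": 80}

def _port(tok):
    return None if tok is None else PORT_NAMES.get(tok) or int(tok)

def parse_static(cmd):
    """Parse the regular static NAT and static PAT forms shown above
    (policy forms with access-list are not handled by this example)."""
    _,  ifs, *tok = cmd.split()
    real_if, mapped_if = ifs.strip("()").split(",")
    proto = tok.pop(0) if tok[0] in ("tcp", "udp") else None
    if proto:
        mapped_ip, mapped_port, real_ip, real_port, *tok = tok
    else:
        mapped_ip, real_ip, *tok = tok
        mapped_port = real_port = None
    mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
    return dict(real_if=real_if, mapped_if=mapped_if, proto=proto, mask=mask,
                mapped_ip=mapped_ip, mapped_port=_port(mapped_port),
                real_ip=real_ip, real_port=_port(real_port))

def parse_global(cmd):
    """Return (mapped interface, first address, last address) of a global pool."""
    _, ifs, _nat_id, addrs = cmd.split()
    lo, _, hi = addrs.partition("-")
    return ifs.strip("()"), ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)

def lint(config_text):
    statics, pools, findings, seen = [], [], [], set()
    for line in config_text.strip().splitlines():
        cmd = line.split("# ", 1)[1]
        if cmd.startswith("static "):
            statics.append(parse_static(cmd))
        elif cmd.startswith("global ") and not cmd.endswith(" interface"):
            pools.append(parse_global(cmd))
    for s in statics:
        pair = (s["real_if"], s["mapped_if"])
        # Rule 1: a real or mapped address may appear only once in the static
        # commands between one pair of interfaces; for static PAT the protocol
        # and port are part of the identity.
        for side in ("mapped", "real"):
            key = (pair, side, s[side + "_ip"], s["proto"], s[side + "_port"])
            if key in seen:
                findings.append(f"duplicate {side} address {s[side + '_ip']} between {pair}")
            seen.add(key)
        # Rule 2: a mapped address must not also lie in a global pool on the
        # same mapped interface.
        if s["mapped_ip"] != "interface":
            mapped = ipaddress.ip_address(s["mapped_ip"])
            for iface, lo, hi in pools:
                if iface == s["mapped_if"] and lo <= mapped <= hi:
                    findings.append(f"mapped address {mapped} is inside global pool {lo}-{hi} on {iface}")
        # Rule 3: a subnet static also translates the .0 and .255 addresses.
        if s["mask"] != "255.255.255.255":
            findings.append(f"subnet static {s['real_ip']} {s['mask']}: network and broadcast "
                            "addresses are translated too; deny them with an access list if needed")
    # Rule 4: static PAT for FTP needs TCP 20 and 21 together (see the Note above).
    ftp = {(s["mapped_if"], s["mapped_ip"], s["mapped_port"]) for s in statics
           if s["proto"] == "tcp" and s["mapped_port"] in (20, 21)}
    for iface, ip, port in sorted(ftp):
        other = 20 if port == 21 else 21
        if (iface, ip, other) not in ftp:
            findings.append(f"static PAT for FTP on {ip}: TCP port {port} without port {other}")
    return findings
```

Run against the constructed configuration, lint() reports the reused mapped address 209.165.201.12 (once, for the second static), the two statics whose mapped address lies inside the global pool, the subnet static, and the ftp entry that has no companion port 20 entry. The same check applied to a clean static returns an empty list.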
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands:

hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0 eq telnet
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET

For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:

hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0 eq http
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP

To redirect Telnet traffic from the security appliance outside interface (10.1.2.14) to the inside host at 10.1.1.15, enter the following command:

hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255

If you want to allow the preceding real Telnet server to initiate connections, though, then you need to provide additional translation. For example, to translate all other types of traffic, enter the following commands. The original static command provides translation for Telnet to the server, while the nat and global commands provide PAT for outbound connections from the server.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14

If you also have a separate translation for all inside traffic, and the inside hosts use a different mapped address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the same mapped address as the static statement that allows Telnet traffic to the server. You need to create a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best match, more exclusive nat statements are matched before general statements. The following example shows the Telnet static statement, the more exclusive nat statement for initiated traffic from the Telnet server, and the statement for other inside hosts, which uses a different mapped address.

hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 10.1.2.78

To translate a well-known port (80) to another port (8080), enter the following command:

hostname(config)# static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255

Bypassing NAT

This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control. You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the “Bypassing NAT When NAT Control is Enabled” section on page 17-9 for more information about these methods.
This section includes the following topics:

• Configuring Identity NAT, page 17-30
• Configuring Static Identity NAT, page 17-30
• Configuring NAT Exemption, page 17-32

Configuring Identity NAT

Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations, and responding traffic is allowed back. Figure 17-24 shows a typical identity NAT scenario.

Figure 17-24 Identity NAT

(Figure 17-24 labels: inside 209.165.201.1 -> outside 209.165.201.1; inside 209.165.201.2 -> outside 209.165.201.2; security appliance)

Note If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.

To configure identity NAT, enter the following command:

hostname(config)# nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the options.

For example, to use identity NAT for the inside 10.1.1.0/24 network, enter the following command:

hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0

Configuring Static Identity NAT

Static identity NAT translates the real IP address to the same IP address. The translation is always active, and both “translated” and remote hosts can originate connections. Static identity NAT lets you use regular NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate (see the “Policy NAT” section on page 17-9 for more information about policy NAT).
For example, you can use policy static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B. Figure 17-25 shows a typical static identity NAT scenario.

Figure 17-25 Static Identity NAT

Note If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.

To configure static identity NAT, enter one of the following commands:

• To configure policy static identity NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) real_ip access-list acl_id [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list using the access-list command (see the “Adding an Extended Access List” section on page 16-5). This access list should include only permit ACEs. Make sure the source address in the access list matches the real_ip in this command. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the “Policy NAT” section on page 17-9 for more information. See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other options.

• To configure regular static identity NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) real_ip real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Specify the same IP address for both real_ip arguments. See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other options.
(Figure 17-25 labels: inside 209.165.201.1 -> outside 209.165.201.1; inside 209.165.201.2 -> outside 209.165.201.2; security appliance)

For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside:

hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

The following command uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside:

hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255

The following command statically maps an entire subnet:

hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

The following static identity policy NAT example shows a single real address that uses identity NAT when accessing one destination address, and a translation when accessing another:

hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2

Configuring NAT Exemption

NAT exemption exempts addresses from translation and allows both real and remote hosts to originate connections. NAT exemption lets you specify the real and destination addresses when determining the real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the access list. Use static identity NAT to consider ports in the access list. Figure 17-26 shows a typical NAT exemption scenario.

Figure 17-26 NAT Exemption

Note If you remove a NAT exemption configuration, existing connections that use NAT exemption are not affected.
To remove these connections, enter the clear local-host command.

(Figure 17-26 labels: inside 209.165.201.1 -> outside 209.165.201.1; inside 209.165.201.2 -> outside 209.165.201.2; security appliance)

To configure NAT exemption, enter the following command:

hostname(config)# nat (real_interface) 0 access-list acl_name [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list using the access-list command (see the “Adding an Extended Access List” section on page 16-5). This access list can include both permit ACEs and deny ACEs. Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption considers the inactive and time-range keywords, but it does not support an access list in which every ACE is inactive or time-range limited.

See the “Configuring Dynamic NAT or PAT” section on page 17-23 for information about the other options.

By default, this command exempts traffic from inside to outside. If you want traffic from outside to inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT for the outside interface and want to exempt other traffic.
For example, to exempt an inside network when accessing any destination address, enter the following commands:

hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT

To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT

To exempt an inside address when accessing two different destination addresses, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1

NAT Examples

This section describes typical scenarios that use NAT solutions, and includes the following topics:

• Overlapping Networks, page 17-34
• Redirecting Ports, page 17-35

Overlapping Networks

In Figure 17-27, the security appliance connects two private networks with overlapping address ranges.

Figure 17-27 Using Outside NAT with Overlapping Networks

Two networks use an overlapping address space (192.168.100.0/24), but hosts on each network must communicate (as allowed by access lists). Without NAT, when a host on the inside network tries to access a host on the overlapping DMZ network, the packet never makes it past the security appliance, which sees the packet as having a destination address on the inside network. Moreover, if the destination address is being used by another host on the inside network, that host receives the packet. To solve this problem, use NAT to provide non-overlapping addresses.
(Figure 17-27 labels: inside 192.168.100.0/24 with hosts 192.168.100.2 and 192.168.100.3; dmz side 10.1.1.1, gateway router 10.1.1.2 and 192.168.100.1; dmz 192.168.100.0/24 with hosts 192.168.100.2 and 192.168.100.3; outside)

If you want to allow access in both directions, use static NAT for both networks. If you only want to allow the inside interface to access hosts on the DMZ, then you can use dynamic NAT for the inside addresses, and static NAT for the DMZ addresses you want to access. This example shows static NAT.

To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network on the DMZ is not translated.

Step 1 Translate 192.168.100.0/24 on the inside to 10.1.2.0/24 when it accesses the DMZ by entering the following command:

hostname(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0

Step 2 Translate the 192.168.100.0/24 network on the DMZ to 10.1.3.0/24 when it accesses the inside by entering the following command:

hostname(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0

Step 3 Configure the following static routes so that traffic to the dmz network can be routed correctly by the security appliance:

hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1

The security appliance already has a connected route for the inside network. These static routes allow the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static route with the exact same network as a connected route.) Alternatively, you could use a broader route for the DMZ traffic, such as a default route.

If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the inside network, the following events occur:

1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
2. When the security appliance receives this packet, the security appliance translates the source address from 192.168.100.2 to 10.1.3.2.
3. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and the packet is forwarded.

Redirecting Ports

Figure 17-28 illustrates a typical network scenario in which the port redirection feature might be useful.

Figure 17-28 Port Redirection Using Static PAT

(Figure 17-28 labels: inside 10.1.1.1; Telnet server 10.1.1.6; FTP server 10.1.1.3; web server 10.1.1.5; web server 10.1.1.7; outside addresses 209.165.201.25, 209.165.201.5 and 209.165.201.15)

In the configuration described in this section, port redirection occurs for hosts on external networks as follows:

• Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
• FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
• HTTP requests to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5.
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.

To implement this scenario, perform the following steps:

Step 1 Configure PAT for the inside network by entering the following commands:

hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15

Step 2 Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:

hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255

Step 3 Redirect FTP requests for IP address 209.165.201.5 to 10.1.1.3 by entering the following command:

hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255

Step 4 Redirect HTTP requests for the security appliance outside interface address to 10.1.1.5 by entering the following command:

hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255

Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command:

hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255

Chapter 18 Permitting or Denying Network Access

This chapter describes how to control network access through the security appliance using access lists. To create an extended access list or an EtherType access list, see Chapter 16, “Identifying Traffic with Access Lists.”

Note You use ACLs to control network access in both routed and transparent firewall modes. In transparent mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic). To access the security appliance interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to Chapter 40, “Managing System Access.”

This chapter includes the following sections:

• Inbound and Outbound Access List Overview, page 18-1
• Applying an Access List to an Interface, page 18-2

Inbound and Outbound Access List Overview

By default, all traffic from a higher-security interface to a lower-security interface is allowed. Access lists let you either allow traffic from lower-security interfaces, or restrict traffic from higher-security interfaces. The security appliance supports two types of access lists:

• Inbound—Inbound access lists apply to traffic as it enters an interface.
• Outbound—Outbound access lists apply to traffic as it exits an interface.

Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic entering the security appliance on an interface or traffic exiting the security appliance on an interface.
These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.

An outbound access list is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound access lists to restrict access, you can create a single outbound access list that allows only the specified hosts (see Figure 18-1). See the “IP Addresses Used for Access Lists When You Use NAT” section on page 16-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts from reaching the outside network.

Figure 18-1 Outbound Access List

[Figure 18-1 shows a web server at 209.165.200.225 on the outside network. The inside hosts 10.1.1.14 (Inside), 10.1.2.67 (HR), and 10.1.3.34 (Eng) are statically translated to 209.165.201.4, 209.165.201.6, and 209.165.201.8. The inbound ACL on each inside interface permits any to any; the outbound ACL on the outside interface permits HTTP from 209.165.201.4, 209.165.201.6, and 209.165.201.8 to 209.165.200.225 and denies all others.]

See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside

Applying an Access List to an Interface

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the “Inbound and Outbound Access List Overview” section on page 18-1 for more information about access list directions.

The per-user-override keyword allows dynamic access lists that are downloaded for user authorization to override the access list assigned to the interface. For example, if the interface access list denies all traffic from 10.0.0.0, but the dynamic access list permits all traffic from 10.0.0.0, then the dynamic access list overrides the interface access list for that user. See the “Configuring RADIUS Authorization” section for more information about per-user access lists. The per-user-override keyword is only available for inbound access lists.

For connectionless protocols, you need to apply the access list to the source and destination interfaces if you want traffic to pass in both directions.

The following example illustrates the commands required to enable access to an inside web server with the IP address 209.165.201.12 (this IP address is the address visible on the outside interface after NAT):
hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
hostname(config)# access-group ACL_OUT in interface outside
You also need to configure NAT for the web server.

The following access lists allow any hosts to communicate between the inside and hr networks, but only specific hosts (209.168.200.3 and 209.168.200.4) to access the outside network, as shown in the last line below:
hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside

The following sample access list allows common EtherTypes originating on the inside interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside

The following access list allows some EtherTypes through the security appliance, but denies all others:
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit bpdu
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside

The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces (the list is named nonIP, so that is the name the access-group commands apply):
hostname(config)# access-list nonIP ethertype deny 0x1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group nonIP in interface inside
hostname(config)# access-group nonIP in interface outside

Chapter 19 Applying AAA for Network Access

This chapter describes how to enable AAA
(pronounced “triple A”) for network access. For information about AAA for management access, see the “Configuring AAA for System Administrators” section on page 40-5.

This chapter contains the following sections:
• AAA Performance, page 19-1
• Configuring Authentication for Network Access, page 19-1
• Configuring Authorization for Network Access, page 19-6
• Configuring Accounting for Network Access, page 19-13
• Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page 19-14

AAA Performance

The security appliance uses “cut-through proxy” to significantly improve performance compared to a traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the OSI model. The security appliance cut-through proxy challenges a user initially at the application layer and then authenticates against standard AAA servers or the local database. After the security appliance authenticates the user, it shifts the session flow, and all traffic flows directly and quickly between the source and destination while maintaining session state information.

Configuring Authentication for Network Access

This section includes the following topics:
• Authentication Overview, page 19-2
• Enabling Network Access Authentication, page 19-3
• Enabling Secure Authentication of Web Clients, page 19-5
• Authenticating Directly with the Security Appliance, page 19-6

Authentication Overview

The security appliance lets you configure network access authentication using AAA servers.

This section includes the following topics:
• One-Time Authentication, page 19-2
• Applications Required to Receive an Authentication Challenge, page 19-2
• Security Appliance Authentication Prompts, page 19-2
• Static PAT and HTTP, page 19-3
• Enabling Network Access Authentication, page 19-3

One-Time Authentication

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Cisco Security Appliance Command Reference for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP.

Applications Required to Receive an Authentication Challenge

Although you can configure the security appliance to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the security appliance allows other traffic requiring authentication.

The authentication ports that the security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS

Security Appliance Authentication Prompts

For Telnet and FTP, the security appliance generates an authentication prompt.

For HTTP, the security appliance uses basic HTTP authentication by default, and provides an authentication prompt. You can optionally configure the security appliance to redirect users to an internal web page where they can enter their username and password (configured with the aaa authentication listener command).

For HTTPS, the security appliance generates a custom login screen. You can optionally configure the security appliance to redirect users to an internal web page where they can enter their username and password (configured with the aaa authentication listener command).

Redirection is an improvement over the basic method because it provides an improved user experience when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and firewall modes. It also supports authenticating directly with the security appliance.

You might want to continue to use basic HTTP authentication if you do not want the security appliance to open listening ports, if you use NAT on a router and you do not want to create a translation rule for the web page served by the security appliance, or if basic HTTP authentication works better with your network. For example, non-browser applications, such as a URL embedded in email, might be more compatible with basic authentication.

After you authenticate correctly, the security appliance redirects you to your original destination. If the destination server also has its own authentication, the user enters another username and password. If you use basic HTTP authentication and need to enter another username and password for the destination server, then you need to configure the virtual http command.

Note If you use HTTP authentication without using the aaa authentication secure-http-client command, the username and password are sent from the client to the security appliance in clear text. We recommend that you use the aaa authentication secure-http-client command whenever you enable HTTP authentication. For more information about the aaa authentication secure-http-client command, see the “Enabling Secure Authentication of Web Clients” section on page 19-5.
For FTP, a user has the option of entering the security appliance username followed by an at sign (@) and then the FTP username (name1@name2). For the password, the user enters the security appliance password followed by an at sign (@) and then the FTP password (password1@password2). For example, enter the following text:
name> jamiec@jchrichton
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate several names and passwords by multiple at signs (@).

Static PAT and HTTP

For HTTP authentication, the security appliance checks real ports when static PAT is configured. If it detects traffic destined for real port 80, regardless of the mapped port, the security appliance intercepts the HTTP connection and enforces authentication.

For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the security appliance allows the HTTP connection to complete.

If the local port is different than port 80, as in the following example:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
then users do not see the authentication page. Instead, the security appliance sends to the web browser an error message indicating that the user must be authenticated prior to using the requested service.

Enabling Network Access Authentication

To enable network access authentication, perform the following steps:

Step 1 Using the aaa-server command, identify your AAA servers. If you have already identified your AAA servers, continue to the next step. For more information about identifying AAA servers, see the “Identifying AAA Server Groups and Servers” section on page 13-12.

Step 2 Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authenticate. For steps, see the “Adding an Extended Access List” section on page 16-5. The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for either HTTP, HTTPS, Telnet, or FTP in the access list because the user must authenticate with one of these services before other services are allowed through the security appliance.

Step 3 To configure authentication, enter the following command:
hostname(config)# aaa authentication match acl_name interface_name server_group
where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command, and server_group is the AAA server group you created in Step 1.

Note You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

Step 4 (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum] redirect
where the interface_name argument is the interface on which you want to enable listening ports. The port portnum argument specifies the port number that the security appliance listens on; the defaults are 80 (HTTP) and 443 (HTTPS). Enter this command separately for HTTP and for HTTPS.

Step 5 (Optional) If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts that the security appliance allows any given user account, use the following command:
hostname(config)# aaa local authentication attempts max-fail number
where number is between 1 and 16. For example:
hostname(config)# aaa local authentication attempts max-fail 7

Tip To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.

For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
hostname(config)# aaa authentication listener http inside redirect

The following commands authenticate Telnet traffic from the outside interface to a particular server (209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound

Enabling Secure Authentication of Web Clients

The security appliance provides a method of securing HTTP authentication.
Without securing HTTP authentication, usernames and passwords from the client to the security appliance would be passed as clear text. By using the aaa authentication secure-http-client command, you enable the exchange of usernames and passwords between a web client and the security appliance with HTTPS. After enabling this feature, when a user requires authentication when using HTTP, the security appliance redirects the HTTP user to an HTTPS prompt. After you authenticate correctly, the security appliance redirects you to the original HTTP URL.

To enable secure authentication of web clients, enter the following command:
hostname(config)# aaa authentication secure-http-client

Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS authentication processes are running, a new connection requiring authentication will not succeed.
• When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication might not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is let through, but the subsequent connections trigger authentication. As a result, users are continuously presented with an authentication page, even if the correct username and password are entered each time. To work around this, set the uauth timeout to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second window of opportunity that might allow non-authenticated users to go through the firewall if they are coming from the same source IP address.
• Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list command statement to block traffic from the HTTP client to HTTP server on port 443. Furthermore, if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In the following example, the first line configures static PAT for web traffic and the second line must be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443

Authenticating Directly with the Security Appliance

If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP, HTTPS, or Telnet.

This section includes the following topics:
• Enabling Direct Authentication Using HTTP and HTTPS, page 19-6
• Enabling Direct Authentication Using Telnet, page 19-6

Enabling Direct Authentication Using HTTP and HTTPS

If you enabled the redirect method of HTTP and HTTPS authentication in the “Enabling Network Access Authentication” section on page 19-3, then you also automatically enabled direct authentication. If you want to continue to use basic HTTP authentication, but want to enable direct authentication for HTTP and HTTPS, then enter the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum]
where the interface_name argument is the interface on which you want to enable direct authentication. The port portnum argument specifies the port number that the security appliance listens on; the defaults are 80 (HTTP) and 443 (HTTPS). Enter this command separately for HTTP and for HTTPS.
You can authenticate directly with the security appliance at the following URLs when you enable AAA for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html

Enabling Direct Authentication Using Telnet

To enable direct authentication with Telnet, configure a virtual Telnet server. With virtual Telnet, the user Telnets to a given IP address configured on the security appliance, and the security appliance provides a Telnet prompt.

To configure a virtual Telnet server, enter the following command:
hostname(config)# virtual telnet ip_address
where the ip_address argument sets the IP address for the virtual Telnet server. Make sure this address is an unused address that is routed to the security appliance. For example, if you perform NAT for inside addresses when they access the outside, and you want to provide outside access to the virtual Telnet server, you can use one of the global NAT addresses for the virtual Telnet server address.

Configuring Authorization for Network Access

After a user authenticates for a given connection, the security appliance can use authorization to further control traffic from the user.

This section includes the following topics:
• Configuring TACACS+ Authorization, page 19-7
• Configuring RADIUS Authorization, page 19-8

Configuring TACACS+ Authorization

You can configure the security appliance to perform network access authorization with TACACS+. You identify the traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you can identify the traffic directly in authorization rules themselves.

Tip Using access lists to identify traffic to be authorized can greatly reduce the number of authorization commands you must enter. This is because each authorization rule you enter can specify only one source and destination subnet and service, whereas an access list can include many entries.

Authentication and authorization statements are independent; however, any unauthenticated traffic matched by an authorization statement will be denied. For authorization to succeed, a user must first authenticate with the security appliance. Because a user at a given IP address only needs to authenticate one time for all rules and types, if the authentication session hasn’t expired, authorization can occur even if the traffic is matched by an authentication statement.

After a user authenticates, the security appliance checks the authorization rules for matching traffic. If the traffic matches the authorization statement, the security appliance sends the username to the TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for that traffic, based on the user profile. The security appliance enforces the authorization rule in the response.

See the documentation for your TACACS+ server for information about configuring network access authorizations for a user.

To configure TACACS+ authorization, perform the following steps:

Step 1 Enable authentication. For more information, see the “Enabling Network Access Authentication” section on page 19-3. If you have already enabled authentication, continue to the next step.

Step 2 Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authorize. For steps, see the “Adding an Extended Access List” section on page 16-5. The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. The access list you use for authorization matching should contain rules that are equal to or a subset of the rules in the access list used for authentication matching.

Note If you have configured authentication and want to authorize all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command.

Step 3 To enable authorization, enter the following command:
hostname(config)# aaa authorization match acl_name interface_name server_group
where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command or by default, and server_group is the AAA server group you created when you enabled authentication.

Note Alternatively, you can use the aaa authorization include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound

Configuring RADIUS Authorization

When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept message sent by a RADIUS server. For more information about configuring authentication, see the “Configuring Authentication for Network Access” section on page 19-1.

When you configure the security appliance to authenticate users for network access, you are also implicitly enabling RADIUS authorizations; therefore, this section contains no information about configuring RADIUS authorization on the security appliance. It does provide information about how the security appliance handles access list information received from RADIUS servers.

You can configure a RADIUS server to download an access list to the security appliance or an access list name at the time of authentication. The user is authorized to do only what is permitted in the user-specific access list.

Note If you have used the access-group command to apply access lists to interfaces, be aware of the following effects of the per-user-override keyword on authorization by user-specific access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the interface access list and the user-specific access list.
• With the per-user-override keyword, the user-specific access list determines what is permitted.
For more information, see the access-group command entry in the Cisco Security Appliance Command Reference.
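The direction rules from chapter 18 (inbound list checked on the entry interface, outbound list on the exit interface, implicit deny at the end of any bound list) together with the per-user-override note above, modelled in Python as an added example that is not Cisco's code. It parses the access-list and access-group lines quoted in chapter 18; the interface security levels, the per-user-override keyword on ACL_OUT, and the USER_ENG per-user list are assumptions made for the illustration.

```python
import ipaddress

# Constructed interface security levels: the page's default rule (higher-to-lower allowed
# when no access list is bound) needs them; hr is an assumed middle level.
SECURITY_LEVEL = {"inside": 100, "hr": 50, "outside": 0}
SERVICE_PORTS = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25}

# Access lists from the chapter 18 examples (addresses are the post-NAT ones the page uses),
# plus two assumptions: per-user-override on ACL_OUT, and USER_ENG, a constructed per-user
# access list of the kind a RADIUS server downloads at authorization time.
CONFIG = """
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside
hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
hostname(config)# access-group ACL_OUT in interface outside per-user-override
hostname(config)# access-list USER_ENG extended permit tcp any host 209.165.201.12 eq telnet
"""


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NETWORK MASK' (ASA uses subnet masks, not wildcards)."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network((t, tokens.pop(0)), strict=False)


def _addr_matches(spec, ip):
    return spec == "any" or ipaddress.IPv4Address(ip) in spec


class AsaAccessControl:
    """Reads access-list / access-group lines and applies them as the chapter describes."""

    def __init__(self, config):
        self.acls = {}       # name -> [(action, proto, src, dst, dport)]
        self.bindings = {}   # (interface, "in"|"out") -> (acl name, per_user_override)
        for line in config.strip().splitlines():
            tok = line.split("# ", 1)[-1].split()   # drop the "hostname(config)# " prompt
            if tok[0] == "access-list" and tok[2] == "extended":
                rest = tok[5:]
                src, dst = _parse_addr(rest), _parse_addr(rest)
                port = None
                if rest[:1] == ["eq"]:
                    port = SERVICE_PORTS.get(rest[1]) or int(rest[1])
                self.acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, port))
            elif tok[0] == "access-group":
                self.bindings[(tok[4], tok[2])] = (tok[1], "per-user-override" in tok)

    def acl_permits(self, name, proto, src, dst, dport):
        """First matching ACE decides; no match means the implicit deny at the end."""
        for action, p, s, d, port in self.acls.get(name, []):
            if (p == "ip" or p == proto) and _addr_matches(s, src) and _addr_matches(d, dst) \
                    and (port is None or port == dport):
                return action == "permit"
        return False

    def allows(self, ingress, egress, proto, src, dst, dport=None, user_acl=None):
        """Check the ingress interface's inbound list, then the egress interface's outbound
        list. user_acl names a downloaded per-user list; per the RADIUS authorization note,
        without per-user-override both lists must permit, with it the user list decides."""
        for iface, direction in ((ingress, "in"), (egress, "out")):
            bound = self.bindings.get((iface, direction))
            if bound is None:
                # No list bound: only the default higher-to-lower security rule applies.
                if direction == "in" and SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:
                    return False
                continue
            name, override = bound
            verdict = self.acl_permits(name, proto, src, dst, dport)
            if user_acl is not None and direction == "in":    # keyword is inbound-only
                user_verdict = self.acl_permits(user_acl, proto, src, dst, dport)
                verdict = user_verdict if override else (verdict and user_verdict)
            if not verdict:
                return False
        return True
```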
This section includes the following topics: • Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-9 • Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-1219-9 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 19 Applying AAA for Network Access Configuring Authorization for Network Access Configuring a RADIUS Server to Send Downloadable Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: • About the Downloadable Access List Feature and Cisco Secure ACS, page 19-9 • Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-10 • Configuring Any RADIUS Server for Downloadable Access Lists, page 19-11 • Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-12 About the Downloadable Access List Feature and Cisco Secure ACS Downloadable access lists is the most scalable means of using Cisco Secure ACS to provide the appropriate access lists for each user. It provides the following capabilities: • Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as required to transport the full access list from Cisco Secure ACS to the security appliance. • Simplified and centralized management of access lists—Downloadable access lists enable you to write a set of access lists once and apply it to many user or group profiles and distribute it to many security appliances. This approach is most useful when you have very large access list sets that you want to apply to more than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group management makes it useful for access lists of any size. The security appliance receives downloadable access lists from Cisco Secure ACS using the following process: 1. The security appliance sends a RADIUS authentication request packet for the user session. 2. 
If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS access-accept message that contains the internal name of the applicable downloadable access list. The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) contains the following attribute-value pair to identify the downloadable access list set: ACS:CiscoSecure-Defined-ACL=acl-set-name where acl-set-name is the internal name of the downloadable access list, which is a combination of the name assigned to the access list by the Cisco Secure ACS administrator and the date and time that the access list was last modified. 3. The security appliance examines the name of the downloadable access list and determines if it has previously received the named downloadable access list. – If the security appliance has previously received the named downloadable access list, communication with Cisco Secure ACS is complete and the security appliance applies the access list to the user session. Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previous downloaded means that the security appliance has the most recent version of the downloadable access list. – If the security appliance has not previously received the named downloadable access list, it may have an out-of-date version of the access list or it may not have downloaded any version of the access list. In either case, the security appliance issues a RADIUS authentication request using the downloadable access list name as the username in the RADIUS request and a null password attribute. 
19-10 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 19 Applying AAA for Network Access Configuring Authorization for Network Access

In a cisco-av-pair RADIUS VSA, the request also includes the following attribute-value pairs:

    AAA:service=ip-admission
    AAA:event=acl-download

In addition, the security appliance signs the request with the Message-Authenticator attribute (IETF RADIUS attribute 80).

4. Upon receipt of a RADIUS authentication request that has a username attribute containing the name of a downloadable access list, Cisco Secure ACS authenticates the request by checking the Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect, Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute prevents malicious use of a downloadable access list name to gain unauthorized network access. The Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions, available at http://www.ietf.org.

5. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds with an access-accept message containing the access list. The largest access list that can fit in a single access-accept message is slightly less than 4 KB because some of the message must be other required attributes. Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access list is formatted as a series of attribute-value pairs that each contain an ACE and are numbered serially:

    ip:inacl#1=ACE-1
    ip:inacl#2=ACE-2
    .
    .
    .
    ip:inacl#n=ACE-n

An example of an attribute-value pair follows:

    ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-challenge message that contains a portion of the access list, formatted as described above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum RADIUS message size. The security appliance stores the portion of the access list received and responds with another access-request message containing the same attributes as the first request for the downloadable access list plus a copy of the State attribute received in the access-challenge message. This repeats until Cisco Secure ACS sends the last of the access list in an access-accept message.

Configuring Cisco Secure ACS for Downloadable Access Lists

You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and then assign the access list to a group or to an individual user.
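The request of step 3 and the Message-Authenticator check of step 4, as an added example in Python; this is not code from the guide, Cisco Secure ACS or the security appliance. It encodes the Access-Request the way RFC 2865 lays it out (User-Name carrying the ACL name, a null User-Password, the two AAA:* cisco-av-pair VSAs, Message-Authenticator) and verifies the HMAC-MD5 signature per RFC 2869, which is what makes a replayed or guessed ACL name useless without the shared secret. The shared secret, packet identifier and request authenticator are constructed values.

```python
"""Added example (not from the guide): the ACL-download Access-Request of steps 3-4
and the Message-Authenticator check that Cisco Secure ACS applies to it.

Packet layout follows RFC 2865; Message-Authenticator follows RFC 2869
(HMAC-MD5 over the whole request with the attribute's own value zeroed).
The shared secret, identifier and authenticator used below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9      # vendor 9 ...
CISCO_AV_PAIR = 1        # ... attribute 1, the cisco-av-pair VSA named in the guide


def tlv(attr_type, value):
    """Encode one RFC 2865 attribute as type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_av_pair(text):
    """Encode a cisco-av-pair: Vendor-Specific wrapping vendor-id 9, vendor-type 1."""
    inner = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(text)) + text.encode()
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def hide_user_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding; the null password becomes one 16-byte block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def build_acl_download_request(acl_name, secret, identifier=1, authenticator=None):
    """Access-Request with User-Name = ACL name, null password, the two AAA:* pairs,
    and Message-Authenticator computed last over the otherwise complete packet."""
    authenticator = authenticator or os.urandom(16)
    attrs = (tlv(ATTR_USER_NAME, acl_name.encode())
             + tlv(ATTR_USER_PASSWORD, hide_user_password(b"", secret, authenticator))
             + cisco_av_pair("AAA:service=ip-admission")
             + cisco_av_pair("AAA:event=acl-download")
             + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, last attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def attributes(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield i, attr_type, packet[i + 2:i + length]
        i += length


def verify_message_authenticator(packet, secret):
    """Server-side check (step 4): True only if the attribute is present, well-formed
    and matches. Any failure means the request is ignored."""
    try:
        for offset, attr_type, value in attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False  # attribute absent


def requested_acl_name(packet):
    """The User-Name carries the downloadable ACL name (e.g. #ACSACL#-ip-...-version)."""
    for _, attr_type, value in attributes(packet):
        if attr_type == ATTR_USER_NAME:
            return value.decode()
    return None
```

The signature has to be computed over the complete packet with the attribute zeroed, so it is appended as a zero placeholder first and filled in last; the verifier reverses that. The User-Password attribute is still present because RFC 2865 requires one of User-Password, CHAP-Password or State in an Access-Request, which is why the guide describes a null password rather than no password.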
The access list definition consists of one or more security appliance commands that are similar to the extended access-list command (see the “Adding an Extended Access List” section on page 16-5), except without the following prefix:

    access-list acl_name extended

The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:

    Shared profile Components

    Downloadable IP ACLs Content

    Name: acs_ten_acl

    ACL Definitions

    permit tcp any host 10.0.0.254
    permit udp any host 10.0.0.254
    permit icmp any host 10.0.0.254
    permit tcp any host 10.0.0.253
    permit udp any host 10.0.0.253
    permit icmp any host 10.0.0.253
    permit tcp any host 10.0.0.252
    permit udp any host 10.0.0.252
    permit icmp any host 10.0.0.252
    permit ip any any

For more information about creating downloadable access lists and associating them with users, see the user guide for your version of Cisco Secure ACS.

On the security appliance, the downloaded access list has the following name:

    #ACSACL#-ip-acl_name-number

The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding example), and number is a unique version ID generated by Cisco Secure ACS.
The downloaded access list on the security appliance consists of the following lines:

    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252
    access-list  #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit ip any any

Configuring Any RADIUS Server for Downloadable Access Lists

You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific access lists to the security appliance in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1). In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended command (see the “Adding an Extended Access List” section on page 16-5), except that you replace the following command prefix:

    access-list acl_name extended

with the following text:

    ip:inacl#nnn=

The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command statement to be configured on the security appliance. If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used.

The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server:

    ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    ip:inacl#99=deny tcp any any
    ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    ip:inacl#100=deny udp any any
    ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

For information about making the access lists that are sent in the cisco-av-pair attribute unique per user, see the documentation for your RADIUS server.

On the security appliance, the downloaded access list name has the following format:

    AAA-user-username

The username argument is the name of the user that is being authenticated.

The downloaded access list on the security appliance consists of the following lines. Notice the order based on the numbers identified on the RADIUS server.

    access-list  AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    access-list  AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    access-list  AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    access-list  AAA-user-bcham34-79AD4A08 deny tcp any any
    access-list  AAA-user-bcham34-79AD4A08 deny udp any any

Downloaded access lists have two spaces between the word “access-list” and the name. These spaces serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is a hash value generated by the security appliance to help determine when access list definitions have changed on the RADIUS server.
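The ordering rule for ip:inacl#nnn= values and the AAA-user-username-hash naming, as an added example in Python; this is not code from the guide or from the security appliance. It sorts the pairs by sequence number (an omitted number counts as 0, ties keep VSA order) and renders the access-list lines with the two-space marker. The CRC32 suffix is a constructed stand-in for the appliance's hash, whose algorithm the guide does not describe; the sample pairs are the guide's own example.

```python
"""Added example (not from the guide): applying the ip:inacl#nnn= ordering rule and
rendering the downloaded access list under the AAA-user-<username>-<hash> name.
The CRC32 suffix is a constructed stand-in; the guide does not describe the
security appliance's actual hash algorithm."""
import re
import zlib

PAIR_RE = re.compile(r"^ip:inacl(?:#(\d+))?=(.+)$")
MAX_SEQ = 999999999  # upper bound of nnn stated in the guide

# The guide's own example, as the RADIUS server would send it in the cisco-av-pair VSA.
SAMPLE_AV_PAIRS = [
    "ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#99=deny tcp any any",
    "ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#100=deny udp any any",
    "ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
]


def parse_inacl_pairs(values):
    """Return [(sequence, ace), ...] in the order the appliance applies them.

    A missing #nnn counts as sequence 0; equal sequences keep their VSA order
    (stable sort), which is the rule the guide gives for omitted numbers.
    Values that are not ip:inacl pairs are ignored; nnn above the bound is rejected."""
    entries = []
    for position, value in enumerate(values):
        m = PAIR_RE.match(value.strip())
        if not m:
            continue
        seq = int(m.group(1)) if m.group(1) is not None else 0
        if seq > MAX_SEQ:
            raise ValueError(f"sequence out of range: {value}")
        entries.append((seq, position, m.group(2).strip()))
    entries.sort(key=lambda e: (e[0], e[1]))
    return [(seq, ace) for seq, _, ace in entries]


def downloaded_acl_lines(username, values):
    """Render the lines as they appear on the appliance: two spaces after
    'access-list' mark a downloaded ACL, as the guide notes."""
    ordered = [ace for _, ace in parse_inacl_pairs(values)]
    digest = "%08X" % zlib.crc32("\n".join(ordered).encode())  # assumed stand-in hash
    name = f"AAA-user-{username}-{digest}"
    return [f"access-list  {name} {ace}" for ace in ordered]


def acl_changed(previous_lines, username, values):
    """True when the server's definition no longer yields the name that was
    downloaded, which is what the hash suffix lets the appliance detect."""
    current = downloaded_acl_lines(username, values)
    if not previous_lines or not current:
        return bool(previous_lines) != bool(current)
    return previous_lines[0].split()[1] != current[0].split()[1]
```

Note that the sort key is (sequence, VSA position), so a server that omits every number still gets its ACEs applied in the order it sent them, and a server that numbers them gets the order it asked for regardless of transmission order.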
Converting Wildcard Netmask Expressions in Downloadable Access Lists

If a RADIUS server provides downloadable access lists to Cisco VPN 3000 Series Concentrators as well as to the security appliance, you may need the security appliance to convert wildcard netmask expressions to standard netmask expressions. This is because Cisco VPN 3000 Series Concentrators support wildcard netmask expressions but the security appliance only supports standard netmask expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize the effects of these differences upon how you configure downloadable access lists on your RADIUS servers. Translation of wildcard netmask expressions means that downloadable access lists written for Cisco VPN 3000 Series Concentrators can be used by the security appliance without altering the configuration of the downloadable access lists on the RADIUS server.

You configure access list netmask conversion on a per-server basis, using the acl-netmask-convert command, available in the AAA-server configuration mode. For more information about configuring a RADIUS server, see the “Identifying AAA Server Groups and Servers” section on page 13-12. For more information about the acl-netmask-convert command, see the Cisco Security Appliance Command Reference.

Configuring a RADIUS Server to Download Per-User Access Control List Names

To download a name for an access list that you already created on the security appliance from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows:

    filter-id=acl_name

Note In Cisco Secure ACS, the value for filter-id attributes is specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name.
For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.

See the “Adding an Extended Access List” section on page 16-5 to create an access list on the security appliance.

Configuring Accounting for Network Access

The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

To configure accounting, perform the following steps:

Step 1 If you want the security appliance to provide accounting data per user, you must enable authentication. For more information, see the “Enabling Network Access Authentication” section on page 19-3. If you want the security appliance to provide accounting data per IP address, enabling authentication is not necessary and you can continue to the next step.

Step 2 Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want accounted. For steps, see the “Adding an Extended Access List” section on page 16-5. The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization.

Note If you have configured authentication and want accounting data for all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command.
Step 3 To enable accounting, enter the following command:

    hostname(config)# aaa accounting match acl_name interface_name server_group

Note Alternatively, you can use the aaa accounting include command (which identifies traffic within the command) but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization and accounting.

    hostname(config)# aaa-server AuthOutbound protocol tacacs+
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
    hostname(config-aaa-server-host)# key TACPlusUauthKey
    hostname(config-aaa-server-host)# exit
    hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
    hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
    hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
    hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
    hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

The security appliance can exempt from authentication and authorization any traffic from specific MAC addresses. For example, if the security appliance authenticates TCP traffic originating on a particular network but you want to allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to exempt from authentication and authorization any traffic from the server specified by the rule.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to authentication prompts.

To use MAC addresses to exempt traffic from authentication and authorization, perform the following steps:

Step 1 To configure a MAC list, enter the following command:

    hostname(config)# mac-list id {deny | permit} mac macmask

Where the id argument is the hexadecimal number that you assign to the MAC list. To group a set of MAC addresses, enter the mac-list command as many times as needed with the same ID value. Because you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.

The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.

The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn.

The macmask argument specifies the portion of the MAC address that should be used for matching. For example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.

Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following command:

    hostname(config)# aaa mac-exempt match id

Where id is the string identifying the MAC list containing the MAC addresses whose traffic is to be exempt from authentication and authorization.
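The first-match, masked evaluation described in Step 1, as an added example in Python; this is not code from the guide or from the security appliance. MacList.add mirrors one mac-list line, MacList.match walks the entries in configuration order and returns the action of the first masked hit, and is_aaa_exempt applies the aaa mac-exempt rule that only a permit hit bypasses AAA. The MAC addresses come from the guide's examples; the deliberately mis-ordered list used in the test is constructed to show why the deny entry must come first.

```python
"""Added example (not from the guide): mac-list / aaa mac-exempt evaluation.
The first entry whose masked bits equal the source MAC decides; there is no
best-match step. Only a permit hit exempts traffic from AAA."""
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(text):
    """Parse nnnn.nnnn.nnnn (dotted hex, case-insensitive) into a 48-bit integer."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a dotted-hex MAC: {text}")
    return int(text.replace(".", ""), 16)


class MacList:
    """One MAC list: the entries of every 'mac-list <id> ...' line with the same id."""

    def __init__(self, list_id):
        self.id = list_id
        self.entries = []  # (action, mac, mask) in configuration order

    def add(self, action, mac, mask):
        """Equivalent of 'mac-list <id> {deny | permit} <mac> <macmask>'."""
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, not {action}")
        self.entries.append((action, mac_to_int(mac), mac_to_int(mask)))
        return self

    def match(self, source_mac):
        """Return the action of the first matching entry, or None if nothing matches."""
        src = mac_to_int(source_mac)
        for action, mac, mask in self.entries:
            if src & mask == mac & mask:
                return action
        return None


def is_aaa_exempt(mac_list, source_mac):
    """'aaa mac-exempt match <id>': traffic skips authentication and authorization
    only on a permit hit; a deny hit or no match leaves the normal AAA rules in force."""
    return mac_list.match(source_mac) == "permit"
```

Because evaluation stops at the first hit, a list that puts the broad permit before the narrow deny never reaches the deny, which is the mistake the guide warns about; the test below checks both orders.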
You can only enter one instance of the aaa mac-exempt command.

The following example bypasses authentication for a single MAC address:

    hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
    hostname(config)# aaa mac-exempt match abc

The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:

    hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
    hostname(config)# aaa mac-exempt match acd

The following example bypasses authentication for a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if it is first, the deny statement will never be matched.

    hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
    hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
    hostname(config)# aaa mac-exempt match 1

CHAPTER 20

Applying Filtering Services

This chapter describes ways to filter web traffic to reduce security risks or prevent inappropriate use. This chapter contains the following sections:

• Filtering Overview, page 20-1
• Filtering ActiveX Objects, page 20-2
• Filtering Java Applets, page 20-3
• Filtering URLs and FTP Requests with an External Server, page 20-4
• Viewing Filtering Statistics and Configuration, page 20-9

Filtering Overview

This section describes how filtering can provide greater control over traffic passing through the security appliance.
Filtering can be used in two distinct ways:

• Filtering ActiveX objects or Java applets
• Filtering with an external filtering server

Instead of blocking access altogether, you can remove specific undesirable objects from HTTP traffic, such as ActiveX objects or Java applets, that may pose a security threat in certain situations.

You can also use URL filtering to direct specific traffic to an external filtering server, such as a Secure Computing SmartFilter (formerly N2H2) or Websense filtering server. Long URL, HTTPS, and FTP filtering can now be enabled using both Websense and Secure Computing SmartFilter for URL filtering. Filtering servers can block traffic to specific sites or types of sites, as specified by the security policy.

Note URL caching will only work if the version of the URL server software from the URL server vendor supports it.

Because URL filtering is CPU-intensive, using an external filtering server ensures that the throughput of other traffic is not affected. However, depending on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection may be noticeably slower when filtering traffic with an external filtering server.

Filtering ActiveX Objects

This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics:

• ActiveX Filtering Overview, page 20-2
• Enabling ActiveX Filtering, page 20-2

ActiveX Filtering Overview

ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with ActiveX filtering.

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application.
These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.

The filter activex command blocks the HTML commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <object> and </object> and <applet> and </applet> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.

Caution This command also blocks any Java applets, image files, or multimedia objects that are embedded in <object> tags. If the <object> or </object> HTML tags are split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the security appliance cannot block the tag.

ActiveX blocking does not occur when users access an IP address referenced by the alias command or for WebVPN traffic.

Enabling ActiveX Filtering

This section describes how to remove ActiveX objects in HTTP traffic passing through the security appliance. To remove ActiveX objects, enter the following command in global configuration mode:

    hostname(config)# filter activex port[-port] local_ip local_mask foreign_ip foreign_mask

To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port 80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range of ports by using a hyphen between the starting port number and the ending port number.

The local IP address and mask identify one or more internal hosts that are the source of the traffic to be filtered. The foreign address and mask specify the external destination of the traffic to be filtered. You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.
You can use 0.0.0.0 for either mask (or in shortened form, 0) to specify all hosts.

The following example specifies that ActiveX objects are blocked on all outbound connections:

    hostname(config)# filter activex 80 0 0 0 0

This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.

To remove the configuration, use the no form of the command, as in the following example:

    hostname(config)# no filter activex 80 0 0 0 0

Filtering Java Applets

This section describes how to apply filtering to remove Java applets from HTTP traffic passing through the firewall.

Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.

The filter java command filters out Java applets that return to the security appliance from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. The filter java command does not filter WebVPN traffic.

Note Use the filter activex command to remove Java applets that are embedded in <object> tags.

To remove Java applets in HTTP traffic passing through the firewall, enter the following command in global configuration mode:

    hostname(config)# filter java port[-port] local_ip local_mask foreign_ip foreign_mask

To use this command, replace port with the TCP port to which filtering is applied. Typically, this is port 80, but other values are accepted. The http or url literal can be used for port 80. You can specify a range of ports by using a hyphen between the starting port number and the ending port number.

The local IP address and mask identify one or more internal hosts that are the source of the traffic to be filtered.
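The comment-out technique behind filter activex and filter java, as an added example in Python; this is not code from the guide or from the security appliance. comment_out_tags replaces top-level <object>/<applet> tags with HTML comments and leaves nested tags alone, as the overview describes. StreamingTagFilter is an extension beyond the page: it carries the nesting depth and any unfinished tag from one packet payload to the next, so a tag split across packets is still caught, which is the case the Caution says the appliance cannot handle. The sample HTML is constructed.

```python
"""Added example (not from the guide): the comment-out technique used by filter activex
and filter java. Top-level <object>/<applet> tags become HTML comments, so the page
still renders but the embedded code is not instantiated; nested tags are left alone
because commenting out the outer tag already disables them.

StreamingTagFilter goes beyond the guide: it holds back an unfinished tag until its
closing '>' arrives in a later packet, the case the guide says cannot be blocked."""
import re

TAG_RE = re.compile(r"<(/?)(object|applet)\b[^>]*>", re.IGNORECASE)

# Constructed page: an <object> with a nested <applet>, then a top-level <applet>.
SAMPLE_HTML = ('<html><body><p>Order form</p>'
               '<object classid="clsid:CONSTRUCTED"><param name="x" value="1">'
               '<applet code="Inner.class"></applet></object>'
               '<applet code="Outer.class"></applet></body></html>')


def _filter(html, depth):
    """Comment out top-level tags; return (filtered text, nesting depth at the end)."""
    out, pos = [], 0
    for m in TAG_RE.finditer(html):
        closing = m.group(1) == "/"
        top_level = (depth == 1) if closing else (depth == 0)
        depth = max(depth - 1, 0) if closing else depth + 1
        if top_level:
            out.append(html[pos:m.start()])
            out.append("<!-- " + m.group(0) + " -->")
            pos = m.end()
    out.append(html[pos:])
    return "".join(out), depth


def comment_out_tags(html):
    """Whole-document form, as applied to a page that arrived in one piece."""
    return _filter(html, 0)[0]


class StreamingTagFilter:
    """Per-packet form that carries nesting depth and any unfinished tag across packets."""

    def __init__(self):
        self.depth = 0
        self.held = ""

    def feed(self, payload):
        """Filter one packet payload; a trailing '<...' without '>' is held for the next."""
        data = self.held + payload
        cut = data.rfind("<")
        if cut != -1 and ">" not in data[cut:]:
            data, self.held = data[:cut], data[cut:]
        else:
            self.held = ""
        out, self.depth = _filter(data, self.depth)
        return out

    def flush(self):
        """End of stream: release whatever was held (it cannot be a complete tag)."""
        out, self.held = self.held, ""
        return out
```

Filtering each packet on its own misses the <object> tag whenever the packet boundary falls inside it, because neither fragment matches a complete tag; the streaming form pays for correctness by delaying the tail of every packet that ends in an open angle bracket, which is why an in-line appliance bounded by the MTU does not do this.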
The foreign address and mask specify the external destination of the traffic to be filtered. You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0 for either mask (or in shortened form, 0) to specify all hosts.

The following example specifies that Java applets are blocked on all outbound connections:

    hostname(config)# filter java 80 0 0 0 0

This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.

The following example blocks downloading of Java applets to a host on a protected network:

    hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0

This command prevents host 192.168.3.3 from downloading Java applets.

To remove the configuration, use the no form of the command, as in the following example:

    hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0

Filtering URLs and FTP Requests with an External Server

This section describes how to filter URLs and FTP requests with an external server. This section includes the following topics:

• URL Filtering Overview, page 20-4
• Identifying the Filtering Server, page 20-4
• Buffering the Content Server Response, page 20-6
• Caching Server Addresses, page 20-6
• Filtering HTTP URLs, page 20-7
• Filtering HTTPS URLs, page 20-8
• Filtering FTP Requests, page 20-9

URL Filtering Overview

You can apply filtering to connection requests originating from a more secure network to a less secure network.
Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:

• Websense Enterprise for filtering HTTP, HTTPS, and FTP.
• Secure Computing SmartFilter (formerly N2H2) for filtering HTTP, HTTPS, FTP, and long URL filtering.

Note URL caching will only work if the version of the URL server software from the URL server vendor supports it.

Although security appliance performance is less affected when using an external server, users may notice longer access times to websites or FTP servers when the filtering server is remote from the security appliance.

When filtering is enabled and a request for content is directed through the security appliance, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the security appliance forwards the response from the content server to the originating client. If the filtering server denies the connection, the security appliance drops the response and sends a message or return code indicating that the connection was not successful.

If user authentication is enabled on the security appliance, then the security appliance also sends the user name to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting regarding usage.

Identifying the Filtering Server

You can identify up to four filtering servers per context. The security appliance uses the servers in order until a server responds.
You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.

Note You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter command. If you remove the filtering servers from the configuration, then all filter commands are also removed.

Identify the address of the filtering server using the url-server command:

For Websense:

    hostname(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns] ]

For Secure Computing SmartFilter (formerly N2H2):

    hostname(config)# url-server (if_name) vendor {secure-computing | n2h2} host local_ip [port number] [timeout seconds] [protocol {TCP [connections num_conns]} | UDP]

where if_name is the name of the security appliance interface connected to the filtering server (the default is inside).

For the vendor {secure-computing | n2h2} keyword, you can use ‘secure-computing’ as a vendor string; however, ‘n2h2’ is acceptable for backward compatibility. When the configuration entries are generated, ‘secure-computing’ is saved as the vendor string.

The host local_ip is the IP address of the URL filtering server.

The port number is the Secure Computing SmartFilter server port number of the filtering server; the security appliance also listens for UDP replies on this port.

Note The default port is 4005. This is the default port used by the Secure Computing SmartFilter server to communicate to the security appliance via TCP or UDP. For information on changing the default port, please refer to the Filtering by N2H2 Administrator's Guide.

The timeout seconds is the number of seconds the security appliance should keep trying to connect to the filtering server.

The connections num_conns is the number of tries to attempt to make a connection between the host and server.
For example, to identify a single Websense filtering server, enter the following command:

    hostname(config)# url-server (perimeter) host 10.0.1.1 protocol TCP version 4

This identifies a Websense filtering server with the IP address 10.0.1.1 on a perimeter interface of the security appliance. Version 4, which is enabled in this example, is recommended by Websense because it supports caching.

To identify redundant Secure Computing SmartFilter servers, enter the following commands:

    hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
    hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2

This identifies two Sentian filtering servers, both on a perimeter interface of the security appliance.

Buffering the Content Server Response

When a user issues a request to connect to a content server, the security appliance sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request.

By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are forwarded to the requesting client if the filtering server allows the connection. This prevents the delay that might otherwise occur.

To configure buffering for responses to HTTP or FTP requests, perform the following steps:

Step 1 To enable buffering of responses for HTTP or FTP requests that are pending a response from the filtering server, enter the following command:

    hostname(config)# url-block block block-buffer-limit

Replace block-buffer-limit with the maximum number of HTTP responses that can be buffered while awaiting responses from the url-server.
Note Buffering URLs longer than 3072 bytes is not supported.

Step 2 To configure the maximum memory available for buffering pending URLs (and for buffering long URLs), enter the following command:

    hostname(config)# url-block mempool-size memory-pool-size

Replace memory-pool-size with a value from 2 to 10240 for a maximum memory allocation of 2 KB to 10 MB.

Caching Server Addresses

After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again.

Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports. You can accumulate Websense run logs before using the url-cache command.

Use the url-cache command if needed to improve throughput, as follows:

    hostname(config)# url-cache dst | src_dst size

Replace size with a value for the cache size within the range 1 to 128 (KB).

Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.

Use the src_dst keyword to cache entries based on both the source address initiating the URL request as well as the URL destination address. Select this mode if users do not share the same URL filtering policy on the Websense server.

Filtering HTTP URLs

This section describes how to configure HTTP filtering with an external filtering server.
This section includes the following topics:

• Configuring HTTP Filtering, page 20-7
• Enabling Filtering of Long HTTP URLs, page 20-7
• Truncating Long HTTP URLs, page 20-7
• Exempting Traffic from Filtering, page 20-8

Configuring HTTP Filtering

You must identify and enable the URL filtering server before enabling HTTP filtering.

When the filtering server approves an HTTP connection request, the security appliance allows the reply from the web server to reach the originating client. If the filtering server denies the request, the security appliance redirects the user to a block page, indicating that access was denied.

To enable HTTP filtering, enter the following command:

    hostname(config)# filter url [http | port[-port] local_ip local_mask foreign_ip foreign_mask] [allow] [proxy-block]

Replace port with one or more port numbers if a different port than the default port for HTTP (80) is used. Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests. Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork responding to requests.

The allow option causes the security appliance to forward HTTP traffic without filtering when the primary filtering server is unavailable. Use the proxy-block option to drop all requests to proxy servers.

Enabling Filtering of Long HTTP URLs

By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159 characters. You can increase the maximum length allowed. Configure the maximum size of a single URL with the following command:

    hostname(config)# url-block url-size long-url-size

Replace long-url-size with the maximum size in KB for each long URL being buffered. For Websense, this is a value from 2 to 4 for a maximum URL size of 2 KB to 4 KB; for Secure Computing, this is a value between 2 to 3 for a maximum URL size of 2 KB to 3 KB. The default value is 2.
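The data path described in URL Filtering Overview, Buffering the Content Server Response and Caching Server Addresses above, as an added model in Python; this is not code from the guide or from the security appliance. The request goes to the content server and the filtering server at once; a content reply that arrives before the verdict is dropped unless url-block buffering has room for it; and url-cache lets later requests to a cached destination skip the filtering server. The filtering server is a constructed callable returning a verdict and a cacheable flag, buffer and cache capacity are counted in entries rather than the KB units of the commands, and connection ids and addresses are constructed.

```python
"""Added example (not from the guide): a small model of the URL-filtering data path
so the effect of url-block buffering and url-cache can be traced step by step.
The filtering server is a constructed callable(dst) -> (verdict, cacheable), where
verdict is "allow" or "deny"; limits are counted in entries, not KB."""


class UrlFilterPath:
    def __init__(self, filter_server, block_buffer=0, cache_mode=None):
        self.filter_server = filter_server  # constructed stand-in for Websense/SmartFilter
        self.block_buffer = block_buffer    # url-block block <n>; 0 disables buffering
        self.cache_mode = cache_mode        # None, "dst" or "src_dst" (url-cache)
        self.cache = set()
        self.pending = {}                   # conn_id -> {"src", "dst", "verdict", "reply"}
        self.buffered = 0                   # content replies currently held
        self.queries = 0                    # lookups actually sent to the filtering server
        self.forwarded, self.denied, self.dropped = [], [], []

    def _key(self, src, dst):
        return dst if self.cache_mode == "dst" else (src, dst)

    def request(self, conn_id, src, dst):
        """Client request: the appliance contacts the content server and, unless the
        destination is cached, the filtering server at the same time."""
        state = {"src": src, "dst": dst, "verdict": None, "reply": None}
        if self.cache_mode and self._key(src, dst) in self.cache:
            state["verdict"] = "allow"      # cached: not sent to the server, not logged there
        else:
            self.queries += 1
        self.pending[conn_id] = state

    def filter_verdict(self, conn_id):
        """The filtering server's answer arrives (possibly after the content server's)."""
        state = self.pending.get(conn_id)
        if state is None or state["verdict"] is not None:
            return
        state["verdict"], cacheable = self.filter_server(state["dst"])
        if state["verdict"] == "allow" and cacheable and self.cache_mode:
            self.cache.add(self._key(state["src"], state["dst"]))
        self._settle(conn_id)

    def content_reply(self, conn_id):
        """The content server's answer arrives."""
        state = self.pending.get(conn_id)
        if state is None:
            return
        if state["verdict"] is None:
            if self.buffered >= self.block_buffer:
                self.dropped.append(conn_id)    # no verdict yet and nowhere to hold it
                del self.pending[conn_id]       # the client has to reissue the request
                return
            self.buffered += 1
            state["reply"] = "buffered"
        else:
            state["reply"] = "arrived"
        self._settle(conn_id)

    def _settle(self, conn_id):
        """Once both answers are in, forward or discard the content reply."""
        state = self.pending[conn_id]
        if state["verdict"] is None or state["reply"] is None:
            return
        if state["reply"] == "buffered":
            self.buffered -= 1
        (self.forwarded if state["verdict"] == "allow" else self.denied).append(conn_id)
        del self.pending[conn_id]
```

The dst and src_dst cache modes differ only in the cache key: with dst, one user's allowed lookup serves every user of that destination, which is only safe when all users share one policy, as the guide says; src_dst keys on the requesting address as well.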
Truncating Long HTTP URLs

By default, if a URL exceeds the maximum permitted size, then it is dropped. To avoid this, you can set the security appliance to truncate a long URL by entering the following command:

    hostname(config)# filter url [longurl-truncate | longurl-deny | cgi-truncate]

The longurl-truncate option causes the security appliance to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted. Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request including the parameter list can use up memory resources and affect firewall performance.

Exempting Traffic from Filtering

To exempt specific traffic from filtering, enter the following command:

    hostname(config)# filter url except source_ip source_mask dest_ip dest_mask

For example, the following commands cause all HTTP requests to be forwarded to the filtering server except for those from 10.0.2.54:

    hostname(config)# filter url http 0 0 0 0
    hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Filtering HTTPS URLs

You must identify and enable the URL filtering server before enabling HTTPS filtering.

Note Websense and Smartfilter currently support HTTPS; older versions of Secure Computing SmartFilter (formerly N2H2) did not support HTTPS filtering.

Because HTTPS content is encrypted, the security appliance sends the URL lookup without directory and filename information.
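The following model ties together the caching behaviour from the Caching Server Addresses section, the long-URL options from Truncating Long HTTP URLs, and the host-only HTTPS lookup just described. It is an added example, not Cisco code; FilterServer is a constructed stand-in for the external filtering server, the policies and hosts are constructed, and treating cgi-truncate as applying only to oversized URLs is an assumption made here.

```python
"""Model of the URL filtering lookup path: cache keyed by dst or src_dst,
long-URL handling (longurl-truncate / longurl-deny / cgi-truncate) and the
host-only lookup for HTTPS. Added example; FilterServer is a constructed
stand-in for the external Websense/SmartFilter server."""
from urllib.parse import urlsplit


class FilterServer:
    """Constructed stand-in: per-source policies plus the set of hosts whose
    every site is in a category permitted at all times (hence cacheable)."""

    def __init__(self, policies, always_permitted_hosts):
        self.policies = policies                  # {src_ip: {host: permitted}}
        self.always_permitted = always_permitted_hosts
        self.lookups = []                         # what reached the server (its report/log)

    def lookup(self, src, lookup_url):
        self.lookups.append((src, lookup_url))
        host = urlsplit(lookup_url).hostname
        permitted = self.policies.get(src, {}).get(host, False)
        return permitted, permitted and host in self.always_permitted


class UrlFilter:
    """Appliance-side behaviour as described on this page."""

    def __init__(self, server, cache_mode="src_dst", max_url_bytes=2048,
                 long_url="longurl-deny"):
        assert cache_mode in ("dst", "src_dst")
        assert long_url in ("longurl-truncate", "longurl-deny", "cgi-truncate")
        self.server = server
        self.cache_mode = cache_mode
        self.max_url_bytes = max_url_bytes        # url-block url-size, 2 KB default
        self.long_url = long_url
        self.cache = set()

    def _cache_key(self, src, host):
        # dst: one verdict per destination for every user; src_dst: per (user, destination)
        return host if self.cache_mode == "dst" else (src, host)

    def prepare_lookup(self, url):
        """URL actually sent to the filtering server, or None if the request
        is dropped on the appliance."""
        parts = urlsplit(url)
        if parts.scheme == "https":
            # Encrypted content: the lookup carries no directory or filename
            return f"https://{parts.netloc}/"
        if len(url.encode()) <= self.max_url_bytes:
            return url
        # URL exceeds url-block url-size: apply the configured filter url option
        if self.long_url == "longurl-truncate":
            return f"{parts.scheme}://{parts.netloc}/"   # hostname portion only
        if self.long_url == "cgi-truncate" and parts.query:
            # Assumed here to apply to oversized CGI URLs: script location and
            # name only, parameters stripped
            return parts._replace(query="", fragment="").geturl()
        return None   # longurl-deny, or an oversized URL with no option: dropped

    def request(self, src, url):
        """Return (verdict, decided_by); decided_by is 'cache', 'server' or 'appliance'."""
        host = urlsplit(url).hostname
        key = self._cache_key(src, host)
        if key in self.cache:
            return "allow", "cache"    # never sent to the server, so absent from its reports
        lookup = self.prepare_lookup(url)
        if lookup is None:
            return "deny", "appliance"
        permitted, cacheable = self.server.lookup(src, lookup)
        if cacheable:
            self.cache.add(key)
        return ("allow" if permitted else "deny"), "server"


def constructed_server():
    # Constructed policies: 10.0.2.10 may reach news.example, 10.0.2.20 may not.
    policies = {"10.0.2.10": {"news.example": True, "shop.example": True},
                "10.0.2.20": {"news.example": False, "shop.example": True}}
    return FilterServer(policies, always_permitted_hosts={"news.example"})


def cache_mode_demo(mode):
    """Two users with different policies hit the same host; returns both
    verdicts and how many lookups the server actually saw."""
    server = constructed_server()
    appliance = UrlFilter(server, cache_mode=mode)
    first = appliance.request("10.0.2.10", "http://news.example/today.html")
    second = appliance.request("10.0.2.20", "http://news.example/today.html")
    return first, second, len(server.lookups)
```

With dst caching the second user is allowed from the cache without the server ever seeing (or logging) the request, which is why that mode is only safe when every user shares one policy.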
When the filtering server approves an HTTPS connection request, the security appliance allows the completion of SSL connection negotiation and allows the reply from the web server to reach the originating client. If the filtering server denies the request, the security appliance prevents the completion of SSL connection negotiation. The browser displays an error message such as “The Page or the content cannot be displayed.”

Note The security appliance does not provide an authentication prompt for HTTPS, so a user must authenticate with the security appliance using HTTP or FTP before accessing HTTPS servers.

To enable HTTPS filtering, enter the following command:

    hostname(config)# filter https port[-port] localIP local_mask foreign_IP foreign_mask [allow]

Replace port[-port] with a range of port numbers if a port other than the default port for HTTPS (443) is used. Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests. Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork responding to requests. The allow option causes the security appliance to forward HTTPS traffic without filtering when the primary filtering server is unavailable.

Filtering FTP Requests

You must identify and enable the URL filtering server before enabling FTP filtering.

Note Websense and Smartfilter currently support FTP; older versions of Secure Computing SmartFilter (formerly known as N2H2) did not support FTP filtering.

When the filtering server approves an FTP connection request, the security appliance allows the successful FTP return code to reach the originating client.
For example, a successful return code is “250: CWD command successful.” If the filtering server denies the request, the security appliance alters the FTP return code to show that the connection was denied. For example, the security appliance changes code 250 to “550 Requested file is prohibited by URL filtering policy.”

To enable FTP filtering, enter the following command:

    hostname(config)# filter ftp port[-port] localIP local_mask foreign_IP foreign_mask [allow] [interact-block]

Replace port[-port] with a range of port numbers if a port other than the default port for FTP (21) is used. Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests. Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork responding to requests. The allow option causes the security appliance to forward FTP traffic without filtering when the primary filtering server is unavailable. Use the interact-block option to prevent interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path. For example, the user might enter cd ./files instead of cd /public/files.

Viewing Filtering Statistics and Configuration

This section describes how to monitor filtering statistics.
This section includes the following topics:
• Viewing Filtering Server Statistics, page 20-10
• Viewing Buffer Configuration and Statistics, page 20-11
• Viewing Caching Statistics, page 20-11
• Viewing Filtering Performance Statistics, page 20-11
• Viewing Filtering Configuration, page 20-12

Viewing Filtering Server Statistics

To show information about the filtering server, enter the following command:

    hostname# show running-config url-server

The following is sample output from the show running-config url-server command:

    hostname# show running-config url-server
    url-server (outside) vendor n2h2 host 128.107.254.202 port 4005 timeout 5 protocol TCP

To show information about the filtering server or to show statistics, enter the following command:

    hostname# show running-config url-server statistics

The following is sample output from the show running-config url-server statistics command, which shows filtering statistics:

    hostname# show running-config url-server statistics
    Global Statistics:
    --------------------
    URLs total/allowed/denied 13/3/10
    URLs allowed by cache/server 0/3
    URLs denied by cache/server 0/10
    HTTPSs total/allowed/denied 138/137/1
    HTTPSs allowed by cache/server 0/137
    HTTPSs denied by cache/server 0/1
    FTPs total/allowed/denied 0/0/0
    FTPs allowed by cache/server 0/0
    FTPs denied by cache/server 0/0
    Requests dropped 0
    Server timeouts/retries 0/0
    Processed rate average 60s/300s 0/0 requests/second
    Denied rate average 60s/300s 0/0 requests/second
    Dropped rate average 60s/300s 0/0 requests/second

    Server Statistics:
    --------------------
    10.125.76.20 UP Vendor websense Port 15868
    Requests total/allowed/denied 151/140/11
    Server timeouts/retries 0/0
    Responses received 151
    Response time average 60s/300s 0/0

    URL Packets Sent and Received Stats:
    ------------------------------------
    Message          Sent   Received
    STATUS_REQUEST   1609   1601
    LOOKUP_REQUEST   1526   1526
    LOG_REQUEST      0      NA

    Errors:
    -------
    RFC noncompliant GET method 0
    URL buffer update failure 0

Viewing Buffer Configuration and Statistics

The show running-config url-block command displays the number of packets held in the url-block buffer and the number (if any) dropped due to exceeding the buffer limit or retransmission.

The following is sample output from the show running-config url-block command:

    hostname# show running-config url-block
    url-block url-mempool 128
    url-block url-size 4
    url-block block 128

This shows the configuration of the URL block buffer.

The following is sample output from the show url-block block statistics command:

    hostname# show running-config url-block block statistics
    URL Pending Packet Buffer Stats with max block 128
    -----------------------------------------------------
    Cumulative number of packets held: 896
    Maximum number of packets held (per URL): 3
    Current number of packets held (global): 38
    Packets dropped due to exceeding url-block buffer limit: 7546
    HTTP server retransmission: 10
    Number of packets released back to client: 0

This shows the URL block statistics.

Viewing Caching Statistics

The following is sample output from the show url-cache stats command:

    hostname# show url-cache stats
    URL Filter Cache Stats
    ----------------------
    Size : 128KB
    Entries : 1724
    In Use : 456
    Lookups : 45
    Hits : 8

This shows how the cache is used.
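A parser for the show url-server statistics output above, with a health check over the fields a defender watches (server state, timeouts, drops, deny ratio) and a count of the cache-served decisions that, as the Caching Server Addresses note warns, never reach the filtering server's reports. This is an added example, not Cisco code; the sample text is the page's own output re-flowed one counter per line, and the deny-ratio threshold is a constructed parameter.

```python
"""Parse `show url-server statistics` output and derive monitoring findings.
Added example; SAMPLE is the page's sample output, re-flowed one counter per
line as the appliance prints it."""
import re

SAMPLE = """\
Global Statistics:
--------------------
URLs total/allowed/denied 13/3/10
URLs allowed by cache/server 0/3
URLs denied by cache/server 0/10
HTTPSs total/allowed/denied 138/137/1
HTTPSs allowed by cache/server 0/137
HTTPSs denied by cache/server 0/1
FTPs total/allowed/denied 0/0/0
FTPs allowed by cache/server 0/0
FTPs denied by cache/server 0/0
Requests dropped 0
Server timeouts/retries 0/0
Processed rate average 60s/300s 0/0 requests/second
Denied rate average 60s/300s 0/0 requests/second
Dropped rate average 60s/300s 0/0 requests/second

Server Statistics:
--------------------
10.125.76.20 UP Vendor websense Port 15868
Requests total/allowed/denied 151/140/11
Server timeouts/retries 0/0
Responses received 151
Response time average 60s/300s 0/0
"""

TRIPLE = re.compile(r"^(URLs|HTTPSs|FTPs) total/allowed/denied (\d+)/(\d+)/(\d+)$")
BY_SOURCE = re.compile(r"^(URLs|HTTPSs|FTPs) (allowed|denied) by cache/server (\d+)/(\d+)$")
DROPPED = re.compile(r"^Requests dropped (\d+)$")
TIMEOUTS = re.compile(r"^Server timeouts/retries (\d+)/(\d+)$")
SERVER_HDR = re.compile(r"^(\S+) (UP|DOWN) Vendor (\S+) Port (\d+)$")
SERVER_REQ = re.compile(r"^Requests total/allowed/denied (\d+)/(\d+)/(\d+)$")


def parse_url_server_stats(text):
    """Return {'global': {...}, 'servers': [...]} from the command output."""
    stats = {"global": {"counts": {}, "by_cache": {}, "dropped": 0, "timeouts": (0, 0)},
             "servers": []}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Global Statistics"):
            section = "global"
            continue
        if line.startswith("Server Statistics"):
            section = "servers"
            continue
        if not line or line.startswith("-"):
            continue
        if section == "global":
            if m := TRIPLE.match(line):
                stats["global"]["counts"][m[1]] = tuple(int(x) for x in m.group(2, 3, 4))
            elif m := BY_SOURCE.match(line):
                stats["global"]["by_cache"][(m[1], m[2])] = (int(m[3]), int(m[4]))
            elif m := DROPPED.match(line):
                stats["global"]["dropped"] = int(m[1])
            elif m := TIMEOUTS.match(line):
                stats["global"]["timeouts"] = (int(m[1]), int(m[2]))
        elif section == "servers":
            if m := SERVER_HDR.match(line):        # one block per filtering server
                current = {"host": m[1], "state": m[2], "vendor": m[3], "port": int(m[4]),
                           "requests": (0, 0, 0), "timeouts": (0, 0)}
                stats["servers"].append(current)
            elif current and (m := SERVER_REQ.match(line)):
                current["requests"] = tuple(int(x) for x in m.group(1, 2, 3))
            elif current and (m := TIMEOUTS.match(line)):
                current["timeouts"] = (int(m[1]), int(m[2]))
    return stats


def decisions_invisible_to_reports(stats):
    """Cached verdicts are never passed to the filtering server, so they are
    missing from its reports; these appliance counters are the only record."""
    return sum(cache for cache, _server in stats["global"]["by_cache"].values())


def health_findings(stats, max_deny_ratio=0.5):
    """Conditions worth alerting on; max_deny_ratio is a constructed threshold."""
    findings = []
    if stats["global"]["dropped"]:
        findings.append(f"{stats['global']['dropped']} requests dropped (check url-block buffer)")
    for s in stats["servers"]:
        if s["state"] != "UP":
            findings.append(f"filtering server {s['host']} is {s['state']}; "
                            "with the allow option traffic is forwarded unfiltered")
        timeouts, retries = s["timeouts"]
        if timeouts or retries:
            findings.append(f"{s['host']}: {timeouts} timeouts / {retries} retries")
        total, _allowed, denied = s["requests"]
        if total and denied / total > max_deny_ratio:
            findings.append(f"{s['host']}: deny ratio {denied / total:.0%} exceeds {max_deny_ratio:.0%}")
    return findings
```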
Viewing Filtering Performance Statistics

The following is sample output from the show perfmon command:

    hostname# show perfmon
    PERFMON STATS:    Current   Average
    Xlates            0/s       0/s
    Connections       0/s       2/s
    TCP Conns         0/s       2/s
    UDP Conns         0/s       0/s
    URL Access        0/s       2/s
    URL Server Req    0/s       3/s
    TCP Fixup         0/s       0/s
    TCPIntercept      0/s       0/s
    HTTP Fixup        0/s       3/s
    FTP Fixup         0/s       0/s
    AAA Authen        0/s       0/s
    AAA Author        0/s       0/s
    AAA Account       0/s       0/s

This shows URL filtering performance statistics, along with other performance statistics. The filtering statistics are shown in the URL Access and URL Server Req rows.

Viewing Filtering Configuration

The following is sample output from the show running-config filter command:

    hostname# show running-config filter
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Chapter 21 Using Modular Policy Framework

This chapter describes how to use Modular Policy Framework to create security policies for TCP and general connection settings, inspections, IPS, CSC, and QoS.

This chapter includes the following sections:
• Modular Policy Framework Overview, page 21-1
• Identifying Traffic (Layer 3/4 Class Map), page 21-4
• Configuring Special Actions for Application Inspections (Inspection Policy Map), page 21-7
• Defining Actions (Layer 3/4 Policy Map), page 21-15
• Applying Actions to an Interface (Service Policy), page 21-21
• Modular Policy Framework Examples, page 21-21

Modular Policy Framework Overview

Modular Policy Framework provides a consistent and flexible way to configure security appliance features. For example, you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
This section includes the following topics:
• Modular Policy Framework Features, page 21-1
• Modular Policy Framework Configuration Overview, page 21-2
• Default Global Policy, page 21-3

Modular Policy Framework Features

Modular Policy Framework supports the following features:
• QoS input policing
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
• CSC
• Application inspection
• IPS
• QoS output policing
• QoS standard priority queue
• QoS traffic shaping, hierarchical priority queue

Modular Policy Framework Configuration Overview

Configuring Modular Policy Framework consists of the following tasks:

1. Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps. For example, you might want to perform actions on all traffic that passes through the security appliance; or you might only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address. See the “Identifying Traffic (Layer 3/4 Class Map)” section on page 21-4.

2. If one of the actions you want to perform is application inspection, and you want to perform additional actions on some inspection traffic, then create an inspection policy map. The inspection policy map identifies the traffic and specifies what to do with it. For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes. You can create a self-contained inspection policy map that identifies the traffic directly with match commands, or you can create an inspection class map for reuse or for more complicated matching. See the “Defining Actions in an Inspection Policy Map” section on page 21-8 and the “Identifying Traffic in an Inspection Class Map” section on page 21-11.

3.
If you want to match text with a regular expression within inspected packets, you can create a regular expression or a group of regular expressions (a regular expression class map). Then, when you define the traffic to match for the inspection policy map, you can call on an existing regular expression. For example, you might want to drop all HTTP requests with a URL including the text “example.com.”

[Figure: Layer 3/4 Class Map; Inspection Class Map / Match Commands; Inspection Policy Map Actions]

See the “Creating a Regular Expression” section on page 21-12 and the “Creating a Regular Expression Class Map” section on page 21-14.

4. Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map. Then, determine on which interfaces you want to apply the policy map using a service policy. See the “Defining Actions (Layer 3/4 Policy Map)” section on page 21-15 and the “Applying Actions to an Interface (Service Policy)” section on page 21-21.

Default Global Policy

By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)
[Figure: Regular Expression Statement / Regular Expression Class Map; Inspection Class Map / Match Commands; Inspection Policy Map Actions; Layer 3/4 Policy Map (Inspection, Connection Limits, IPS); Service Policy]

The default policy configuration includes the following commands:

    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global

Identifying Traffic (Layer 3/4 Class Map)

A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. The maximum number of Layer 3/4 class maps is 255 in single mode or per context in multiple mode. You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map.

You can create the following types of class maps:
• Default Class Maps, page 21-4
• Creating a Layer 3/4 Class Map for Through Traffic, page 21-5
• Creating a Layer 3/4 Class Map for Management Traffic, page 21-7

Default Class Maps

The configuration includes a default Layer 3/4 class map that the security appliance uses in the default global policy.
It is called inspection_default and matches the default inspection traffic:

    class-map inspection_default
     match default-inspection-traffic

Another class map that exists in the default configuration is called class-default, and it matches all traffic:

    class-map class-default
     match any

This class map appears at the end of all Layer 3/4 policy maps and essentially tells the security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own match any class map. In fact, some features are only available for class-default, such as QoS traffic shaping.

Creating a Layer 3/4 Class Map for Through Traffic

A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4 attributes.

To define a Layer 3/4 class map, perform the following steps:

Step 1 Create a Layer 3/4 class map by entering the following command:

    hostname(config)# class-map class_map_name
    hostname(config-cmap)#

Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.

Step 2 (Optional) Add a description to the class map by entering the following command:

    hostname(config-cmap)# description string

Step 3 Define the traffic to include in the class by matching one of the following characteristics. Unless otherwise specified, you can include only one match command in the class map.

• Any traffic—The class map matches all traffic.

    hostname(config-cmap)# match any

• Access list—The class map matches traffic specified by an extended access list.
If the security appliance is operating in transparent firewall mode, you can use an EtherType access list.

    hostname(config-cmap)# match access-list access_list_name

For more information about creating access lists, see the “Adding an Extended Access List” section on page 16-5 or the “Adding an EtherType Access List” section on page 16-8. For information about creating access lists with NAT, see the “IP Addresses Used for Access Lists When You Use NAT” section on page 16-3.

• TCP or UDP destination ports—The class map matches a single port or a contiguous range of ports.

    hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}

Tip For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.

For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11. For example, enter the following command to match TCP packets on port 80 (HTTP):

    hostname(config-cmap)# match tcp eq 80

• Default traffic for inspection—The class map matches the default TCP and UDP ports used by all applications that the security appliance can inspect.

    hostname(config-cmap)# match default-inspection-traffic

See the “Default Inspection Policy” section on page 25-3 for a list of default ports. The security appliance includes a default global policy that matches the default inspection traffic, and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.

You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic.
Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.

• DSCP value in an IP header—The class map matches up to eight DSCP values.

    hostname(config-cmap)# match dscp value1 [value2] [...] [value8]

For example, enter the following:

    hostname(config-cmap)# match dscp af43 cs1 ef

• Precedence—The class map matches up to four precedence values, represented by the Type of Service (TOS) byte in the IP header.

    hostname(config-cmap)# match precedence value1 [value2] [value3] [value4]

where value1 through value4 can be 0 to 7, corresponding to the possible precedences.

• RTP traffic—The class map matches RTP traffic.

    hostname(config-cmap)# match rtp starting_port range

The starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The range specifies the number of additional UDP ports to match above the starting_port, between 0 and 16383.

• Tunnel group traffic—The class map matches traffic for a tunnel group to which you want to apply QoS.

    hostname(config-cmap)# match tunnel-group name

You can also specify one other match command to refine the traffic match. You can specify any of the preceding commands, except for the match any, match access-list, or match default-inspection-traffic commands. Or you can enter the following command to police each flow:

    hostname(config-cmap)# match flow ip destination address

All traffic going to a unique IP destination address is considered a flow.
The following is an example for the class-map command:

    hostname(config)# access-list udp permit udp any any
    hostname(config)# access-list tcp permit tcp any any
    hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
    hostname(config)# class-map all_udp
    hostname(config-cmap)# description "This class-map matches all UDP traffic"
    hostname(config-cmap)# match access-list udp
    hostname(config-cmap)# class-map all_tcp
    hostname(config-cmap)# description "This class-map matches all TCP traffic"
    hostname(config-cmap)# match access-list tcp
    hostname(config-cmap)# class-map all_http
    hostname(config-cmap)# description "This class-map matches all HTTP traffic"
    hostname(config-cmap)# match port tcp eq http
    hostname(config-cmap)# class-map to_server
    hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
    hostname(config-cmap)# match access-list host_foo

Creating a Layer 3/4 Class Map for Management Traffic

For management traffic to the security appliance, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. Namely, this type of class map lets you inspect RADIUS accounting traffic.

To create a class map for management traffic to the security appliance, perform the following steps:

Step 1 Create a class map by entering the following command:

    hostname(config)# class-map type management class_map_name
    hostname(config-cmap)#

Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.

Step 2 (Optional) Add a description to the class map by entering the following command:

    hostname(config-cmap)# description string

Step 3 Define the traffic to include in the class by matching the TCP or UDP port. You can include only one match command in the class map.

    hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}

For a list of ports you can specify, see the “TCP and UDP Ports” section on page D-11. For example, enter the following command to match TCP packets on port 10000:

    hostname(config-cmap)# match tcp eq 10000

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map. When the inspection policy map matches traffic within the Layer 3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited).

This section includes the following topics:
• Inspection Policy Map Overview, page 21-8
• Defining Actions in an Inspection Policy Map, page 21-8
• Identifying Traffic in an Inspection Class Map, page 21-11
• Creating a Regular Expression, page 21-12
• Creating a Regular Expression Class Map, page 21-14

Inspection Policy Map Overview

See the “Configuring Application Inspection” section on page 25-5 for a list of applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.

• Traffic matching command—You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the application, such as a URL string, for which you then enable actions.
  – Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.

• Inspection class map—(Not available for all applications. See the CLI help for a list of supported applications.) An inspection class map includes traffic matching commands that match application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the policy map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps.
  – Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.

• Parameters—Parameters affect the behavior of the inspection engine.

The default inspection policy map configuration includes the following commands, which set the maximum message length for DNS packets to 512 bytes:

    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512

Note There are other default inspection policy maps such as policy-map type inspect esmtp _default_esmtp_map. These default policy maps are created implicitly by the command inspect protocol.
For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown by using the show running-config all policy-map command.

Defining Actions in an Inspection Policy Map

When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map.

To create an inspection policy map, perform the following steps:

Step 1 To create the HTTP inspection policy map, enter the following command:

    hostname(config)# policy-map type inspect application policy_map_name
    hostname(config-pmap)#

See the “Configuring Application Inspection” section on page 25-5 for a list of applications that support inspection policy maps.

The policy_map_name argument is the name of the policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.

Step 2 To apply actions to matching traffic, perform the following steps:

a. Specify the traffic on which you want to perform actions using one of the following methods:

• Specify the inspection class map that you created in the “Identifying Traffic in an Inspection Class Map” section on page 21-11 by entering the following command:

    hostname(config-pmap)# class class_map_name
    hostname(config-pmap-c)#

• Specify traffic directly in the policy map using one of the match commands described for each application in Chapter 25, “Configuring Application Layer Protocol Inspection.” If you use a match not command, then any traffic that matches the criterion in the match not command does not have the action applied.

b.
Specify the action you want to perform on the matching traffic by entering the following command:

    hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}

Not all options are available for each application. Other actions specific to the application might also be available. See Chapter 25, “Configuring Application Layer Protocol Inspection,” for the exact options available.

The drop keyword drops all packets that match. The send-protocol-error keyword sends a protocol error message. The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message. The rate-limit message_rate argument limits the rate of messages.

Note You can specify multiple class or match commands in the policy map. If a packet matches multiple different match or class commands, then the order in which the security appliance applies the actions is determined by internal security appliance rules, and not by the order they are added to the policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user-configurable. For example, for HTTP traffic, parsing a Request Method field precedes parsing the Header Host Length field; an action for the Request Method field occurs before the action for the Header Host Length field. For example, the following match commands can be entered in any order, but the match request method get command is matched first.
    match request header host length gt 100 reset
    match request method get log

If an action drops a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to reset the connection, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as resetting the connection, can occur. (You can configure both a dropping action, such as reset or drop-connection, and the log action for the same match or class command, in which case the packet is logged before it is reset for a given match.)

If a packet matches multiple match or class commands that are the same, then they are matched in the order they appear in the policy map. For example, for a packet with the header length of 1001, it will match the first command below, and be logged, and then will match the second command and be reset. If you reverse the order of the two match commands, then the packet will be dropped and the connection reset before it can match the second match command; it will never be logged.

    match request header length gt 100 log
    match request header length gt 1000 reset

A class map is determined to be the same type as another class map or match command based on the lowest priority match command in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class maps are matched according to the order they are added to the policy map. If the lowest priority command for each class map is different, then the class map with the higher priority match command is matched first.
For example, the following three class maps contain two types of match commands: match request-cmd (higher priority) and match filename (lower priority). The ftp3 class map includes both commands, but it is ranked according to its lowest priority command, match filename. The ftp1 class map includes only the highest priority command, so it is matched first, regardless of its position in the policy map. The ftp3 class map is ranked as being of the same priority as the ftp2 class map, which also contains the match filename command, so those two are matched according to their order in the policy map: ftp3 and then ftp2.

class-map type inspect ftp ftp1
 match request-cmd get
class-map type inspect ftp ftp2
 match filename regex abc
class-map type inspect ftp ftp3
 match request-cmd get
 match filename regex abc

policy-map type inspect ftp ftp
 class ftp3
  log
 class ftp2
  log
 class ftp1
  log

Step 3 To configure parameters that affect the inspection engine, enter the following command:

hostname(config-pmap)# parameters
hostname(config-pmap-p)#

The CLI enters parameters configuration mode. For the parameters available for each application, see Chapter 25, "Configuring Application Layer Protocol Inspection."

The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2

hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs

hostname(config-cmap)# policy-map type inspect http http-map1
hostname(config-pmap)# class http-traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action log

hostname(config-pmap-p)# policy-map test
hostname(config-pmap)# class test   (a Layer 3/4 class map, not shown)
hostname(config-pmap-c)# inspect http http-map1

hostname(config-pmap-c)# service-policy test interface outside

Identifying Traffic in an Inspection Class Map

This type of class map allows you to match criteria that are specific to an application. For example, for DNS traffic, you can match the domain name in a DNS query.

Note
Not all applications support inspection class maps. See the CLI help for a list of supported applications.

A class map groups multiple traffic matches. Traffic must match all of the match criteria to match the class map. You can alternatively identify the traffic you want to match directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you group multiple matches, and you can reuse class maps.
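The evaluation rules stated in the previous section for an inspection policy map (different match types ordered by the appliance's internal priority, same-type matches in configuration order, a drop-type action ending evaluation, and log emitted before reset on the same match) are easy to misread in a long policy map. The following Python model is an added example, not code from Cisco or from the appliance. The PRIORITY table, the packet field names and the Entry class are assumptions of the model; only the relative order the text states (Request Method before Header Host Length, request-cmd above filename) is taken from the document. It reproduces the three examples given in the text.

```python
"""Model of how an inspection policy map orders and applies its actions.

Added example, not Cisco or appliance code.  The PRIORITY table, the packet
field names and the Entry class are assumptions of this model; only the
relative order the text states (request method before header host length,
request-cmd above filename) is taken from the document.
"""
from dataclasses import dataclass

# Assumed internal priority per match type: lower number = field parsed earlier.
PRIORITY = {
    "request method": 1,
    "request header host length": 2,
    "request header length": 2,
    "request-cmd": 1,
    "filename": 2,
}

DROPPING = {"drop", "drop-connection", "reset"}   # actions that end evaluation


@dataclass
class Entry:
    """One match command, or one class map (several criteria, all must hold)."""
    name: str
    criteria: list      # [(match_type, predicate), ...]
    actions: list       # e.g. ["log"], ["reset", "log"]
    order: int = 0      # position in the policy map (configuration order)

    def rank(self):
        # A class map is ranked by its lowest-priority match (largest number).
        return max(PRIORITY[t] for t, _ in self.criteria)

    def matches(self, pkt):
        return all(pred(pkt) for _, pred in self.criteria)


def evaluate(policy, pkt):
    """Return [(entry_name, action), ...] in the order the appliance applies them."""
    # Different types: internal priority.  Same type: order in the policy map.
    ordered = sorted(policy, key=lambda e: (e.rank(), e.order))
    taken = []
    for entry in ordered:
        if not entry.matches(pkt):
            continue
        if "log" in entry.actions:          # logged before it is reset/dropped
            taken.append((entry.name, "log"))
        for act in entry.actions:
            if act in DROPPING:
                taken.append((entry.name, act))
                return taken                # a drop ends the policy map
    return taken


def http_method_example():
    """'host length gt 100 reset' is entered first, but 'method get log' is
    evaluated first because the Request Method field is parsed earlier."""
    host = Entry("host len>100",
                 [("request header host length", lambda p: p["host_len"] > 100)],
                 ["reset"], 0)
    meth = Entry("method get",
                 [("request method", lambda p: p["method"] == "get")],
                 ["log"], 1)
    return evaluate([host, meth], {"method": "get", "host_len": 150})


def http_header_example(reverse=False):
    """Header length 1001 against 'gt 100 log' and 'gt 1000 reset': same type,
    so configuration order decides whether the packet is ever logged."""
    rules = [("hdr>100", 100, ["log"]), ("hdr>1000", 1000, ["reset"])]
    if reverse:
        rules.reverse()
    policy = [Entry(name, [("request header length", lambda p, n=n: p["hdr_len"] > n)],
                    acts, i)
              for i, (name, n, acts) in enumerate(rules)]
    return evaluate(policy, {"hdr_len": 1001})


def ftp_class_example():
    """ftp3 carries both match types but is ranked by 'filename', so ftp1 goes
    first and ftp3/ftp2 follow in policy-map order."""
    get = ("request-cmd", lambda p: p["cmd"] == "get")
    abc = ("filename", lambda p: "abc" in p["filename"])
    policy = [Entry("ftp3", [get, abc], ["log"], 0),
              Entry("ftp2", [abc], ["log"], 1),
              Entry("ftp1", [get], ["log"], 2)]
    return [name for name, _ in evaluate(policy, {"cmd": "get", "filename": "abc.txt"})]
```

The point to take from the reversed header example is operational: if a logging match is placed after a dropping match of the same type, the log line is never produced, so an incident responder will see the reset but no record of why.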
For the traffic that you identify in this class map, you can specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map. If you want to perform different actions on different types of traffic, identify the traffic directly in the policy map instead.

To define an inspection class map, perform the following steps:

Step 1 Create a class map by entering the following command:

hostname(config)# class-map type inspect application [match-all] class_map_name
hostname(config-cmap)#

Where application is the application you want to inspect. For supported applications, see Chapter 25, "Configuring Application Layer Protocol Inspection."

The class_map_name argument is the name of the class map, up to 40 characters in length.

The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map.

The CLI enters class-map configuration mode, where you can enter one or more match commands.

Step 2 (Optional) To add a description to the class map, enter the following command:

hostname(config-cmap)# description string

Step 3 Define the traffic to include in the class by entering one or more match commands available for your application. To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string "example.com," then any traffic that includes "example.com" does not match the class map.
To see the match commands available for each application, see Chapter 25, "Configuring Application Layer Protocol Inspection."

The following example creates an HTTP class map that must match all criteria:

hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs

Creating a Regular Expression

A regular expression matches text strings either literally, as an exact string, or by using metacharacters so that you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet.

Use Ctrl+V to escape all of the special characters in the CLI, such as the question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration.

See the regex command in the Cisco Security Appliance Command Reference for performance impact information when matching a regular expression to packets.

Note
As an optimization, the security appliance searches on the deobfuscated URL. Deobfuscation compresses multiple forward slashes (/) into a single slash. For strings that commonly use double slashes, like "http://", be sure to search for "http:/" instead.

Table 21-1 lists the metacharacters that have special meanings.

Table 21-1 regex Metacharacters

.        Dot. Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
(exp)    Subexpression. A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.
|        Alternation. Matches either expression it separates. For example, dog|cat matches dog or cat.
?        Question mark. A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose. Note: You must enter Ctrl+V and then the question mark, or else the help function is invoked.
*        Asterisk. A quantifier that indicates that there are 0, 1, or any number of the previous expression. For example, lo*se matches lse, lose, loose, and so on.
+        Plus. A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
{x}      Repeat quantifier. Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.
{x,}     Minimum repeat quantifier. Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, and so on.
[abc]    Character class. Matches any character in the brackets. For example, [abc] matches a, b, or c.
[^abc]   Negated character class. Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.
[a-c]    Character range class. Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].
""       Quotation marks. Preserves trailing or leading spaces in the string. For example, " test" preserves the leading space when it looks for a match.
^        Caret. Specifies the beginning of a line.
\        Escape character. When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
char     Character. When character is not a metacharacter, matches the literal character.
\r       Carriage return. Matches a carriage return, 0x0d.
\n       Newline. Matches a new line, 0x0a.
\t       Tab. Matches a tab, 0x09.
\f       Formfeed. Matches a form feed, 0x0c.

To test and create a regular expression, perform the following steps:

Step 1 To test a regular expression to make sure it matches what you think it will match, enter the following command:

hostname(config)# test regex input_text regular_expression

Where the input_text argument is a string you want to match using the regular expression, up to 201 characters in length. The regular_expression argument can be up to 100 characters in length.

Use Ctrl+V to escape all of the special characters in the CLI. For example, to enter a tab in the input text of the test regex command, you must enter test regex "test[Ctrl+V Tab]" "test\t".

If the regular expression matches the input text, you see the following message:
INFO: Regular expression match succeeded.

If the regular expression does not match the input text, you see the following message:
INFO: Regular expression match failed.

Step 2 To add a regular expression after you have tested it, enter the following command:

hostname(config)# regex name regular_expression

Where the name argument can be up to 40 characters in length. The regular_expression argument can be up to 100 characters in length.
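Two pitfalls called out above, an unescaped dot and searching for "http://" when the appliance matches against the deobfuscated URL, can be checked offline against a set of URLs before the regex command is committed. The following Python script is an added example, not Cisco or appliance code. It relies on Python's re module behaving like the appliance for the Table 21-1 metacharacters it uses (dot, escaped dot, literal text), models deobfuscation as collapsing runs of slashes as the Note describes, and the sample URLs are constructed for the example.

```python
"""Offline checks for patterns before they go into a 'regex' command.

Added example, not Cisco or appliance code.  Python's re module is used for
the Table 21-1 metacharacters this script relies on (dot, escaped dot,
literal text); deobfuscation is modelled from the Note in the text as
collapsing runs of '/' into one '/'.  The sample URLs are constructed.
"""
import re


def deobfuscate(url):
    """Collapse runs of forward slashes, as the appliance does before matching."""
    return re.sub(r"/+", "/", url)


def appliance_match(pattern, url):
    """True if pattern is found in the URL as the appliance would see it.
    Like the regex command, this is a search, not an anchored match."""
    return re.search(pattern, deobfuscate(url)) is not None


def check_patterns(patterns, samples):
    """Map each pattern to the sample URLs it matches, so an over-broad
    pattern is visible before it is deployed."""
    return {p: [u for u in samples if appliance_match(p, u)] for p in patterns}


# Constructed sample URLs: the intended host, a look-alike host, and the
# intended host with doubled slashes in the path.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://www.examplexcom.net/index.html",
    "http://www.example.com//cgi-bin//script",
]


def escaped_dot_matters():
    """Return (hits for 'example.com', hits for 'example\\.com'): the
    unescaped dot also accepts the look-alike host."""
    hits = check_patterns(["example.com", r"example\.com"], SAMPLE_URLS)
    return len(hits["example.com"]), len(hits[r"example\.com"])


def double_slash_matters():
    """Return (hits for 'http://', hits for 'http:/'): after deobfuscation
    the double slash never matches."""
    hits = check_patterns(["http://", "http:/"], SAMPLE_URLS)
    return len(hits["http://"]), len(hits["http:/"])
```

The final word is still test regex on the appliance, but this lets you run every candidate pattern against a whole corpus of URLs at once rather than one input string per command.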
The following example creates two regular expressions for use in an inspection policy map:

hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com

Table 21-1 regex Metacharacters (continued)

\xNN     Escaped hexadecimal number. Matches an ASCII character using hexadecimal (exactly two digits).
\NNN     Escaped octal number. Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.

Creating a Regular Expression Class Map

A regular expression class map identifies one or more regular expressions. You can use a regular expression class map to match the content of certain traffic; for example, you can match URL strings inside HTTP packets.

To create a regular expression class map, perform the following steps:

Step 1 Create one or more regular expressions according to the "Creating a Regular Expression" section.

Step 2 Create a class map by entering the following command:

hostname(config)# class-map type regex match-any class_map_name
hostname(config-cmap)#

Where class_map_name is a string up to 40 characters in length. The name "class-default" is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.

The match-any keyword specifies that the traffic matches the class map if it matches only one of the regular expressions.

The CLI enters class-map configuration mode.
Step 3 (Optional) Add a description to the class map by entering the following command:

hostname(config-cmap)# description string

Step 4 Identify the regular expressions you want to include by entering the following command for each regular expression:

hostname(config-cmap)# match regex regex_name

The following example creates two regular expressions and adds them to a regular expression class map. Traffic matches the class map if it includes the string "example.com" or "example2.com."

hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2

Defining Actions (Layer 3/4 Policy Map)

This section describes how to associate actions with Layer 3/4 class maps by creating a Layer 3/4 policy map. This section includes the following topics:
• Layer 3/4 Policy Map Overview
• Default Layer 3/4 Policy Map
• Adding a Layer 3/4 Policy Map

Layer 3/4 Policy Map Overview

This section describes how Layer 3/4 policy maps work, and includes the following topics:
• Policy Map Guidelines
• Supported Feature Types
• Hierarchical Policy Maps
• Feature Directionality
• Feature Matching Guidelines within a Policy Map
• Feature Matching Guidelines for Multiple Policy Maps
• Order in Which Multiple Feature Actions Are Applied

Policy Map Guidelines

See the following guidelines for using policy maps:
• You can only assign one policy map per interface.
• You can apply the same policy map to multiple interfaces.
• You can identify multiple Layer 3/4 class maps in a Layer 3/4 policy map.
• For each class map, you can assign multiple actions from one or more feature types.
• You can create a hierarchical policy map. See the "Hierarchical Policy Maps" section.

Supported Feature Types

Feature types supported by the Modular Policy Framework that you can enable in the policy map include the following:
• QoS input policing
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
• CSC
• Application inspection
• IPS
• QoS output policing
• QoS standard priority queue
• QoS traffic shaping, hierarchical priority queue

Hierarchical Policy Maps

If you enable QoS traffic shaping for a class map, you can optionally enable priority queueing for a subset of the shaped traffic. To do so, you create a policy map for the priority queueing, and then, within the traffic shaping policy map, call the priority policy map. Only the traffic shaping policy map is applied to an interface. See Chapter 24, "Configuring QoS," for more information about this feature.

Hierarchical policy maps are only supported for traffic shaping and priority queueing.

To implement a hierarchical policy map, perform the following tasks:

1. Identify the prioritized traffic according to the "Identifying Traffic (Layer 3/4 Class Map)" section. You can create multiple class maps to be used in the hierarchical policy map.
2. Create a policy map according to the "Defining Actions (Layer 3/4 Policy Map)" section, and identify the sole action for each class map as priority.
3. Create a separate policy map according to the "Defining Actions (Layer 3/4 Policy Map)" section, and identify the shape action for the class-default class map. Traffic shaping can only be applied to the class-default class map.
4. For the same class-default class map, identify the priority policy map that you created in Step 2 using the service-policy priority_policy_map command.
5. Apply the shaping policy map to the interface according to the "Applying Actions to an Interface (Service Policy)" section.

Feature Directionality

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.

Note
When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy is applied in both directions anyway, so bidirectionality in this case is redundant.

For features that are applied unidirectionally, for example the QoS priority queue, only traffic that exits the interface to which you apply the policy map is affected. See Table 21-2 for the directionality of each feature.

Feature Matching Guidelines within a Policy Map

See the following guidelines for how a packet matches class maps in a policy map:
• A packet can match only one class map in the policy map for each feature type.
• When the packet matches a class map for a feature type, the security appliance does not attempt to match it to any subsequent class maps for that feature type.
• If the packet matches a subsequent class map for a different feature type, however, then the security appliance also applies the actions for the subsequent class map. For example, if a packet matches a class map for connection limits, and also matches a class map for application inspection, then both class map actions are applied.
• Conversely, if a packet matches a class map for application inspection, but also matches a later class map that includes application inspection, then the second class map's actions are not applied.

Table 21-2 Feature Directionality

Feature                                                                                                Single Interface Direction   Global Direction
TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization   Bidirectional                Ingress
CSC                                                                                                    Bidirectional                Ingress
Application inspection                                                                                 Bidirectional                Ingress
IPS                                                                                                    Bidirectional                Ingress
QoS input policing                                                                                     Ingress                      Ingress
QoS output policing                                                                                    Egress                       Egress
QoS standard priority queue                                                                            Egress                       Egress
QoS traffic shaping, hierarchical priority queue                                                       Egress                       Egress

Feature Matching Guidelines for Multiple Policy Maps

For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), Modular Policy Framework operates on traffic flows, not just on individual packets. If traffic is part of an existing connection that matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a policy on another interface; only the first policy is used.

For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected on the egress of the outside interface. Similarly, the return traffic for that connection is not inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.

For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP inspection, returning traffic can match a different policy map on the returning interface.
For example, if you configure IPS inspection on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful ping matches virtual sensor 1 outbound, but matches virtual sensor 2 inbound.

Order in Which Multiple Feature Actions Are Applied

The order in which different types of actions in a policy map are performed is independent of the order in which the actions appear in the policy map. Actions are performed in the following order:
• QoS input policing
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
• CSC
• Application inspection
• IPS
• QoS output policing
• QoS standard priority queue
• QoS traffic shaping, hierarchical priority queue

Note
When the security appliance performs a proxy service (such as AAA or CSC) or modifies the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied both before and after the proxy or payload-modifying service.

Default Layer 3/4 Policy Map

The configuration includes a default Layer 3/4 policy map that the security appliance uses in the default global policy. It is called global_policy and performs inspection on the default inspection traffic. You can only apply one global policy, so if you want to alter the global policy, you need to either reconfigure the default policy or disable it and apply a new one.
The default policy map configuration includes the following commands:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Adding a Layer 3/4 Policy Map

The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following steps:

Step 1 Add the policy map by entering the following command:

hostname(config)# policy-map policy_map_name

The policy_map_name argument is the name of the policy map, up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.

Step 2 (Optional) Specify a description for the policy map:

hostname(config-pmap)# description text

Step 3 Specify a previously configured Layer 3/4 class map using the following command:

hostname(config-pmap)# class class_map_name

See the "Identifying Traffic (Layer 3/4 Class Map)" section to add a class map.

Step 4 Specify one or more actions for this class map.
• IPS. See the "Diverting Traffic to the AIP SSM" section in Chapter 22.
• CSC. See the "Diverting Traffic to the CSC SSM" section in Chapter 22.
• TCP normalization. See the "Configuring TCP Normalization" section in Chapter 23.
• TCP and UDP connection limits and timeouts, and TCP sequence number randomization. See the "Configuring Connection Limits and Timeouts" section in Chapter 23.
• QoS. See Chapter 24, "Configuring QoS."

Note
You can configure a hierarchical policy map for the traffic shaping and priority queue features. See the "Hierarchical Policy Maps" section for more information.
• Application inspection. See Chapter 25, "Configuring Application Layer Protocol Inspection."

Note
If there is no match default-inspection-traffic command in a class map, then at most one inspect command is allowed to be configured under the class.

Step 5 Repeat Step 3 and Step 4 for each class map you want to include in this policy map.

The following is an example of a policy-map command for a connection policy. It limits the number of connections allowed to the web server 10.1.1.1:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server

hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256

The following example shows how multi-match works in a policy map:

hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0

The following example shows how traffic matches the first available class map, and does not match any subsequent class maps that specify actions in the same feature domain:

hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535

hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout tcp 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000

When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. Any TCP connection other than Telnet and FTP matches class tcp_traffic. Even though a Telnet or FTP connection could also match class tcp_traffic, the security appliance does not make this match because the connection previously matched another class for the same feature.

Applying Actions to an Interface (Service Policy)

To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces. Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.
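The two rules just described (within one policy map a connection matches only the first class for each feature type, but can still match later classes for other feature types; and an interface service policy replaces the global policy feature type by feature type) are modelled in the following Python script. It is an added example, not Cisco or appliance code: the feature-type names, connection fields, matching helpers and the two inspection classes ftp_inspect and http_inspect are assumptions of the model, while the connection-limit classes are taken from the Telnet/FTP/TCP example above.

```python
"""Model of which Layer 3/4 class-map actions a new connection receives.

Added example, not Cisco or appliance code.  It encodes the matching
guidelines from the text: within a policy map a connection matches only the
first class for each feature type, but can still match later classes for
other feature types, and an interface service policy replaces the global
policy feature type by feature type.  Feature-type names, connection fields,
the matching helpers and the ftp_inspect/http_inspect classes are
assumptions of this model.
"""

# Feature type of an action keyword (grouped as in the text's action order).
FEATURE_OF = {
    "inspect": "application inspection",
    "set connection": "connection limits and timeouts",
    "police input": "QoS input policing",
    "police output": "QoS output policing",
}


def feature_of(action):
    for keyword, feature in FEATURE_OF.items():
        if action.startswith(keyword):
            return feature
    raise ValueError("unknown action: " + action)


def tcp_port(port):
    return lambda conn: conn["proto"] == "tcp" and conn["dport"] == port


def tcp_range(lo, hi):
    return lambda conn: conn["proto"] == "tcp" and lo <= conn["dport"] <= hi


def udp_range(lo, hi):
    return lambda conn: conn["proto"] == "udp" and lo <= conn["dport"] <= hi


def apply_policy_map(policy_map, conn):
    """policy_map: ordered [(class_name, predicate, [action, ...]), ...].
    Returns {feature_type: (class_name, [actions])}."""
    result = {}
    for class_name, pred, actions in policy_map:
        if not pred(conn):
            continue
        for action in actions:
            feature = feature_of(action)
            # First matching class wins a feature type; a later class is
            # skipped for that type but still applies for other types.
            if feature not in result:
                result[feature] = (class_name, [])
            if result[feature][0] == class_name:
                result[feature][1].append(action)
    return result


def effective_actions(interface_policy, global_policy, conn):
    """Interface service policy takes precedence over the global one, per feature."""
    result = apply_policy_map(global_policy, conn) if global_policy else {}
    if interface_policy:
        result.update(apply_policy_map(interface_policy, conn))
    return result


# Global policy: two constructed inspection classes, then the connection-limit
# classes as in the Telnet/FTP/TCP example above.
GLOBAL_POLICY = [
    ("ftp_inspect", tcp_port(21), ["inspect ftp"]),
    ("http_inspect", tcp_port(80), ["inspect http"]),
    ("telnet_traffic", tcp_port(23),
     ["set connection timeout tcp 0:0:0", "set connection conn-max 100"]),
    ("ftp_traffic", tcp_port(21),
     ["set connection timeout tcp 0:5:0", "set connection conn-max 50"]),
    ("tcp_traffic", tcp_range(1, 65535),
     ["set connection timeout tcp 2:0:0", "set connection conn-max 2000"]),
    ("udp_traffic", udp_range(0, 65535), []),     # defined, no actions
]

# Interface policy on "outside" (constructed): inspect HTTP with a custom map.
OUTSIDE_POLICY = [
    ("http_traffic", tcp_port(80), ["inspect http http_map"]),
]


def classify(conn, interface="outside"):
    """Actions for a new connection arriving on the given interface."""
    iface_policy = OUTSIDE_POLICY if interface == "outside" else None
    return effective_actions(iface_policy, GLOBAL_POLICY, conn)
```

Running classify on an HTTP connection arriving on outside shows the interface policy's inspect http http_map replacing the global inspect http, while the global tcp_traffic connection limits still apply; a Telnet connection gets telnet_traffic's limits and never tcp_traffic's. This is the check to run mentally before adding an interface policy with its own inspect commands: any global inspections for that interface silently stop applying.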
• To create a service policy by associating a policy map with an interface, enter the following command:

hostname(config)# service-policy policy_map_name interface interface_name

• To create a service policy that applies to all interfaces that do not have a specific policy, enter the following command:

hostname(config)# service-policy policy_map_name global

By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. The default service policy includes the following command:

service-policy global_policy global

For example, the following command enables the inbound_policy policy map on the outside interface:

hostname(config)# service-policy inbound_policy interface outside

The following commands disable the default global policy and enable a new one called new_global_policy on all other security appliance interfaces:

hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global

Modular Policy Framework Examples

This section includes several Modular Policy Framework examples, and includes the following topics:
• Applying Inspection and QoS Policing to HTTP Traffic
• Applying Inspection to HTTP Traffic Globally
• Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
• Applying Inspection to HTTP Traffic with NAT

Applying Inspection and QoS Policing to HTTP Traffic

In this example (see Figure 21-1), any HTTP connection (TCP traffic on port 80) that enters or exits the security appliance through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing.

Figure 21-1 HTTP Inspection and QoS Policing
[Figure: Host A on the inside and Host B on the outside exchange port 80 traffic through the security appliance; inspection is applied in both directions on the outside interface, and policing to traffic leaving the outside interface.]

See the following commands for this example:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000

hostname(config)# service-policy http_traffic_policy interface outside

Applying Inspection to HTTP Traffic Globally

In this example (see Figure 21-2), any HTTP connection (TCP traffic on port 80) that enters the security appliance through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface.

Figure 21-2 Global HTTP Inspection
[Figure: Host A on the inside and Host B on the outside exchange port 80 traffic through the security appliance; inspection is applied as traffic enters each interface.]

See the following commands for this example:

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http

hostname(config)# service-policy http_traffic_policy global

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

In this example (see Figure 21-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters the security appliance through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the access list in the class map, so they are not affected.
Any HTTP connection destined for Server B that enters the security appliance through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the access list in the class map, so they are not affected.

Figure 21-3 HTTP Inspection and Connection Limits to Specific Servers
[Figure: on the inside, Server A (real address 192.168.1.2, mapped address 209.165.201.1) and Host B (real address 192.168.1.1, mapped address 209.165.201.2:port); on the outside, Host A 209.165.200.226 and Server B 209.165.200.227. Port 80 traffic to Server A receives inspection and connection limits; port 80 traffic to Server B receives inspection.]

See the following commands for this example:

hostname(config)# static (inside,outside) 209.165.201.1 192.168.1.2
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.2

hostname(config)# access-list serverA extended permit tcp any host 209.165.201.1 eq 80
hostname(config)# access-list serverB extended permit tcp any host 209.165.200.227 eq 80

hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB

hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http

hostname(config)# service-policy policy_serverB interface inside
hostname(config)# service-policy policy_serverA interface outside

Note that the access list name in the class map must match the access-list command exactly; access list names are case-sensitive.

Applying Inspection to HTTP Traffic with NAT

In this example, the host on the inside network has two addresses: one is the real IP address, 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225.
Because the policy is applied to the inside interface, where the real address is used, you must use the real IP address in the access list in the class map. If you applied the policy to the outside interface, you would use the mapped address.

Figure 21-4 HTTP Inspection with NAT
(Figure: a host with real IP 192.168.1.1 and mapped IP 209.165.200.225 on the inside; a server at 209.165.201.1 on the outside; port 80 traffic is inspected on the inside interface.)

See the following commands for this example:

hostname(config)# static (inside,outside) 209.165.200.225 192.168.1.1
hostname(config)# access-list http_client extended permit tcp host 192.168.1.1 any eq 80
hostname(config)# class-map http_client
hostname(config-cmap)# match access-list http_client
hostname(config)# policy-map http_client
hostname(config-pmap)# class http_client
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_client interface inside

Chapter 22 Managing AIP SSM and CSC SSM

The Cisco ASA 5500 series adaptive security appliance supports a variety of SSMs. This chapter describes how to configure the adaptive security appliance to support an AIP SSM or a CSC SSM, including how to send traffic to these SSMs. For information about the 4GE SSM for the ASA 5500 series adaptive security appliance, see Chapter 5, “Configuring Ethernet Settings and Subinterfaces”.

Note The Cisco PIX 500 series security appliances cannot support SSMs.
This chapter includes the following sections:
• Managing the AIP SSM, page 22-1
• Managing the CSC SSM, page 22-5
• Checking SSM Status, page 22-13
• Transferring an Image onto an SSM, page 22-14

Managing the AIP SSM

This section contains the following topics:
• About the AIP SSM, page 22-1
• Getting Started with the AIP SSM, page 22-2
• Diverting Traffic to the AIP SSM, page 22-2
• Sessioning to the AIP SSM and Running Setup, page 22-4

About the AIP SSM

The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.

The AIP SSM can operate in one of two modes, as follows:
• Inline mode—Places the AIP SSM directly in the traffic flow. No traffic can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput. You specify this mode with the inline keyword of the ips command.
• Promiscuous mode—Sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike operation in inline mode, the SSM operating in promiscuous mode can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance.
Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can block it. You specify this mode with the promiscuous keyword of the ips command.

You can specify how the adaptive security appliance treats traffic when the AIP SSM is unavailable due to hardware failure or other causes. Two keywords of the ips command control this behavior. The fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable. The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable. Choose fail-open only where availability of the diverted traffic matters more than its inspection, because an SSM outage then removes IPS coverage without blocking anything. For more information about configuring the operating mode of the AIP SSM and how the adaptive security appliance treats traffic during an AIP SSM failure, see the “Diverting Traffic to the AIP SSM” section on page 22-2.

Getting Started with the AIP SSM

Configuring the AIP SSM is a two-part process that involves configuration of the ASA 5500 series adaptive security appliance first, and then configuration of the AIP SSM:
1. On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM (as described in the “Diverting Traffic to the AIP SSM” section on page 22-2).
2. On the AIP SSM, configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. Because the IPS software that runs on the AIP SSM is very robust and beyond the scope of this document, detailed configuration information is available in the following separate documentation:
• Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
• Cisco Intrusion Prevention System Command Reference

Diverting Traffic to the AIP SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM.
Before configuring the adaptive security appliance to do so, read Chapter 21, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps:

Step 1 Create an access list that matches all traffic:
hostname(config)# access-list acl-name permit ip any any

Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM. Use the class-map command to do so, as follows:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.

Step 3 With the access list you created in Step 1, use a match access-list command to identify the traffic to be scanned:
hostname(config-cmap)# match access-list acl-name

Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the AIP SSM. To do so, use the policy-map command, as follows:
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters policy map configuration mode and the prompt changes accordingly.

Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the name of the class map you created in Step 2. The CLI enters policy map class configuration mode and the prompt changes accordingly.

Step 6 Assign the traffic identified by the class map as traffic to be sent to the AIP SSM. Use the ips command to do so, as follows:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}

The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when the AIP SSM is unavailable. For more information about the operating modes and failure behavior, see the “About the AIP SSM” section on page 22-1.

Step 7 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

The adaptive security appliance begins diverting traffic to the AIP SSM as specified.
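The procedure above produces a handful of configuration lines, and the csc command later in this chapter uses exactly the same class-map, policy-map and service-policy structure. The following Python script is an added example (not from the Cisco guide or from the appliance software) that parses those lines as they appear in a running configuration, without CLI prompts, and reports what each policy diverts to an SSM and how it behaves if the SSM fails. The sample configuration it contains is constructed: it combines the AIP SSM example from this section with a hypothetical csc policy (csc_out_policy, applied to an interface named inside, with a fail-open action) and an orphaned policy map that is never applied with service-policy.

```python
"""Audit Cisco ASA MPF configuration for SSM traffic diversion (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, not taken from a real device: the AIP SSM example from this
# chapter plus a hypothetical CSC policy on "inside" and an unapplied policy map.
SAMPLE_CONFIG = """
access-list IPS extended permit ip any any
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
class-map my-ips-class
 match access-list IPS
class-map csc_outbound_class
 match access-list csc_out
class-map unused_class
 match access-list csc_out
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-close
policy-map csc_out_policy
 class csc_outbound_class
  set connection per-client-max 20
  csc fail-open
policy-map orphan_policy
 class unused_class
  csc fail-close
service-policy my-ips-policy global
service-policy csc_out_policy interface inside
"""


@dataclass
class Divert:
    policy: str
    class_name: str
    acl: Optional[str]             # access list named by match access-list, if any
    ssm: str                       # "ips" (AIP SSM) or "csc" (CSC SSM)
    mode: Optional[str]            # "inline" or "promiscuous" for ips, None for csc
    fail: str                      # "fail-close" or "fail-open"
    per_client_max: Optional[int]  # from set connection per-client-max, if present
    targets: list = field(default_factory=list)  # "global" and/or interface names


def parse_mpf(config: str) -> list:
    """Return one Divert per policy-map class that carries an ips or csc action."""
    class_acls = {}   # class-map name -> access-list name
    policies = {}     # policy-map name -> list of class entries (dicts)
    applied = {}      # policy-map name -> service-policy targets
    cur_class = cur_policy = cur_entry = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        cmd = words[0]
        if cmd == "class-map":
            cur_class, cur_policy, cur_entry = words[1], None, None
        elif cmd == "match" and cur_class and words[1] == "access-list":
            class_acls[cur_class] = words[2]
        elif cmd == "policy-map":
            cur_policy, cur_class, cur_entry = words[1], None, None
            policies.setdefault(cur_policy, [])
        elif cmd == "class" and cur_policy:
            cur_entry = {"class": words[1]}
            policies[cur_policy].append(cur_entry)
        elif cmd in ("ips", "csc") and cur_entry is not None:
            cur_entry["ssm"] = cmd
            cur_entry["mode"] = words[1] if cmd == "ips" else None
            cur_entry["fail"] = words[-1]
        elif cmd == "set" and cur_entry is not None:
            m = re.search(r"per-client-max (\d+)", raw)
            if m:
                cur_entry["per_client_max"] = int(m.group(1))
        elif cmd == "service-policy":
            target = "global" if words[2] == "global" else words[3]
            applied.setdefault(words[1], []).append(target)
    diverts = []
    for pname, entries in policies.items():
        for e in entries:
            if "ssm" in e:
                diverts.append(Divert(pname, e["class"], class_acls.get(e["class"]),
                                      e["ssm"], e["mode"], e["fail"],
                                      e.get("per_client_max"), applied.get(pname, [])))
    return diverts


def audit(diverts) -> list:
    """Findings a reviewer would raise about the diversion policy."""
    findings = []
    for d in diverts:
        where = f"{d.policy}/{d.class_name}"
        if not d.targets:
            findings.append(f"{where}: policy-map is never applied with service-policy, nothing is diverted")
        if d.acl is None:
            findings.append(f"{where}: class-map has no match access-list, cannot tell what is diverted")
        if d.fail == "fail-open":
            findings.append(f"{where}: {d.ssm} fail-open, matched traffic passes uninspected if the SSM is unavailable")
        if d.ssm == "ips" and d.mode == "promiscuous":
            findings.append(f"{where}: ips promiscuous, the AIP SSM can only shun or reset after the fact")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mpf(SAMPLE_CONFIG)):
        print(finding)
```

Run it as a script to print the findings for the sample, or feed parse_mpf the output of show running-config. Treat every fail-open result as a deliberate availability decision that should be recorded, because the audit cannot tell a considered choice from a forgotten one.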
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:

hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ips-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ips-policy global

For a complete example of network traffic diversion from the adaptive security appliance to the AIP SSM, see Example 16: Network Traffic Diversion.

Sessioning to the AIP SSM and Running Setup

After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the setup utility for initial configuration.

Note You can either session to the SSM from the adaptive security appliance (by using the session 1 command) or you can connect directly to the SSM using SSH or Telnet on its management interface. Prefer SSH, because Telnet sends the login credentials in cleartext. Alternatively, you can use ASDM.

To session to the AIP SSM from the adaptive security appliance, perform the following steps:

Step 1 Enter the session 1 command to session from the ASA 5500 series adaptive security appliance to the AIP SSM:
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Step 2 Enter the username and password. The default username and password are both cisco.

Note The first time you log in to the AIP SSM you are prompted to change the default password. Passwords must be at least eight characters long and not a dictionary word.
login: cisco
Password:
Last login: Fri Sep 2 06:21:20 from xxx.xxx.xxx.xxx
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
AIP SSM#

Note If you see the preceding license notice (which displays only in some versions of software), you can ignore the message until you need to upgrade the signature files on the AIP SSM. The AIP SSM continues to operate at the current signature level until a valid license key is installed. You can install the license key at a later time. The license key does not affect the current functionality of the AIP SSM.

Step 3 Enter the setup command to run the setup utility for initial configuration of the AIP SSM:
AIP SSM# setup

You are now ready to configure the AIP SSM for intrusion prevention.
See the following two guides for AIP SSM configuration information:
• Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
• Cisco Intrusion Prevention System Command Reference

Managing the CSC SSM

This section contains the following topics:
• About the CSC SSM, page 22-5
• Getting Started with the CSC SSM, page 22-7
• Determining What Traffic to Scan, page 22-9
• Limiting Connections Through the CSC SSM, page 22-11
• Diverting Traffic to the CSC SSM, page 22-11

About the CSC SSM

The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you configure the adaptive security appliance to send to it.

Figure 22-1 illustrates the flow of traffic through an adaptive security appliance that has the following:
• A CSC SSM installed and set up.
• A service policy that determines what traffic is diverted to the SSM for scans.

In this example, the client could be a network user who is accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server. SMTP scans differ in that you should configure the adaptive security appliance to scan traffic sent from outside to SMTP servers protected by the adaptive security appliance.

Note The CSC SSM can scan FTP file transfers only when FTP inspection is enabled on the adaptive security appliance. By default, FTP inspection is enabled.

Figure 22-1 Flow of Scanned Traffic with CSC SSM
(Figure: a client on the inside sends a request; the modular service policy in the adaptive security appliance main system diverts it to the CSC SSM for a content security scan; the request is then forwarded to the server on the outside, and the reply returns along the same path before being forwarded to the client.)

You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM.
Use of the CSC SSM GUI is explained in the Trend Micro InterScan for Cisco CSC SSM Administrator Guide.

Note ASDM and the CSC SSM maintain separate passwords. You can configure their passwords to be identical; however, changing one of these two passwords does not affect the other password.

The connection between the host running ASDM and the adaptive security appliance is made through a management port on the adaptive security appliance. The connection to the CSC SSM GUI is made through the SSM management port. Because these two connections are required to manage the CSC SSM, any host running ASDM must be able to reach the IP address of both the adaptive security appliance management port and the SSM management port.

Figure 22-2 shows an adaptive security appliance with a CSC SSM that is connected to a dedicated management network. While use of a dedicated management network is not required, we recommend it. Of particular interest in Figure 22-2 are the following:
• An HTTP proxy server is connected to the inside network and to the management network. This enables the CSC SSM to contact the Trend Micro update server.
• The management port of the adaptive security appliance is connected to the management network. To permit management of the adaptive security appliance and the CSC SSM, hosts running ASDM must be connected to the management network.
• The management network includes an SMTP server for email notifications for the CSC SSM and a syslog server that the CSC SSM can send syslog messages to.
Figure 22-2 CSC SSM Deployment with a Management Network
(Figure: the adaptive security appliance management port and the SSM management port both connect to a management network that hosts the ASDM host, a syslog server and an SMTP notification server; an HTTP proxy bridges the inside network and the management network so that the CSC SSM can reach the Trend Micro update server on the Internet.)

The CSC SSM cannot support stateful failover, because the CSC SSM does not maintain connection information and therefore cannot provide the failover unit with the information necessary for stateful failover. The connections that a CSC SSM is scanning are dropped upon failure of the security appliance that the CSC SSM is installed in. When the standby adaptive security appliance becomes active, it forwards the scanned traffic to its own CSC SSM and the connections are reset.

Getting Started with the CSC SSM

Before you receive the security benefits provided by a CSC SSM, you must perform several steps beyond simple hardware installation of the SSM. This procedure provides an overview of those steps.

To configure the adaptive security appliance and the CSC SSM, follow these steps:

Step 1 If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM. For assistance with installation and connecting the SSM, see the Cisco ASA 5500 Series Hardware Installation Guide. The management port of the CSC SSM must be connected to your network to allow management of and automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management port for email notifications and syslogging.

Step 2 With the CSC SSM, you should have received a Product Authorization Key (PAK). Use the PAK to register the CSC SSM at the following URL:
http://www.cisco.com/go/license
After you register, you will receive activation keys by email.
The activation keys are required before you can complete Step 6.

Step 3 Gather the following information, for use in Step 6:
• Activation keys, received after completing Step 2.
• SSM management port IP address, netmask, and gateway IP address.

Note The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.

• DNS server IP address.
• HTTP proxy server IP address (required only if your security policies require use of a proxy server for HTTP access to the Internet).
• Domain name and hostname for the SSM.
• An email address and an SMTP server IP address and port number, for email notifications.
• IP addresses of hosts or networks allowed to manage the CSC SSM.
• Password for the CSC SSM.

Step 4 In a web browser, access ASDM for the adaptive security appliance that the CSC SSM is in.

Note If you are accessing ASDM for the first time, see the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for assistance with the Startup Wizard. For more information about enabling ASDM access, see the “Allowing HTTPS Access for ASDM” section on page 40-3.

Step 5 Verify time settings on the adaptive security appliance. Time setting accuracy is important for logging of security events and for automatic updates of CSC SSM software.
• If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock.
• If you are using NTP, verify the NTP configuration.
Choose Configuration > Properties > Device Administration > NTP.

Step 6 In ASDM, run the Content Security setup wizard. To do so, access the ASDM GUI in a supported web browser and on the Home page, click the Content Security tab. The Content Security setup wizard runs. For assistance with the Content Security setup wizard, click the Help button.

Note If you are accessing ASDM for the first time, see the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for assistance with the Startup Wizard.

Step 7 On the ASA 5500 series adaptive security appliance, identify traffic to divert to the CSC SSM (as described in the “Diverting Traffic to the CSC SSM” section on page 22-11).

Step 8 (Optional) Review the default content security policies in the CSC SSM GUI. The default content security policies are suitable for most implementations. Modifying them is advanced configuration that you should perform only after reading the Trend Micro InterScan for Cisco CSC SSM Administrator Guide.

You review the content security policies by viewing the enabled features in the CSC SSM GUI. The availability of features depends on the license level you purchased. By default, all features included in the license you purchased are enabled. With a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. With a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.

To access the CSC SSM GUI, in ASDM choose Configuration > Trend Micro Content Security, and then select one of the following: Web, Mail, File Transfer, or Updates.
The blue links on these panes, beginning with the word “Configure”, open the CSC SSM GUI.

Determining What Traffic to Scan

The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic. It supports these protocols only when the destination port of the packet requesting the connection is the well known port for the protocol; that is, the CSC SSM can scan only the following connections:
• FTP connections opened to TCP port 21.
• HTTP connections opened to TCP port 80.
• POP3 connections opened to TCP port 110.
• SMTP connections opened to TCP port 25.

A connection to one of these protocols on any other port (for example, HTTP on TCP port 8080) is not scanned even if a service policy matches it, so such traffic receives no content security protection from the CSC SSM.

You can choose to scan traffic for all of these protocols or any combination of them. For example, if you do not allow network users to receive POP3 email, you would not want to configure the adaptive security appliance to divert POP3 traffic to the CSC SSM (you would want to block it instead).

To maximize performance of the adaptive security appliance and the CSC SSM, divert to the CSC SSM only the traffic that you want the CSC SSM to scan. Needlessly diverting traffic that you do not want to scan, such as traffic between a trusted source and destination, can adversely affect network performance.

The action of scanning traffic with the CSC SSM is enabled with the csc command, which must be part of a service policy. Service policies can be applied globally or to specific interfaces; therefore, you can choose to enable the csc command globally or for specific interfaces. Adding the csc command to your global policy ensures that all unencrypted connections through the adaptive security appliance are scanned by the CSC SSM; however, this may mean that traffic from trusted sources is needlessly scanned.

If you enable the csc command in interface-specific service policies, it is bi-directional.
This means that when the adaptive security appliance opens a new connection, if the csc command is active on either the inbound or the outbound interface of the connection and if the class map for the policy identifies traffic for scanning, the adaptive security appliance diverts it to the CSC SSM. However, bi-directionality means that if you divert to the CSC SSM any of the supported traffic types that cross a given interface, the CSC SSM is likely performing needless scans on traffic from your trusted inside networks. For example, URLs and files requested from web servers on a DMZ network are unlikely to pose content security risks to hosts on an inside network, and you probably do not want the adaptive security appliance to divert such traffic to the CSC SSM.

Therefore, we highly recommend using access lists to further limit the traffic selected by the class maps of CSC SSM service policies. Specifically, use access lists that match the following:
• HTTP connections to outside networks.
• FTP connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance.
• POP3 connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance.
• Incoming SMTP connections destined to inside mail servers.

In Figure 22-3, the adaptive security appliance should be configured to divert to the CSC SSM requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. HTTP requests from the inside network to the web server on the DMZ network should not be scanned.
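To see how these rules combine, the following Python model is an added example (not from the Cisco guide) that applies the class-map matching described above to the Figure 22-3 scenario: first-match access-list evaluation, deny ACEs that exempt rather than block, a policy that applies to both directions of its interface, and the real-versus-mapped address rule from the Chapter 21 NAT example. The access lists are the csc_out and csc_in lists used in this section, with an exemption for a trusted external web server at 209.165.201.7 inserted ahead of the broad port 80 permit. The interface-to-network routing table, the static NAT entry for 192.168.10.5, and the client and server addresses are constructed assumptions for the example.

```python
"""Check which connections ASA CSC SSM service policies select (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" selects traffic, "deny" exempts it from the class
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


def _addr(words, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at words[i]; return (network, next index)."""
    if words[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if words[i] == "host":
        return ipaddress.ip_network(words[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(words[i] + "/" + words[i + 1]), i + 2


def parse_ace(line):
    """Parse: access-list NAME [extended] {permit|deny} tcp SRC DST eq PORT"""
    w = line.split()
    i = 3 if w[2] == "extended" else 2
    action, proto = w[i], w[i + 1]
    src, i = _addr(w, i + 2)
    dst, i = _addr(w, i)
    if w[i] != "eq":
        raise ValueError("only 'eq PORT' destination operators are supported: " + line)
    return ACE(action, proto, src, dst, int(w[i + 1]))


def acl_selects(aces, src, dst, dport, proto="tcp"):
    """First matching ACE decides; no match means the class map does not select the flow."""
    for a in aces:
        if a.proto == proto and a.dport == dport and src in a.src and dst in a.dst:
            return a.action == "permit"
    return False


# Constructed topology for Figure 22-3: anything not inside or DMZ is reached via outside.
ROUTES = {"inside": ipaddress.ip_network("192.168.10.0/24"),
          "dmz": ipaddress.ip_network("192.168.20.0/24")}
# Constructed static (inside,outside) NAT entry: real address -> mapped address.
STATIC_NAT = {ipaddress.ip_address("192.168.10.5"): ipaddress.ip_address("209.165.200.225")}


def iface_of(ip):
    return next((name for name, net in ROUTES.items() if ip in net), "outside")


def seen_on(iface, ip):
    """Address of a host as it appears on iface: mapped on outside, real elsewhere."""
    return STATIC_NAT.get(ip, ip) if iface == "outside" else ip


def diverted(policies, src, dst, dport):
    """policies maps interface name -> ACE list of the csc class map applied there.
    An interface policy is bi-directional: it applies when the connection enters or
    leaves that interface, matching addresses as they are seen on that interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = iface_of(src), iface_of(dst)
    for iface in dict.fromkeys((ingress, egress)):
        if acl_selects(policies.get(iface, []), seen_on(iface, src), seen_on(iface, dst), dport):
            return True
    return False


CSC_OUT = [parse_ace(line) for line in (
    "access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21",
    "access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80",
    "access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80",
    "access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80",
    "access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110")]
CSC_IN = [parse_ace(line) for line in (
    "access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25",
    "access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80")]
POLICIES = {"inside": CSC_OUT, "outside": CSC_IN}
# The same exemption appended after the broad port 80 permit: it is never reached.
CSC_OUT_MISORDERED = CSC_OUT[:2] + CSC_OUT[3:] + [CSC_OUT[2]]

if __name__ == "__main__":
    for s, d, p in (("192.168.10.5", "198.51.100.10", 80), ("192.168.10.5", "192.168.20.10", 80),
                    ("203.0.113.9", "192.168.20.20", 25), ("192.168.10.5", "198.51.100.10", 8080)):
        print(s, "->", d, p, "diverted" if diverted(POLICIES, s, d, p) else "not diverted")
```

CSC_OUT_MISORDERED shows what happens if the trusted-site exemption is simply added with another access-list csc_out command, which appends it after the permit that already matches port 80 to any destination: diverted() then reports the trusted site as scanned, because ACEs are evaluated in order and the deny is never reached. On the appliance, use the line keyword of the access-list command to insert the deny ahead of the permit.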
Figure 22-3 Common Network Configuration for CSC SSM Scanning
(Figure: the inside network 192.168.10.0, the DMZ network 192.168.20.0 with a web server and a mail server, and the network 192.168.30.0 attach to the adaptive security appliance; the outside interface connects to the Internet.)

There are many ways you could configure the adaptive security appliance to identify the traffic that you want to scan. One approach is to define two service policies, one on the inside interface and the other on the outside interface, each with an access list that matches traffic to be scanned. The following access list could be used on the policy applied to the inside interface:

access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110

As previously mentioned, policies applying the csc command to a specific interface are effective on both ingress and egress traffic, but by specifying 192.168.10.0 as the source network in the csc_out access list, the policy applied to the inside interface matches only connections initiated by the hosts on the inside network.

Notice also that the second ACE of the access list uses the deny keyword. This ACE does not mean the adaptive security appliance blocks traffic sent from the 192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. It simply exempts the traffic from being matched by the policy map and thus prevents the adaptive security appliance from sending it to the CSC SSM. Because an access list is evaluated in order and the first matching ACE wins, a deny ACE that exempts traffic must appear before any permit ACE that would otherwise match the same traffic.

You can use deny statements in an access list to exempt connections with trusted external hosts from being scanned. For example, to reduce the load on the CSC SSM, you might want to exempt HTTP traffic to a well known, trusted site.
If the web server at such a site had the IP address 209.165.201.7, you could add the following ACE to the csc_out access list to exclude HTTP connections between the trusted external web server and inside hosts from being scanned by the CSC SSM. Insert it ahead of the permit ACE for TCP port 80 (using the line keyword of the access-list command), because an ACE added without a line number is appended to the end of the list and would never be reached:

access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80

The second policy in this example, applied to the outside interface, could use the following access list:

access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25

This access list matches inbound SMTP connections from any external host to any host on the DMZ network. The policy applied to the outside interface would therefore ensure that incoming SMTP email is diverted to the CSC SSM for scanning. It would not match SMTP connections from hosts on the inside network to the mail server on the DMZ network, because those connections never use the outside interface.

If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could add the following ACE to the csc_in access list to use the CSC SSM to protect the web server from infected files:

access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80

For a complete example service policy configuration using the access lists in this section, see Example 22-1.

Limiting Connections Through the CSC SSM

The adaptive security appliance can prevent the CSC SSM and the destinations of connections it scans from accepting or even receiving requests for more connections than desired. It can do so for embryonic connections or fully established connections. Also, you can specify limits for all clients included in a class map and per-client limits.
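The following Python simulation is an added example (not from the Cisco guide) of how the class-wide and per-client limits of the set connection command interact for one traffic class. It treats a TCP connection request whose handshake has not completed as embryonic and a completed connection as established, and refuses any request that would exceed a configured limit; the appliance's own handling of excess embryonic connections, which can involve proxying the handshake rather than dropping it, is simplified to a refusal here. The embryonic-conn-max keyword is the appliance's name for the class-wide embryonic limit and is not shown in this chapter; the client addresses and the flood scenario are constructed for the example.

```python
"""Simulate set connection limits for one ASA traffic class (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ConnLimits:
    """The set connection parameters; 0 means the limit is not configured."""
    conn_max: int = 0                  # all connections, all clients in the class
    embryonic_conn_max: int = 0        # half-open connections, all clients in the class
    per_client_max: int = 0            # all connections per client address
    per_client_embryonic_max: int = 0  # half-open connections per client address


class ClassConnTracker:
    """Tracks connections for one traffic class and applies the configured limits."""

    def __init__(self, limits):
        self.limits = limits
        self.embryonic = Counter()    # client -> half-open connections
        self.established = Counter()  # client -> completed connections
        self.dropped = Counter()      # limit name -> requests refused because of it

    def _checks(self, client):
        lim = self.limits
        total_emb = sum(self.embryonic.values())
        total = total_emb + sum(self.established.values())
        per_client = self.embryonic[client] + self.established[client]
        return (("conn-max", total, lim.conn_max),
                ("embryonic-conn-max", total_emb, lim.embryonic_conn_max),
                ("per-client-max", per_client, lim.per_client_max),
                ("per-client-embryonic-max", self.embryonic[client], lim.per_client_embryonic_max))

    def syn(self, client):
        """A new connection request from client; True if it is allowed through."""
        for name, current, limit in self._checks(client):
            if limit and current >= limit:
                self.dropped[name] += 1
                return False
        self.embryonic[client] += 1
        return True

    def handshake_done(self, client):
        """The three-way handshake completed: the connection is now established."""
        if self.embryonic[client] == 0:
            raise ValueError(f"no embryonic connection for {client}")
        self.embryonic[client] -= 1
        self.established[client] += 1

    def close(self, client):
        if self.established[client] == 0:
            raise ValueError(f"no established connection for {client}")
        self.established[client] -= 1


def simulate_flood(limits, attacker_syns=50, attacker="203.0.113.66",
                   legit=("198.51.100.7", "198.51.100.8")):
    """Constructed scenario: one client sends SYNs that never complete the handshake,
    then two ordinary clients each open and complete one connection."""
    tracker = ClassConnTracker(limits)
    attacker_accepted = sum(tracker.syn(attacker) for _ in range(attacker_syns))
    legit_accepted = []
    for client in legit:
        ok = tracker.syn(client)
        if ok:
            tracker.handshake_done(client)
        legit_accepted.append(ok)
    return {"attacker_accepted": attacker_accepted,
            "legit_accepted": legit_accepted,
            "dropped": dict(tracker.dropped)}


if __name__ == "__main__":
    print("class-wide limit only:", simulate_flood(ConnLimits(conn_max=20)))
    print("with per-client limit:", simulate_flood(ConnLimits(conn_max=100, per_client_embryonic_max=10)))
```

With only a class-wide conn-max, the flooding client consumes the whole allowance and the two ordinary clients are refused; adding per-client-embryonic-max caps the flooder at its own budget and leaves capacity for everyone else. A per-client limit does nothing against many distinct source addresses, so the class-wide limits still need to be sized for the protected servers.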
The set connection command lets you configure these limits. The per-client-embryonic-max and per-client-max parameters limit the maximum number of connections that individual clients can open. If a client uses more network resources simultaneously than is desired, you can use these parameters to limit the number of connections that the adaptive security appliance allows each client.

DoS attacks seek to disrupt networks by overwhelming the capacity of key hosts with connections or requests for connections. You can use the set connection command to mitigate such attacks. After you configure a per-client maximum that can be supported by the hosts likely to be attacked, a single malicious client is unable to overwhelm hosts on protected networks; an attack spread across many source addresses is bounded only by the class-wide limits, such as conn-max. Use of the set connection command to protect the CSC SSM and the destinations of connections it scans is included in the “Diverting Traffic to the CSC SSM” section on page 22-11.

Diverting Traffic to the CSC SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to do so, read Chapter 21, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps:

Step 1 Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the access-list extended command. Create as many ACEs as needed to match all the traffic. For example, if you want to specify FTP, HTTP, POP3, and SMTP traffic, you would need four ACEs. For guidance on identifying the traffic you want to scan, see the “Determining What Traffic to Scan” section on page 22-9.

Step 2 Create a class map to identify the traffic that should be diverted to the CSC SSM.
Use the class-map command to do so, as follows:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.

Step 3 With the access list you created in Step 1, use a match access-list command to identify the traffic to be scanned:
hostname(config-cmap)# match access-list acl-name

Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the CSC SSM. To do so, use the policy-map command, as follows:
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters policy map configuration mode and the prompt changes accordingly.

Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the name of the class map you created in Step 2. The CLI enters policy map class configuration mode and the prompt changes accordingly.

Step 6 If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance diverts to the CSC SSM, use the set connection command, as follows:
hostname(config-pmap-c)# set connection per-client-max n
where n is the maximum number of simultaneous connections the adaptive security appliance allows per client. This prevents a single client from abusing the services of the CSC SSM or any server protected by the SSM, including attempts at DoS attacks on HTTP, FTP, POP3, or SMTP servers that the CSC SSM protects.

Step 7 Assign the traffic identified by the class map as traffic to be sent to the CSC SSM. Use the csc command to do so, as follows:
hostname(config-pmap-c)# csc {fail-close | fail-open} The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when the CSC SSM is unavailable. For more information about the operating modes and failure behavior, see the “About the CSC SSM” section on page 22-5. Step 8 Use the service-policy command to apply the policy map globally or to a specific interface, as follows: hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID] hostname(config)# where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. The adaptive security appliance begins diverting traffic to the CSC SSM as specified.22-13 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 22 Managing AIP SSM and CSC SSM Checking SSM Status Example 22-1 is based on the network shown in Figure 22-3. It creates two service policies. The first policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP connections from inside to networks on the outside interface are scanned but it includes a deny ACE to exclude HTTP connections from inside to servers on the DMZ network. 
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file uploads. Example 22-1 Service Policies for a Common CSC SSM Scanning Scenario hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21 hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80 hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80 hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110 hostname(config)# class-map csc_outbound_class hostname(config-cmap)# match access-list csc_out hostname(config)# policy-map csc_out_policy hostname(config-pmap)# class csc_outbound_class hostname(config-pmap-c)# csc fail-close hostname(config)# service-policy csc_out_policy interface inside hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25 hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80 hostname(config)# class-map csc_inbound_class hostname(config-cmap)# match access-list csc_in hostname(config)# policy-map csc_in_policy hostname(config-pmap)# class csc_inbound_class hostname(config-pmap-c)# csc fail-close hostname(config)# service-policy csc_in_policy interface outside Note FTP inspection must be enabled for CSC SSM to scan files transferred by FTP. FTP inspection is enabled by default. Checking SSM Status To check the status of an SSM, use the show module command. The follow example output is from an adaptive security appliance with a CSC SSM installed. The Status field indicates the operational status of the SSM. An SSM operating normally has a status of “Up” in the output of the show module command. 
While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads “Recover”. For more information about possible statuses, see the entry for the show module command in the Cisco Security Appliance Command Reference.

hostname# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            P3000000034
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         0

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 000b.fcf8.c30d to 000b.fcf8.c311  1.0          1.0(10)0     7.1(0)1
  1 000b.fcf8.012c to 000b.fcf8.012c  1.0          1.0(10)0     Trend Micro InterScan Security Module Version 5.0

Mod SSM Application Name           SSM Application Version
--- ------------------------------ --------------------------
  1 Trend Micro InterScan Security Version 5.0

Mod Status             Data Plane Status     Compatability
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up

The argument 1, at the end of the command, is the slot number occupied by the SSM. If you do not know the slot number, you can omit it and see information about all modules, including the adaptive security appliance, which is considered to occupy slot 0 (zero).

Use the details keyword to view additional information for the SSM. The following example output is from an adaptive security appliance with a CSC SSM installed.

hostname# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model:              ASA-SSM-20
Hardware version:   1.0
Serial Number:      0
Firmware version:   1.0(10)0
Software version:   Trend Micro InterScan Security Module Version 5.0
App. name:          Trend Micro InterScan Security Module
App. version:       Version 5.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Up
FTP Service:        Up
Activated:          Yes
Mgmt IP addr:       10.23.62.92
Mgmt web port:      8443

Transferring an Image onto an SSM

For an intelligent SSM, such as AIP SSM or CSC SSM, you can transfer application images from a TFTP server to the SSM. This process supports upgrade images and maintenance images.

Note If you are upgrading the application on the SSM, the SSM application may support backup of its configuration. If you do not back up the configuration of the SSM application, it is lost when you transfer an image onto the SSM. For more information about how your SSM supports backups, see the documentation for your SSM.

To transfer an image onto an intelligent SSM, perform the following steps:

Step 1 Create or modify a recovery configuration for the SSM. To do so, perform the following steps:

a. Determine if there is a recovery configuration for the SSM. To do so, use the show module command with the recover keyword, as follows.

hostname# show module slot recover

where slot is the slot number occupied by the SSM. If the recover keyword is not valid, a recovery configuration does not exist. The recover keyword of the show module command is available only when a recovery configuration exists for the SSM.

Note When the adaptive security appliance operates in multiple context mode, the configure keyword is available only in the system context.

If there is a recovery configuration for the SSM, the adaptive security appliance displays it. Examine the recovery configuration closely to ensure that it is correct, especially the Image URL field. The following example shows a recovery configuration for an SSM in slot 1.

hostname# show module 1 recover
Module 1 recover parameters. . .
Boot Recovery Image: Yes
Image URL:           tftp://10.21.18.1/ids-oldimg
Port IP Address:     10.1.2.10
Port Mask :          255.255.255.0
Gateway IP Address:  10.1.2.254

b. If you need to create or modify the recovery configuration, use the hw-module module recover command with the configure keyword, as follows:

hostname# hw-module module slot recover configure

where slot is the slot number occupied by the SSM. Complete the prompts as applicable. If you are modifying a configuration, you can keep the previously configured value by pressing Enter. The following example shows the prompts. For more information about them, see the entry for the hw-module module recover command in the Cisco Security Appliance Command Reference.

Image URL [tftp://0.0.0.0/]:
Port IP Address [0.0.0.0]:
VLAN ID [0]:
Gateway IP Address [0.0.0.0]:

Note Be sure the TFTP server you specify can transfer files up to 60 MB in size. Also, be sure the TFTP server can connect to the management port IP address that you specify for the SSM.

After you complete the prompts, the adaptive security appliance is ready to transfer to the SSM the image that it finds at the URL you specified.

Step 2 Transfer the image from the TFTP server to the SSM and restart the SSM. To do so, use the hw-module module recover command with the boot keyword, as follows.

hostname# hw-module module slot recover boot

where slot is the slot number occupied by the SSM.

Step 3 Check the progress of the image transfer and SSM restart process. To do so, use the show module command. For details, see the “Checking SSM Status” section on page 22-13. When the adaptive security appliance completes the image transfer and restart of the SSM, the SSM is running the newly transferred image.
Note If your SSM supports configuration backups and you want to restore the configuration of the application running on the SSM, see the documentation for your SSM for details.

Chapter 23 Preventing Network Attacks

This chapter describes how to prevent network attacks by configuring TCP normalization, limiting TCP and UDP connections, and many other protection features.

This chapter includes the following sections:
• Configuring TCP Normalization, page 23-1
• Configuring Connection Limits and Timeouts, page 23-6
• Preventing IP Spoofing, page 23-10
• Configuring the Fragment Size, page 23-11
• Blocking Unwanted Connections, page 23-11
• Configuring IP Audit for Basic IPS Support, page 23-12

Configuring TCP Normalization

The TCP normalization feature identifies abnormal packets that the security appliance can act on when they are detected; for example, the security appliance can allow, drop, or clear the packets. TCP normalization helps protect the security appliance from attacks.

This section includes the following topics:
• TCP Normalization Overview, page 23-1
• Enabling the TCP Normalizer, page 23-2

TCP Normalization Overview

The TCP normalizer includes non-configurable actions and configurable actions. Typically, non-configurable actions that drop or clear connections apply to packets that are always bad. Configurable actions (as detailed in the “Enabling the TCP Normalizer” section on page 23-2) might need to be customized depending on your network needs.

See the following guidelines for TCP normalization:
• The normalizer does not protect from SYN floods. The security appliance includes SYN flood protection in other ways.
• The normalizer always sees the SYN packet as the first packet in a flow unless the security appliance is in loose mode due to failover.

Enabling the TCP Normalizer

This feature uses Modular Policy Framework, so that implementing TCP normalization consists of identifying traffic, specifying the TCP normalization actions, and activating TCP normalization on an interface. See Chapter 21, “Using Modular Policy Framework,” for more information.

To configure TCP normalization, perform the following steps:

Step 1 To specify the TCP normalization criteria that you want to look for, create a TCP map by entering the following command:

hostname(config)# tcp-map tcp-map-name

For each TCP map, you can customize one or more settings.

Step 2 (Optional) Configure the TCP map criteria by entering one or more of the following commands (see Table 23-1). If you want to use the default settings for all criteria, you do not need to enter any commands for the TCP map. If you want to customize some settings, then the defaults are used for any commands you do not enter. The default configuration includes the following settings:

no check-retransmission
no checksum-verification
exceed-mss allow
queue-limit 0 timeout 4
reserved-bits allow
syn-data allow
synack-data drop
invalid-ack drop
seq-past-window drop
tcp-options range 6 7 clear
tcp-options range 9 255 clear
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
ttl-evasion-protection
urgent-flag clear
window-variation allow-connection

Table 23-1 tcp-map Commands

check-retransmission
    Prevents inconsistent TCP retransmissions.

checksum-verification
    Verifies the checksum.

exceed-mss {allow | drop}
    Sets the action for packets whose data length exceeds the TCP maximum segment size.
    (Default) The allow keyword allows packets whose data length exceeds the TCP maximum segment size.
    The drop keyword drops packets whose data length exceeds the TCP maximum segment size.

invalid-ack {allow | drop}
    Sets the action for packets with an invalid ACK. You might see invalid ACKs in the following instances:
    • In the TCP connection SYN-ACK-received status, if the ACK number of a received TCP packet is not exactly the same as the sequence number of the next TCP packet sending out, it is an invalid ACK.
    • Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet sending out, it is an invalid ACK.
    The allow keyword allows packets with an invalid ACK.
    (Default) The drop keyword drops packets with an invalid ACK.
    Note TCP packets with an invalid ACK are automatically allowed for WAAS connections.

queue-limit pkt_num [timeout seconds]
    Sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, between 1 and 250 packets. The default is 0, which means this setting is disabled and the default system queue limit is used depending on the type of traffic:
    • Connections for application inspection (the inspect command), IPS (the ips command), and TCP check-retransmission (the TCP map check-retransmission command) have a queue limit of 3 packets. If the security appliance receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.
    • For other TCP connections, out-of-order packets are passed through untouched.
    If you set the queue-limit command to be 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertised settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.
    The timeout seconds argument sets the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds; if they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the pkt_num argument is set to 0; you need to set the limit to be 1 or above for the timeout keyword to take effect.

reserved-bits {allow | clear | drop}
    Sets the action for reserved bits in the TCP header.
    (Default) The allow keyword allows packets with the reserved bits in the TCP header.
    The clear keyword clears the reserved bits in the TCP header and allows the packet.
    The drop keyword drops the packet with the reserved bits in the TCP header.

seq-past-window {allow | drop}
    Sets the action for packets that have past-window sequence numbers, namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window.
    The allow keyword allows packets that have past-window sequence numbers. This action is only allowed if the queue-limit command is set to 0 (disabled).
    (Default) The drop keyword drops packets that have past-window sequence numbers.

synack-data {allow | drop}
    Sets the action for TCP SYNACK packets that contain data.
    The allow keyword allows TCP SYNACK packets that contain data.
    (Default) The drop keyword drops TCP SYNACK packets that contain data.

syn-data {allow | drop}
    Sets the action for SYN packets with data.
    (Default) The allow keyword allows SYN packets with data.
    The drop keyword drops SYN packets with data.

tcp-options {selective-ack | timestamp | window-scale} {allow | clear}
or
tcp-options range lower upper {allow | clear | drop}
    Sets the action for packets with TCP options, including the selective-ack, timestamp, or window-scale TCP options.
    (Default) The allow keyword allows packets with the specified option.
    (Default for range) The clear keyword clears the option and allows the packet.
    The drop keyword drops the packet with the specified option.
    The selective-ack keyword sets the action for the SACK option.
    The timestamp keyword sets the action for the timestamp option. Clearing the timestamp option disables PAWS and RTT.
    The window-scale keyword sets the action for the window scale mechanism option.
    The range keyword specifies a range of options. The lower argument sets the lower end of the range as 6, 7, or 9 through 255. The upper argument sets the upper end of the range as 6, 7, or 9 through 255.

ttl-evasion-protection
    Disables the TTL evasion protection. Do not enter this command if you want to prevent attacks that attempt to evade security policy.
    For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL goes to zero, a router between the security appliance and the endpoint drops the packet. It is at this point that the attacker can send a malicious packet with a long TTL that appears to the security appliance to be a retransmission and is passed. To the endpoint host, however, it is the first packet that has been received from the attacker. In this case, an attacker is able to succeed without security preventing the attack.

urgent-flag {allow | clear}
    Sets the action for packets with the URG flag. The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag; therefore end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks.
    The allow keyword allows packets with the URG flag.
    (Default) The clear keyword clears the URG flag and allows the packet.

window-variation {allow | drop}
    Sets the action for a connection that has changed its window size unexpectedly. The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, “shrinking the window” is strongly discouraged. When this condition is detected, the connection can be dropped.
    (Default) The allow keyword allows connections with a window variation.
    The drop keyword drops connections with a window variation.

Step 3 To identify the traffic, add a class map using the class-map command. See the “Creating a Layer 3/4 Class Map for Through Traffic” section on page 21-5 for more information. For example, you can match all traffic using the following commands:

hostname(config)# class-map TCPNORM
hostname(config-cmap)# match any

To match specific traffic, you can match an access list:

hostname(config)# access-list TCPNORM extended permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map TCP_norm_class
hostname(config-cmap)# match access-list TCPNORM

Step 4 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following commands:

hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

where the class_map_name is the class map from Step 3.
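The tcp-options rows of Table 23-1 give three actions per option kind. The following Python model, added here and not part of the Cisco guide or of ASA code, parses a TCP options field and applies a tcp-map with the page's defaults (named options allowed, ranges 6-7 and 9-255 cleared): allow keeps the option bytes, clear overwrites them with NOP bytes so the TCP header length is unchanged, and drop discards the whole packet. The sample option bytes are constructed; treating both SACK option kinds (4 and 5) under selective-ack, and exempting EOL, NOP and MSS from the map, are this model's assumptions.

```python
"""TCP option normalization modeled on the tcp-map actions in Table 23-1.
Added example; not ASA code. IANA option kinds: EOL 0, NOP 1, MSS 2,
window-scale 3, SACK-permitted 4, SACK 5, timestamp 8. Every other kind
falls in the ranges 6-7 and 9-255 that the page's default tcp-map clears."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
ALLOW, CLEAR, DROP = "allow", "clear", "drop"


@dataclass
class TcpMap:
    """Defaults mirror the page's default tcp-map: named options allowed, ranges cleared."""
    named: Dict[str, str] = field(default_factory=lambda: {
        "selective-ack": ALLOW, "timestamp": ALLOW, "window-scale": ALLOW})
    ranges: List[Tuple[int, int, str]] = field(default_factory=lambda: [
        (6, 7, CLEAR), (9, 255, CLEAR)])

    def action_for(self, kind: int) -> str:
        # EOL, NOP and MSS are outside every configurable range (model assumption).
        if kind in (EOL, NOP, MSS):
            return ALLOW
        if kind == WSCALE:
            return self.named["window-scale"]
        if kind in (SACK_PERM, SACK):   # both SACK kinds under selective-ack (assumption)
            return self.named["selective-ack"]
        if kind == TIMESTAMP:
            return self.named["timestamp"]
        for lo, hi, action in self.ranges:
            if lo <= kind <= hi:
                return action
        return ALLOW


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split the TCP options field into (kind, raw_bytes) entries.
    Malformed lengths raise ValueError; a real normalizer drops such packets."""
    entries, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # EOL ends the list; the rest is padding
            entries.append((kind, raw[i:]))
            break
        if kind == NOP:                      # single-byte option, no length field
            entries.append((kind, raw[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        entries.append((kind, raw[i:i + length]))
        i += length
    return entries


def normalize_options(raw: bytes, tmap: TcpMap) -> Optional[bytes]:
    """allow keeps the option; clear overwrites it with NOPs so the header
    length is unchanged; drop returns None, meaning the packet is dropped."""
    out = bytearray()
    for kind, chunk in parse_options(raw):
        action = tmap.action_for(kind)
        if action == DROP:
            return None
        out += chunk if action == ALLOW else bytes([NOP]) * len(chunk)
    return bytes(out)


def option_kinds(raw: bytes) -> List[int]:
    """Option kinds in order, handy for seeing what a map did to a packet."""
    return [kind for kind, _ in parse_options(raw)]


# Constructed SYN options: MSS 1460, SACK-permitted, timestamp, NOP, window scale 7,
# followed by a kind-30 option (length 4) that falls in the 9-255 range.
SAMPLE_SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                      + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"
                      + b"\x01" + b"\x03\x03\x07" + b"\x1e\x04\x00\x00")


if __name__ == "__main__":
    print(option_kinds(SAMPLE_SYN_OPTIONS))
    print(option_kinds(normalize_options(SAMPLE_SYN_OPTIONS, TcpMap())))
```

With the default map, the kind-30 option is replaced by four NOPs and the header length is preserved; a map whose ranges use drop returns None for the same packet, which is the difference between clearing an unknown option and dropping the segment that carries it.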
For example, using the class map TCP_norm_class from Step 3:

hostname(config)# policy-map TCP_norm_policy
hostname(config-pmap)# class TCP_norm_class
hostname(config-pmap-c)#

Step 5 Apply the TCP map to the class map by entering the following command.

hostname(config-pmap-c)# set connection advanced-options tcp-map-name

Step 6 To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policymap_name {global | interface interface_name}

where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well-known FTP data port and the Telnet port, enter the following commands:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet
hostname(config-cmap)# policy-map pmap
hostname(config-pmap)# class urg-class
hostname(config-pmap-c)# set connection advanced-options tmap
hostname(config-pmap-c)# service-policy pmap global

Configuring Connection Limits and Timeouts

This section describes how to set maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, connection timeouts, dead connection detection, and how to disable TCP sequence randomization.
You can set limits for connections that go through the security appliance, or for management connections to the security appliance. This section includes the following topics: • Connection Limit Overview, page 23-7 • Enabling Connection Limits and Timeouts, page 23-8 Note You can also configure maximum connections, maximum embryonic connections, and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.23-7 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 23 Preventing Network Attacks Configuring Connection Limits and Timeouts Connection Limit Overview This section describes why you might want to limit connections, and includes the following topics: • TCP Intercept Overview, page 23-7 • Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility, page 23-7 • Dead Connection Detection (DCD) Overview, page 23-7 • TCP Sequence Randomization Overview, page 23-8 TCP Intercept Overview Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. 
When the embryonic connection threshold of a connection is crossed, the security appliance acts as a proxy for the server and generates a SYN-ACK response to the client SYN request. When the security appliance receives an ACK back from the client, it can then authenticate the client and allow the connection to the server. Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility By default, TCP management connections have TCP Intercept always enabled. When TCP Intercept is enabled, it intercepts the 3-way TCP connection establishment handshake packets and thus deprives the security appliance from processing the packets for clientless SSL. Clientless SSL requires the ability to process the 3-way handshake packets to provide selective ACK and other TCP options for clientless SSL connections. To disable TCP Intercept for management traffic, you can set the embryonic connection limit; only after the embryonic connection limit is reached is TCP Intercept enabled. Dead Connection Detection (DCD) Overview DCD detects a dead connection and allows it to expire, without expiring connections that can still handle traffic. You configure DCD when you want idle, but valid connections to persist. When you enable DCD, idle timeout behavior changes. With idle timeout, DCD probes are sent to each of the two end-hosts to determine the validity of the connection. If an end-host fails to respond after probes are sent at the configured intervals, the connection is freed, and reset values, if configured, are sent to each of the end-hosts. If both end-hosts respond that the connection is valid, the activity timeout is updated to the current time and the idle timeout is rescheduled accordingly. Enabling DCD changes the behavior of idle-timeout handling in the TCP normalizer. DCD probing resets the idle timeout on the connections seen in the show conn command. 
To determine when a connection that has exceeded the configured timeout value in the timeout command but is kept alive due to DCD probing, the show service-policy command includes counters to show the amount of activity from DCD.23-8 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 23 Preventing Network Attacks Configuring Connection Limits and Timeouts TCP Sequence Randomization Overview Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session. TCP initial sequence number randomization can be disabled if required. For example: • If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic. • If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum. • You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections. Enabling Connection Limits and Timeouts To set connection limits and timeouts, perform the following steps: Step 1 To identify the traffic, add a class map using the class-map command. See the “Creating a Layer 3/4 Class Map for Through Traffic” section on page 21-5 for more information. 
For example, you can match all traffic using the following commands: hostname(config)# class-map CONNS hostname(config-cmap)# match any To match specific traffic, you can match an access list: hostname(config)# access list CONNS extended permit ip any 10.1.1.1 255.255.255.255 hostname(config)# class-map CONNS hostname(config-cmap)# match access-list CONNS Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following commands: hostname(config)# policy-map name hostname(config-pmap)# class class_map_name hostname(config-pmap-c)# where the class_map_name is the class map from Step 1. For example: hostname(config)# policy-map CONNS hostname(config-pmap)# class CONNS hostname(config-pmap-c)# Step 3 To set maximum connection limits or whether TCP sequence randomization is enabled, enter the following command: hostname(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}23-9 Cisco Security Appliance Command Line Configuration Guide OL-10088-02 Chapter 23 Preventing Network Attacks Configuring Connection Limits and Timeouts where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535. The default is 0, which allows unlimited connections. The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535. The default is 0, which allows unlimited connections. The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections. The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections. 
The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number randomization. See the “TCP Sequence Randomization Overview” section on page 23-8 section for more information. You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The security appliance combines the command into one line in the running configuration. Step 4 To set connection timeouts, enter the following command: hostname(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] {tcp hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]} where the embryonic hh:mm:ss keyword sets the timeout period until a TCP embryonic (half-open) connection is closed, between 0:0:5 and 1193:00:00. The default is 0:0:30. You can also set this value to 0, which means the connection never times out. The tcp hh:mm:ss keyword sets the idle timeout between 0:5:0 and 1193:00:00. The default is 1:0:0. You can also set this value to 0, which means the connection never times out. The reset keyword sends a reset to TCP endpoints when the connection times out. The security appliance sends the reset packet only in response to a host sending another packet for the timed-out flow (on the same source and destination port). The host then removes the connection from its connection table after receiving the reset packet. The host application can then attempt to establish a new connection using a SYN packet. The half-closed hh:mm:ss keyword sets the idle timeout between 0:5:0 and 1193:00:00. The default is 0:10:0. Half-closed connections are not affected by DCD. Also, the security appliance does not send a reset when taking down half-closed connections. The dcd keyword enables DCD. DCD detects a dead connection and allows it to expire, without expiring connections that can still handle traffic. You configure DCD when you want idle, but valid connections to persist. 
After a TCP connection times out, the security appliance sends DCD probes to the end hosts to determine the validity of the connection. If one of the end hosts fails to respond after the maximum retries are exhausted, the security appliance frees the connection. If both end hosts respond that the connection is valid, the security appliance updates the activity timeout to the current time and reschedules the idle timeout accordingly.
The retry-interval sets the time duration in hh:mm:ss format to wait after each unresponsive DCD probe before sending another probe, between 0:0:1 and 24:0:0. The default is 0:0:15.
The max-retries sets the number of consecutive failed retries for DCD before declaring the connection as dead. The minimum value is 1 and the maximum value is 255. The default is 5.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.
Step 5 To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.
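As an added illustration (not part of the guide, and not the appliance's own code), the following Python models the checks behind Steps 3 and 4: it validates the connection limits and the hh:mm:ss timeouts against the ranges stated above and merges separately entered set connection commands into the single limits line and single timeout line that the running configuration shows. It treats dcd as a bare flag and does not parse its optional retry interval or max-retries; the function names and the parsing approach are this example's own.

```python
# Ranges from the guide: limits are 0-65535 (0 = unlimited); idle timeouts are
# hh:mm:ss, where 0 means "never times out". DCD is handled as a bare flag here.
LIMIT_KEYS = ("conn-max", "embryonic-conn-max", "per-client-embryonic-max", "per-client-max")
TIMEOUT_RANGE_S = {"embryonic": (5, 1193 * 3600), "tcp": (300, 1193 * 3600),
                   "half-closed": (300, 1193 * 3600)}

def hms_to_seconds(text):                   # hh:mm:ss, or a bare 0
    parts = [int(p) for p in text.split(":")]
    h, m, s = parts if len(parts) == 3 else (0, 0, parts[0])
    return h * 3600 + m * 60 + s

def check_timeout(keyword, value):
    if keyword not in TIMEOUT_RANGE_S:
        raise ValueError(f"unknown timeout keyword {keyword}")
    lo, hi = TIMEOUT_RANGE_S[keyword]
    secs = hms_to_seconds(value)
    if secs == 0 or lo <= secs <= hi:       # 0 = never times out
        return secs
    raise ValueError(f"{keyword} {value}: outside {lo}-{hi} seconds")

def parse_set_connection(command):
    """Validate one command; return ('limits' | 'timeouts', {keyword: [values]})."""
    tokens = command.split()
    if tokens[:2] != ["set", "connection"]:
        raise ValueError(f"not a set connection command: {command}")
    is_timeout = tokens[2:3] == ["timeout"]
    tokens, attrs, i = tokens[3 if is_timeout else 2:], {}, 0
    while i < len(tokens):
        key, nxt = tokens[i], tokens[i + 1:i + 2]
        if is_timeout and key in ("reset", "dcd"):   # flags that take no value
            attrs[key], i = [], i + 1
            continue
        if not nxt:
            raise ValueError(f"{key} needs a value")
        if is_timeout:
            check_timeout(key, nxt[0])
        elif key not in LIMIT_KEYS or not 0 <= int(nxt[0]) <= 65535:
            raise ValueError(f"{key} {nxt[0]}: limits must be 0-65535")
        attrs[key], i = nxt, i + 2
    return ("timeouts" if is_timeout else "limits"), attrs

def combine_set_connection(commands):
    """Merge separately entered commands into the lines the running config shows."""
    merged = {"limits": {}, "timeouts": {}}
    for cmd in commands:
        kind, attrs = parse_set_connection(cmd)
        merged[kind].update(attrs)           # a repeated keyword takes the later value
    return [f"{prefix} " + " ".join(" ".join([k] + v) for k, v in merged[kind].items())
            for kind, prefix in (("limits", "set connection"),
                                 ("timeouts", "set connection timeout")) if merged[kind]]
```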
The following example sets the connection limits and timeouts for all traffic:
hostname(config)# class-map CONNS
hostname(config-cmap)# match any
hostname(config-cmap)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)# set connection conn-max 1000 embryonic-conn-max 3000
hostname(config-pmap-c)# set connection timeout tcp 2:0:0 embryonic 0:40:0 half-closed 0:20:0 dcd
hostname(config-pmap-c)# service-policy CONNS interface outside
You can enter set connection commands with multiple parameters or you can enter each parameter as a separate command. The security appliance combines the commands into one line in the running configuration. For example, if you entered the following two commands in class configuration mode:
hostname(config-pmap-c)# set connection conn-max 600
hostname(config-pmap-c)# set connection embryonic-conn-max 50
the output of the show running-config policy-map command would display the result of the two commands in a single, combined command:
set connection conn-max 600 embryonic-conn-max 50
Preventing IP Spoofing
This section describes how to enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
Normally, the security appliance only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information.
For outside traffic, for example, the security appliance can use the default route to satisfy the Unicast RPF protection.
If traffic enters from an outside interface, and the source address is not known to the routing table, the security appliance uses the default route to correctly identify the outside interface as the source interface. If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
• ICMP packets have no session, so each packet is checked.
• UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.
To enable Unicast RPF, enter the following command:
hostname(config)# ip verify reverse-path interface interface_name
Configuring the Fragment Size
By default, the security appliance allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the security appliance. Fragmented packets are often used in DoS attacks.
To disallow fragments, enter the following command:
hostname(config)# fragment chain 1 [interface_name]
Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this command applies to all interfaces.
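To make the Unicast RPF decision from the Preventing IP Spoofing section concrete, here is an added Python model that is not the appliance's code: it runs the reverse route lookup against a constructed two-route table (a default route via outside and one network behind inside, both made up for the example) and applies the per-packet check for ICMP and the initial-packet-then-session-state rule for TCP and UDP. Interface names, the session key (which omits ports) and all addresses are this example's assumptions.

```python
import ipaddress

# Constructed routing table (made-up values for this example): a default route
# via the outside interface and one network known to be behind inside.
ROUTES = [("0.0.0.0/0", "outside"), ("10.86.0.0/16", "inside")]

def lookup_interface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the appliance would use to reach ip,
    or None when not even a default route covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(src_ip, ingress_iface, routes=ROUTES):
    """Reverse route lookup: the route back to the source must point at the
    interface the packet arrived on; otherwise the packet is dropped."""
    return lookup_interface(src_ip, routes) == ingress_iface

def check_packet(sessions, proto, src_ip, dst_ip, ingress_iface, routes=ROUTES):
    """ICMP has no session, so every packet gets the reverse lookup. TCP/UDP
    look up only the initial packet, record its interface in the session state,
    and require later packets of that session to arrive on the same interface.
    Returns True to forward the packet, False to drop it."""
    if proto == "icmp":
        return urpf_permits(src_ip, ingress_iface, routes)
    key = (proto, src_ip, dst_ip)        # one direction of a flow; ports omitted
    if key not in sessions:
        if not urpf_permits(src_ip, ingress_iface, routes):
            return False
        sessions[key] = ingress_iface
        return True
    return sessions[key] == ingress_iface

if __name__ == "__main__":
    state = {}
    cases = [("tcp", "64.101.68.161", "10.86.194.60", "outside"),  # unknown src, default route
             ("tcp", "10.86.194.60", "64.101.68.161", "outside"),  # inside address from outside
             ("udp", "203.0.113.9", "10.86.1.1", "inside")]        # unknown src on inside
    for proto, src, dst, iface in cases:
        verdict = "forward" if check_packet(state, proto, src, dst, iface) else "drop"
        print(f"{proto} {src} -> {dst} on {iface}: {verdict}")
```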
Blocking Unwanted Connections
If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun.
Note If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically.
To shun a connection manually, perform the following steps:
Step 1 If necessary, view information about the connection by entering the following command:
hostname# show conn
The security appliance shows information about each connection, such as the following:
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
Step 2 To shun connections from the source IP address, enter the following command:
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
If you enter only the source IP address, then all future connections are shunned; existing connections remain active. To drop an existing connection, as well as block future connections from the source IP address, enter the destination IP address, source and destination ports, and the protocol. By default, the protocol is 0 for IP.
For multiple context mode, you can enter this command in the admin context, and by specifying a VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other contexts.
Step 3 To remove the shun, enter the following command:
hostname(config)# no shun src_ip [vlan vlan_id]
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for a security appliance that does not have an AIP SSM.
It supports a basic list of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature.
To enable IP audit, perform the following steps:
Step 1 To define an IP audit policy for informational signatures, enter the following command:
hostname(config)# ip audit name name info [action [alarm] [drop] [reset]]
where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm.
Step 2 To define an IP audit policy for attack signatures, enter the following command:
hostname(config)# ip audit name name attack [action [alarm] [drop] [reset]]
where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm.
Step 3 To assign the policy to an interface, enter the following command:
hostname(config)# ip audit interface interface_name policy_name
Step 4 To disable signatures, or for more information about signatures, see the ip audit signature command in the Cisco Security Appliance Command Reference.
Chapter 24 Configuring QoS
Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times. Quality of Service (QoS) is a feature that lets you give priority to critical traffic, prevent bandwidth hogging, and manage network bottlenecks to prevent packet drops.
This chapter describes how to apply QoS policies, and includes the following sections:
• QoS Overview, page 24-1
• Creating the Standard Priority Queue for an Interface, page 24-5
• Identifying Traffic for QoS Using Class Maps, page 24-8
• Creating a Policy for Standard Priority Queueing and/or Policing, page 24-9
• Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing, page 24-11
• Viewing QoS Statistics, page 24-13
QoS Overview
You should consider that in an ever-changing network environment, QoS is not a one-time deployment, but an ongoing, essential part of network design.
Note QoS is only available in single context mode.
This section describes the QoS features supported by the security appliance, and includes the following topics:
• Supported QoS Features, page 24-2
• What is a Token Bucket?, page 24-2
• Policing Overview, page 24-3
• Priority Queueing Overview, page 24-3
• Traffic Shaping Overview, page 24-4
• DSCP and DiffServ Preservation, page 24-5
Supported QoS Features
The security appliance supports the following QoS features:
• Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Policing Overview” section on page 24-3 for more information.
• Priority queuing—For critical traffic that cannot tolerate latency, such as Voice over IP (VoIP), you can identify traffic for Low Latency Queuing (LLQ) so that it is always transmitted ahead of other traffic. See the “Priority Queueing Overview” section on page 24-3 for more information.