
Data Communications Network (Dcn) Planning Guide

Date post: 03-Jun-2018
Upload: larba-sawadogo
  • 8/12/2019 Data Communications Network (Dcn) Planning Guide

    Title page

    Alcatel-Lucent 1830

    PHOTONIC SERVICE SWITCH (PSS) | Release 3.6.0 and 3.6.1

    DATA COMMUNICATIONS NETWORK (DCN) PLANNING GUIDE

    8DG60888RAAA Issue 1

    July 2011

    Legal notice

    Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.

    The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.

    Copyright 2011 Alcatel-Lucent. All rights reserved.

    Notice

    Every effort has been made to ensure that the information in this document is complete and accurate at the time of printing. However, information is subject to change.

    This manual applies to Alcatel-Lucent 1830 PSS.

    Documentation support

    Please contact your Technical Support Services (TSS) team.

    Alcatel-Lucent 1830 PSS Data Communication Page 3 of 47

    Network (DCN) Planning Guide Guide8DG60888RAAA Release 3.6.0 and 3.6.1Issue 1 July 2011

    Table of Contents

    1 ABOUT THIS DOCUMENT
    1.1 Document conventions
    2 INTRODUCTION
    2.1 The 1830 PSS management network
    2.2 Networks overview
    2.3 The GMPLS network
    3 1830 IP ARCHITECTURE
    3.1 NE IP architecture
    3.2 Network IP architecture
    3.3 IP networks summary of a 1830PSS
    4 PHYSICAL NETWORK DESCRIPTION
    4.1 1830 PSS boards
    5 BUILDING 1830PSS DCN NETWORKS
    5.1 Single OSPF area
    6 NETWORK REQUIREMENTS
    6.1 External routers
    6.2 Time management
    6.3 Address plan
    7 SECURITY
    7.1 Use RADIUS for user identification
    7.2 Secure/unsecure mode
    7.3 Firewall configuration, list of protocols/ports
    7.4 IPSec tunnel
    7.5 Syslog server

    1 About this document

    The document applies to 1830PSS R3.6.x.

    This document presents the global architecture of the 1830 PSS management network and details the engineering rules to apply for network design and during the installation.

    1830 PSS nodes belong to a WDM sub-network. A WDM sub-network is composed of several NEs inter-connected via OTS physical connections. It corresponds to a tuning entity; there is 3R regeneration at the border of a WDM sub-network.

    PSS1/PSS4 can be considered as extensions of the nodes to which they are connected, and they also belong to the same WDM sub-network. External devices directly connected to a 1830PSS also belong to the WDM sub-network.

    The DCN of a 1830PSS WDM sub-network relies on the OSPF routing protocol. Other boxes of the network (for example 1850TSS, 1678, 1660) can run another routing protocol, and we strongly suggest that they belong to another routing domain.

    1.1 Document conventions

    Within this document, the following conventions are used:

    The product-associated rules are presented as follows. They describe what is supported or not:

    Rule: ()

    Rule 1: Rule format presentation

    The Engineering Guidelines are presented as follows. These are recommendations to get the best of the product and/or network within the supported space:

    Engineering Guidelines: ()

    The rule is always written in bold

    Justification and/or examples are always written in italic

    Guideline 1.1-1: Guideline format presentation

    The restrictions are presented as follows, typically when the behaviour is not as predicted or not as described in standards:

    Restriction: ()

    The Customer Inputs, which point to high-level information required to implement the associated network design:

    Network Design: ()

    And where:

    : Identifies which Node, Network Element, Interface it is applicable (e.g. LR, OADM, )

    : Gives a title to the rule

    : Indicates the root cause for it (see Table 1 : Meaning of )

    (Short Name) | (Long Name) | Meaning
    HC | Hard Coded | Either Hardware or Software is responsible for this.
    M | Mandatory | No control but must be followed for the system to operate properly into a supported environment.
    S | Standard | Required by Standard
    D | Design | Mainly for restriction and if related with Design
    T | Test | Mainly for restriction and if related with Tests
    R | Recommended (Optional) | No control and not mandatory but recommended for:
      |                        | - Design: To follow good Network Design basis and principles.
      |                        | - Availability: To ensure Network robustness.
      |                        | - Performances: To provide with an optimized usage of resources.
      |                        | - Security: To secure network against potential attacks.
      |                        | - Operations: To offer better operational effectiveness for site or network extension, upgrade, reconfiguration

    Table 1 : Meaning of

    2 Introduction

    2.1 The 1830 PSS management network

    The following figure depicts a 1830 network and its associated management network, consisting of managers and the DCN (Data Communication Network).

    Management information and control from the Operations System (OS) is carried from one NE to the other over the internal 1830 PSS network via the Optical Supervisory Channel (OSC). Management communication can also be carried over the GCC, and is a necessary design feature for the 1830 PSS because of expected support for the 1830 PSS-1 Edge Device, a.k.a. the Small Pizza-Box (SPB). The following figure shows the high-level management overview.

    [Figure labels: FTP Servers, NMS, Management DCN, IP, 1830 GNE, 1830 RNE, 1830-PSS Network, Remotely Managed Device]

    Fig. 1 - 1830PSS Network Management Overview

    The remotely managed device, as shown in the above figure, can be an IP-device co-located with the 1830 NE (e.g. Raman amplifier) connected via the extension LAN. Or, the device could be the 1830 PSS-1 Edge Device which connects to the 1830 PSS over the GCC. Connection over the GCC is illustrated in the following figure:

    [Figure labels: IP, NMS, OSC, PPP-GCC, NE2 135.1.1.2/32, GNE, NE3 135.1.1.3/32, addresses 135.10.10.1/32 to 135.10.10.8/32]

    Fig. 2 - 1830PSS Communicating with PSS-1 Edge Device over the GCC

    The basic communications network architecture for the 1830 PSS-32 includes all LAN interfaces, OSC interfaces, and GCC interfaces. LAN interfaces include the OAMP, VoIP, E1, E2, CIT, and Extension Shelf (ES) connections. The OSC interfaces can vary from one up to 20, one for each degree. The OSC carries node-to-node communication, sharing of OSPF LSAs, Wave Tracker keys, SCOT messages, etc.

    The GCC interfaces can vary from 1 up to 32, depending on the number of supported OTs that are provisioned for GCC0 termination. GCC0 terminations on the 1830 PSS-32 system are supported by the 11STAR1 (client port), 11STMM10 (client port), 4DPA4 (line port), 11DPE12, PSS1GBE, PSS1MD4, 11QPA4, 11DPE12E, 11DPM12 OTs. The other end of this 11STAR1 OT is the 1830 PSS-1 Edge Device.

    Engineering Guidelines: 1830 PSS1/PSS4 specific rule for GCC - R

    A GCC channel can transport the management flow of up to 16 NEs (typically PSS1/PSS4) serially connected via GCC.

    (See previous picture).

    The full gamut of communications network sizing architecture is shown in the following figure:

    [Figure labels: IP, NMS, 1830-PSS Network, GNE and N2 to N8 with addresses 135.1.1.1/32 to 135.1.1.8/32, OSC links, co-located SNMP-managed external device on E1-LAN (135.50.10.1/30, 135.50.10.2/30), addresses 192.168.1.1/30, 192.168.1.2/30, 192.168.1.5/30, 192.168.1.6/30, 192.168.1.9/30, 192.168.1.10/30, PSS1 Network with addresses 135.10.10.1/32 to 135.10.10.8/32, PPP-GCC]

    Fig. 3 Complete Management View with PSS and PSS-1

    2.2 Networks overview

    The 1830PSS is not standalone equipment; it is part of WDM sub-networks. The communications, internal and external, are IP based. It has to be managed through an IP network.

    An 1830 network includes mainly three kinds of equipment, built from basically the same boards and shelves but with different functions:

    - Line terminal

    - OADM (ROADM, TOADM, FOADM)

    - ILA (In Line Repeater)

    Each 1830 NE can be configured as GNE (Gateway Network Element) to provide access from the DCN to all the NEs on the optical network.

    They can be installed following three topologies:

    Linear Architecture:

    At least the two NEs terminating the line must be configured as GNEs, providing redundancy for management access to the other intermediate NEs.

    Fig. 3 1830 Linear architecture

    Ring architecture:

    At least 2 distinct NEs can be chosen to function as GNEs to provide redundant access to the WDM sub-network.

    Fig. 4 1830 Ring architecture

    [Figure labels for the linear and ring diagrams: Line Terminal as GNE, OADM, OADM as GNE, LILA]

    Meshed architecture:

    This kind of architecture may lead to isolated NEs which must be accessible for management. It needs more than two GNEs for redundancy.

    Example below: On failure of the optical link between them and their neighbor, the two WDM Terminals remain reachable for management.

    Fig. 5 1830 Meshed architecture
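
The GNE placement described for the three topologies above can be checked on a planned network before installation. The following Python code is an added example, not part of the Alcatel-Lucent guide: it removes each OSC/GCC link in turn and lists the NEs that can no longer reach any GNE. The node names and both topologies are constructed for illustration.

```python
from collections import deque

# Constructed sample topologies (names are illustrative, not from the guide).
LINEAR_NODES = ["LT1", "ILA1", "OADM1", "ILA2", "LT2"]
LINEAR_LINKS = [("LT1", "ILA1"), ("ILA1", "OADM1"),
                ("OADM1", "ILA2"), ("ILA2", "LT2")]

# Meshed core A-B-C-D with a chord A-C, plus two line terminals that each
# hang off the core on a single optical link.
MESH_NODES = ["A", "B", "C", "D", "T1", "T2"]
MESH_LINKS = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A"), ("A", "C"),
              ("T1", "A"), ("T2", "C")]


def reachable_from_gnes(nodes, links, gnes):
    """Return the set of NEs that can reach at least one GNE over `links`."""
    unknown = set(gnes) - set(nodes)
    if unknown:
        raise ValueError(f"GNE not in node list: {sorted(unknown)}")
    adjacency = {node: set() for node in nodes}
    for a, b in links:
        adjacency[a].add(b)
        adjacency[b].add(a)
    # Breadth-first search started from all GNEs at once.
    seen = set(gnes)
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current] - seen:
            seen.add(neighbour)
            queue.append(neighbour)
    return seen


def single_link_failure_report(nodes, links, gnes):
    """Map each link whose loss cuts NEs off from every GNE to those NEs.

    An empty dict means no single OSC/GCC link failure isolates any NE.
    """
    report = {}
    for index, failed in enumerate(links):
        remaining = links[:index] + links[index + 1:]
        isolated = set(nodes) - reachable_from_gnes(nodes, remaining, gnes)
        if isolated:
            report[failed] = sorted(isolated)
    return report


if __name__ == "__main__":
    cases = [
        ("linear, GNE at one end only", LINEAR_NODES, LINEAR_LINKS, {"LT1"}),
        ("linear, GNE at both ends", LINEAR_NODES, LINEAR_LINKS, {"LT1", "LT2"}),
        ("mesh, one GNE in the core", MESH_NODES, MESH_LINKS, {"A"}),
        ("mesh, terminals also GNEs", MESH_NODES, MESH_LINKS, {"A", "T1", "T2"}),
    ]
    for label, nodes, links, gnes in cases:
        report = single_link_failure_report(nodes, links, gnes)
        print(f"{label}: {report or 'no NE isolated by a single link failure'}")
```

The check covers link failures only; loss of a GNE's own DCN access is a separate case.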

    2.3 The GMPLS network

    GMPLS (Generalized Multi Protocol Label Switching) is not the purpose of this document but is, from the 1830PSS network point of view, one of the main functions of the 1830. This chapter recalls some basic information about GMPLS because the DCN design cannot be done without taking into account some GMPLS network constraints.

    GMPLS applies in the 1830PSS, on PSS36/32/16. It does not apply to PSS1/4. The visible part is the control plane. Through the DCN, orders can be sent to the control plane, which will be able to manage the photonic routing and switching and convert an input wavelength on an incoming interface to an output wavelength on an outgoing interface.

    GMPLS in 1830PSSLM provides

    - Path provisioning

    - Path restoration

    In a WDM sub-network, activation of GMPLS is optional.

    On 1830PSS, the GMRE embedded application is in charge of GMPLS. GMRE addresses shall be defined on nodes which have to run the GMRE application.

    GMPLS control messages are transported by the WDM DCN like management messages. The same DCN is used for both the management plane and the control plane.

    Activation of GMPLS has low impact on the WDM DCN (GMRE addresses added + additional traffic on the same WDM DCN).

    [Figure labels for the meshed diagram: OADM as GNE, OADM, TOADM, Line Terminal as GNE, LIL]

    3 1830 IP architecture

    3.1 NE IP architecture

    The 1830 brings a full IP communication architecture. On each 1830PSS, IP is used for

    - External communication:

    - Management purpose (communication between manager and NE)

    - Inter-NE communication

    - VoIP for the IP phone facility

    - Connection of external devices

    - On internal private networks

    - Internal LAN for Inter-shelves / inter-boards communication

    - Local management connection of the Craft Terminal

    -

    The 1830PSS-36 functional interfaces:

    On MTX (Matrix) board:

    - VoIP: connection for IP phone

    - E1-LAN, E2-LAN: for connections with externally managed devices.

    - ES1, ES2: internal ports used for connections with the extension shelves.

    On FLC (First Level Controller) board:

    - CIT: Craft Interface Terminal, local communication, corresponds to port 1 of the active EC in main shelf

    - OAMP: external communication with the EMS (External Management System)

    The 1830PSS-32/16 functional interfaces:

    On USRPNL board:

    - OAMP: external communication with the EMS (External Management System)

    - VoIP: connection for IP phone

    - E1-LAN, E2-LAN: for connections with externally managed devices.

    On EC board:

    - CIT: Craft Interface Terminal, local communication

    - ES1, ES2: internal ports used for connections with the extension shelves.

    The 1830PSS-4 functional interfaces:

    On EC board:

    - OAMP: external communication with the EMS (External Management System)

    - CIT LAN port / CRAFT port (pin 1/2/3/6 for CIT, pin 7/8 for RS232 Rx/Tx, pin 4 GND for RS232): craft interface terminal, local communication (specific cable)

    - ES1, ES2: internal ports used for connections with the extension shelves.

    On EC board:

    - CIT: Craft Interface Terminal, local communication

    - ES1, ES2: internal ports used for connections with the extension shelves.

    The 1830PSS-1 Edge Device functional interfaces:

    On FAN board:

    - CIT: local communication (PhM, CLI, WebUI)

    - LAN1 master shelf: external communication (PhM, CLI, WebUI)

    - LAN1 (expansion) and LAN2 internal communication and daisy chaining

    IP addresses set at initial commissioning

    - OAMP: One interface address with the backbone. The front router will have an interface in the same subnet. Could be routed or not. At least /30 subnet.

    - SYSTEM(*): Loopback address assigned to the SYSTEM interface. It is the management address of the NE. Must be routed toward the backbone. The value is set during the initial commissioning phase or via ED-IP-IF (see chapter 3.3).
      (*) SYSTEM can also be named RID (Router ID), Loopback IP or NE address in other documents.

    - GMRENODE (or CPN): Loopback address assigned to the GMRE node interface. It is the main control plane address of the GMRE. Must be routed toward the backbone for redundancy. It must be defined during the initial commissioning phase (see chapter 3.3).

    - GMRENOTIFY (or CPNOTIFY): Loopback address assigned to the GMRE notify interface. It is a secondary control plane address of the GMRE. Must be routed toward the backbone for redundancy. It must be defined during the initial commissioning phase (see chapter 3.3).

    Protocols:

    - CLI, Telnet, SSH, SSL, SNMP, TL1, HTTP, HTTPs: Used for management of 1830PSS

    - CLI and MTNM/Corba : Used for the management of the GMPLS network

    - OSPF-TE for SCOT : used for WDM power adjustment automation

    - Application sFTP/tFTP/FTP : used for file transfer as upgrade or Data Base backup/restore.

    - NTP for time management

    3.1.1 Protocols stacks

    The TCP/IP protocol stack supported for an IP-based DCN will be as shown in the following table:

    [Figure: Protocol stack, network part. L2: Ethernet interface (ARP + IPv4 over DIX), PPP. L3: IPv4 + IP forwarding. L4: TCP, OSPF, UDP. Above L4: application upper layers. Other labels: OSC, GCC0, LAN (->NMS), OAMP, CIT, LAPTOP, IP minimal, ES1, ES2 (shelves daisy chain), E1, E2 (external devices)]

    3.1.2 IP routing

    The IP forwarding table on the 1830 PSS is built by the OSPF routing protocol.

    [Figure labels: OSPF, OAMP, EMS, CIT, PPP (OSC, GCC0), VoIP, ES1/ES2, E1/E2]

    Fig. 2 Routing architecture

    OSPF is enabled by interface:

    - OSPF is always enabled on the PPP serial interfaces (OSC/GCC0).

    - OSPF is always enabled in passive mode on the SYSTEM management loopback address. (In some documents, the management node address can be identified another way.)

    - OSPF is enabled in passive mode on the GMRE loopback addresses if the GMRE application is used; it is disabled otherwise.

    - By default, OSPF is disabled on LAN interfaces. It can be enabled, or enabled in passive mode, on any of them:

      - OSPF is typically enabled on the OAMP interface if GNE.

      - OSPF is typically disabled on CIT since it is not assigned a routable address. CIT can be provisioned with a routable address and set to passive mode.

      - OSPF is typically enabled in passive mode on E1 and E2 interfaces when an external device is connected.

      - OSPF can be activated on the VoIP interface; it is typically enabled in passive mode.

    - OSPF is disabled within the internal network (ES1, ES2).

    OSPF advertisement:

    OSPF advertises the loopback addresses, the serial interfaces and the directly connected sub-networks if it is enabled on the interface.

    When OSPF is enabled in passive mode on an interface, no OSPF message is sent on this interface, but OSPF advertises this interface subnet on all other OSPF-enabled interfaces.

    When OSPF is enabled on an interface, OSPF messages are exchanged via this interface.

    Remark:

    On 1830, OSPF is:

    - Disabled on an interface by setting the STATUS to DISABLE,

    - Enabled on an interface by setting the STATUS to ENABLE,

    - Enabled in passive mode on an interface by setting the STATUS to REDISTRIBUTE.

  • 8/12/2019 Data Communications Network (Dcn) Planning Guide

    16/47

    Alcatel-Lucent 1830 PSS Data Communication Page 16 of 47

    Network (DCN) Planning Guide Guide8DG60888RAAA Release 3.6.0 and 3.6.1Issue 1 July 2011

    3.2 Network IP architecture

    This will be illustrated on a meshed network but applies to all the topologies

    Fig. 3 1830 IP Architecture overview

    The inside routers are logical routers running in Linux environment. The routing protocol is OSPF.

    Customer addresses

    - They are used for the network management.

    - Only the GNEs are directly connected to the management network

    [Figure labels: EMS, Workstation, PhM Workstation, Customer Management Backbone, 1830 EMS Subnet, DCN customer addresses, @OMS, @W1; OSPF area with @SYSTEM_1 to @SYSTEM_9 and @OAMP_1, @OAMP_6, @OAMP_8; Control OSPF area with @GMRE_1 to @GMRE_9 (per @GMRE_#: @GMRENODE, @GMRENOTIFY); @VoIP_2, IP phone, local DHCP connection (1 per 1830); @E1, SNMP external device, local DHCP connection (2 per 1830); internal addresses, ZIC 172.16.1.0/24, local DHCP connection (1 per 1830); LR, ILA, TOADM, 1830PSS GNE]

    - Each 1830 NE must be reachable from the management network through a GNE even on a single failure of an OSC/GCC link.

    - In order to help summarization, routing and filtering at the border of a WDM sub-network, IP addresses shall be assigned depending on the nature and usage of the interface. For that purpose, we shall identify several types of networks (a dedicated range of addresses shall be reserved for each sub-network).

    Different types of networks:

    - MGMT network for Management Loopback addresses (SYSTEM): Each 1830PSS is assigned a management address. Typically, this network is advertised outside the WDM sub-network in order to reach EMS/NMS managers.

    - CP network for Control Plane Loopback addresses (GMRENODE & GMRENOTIFY): when GMPLS is used in a WDM sub-network, each 1830PSS (except PSS1 & PSS4) is assigned 2 GMRE addresses.

    - VOIP network for VoIP addresses: used for IP phone access. Each 1830PSS can be assigned a VOIP /30 subnet (1 IP address for the PSS VOIP LAN interface + 1 IP address for the IP phone) in order to connect an IP phone to the 1830PSS. This network, which is the summarization of all VOIP subnets, can be advertised or not outside the WDM sub-network, depending on whether the phone network goes beyond the WDM sub-network or not.

    - EXTD network for External Devices addresses (E1 & E2): When connecting an external device to the E1 or E2 LAN port, the NE can be assigned a /30 subnet (1 IP address for the 1830 LAN interface + 1 IP address for the external device). Typically, this network is advertised outside the WDM sub-network in order to reach EMS/NMS managers.

    - INT network for addresses needed in order to reach interfaces which are involved in the routing process. This network is useful within an Area and it is not advertised outside the WDM sub-network. For example, LAN1 & LAN2 for inter-connection of PSS1 shall be taken in the INT network range since these addresses don't need to be known outside the Area. Another example could be the assignment of a routable address to the CIT interface in order to manage remotely another NE from the CIT port.

    - OAMP addresses: several cases are possible (typically the OAMP address is different from the SYSTEM address):

      - In case of a direct link between OAMP and an external router, a /30 subnet within the INT network range can be used;

      - In case there are also other devices on the same LAN, it could be useful to take several contiguous /30 (we need in that case at least a /29) within the EXTD network;

      - Otherwise, the need is to assign a free IP address to the OAMP port within an already existing sub-network.

    Internal addresses (not advertised by the OSPF protocol)

    - Internal sub-network: the 100.0.0.0/16 sub-network is reserved for the NE internal sub-network. Internal addresses are automatically assigned by the NE starting from the (Rack, Shelf, Slot, Port) information of the element to be addressed.

    - CIT address: 172.16.0.1/24. Dedicated to the local craft terminal.

    Rule: 1830PSS Number of OSPF Areas

    The rule is to have only one area for all 1830 NEs of a WDM sub-network.

    See the specific design described in chapter 3.3.

    Organization of the networks which belong to the Area corresponding to a WDM sub-network:

    Organization of the Network (based on a /24 network)

    Name | Function | Subnet address | Number of groups | First address | Last address
    MGMT | Loopback addresses for Management | x.x.x.0 (given by customer) | 256 | MGMT0 = x.x.x.0/32 | MGMT255 = x.x.x.255/32
    CP | GMPLS control plane (2 @ per node which run GMPLS) | x.x.x.0 (given by customer) | 128 | CP0 = x.x.x.0/31 | CP127 = x.x.x.254/31
    VoIP | IP phone | x.x.x.0 (given by customer) | 64 | VOIP0 = x.x.x.0/30 | VOIP63 = x.x.x.252/30
    EXTD | External Devices addresses | x.x.x.0 (given by customer) | 64 | EXTD0 = x.x.x.0/30 | EXTD63 = x.x.x.252/30
    INT | LAN interfaces which are advertised by OSPF but are internal in the Area. INT range does not need to be advertised outside the Area. | x.x.x.0 (given by customer) | 64 | INT0 = x.x.x.0/30 | INT63 = x.x.x.252/30
    OAMP | External DCN access. (Recommended configure as a Point to Point network between the GNE and its front router) | Customer defined | At least 2 (1 per GNE) | - | -

    Engineering Guidelines: 1830PSS Organization of Networks within a WDM sub-network - M

    - The MGMT network address range shall be provided by the customer for NE management address assignment.

    - The CP network address range shall be provided by the customer for NE Control Plane address assignment if GMPLS is enabled in the WDM sub-network.

    - The VoIP network address range shall be provided by the customer for NE VoIP address assignment if the Voice over IP solution is used in the WDM sub-network.

    - The EXTD network address range shall be provided by the customer for External Devices address assignment if needed.

    - The INT network address range shall be provided by the customer for enabling LAN interfaces involved in the routing process within an Area but unknown by the manager.

    - The address range of each network cannot correspond to 1830PSS internal addresses (100.0.0.0/16 and 172.16.0.1/24).

    - The size of each network depends on the WDM sub-network size. Typically each range of addresses corresponds to a /24 sub-network.

    Engineering Guidelines: 1830PSS(16,32,36) NE addresses assignment - M

    1830PSS (PSS16, PSS32 or PSS36) shall be assigned:

    - A Management Loopback address within the MGMT range

    - GMRE Loopback addresses in the CP range if it is a PSS16/32/36 and if GMPLS is enabled in the WDM sub-network

    - Optionally CIT address within the INT or EXTD range

    - Optionally VOIP address within the VOIP range

    - Optionally E1/E2 addresses within the EXTD range

    - Optionally OAMP address

    Engineering Guidelines: 1830PSS(1,4) NE addresses assignment - M

    1830PSS (PSS16, PSS32 or PSS36) shall be assigned:

    - A Management Loopback address within the MGMT range

    - Optionally CIT address within the INT or EXTD range

    - Optionally LAN1/LAN2 addresses within the INT (general) or EXTD (specific need) range

    Engineering Guidelines: 1830PSS SYSTEM@ unique - M

    The operator must be sure the SYSTEM address is unique in the scope of its DCN. It can be performed by:

    - Assignment of a MGMT addresses range to the WDM sub-network, taking into account further extensions.
    - Each node is assigned a MGMT address.

    Example where NE is assigned the MGMT4 address within the MGMT 135.1.1.0/24 network:

    SYSTEM=MGMT4=135.1.1.4

    Engineering Guidelines: 1830PSS GMRE@ unique - M

    The operator must be sure the GMRENODE and GMRENOTIFY addresses are not duplicated in the Area.

    In order to be ready for further GMPLS evolutions, it is recommended that these addresses are unique in the customer DCN.

    It can be performed by:

    - Assignment of a CP addresses range to the WDM sub-network, taking into account further extensions.
    - Each node which runs the GMRE application is assigned a CP address.

    Example where NE is assigned the CP2 addresses within the CP 135.1.5.0/24 network:

    GMRENODE=CP2_node=135.1.5.4

    GMRENOTIFY=CP2_notify=135.1.5.5
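The address rules above (customer ranges clear of the 1830PSS internal addresses, SYSTEM taken from MGMT, GMRE loopbacks taken from CP, no duplicates) can be checked mechanically before commissioning. The following is an added example, not part of the guide or of any Alcatel-Lucent tool; the function names, node names and every sample address other than the guide's 135.1.x.x examples are assumptions made for the demonstration.

```python
"""Address-plan checker for an 1830 PSS WDM sub-network (added example)."""
import ipaddress
from collections import defaultdict

# Internal 1830PSS ranges quoted in the guide; customer ranges must avoid them.
RESERVED = [
    ipaddress.ip_network("100.0.0.0/16"),
    ipaddress.ip_network("172.16.0.1/24", strict=False),  # guide writes it in host form
]

# Customer range each loopback must be taken from, per the guidelines above.
LOOPBACK_RANGE = {"SYSTEM": "MGMT", "GMRENODE": "CP", "GMRENOTIFY": "CP"}


def check_ranges(ranges):
    """Flag customer ranges that collide with the 1830PSS internal addresses."""
    findings = []
    for name, cidr in ranges.items():
        net = ipaddress.ip_network(cidr)
        for reserved in RESERVED:
            if net.overlaps(reserved):
                findings.append(f"{name} {net} overlaps internal range {reserved}")
    return findings


def check_loopbacks(ranges, nodes):
    """Check range membership and uniqueness of SYSTEM/GMRE loopbacks."""
    findings = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in ranges.items()}
    owners = defaultdict(list)  # address -> ["node/role", ...]
    for node, loopbacks in sorted(nodes.items()):
        if "SYSTEM" not in loopbacks:
            findings.append(f"{node}: no SYSTEM (management loopback) address")
        for role, addr in loopbacks.items():
            ip = ipaddress.ip_address(addr)
            owners[ip].append(f"{node}/{role}")
            wanted = LOOPBACK_RANGE[role]
            if wanted not in nets:
                findings.append(f"{node}: {role} set but no {wanted} range in the plan")
            elif ip not in nets[wanted]:
                findings.append(f"{node}: {role} {ip} is outside {wanted} {nets[wanted]}")
    for ip in sorted(owners):
        if len(owners[ip]) > 1:
            findings.append(f"duplicate address {ip}: {', '.join(owners[ip])}")
    return findings


def audit(ranges, nodes):
    """Run every check; an empty list means the plan passes."""
    return check_ranges(ranges) + check_loopbacks(ranges, nodes)


# Constructed sample plans. 135.1.1.0/24, 135.1.5.0/24 and the NE_A addresses
# reuse the guide's examples; everything else is made up for the demonstration.
GOOD_RANGES = {"MGMT": "135.1.1.0/24", "CP": "135.1.5.0/24"}
GOOD_NODES = {
    "NE_A": {"SYSTEM": "135.1.1.4", "GMRENODE": "135.1.5.4", "GMRENOTIFY": "135.1.5.5"},
    "NE_B": {"SYSTEM": "135.1.1.5", "GMRENODE": "135.1.5.6", "GMRENOTIFY": "135.1.5.7"},
}
BAD_RANGES = {"MGMT": "135.1.1.0/24", "CP": "135.1.5.0/24", "INT": "172.16.0.128/25"}
BAD_NODES = {
    "NE_A": {"SYSTEM": "135.1.1.4", "GMRENODE": "135.1.5.4", "GMRENOTIFY": "135.1.5.5"},
    # NE_B reuses NE_A's SYSTEM and GMRENOTIFY and has a GMRENODE outside CP.
    "NE_B": {"SYSTEM": "135.1.1.4", "GMRENODE": "135.1.6.6", "GMRENOTIFY": "135.1.5.5"},
}

if __name__ == "__main__":
    for finding in audit(BAD_RANGES, BAD_NODES):
        print("FINDING:", finding)
```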


    4 Physical Network description

    4.1 1830 PSS boards

    4.1.1 FLC & MTX (MT0C) PSS36

    FLC (First Level Controller) provides two (2) general purpose switched auto-sensing LAN ports (10/100BaseTX):

    - Ethernet #1 - CIT - is dedicated to CIT connection.
    - Ethernet #2 - OAMP - is dedicated to DCN backbone connection but can be used to connect local third party equipment.

    MTX (matrix) provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX):

    - Ethernet #1 - VoIP - and externally managed devices. The VoIP port can be used to connect to an IP phone.
    - Ethernet #2 - AUX - for future use.
    - Ethernet #3 and #4 - E1 and E2 - two External LAN ports (which can be used to connect to externally managed devices), labeled E1-LAN and E2-LAN. These ports are auto-sensing, so either a cross-over or straight-thru Ethernet cable can be used.

    In PSS36, LAN interface redundancy is strictly coupled to FLC/MT0C redundancy, i.e. only the LAN interfaces hosted on the active FLC/MT0C are enabled. The LAN interfaces of the standby FLC/MT0C are disabled.

    However, R3.6 PSS36 doesn't really support redundancy for FLC/MT0 packs.

    [Figure: PSS36 shelf layout (slots 1 to 45, with BTC, FLC, FAN and MT0C packs) showing the LAN ports VoIP, AUX, ES1, ES2, CIT, OAMP, E1 and E2. Labels: front router to customer network, CIT interface, IP phone, daisy chain, disabled.]


    4.1.2 User panel PSS32/ PSS16

    USRPNL (User panel) provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX):

    - Ethernet #1 - OAMP - for connection to EMS/NMS. The OAMP port shall be used to connect to the External Management System (EMS).
    - Ethernet #2 - VoIP - and externally managed devices. The VoIP port can be used to connect to an IP phone.
    - Ethernet #3 and #4 - E-LAN1 and E-LAN2 - two External LAN ports (which can be used to connect to externally managed devices), labeled E1-LAN and E2-LAN. These ports are auto-sensing, so either a cross-over or straight-thru Ethernet cable can be used.

    The NE shall support 2 craft ports: a female (DB9) port and a USB-B port. Both support a local RS-232C serial interface (supported setting: 34800 baud, 1 stop bit, no parity) for connection to a craft terminal via serial link.

    The role of USRPNL in EC redundancy

    In case of failure of the active EC, the communication towards the NMS should be kept. The applications will be launched on the standby EC. Through the back plane, a LAN communication is established between the USRPNL board and the two EC boards. The USRPNL board will update its ARP table with the MAC address of the new active EC.

    4.1.3 EC - Controller board PSS32/ PSS16

    EC (Equipment Shelf Controller) provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX):

    - Ethernet #1 - CIT - is dedicated to CIT connection.
    - Ethernet #2 - AUX - is dedicated to DCN backbone connection but can be used to connect local third party equipment. This port is for future use.
    - Ethernet #3 and #4 - ES1 and ES2 - are reserved for inter-shelf connectivity (between master/slave or between slave shelves).

    [Figure: PSS32/PSS16 port connections. Labels: front router to customer network, IP phone, external devices.]


    4.1.4 EC - Controller board PSS-4

    EC provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX), for connection to EMS/NMS, cascading and externally managed devices (in a future release).

    The OAMP port shall be used to connect to the Element Management System (EMS).

    The CIT port and CRAFT port share one LAN port (pins 1/2/3/6 for CIT, pins 7/8 for RS232 Rx/Tx, pin 4 GND for RS232). The CIT port is used for the local NE commissioning.

    The local RS-232 serial interface (supported setting: 38400 baud, 1 stop bit, no parity) is for connection to a craft terminal via serial link.

    The bottom two ports (labeled ES1 and ES2; ES for extension shelf) shall be used to connect to 1830 PSS-4 extension shelves, a.k.a. sub-shelves.

    4.1.5 FAN - PSS-1 Edge Device

    FAN provides three (3) general purpose switched auto-sensing LAN ports (10/100BaseTX). The ports are physically connected to the Ethernet switch on the equipment controller through back plane links.

    [Figure: inter-shelf links. Labels: from previous shelf, to next shelf, inter shelves links, disabled.]


    - Ethernet #1 - CIT - is dedicated to CIT connection.
    - Ethernet #2 and #3 - LAN1 and LAN2 - are used to support the management network connection (see table below) or daisy-chained LAN connections among Edge Devices.

    Management Port | User Interface  | IP Service
    ----------------+-----------------+-----------
    CIT             | PhM, CLI, WebUI | DHCP
    LAN1 (Master)   | PhM, CLI, WebUI |
    LAN2            | --              | --

    LAN1 and LAN2 operational mode

         | Master Shelf,    | Master Shelf, | Sub-shelf,
         | Stand-alone Mode | Mini-NE mode  | Mini-NE mode
    -----+------------------+---------------+-------------
    LAN1 | DCN              | DCN           | Internal LAN
    LAN2 | Disabled         | Internal LAN  | Internal LAN

    4.1.6 Managers

    1830 PSS provides several management interfaces (SNMP, TL1, Web UI, CLI).

    It can be managed by the following Alcatel-Lucent managers:

    - The 1350 OMS is the network management product that provides unified end-to-end network management and operational support for all network element products in Alcatel-Lucent's Optics portfolio, including service provisioning over multi-technology optical infrastructures. It provides the ASON (Automatically Switched Optical Network) management of the network. It is the management solution of Alcatel-Lucent when GMPLS is used.
    - The PhM is another network management product, focused on 1830PSS, that provides WDM management.
    - The 5620 SAM is designed to manage IP/Optics networks.


    5 Building 1830PSS DCN networks

    We define a WDM sub-network by:

    - Group of 1830 PSS linked together via WDM links
    - PSS1 & PSS4 nodes which are connected to a WDM 1830 PSS are also part of the WDM sub-network
    - 3R regeneration at the border of the WDM sub-network (OTU Trail is terminated)

    Other characteristics:

    - Nodes of a WDM sub-network belong to the same management Area and have a centralized Management System (ALU 1350 OMS).
    - If GMPLS is used in the WDM sub-network, there is one, indivisible Control Plane area.

    The 1830 DCN network architecture ensures the reliability of the connections for DCN and WDM networks.

    To ensure the reliability of the 1830 DCN network, several solutions are implemented:

    - Meshed architecture
    - At least two GNEs per subnet
    - Dynamic routing protocol OSPF

    Reminder:

    A Node belongs to an OSPF Area if at least one interface is enabled in this Area. It is possible that an area is defined without any interface enabled in this Area (for example, Area#0 is always defined on 1830).

    The main rule is that each NE must have at least two links to two different neighbors. Links can be OSC, GCC or Ethernet; neighbors can be 1830PSS or IP router.

    Engineering Guidelines: 1830PSS - Routes redundancy - R

    Each 1830PSS must be connected to at least two NEs/routers within the same OSPF Area, by OSC or GCC link or by Ethernet link.


    This request is a nice-to-have in PSS1 & PSS4 cases.

    Engineering Guidelines: 1830 OAMP on GNE - R

    A 1830PSS plays the GNE role when it provides an access to the external DCN.

    Typically:

    - This access is performed via the OAMP interface towards an external router.
    - OSPF is enabled on the OAMP interface and it is in the same Area as the other interfaces.
    - OAMP access is secured by other GNEs and there is no need to be locally resilient to OAMP failure.
    - Nevertheless, it is not forbidden to use another LAN interface (for example E1 or E2) in order to locally secure the OAMP link.

    Engineering Guidelines: 1830 - GNE number - R

    The recommendation is to configure at least two GNEs per OSPF area.

    Additional rules (fair load sharing of outgoing traffic between GNEs):

    - GNEs are defined in such a way that any RNE is at a reasonable distance from the closest GNE.
    - Typically, 2 GNEs are requested for areas of up to 100 NEs + 1 GNE per additional group of 100 NEs in the Area.

    With the OSPF protocol, each area must be connected to area 0 for inter-area exchanges. Area 0 is called the backbone. Here, that means the WDM management backbone. Area 0 is dedicated to the DCN 1830PSS network. If connections are needed toward a higher level network, it is up to the network design team to provide a solution for network connections.


    5.1 Single OSPF area

    [Figure: linear WDM chain (Terminal, Repeater, OADM, Terminal) linked by OSC. GNE 1 and GNE 2 connect over Ethernet to IP routers on the customer IP network, which also hosts the 1350 OMS; a direct link joins the two routers. Only one OSPF area is needed (Area #i); the customer OSPF area is Area #0.]

    Fig. 4 Single OSPF area, linear WDM

    The diagram above describes the standard case of a single area. All the 1830PSS belong to the same area (#i) and the customer backbone is the area 0.

    Redundancy within the Area #i is provided thanks to a Direct Link between the Routers at the border of the area. This link can be made over a tunnel through the backbone (the tunnel is configured on the external routers only; it is not available on 1830). The constraint is to maintain it within the area #i.

    [Figure: ring WDM network (Terminal, Repeater, OADM, Terminal) linked by OSC. GNE 1 and GNE 2 connect over Ethernet to IP routers on the customer IP network, which also hosts the 1350 OMS. Only one OSPF area is needed (Area #i); the customer OSPF area is Area #0.]

    Fig. 5 Single OSPF area, ring WDM


    In this case, redundancy within the Area #i is provided thanks to WDM redundancy.

    In both previous cases, when the backbone is very simple and dedicated to the management of the WDM network, this can be simplified into a single area #0 (-> Area#i=Area#0). It's up to the network designer and the customer to decide.

    Engineering Guidelines: 1830PSS WDM sub-network and OSPF Area - M

    All Nodes of a WDM sub-network must belong to the same OSPF Area. This is required because of wavelength keys distribution constraints.

    Typically, a DCN OSPF area is assigned per WDM sub-network.

    It is possible to set several WDM sub-networks in the same OSPF area if it is compatible with the maximum number of NEs.


    Engineering Guidelines: 1830PSS Default OSPF parameters - D

    Dynamic routing configuration

    - The routing protocol is OSPF; it runs on all 1830 PSS.
    - The 1830PSS default OSPF parameters are:
        - Hello interval : 10
        - Dead interval : 40
        - Metric : 10 (OSC), 40 (GCC OTU1), 30 (GCC OTU2), 20 (GCC OTU3), 10 (OAMP)
        - Route priority : 1
    - Subnets advertised by the NE :
        - SYSTEM (NE management address = IP_RID).
        - Optionally:
            - GMRE addresses (GMRENODE & GMRENOTIFY) if the GMRE application is activated. It does not apply to PSS1/PSS4.
            - OAMP subnet (typically GNE case)
            - Subnets used to reach external devices (E1, E2)
            - Subnets used for NE DCN inter-connection via LAN (LAN1, LAN2)
            - VOIP
            - CIT if a routable address is assigned to the CIT port

    Engineering Guidelines: 1830PSS number of NEs per OSPF Area - D

    In the DCN network, the maximum number of Nodes per Area is 500.


    Engineering Guidelines: 1830PSS number GMPLS NEs in a WDM sub-network - D

    If GMPLS is enabled in a WDM sub-network, the maximum number of 1830 PSS which run GMPLS is 100 (PSS1 & PSS4 don't run GMPLS).
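The sizing and redundancy guidelines of this chapter (two distinct neighbours per NE, GNE count, 500 nodes per area, 100 GMPLS nodes) lend themselves to an automated check of a planned area. The following is an added example, not part of the guide; the data model, function names and the sample topology are assumptions. It also assumes one WDM sub-network per OSPF area and counts a started group of 100 NEs as a full group when computing the GNE requirement.

```python
"""DCN topology checker for one 1830 PSS OSPF area (added example)."""
import math
from collections import defaultdict

MAX_NODES_PER_AREA = 500            # guideline: number of NEs per OSPF Area
MAX_GMPLS_NODES = 100               # guideline: GMPLS NEs in a WDM sub-network
SMALL_SHELVES = {"PSS1", "PSS4"}    # redundancy is nice-to-have; no GMPLS
LINK_KINDS = {"OSC", "GCC", "ETH"}  # link types the guide allows for the DCN


def required_gnes(ne_count):
    """2 GNEs up to 100 NEs, plus 1 per additional (started) group of 100."""
    if ne_count <= 100:
        return 2
    return 2 + math.ceil((ne_count - 100) / 100)


def audit_area(nodes, links):
    """Check one OSPF area against the engineering guidelines.

    nodes: {name: {"type": "PSS32", "gne": bool, "gmpls": bool}}
    links: [(end_a, end_b, kind)], all inside the area; external routers may
           appear as link ends without being listed in `nodes`.
    Returns (errors, warnings) as two lists of strings.
    """
    errors, warnings = [], []
    neighbours = defaultdict(set)
    for end_a, end_b, kind in links:
        if kind not in LINK_KINDS:
            errors.append(f"link {end_a}-{end_b}: unsupported link type {kind}")
            continue
        neighbours[end_a].add(end_b)
        neighbours[end_b].add(end_a)

    for name, attrs in sorted(nodes.items()):
        count = len(neighbours[name])
        if count < 2:
            message = f"{name}: only {count} neighbour(s) in the area"
            # Mandatory for PSS16/32/36, nice-to-have for PSS1 and PSS4.
            (warnings if attrs["type"] in SMALL_SHELVES else errors).append(message)
        if attrs.get("gmpls") and attrs["type"] in SMALL_SHELVES:
            errors.append(f"{name}: {attrs['type']} does not run GMPLS")

    if len(nodes) > MAX_NODES_PER_AREA:
        errors.append(f"{len(nodes)} nodes in the area, maximum is {MAX_NODES_PER_AREA}")
    gmpls_nodes = sum(1 for attrs in nodes.values() if attrs.get("gmpls"))
    if gmpls_nodes > MAX_GMPLS_NODES:
        errors.append(f"{gmpls_nodes} GMPLS nodes, maximum is {MAX_GMPLS_NODES}")
    gnes = sum(1 for attrs in nodes.values() if attrs.get("gne"))
    needed = required_gnes(len(nodes))
    if gnes < needed:
        errors.append(f"{gnes} GNE(s) configured, {needed} required for {len(nodes)} NEs")
    return errors, warnings


# Constructed sample area: a three-node ring, one spur NE, one edge device,
# and a single GNE behind front router R1.
SAMPLE_NODES = {
    "GNE_1": {"type": "PSS32", "gne": True, "gmpls": True},
    "NE_A": {"type": "PSS32", "gne": False, "gmpls": True},
    "NE_B": {"type": "PSS16", "gne": False, "gmpls": True},
    "NE_C": {"type": "PSS32", "gne": False, "gmpls": True},
    "EDGE_1": {"type": "PSS1", "gne": False, "gmpls": False},
}
SAMPLE_LINKS = [
    ("R1", "GNE_1", "ETH"),
    ("GNE_1", "NE_A", "OSC"),
    ("NE_A", "NE_B", "OSC"),
    ("NE_B", "GNE_1", "GCC"),
    ("NE_B", "NE_C", "OSC"),    # NE_C hangs off a single neighbour
    ("NE_A", "EDGE_1", "ETH"),  # PSS1 with a single uplink
]

if __name__ == "__main__":
    found_errors, found_warnings = audit_area(SAMPLE_NODES, SAMPLE_LINKS)
    for line in found_errors:
        print("ERROR:", line)
    for line in found_warnings:
        print("WARNING:", line)
```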

    5.2 Multiple OSPF areas

    [Figure: two WDM sub-networks, one in OSPF Area #i (GNE 1i, GNE 2i) and one in OSPF Area #j (GNE 1j, GNE 2j), each linked internally by OSC and connected over Ethernet to the backbone (OSPF Area #0). An external device is attached over Ethernet. Labels: summarization on ABRs, dynamic routes through the backbone.]

    Fig. 6 Multiple OSPF area

    In a multi-area environment, each WDM sub-network is in a dedicated Area.


    6 Network requirements

    6.1 External routers

    Front routers for 1830PSS DCN must provide routes to reach the management equipment (1350 OMS) and the other 1830PSS through the DCN.

    The rules are:

    Engineering Guidelines: 1830PSS Router - D

    - One router per GNE.
    - Dynamic routing is recommended (see also the next Engineering Guidelines, "Routes management for front router").
    - No redundancy is required on each GNE; it is based on routes toward the other GNE (see the Engineering Guidelines "GNE number").
    - The router needs one physical interface connected to the 1830PSS (10/100 Mb/s).
    - The connection port is called OAMP. Depending on the type of PSS shelf used, the port can be placed on the User Panel, FLC or MTX.
    - The IP address of the interface toward the 1830PSS must be in the OAMP subnet.

    Engineering Guidelines: 1830PSS - Routes management for front router - D

    Dynamic routing configuration

    - The routing protocol is OSPF; it must be activated at the interface with the GNE.
    - The interface to the GNE must be set in the same area as the 1830 OAMP interface.
    - The configuration of the interface to the backbone will depend on the customer DCN (for example, the routing protocol is customer specific). It is the responsibility of the network design team to adapt the external interface to particular needs (backbone routing protocol, ...).


    - Summarization: Routes summarization has to be activated at the border of the area. Only a subset of the addresses shall be summarized (see 3.2).
    - Routes to advertise to the GNE: we recommend using a totally stubby area so that only a default route is advertised to the GNE. If a standard area must be used (not recommended), the following routes must be advertised:
        - Management subnet. This avoids routes recalculation if the 1350 OMS has to move inside the management subnet, and is not as wide as a default route.

    Other optional router features

    Depending on the other capabilities of the router, the following features are useful:

    - Access lists. They can restrict the access to the 1350 OMS (the active one and the standby one) inside the management subnet.
    - IP port filtering
    - QoS marking
    - IPsec tunneling. Mandatory if the IP flow has to cross an unsecure network.

    Engineering Guidelines: 1830PSS Intra area path redundancy - D

    A direct path has to be set between each front router inside a DCN area if the path redundancy is not ensured by a fully meshed architecture of the WDM network (through the OSC/GCC).

    Due to host (1830PSS) routes summarization inside the front routers, this path must be an intra area path. Depending on project constraints, it can be any kind of direct link or a tunnel via the backbone.


    This path will ensure the defense of routing in case of OSC/GCC failure in a linear network, for instance.

    6.2 Time management

    The NE shall support the NTP protocol version 3 (RFC 1305) and version 4 (see ntp.org). This provides the mechanisms to synchronize time and coordinate time distribution in large networks. It uses a returnable-time design in which a distributed subnet of time servers operating in a self-organizing, hierarchical master-slave configuration synchronizes local clocks within the subnet to national time standards via wire or radio. The servers can also redistribute reference time via local routing algorithms and time daemons. NTP has been designed to work in a TCP/IP environment using UDP datagrams.

    Rule: 1830PSS - NTP version

    The 1830 NTP release is version 3 (RFC 1305) and version 4 (4.2.6p2).

    The NE shall interoperate transparently with NTP servers that support either version 3 or version 4.

    Engineering Guideline: 1830PSS NTP server - M

    It is mandatory to provide access to an NTP server for each 1830PSS in such a way that all 1830 PSS of a WDM sub-network are synchronized on the same time.

    The recommendation is to use the Network Manager as NTP server. Notice that the EMS is an NTP tier 2 server which shall be connected to a tier 1 server.

    Up to three NTP servers can be declared. It is mandatory to keep them synchronized. The backup server must send the same time as the main one.

    The NTP feature can be activated from ZIC or via management interface commands.

    6.3 Address plan

    A WDM sub-network will request one OSPF area.

    To design a WDM sub-network, the customer must provide following information:


    Table 3 : Network addresses plan

    For Management systems

    NE type        | Address    | Subnet | Mask | Router | Gateway address
    ---------------+------------+--------+------+--------+----------------
    1350 OMS DCN   | Mngt . . . | . . .  | /    | BR1    | . . .
    1350 OMS GMPLS | Mngt . . . | . . .  | /    | BR2    | . . .
    W_i WS         | Mngt . . . | . . .  | /    | BR3    | . . .

    As many lines as WorkStation for management (2)

    WDM sub-network

    OSPF Area :

    Network type               | Address | Subnet | Mask | Router | Gateway address
    ---------------------------+---------+--------+------+--------+----------------
    MGMT                       | . . .   |        | /    |        |
    CP                         |         |        | /    |        |
    VoIP                       | . . .   |        | /    |        |
    EXTD                       | . . .   |        | /    |        |
    INT                        | . . .   |        | /    |        |
    Ext. router 1 subnet (ER1) | . . .   |        | /30  |        |
    Ext. router 2 subnet (ER2) | . . .   |        | /30  |        |
    As many external routers   |         |        | /30  |        |
    as GNEs                    |         |        |      |        |

    For 1830PSS of GNE type

    NE Name      | Interface  | Address          | Subnet     | Mask | Router | Gateway address
    -------------+------------+------------------+------------+------+--------+----------------
    GNE_1 (PSS.) | OAMP       | . . . .          | . . .      | /30  | R1     | . . .
                 | SYSTEM     | MGMT . . . .     |            | /32  |        |
                 | GMRENODE   | CP . . . .       |            | /32  |        |
                 | GMRENOTIFY | CP . . . .       |            | /32  |        |
                 | CIT        | local 172.16.0.1 | 172.16.0.0 | /24  |        |
                 | VOIP       | VOIP . . . .     | . . .      | /30  |        |
                 | E1         | EXTD . . . .     | . . .      | /30  |        |
                 | E2         | EXTD . . . .     | . . .      | /30  |        |
    GNE_2 (PSS.) | OAMP       | . . . .          | . . .      | /30  | R2     | . . .
                 | SYSTEM     | MGMT . . . .     |            | /32  |        |
                 | GMRENODE   | CP . . . .       |            | /32  |        |
                 | GMRENOTIFY | CP . . . .       |            | /32  |        |
                 | CIT        | local 172.16.0.1 | 172.16.0.0 | /24  |        |
                 | VOIP       | VOIP . . . .     | . . .      | /30  |        |
                 | E1         | EXTD . . . .     | . . .      | /30  |        |
                 | E2         | EXTD . . . .     | . . .      | /30  |        |

    As many 8 lines as GNE (at least 2 GNEs)

    For PSS16/PSS32/PSS36 of non GNE type

    NE Name | Interface  | Address          | Subnet     | Mask
    --------+------------+------------------+------------+-----
    NE_i    | SYSTEM     | MGMT . . . .     |            | /32
            | GMRENODE   | CP . . . .       |            | /32
            | GMRENOTIFY | CP . . . .       |            | /32
            | CIT        | local 172.16.0.1 | 172.16.0.0 | /24
            | VOIP       | VOIP . . . .     | . . .      | /30
            | E1         | EXTD . . . .     | . . .      | /30
            | E2         | EXTD . . . .     | . . .      | /30
            | OAMP       | . . . .          | . . .      | /30

    As many 8 lines as PSS

    For PSS1/PSS4 of non GNE type

    NE Name | Interface | Address          | Subnet     | Mask
    --------+-----------+------------------+------------+-----
    NE_i    | SYSTEM    | MGMT . . . .     |            | /32
            | CIT       | local 172.16.0.1 | 172.16.0.0 | /24
            | LAN1      | INT . . . .      | . . .      | /30
            | LAN2      | INT . . . .      | . . .      | /30

    As many 4 lines as PSS

    R1 - R2 intra area link (tunnel)

           | Backbone                      | Tunnel
    Router | @interface | Subnet   | Area  | @     | Subnet   | Area  | Source | dest
    -------+------------+----------+-------+-------+----------+-------+--------+------
    R1     | . . .      | . . . /  | . . . | . . . | . . . /  | . . . | . . .  | . . .
    R2     | . . .      | . . . /  | . . . | . . . | . . . /  | . . . | . . .  | . . .


    7 Security

    7.1 Use RADIUS for user identification

    At first installation the 1830PSS user authentication is done with local database user definitions. Using RADIUS reinforces this security and shares the same user definitions between several NEs.

    The procedure for setting RADIUS is:

    1. Choose a RADIUS server

    2. Activate the server for user authentication.

    7.1.1 Set the RADIUS server

    The following command will set the RADIUS server on the 1830PSS.

    [TL1]ENT-RADIUS-SERVER:::::RAD1,ENABLE:IPADDR=[,PORT=],SECRET=;

    [CLI]config admin authentication radius add RAD1 [:]

    Is the IP address of the RADIUS server

    Is the IP port used by your RADIUS server, from 1 to 65000. Default value is 1812.

    is a 5 to 32 chars password.

    7.1.2 Enable RADIUS usage

    The following command will force user authentication using RADIUS server on the 1830PSS.

    [TL1]SET-RADIUS-AUTH:::::RADIUS;

    [CLI]config admin authentication order radius

    7.2 Secure/unsecure mode

    At commissioning the 1830PSS is provided in unsecure mode. In secure mode, for the TL1/CLI flow, the telnet (23, 3082, 3083), ftp (20 & 21) and http (80) flows will be disabled and only SSH (22), SFTP and HTTPS (443) will be available.

    This protocol implements ciphering and provides authentication of the 1830PSS. It has to be implemented on each 1830PSS NE (GNE or not). The 1830PSS acts as a server; the clients are applications on the 1350 OMS or any other terminal or customer OMS.

    As described below, the customer network administrator can choose to install the public key and the certificate in his network, or let the user accept the certificate and key at the first connection.

    The procedure for implementing the secure mode is:

    1. Generate the SSH key

    2. Set the secure mode on. In secure mode the user will not be able to connect without SSH, so the key must have been generated before switching to secure mode.


    7.2.1 Certificate generation

    7.2.1.1 SSH/SFTP

    The 1830PSS is provided without any SSH key. A standard certificate can be generated using TL1 or CLI:

    Public and private keys will be generated on the 1830PSS.

    [TL1]INIT-SSH-KEY:[TID]::[CTAG]:::[KEYTYPE=][,MODULUS=];

    KEYTYPE is DSA.

    MODULUS is 0.

    [CLI]crypto key generate

    Examples:

    - To generate a DSA key:

    [TL1]INIT-SSH-KEY::::::KEYTYPE=DSA,MODULUS=0;

    The network administrator can then get the public key (see 7.2.2.1.1) and install it on his servers.


    7.2.1.2 HTTPs

    The 1830PSS is provided with a self-signed certificate. It's up to the customer to allow this certificate in his network by adding it to his trusted certificates list.

    The first time a user connects to the NE, he will obtain the following screen.

    Fig. 7: Internet Explorer and Mozilla Certificates alert

    The right action is to select "No" or "Do not accept this certificate" and contact your network administrator.

    Customer Administrator

    The network administrator should examine the certificate and, if he recognizes it, add it to the trusted certificates list.


    7.2.2 Secure mode initialization

    The following TL1 or CLI commands set the SECURE MODE.

    The syntax is:

    [TL1]SET-ATTR-SECUDFLT::::::SECACC=ENCRYPTED;

    [CLI]crypto admin ui mode encrypted

    Restriction: 1830PSS Secure mode compatibility

    Warning:

    - Before changing the secure mode to ENCRYPTED, check the ability of the managers to use SSH, HTTPs and sFTP. All the remote systems must be compliant.
    - Changing the secure mode will provoke a reboot of the 1830PSS, and if the remote systems cannot use SSH, HTTPs and sFTP, they will no longer be able to connect to the 1830PSS.

    7.2.2.1.1 Getting the public key

    The following TL1 or CLI command retrieves the public key of the NE.

    [TL1]RTRV-SSH-KEY;

    [CLI]crypto key details

    This key should be distributed to the SSH clients. If it is not, the client must be allowed to accept the key at first connection.

    This command can be used whatever the secure mode is (secure or insecure).

    7.2.2.1.2 Certificate modification

    To modify the certificate, a new generation must be launched.

    7.3 Firewall configuration, list of protocols/ports

    7.3.1 Ports in secure mode

    Table 4 : Management flows and ports toward the GNE 1830PSS

    Name                                   | Src port | Dest Port | Dialogue initiator | Comment
    ---------------------------------------+----------+-----------+--------------------+--------------------------------
    SSH                                    |          | 22/tcp    | Manager            | Secured telnet and ftp. Use SSH
    TL1 (secure session opened through CLI |          |           | Manager            |
    session over SSH port 22 using tools   |          |           |                    |
    tl1 CLI command)                       |          |           |                    |
    HTTPS                                  |          | 443/tcp   | Manager            | HTTPS

    Table 5 : Management flows and ports from the GNE 1830PSS

    Name | Src port | Dest Port | Dialogue initiator | Comment
    -----+----------+-----------+--------------------+-------------------------------
    sFTP |          | 22/tcp    | 1830PSS            |
    NTP  |          | 123/udp   | 1830PSS            | Network time of day sync port.

    7.3.2 Ports in non secured mode

    Table 6 : Management flows and ports toward the GNE 1830PSS

    Name       | Src port | Dest Port | Dialogue initiator | Comment
    -----------+----------+-----------+--------------------+---------------------------------------------------------
    Telnet     |          | 23/tcp    | Manager            |
    HTTP       |          | 80/tcp    | Manager            |
    TL1        |          | 3082/tcp  | Manager            | Destination port opened by OAM server TL1 agent raw mode
               |          | 3083/tcp  | Manager            | Destination port opened by OAM server TL1 agent
    MTNM/Corba |          | 34567/tcp | Manager            | GMPLS MTNM management
    GMRE CLI   |          | 30000/tcp | Manager            | GMPLS CLI management

    Table 7 : Management flows and ports from the GNE 1830PSS

    Name       | Src port | Dest Port | Dialogue initiator | Comment
    -----------+----------+-----------+--------------------+-------------------------------
    FTP        |          | 20&21/tcp | 1830PSS            |
    sFTP       |          | 22/tcp    | 1830PSS            | Secured FTP
    MTNM/Corba |          | 5066/tcp  | 1830PSS            | GMPLS MTNM management
    NTP        |          | 123/udp   | 1830PSS            | Network time of day sync port.
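The port tables above can double as an allow-list for auditing traffic seen at the front router or firewall, in particular to spot managers that still try Telnet, HTTP, raw TL1 or FTP after an NE has been switched to secure mode. The following is an added example, not part of the guide; the flow-log line format, the function names and the 10.10.0.x manager addresses are assumptions, and the port sets are transcribed from Tables 4 to 7 only.

```python
"""Flow audit against the 1830 PSS port tables (added example)."""

# (direction, protocol, destination port) -> service, from Tables 4 to 7.
# "in"  = the manager opens the session toward the GNE,
# "out" = the 1830PSS opens the session.
SECURE = {
    ("in", "tcp", 22): "SSH",
    ("in", "tcp", 443): "HTTPS",
    ("out", "tcp", 22): "sFTP",
    ("out", "udp", 123): "NTP",
}
NON_SECURE = {
    ("in", "tcp", 23): "Telnet",
    ("in", "tcp", 80): "HTTP",
    ("in", "tcp", 3082): "TL1 raw mode",
    ("in", "tcp", 3083): "TL1",
    ("in", "tcp", 34567): "MTNM/Corba",
    ("in", "tcp", 30000): "GMRE CLI",
    ("out", "tcp", 20): "FTP",
    ("out", "tcp", 21): "FTP",
    ("out", "tcp", 22): "sFTP",
    ("out", "tcp", 5066): "MTNM/Corba",
    ("out", "udp", 123): "NTP",
}


def parse_flow(line, gne_addrs):
    """Parse 'timestamp src=.. dst=.. proto=.. dport=..' (assumed log format).

    Returns (direction, proto, dport, src, dst), or None when neither end of
    the flow is one of the GNE addresses.
    """
    fields = dict(item.split("=", 1) for item in line.split()[1:])
    if fields["dst"] in gne_addrs:
        direction = "in"
    elif fields["src"] in gne_addrs:
        direction = "out"
    else:
        return None
    return direction, fields["proto"], int(fields["dport"]), fields["src"], fields["dst"]


def classify(key, mode):
    """Return (verdict, service) for a (direction, proto, port) key."""
    allowed = SECURE if mode == "secure" else NON_SECURE
    if key in allowed:
        return "allowed", allowed[key]
    if mode == "secure" and key in NON_SECURE:
        # A service the NE turns off in secure mode: a client was not migrated.
        return "disabled-in-secure-mode", NON_SECURE[key]
    return "unlisted", None


def audit(lines, gne_addrs, mode="secure"):
    """Return (verdict, service, src, dst, port/proto) for each non-allowed flow."""
    findings = []
    for line in lines:
        flow = parse_flow(line, gne_addrs)
        if flow is None:
            continue
        direction, proto, port, src, dst = flow
        verdict, service = classify((direction, proto, port), mode)
        if verdict != "allowed":
            findings.append((verdict, service, src, dst, f"{port}/{proto}"))
    return findings


# Constructed flow records. 135.1.1.4 is the guide's example SYSTEM address;
# the 10.10.0.x manager addresses are made up for the demonstration.
SAMPLE_FLOWS = [
    "2011-07-01T10:00:00Z src=10.10.0.20 dst=135.1.1.4 proto=tcp dport=22",
    "2011-07-01T10:00:05Z src=10.10.0.20 dst=135.1.1.4 proto=tcp dport=443",
    "2011-07-01T10:01:00Z src=10.10.0.31 dst=135.1.1.4 proto=tcp dport=23",
    "2011-07-01T10:01:10Z src=10.10.0.31 dst=135.1.1.4 proto=tcp dport=3083",
    "2011-07-01T10:02:00Z src=135.1.1.4 dst=10.10.0.20 proto=udp dport=123",
    "2011-07-01T10:02:30Z src=135.1.1.4 dst=10.10.0.20 proto=tcp dport=21",
    "2011-07-01T10:03:00Z src=10.10.0.99 dst=135.1.1.4 proto=tcp dport=8080",
    "2011-07-01T10:04:00Z src=10.10.0.20 dst=10.10.0.21 proto=tcp dport=22",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, {"135.1.1.4"}, mode="secure"):
        print(finding)
```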


    7.4 IPSec tunnel

    If an IPSec tunnel is needed, the feature must be implemented in the front router. This will be a requirement for the router features.

    Rule: 1830PSS Network security level

    It is up to the customer to determine the security level of his network and so to decide if IPSec is required.

    The customer is in charge of its own networks. The 1830PSS product is provided with engineering rules allowing the customer to maintain a high level of security.

    Engineering Guidelines 1: 1830PSS - IPSec tunneling - R

    Alcatel-Lucent recommendation is to implement an IPSec tunnel. The front router must be able to manage IPSec tunneling (this feature is not available on 1830PSS).

    If the management system has to go through an unsecure network between the OMS and the 1830 GNE, IPSec tunneling is highly recommended and the tunneling is to be implemented in the front router.

    The same recommendation applies to the intra area link between the front routers of the GNEs.

    An unsecure network could be the internet domain or a third party network, for instance.


    [Figure: network diagram. Labels: EMS/NMS, Management Centre, Internet, Customer Management network, Customer Aggregation network, Customer Intranet, Customer Emergency Access, Boston LAN, Miami LAN, R1, R2, GNE 1, GNE 2, OSPF area #i (Terminal, Repeater, OADM, OSC). Tunnels shown: "Direct link through IPSEC or GRE tunnel, inside Area #i", "IPSEC or GRE tunnel, for management", "IPSEC tunnel, for management through internet". Legend: optional firewall, mandatory firewall, end/start of tunnel.]

    Fig. 8: IPSEC tunneling

    The figure above describes three uses of tunnels.

    - The first one is to secure the rescue intra-area link between R1 and R2. This allows the extension of the OSPF area and builds a ring with the 1830PSS, R1 and R2 inside the area #i (surrounded in green). Example in appendix.

    - The second one is to secure communications coming through an untrusted network (i.e. the Internet) (orange). A tunnel must be established to cross the unsecured network. Firewalls are mandatory. Typically, these tunnels are set towards the management centre.

    - The third one is to secure the communication channel between R1 and the management centre (blue). In the example, a tunnel is set between the customer LAN and R1; another one is set between the customer LAN and R2. Here there is a tunnel between router/firewall. Firewalls are optional (grey), depending on the security level of each zone. Notice that it is recommended to end the tunnel before crossing a firewall (and reopen it on the other side of the firewall if needed).

    WARNING: This is not a real security diagram. It is here only to introduce IPSec tunnels.


    7.5 Syslog server

    Rule: 1830PSS - Syslog server

    The 1830PSS does not support a syslog server.

    7.6 Hardening advices

    7.6.1 1830PSS

    Some TL1 commands are available for hardening the 1830PSS:

    - SET-ATTR-SECUDFLT

    - SET-ATTR-SECULOG

    - ED-USER-SECU

    We strongly advise using these commands to harden the 1830PSS DCN interface.

    Engineering Guidelines: 1830PSS - SET-ATTR-SECUDFLT R

    SET-ATTR-SECUDFLT:

    MINPIDLEN=10 Minimum password length

    PAGE=30 Default value for password aging in days

    PCND=7 Default number of days to change the password after PAGE.

    PCNN=3 Default number of logins with aged password after PAGE

    POINT=180 Default value for password obsolescence in days

    MINITVL=15 Default value for minimum interval in seconds between two invalid login attempts.

    MXINV=3 Max Invalid Attempts, indicates the maximum number of consecutive invalid login attempts (regardless of time interval or number of sessions), before an NE shall logout a user and lockout the user channel.

    TMOUT=15 Default number of minutes of inactivity before closing session

    KMINTVL=0 Keep Alive Message Interval, not activated (not implemented in 1830PSS)

    SECACC=SECURE Secure / unsecure mode

    For more details about the SET-ATTR-SECUDFLT command, read the document ref Error! Reference source not found.
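One way to check a node's security defaults against the guideline values above, as an added example that is not part of the Alcatel-Lucent guide. The comma-separated NAME=VALUE input, the >=/<= reading of each value and the treatment of 0 as "disabled" are assumptions of this example, and both sample strings are constructed.

```python
# Recommended values from the SET-ATTR-SECUDFLT guideline. The ">=" / "<="
# direction is this example's reading of which side is weaker (assumption).
BASELINE = {
    "MINPIDLEN": (">=", 10), "MINITVL": (">=", 15),
    "PAGE": ("<=", 30), "PCND": ("<=", 7), "PCNN": ("<=", 3),
    "POINT": ("<=", 180), "MXINV": ("<=", 3), "TMOUT": ("<=", 15),
    "SECACC": ("==", "SECURE"),
}
# Assumption: 0 switches these features off, so 0 is reported as a deviation.
ZERO_DISABLES = {"PAGE", "POINT", "MXINV", "TMOUT"}


def parse_params(text):
    """Parse 'NAME=VALUE,NAME=VALUE' into a dict keyed by upper-case name."""
    params = {}
    for item in filter(None, (p.strip() for p in text.split(","))):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"not NAME=VALUE: {item!r}")
        params[name.strip().upper()] = value.strip()
    return params


def audit(text):
    """Return sorted (parameter, finding) pairs for every deviation."""
    params, findings = parse_params(text), []
    for name, (op, want) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "missing"))
        elif op == "==":
            if raw.upper() != want:
                findings.append((name, f"{raw} != {want}"))
        elif not raw.isdigit():
            findings.append((name, f"not a number: {raw}"))
        elif name in ZERO_DISABLES and int(raw) == 0:
            findings.append((name, "0 treated as disabled"))
        elif (op == ">=" and int(raw) < want) or (op == "<=" and int(raw) > want):
            findings.append((name, f"{raw} violates {op} {want}"))
    return sorted(findings)


# Constructed sample inputs, not captured from a real NE.
RECOMMENDED = ("MINPIDLEN=10,PAGE=30,PCND=7,PCNN=3,POINT=180,"
               "MINITVL=15,MXINV=3,TMOUT=15,KMINTVL=0,SECACC=SECURE")
WEAK = ("MINPIDLEN=6,PAGE=0,PCND=7,PCNN=3,POINT=180,"
        "MXINV=5,TMOUT=60,SECACC=UNSECURE")

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

KMINTVL is left out of the baseline because the guideline marks it as not implemented in the 1830PSS.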


    7.6.2 Router

    Engineering Guidelines: 1830PSS - Router hardening - R

    The security features of the router should be activated: policies, access lists, authentication, encryption.

    7.6.3 Architecture

    Engineering Guidelines: 1830PSS - Firewall - R

    Firewalls can be implemented at the border of a WDM sub-network in order to filter flows going from/to WDM.

    Firewalls must be implemented if the IP flow has to go through unsecure zones.

