
Configuring the Cisco ONS 15304 SDCC and DCN Management Paths

This chapter describes the procedures for configuring the Cisco ONS 15304 to be managed remotely through in-band Synchronous Digital Hierarchy (SDH) regenerator section data communication channel (SDCC) links. This chapter also describes strategies for interfacing to the wide-area data communication network (DCN), which provides management connectivity between management sites and one or more SDH rings.

In this document, the management network within the SDH ring formed from the SDCC links is distinguished from the lower speed management wide-area network referred to as the DCN. The term SDCC refers to the 192 kbps in-band channel formed from overhead bytes D1, D2, and D3. The DCN is a separate, packet-based wide-area network usually based on X.25 or TCP/IP protocols.


Note Multiplex SDCC bytes D4 to D12 are terminated and can be accessed through the LDCCA and LDCCB interfaces on the Cisco ONS 15304. The use of these channels has not been fully standardized, and might not work with other network elements. They can be used in Cisco ONS 15304-only rings in a manner similar to regenerator section data communication channel interfaces.

When the Cisco ONS 15304 is first installed, the SDCC and DCN network interfaces need to be configured and activated to permit remote management. The procedures described in this chapter should be conducted in close physical proximity to the Cisco ONS 15304, as remote management can only be partially configured. If access to the console port is not available, recovery from accidental misconfiguration might be difficult.

Configuration of the Cisco ONS 15304 using a remote modem attached to the console port is a viable alternative, although physical access to the Cisco ONS 15304 might still be required to help isolate fiber connectivity problems during installation if the SDCC interfaces do not come up.


Note For more information on configuring the system, see the Cisco Optical Networking System 15304 Software Configuration Guide available online and on the Documentation CD-ROM.

Background Information

The Cisco ONS 15304 is a Cisco IOS software-based device that is managed principally through IP protocols. The Cisco ONS 15304 also supports connectionless network service (CLNS) protocols for interoperability with "foreign" network elements manufactured by other vendors. The Cisco ONS 15304 supports IP natively, as well as CLNS for compatibility. The support for both IP and CLNS protocol stacks allows the Cisco ONS 15304 to have rich management capabilities afforded by IP protocols, while preserving SDH/GR-253 compatibility with network elements manufactured by other vendors on the same ring.

From an application-layer perspective, the Cisco ONS 15304 is managed using Telnet, Simple Network Management Protocol (SNMP), TFTP, Domain Name System (DNS), and other Internet-based protocols. This IP-oriented management methodology contrasts with traditional SDH/GR-253 based network elements that support only OSI protocols, and which specify the use of CLNS, IS-IS, or ES-IS at the network layer.


Note Unlike SONET ring applications, SDH rings do not need to have Target Identifier Address Resolution Protocol (TARP) enabled. TARP is required primarily for SONET-type applications where TL1 messaging is used.

In order to be compatible, and to allow management traffic to traverse between the Cisco ONS 15304 and foreign network elements manufactured by other vendors, the Cisco ONS 15304 needs to be configured to enable CLNS, so that existing ring management capabilities and traffic are not disrupted. This implies that the SDCC interfaces on the Cisco ONS 15304 need to be configured to run CLNS, as a minimum, under normal circumstances. CLNS can be activated on other interfaces, if desired, but this might not be necessary. The information given in this chapter focuses primarily on setting up CLNS only on the SDCC interfaces.

This chapter describes the process for setting up the management plane network. This network is comprised of three types of interfaces within the Cisco ONS 15304:

The SDCC channels provide an in-band management path within STM-1 fiber rings, of which there are two interfaces, one for each side of the fiber.

The management Ethernet interface is used primarily as a high-speed local access port for craft user access, but could be used to connect to another router to connect to the DCN network.

The serial E1 interfaces, which are normally used for user services, can be redirected and used to carry management traffic instead.

Provisioning the Cisco ONS 15304 to permit remote manageability involves the configuration processes described below. The remaining sections in this chapter are organized according to this series of processes, in the following order:

    1. Enabling CLNS---CLNS packet forwarding and IS-IS and ES-IS routing processes should be started as a first step. A CLNS Network Entity Title (NET) needs to be assigned as part of this process. Without proper CLNS configuration, traffic to other network elements might be disrupted.

    2. Configuring SDCC Interfaces---Two SDCC interfaces are present for the Cisco ONS 15304. Both SDCC interfaces must be configured with Q.921 and CLNS to achieve interoperability with other SDH standards-based network elements. This is usually the first, and most important, step. The Q.921 protocol support and CLNS feature set permit interoperability with other vendors' network elements.

    3. Setting Up IP-over-Connectionless Network Protocol (CLNP) Tunnels---One or more IP-over-CLNP tunnels need to be created to allow IP traffic to be carried within CLNS packets. IP-over-CLNS tunnels can be used wherever CLNS traffic is carried. From the perspective of CLNS, each Cisco ONS 15304 can be seen as a separate IP "island" in a sea of CLNS. The tunnels are links that provide connectivity between the IP islands.

    4. Enabling the Ethernet Management Interface---The Ethernet management port is intended for use as either a craft access port or an attachment to a central office LAN. If using a central office LAN, CLNS or IP must be configured on this port.

    5. Using a Serial E1 Channel as a Management Interface---As an alternate connectivity solution, the serial channels in the Cisco ONS 15304 can be used as a management interface. That is, a serial channel that would otherwise be used for user traffic can be used to carry management traffic. Typically, a single E1 channel terminates on a designated Cisco ONS 15304 serving as a management hub, with IP-over-CLNP tunnels to other Cisco ONS 15304 devices on the ring. The serial E1 channel is treated like any other interface, and can run both IP and CLNS.

    6. Specifying an Access List---As a final step, IP access lists can be established to prevent user traffic from entering the management network, and vice versa. Because access lists vary from one network deployment to another, it is hard to specify the necessary configurations in a way that is sufficiently general for multiple applications. For this reason, this step is described without much detail.

As an alternative strategy, out-of-band management through an asynchronous modem or terminal server is also possible. This management strategy is not discussed here, but might be an option for some applications. The console port can interface to most standard modems, which support the ability to disable the AT command set. In this scenario, the SDCC links and CLNS might still need to be configured to allow traffic to traverse the Cisco ONS 15304 for compatibility.

In situations where only Cisco ONS 15304 routers are present in the SDH ring, it is possible to set up the SDCC network to operate with only IP protocols. Currently, there are no standards governing usage of IP within the SDCC, but IP protocols are supported by the Cisco ONS 15304 using HDLC, PPP, or Q.921 link layers. The SDCC interfaces can be treated like any other IP-capable interface. An IP address can be assigned to an SDCC link. Because IP can be used in its native form, tunneling is not required.


Note Bridging across the SDCC links is also possible, but not recommended at this time due to limited testing.

CLNS must be enabled if any of the other network elements on the SDH/GR-253 ring require CLNS. The process for setting up CLNS on the Cisco ONS 15304 is straightforward, but must be configured carefully. The following steps provide a summary of configurations that work in most applications.


Note For more information on configuring CLNS, see the Cisco CLNS Configuration Guide available online and on the Documentation CD-ROM.

Enabling CLNS

As a first step, CLNS needs to be enabled on the Cisco ONS 15304. This process involves turning on CLNS routing together with the IS-IS and ES-IS routing processes. The Network Entity Title (NSAP address + N-Selector) must also be specified. This NET typically uses the MAC address of the management Ethernet interface (Ethernet 0) as the system ID. The configuration process is described below.

After typing each of the following commands, press the Enter key:

Step 1 Log in to the Cisco ONS 15304 at the ONS> prompt and enter the username and password when prompted:

login
 

Step 2 Enter configuration mode:

configure terminal
 

Step 3 Activate CLNS routing:

clns routing
 

Step 4 Activate IS-IS routing:

router isis
 

Step 5 Specify the Network Entity Title (NET) that will be used by the IS-IS routing process:

net (40-byte-nsap-and-n-selector)
 

Step 6 Exit configuration mode:

exit
 

For more information about other configuration options for CLNS, refer to Part 3 of the Cisco Network Protocols Configuration Guide.

Configuring SDCC Interfaces

Before any management traffic can traverse the SDCC links embedded in the STM-1 overhead, the SDCC interfaces must be configured and activated. By default, these interfaces are turned off, and must be activated. In most standard SDH applications, the Q.921 protocol must be configured in Acknowledge Information Transfer Mode (AITS), which is a reliable data link layer protocol.

After typing each of the following commands, press the Enter key:

Step 1 Log in to the Cisco ONS 15304 at the ONS> prompt and enter the username and password when prompted:

login
 

Step 2 Enter configuration mode:

configure terminal
 

Step 3 Configure the section DCC interface connected to SAM A:

interface SDCCA 0
 

Step 4 Enable Q.921 encapsulation with the specified local operating mode:

encapsulation q921 <network | user> clns
 

If the remote end of the SDCC link is running in "user" mode, the local side should be running in "network" mode, and vice versa.

Step 5 Activate CLNS routing on the SDCC interface:

clns router isis
 

Step 6 (Optional) Adjust the CLNS maximum transmission unit (MTU) size, if necessary:

clns mtu 512
 

See the discussion that follows this procedure about setting the CLNS MTU to no larger than the Q.921 I-Frame size parameter given by N201.

Step 7 Turn on the interface:

no shutdown
 

Step 8 Exit configuration mode:

exit
 

Repeat Step 4 through Step 7 for the section DCC interface that terminates on SAM B. This interface is referred to as "SDCCB," and the instance number for the interface remains set to the value 0 (for example, interface SDCCB 0).

It might be necessary to tune the MTU size for optimum performance. Some network elements on the SDH ring might have limitations and might require a setting smaller than the default value of 1500 bytes. If you choose to set the CLNS MTU, set it to a value no greater than the Q.921 N201 maximum I-Frame size parameter. As a general rule, configure CLNS MTU equal to Q.921 N201. Generally, you will not need to configure interface MTU, as the default value 1500 is usually sufficient. If you still decide to configure interface MTU, ensure that the following holds true:

CLNS MTU <= Q.921 N201 <= interface MTU


Note <= means less than or equal to.

Setting Up IP-over-CLNP Tunnels

The Cisco ONS 15304 supports a tunneling mode in which an IP packet can be encapsulated within a CLNP packet, sent across a CLNS network, and then restored at the tunnel destination, to recover the original IP packet. The IP-over-CLNP tunnel is a virtual interface named CTunnel that must be established before IP communication can commence across a CLNS network. Like other tunnels, a CTunnel can be viewed as a point-to-point link. The CTunnels are normally established between the following devices:

Figure 4-1 illustrates how CTunnels can be used to provide connectivity between IP islands within a CLNS network.


Figure 4-1: Using CTunnels to Provide IP Connectivity


Several steps are necessary when configuring an IP-over-CLNP tunnel. The steps involve:

The NSAP address specifies where the tunnel terminates, and where the IP packet is extracted.

After typing each of the following commands, press the Enter key:

Step 1 Log in to the Cisco ONS 15304 at the ONS> prompt and enter the username and password when prompted:

login
 

Step 2 Enter configuration mode:

configure terminal
 

Step 3 Create an IP-over-CLNP tunnel:

interface CTunnel tunnel-id
 

Interface numbering always begins with the number 0, so the first instance of the virtual interface is always 0. The interface number must be incremented for each unique tunnel.

Step 4 Specify the destination NSAP address of the tunnel:

ctunnel destination remote-NSAP-address
 

This address specifies where the tunnel ends, and where the IP packet is extracted.

Step 5 Assign an IP address to the tunnel and specify the NSAP address of the remote tunnel endpoint:

ip address interface-address subnet-mask
 

Step 6 Activate the interface:

no shutdown
 

This step is not required, as the virtual interfaces automatically come up in the active state when created.

Step 7 Exit configuration mode:

exit
 

Multiple tunnels can be created to provide broader and more robust connectivity. For each new tunnel, the interface number must be incremented to guarantee it is unique.

Enabling the Ethernet Management Interface

The Cisco ONS 15304 supports an Ethernet port that is used to support management activities.


Note For more information on configuring Ethernet, see the Cisco IOS Network Protocols Configuration Guide.

After typing each of the following commands, press the Enter key:

Step 1 Log in to the Cisco ONS 15304 at the ONS> prompt and enter the username and password when prompted:

login
 

Step 2 Enter configuration mode:

configure terminal
 

Step 3 Configure the management Ethernet port:

interface Ethernet 0
 

Step 4 Assign an IP address to the management Ethernet interface:

ip address interface-address subnet-mask
 

Step 5 (Optional) Activate the interface:

no shutdown
 

This step is not required, because the virtual interfaces automatically come up in the active state when created.

Step 6 Exit configuration mode:

exit

Using a Serial E1 Channel as a Management Interface

The SDH version of the Cisco ONS 15304 supports up to 21 E1 channels, of which one or more can be used to carry management traffic. These E1 channels are normally used to carry user traffic, but can be used for management traffic in instances where network elements do not interoperate adequately, or where more management bandwidth is required.

For example, a serial channel can be used to extract management traffic from an SDH ring instead of using a separate out-of-band path. In this case a serial E1 channel terminates at the Cisco ONS 15304, and the Cisco ONS 15304 can be designated as a gateway for extracting and inserting traffic into the SDH ring. Figure 4-2 illustrates an example of how the serial channels can be used for management traffic.


Note The serial channel used for management purposes has the same level of path protection (UPSR) as normal user channels.

Figure 4-2: Using a Serial Channel to Extract Management Traffic


The serial E1 interface is treated as another routable interface within the system. In most cases, the serial channel is configured to run IP, but it could be configured to run CLNS as well. The following instructions explain how to drop-terminate a channel and configure it for IP operation. CLNS can be configured on the serial interface in the same manner as the SDCC interfaces, but this configuration mode is not described here.

After typing each of the following commands, press the Enter key:

Step 1 Log in to the Cisco ONS 15304 at the ONS> prompt and enter the username and password when prompted:

login
 

Step 2 Enter configuration mode:

configure terminal
 

Step 3 Activate the STM-1 optical interface and the associated VC-4:

ine enter stm1 ab admin is
ine enter vc4 vc4-id path-type drop admin is

If the STM-1 and VC-4 have already been created, these two steps are not necessary. The STM-1 and VC-4 must be in the in-service state.

Step 4 Terminate the VC-12 and cross-connect it to the serial E1 interface:

ine enter vc12 vc12-id path-type drop admin is
ine enter seriale1 ser-id admin is
ine enter crs seriale1 ser-id vc12 vc12-id

Step 5 Enter interface configuration mode for the serial interface:

interface seriale1 ser-id
 

Step 6 Assign an IP address and activate the selected interface:

ip address interface-address subnet-mask
no shutdown
 

Step 7 Exit configuration mode:

exit

Note The serial E1 entered using the ine enter seriale1 and the ine enter crs commands must have the same interface number as the serial E1 that was entered using the interface seriale1 command.

If a serial channel is used as a management channel, Cisco highly recommends using access lists to restrict user traffic from entering the serial channel. If access to the serial channel is not restricted, congestion might occur, along with a possible breach of security between the user and management plane networks. You can use Cisco security features to protect all management plane interfaces.

Providing an Access List

After interfaces and network layers are configured, access lists should be specified to prevent traffic from the user payload interfaces from entering the management interfaces and vice versa. Access lists help ensure that no unauthorized traffic is routed between the user and management planes of the network.

To define a standard IP access list, use the following command in global configuration mode:

access-list access-list-number {deny | permit} source [source-wildcard]
 

To define an extended IP access list, use the following command in global configuration mode:

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]
 

After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. When controlling access to an interface, you can use a name or number.

To apply an access list to an interface, use the following command in interface configuration mode:

ip access-group {access-list-number | name} {in | out}
 

For inbound access lists, after receiving a packet, the Cisco ONS 15304 router software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.

When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.


Note For more information on configuring access lists, refer to the Cisco IOS Network Protocols Configuration Guide.
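
The following audit script is an added example, not part of the original Cisco documentation. It parses a constructed IOS-style configuration and flags IP interfaces with no access group, access groups that reference an undefined access list (which, as described above, accept all packets), and a CLNS MTU larger than the Q.921 N201 value from the SDCC section. The function names, sample addresses, and ACL numbers are assumptions, and N201 is passed in as a parameter because this chapter shows no command for it.

```python
import re

# Constructed sample configuration (not from the original page); the
# addresses, ACL numbers and interface numbers are illustrative only.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
interface Ethernet 0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 10 in
interface SDCCA 0
 encapsulation q921 network clns
 clns router isis
 clns mtu 1500
interface CTunnel 0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 20 in
interface seriale1 3
 ip address 203.0.113.1 255.255.255.252
"""

def parse(config):
    """Return (set of defined ACL ids, {interface name: [sub-commands]})."""
    acls, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) (deny|permit)\b", line)
        if m:
            acls.add(m.group(1))
        if raw.startswith("interface "):
            current = ifaces.setdefault(line[len("interface "):], [])
        elif raw.startswith(" ") and current is not None:
            current.append(line)  # indented line belongs to the open interface
        else:
            current = None        # any other global line closes the interface
    return acls, ifaces

def audit(config, n201):
    """Flag missing or undefined IP access groups and CLNS MTU > N201."""
    acls, ifaces = parse(config)
    findings = []
    for name, cmds in ifaces.items():
        groups = [c.split()[2] for c in cmds if c.startswith("ip access-group ")]
        if any(c.startswith("ip address ") for c in cmds) and not groups:
            findings.append((name, "no ip access-group applied"))
        for g in groups:
            if g not in acls:  # undefined list: the software accepts all packets
                findings.append((name, f"access list {g} is undefined: all packets accepted"))
        for c in cmds:
            if c.startswith("clns mtu ") and int(c.split()[2]) > n201:
                findings.append((name, f"CLNS MTU {c.split()[2]} exceeds Q.921 N201 {n201}"))
    return findings

if __name__ == "__main__":
    for name, msg in audit(SAMPLE_CONFIG, n201=512):
        print(f"{name}: {msg}")
```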

Posted: Wed Feb 23 16:01:23 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.