Cisco Systems 15310-MA Security

CHAPT ER

5-1

Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2

78-19417-01

5

Security

This chapter provides information about Cisco ONS 15310-MA SDH user security. To provision

security, refer to the Cisco ONS 15310-MA SDH Procedure Guide.

Chapter topics include:

• 5.1 Users IDs and Security Levels, page 5-1

• 5.2 User Privileges and Policies, page 5-2

• 5.3 Audit Trail, page 5-7

• 5.4 RADIUS Security, page 5-8

5.1 Users IDs and Security Levels

A CISCO15 user ID is provided with the ONS 15310-MA SDH for use with initial login. Use this ID to

set up other ONS 15310-MA SDH user IDs. (For instructions, see the “Turn Up a Node” chapter in the

Cisco ONS 15310-MA SDH Procedure Guide.)

Note Cisco Transport Controller (CTC) does not display the CISCO15 user ID when you log in.

An ONS 15310-MA SDH node can support up to 500 user IDs. Each CTC or Transaction Language 1

(TL1) user ID can be assigned one of the following security levels:

• Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.

• Maintenance—Users can access only the ONS 15310-MA SDH maintenance options.

• Provisioning—Users can access provisioning and maintenance options.

• Superuser—Users can perform all of the functions of the other security levels as well as set names,

passwords, and security levels for other users.

By default, multiple concurrent user ID sessions are permitted on the node; that is, multiple users can

log into a node using the same user ID. However, you can provision the node to allow only a single login

per user ID and prevent concurrent logins for all users.

See Table 5-3 on page 5-6 for idle user timeout information for each security level.

Contents

Main Cisco ONS 15310-MA SDH Reference Manual Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Revision History Document Objectives Audience Related Documentation Document Conventions xxiv xxv Page xxvii Page Obtaining Optical Networking Information Where to Find Safety and Warning Information Cisco Optical Networking Product Documentation CD-ROM Obtaining Documentation and Submitting a Service Request Page Cisco ONS 15310-MA SDH Shelf Assembly Hardware 1.1 Installation Overview 1.2 Rack Installation 1.2.1 Mounting Brackets 1.2.2 Mounting a Single Node 1.2.3 Mounting Multiple Nodes 1.3 Electrical Interface Assemblies 1-6 Chapter 1 Cisco ONS 15310-MA SDH Shelf Assembly Hardware Front Door Figure 1-3 High-Density EIA Connectors 1.4 Front Door 1.5 Rear Cover 1.6 Power and Ground Description Page Page 1.7 Shelf Temperature 1.8 Cable Description and Installation 1.8.1 Cabling Types Page 1-12 Statement 1084 1.8.2 Fiber Cable Installation 1.8.3 Coaxial Cable Installation 1.8.4 E1 Cable Installation Page Page 1.8.5 Alarm Cable Installation Page 1.8.6 BITS Cable Installation 1.8.7 UDC Cable Installation 1.9 Cable Routing and Management 1.9.1 Standard Cable Management Bracket 1.9.2 Extended Cable Management Bracket 1.10 Fan-Tray Assembly 1.10.1 Fan Speed and Power Requirements 1.10.2 Fan Failure 1.10.3 Air Filter 1.10.4 Orderwire Page 1.11 Cards and Slots Page Page Card Reference 2.1 Card Summary and Compatibility 2.1.1 Card Summary 2.1.2 Card Compatibility 2-4 2.2 15310E-CTX-K9 Card 2.2.1 System Cross-Connect 2.2.2 15310E-CTX-K9 Card Side Switches 2.2.3 15310E-CTX-K9 Optical Interfaces 2.2.4 15310E-CTX-K9 Card-Level Indicators 2.2.5 15310E-CTX-K9 Port-Level Indicators 2.3 CE-100T-8 Card 2-7 Figure 2-3 CE-100T-8 Faceplate and Block Diagram CE-100T-8 2.3.1 CE-100T-8 Card-Level Indicators 2.3.2 CE-100T-8 Port-Level Indicators 2.4 CE-MR-6 Card Page 2-11 CE-MR-6 Card Figure 2-4 shows the CE-MR-6 card faceplate and block diagram. Figure 2-4 CE-MR-6 Faceplate and Block Diagram CE-MR-6 2.5 ML-100T-8 Card 2.5.1 ML-100T-8 Card Description 2.5.2 ML-Series Cisco IOS CLI Console Port 2-14 ML-100T-8 Card Figure 2-6 shows the ML-100T-8 card faceplate and block diagram. Figure 2-6 ML-100T-8 Card Faceplate and Block Diagram ML-100T-8 2.5.3 ML-100T-8 Card-Level Indicators 2.5.4 ML-100T-8 Port-Level Indicators 2.6 E1_21_E3_DS3_3 and E1_63_E3_DS3_3 Cards 2-17 E1_21_E3_DS3_3 and E1_63_E3_DS3_3 Cards 29-56 59-65 2.6.1 E1_21_E3_DS3_3 and E1_63_E3_DS3_3 Card-Level Indicators The E1_21_E3_DS3_3 and E1_63_E3_DS3_3 cards have three card-level LED indicators (Table 2-10). 1-28 2.7 Filler Cards 2.8 SFP Modules 2.8.1 Compatibility by Card 2.8.2 SFP Description 2.8.3 PPM Provisioning Card Protection 3.1 Overview 3.2 ONS 15310-MA SDH Card and Port Protection 3.2.1 1:1 Electrical Card Protection Page 3.2.2 .LMSP Optical Port Protection 3.2.3 .15310E-CTX-K9 Card Equipment Protection 3.3 Automatic Protection Switching 3.4 External Switching Commands Page Cisco Transport Controller Operation 4.1 CTC Software Delivery Methods 4.1.1 CTC Software Installed on the 15310E-CTX-K9 Card 4.1.2 CTC Software Installed on the PC or UNIX Workstation 4.2 CTC Installation Overview 4.3 PC, UNIX and Mac Workstation Requirements Page 4.4 ONS 15310-MA SDH Connection 4.5 CTC Login 4.6 CTC Window 4.6.1 Node View 4.6.1.1 CTC Card Colors Page 4.6.1.2 Node View Card Shortcuts 4.6.1.3 Node View Tabs 4.6.2 Network View 4.6.2.1 CTC Node Colors 4.6.2.2 Network View Tabs 4.6.2.3 DCC Links 4.6.2.4 Link Consolidation 4.6.3 Card View 4.6.4 Print and Export CTC Data 4.7 Using the CTC Launcher Application to Manage Multiple ONS Nodes 4-17 Page 4.8 Common Control Card Reset 4.9 Traffic Card Reset 4.10 Database Backup 4.11 Software Revert Security 5.1 Users IDs and Security Levels 5.2 User Privileges and Policies 5.2.1 User Privileges by CTC Action Page Page 5.2.2 Security Policies 5.2.2.1 Superuser Privileges for Provisioning Users 5.2.2.2 Idle User Timeout 5.2.2.3 User Password, Login, and Access Policies 5.3 Audit Trail 5.3.1 Audit Trail Log Entries 5.3.2 Audit Trail Capacities 5.4 RADIUS Security 5.4.1 RADIUS Authentication 5.4.2 Shared Secrets Page Page Timing 6.1 Timing Parameters 6-2 recommend its use because it can create timing loops. Use mixed timing mode with caution. 6.2 Network Timing 6.3 Synchronization Status Messaging Page Page Circuits and Tunnels 7.1 Overview 7.2 Circuit Properties 7.2.1 Circuit Status 7.2.2 Circuit States 7.2.3 Circuit Protection Types 7.2.4 Circuit Information in the Edit Circuits Window Page 7.3 VC-12 Bandwidth 7.4 VC Low-order Path Tunnels and Aggregation Points 7.5 DCC Tunnels 7.5.1 Traditional DCC Tunnels 7.5.2 IP-Encapsulated Tunnels 7.6 Subnetwork Connection Protection Circuits 7.6.1 Open-Ended Subnetwork Connection Protection Circuits 7.6.2 Go-and-Return Subnetwork Connection Protection Routing 7.7 Virtual Concatenated Circuits 7.7.1 VCAT Circuit States 7.7.2 VCAT Member Routing 7.7.3 Link Capacity Adjustment 7.7.4 VCAT Circuit Size 7.7.5 Open-Ended VCAT 7.7.5.1 Open-Ended VCAT Protection 7.8 Section and Path Trace 7.9 Bridge and Roll 7.9.1 Rolls Window 7.9.2 Roll Status 7.9.3 Single and Dual Rolls Page 7.9.4 Two-Circuit Bridge and Roll 7.9.5 Protected Circuits 7.10 Merged Circuits 7.11 Reconfigured Circuits 7.12 Server Trails 7.12.1 Server Trail Protection Types 7.12.2 VCAT Circuit Routing over Server Trails 7.12.2.1 Shared Resource Link Group Page Management Network Connectivity 8.1 IP Networking Overview 8.2 IP Addressing Scenarios 8.2.1 Scenario 1: CTC and ONS 15310-MA SDH Nodes on the Same Subnet 8.2.2 Scenario 2: CTC and ONS 15310-MA SDH Nodes Connected to a Router 8.2.3 Scenario 3: Using Proxy ARP to Enable an ONS 15310-MA SDH Gateway Page 8-6 8.2.4 Scenario 4: Default Gateway on CTC Computer 8.2.5 Scenario 5: Using Static Routes to Connect to LANs 8-8 The destination and subnet mask entries control access to the ONS 15310-MA SDH nodes: as the destination with a subnet mask of 255.255.255.255. 192.168.1.0) and a subnet mask of 255.255.255.0. 8-9 8.2.6 Scenario 6: Using OSPF Page 8.2.7 Scenario 7: Provisioning the ONS 15310-MA SDH Proxy Server Page Page 8-14 Page 8.3 Routing Table Page 8.4 External Firewalls Page 8.5 Open GNE 8-21 8-22 8.6 TCP/IP and OSI Networking 8.6.1 Point-to-Point Protocol 8.6.2 Link Access Protocol on the D Channel 8.6.3 OSI Connectionless Network Service Page 39.840F.80.000000.0000.0000.0000.xxxxxxxxxxxx.00 8.6.4 OSI Routing 8.6.4.1 End System-to-Intermediate System Protocol 8.6.4.2 Intermediate System-to-Intermediate System Protocol 8.6.5 TARP 8.6.5.1 TARP Processing 8.6.5.2 TARP Loop Detection Buffer 8.6.5.3 Manual TARP Adjacencies 8.6.5.4 Manual TID to NSAP Provisioning 8.6.6 OSI Virtual Routers 8.6.7 IP-over-CLNS Tunnels 8.6.7.1 Provisioning IP-over-CLNS Tunnels 8.6.7.2 IP Over CLNS Tunnel Scenario 1: ONS Node to Other Vendor GNE 8.6.7.3 IP-Over-CLNS Tunnel Scenario 2: ONS Node to Router Page 8.6.7.4 IP-Over-CLNS Tunnel Scenario 3: ONS Node to Router Across an OSI DCN Page 8.6.8 Provisioning OSI in CTC 8.7 IPv6 Network Compatibility 8.8 IPv6 Native Support 8.8.1 IPv6 Enabled Mode 8.8.2 IPv6 Disabled Mode 8.8.3 IPv6 in Non-secure Mode 8.8.4 IPv6 in Secure Mode 8.8.5 IPv6 Limitations 8.9 FTP Support for ENE Database Backup SDH Topologies and Upgrades 9.1 Subnetwork Connection Protection Configurations 9.1.1 Subnetwork Connection Protection Bandwidth 9.1.2 Subnetwork Connection Protection Application Example 9.2 Terminal Point-to-Point and Linear ADM Configurations 9.3 Interoperability 9.3.1 Subtending Rings 9-5 Figure 9-6 shows a ring of ONS 15310-MA SDH nodes subtended from a ring of ONS 15454 nodes. 9.3.2 Linear Connections 9.4 Path-Protected Mesh Networks Page 9.5 Four Node Configurations 9.6 STMN Speed Upgrades 9.6.1 Span Upgrade Wizard 9.6.2 Manual Span Upgrades 9.7 Overlay Ring Circuits Page Alarm Monitoring and Management 10.1 Overview 10.2 Viewing Alarms Page 10.2.1 Viewing Alarms With Each Nodes Time Zone 10.2.2 Controlling Alarm Display 10.2.3 Filtering Alarms 10.2.4 Viewing Alarm-Affected Circuits 10.2.5 Conditions Tab 10.2.6 Controlling the Conditions Display 10.2.6.1 Retrieving and Displaying Conditions 10.2.6.2 Conditions Column Descriptions 10.2.6.3 Filtering Conditions 10.2.7 Viewing History 10.2.7.1 History Column Descriptions 10.2.7.2 Retrieving and Displaying Alarm and Condition History 10.2.8 Alarm History and Log Buffer Capacities 10.3 Alarm Severities 10.4 Alarm Profiles 10.4.1 Creating and Modifying Alarm Profiles 10.4.2 Alarm Profile Buttons 10.4.3 Alarm Profile Editing 10.4.4 Alarm Severity Options 10.4.5 Row Display Options 10.4.6 Applying Alarm Profiles 10.5 Alarm Suppression 10.5.1 Alarms Suppressed for Maintenance 10.5.2 Alarms Suppressed by User Command 10.6 External Alarms and Controls 10.6.1 External Alarm Input 10.6.2 External Control Output Performance Monitoring 11.1 Threshold Performance Monitoring Page 11.2 Intermediate-Path Performance Monitoring 11.3 Pointer Justification Count Performance Monitoring 11.4 Performance Monitoring Parameter Definitions Page Page Page Page Page Page Page Page 11.5 Performance Monitoring for Electrical Ports 11.5.1 E1 Port Performance Monitoring Parameters Page 11.5.2 E3 Port Performance Monitoring Parameters 11.5.3 DS3 Port Performance Monitoring Parameters 11-18 11.6 Performance Monitoring for Ethernet Cards 11.6.1 CE-100T-8, CE-MR-6, ML-100T-8 Card Ethernet Performance Monitoring Parameters 11.6.1.1 CE-100T-8, CE-MR-6, and ML-100T-8 Card Ether Ports Statistics Window Page Page 11.6.1.2 CE-100T-8, CE-MR-6, and ML-100T-8 Card Ether Ports Utilization Window 11.6.1.3 CE-100T-8, CE-MR-6, and ML-100T-8 Card Ether Ports History Window 11.6.1.4 CE-100T-8, CE-MR-6, and ML-100T-8 Card POS Ports Statistics Parameters Page 11.6.1.5 CE-100T-8, CE-MR-6, and ML-100T-8 Card POS Ports Utilization Window 11.6.1.6 CE-100T-8, CE-MR-6, and ML-100T-8 Card POS Ports History Window 11.7 Performance Monitoring for Optical Ports 11.7.1 STM1 Port Performance Monitoring Parameters Page 11.7.2 STM4 Port Performance Monitoring Parameters Page 11.7.3 STM16 Port Performance Monitoring Parameters for ONS 15310-MA SDH Page Page Page SNMP 12.1 SNMP Overview 12.2 SNMP Basic Components Page 12.3 SNMP Version Support 12.3.1 SNMPv3 Support 12.4 SNMP Message Types 12.5 SNMP Management Information Bases 12.5.1 IETF-Standard MIBs for the ONS 15310-MA SDH 12.5.2 Proprietary ONS 15310-MA SDH MIBs Page Page Page Page 12.6 SNMP Trap Content 12.6.1 Generic and IETF Traps 12.6.2 Variable Trap Bindings 12.7 SNMPv1/v2 Community Names 12.8 SNMPv1/v2 Proxy Support Over Firewalls 12.9 SNMPv3 Proxy Configuration 12.10 SNMP Remote Monitoring 12.10.1 Ethernet Statistics Group 12.10.1.1 Row Creation in etherStatsTable 12.10.1.2 Get Requests and GetNext Requests 12.10.1.3 Row Deletion in etherStatsTable 12.10.2 History Control Group 12.10.2.1 History Control Table 12.10.2.2 Row Creation in historyControlTable 12.10.2.3 Get Requests and GetNext Requests 12.10.2.4 Row Deletion in historyControl Table 12.10.3 Ethernet History RMON Group 12.10.3.1 64-Bit etherHistoryHighCapacityTable 12.10.4 Alarm RMON Group 12.10.4.1 Alarm Table 12.10.4.2 Row Creation in alarmTable 12.10.4.3 Get Requests and GetNext Requests 12.10.4.4 Row Deletion in alarmTable 12.10.5 Event RMON Group 12.10.5.1 Event Table 12.10.5.2 Log Table Page A Specifications A.1 Cisco ONS 15310-MA SDH Shelf Specifications A.1.1 Alarm Interface A.1.2 UDC Interface A.1.3 Cisco Transport Controller LAN Interface A.1.4 TL1 Craft Interface A.1.5 Configurations A.1.6 LEDs A.1.7 Push Buttons A.1.8 BITS Interface A.1.9 System Timing A.1.10 Power Specifications A.1.11 Environmental Specifications A.1.12 Fan-Tray Assembly Specifications A.1.13 Shelf Dimensions A.2 Card Specifications A.2.1 15310E-CTX-K9 Card A.2.2 Nonvolatile Memory A.2.3 CE-100T-8 and ML-100T-8 Cards A.2.4 CE-MR-6 Card A.2.5 E1_21_E3_DS3_3 and E1_63_E3_DS3_3 Cards Page A.2.6 Filler Cards A.3 SFP Specifications Page Page A.4 Purcell FLX25GT Cabinet Specifications A.4.1 Power Specifications A.4.2 Environmental Specifications A.4.3 ONS 15310-MA SDH OSP Statements A.4.4 ONS 15310-MA OSP configuration Turn off or on AC power in Purcell FLX25GT OSP cabinet Page B Administrative and Service States B.1 Service States B.2 Administrative States B.3 Service State Transitions B.3.1 Card Service State Transitions Page Page B.3.2 Port and Cross-Connect Service State Transitions Page Page Page Page Page Page B.3.3 Pluggable Equipment Service State Transitions Page C Network Element Defaults C.1 Network Element Defaults Description C.2 CTC Default Settings C.3 Cisco ONS 15310-MA SDH Card Default Settings C.3.1 Configuration Defaults C.3.2 Threshold Defaults C.3.3 Defaults by Card C.3.3.1 15310E-CTX-K9 Card Default Settings Page Page Page Page Page Page Page Page Page C.3.3.2 E1_21_E3_DS3_3 Card Default Settings Page Page Page Page Page C.3.3.3 E1_63_E3_DS3_3 Card Default Settings Page Page Page Page Page Page C.3.3.4 Ethernet Card Default Settings C.4 Cisco ONS 15310-MA SDH Node Default Settings Page Page Page Page Page Page Page Page Page C.4.1 Time Zones Page Page Page INDEX Numerics A B C Page D E F G H I J L M N O P R S Page T U V W