Cisco Systems ONS 15327 manual Hitless Software Upgrades, Enable Proxy Server, Firewall

Models: ONS 15327


New Features and Functionality

Proxy Server is a set of three options (checkboxes) in the Provisioning > Network tabs listed under Gateway Settings: Craft Access Only, Enable Proxy and Enable Firewall. These new features can be used individually or in combination. Each is described briefly in the following sections.

Enable Proxy Server

When you select Enable Proxy, a proxy server task is activated on the ONS 15327, causing it to behave in a manner similar to a SOCKS proxy for any other ONS 15327s to which it has a DCC connection. A CTC workstation connected to an ONS 15327 proxy server has CTC visibility to DCC-connected ONS 15327s and ONS 15454s even if there is no direct IP connectivity. The only requirement is that the CTC workstation has connectivity to the ONS 15327 that has proxy server enabled.

Firewall

The Firewall feature can prevent CTC workstations from using an ONS 15327's DCC communications path to access other workstations on the DCN. When Firewall is enabled, unnecessary IP communications are restricted between the ONS 15327's DCC channels and the XTC Ethernet port. The node accomplishes this by discarding craft Ethernet packets not addressed to itself and DCC packets not addressed to itself or to a DCC peer.
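The discard rule above, modelled as a small Python decision function that can serve as an expected-results table when verifying a node with Enable Firewall selected. This is an added example, not Cisco code: the class and function names, the "accept" result when the checkbox is cleared, and all addresses (documentation ranges) are assumptions.

```python
# Added illustration, not Cisco code. Models only the discard rule quoted above.
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class NodeModel:
    node_ip: str                                   # the ONS 15327's own address
    dcc_peers: set = field(default_factory=set)    # addresses of its DCC peers
    firewall: bool = True                          # Enable Firewall checkbox

    def decide(self, ingress: str, dst: str) -> str:
        """ingress: 'craft' (XTC Ethernet port) or 'dcc' (DCC channel)."""
        if ingress not in ("craft", "dcc"):
            raise ValueError(f"unknown ingress {ingress!r}")
        if not self.firewall:
            return "accept"          # assumption: rule inactive when unchecked
        dst_ip = ip_address(dst)
        if dst_ip == ip_address(self.node_ip):
            return "accept"          # addressed to the node itself
        peers = {ip_address(p) for p in self.dcc_peers}
        if ingress == "dcc" and dst_ip in peers:
            return "accept"          # DCC packet addressed to a DCC peer
        return "discard"             # everything else is dropped

def audit(node, cases):
    """Return the (ingress, dst, expected, modelled) rows that disagree."""
    rows = [(i, d, want, node.decide(i, d)) for i, d, want in cases]
    return [r for r in rows if r[2] != r[3]]

# Constructed sample data (RFC 5737 documentation addresses).
NODE = NodeModel("192.0.2.10", {"192.0.2.11", "192.0.2.12"})
CASES = [
    ("craft", "192.0.2.10", "accept"),      # craft port -> the node
    ("craft", "192.0.2.11", "discard"),     # craft port -> a DCC peer
    ("craft", "198.51.100.20", "discard"),  # craft port -> DCN workstation
    ("dcc", "192.0.2.10", "accept"),        # DCC -> the node
    ("dcc", "192.0.2.12", "accept"),        # DCC -> a DCC peer
    ("dcc", "198.51.100.20", "discard"),    # DCC -> DCN workstation
]

if __name__ == "__main__":
    for ingress, dst, want in CASES:
        print(f"{ingress:5} -> {dst:15} {NODE.decide(ingress, dst)}")
    print("mismatches:", audit(NODE, CASES))
```
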

Craft Access Only

In previous releases, when an ONS 15327 XTC card detected an active link on its LAN port, it would advertise a route to other DCC-connected ONS 15327s indicating that all packets with a destination matching its own subnet should be routed to its LAN port. If two or more ONS 15327s were on the same subnet and had active links, multiple routes would result for packets on this subnet. This would cause some packets to be sent to one of the ONS 15327s and others to be sent to another, resulting in loss of connectivity to some of the nodes in CTC. In previous releases, this behavior could be prevented by entering a static host route in the ONS 15327 with the connected CTC workstation as its destination.

The Craft Access Only feature allows multiple CTC sessions to ONS 15327s that are all on the same subnet, without the need to enter static host routes. When the feature is enabled, the ONS 15327 will not advertise routes to other 15327s to which it has DCC connectivity. The ONS 15327 will only send packets for the connected CTC workstation through its LAN port. Other packets arriving from or being sent to other DCC-connected nodes will be routed as though the CTC workstation is not connected.

Hitless Software Upgrades

Software upgrades from a previous release to Release 3.3 can be accomplished with no bit errors on traffic traversing or terminating in the ONS 15327 outside of the standard thresholds for hitless provisioning (60ms). The exception to this capability is the E-series Ethernet cards. Due to the necessary topology change observed by the software during an XTC reset, and subsequent spanning tree re-convergence, E-series cards do not pass traffic from the time of the active XTC reset (during activation) until the E-series cards reboot, plus approximately 30 to 45 seconds for spanning tree re-convergence. The total down time for E-series Ethernet traffic is approximately five minutes.

Note: G-series Ethernet cards operate at layer one and do not lose traffic during an upgrade.

Release Notes for Cisco ONS 15327 Release 3.3

 

OL-2671-01
