
Title page

Alcatel-Lucent 1830
PHOTONIC SERVICE SWITCH (PSS) | Release 3.6.0 and
3.6.1
DATA COMMUNICATIONS NETWORK (DCN) PLANNING GUIDE
8DG60888RAAA
Issue 1
July 2011
Legal notice
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective
owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright 2011 Alcatel-Lucent. All rights reserved.
Notice
Every effort has been made to ensure that the information in this document is complete and accurate at the time of printing. However, information is subject
to change.
This manual applies to Alcatel-Lucent 1830 PSS.
Documentation support
Please contact your Technical Support Services (TSS) team.



Alcatel-Lucent 1830 PSS Data Communication Page 3 of 47
Network (DCN) Planning Guide Guide
8DG60888RAAA Release 3.6.0 and 3.6.1
Issue 1 July 2011
Table of Contents
1 ABOUT THIS DOCUMENT ... 4
1.1 Document conventions ... 5
2 INTRODUCTION ... 7
2.1 The 1830 PSS management network ... 7
2.2 Networks overview ... 9
2.3 The GMPLS network ... 11
3 1830 IP ARCHITECTURE ... 12
3.1 NE IP architecture ... 12
3.2 Network IP architecture ... 16
3.3 IP networks summary of a 1830PSS ... 21
4 PHYSICAL NETWORK DESCRIPTION ... 24
4.1 1830 PSS boards ... 24
5 BUILDING 1830PSS DCN NETWORKS ... 28
5.1 Single OSPF area ... 30
6 NETWORK REQUIREMENTS ... 34
6.1 External routers ... 34
6.2 Time management ... 36
6.3 Address plan ... 36
7 SECURITY ... 39
7.1 Use RADIUS for user identification ... 39
7.2 Secure/unsecure mode ... 39
7.3 Firewall configuration, list of protocols/ports ... 42
7.4 IPSec tunnel ... 44
7.5 Syslog server ... 46




1 About this document
This document applies to 1830PSS R3.6.x.
It presents the global architecture of the 1830 PSS management network and details the engineering
rules to apply for network design and during installation.
1830 PSS nodes belong to a WDM sub-network.
A WDM sub-network is composed of several NEs inter-connected via OTS physical connections.
It corresponds to a tuning entity; there is 3R regeneration at the border of a WDM sub-network.
PSS1/PSS4 can be considered as extensions of the nodes to which they are connected, and they also
belong to the same WDM sub-network.
External devices directly connected to a 1830PSS also belong to the WDM sub-network.
The DCN of a 1830PSS WDM sub-network relies on the OSPF routing protocol.
Other boxes of the network (for example 1850TSS, 1678, 1660) can run another routing protocol,
and we strongly suggest that they belong to another routing domain.








1.1 Document conventions
Within this document, the following conventions are used.
Product rules are presented as follows. They describe what is supported and what is not:
Rule: <Domain> <Name> (<Nature>)
Rule 1: Rule format presentation
Engineering guidelines are presented as follows. They are recommendations for getting the best
out of the product and/or network within the supported space:
Engineering Guidelines: <Domain> <Name> (<Nature>)
The rule is always written in bold.
Justification and/or examples are always written in italic.
Guideline 1.1-1: Guideline format presentation
Restrictions are presented as follows. They typically cover cases where the behaviour is not as
predicted or not as described in the standards:
Restriction: <Domain> <Name> (<Nature>)
Customer inputs, which point to the high-level information required to implement the associated
network design, are presented as follows:
Network Design: <Domain> <Name> (<Nature>)
where:
<Domain>: identifies the Node, Network Element or Interface to which it is applicable (e.g.
LR, OADM)
<Name>: gives a title to the rule
<Nature>: indicates the root cause for it (see Table 1: Meaning of <Nature>)




<Nature> (Short Name) | <Nature> (Long Name) | Meaning
HC | Hard Coded | Either hardware or software is responsible for this.
M | Mandatory | No control, but must be followed for the system to operate properly in a supported environment.
S | Standard | Required by a standard.
D | Design | Mainly for restrictions, when related to design.
T | Test | Mainly for restrictions, when related to tests.
R | Recommended (Optional) | No control and not mandatory, but recommended for:
  - Design: to follow good network design basics and principles.
  - Availability: to ensure network robustness.
  - Performance: to provide an optimized usage of resources.
  - Security: to secure the network against potential attacks.
  - Operations: to offer better operational effectiveness for site or network extension, upgrade or reconfiguration.
Table 1 : Meaning of <Nature>



2 Introduction
2.1 The 1830 PSS management network
The following figure depicts a 1830 network and its associated management network, consisting of
managers and the DCN (Data Communication Network).
Management information and control from the Operations System (OS) is carried from one NE to the
other over the internal 1830 PSS network via the Optical Supervisory Channel (OSC). Management
communication can also be carried over the GCC; this is a necessary design feature for the 1830 PSS
because of the expected support for the 1830 PSS-1 Edge Device, a.k.a. the Small Pizza-Box (SPB). The
following figure shows the high-level management overview.



[Figure: FTP servers and the NMS connect through the management DCN to a 1830 GNE; the 1830-PSS
network reaches the 1830 RNEs and a remotely managed IP device]
Fig. 1 - 1830PSS Network Management Overview

The remotely managed device, as shown in the above figure, can be an IP device co-located with
the 1830 NE (e.g. a Raman amplifier) connected via the extension LAN, or it can be the
1830 PSS-1 Edge Device, which connects to the 1830 PSS over the GCC. Connection over the GCC is
illustrated in the following figure:




[Figure: the NMS reaches NE2 (135.1.1.2/32) and the GNE NE3 (135.1.1.3/32) over the OSC; PSS-1
Edge Devices 135.10.10.1/32 to 135.10.10.8/32 hang off them over PPP-GCC 1 and PPP-GCC 1, 2, 3]
Fig. 2 - 1830PSS Communicating with PSS-1 Edge Device over the GCC
The basic communications network architecture for the 1830 PSS-32 includes all LAN interfaces,
OSC interfaces, and GCC interfaces. LAN interfaces include the OAMP, VoIP, E1, E2, CIT, and
Extension Shelf (ES) connections. The OSC interfaces can vary from one up to 20, one for each
degree. The OSC carries node-to-node communication, sharing of OSPF LSAs, Wave Tracker keys,
SCOT messages, etc.
The GCC interfaces can vary from 1 up to 32, depending on the number of supported OTs that are
provisioned for GCC0 termination. GCC0 terminations on the 1830 PSS-32 system are supported by
the 11STAR1 (client port), 11STMM10 (client port), 4DPA4 (line port), 11DPE12, PSS1GBE, PSS1MD4,
11QPA4, 11DPE12E and 11DPM12 OTs. The other end of this 11STAR1 OT is the 1830 PSS-1 Edge Device.

Engineering Guidelines: 1830 PSS1/PSS4 specific rule for GCC - R
A GCC channel can transport the management flow of up to 16 NEs (typically
PSS1/PSS4) serially connected via GCC.
(See previous picture.)






The full gamut of the communications network sizing architecture is shown in the following figure:

[Figure: the NMS reaches the 1830-PSS network (GNE 135.1.1.1/32 and N2 to N8, 135.1.1.2/32 to
135.1.1.8/32, linked over OSC and 192.168.1.x/30 subnets); a co-located SNMP-managed external
device sits on the E1-LAN (135.50.10.1/30 and 135.50.10.2/30); a PSS1 network of 135.10.10.1/32 to
135.10.10.8/32 hangs off over PPP-GCC 1 and PPP-GCC 1, 2, 3]
Fig. 3 Complete Management View with PSS and PSS-1
2.2 Networks overview
The 1830PSS is not standalone equipment; it is part of a WDM sub-network. Its communications,
internal and external, are IP based, and it has to be managed through an IP network.
A 1830 network mainly includes three kinds of equipment, built from the same boards and shelves
but with different functions:
- Line terminal
- OADM (ROADM, TOADM, FOADM)
- ILA (In Line Repeater)
Each 1830 NE can be configured as a GNE (Gateway Network Element) to provide access from
the DCN to all the NEs on the optical network.
They can be installed following three topologies:




Linear architecture:
At least the two NEs terminating the line must be configured as GNEs, providing redundancy for
management access to the other intermediate NEs.

Fig. 3 1830 Linear architecture
Ring architecture:
At least 2 distinct NEs can be chosen to function as GNEs to provide redundant access to the WDM
sub-network.

Fig. 4 1830 Ring architecture
[Figure labels for Fig. 3 and Fig. 4: ILA, OADM, OADM as GNE, Line Terminal as GNE]



Meshed architecture:
This kind of architecture may lead to isolated NEs, which must nevertheless remain accessible for
management. It needs more than two GNEs for redundancy.
Example below: on failure of the optical link between them and their neighbour, the two WDM
Terminals remain reachable for management.

[Figure labels: ILA, OADM, OADM as GNE, TOADM, Line Terminal as GNE]
Fig. 5 1830 Meshed architecture

2.3 The GMPLS network
GMPLS (Generalized Multi Protocol Label Switching) is not the subject of this document, but from
the 1830PSS network point of view it is one of the main functions of the 1830. This chapter recalls
some basic information about GMPLS because the DCN design cannot be done without taking
some GMPLS network constraints into account.
GMPLS applies in the 1830PSS on PSS36/32/16. It does not apply to PSS1/4. The visible part is the
control plane. Through the DCN, orders can be sent to the control plane, which is then able to
manage the photonic routing and switching and convert an input wavelength on an incoming
interface to an output wavelength on an outgoing interface.

GMPLS in 1830PSSLM provides:
- Path provisioning
- Path restoration
In a WDM sub-network, activation of GMPLS is optional.
On the 1830PSS, the embedded GMRE application is in charge of GMPLS. GMRE addresses shall be defined
on the nodes which have to run the GMRE application.
GMPLS control messages are transported by the WDM DCN like management messages: the same
DCN is used both for the management plane and the control plane.
Activation of GMPLS has a low impact on the WDM DCN (GMRE addresses added, plus additional traffic on the
same WDM DCN).




3 1830 IP architecture
3.1 NE IP architecture
The 1830 brings a full IP communication architecture.
On each 1830PSS, IP is used for:
- External communication:
  - Management (communication between manager and NE)
  - Inter-NE communication
  - VoIP for the IP phone facility
  - Connection of external devices
- Internal private networks:
  - Internal LAN for inter-shelf / inter-board communication
  - Local management connection of the Craft Terminal

The 1830PSS-36 functional interfaces:
On the MTX (Matrix) board:
- VoIP: connection for an IP phone
- E1-LAN, E2-LAN: connections with externally managed devices
- ES1, ES2: internal ports used for connections with the extension shelves
On the FLC (First Level Controller) board:
- CIT: Craft Interface Terminal, local communication; corresponds to port 1 of the active EC
  in the main shelf
- OAMP: external communication with the EMS (External Management System)

The 1830PSS-32/16 functional interfaces:
On the USRPNL board:
- OAMP: external communication with the EMS (External Management System)
- VoIP: connection for an IP phone
- E1-LAN, E2-LAN: connections with externally managed devices
On the EC board:
- CIT: Craft Interface Terminal, local communication
- ES1, ES2: internal ports used for connections with the extension shelves

The 1830PSS-4 functional interfaces:
On the EC board:
- OAMP: external communication with the EMS (External Management System)
- CIT LAN port / CRAFT port (pins 1/2/3/6 for CIT, pins 7/8 for RS232 Rx/Tx, pin 4 GND for RS232):
  craft interface terminal, local communication (specific cable)
- ES1, ES2: internal ports used for connections with the extension shelves
On the EC board:
- CIT: Craft Interface Terminal, local communication
- ES1, ES2: internal ports used for connections with the extension shelves

The 1830PSS-1 Edge Device functional interfaces:
On the FAN board:
- CIT: local communication (PhM, CLI, WebUI)
- LAN1 master shelf: external communication (PhM, CLI, WebUI)
- LAN1 (expansion) and LAN2: internal communication and daisy chaining

IP addresses set at initial commissioning:
- OAMP: one interface address with the backbone. The front router will have an interface in
  the same subnet. It may be routed or not. At least a /30 subnet.
- SYSTEM (*): loopback address assigned to the SYSTEM interface. It is the management
  address of the NE. It must be routed toward the backbone. The value is set during the initial
  commissioning phase or via ED-IP-IF (see chapter 3.3).
  (*) SYSTEM can also be named RID (Router ID), Loopback IP or NE address in other
  documents.
- GMRENODE (or CPN): loopback address assigned to the GMRE node interface. It is the main
  control plane address of the GMRE. It must be routed toward the backbone for redundancy. It
  must be defined during the initial commissioning phase (see chapter 3.3).
- GMRENOTIFY (or CPNOTIFY): loopback address assigned to the GMRE notify interface. It is
  a secondary control plane address of the GMRE. It must be routed toward the backbone for
  redundancy. It must be defined during the initial commissioning phase (see chapter 3.3).

Protocols:
- CLI, Telnet, SSH, SSL, SNMP, TL1, HTTP, HTTPS: used for management of the 1830PSS
- CLI and MTNM/CORBA: used for the management of the GMPLS network
- OSPF-TE for SCOT: used for WDM power adjustment automation
- sFTP/tFTP/FTP: used for file transfers such as software upgrades or database backup/restore
- NTP for time management



3.1.1 Protocol stacks
The TCP/IP protocol stack supported for an IP-based DCN is as shown in the following table
(network part), from the lowest layer up:
Layer | OSC / GCC0 (PPP) | LAN ports: OAMP (-> NMS), CIT (-> laptop), ES1/ES2 (shelves daisy chain), E1/E2 (external devices)
L2 | PPP | Ethernet interface, ARP + IPv4 over DIX
L3 | IPv4 + IP forwarding (IP minimal on GCC0) | IPv4 + IP forwarding
L4 | TCP, OSPF, UDP | TCP, OSPF, UDP
Application | Upper layers | Upper layers

3.1.2 IP routing
The IP forwarding table is built on the 1830 PSS by the OSPF routing protocol.
[Figure: an OSPF router inside the NE connecting OAMP (EMS), CIT, PPP (OSC, GCC0), VoIP, ES1/ES2
and E1/E2]
Fig. 2 Routing architecture



OSPF is enabled per interface:
- OSPF is always enabled on the PPP serial interfaces (OSC/GCC0).
- OSPF is always enabled in passive mode on the SYSTEM management loopback address
  (in some documents, the management node address is identified another way).
- OSPF is enabled in passive mode on the GMRE loopback addresses if the GMRE application is used; it is
  disabled otherwise.
- By default, OSPF is disabled on LAN interfaces.
  It can be enabled, or enabled in passive mode, on any of them:
  - OSPF is typically enabled on the OAMP interface if the NE is a GNE.
  - OSPF is typically disabled on CIT since it is not assigned a routable address.
    CIT can be provisioned with a routable address and set to passive mode.
  - OSPF is typically enabled in passive mode on the E1 and E2 interfaces when an external
    device is connected.
  - OSPF is typically enabled in passive mode on the VoIP interface.
  - OSPF is disabled within the internal network (ES1, ES2).

OSPF advertisement:
OSPF advertises the loopback addresses, the serial interfaces and the directly connected
sub-networks of the interfaces on which it is enabled.
When OSPF is enabled in passive mode on an interface, no OSPF message is sent on this
interface, but OSPF advertises the interface subnet on all other OSPF-enabled interfaces.
When OSPF is enabled on an interface, OSPF messages are exchanged via this interface.

Remark:
On the 1830, OSPF is:
- disabled on an interface by setting the STATUS to DISABLE,
- enabled on an interface by setting the STATUS to ENABLE,
- enabled in passive mode on an interface by setting the STATUS to REDISTRIBUTE.
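To make the per-interface STATUS semantics above concrete, here is an added Python model (not code from the guide) that checks an NE's interface configuration against the fixed rules of this section and lists which subnets end up advertised and where OSPF packets are actually exchanged. The interface names, the three STATUS values and the internal ranges are the guide's; the data model, the check functions and the sample GNE are assumptions.

```python
"""Per-interface OSPF status model for a 1830 PSS NE, following the 'IP routing'
section: STATUS DISABLE (no OSPF), ENABLE (OSPF packets exchanged and the subnet
advertised) or REDISTRIBUTE (passive: no OSPF packet sent on the interface, its
subnet advertised on the other OSPF-enabled interfaces).  Added example, not code
from the guide: the interface names and STATUS values are the guide's, the data
model, the checks and the sample NE below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List, Optional, Set, Tuple

DISABLE, ENABLE, REDISTRIBUTE = "DISABLE", "ENABLE", "REDISTRIBUTE"
# NE-internal ranges that must never be advertised by OSPF (guide: 100.0.0.0/16,
# CIT 172.16.0.1/24, i.e. the 172.16.0.0/24 network).
INTERNAL = (ip_network("100.0.0.0/16"), ip_network("172.16.0.0/24"))


@dataclass
class Iface:
    name: str                      # OSC-1, GCC0-3, SYSTEM, GMRENODE, OAMP, CIT, E1, VOIP, ES1 ...
    kind: str                      # "ppp" | "loopback" | "lan" | "internal"
    status: str                    # DISABLE | ENABLE | REDISTRIBUTE
    address: Optional[str] = None  # "a.b.c.d/len"; PPP links are unnumbered in this model


def check_status(ifaces: List[Iface], gne: bool, gmre_used: bool) -> List[str]:
    """Return the rules of 'OSPF is enabled per interface' that the configuration violates."""
    problems = []
    for i in ifaces:
        if i.kind == "ppp" and i.status != ENABLE:
            problems.append(f"{i.name}: OSPF is always ENABLE on PPP serial interfaces (OSC/GCC0)")
        elif i.name == "SYSTEM" and i.status != REDISTRIBUTE:
            problems.append("SYSTEM: OSPF is always passive (REDISTRIBUTE) on the management loopback")
        elif i.name in ("GMRENODE", "GMRENOTIFY"):
            want = REDISTRIBUTE if gmre_used else DISABLE
            if i.status != want:
                problems.append(f"{i.name}: expected {want} (GMRE {'used' if gmre_used else 'not used'})")
        elif i.kind == "internal" and i.status != DISABLE:
            problems.append(f"{i.name}: OSPF is disabled within the internal network (ES1/ES2)")
        elif i.name == "CIT" and i.status == ENABLE:
            problems.append("CIT: at most REDISTRIBUTE (passive) with a routable address, never ENABLE")
        elif i.name == "OAMP" and gne and i.status != ENABLE:
            problems.append(f"OAMP: typically ENABLE on a GNE (found {i.status})")
    return problems


def advertised(ifaces: List[Iface]) -> Tuple[Set[str], Set[str]]:
    """Subnets OSPF advertises (ENABLE or REDISTRIBUTE with an address) and the
    interfaces on which OSPF packets are actually exchanged (ENABLE only)."""
    adv, active = set(), set()
    for i in ifaces:
        if i.status in (ENABLE, REDISTRIBUTE) and i.address:
            adv.add(str(ip_interface(i.address).network))
        if i.status == ENABLE:
            active.add(i.name)
    return adv, active


def internal_leaks(ifaces: List[Iface]) -> List[str]:
    """Advertised subnets that fall inside the NE-internal ranges (must be empty)."""
    adv, _ = advertised(ifaces)
    return sorted(p for p in adv if any(ip_network(p).overlaps(r) for r in INTERNAL))


# Constructed sample: a PSS-32 GNE with two OSC degrees, GMRE enabled, an external
# device on E1 and the CIT left at its default, non-routable address.
GNE_IFACES = [
    Iface("OSC-1", "ppp", ENABLE), Iface("OSC-2", "ppp", ENABLE),
    Iface("SYSTEM", "loopback", REDISTRIBUTE, "135.1.1.4/32"),
    Iface("GMRENODE", "loopback", REDISTRIBUTE, "135.1.5.4/32"),
    Iface("GMRENOTIFY", "loopback", REDISTRIBUTE, "135.1.5.5/32"),
    Iface("OAMP", "lan", ENABLE, "192.168.1.2/30"),
    Iface("CIT", "lan", DISABLE, "172.16.0.1/24"),
    Iface("E1", "lan", REDISTRIBUTE, "135.50.10.1/30"),
    Iface("ES1", "internal", DISABLE), Iface("ES2", "internal", DISABLE),
]

if __name__ == "__main__":
    print(check_status(GNE_IFACES, gne=True, gmre_used=True))  # []
    print(advertised(GNE_IFACES))
    print(internal_leaks(GNE_IFACES))                           # []
```

Setting CIT to ENABLE with its default address is the case a reviewer should look for: the check flags the status and `internal_leaks` shows 172.16.0.0/24 being advertised into the area.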









3.2 Network IP architecture
This is illustrated on a meshed network but applies to all the topologies.

[Figure: the EMS and workstations on the customer management backbone reach the 1830 EMS subnet
and, through the DCN, the OAMP addresses (@OAMP_1, @OAMP_6, @OAMP_8) of the 1830PSS GNEs; the OSPF
area holds the NEs (LR, ILA, TOADM) with their @SYSTEM_1 to @SYSTEM_9 addresses and a control OSPF
area holds @GMRE_1 to @GMRE_9 (per @GMRE_#: @GMRENODE and @GMRENOTIFY); per 1830 there is one local
DHCP connection for an IP phone (@VoIP_2), two for SNMP external devices (@E1) and one for the ZIC
172.16.1.0/24; internal addresses are listed separately from customer addresses]
Fig. 3 1830 IP Architecture overview

The inside routers are logical routers running in a Linux environment. The routing protocol is OSPF.
Customer addresses
- They are used for network management.
- Only the GNEs are directly connected to the management network.



- Each 1830 NE must be reachable from the management network through a GNE even on a
  single failure of an OSC/GCC link.
- In order to help summarization, routing and filtering at the border of a WDM sub-network, IP
  addresses shall be assigned depending on the nature and usage of the interface.
  For that purpose, we identify several types of networks (a dedicated range of
  addresses shall be reserved for each sub-network).
Different types of networks:
- MGMT network for management loopback addresses (SYSTEM): each 1830PSS is
  assigned a management address. Typically, this network is advertised outside the
  WDM sub-network in order to reach the EMS/NMS managers.
- CP network for control plane loopback addresses (GMRENODE & GMRENOTIFY):
  when GMPLS is used in a WDM sub-network, each 1830PSS (except PSS1 & PSS4) is
  assigned 2 GMRE addresses.
- VOIP network for VoIP addresses: used for IP phone access.
  Each 1830PSS can be assigned a VOIP /30 subnet (1 IP address for the PSS VOIP LAN
  interface + 1 IP address for the IP phone) in order to connect an IP phone to the
  1830PSS. This network, which is the summarization of all VOIP subnets, can be
  advertised or not outside the WDM sub-network, depending on whether the phone network
  extends beyond the WDM sub-network.
- EXTD network for external device addresses (E1 & E2): when connecting an
  external device to the E1 or E2 LAN port, the NE can be assigned a /30 subnet (1 IP
  address for the 1830 LAN interface + 1 IP address for the external device). Typically, this
  network is advertised outside the WDM sub-network in order to reach the EMS/NMS
  managers.
- INT network for addresses needed in order to reach interfaces which are involved
  in the routing process. This network is useful within an area and is not advertised
  outside the WDM sub-network. For example, LAN1 & LAN2 for inter-connection of
  PSS1 shall be taken in the INT network range since these addresses don't need to be
  known outside the area. Another example is the assignment of a routable
  address to the CIT interface in order to manage another NE remotely from the CIT port.
- OAMP addresses: several cases are possible (typically the OAMP address is different
  from the SYSTEM address):
  - In case of a direct link between OAMP and the external router, a /30 subnet
    within the INT network range can be used;
  - In case there are also other devices on the same LAN, it can be useful to
    take several contiguous /30s (in that case at least a /29) within the
    EXTD network;
  - Otherwise, a free IP address within an already existing sub-network is assigned to
    the OAMP port.

Internal addresses (not advertised by OSPF):
- Internal sub-network: the 100.0.0.0/16 sub-network is reserved for the NE internal sub-
  network. Internal addresses are automatically assigned by the NE from the (Rack,
  Shelf, Slot, Port) information of the element to be addressed.
- CIT address: 172.16.0.1/24. Dedicated to the local craft terminal.





Rule: 1830PSS Number of OSPF Areas
The rule is to have only one area for all 1830 NEs of a WDM sub-network.
See the specific design described in chapter 3.3.





Organization of the networks which belong to the Area corresponding to a WDM sub-network:
Organization of the Network (based on a /24 network)
Name | Function | Subnet address | Number of groups | First address | Last address
MGMT | Loopback addresses for management | x.x.x.0 (given by customer) | 256 | MGMT0 = x.x.x.0/32 | MGMT255 = x.x.x.255/32
CP | GMPLS control plane (2 addresses per node which runs GMPLS) | x.x.x.0 (given by customer) | 128 | CP0 = x.x.x.0/31 | CP127 = x.x.x.254/31
VoIP | IP phone | x.x.x.0 (given by customer) | 64 | VOIP0 = x.x.x.0/30 | VOIP63 = x.x.x.252/30
EXTD | External devices addresses | x.x.x.0 (given by customer) | 64 | EXTD0 = x.x.x.0/30 | EXTD63 = x.x.x.252/30
INT | LAN interfaces which are advertised by OSPF but are internal in the Area. The INT range does not need to be advertised outside the Area. | x.x.x.0 (given by customer) | 64 | INT0 = x.x.x.0/30 | INT63 = x.x.x.252/30
OAMP | External DCN access (recommended: configure as a point-to-point network between the GNE and its front router) | Customer defined | At least 2 (1 per GNE) | - | -


Engineering Guidelines: 1830PSS Organization of Networks within a WDM
sub-network - M
The MGMT network address range shall be provided by the customer for the assignment of the NEs'
management addresses.
The CP network address range shall be provided by the customer for the assignment of the NEs' control
plane addresses if GMPLS is enabled in the WDM sub-network.
The VoIP network address range shall be provided by the customer for the assignment of the NEs' VoIP
addresses if the Voice over IP solution is used in the WDM sub-network.
The EXTD network address range shall be provided by the customer for the assignment of external
device addresses if needed.
The INT network address range shall be provided by the customer for enabling the LAN
interfaces involved in the routing process within an Area but unknown to the manager.

The address range of each network cannot overlap the 1830PSS internal
addresses (100.0.0.0/16 and 172.16.0.1/24).
The size of each network depends on the WDM sub-network size.
Typically each range of addresses corresponds to a /24 sub-network.

Engineering Guidelines: 1830PSS(16,32,36) NE addresses assignment - M
1830PSS (PSS16, PSS32 or PSS36) shall be assigned:
A Management Loopback address within the MGMT range
GMRE Loopback addresses in the CP range if it is a PSS16/32/36 and if
GMPLS is enabled in the WDM sub-network
Optionally CIT address within the INT or EXTD range
Optionally VOIP address within the VOIP range
Optionally E1/E2 addresses within the EXTD range
Optionally OAMP address


Engineering Guidelines: 1830PSS(1,4) NE addresses assignment - M
1830PSS (PSS16, PSS32 or PSS36) shall be assigned:
A Management Loopback address within the MGMT range
Optionally CIT address within the INT or EXTD range
Optionally LAN1/LAN2 addresses within the INT (general) or EXTD
(specific need) range





3.3 IP networks summary of a 1830PSS
Table 2 : DCN IP networks summary of a 1830PSS
Name | Function | Subnet address | Mask | Initial commissioning: initial setting | Initial commissioning: manually updated or acknowledged | OSPF | Interface
OAMP | External DCN access (recommended: configure as a point-to-point network between the GNE and its front router) | Customer defined | At least /30 | None | Yes | ENABLE if GNE | OAMP on USRPNL (PSS-16/32) or FLC (PSS-36)
SYSTEM (R_ID) | Loopback address for management | MGMT | /32 | Initial commissioning | Yes | PASSIVE | Loopback0
GMREnode (=CPN) | GMPLS control plane loopback address | CP (even address) for PSS 16/32/36 | /32 | None | Yes | PASSIVE | Loopback1
GMREnotify (=CPNOTIFY) | Additional GMPLS control plane loopback address | GMREnode+1 for PSS 16/32/36 | /32 | None | Yes | PASSIVE | Loopback2
CIT | ZIC / local craft terminal | (*) Default or INT or EXTD | /30 | 172.16.0.1 | Yes | No | CIT port on EC (PSS-16/32) or FLC (PSS-36) or FAN (PSS-1)
VoIP | IP phone access | VOIP | /30 | 0.0.0.0/0 | Yes | PASSIVE if used | VoIP on USRPNL (PSS-16/32) or MT0 (PSS-36)
E1/2-LAN | Connection with externally managed device | 135.50.10.1 | /30 | 0.0.0.0/0 | Yes | PASSIVE if used | E1-LAN, E2-LAN on USRPNL (PSS-16/32) or MT0 (PSS-36)
(*) several possibilities for the CIT port:
- if only the local NE is managed, keep the default address (default mask is /24)
- if the purpose is to reach other NEs within the WDM sub-network, assign a /30 within the INT
  range
- if the purpose is to reach any NE, assign a /30 within the EXTD range
SYSTEM@ is the only IP address which must always be set on a 1830PSS.




Engineering Guidelines: 1830PSS SYSTEM@ unique - M
The operator must be sure the SYSTEM address is unique in the scope of its
DCN.
This can be achieved by:
Assignment of a MGMT address range to the WDM sub-network, taking into
account further extensions.
Each node is assigned a MGMT address.

Example where the NE is assigned the MGMT4 address within the MGMT 135.1.1.0/24
network:
SYSTEM=MGMT4=135.1.1.4


Engineering Guidelines: 1830PSS GMRE@ unique - M
The operator must be sure the GMRENODE and GMRENOTIFY addresses are
not duplicated in the Area.
In order to be ready for further GMPLS evolutions, it is recommended that these
addresses are unique in the customer DCN.

This can be achieved by:
Assignment of a CP address range to the WDM sub-network, taking into
account further extensions.
Each node which runs the GMRE application is assigned a CP address.

Example where the NE is assigned the CP2 addresses within the CP 135.1.5.0/24
network:
GMRENODE=CP2_node=135.1.5.4
GMRENOTIFY=CP2_notify=135.1.5.5
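The two uniqueness guidelines and the group layout of the "Organization of the Network" table can be applied mechanically. The following added Python helper (not a tool from the guide) derives each NE's SYSTEM, GMRENODE/GMRENOTIFY and /30 LAN addresses from the customer-provided /24 ranges and group indexes, reproducing the MGMT4 and CP2 examples above, and checks the plan against the internal ranges and for duplicate loopbacks. The NE roster and the VOIP/EXTD/INT ranges are constructed, and giving the NE side the first host of a /30 is an assumption.

```python
"""Address-plan helper for one 1830 PSS WDM sub-network, following the
'Organization of the Network' table and the SYSTEM@/GMRE@ uniqueness
guidelines: each customer-provided /24 is cut into fixed-size groups (MGMT /32,
CP /31, VOIP/EXTD/INT /30) and a node takes group n of each range it needs.
Added example, not tooling from the guide: range names, group sizes and internal
ranges are the guide's; the NE roster and the first-host convention are assumed."""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List

# Group prefix length per network, from the 'Organization of the Network' table.
GROUP_PREFIX = {"MGMT": 32, "CP": 31, "VOIP": 30, "EXTD": 30, "INT": 30}
# NE-internal ranges no customer range may overlap (guide: 100.0.0.0/16 and 172.16.0.1/24).
INTERNAL = (ip_network("100.0.0.0/16"), ip_network("172.16.0.0/24"))


def group(net_name: str, base: str, n: int) -> IPv4Network:
    """Group n of the /24 'base': MGMT4 of 135.1.1.0/24 is 135.1.1.4/32,
    CP2 of 135.1.5.0/24 is 135.1.5.4/31, VOIP63 is x.x.x.252/30."""
    net = ip_network(base)
    if net.prefixlen != 24:
        raise ValueError(f"{net_name} range {net} must be a /24 as in the guide's table")
    plen = GROUP_PREFIX[net_name]
    size = 1 << (32 - plen)      # addresses per group: 1, 2 or 4
    count = 256 // size          # 256, 128 or 64 groups per /24
    if not 0 <= n < count:
        raise ValueError(f"{net_name}{n}: only {count} groups in {net}")
    return IPv4Network((int(net.network_address) + n * size, plen))


def node_addresses(ranges: Dict[str, str], ne: Dict) -> Dict[str, str]:
    """Addresses of one NE from its group indexes (missing or None = not used)."""
    out = {"SYSTEM": str(group("MGMT", ranges["MGMT"], ne["mgmt"]).network_address)}
    if ne.get("cp") is not None:            # PSS16/32/36 running GMRE only
        cp = group("CP", ranges["CP"], ne["cp"])
        out["GMRENODE"] = str(cp[0])        # even address of the /31
        out["GMRENOTIFY"] = str(cp[1])      # GMRENODE + 1
    for key, name in (("voip", "VOIP"), ("extd", "EXTD"), ("int", "INT")):
        if ne.get(key) is not None:
            g = group(name, ranges[name], ne[key])
            out[name] = f"{g[1]}/30"        # assumption: NE takes the first host, peer the second
    return out


def check_plan(ranges: Dict[str, str], nes: List[Dict]) -> List[str]:
    """Plan-level checks: customer ranges stay clear of the NE-internal ranges and
    of each other, and SYSTEM/GMRE loopbacks are unique across the sub-network."""
    problems = []
    nets = {k: ip_network(v) for k, v in ranges.items()}
    names = list(nets)
    for a, k in enumerate(names):
        for r in INTERNAL:
            if nets[k].overlaps(r):
                problems.append(f"{k} range {nets[k]} overlaps NE-internal range {r}")
        for k2 in names[a + 1:]:
            if nets[k].overlaps(nets[k2]):
                problems.append(f"{k} range {nets[k]} overlaps {k2} range {nets[k2]}")
    seen: Dict[str, str] = {}
    for ne in nes:
        for role, addr in node_addresses(ranges, ne).items():
            if role not in ("SYSTEM", "GMRENODE", "GMRENOTIFY"):
                continue
            owner = f"{ne['name']} {role}"
            if addr in seen:
                problems.append(f"{owner} = {addr} duplicates {seen[addr]}")
            seen[addr] = owner
    return problems


# Constructed sample: MGMT and CP reuse the /24s of the guide's examples
# (135.1.1.0/24 and 135.1.5.0/24); the other three ranges are made up.
RANGES = {"MGMT": "135.1.1.0/24", "CP": "135.1.5.0/24", "VOIP": "135.1.6.0/24",
          "EXTD": "135.50.10.0/24", "INT": "192.168.1.0/24"}
NES = [
    {"name": "GNE1", "mgmt": 1, "cp": 0, "int": 0},
    {"name": "NE4", "mgmt": 4, "cp": 2, "voip": 1, "extd": 0},   # the guide's MGMT4 / CP2 example
    {"name": "PSS1-A", "mgmt": 10, "int": 5},                     # PSS1: no CP addresses
]

if __name__ == "__main__":
    for ne in NES:
        print(ne["name"], node_addresses(RANGES, ne))
    print(check_plan(RANGES, NES))   # [] when the plan is consistent
```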





4 Physical Network description
4.1 1830 PSS boards

4.1.1 FLC & MTX (MT0C) PSS36
FLC (First Level Controller) provides two (2) general purpose switched auto-sensing LAN ports
(10/100BaseTX):
- Ethernet #1 - CIT - is dedicated to the CIT connection.
- Ethernet #2 - OAMP - is dedicated to the DCN backbone connection but can be used to connect
local third-party equipment.

MTX (matrix) provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX):
- Ethernet #1 - VoIP - for externally managed devices. The VoIP port can be used to connect
to an IP phone.
- Ethernet #2 - AUX - for future use.
- Ethernet #3 and #4 - E1 and E2 - two External LAN ports (which can be used to connect to
externally managed devices), labeled E1-LAN and E2-LAN. These ports are auto-sensing, so
either a cross-over or straight-through Ethernet cable can be used.

In PSS36 LAN interface redundancy is strictly coupled to FLC/MT0C redundancy, i.e. only
the LAN interfaces hosted on the active FLC/MT0C are enabled. The LAN interfaces of
the standby FLC/MT0C are disabled.
Note, however, that R3.6 PSS36 does not really support redundancy for FLC/MT0C packs.
Figure (not reproduced): PSS36 shelf front view showing the FLC/MT0C LAN ports (VoIP, AUX, ES1, ES2, CIT, OAMP, E1, E2); labels: front router to customer network, CIT interface, IP phone, daisy chain, disabled (standby) ports.



4.1.2 User panel PSS32/ PSS16
USRPNL (User panel) provides four (4) general purpose switched auto-sensing LAN ports
(10/100BaseTX):
- Ethernet #1 - OAMP - for connection to the EMS/NMS. The OAMP port shall be used to connect
to the Element Management System (EMS).
- Ethernet #2 - VoIP - for externally managed devices. The VoIP port can be used to connect
to an IP phone.
- Ethernet #3 and #4 - E-LAN1 and E-LAN2 - two External LAN ports (which can be used to
connect to externally managed devices), labeled E1-LAN and E2-LAN. These ports are auto-
sensing, so either a cross-over or straight-through Ethernet cable can be used.
The NE shall support 2 craft ports: a female DB9 port and a USB-B port. Both
support a local RS-232C serial interface (supported setting: 34800 baud, 1 stop bit, no parity) for
connection to a craft terminal via serial link.







The role of USRPNL in EC redundancy
In case of failure of the active EC, communication towards the NMS must be maintained. The
applications will be launched on the standby EC. Through the backplane a LAN connection is
established between the USRPNL board and the two EC boards. The USRPNL board will update its ARP
table with the MAC address of the new active EC.

4.1.3 EC - Controller board PSS32/ PSS16
EC (Equipment Shelf Controller) provides four (4) general purpose switched auto-sensing LAN ports
(10/100BaseTX):
- Ethernet #1 - CIT - is dedicated to the CIT connection.
- Ethernet #2 - AUX - is dedicated to the DCN backbone connection but can be used to connect
local third-party equipment. This port is for future use.
- Ethernet #3 and #4 - ES1 and ES2 - are reserved for inter-shelf connectivity (between
master and slave shelves or between slave shelves).
Figure (not reproduced): PSS32/PSS16 user panel and EC LAN ports; labels: front router to customer network, IP phone, external devices.





4.1.4 EC - Controller board PSS-4
EC provides four (4) general purpose switched auto-sensing LAN ports (10/100BaseTX), for
connection to EMS/NMS, cascading and externally managed devices (in a future release).
- The OAMP port shall be used to connect to the Element Management System (EMS).
- The CIT port and the CRAFT port share one LAN port (pins 1/2/3/6 for CIT, pins 7/8 for
RS232 Rx/Tx, pin 4 GND for RS232). The CIT port is used for local NE commissioning. The
local RS-232 serial interface (supported setting: 38400 baud, 1 stop bit, no parity) is for
connection to a craft terminal via serial link.
- The bottom two ports (labeled ES1 and ES2; ES for extension shelf) shall be used to connect
to 1830 PSS-4 extension shelves, a.k.a. sub-shelves.



4.1.5 FAN - PSS-1 Edge Device
FAN provides three (3) general purpose switched auto-sensing LAN ports (10/100BaseTX); the ports
are physically connected to the Ethernet switch on the equipment controller through backplane
links.
Figure (not reproduced): PSS-1 Edge Device LAN ports; labels: from previous shelf, to next shelf, inter-shelf links, disabled port.



- Ethernet #1 - CIT - is dedicated to the CIT connection.
- Ethernet #2 and #3 - LAN1 and LAN2 - are used to support the management network
connection (see table below) or daisy-chained LAN connections among Edge Devices.

Management Port | User Interface  | IP Service
CIT             | PhM, CLI, WebUI | DHCP
LAN1 (Master)   | PhM, CLI, WebUI |
LAN2            | --              | --

LAN1 and LAN2 operational mode:
Port | Master shelf, stand-alone mode | Master shelf, Mini-NE mode | Sub-shelf, Mini-NE mode
LAN1 | DCN                            | DCN                        | Internal LAN
LAN2 | Disabled                       | Internal LAN               | Internal LAN

4.1.6 Managers
1830 PSS provides several management interfaces (SNMP, TL1, Web UI, CLI).
It can be managed by the following Alcatel-Lucent managers:
- The 1350 OMS is the network management product that provides unified end-to-end
network management and operational support for all network element products in the
Alcatel-Lucent Optics portfolio, including service provisioning over multi-technology
optical infrastructures. It provides the ASON (Automatically Switched Optical Network)
management of the network and is the Alcatel-Lucent management solution when GMPLS is used.
- The PhM is another network management product, focused on 1830PSS, that provides WDM
management.
- The 5620 SAM is designed to manage IP/Optics networks.





5 Building 1830PSS DCN networks
We define a WDM sub-network by:
- A group of 1830 PSS linked together via WDM links.
- PSS1 and PSS4 nodes which are connected to a WDM 1830 PSS are also part of the WDM sub-
network.
- 3R regeneration at the border of the WDM sub-network (the OTU trail is terminated).
Other characteristics:
- Nodes of a WDM sub-network belong to the same management Area and have a centralized
Management System (ALU 1350 OMS).
- If GMPLS is used in the WDM sub-network, there is one undividable Control Plane area.
The 1830 DCN network architecture ensures the reliability of the connections for the DCN and WDM
networks.
To ensure the reliability of the 1830 DCN network, several solutions are implemented:
- Meshed architecture.
- At least two GNEs per subnet.
- Dynamic routing protocol (OSPF).
Reminder:
A node belongs to an OSPF Area if at least one interface is enabled in this Area.
It is possible for an area to be defined without any interface enabled in it
(for example, Area #0 is always defined on 1830).
The main rule is that each NE must have at least two links to two different neighbors. Links can be
OSC, GCC or Ethernet; neighbors can be 1830PSS or IP routers.

Engineering Guidelines: 1830PSS - Routes redundancy - R
Each 1830PSS must be connected at least to two NEs/routers within the same
OSPF Area, by OSC or GCC link or by Ethernet link.



This requirement is a nice-to-have in the PSS1 and PSS4 cases.

Engineering Guidelines: 1830 OAMP on GNE - R
A 1830PSS plays the GNE role when it provides access to the external DCN.
Typically:
- this access is performed via the OAMP interface towards an external
router;
- OSPF is enabled on the OAMP interface and it is in the same Area as the other
interfaces;
- OAMP access is secured by the other GNEs and there is no need to be
locally resilient to an OAMP failure.
Nevertheless, it is not forbidden to use another LAN interface (for example
E1 or E2) in order to locally secure the OAMP link.



Engineering Guidelines: 1830 - GNE number - R
The recommendation is that at least two GNEs be configured per OSPF
area.
Additional rules (fair load sharing of outgoing traffic between GNEs):
- GNEs are defined in such a way that any RNE is at a reasonable
distance from the closest GNE.
- Typically, 2 GNEs are requested for areas of up to 100 NEs, plus 1 GNE per
additional group of 100 NEs in the Area.
With the OSPF protocol, each area must be connected to area 0 for inter-area exchanges.
Area 0 is called the backbone; here, that means the WDM management backbone. Area 0 is
dedicated to the DCN 1830PSS network. If connections are needed toward a higher level network, it
is up to the network design team to provide a solution for the network connections.



5.1 Single OSPF area
Figure (not reproduced): single OSPF area, linear WDM. Customer IP network (area #0) with the 1350 OMS; 1830PSS terminals, repeater and OADM linked by OSC in area #i; GNE 1 and GNE 2 connected by Ethernet to IP routers, with a direct link between the two routers. Only one OSPF area (#i) is needed; the customer OSPF area is area #0.

Fig. 4 Single OSPF area, linear WDM
The diagram above describes the standard case of a single area. All the 1830PSS belong to the same
area (#i) and the customer backbone is area 0.
Redundancy within Area #i is provided by a direct link between the routers at the
border of the area. This link can be made over a tunnel through the backbone (the tunnel is configured
on the external routers only; it is not available on 1830). The constraint is to keep it within area #i.
Figure (not reproduced): single OSPF area, ring WDM. Same elements as Fig. 4 (customer IP network in area #0 with the 1350 OMS, 1830PSS terminals, repeater and OADM in area #i, GNE 1 and GNE 2 connected by Ethernet to IP routers), but the OSC links close a ring.

Fig. 5 Single OSPF area, ring WDM



In this case, redundancy within Area #i is provided by the WDM redundancy.
In both previous cases, when the backbone is very simple and dedicated to the management of the
WDM network, the design can be simplified to a single area #0 (i.e. Area #i = Area #0). It is up to the network
designer and the customer to decide.

Engineering Guidelines: 1830PSS WDM sub-network and OSPF Area - M
All nodes of a WDM sub-network must belong to the same OSPF Area.
This is required by the wavelength key distribution constraints.
Typically, one DCN OSPF area is assigned per WDM sub-network.
It is possible to put several WDM sub-networks in the same OSPF area if this is compatible with the
maximum number of NEs per area.





Engineering Guidelines: 1830PSS Default OSPF parameters - D
Dynamic routing configuration
- The routing protocol is OSPF; it runs on all 1830 PSS.
- The 1830PSS default OSPF parameters are:
  - Hello interval: 10
  - Dead interval: 40
  - Metric: 10 (OSC), 40 (GCC OTU1), 30 (GCC OTU2), 20 (GCC OTU3), 10 (OAMP)
  - Route priority: 1
- Subnets advertised by the NE:
  - SYSTEM (NE management address = IP_RID).
  - Optionally:
    - GMRE addresses (GMRENODE and GMRENOTIFY) if the GMRE application is
activated. This does not apply to PSS1/PSS4.
    - OAMP subnet (typically the GNE case)
    - Subnets used to reach external devices (E1, E2)
    - Subnets used for NE DCN inter-connection via LAN (LAN1, LAN2)
    - VOIP
    - CIT, if a routable address is assigned to the CIT port

Engineering Guidelines: 1830PSS number of NEs per OSPF Area- D
In the DCN network, the maximum number of Nodes per Area is 500.




Engineering Guidelines: 1830PSS number of GMPLS NEs in a WDM sub-network - D
If GMPLS is enabled in a WDM sub-network, the maximum number of 1830 PSS which run
GMPLS is 100 (PSS1 and PSS4 do not run GMPLS).
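As an added example (not from the guide or Alcatel-Lucent tooling), the sizing and redundancy rules of this chapter expressed as a Python check over a constructed area description: two distinct neighbours per NE (nice-to-have only for PSS1/PSS4), the GNE count rule, 500 NEs per area and 100 GMPLS NEs per WDM sub-network. The area, node and router names are made up.

```python
"""Validate one OSPF area of a 1830PSS DCN plan against the rules of this
chapter (added example, not an Alcatel-Lucent tool). The area below is
constructed."""
import math

MAX_NODES_PER_AREA = 500       # Engineering Guidelines: number of NEs per OSPF Area
MAX_GMPLS_NODES = 100          # Engineering Guidelines: number of GMPLS NEs
LINK_TYPES = {"OSC", "GCC", "ETH"}
EDGE_TYPES = {"PSS1", "PSS4"}  # redundancy only nice-to-have, no GMPLS

def required_gnes(n_nodes):
    """2 GNEs for areas of up to 100 NEs, plus 1 per additional group of 100."""
    return 2 + max(0, math.ceil((n_nodes - 100) / 100))

def validate_area(area):
    """Return (violations, warnings) for an area described as
    {"id": int, "routers": [names], "nodes": {name: {"type", "gne", "gmpls"}},
     "links": [(end_a, end_b, "OSC"|"GCC"|"ETH")]}.
    Routers count as neighbours but not as NEs; links to names outside the
    area are ignored, since the rule is about neighbours in the same area."""
    violations, warnings = [], []
    area_id, nodes, routers = area["id"], area["nodes"], set(area["routers"])
    n = len(nodes)
    if n > MAX_NODES_PER_AREA:
        violations.append(f"area {area_id}: {n} NEs exceed the maximum of {MAX_NODES_PER_AREA}")
    gmpls = [k for k, v in nodes.items() if v["gmpls"]]
    for k in gmpls:
        if nodes[k]["type"] in EDGE_TYPES:
            violations.append(f"{k}: {nodes[k]['type']} cannot run GMPLS")
    if len(gmpls) > MAX_GMPLS_NODES:
        violations.append(f"area {area_id}: {len(gmpls)} GMPLS NEs exceed {MAX_GMPLS_NODES}")
    gnes = [k for k, v in nodes.items() if v["gne"]]
    need = required_gnes(n)
    if len(gnes) < need:
        violations.append(f"area {area_id}: {len(gnes)} GNE(s) configured, {need} needed for {n} NEs")
    # Distinct neighbours per NE, counting only NEs and routers of this area.
    neighbours = {k: set() for k in nodes}
    for a, b, kind in area["links"]:
        if kind not in LINK_TYPES:
            violations.append(f"link {a}-{b}: unknown link type {kind!r}")
            continue
        for x, y in ((a, b), (b, a)):
            if x in neighbours and (y in nodes or y in routers):
                neighbours[x].add(y)
    for name, info in nodes.items():
        count = len(neighbours[name])
        if count < 2:
            msg = f"{name}: {count} neighbour(s) in area {area_id}, 2 distinct NEs/routers required"
            (warnings if info["type"] in EDGE_TYPES else violations).append(msg)
    return violations, warnings

# Constructed area #1: a linear WDM chain with a GNE at each end, one
# single-homed PSS16 (violation) and one single-homed PSS1 edge device
# (nice-to-have only, reported as a warning).
AREA_1 = {
    "id": 1,
    "routers": ["R1", "R2"],
    "nodes": {
        "GNE1": {"type": "PSS32", "gne": True, "gmpls": True},
        "NE2": {"type": "PSS36", "gne": False, "gmpls": True},
        "GNE3": {"type": "PSS32", "gne": True, "gmpls": True},
        "NE4": {"type": "PSS16", "gne": False, "gmpls": False},
        "EDGE5": {"type": "PSS1", "gne": False, "gmpls": False},
    },
    "links": [
        ("GNE1", "R1", "ETH"), ("GNE1", "NE2", "OSC"), ("NE2", "GNE3", "OSC"),
        ("GNE3", "R2", "ETH"), ("R1", "R2", "ETH"),      # intra-area direct link
        ("NE2", "NE4", "GCC"), ("GNE3", "EDGE5", "ETH"),
    ],
}

if __name__ == "__main__":
    violations, warnings = validate_area(AREA_1)
    for line in violations:
        print("VIOLATION:", line)
    for line in warnings:
        print("WARNING:", line)
```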

5.2 Multiple OSPF areas
Figure (not reproduced): multiple OSPF areas. Two WDM sub-networks, one in area #i (GNE 1i, GNE 2i) and one in area #j (GNE 1j, GNE 2j), each connected by Ethernet to the backbone area #0; summarization on the ABRs, dynamic routes through the backbone, an external device attached via Ethernet.

Fig. 6 Multiple OSPF area
In a multi-area environment, each WDM sub-network is in a dedicated Area.




6 Network requirements
6.1 External routers
Front routers for the 1830PSS DCN must provide routes to reach the management equipment (1350 OMS)
and the other 1830PSS through the DCN.
The rules are:
Engineering Guidelines: 1830PSS Router - D
- One router per GNE.
- Dynamic routing is recommended (see also the next Engineering Guidelines, Routes
management for front router).
- No redundancy is required on each GNE; it is based on routes toward the other GNE
(see rule Engineering Guidelines GNE number).
- The router needs one physical interface connected to the 1830PSS (10/100 Mb/s).
- The connection port is called OAMP. Depending on the type of PSS shelf
used, the port can be located on the User Panel, FLC or MTX.
- The IP address of the interface toward the 1830PSS must be in the OAMP subnet.

Engineering Guidelines: 1830PSS - Routes management for front router - D
Dynamic routing configuration
- The routing protocol is OSPF; it must be activated on the interface with the GNE.
- The interface to the GNE must be set in the same area as the 1830 OAMP
interface.
- The configuration of the interface to the backbone will depend on the customer DCN
(for example, the routing protocol is customer specific). It is the responsibility of the
network design team to adapt the external interface to particular needs (backbone
routing protocol, ...).



- Summarization: route summarization has to be activated at the border of the area.
Only a subset of the addresses shall be summarized (see 3.2).
- Routes to advertise to the GNE:
We recommend using a totally stubby area so that only a default route is advertised to
the GNE.
If a standard area must be used (not recommended), the following routes must be
advertised:
- Management subnet. This avoids route recalculation if the 1350 OMS has to
move inside the management subnet, and is not as wide as a default route.
Other optional router features
Depending on the other capabilities of the router, the following features are useful:
- Access lists. They can restrict access to the 1350 OMS (the active one and the
standby one) inside the management subnet.
- IP port filtering.
- QoS marking.
- IPsec tunneling. Mandatory if the IP flow has to cross an unsecure network.





Engineering Guidelines: 1830PSS Intra area path redundancy - D
A direct path has to be set between the front routers inside a DCN area, if path
redundancy is not ensured by a fully meshed architecture of the WDM network (through the
OSC/GCC).
Due to host (1830PSS) route summarization inside the front routers, this path must be an intra-
area path. Depending on project constraints, it can be any kind of direct link or a tunnel via
the backbone.



This path ensures that routing can recover in case of an OSC/GCC failure, in a linear network for
instance.

6.2 Time management
The NE shall support the NTP protocol version 3 (RFC 1305) and version 4 (see ntp.org). NTP
provides the mechanisms to synchronize time and coordinate time distribution in large networks. It
uses a returnable-time design in which a distributed subnet of time servers, operating in a self-
organizing, hierarchical master-slave configuration, synchronizes local clocks within the subnet to
national time standards via wire or radio. The servers can also redistribute reference time via local
routing algorithms and time daemons. NTP has been designed to work in a TCP/IP environment using
UDP datagrams.

Rule: 1830PSS - NTP version
The 1830 NTP release is version 3 (RFC 1305) and version 4 (4.2.6p2).
The NE shall interoperate transparently with NTP servers that support either version 3
or version 4.

Engineering Guideline: 1830PSS NTP server - M
It is mandatory to provide access to an NTP server for each 1830PSS, in such a way that all
1830 PSS of a WDM sub-network are synchronized to the same time.
The recommendation is to use the Network Manager as NTP server. Notice that the EMS is an NTP
tier 2 server which shall be connected to a tier 1 server.
Up to three NTP servers can be declared. It is mandatory to keep them synchronized. The backup
server must send the same time as the main one.

The NTP feature can be activated from ZIC or via management interface commands.

6.3 Address plan
A WDM sub-network will request one OSPF area.
To design a WDM sub-network, the customer must provide following information:




Table 3 : Network address plan (template; "..." marks a field to be filled in)

For management systems:
NE type             | Address | Subnet | Mask | Router gateway address
1350 OMS DCN Mngt   | ...     | ...    | /... | BR1 ...
1350 OMS GMPLS Mngt | ...     | ...    | /... | BR2 ...
W_i WS Mngt         | ...     | ...    | /... | BR3 ...
(As many lines as workstations for management.)

WDM sub-network, OSPF Area: ...
Network type               | Address | Subnet | Mask | Router gateway address
MGMT                       | ...     | ...    | /... |
CP                         | ...     | ...    | /... |
VoIP                       | ...     | ...    | /... |
EXTD                       | ...     | ...    | /... |
INT                        | ...     | ...    | /... |
Ext. router 1 subnet (ER1) | ...     | ...    | /30  |
Ext. router 2 subnet (ER2) | ...     | ...    | /30  |
(As many /30 external router subnets as GNEs.)

For 1830PSS of GNE type:
NE Name   | Interface  | Address          | Subnet     | Mask | Router gateway address
GNE_1 PSS | OAMP       | ...              | ...        | /30  | R1 ...
          | SYSTEM     | MGMT ...         |            | /32  |
          | GMRENODE   | CP ...           |            | /32  |
          | GMRENOTIFY | CP ...           |            | /32  |
          | CIT        | local 172.16.0.1 | 172.16.0.0 | /24  |
          | VOIP       | VOIP ...         | ...        | /30  |
          | E1         | EXTD ...         | ...        | /30  |
          | E2         | EXTD ...         | ...        | /30  |
GNE_2 PSS | OAMP       | ...              | ...        | /30  | R2 ...
          | SYSTEM     | MGMT ...         |            | /32  |
          | GMRENODE   | CP ...           |            | /32  |
          | GMRENOTIFY | CP ...           |            | /32  |
          | CIT        | local 172.16.0.1 | 172.16.0.0 | /24  |
          | VOIP       | VOIP ...         | ...        | /30  |
          | E1         | EXTD ...         | ...        | /30  |
          | E2         | EXTD ...         | ...        | /30  |
(As many 8-line blocks as GNEs; at least 2 GNEs.)

For PSS16/PSS32/PSS36 of non-GNE type:
NE Name | Interface  | Address          | Subnet     | Mask | Router gateway address
NE_i    | SYSTEM     | MGMT ...         |            | /32  |
        | GMRENODE   | CP ...           |            | /32  |
        | GMRENOTIFY | CP ...           |            | /32  |
        | CIT        | local 172.16.0.1 | 172.16.0.0 | /24  |
        | VOIP       | VOIP ...         | ...        | /30  |
        | E1         | EXTD ...         | ...        | /30  |
        | E2         | EXTD ...         | ...        | /30  |
        | OAMP       | ...              | ...        | /30  |
(As many 8-line blocks as PSS.)

For PSS1/PSS4 of non-GNE type:
NE Name | Interface | Address          | Subnet     | Mask | Router gateway address
NE_i    | SYSTEM    | MGMT ...         |            | /32  |
        | CIT       | local 172.16.0.1 | 172.16.0.0 | /24  |
        | LAN1      | INT ...          | ...        | /30  |
        | LAN2      | INT ...          | ...        | /30  |
(As many 4-line blocks as PSS.)

R1-R2 intra-area link (tunnel):
Router | @interface | Subnet | Area | Backbone tunnel @ | Subnet | Area | Source | Dest
R1     | ...        | .../   | ...  | ...               | .../   | ...  | ...    | ...
R2     | ...        | .../   | ...  | ...               | .../   | ...  | ...    | ...








7 Security
7.1 Use RADIUS for user identification
At first installation the 1830PSS user authentication is done with local database user definitions.
Using RADIUS reinforces this security and allows several NEs to share the same user
definitions.
The procedure for setting up RADIUS is:
1. Choose a RADIUS server.
2. Activate the server for user authentication.

7.1.1 Set the RADIUS server
The following command will set the RADIUS server on the 1830PSS.
[TL1]ENT-RADIUS-SERVER:::::RAD1,ENABLE:IPADDR=<ip>[,PORT=<port>],SECRET=<sharedSecret>;
[CLI]config admin authentication radius add RAD1 <ip>[:<port>] <sharedSecret>
<ip> is the IP address of the RADIUS server.
<port> is the IP port used by your RADIUS server, from 1 to 65000. The default value is 1812.
<sharedSecret> is a 5 to 32 character password.
7.1.2 Enable RADIUS usage
The following command will force user authentication through the RADIUS server on the 1830PSS.
[TL1]SET-RADIUS-AUTH:::::RADIUS;
[CLI]config admin authentication order radius
7.2 Secure/unsecure mode
At commissioning the 1830PSS is provided in unsecure mode. In secure mode, for the TL1/CLI flows,
the telnet (23, 3082, 3083), ftp (20 and 21) and http (80) flows will be disabled and only SSH (22), SFTP
and HTTPS (443) will be available.
These protocols implement ciphering and provide authentication of the 1830PSS. They have to be
implemented on each 1830PSS NE (GNE or not); the 1830PSS acts as the server and the clients are
applications on the 1350 OMS or any other terminal or customer OMS.
As described below, the customer network administrator can choose to install the public key and
the certificate in his network or let the user accept the certificate and key at the first connection.
The procedure for implementing the secure mode is:
1. Generate the SSH key.
2. Switch the secure mode on.
In secure mode the user will not be able to connect without SSH, so the key must have
been generated before switching to secure mode.



7.2.1 Certificate generation
7.2.1.1 SSH/SFTP
The 1830PSS is provided without any SSH key. A standard key pair can be generated using TL1 or
CLI; the public and private keys are generated on the 1830PSS.
[TL1]INIT-SSH-KEY:[TID]::[CTAG]:::[KEYTYPE=][,MODULUS=];
KEYTYPE is DSA.
MODULUS is 0.
[CLI]crypto key generate
Example:
- To generate a DSA key:
[TL1]INIT-SSH-KEY::::::KEYTYPE=DSA,MODULUS=0;

The network administrator can then retrieve the public key (see 7.2.2.1.1) and install it on his servers.




7.2.1.2 HTTPs
The 1830PSS is provided with a self-signed certificate. It is up to the customer to allow this
certificate in his network by adding it to his trusted certificates list.
The first time a user connects to the NE, he will obtain the following screen.



Fig. 7: Internet Explorer and Mozilla certificate alerts
The right action is to select "No" or "Do not accept this certificate" and contact your
network administrator.
Customer Administrator
The network administrator should examine the certificate and, if he recognizes it, add it to
the trusted certificates list.




7.2.2 Secure mode initialization
The TL1 or CLI commands allow setting the SECURE MODE.
The syntax is:
[TL1]SET-ATTR-SECUDFLT::::::SECACC=ENCRYPTED;
[CLI]crypto admin ui mode encrypted

Restriction: 1830PSS Secure mode compatibility
Warning:
- Before changing the secure mode to ENCRYPTED, check the ability of
the managers to use SSH, HTTPS and sFTP. All the remote systems
must be compliant.
- Changing the secure mode will cause a reboot of the 1830PSS, and if
the remote systems cannot use SSH, HTTPS and sFTP, they will no
longer be able to connect to the 1830PSS.

7.2.2.1.1 Getting the public key
The TL1 or CLI command allows retrieving the public key of the NE.
[TL1]RTRV-SSH-KEY;
[CLI]crypto key details
This key should be distributed to the SSH clients. If it is not, the client must be allowed to accept
the key at first connection.
This command can be used whatever the secure mode (secure or unsecure).
7.2.2.1.2 Certificate modification
To modify the certificate, a new generation must be launched.
7.3 Firewall configuration, list of protocols/ports
7.3.1 Ports in secure mode
Table 4 : Management flows and ports toward the GNE 1830PSS
Name               | Src port | Dest port         | Dialogue initiator | Comment
SSH                |          | 22/tcp            | Manager            | Secured telnet and ftp. Use SSH.
TL1 secure session |          | 22/tcp (over SSH) | Manager            | Opened through a CLI session over SSH port 22, using the "tools tl1" CLI command.
HTTPS              |          | 443/tcp           | Manager            | HTTPS

Table 5 : Management flows and ports from the GNE 1830PSS
Name | Src port | Dest port | Dialogue initiator | Comment
sFTP |          | 22/tcp    | 1830PSS            |
NTP  |          | 123/udp   | 1830PSS            | Network time of day sync port.

7.3.2 Ports in non secured mode
Table 6 : Management flows and ports toward the GNE 1830PSS
Name       | Src port | Dest port | Dialogue initiator | Comment
Telnet     |          | 23/tcp    | Manager            |
HTTP       |          | 80/tcp    | Manager            |
TL1        |          | 3082/tcp  | Manager            | Destination port opened by the OAM server TL1 agent, raw mode
TL1        |          | 3083/tcp  | Manager            | Destination port opened by the OAM server TL1 agent
MTNM/Corba |          | 34567/tcp | Manager            | GMPLS MTNM management
GMRE CLI   |          | 30000/tcp | Manager            | GMPLS CLI management

Table 7 : Management flows and ports from the GNE 1830PSS
Name       | Src port | Dest port | Dialogue initiator | Comment
FTP        |          | 20&21/tcp | 1830PSS            |
sFTP       |          | 22/tcp    | 1830PSS            | Secured FTP
MTNM/Corba |          | 5066/tcp  | 1830PSS            | GMPLS MTNM management
NTP        |          | 123/udp   | 1830PSS            | Network time of day sync port.
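As an added example (not from the guide or Alcatel-Lucent tooling), a Python audit of management flows seen at the front router against the port tables above, for either secure or non-secured mode. The port sets are transcribed from Tables 4 to 7; the flow records, the 10.10.0.0/24 management subnet and the assumption that SSH/HTTPS also stay reachable in non-secured mode are constructed for the example.

```python
"""Audit management flows seen at the front router against Tables 4-7
(added example, not an Alcatel-Lucent tool). The port sets are transcribed
from the tables; the flow records are constructed (src, dst, proto, dport)."""

# Destination ports reachable on the GNE, by mode. Table 6 lists only the
# cleartext services for unsecure mode; this example assumes (not stated in
# the guide) that the SSH/HTTPS services of Table 4 also stay reachable then.
TO_GNE = {
    "secure": {("tcp", 22), ("tcp", 443)},                                     # Table 4
    "unsecure": {("tcp", 23), ("tcp", 80), ("tcp", 3082), ("tcp", 3083),
                 ("tcp", 34567), ("tcp", 30000), ("tcp", 22), ("tcp", 443)},   # Table 6 (+ Table 4)
}
# Destination ports the GNE itself opens toward managers/servers, by mode.
FROM_GNE = {
    "secure": {("tcp", 22), ("udp", 123)},                                             # Table 5
    "unsecure": {("tcp", 20), ("tcp", 21), ("tcp", 22), ("tcp", 5066), ("udp", 123)},  # Table 7
}
# Services that carry management traffic in clear and disappear in secure mode.
CLEARTEXT = {("tcp", 23), ("tcp", 80), ("tcp", 3082), ("tcp", 3083),
             ("tcp", 20), ("tcp", 21), ("tcp", 34567), ("tcp", 30000), ("tcp", 5066)}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port). 135.1.1.4 is the
# GNE SYSTEM address from the guide's example; 10.10.0.0/24 plays the
# management subnet.
FLOWS = [
    ("10.10.0.5", "135.1.1.4", "tcp", 22),    # SSH from the manager
    ("10.10.0.5", "135.1.1.4", "tcp", 443),   # HTTPS from the manager
    ("10.10.0.5", "135.1.1.4", "tcp", 23),    # telnet: must not exist in secure mode
    ("10.10.0.9", "135.1.1.4", "tcp", 3082),  # raw TL1: idem
    ("135.1.1.4", "10.10.0.5", "udp", 123),   # NTP request from the GNE
    ("135.1.1.4", "10.10.0.7", "tcp", 21),    # FTP from the GNE: idem
    ("10.10.0.5", "10.10.0.20", "tcp", 22),   # not a GNE flow: ignored
]

def audit_flows(flows, mode, gne_addrs):
    """Classify each flow touching a GNE as ("allow"|"deny") for the mode.

    Returns a list of (flow, verdict, reason); flows that neither come from
    nor go to a GNE are skipped. In secure mode a denied cleartext flow is a
    signal worth chasing: either the NE was never switched to secure mode or
    the router is not filtering.
    """
    if mode not in TO_GNE:
        raise ValueError(f"mode must be 'secure' or 'unsecure', got {mode!r}")
    results = []
    for flow in flows:
        src, dst, proto, port = flow
        key = (proto.lower(), int(port))
        if dst in gne_addrs:
            allowed, direction = TO_GNE[mode], "toward GNE"
        elif src in gne_addrs:
            allowed, direction = FROM_GNE[mode], "from GNE"
        else:
            continue
        if key in allowed:
            results.append((flow, "allow", f"{direction}: {proto}/{port} listed for {mode} mode"))
            continue
        reason = f"{direction}: {proto}/{port} not listed for {mode} mode"
        if mode == "secure" and key in CLEARTEXT:
            reason += "; cleartext management service, verify SECACC on the NE"
        results.append((flow, "deny", reason))
    return results

def denied_ports(flows, mode, gne_addrs):
    """Destination ports of the flows the router should not be passing."""
    return [flow[3] for flow, verdict, _ in audit_flows(flows, mode, gne_addrs)
            if verdict == "deny"]

if __name__ == "__main__":
    for flow, verdict, reason in audit_flows(FLOWS, "secure", {"135.1.1.4"}):
        print(verdict.upper(), flow, reason)
```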



7.4 IPSec tunnel
If an IPSec tunnel is needed, the feature must be implemented in the front router. This will be a
requirement for the router features.

Rule: 1830PSS Network security level
It is up to the customer to determine the security level of his network and so to
decide if IPSec is required.
The customer is in charge of his own networks. The 1830PSS product is
provided with engineering rules allowing the customer to maintain a high level
of security.

Engineering Guidelines 1: 1830PSS - IPSec tunneling - R
The Alcatel-Lucent recommendation is to implement an IPSec tunnel. The front router
must be able to manage IPSec tunneling (this feature is not available on
1830PSS).
If the management traffic has to go through an unsecure network between the
OMS and the 1830 GNE, IPSec tunneling is highly recommended, and the tunneling
is to be implemented in the front router.
The same recommendation applies to the intra-area link between the front routers of the
GNEs.
An unsecure network could be the Internet or a third-party network, for
instance.




Figure (not reproduced): IPSEC tunneling. OSPF area #i with terminals, repeater and OADM linked by OSC; GNE 1 and GNE 2 behind routers R1 and R2, with a direct link through an IPSEC or GRE tunnel inside area #i; an IPSEC or GRE tunnel for management towards the EMS/NMS management centre over the customer aggregation network and customer intranet (Boston LAN, Miami LAN); an IPSEC tunnel for management through the Internet (customer emergency access). Legend: optional firewall, mandatory firewall, end/start of tunnel.


Fig. 8: IPSEC tunneling
The figure above describes three uses of tunnels.
- The first one is to secure the rescue intra-area link between R1 and R2. This allows the
extension of the OSPF area and builds a ring with the 1830PSS, R1 and R2 inside area #i
(green outline). Example in the appendix.
- The second one is to secure communications coming through an untrusted network (i.e. the
Internet) (orange). A tunnel must be established to cross the unsecured network. Firewalls
are mandatory. Typically, these tunnels are set towards the management centre.
- The third one is to secure the communication channel between R1 and the management
centre (blue). In the example, a tunnel is set between the customer LAN and R1; another
one is set between the customer LAN and R2. Here the tunnel runs between
router/firewall pairs. Firewalls are optional (grey), depending on the security level of each zone.
Notice that it is recommended to end the tunnel before crossing a firewall (and reopen it on
the other side of the firewall if needed).

WARNING: This is not a real security diagram. It is here only to introduce IPSec tunnels.





7.5 Syslog server
Rule: 1830PSS - Syslog server
The 1830PSS does not support a syslog server.


7.6 Hardening advice
7.6.1 1830PSS
Some TL1 commands are available for hardening the 1830PSS:
- SET-ATTR-SECUDFLT
- SET-ATTR-SECULOG
- ED-USER-SECU

We strongly advise using these commands to harden the 1830PSS DCN interface.


Engineering Guidelines: 1830PSS - SET-ATTR-SECUDFLT - R
SET-ATTR-SECUDFLT:
- MINPIDLEN=10: minimum password length.
- PAGE=30: default value for password aging, in days.
- PCND=7: default number of days to change the password after PAGE.
- PCNN=3: default number of logins with an aged password after PAGE.
- POINT=180: default value for password obsolescence, in days.
- MINITVL=15: default value for the minimum interval in seconds between two
invalid login attempts.
- MXINV=3: Max Invalid Attempts, the maximum number of
consecutive invalid login attempts (regardless of time interval
or number of sessions) before the NE logs out the user and
locks out the user channel.
- TMOUT=15: default number of minutes of inactivity before closing the session.
- KMINTVL=0: Keep Alive Message Interval;
not activated (not implemented in 1830PSS).
- SECACC=SECURE: secure / unsecure mode.
For more details about the SET-ATTR-SECUDFLT command, read the referenced document.
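As an added example (not from the guide or Alcatel-Lucent tooling), a Python check that parses the parameter block of a SET-ATTR-SECUDFLT command and reports every value weaker than this guideline, plus a builder for the command carrying the guideline values. The "PARAM=VALUE,PARAM=VALUE" block after the last colon is assumed from the TL1 examples in this chapter; the command strings used for the check are constructed.

```python
"""Audit a SET-ATTR-SECUDFLT parameter set against the hardening values of
this guideline (added example, not an Alcatel-Lucent tool). The command
strings are constructed; the parameter block is assumed to follow the
"PARAM=VALUE,PARAM=VALUE" form shown in the guide's TL1 examples."""

# Recommended values from the guideline, with the direction that weakens them:
# "min" = a smaller value is weaker, "max" = a larger value is weaker.
RECOMMENDED = {
    "MINPIDLEN": (10, "min"),   # minimum password length
    "PAGE": (30, "max"),        # password aging, days
    "PCND": (7, "max"),         # days to change the password after PAGE
    "PCNN": (3, "max"),         # logins allowed with an aged password
    "POINT": (180, "max"),      # password obsolescence, days
    "MINITVL": (15, "min"),     # seconds between two invalid login attempts
    "MXINV": (3, "max"),        # consecutive invalid attempts before lockout
    "TMOUT": (15, "max"),       # idle minutes before the session is closed
}
# The guide writes the secure value as SECACC=SECURE here and SECACC=ENCRYPTED
# in section 7.2.2; both are accepted as "secure".
SECURE_ACCESS_VALUES = {"SECURE", "ENCRYPTED"}

def parse_secudflt(command):
    """Extract the PARAM=VALUE block of a SET-ATTR-SECUDFLT TL1 command."""
    body = command.strip().rstrip(";")
    verb, _, params = body.partition(":")
    if verb.strip().upper() != "SET-ATTR-SECUDFLT":
        raise ValueError(f"not a SET-ATTR-SECUDFLT command: {command!r}")
    block = params.rsplit(":", 1)[-1]  # parameters follow the last ':'
    values = {}
    for item in filter(None, block.split(",")):
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter {item!r}")
        values[key.strip().upper()] = val.strip().upper()
    return values

def audit_secudflt(values):
    """Return {param: finding} for every value weaker than the guideline.
    Parameters absent from the command are not reported: the NE default applies."""
    findings = {}
    for name, (target, weak_dir) in RECOMMENDED.items():
        if name not in values:
            continue
        try:
            got = int(values[name])
        except ValueError:
            findings[name] = f"non-numeric value {values[name]!r}"
            continue
        if (weak_dir == "min" and got < target) or (weak_dir == "max" and got > target):
            findings[name] = f"{got} is weaker than the recommended {target}"
    secacc = values.get("SECACC")
    if secacc is not None and secacc not in SECURE_ACCESS_VALUES:
        findings["SECACC"] = f"{secacc} leaves the NE in unsecure mode"
    return findings

def recommended_command():
    """Build the TL1 command carrying the guideline values (block form assumed)."""
    params = [f"{k}={v}" for k, (v, _) in RECOMMENDED.items()]
    params += ["KMINTVL=0", "SECACC=SECURE"]
    return "SET-ATTR-SECUDFLT::::::" + ",".join(params) + ";"

if __name__ == "__main__":
    # Constructed weak configuration for the demonstration.
    weak = "SET-ATTR-SECUDFLT::::::MINPIDLEN=6,PAGE=90,MXINV=10,TMOUT=15,SECACC=UNSECURE;"
    for name, finding in audit_secudflt(parse_secudflt(weak)).items():
        print(f"{name}: {finding}")
    print(recommended_command())
```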





7.6.2 Router
Engineering Guidelines: 1830PSS - Router hardening - R
The security features of the router should be activated: policies, access lists,
authentication, encryption.

7.6.3 Architecture
Engineering Guidelines: 1830PSS - Firewall - R
Firewalls can be implemented at the border of a WDM sub-network in order to
filter the flows going from/to the WDM.
Firewalls must be implemented if the IP flow has to go through unsecure zones.
