22-13
Cisco ONS 15454 DWDM Installation and Operations Guide, R6.0
August 2005
Chapter 22 Management Connectivity Reference
22.2.7 Scenario 7: Provisioning the ONS 15454 Proxy Server
The ONS 15454 gateway setting performs the following tasks:
• Isolates DCC IP traffic from Ethernet (craft port) traffic and accepts packets based on filtering rules.
The filtering rules (see Table 22-3 on page 22-16 and Table 22-4 on page 22-17) depend on whether
the packet arrives at the ONS 15454 DCC or TCC2/TCC2P Ethernet interface.
• Processes Simple Network Time Protocol (SNTP) and Network Time Protocol (NTP) requests.
ONS 15454 ENEs can derive time-of-day from an SNTP/NTP LAN server through the GNE
ONS 15454.
• Processes Simple Network Management Protocol version 1 (SNMPv1) traps. The GNE ONS 15454
receives SNMPv1 traps from the ENE ONS 15454s and forwards or relays the traps to SNMPv1 trap
destinations or ONS 15454 SNMP relay nodes.
The ONS 15454 proxy server is provisioned using the Enable proxy server on port check box on the
Provisioning > Network > General tab. If checked, the ONS 15454 serves as a proxy for connections
between CTC clients and ONS 15454s that are DCC-connected to the proxy ONS 15454. The CTC client
establishes connections to DCC-connected nodes through the proxy node. The CTC client can connect
to nodes that it cannot directly reach from the host on which it runs. If not selected, the node does not
proxy for any CTC clients, although any established proxy connections continue until the CTC client
exits. In addition, you can set the proxy server as an ENE or a GNE:
• End Network Element (ENE)—If set as an ENE, the ONS 15454 neither installs nor advertises
default or static routes that go through its Ethernet port. However, an ENE does install and advertise
routes that go through the DCC. CTC computers can communicate with the ONS 15454 using the
TCC2/TCC2P craft port, but they cannot communicate directly with any other DCC-connected
ONS 15454.
In addition, firewall is enabled, which means that the node prevents IP traffic from being routed
between the DCC and the LAN port. The ONS 15454 can communicate with machines connected to
the LAN port or connected through the DCC. However, the DCC-connected machines cannot
communicate with the LAN-connected machines, and the LAN-connected machines cannot
communicate with the DCC-connected machines. A CTC client using the LAN to connect to the
firewall-enabled node can use the proxy capability to manage the DCC-connected nodes that would
otherwise be unreachable. A CTC client connected to a DCC-connected node can only manage other
DCC-connected nodes and the firewall itself.
• Gateway Network Element (GNE)—If set as a GNE, the CTC computer is visible to other
DCC-connected nodes and firewall is enabled.
• Proxy-only—If Proxy-only is selected, firewall is not enabled. CTC can communicate with any
other DCC-connected ONS 15454s.
Note If you launch CTC against a node through a Network Address Translation (NAT) or Port Address
Translation (PAT) router and that node does not have proxy enabled, your CTC session starts and initially
appears to be fine. However CTC never receives alarm updates and disconnects and reconnects every two
minutes. If the proxy is accidentally disabled, it is still possible to enable the proxy during a reconnect
cycle and recover your ability to manage the node, even through a NAT/PAT firewall.
Figure 22-10 shows an ONS 15454 proxy server implementation. A GNE ONS 15454 is connected to a
central office LAN and to ENE ONS 15454s. The central office LAN is connected to a NOC LAN, which
has CTC computers. The NOC CTC computer and craft technicians must both be able to access the
ONS 15454 ENEs. However, the craft technicians must be prevented from accessing or seeing the NOC
or central office LANs.
To Next Page
Loading...
