Cisco ONS 15454 DWDM Installation and Operations Guide, R6.0
August 2005
Chapter 22      Management Connectivity Reference
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www 
access-list 100 remark *** allows initial contact with ONS 15454 using http (port 80) *** 
access-list 100 remark 
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790 
access-list 100 remark *** allows CTC communication with ONS 15454 GNE (port 57790) *** 
access-list 100 remark 
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established 
access-list 100 remark *** allows ACKs back from CTC to ONS 15454 GNE *** 
access-list 101 remark *** Outbound ACL, NE -> CTC *** 
access-list 101 remark 
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683 
access-list 101 remark *** allows alarms etc., from the 15454 (random port) to the CTC workstation (port 683) *** 
access-list 101 remark 
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established 
access-list 101 remark *** allows ACKs from the 15454 GNE to CTC *** 
The following ACL example shows a firewall configuration when the proxy server gateway setting is 
enabled. As in the first example, the CTC workstation address is 192.168.10.10 and the ONS 15454 
address is 10.10.10.100. The firewall is attached to the GNE, so inbound is from CTC to the GNE and 
outbound is from the GNE to CTC. The CTC CORBA Standard constant is 683 and the TCC CORBA Default is 
TCC Fixed (57790).
access-list 100 remark *** Inbound ACL, CTC -> NE *** 
access-list 100 remark 
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www 
access-list 100 remark *** allows initial contact with the 15454 using http (port 80) *** 
access-list 100 remark 
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 100 remark *** allows CTC communication with the 15454 GNE (port 1080) *** 
access-list 100 remark 
access-list 101 remark *** Outbound ACL, NE -> CTC *** 
access-list 101 remark 
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established 
access-list 101 remark *** allows ACKs from the 15454 GNE to CTC *** 
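To make the difference between the two firewall configurations concrete, the following added example (not from the Cisco guide) parses both ACL sets above into rules and evaluates sample flows with first-match semantics and the implicit deny at the end of every IOS ACL. The ACL text is copied from the examples with the remark lines dropped; the point it shows is that with the proxy enabled, the GNE can never open a new TCP connection toward the CTC workstation, because the outbound ACL permits only `established` return traffic, whereas the non-proxy configuration must accept NE-initiated connections on port 683.

```python
# Constructed sample: the proxy-enabled ACLs from the page, remarks removed.
PROXY_ACLS = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 1080
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""
# Constructed sample: the non-proxy ACLs (the part shown on the page), remarks removed.
NO_PROXY_ACLS = """
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq www
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 eq 57790
access-list 100 permit tcp host 192.168.10.10 host 10.10.10.100 established
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 eq 683
access-list 101 permit tcp host 10.10.10.100 host 192.168.10.10 established
"""
PORT_NAMES = {"www": 80}  # IOS keyword -> port number

def parse_acl(text):
    """Parse 'access-list N permit tcp host A host B [eq P] [established]' lines.
    Returns {acl_number: [(action, proto, src, dst, dport_or_None, established)]}."""
    rules = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # blank line, remark, or a form this small parser does not handle
        acl, action, proto = tok[1], tok[2], tok[3]
        if tok[4] != "host" or tok[6] != "host":
            continue  # only host/host rules appear in the page's examples
        src, dst, rest = tok[5], tok[7], tok[8:]
        dport = None
        if "eq" in rest:
            p = rest[rest.index("eq") + 1]
            dport = PORT_NAMES.get(p) or int(p)
        rules.setdefault(acl, []).append(
            (action, proto, src, dst, dport, "established" in rest))
    return rules

def permitted(rules, acl, src, dst, dport, new_connection):
    """First-match evaluation. new_connection=True models the initial SYN,
    which an 'established' rule (ACK or RST set) never matches."""
    for action, proto, rsrc, rdst, rport, est in rules.get(acl, []):
        if rsrc != src or rdst != dst:
            continue
        if rport is not None and rport != dport:
            continue
        if est and new_connection:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    gne, ctc = "10.10.10.100", "192.168.10.10"
    for name, text in (("proxy", PROXY_ACLS), ("no proxy", NO_PROXY_ACLS)):
        ok = permitted(parse_acl(text), "101", gne, ctc, 683, True)
        print(f"{name}: GNE may open a new connection to CTC:683 -> {ok}")
```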
22.6 Open GNE
The ONS 15454 can communicate with non-ONS nodes that do not support Point-to-Point Protocol 
(PPP) vendor extensions or OSPF type 10 opaque link-state advertisements (LSA), both of which are 
necessary for automatic node and link discovery. An open GNE configuration allows a GCC-based 
network to function as an IP network for non-ONS nodes. 
To configure an open GNE network, you can provision GCC terminations to include a far-end, non-ONS 
node using either the default IP address of 0.0.0.0 or a specified IP address. You provision a far-end, 
non-ONS node by checking the “Far End is Foreign” check box during GCC creation. The default 0.0.0.0 
IP address allows the far-end, non-ONS node to identify itself with any IP address; if you set an IP 
address other than 0.0.0.0, a link is established only if the far-end node identifies itself with that IP 
address, providing an extra level of security. 
By default, the proxy server only allows connections to discovered ONS peers and the firewall blocks 
all IP traffic between the GCC network and LAN. You can, however, provision proxy tunnels to allow 
up to 12 additional destinations for SOCKS version 5 connections to non-ONS nodes. You can also 
provision firewall tunnels to allow up to 12 additional destinations for direct IP connectivity between the 
GCC network and LAN. Proxy and firewall tunnels include both a source and destination subnet. The 
connection must originate within the source subnet and terminate within the destination subnet before